slava
August 5, 2019, 7:43pm
1
Hello, I’m using a GL.iNet 4G smart router, firmware version LuCI openwrt-18.06 branch (git-18.196.56128-9112198) / OpenWrt 18.06.1 r7258-5eb055306f.
I checked the config I use on other machine and it works well.
When I enable my OpenVPN client, internet stops working: e.g. when I ssh to it I can’t ping any IP address. Maybe I need to add something to the iptables rules?
slava
August 5, 2019, 7:46pm
2
I use the wwan0 (the built-in 3g/4g modem) interface to connect the Internet.
Here is iptables -L output, let me know if you need more info about my config.
Chain INPUT (policy ACCEPT)
target prot opt source destination
GL_SPEC_OPENING all -- anywhere anywhere
ACCEPT all -- anywhere anywhere /* !fw3 */
input_rule all -- anywhere anywhere /* !fw3: Custom input rule chain */
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED /* !fw3 */
syn_flood tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
zone_lan_input all -- anywhere anywhere /* !fw3 */
zone_wan_input all -- anywhere anywhere /* !fw3 */
zone_guestzone_input all -- anywhere anywhere /* !fw3 */
zone_ovpn_input all -- anywhere anywhere /* !fw3 */
Chain FORWARD (policy DROP)
target prot opt source destination
forwarding_rule all -- anywhere anywhere /* !fw3: Custom forwarding rule chain */
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_forward all -- anywhere anywhere /* !fw3 */
zone_wan_forward all -- anywhere anywhere /* !fw3 */
zone_guestzone_forward all -- anywhere anywhere /* !fw3 */
zone_ovpn_forward all -- anywhere anywhere /* !fw3 */
reject all -- anywhere anywhere /* !fw3 */
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere /* !fw3 */
output_rule all -- anywhere anywhere /* !fw3: Custom output rule chain */
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_output all -- anywhere anywhere /* !fw3 */
zone_wan_output all -- anywhere anywhere /* !fw3 */
zone_guestzone_output all -- anywhere anywhere /* !fw3 */
zone_ovpn_output all -- anywhere anywhere /* !fw3 */
Chain GL_SPEC_OPENING (1 references)
target prot opt source destination
Chain forwarding_guestzone_rule (1 references)
target prot opt source destination
Chain forwarding_lan_rule (1 references)
target prot opt source destination
Chain forwarding_ovpn_rule (1 references)
target prot opt source destination
Chain forwarding_rule (1 references)
target prot opt source destination
Chain forwarding_wan_rule (1 references)
target prot opt source destination
Chain input_guestzone_rule (1 references)
target prot opt source destination
Chain input_lan_rule (1 references)
target prot opt source destination
Chain input_ovpn_rule (1 references)
target prot opt source destination
Chain input_rule (1 references)
target prot opt source destination
Chain input_wan_rule (1 references)
target prot opt source destination
Chain output_guestzone_rule (1 references)
target prot opt source destination
Chain output_lan_rule (1 references)
target prot opt source destination
Chain output_ovpn_rule (1 references)
target prot opt source destination
Chain output_rule (1 references)
target prot opt source destination
Chain output_wan_rule (1 references)
target prot opt source destination
Chain reject (6 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere /* !fw3 */ reject-with tcp-reset
REJECT all -- anywhere anywhere /* !fw3 */ reject-with icmp-port-unreachable
Chain syn_flood (1 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 /* !fw3 */
DROP all -- anywhere anywhere /* !fw3 */
Chain zone_guestzone_dest_ACCEPT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_guestzone_dest_REJECT (1 references)
target prot opt source destination
reject all -- anywhere anywhere /* !fw3 */
Chain zone_guestzone_forward (1 references)
target prot opt source destination
forwarding_guestzone_rule all -- anywhere anywhere /* !fw3: Custom guestzone forwarding rule chain */
zone_ovpn_dest_ACCEPT all -- anywhere anywhere /* !fw3: Zone guestzone to ovpn forwarding policy */
ACCEPT all -- anywhere anywhere ctstate DNAT /* !fw3: Accept port forwards */
zone_guestzone_dest_REJECT all -- anywhere anywhere /* !fw3 */
Chain zone_guestzone_input (1 references)
target prot opt source destination
input_guestzone_rule all -- anywhere anywhere /* !fw3: Custom guestzone input rule chain */
ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc /* !fw3: guestzone_DHCP */
ACCEPT tcp -- anywhere anywhere tcp dpt:domain /* !fw3: guestzone_DNS */
ACCEPT udp -- anywhere anywhere udp dpt:domain /* !fw3: guestzone_DNS */
ACCEPT all -- anywhere anywhere ctstate DNAT /* !fw3: Accept port redirections */
zone_guestzone_src_REJECT all -- anywhere anywhere /* !fw3 */
Chain zone_guestzone_output (1 references)
target prot opt source destination
output_guestzone_rule all -- anywhere anywhere /* !fw3: Custom guestzone output rule chain */
zone_guestzone_dest_ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_guestzone_src_REJECT (1 references)
target prot opt source destination
reject all -- anywhere anywhere /* !fw3 */
Chain zone_lan_dest_ACCEPT (4 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_lan_forward (1 references)
target prot opt source destination
forwarding_lan_rule all -- anywhere anywhere /* !fw3: Custom lan forwarding rule chain */
zone_ovpn_dest_ACCEPT all -- anywhere anywhere /* !fw3: Zone lan to ovpn forwarding policy */
ACCEPT all -- anywhere anywhere ctstate DNAT /* !fw3: Accept port forwards */
zone_lan_dest_ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_lan_input (1 references)
target prot opt source destination
input_lan_rule all -- anywhere anywhere /* !fw3: Custom lan input rule chain */
ACCEPT all -- anywhere anywhere ctstate DNAT /* !fw3: Accept port redirections */
zone_lan_src_ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_lan_output (1 references)
target prot opt source destination
output_lan_rule all -- anywhere anywhere /* !fw3: Custom lan output rule chain */
zone_lan_dest_ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_lan_src_ACCEPT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate NEW,UNTRACKED /* !fw3 */
Chain zone_ovpn_dest_ACCEPT (3 references)
target prot opt source destination
DROP all -- anywhere anywhere ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_ovpn_dest_REJECT (1 references)
target prot opt source destination
reject all -- anywhere anywhere /* !fw3 */
Chain zone_ovpn_forward (1 references)
target prot opt source destination
forwarding_ovpn_rule all -- anywhere anywhere /* !fw3: Custom ovpn forwarding rule chain */
ACCEPT all -- anywhere anywhere ctstate DNAT /* !fw3: Accept port forwards */
zone_ovpn_dest_REJECT all -- anywhere anywhere /* !fw3 */
Chain zone_ovpn_input (1 references)
target prot opt source destination
input_ovpn_rule all -- anywhere anywhere /* !fw3: Custom ovpn input rule chain */
ACCEPT all -- anywhere anywhere ctstate DNAT /* !fw3: Accept port redirections */
zone_ovpn_src_ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_ovpn_output (1 references)
target prot opt source destination
output_ovpn_rule all -- anywhere anywhere /* !fw3: Custom ovpn output rule chain */
zone_ovpn_dest_ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_ovpn_src_ACCEPT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate NEW,UNTRACKED /* !fw3 */
Chain zone_wan_dest_ACCEPT (1 references)
target prot opt source destination
DROP all -- anywhere anywhere ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_wan_dest_REJECT (1 references)
target prot opt source destination
reject all -- anywhere anywhere /* !fw3 */
Chain zone_wan_forward (1 references)
target prot opt source destination
forwarding_wan_rule all -- anywhere anywhere /* !fw3: Custom wan forwarding rule chain */
zone_lan_dest_ACCEPT esp -- anywhere anywhere /* !fw3: Allow-IPSec-ESP */
zone_lan_dest_ACCEPT udp -- anywhere anywhere udp dpt:isakmp /* !fw3: Allow-ISAKMP */
ACCEPT all -- anywhere anywhere ctstate DNAT /* !fw3: Accept port forwards */
zone_wan_dest_REJECT all -- anywhere anywhere /* !fw3 */
Chain zone_wan_input (1 references)
target prot opt source destination
input_wan_rule all -- anywhere anywhere /* !fw3: Custom wan input rule chain */
ACCEPT udp -- anywhere anywhere udp dpt:bootpc /* !fw3: Allow-DHCP-Renew */
ACCEPT icmp -- anywhere anywhere icmp echo-request /* !fw3: Allow-Ping */
ACCEPT igmp -- anywhere anywhere /* !fw3: Allow-IGMP */
ACCEPT all -- anywhere anywhere ctstate DNAT /* !fw3: Accept port redirections */
zone_wan_src_REJECT all -- anywhere anywhere /* !fw3 */
Chain zone_wan_output (1 references)
target prot opt source destination
output_wan_rule all -- anywhere anywhere /* !fw3: Custom wan output rule chain */
zone_wan_dest_ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_wan_src_REJECT (1 references)
target prot opt source destination
reject all -- anywhere anywhere /* !fw3 */
dzwghx
August 6, 2019, 7:45am
3
Can you send a screenshot after the openvpn client connecting?
slava
August 6, 2019, 1:27pm
5
Sure.
I’d also attach OpenVPN logs, but I found nothing in /var/logs
Do you not have the internet for the router itself or for the clients connected to the router?
I have a similar problem here
slava
August 6, 2019, 1:33pm
7
@danger86 Internet works for both clients and the router when I disconnect the VPN; when the VPN is up, internet does not work for either the clients or the router.
alzhao
August 6, 2019, 4:44pm
8
Is this your own server?
The problem could happen on the server side or on the local side. From your screenshot there is no data at all.
Does the ovpn work on your PC directly?
slava
August 6, 2019, 7:11pm
9
@alzhao yes, I’m the owner and it works when I connect from my PC directly.
I looked for the gateways with route -n, and there was no gateway for my OpenVPN server. When I add the GW manually, ping starts working:
ip route add 257.257.257.257/32 via 10.213.90.112 dev wwan0
Where 257.257.257.257 is the IP of my OpenVPN server and 10.213.90.112 is the GW for the wwan0 interface. I’ll try to find a bit more elegant solution, since the GW for wwan0 changes every time I reconnect, but, at least, I found the root of the problem.
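The manual route above has to be repeated every time wwan0 comes up with a new gateway. As an added example (not from this thread and not GL.iNet's or OpenWrt's own code), the following is a hotplug script in the style of OpenWrt's /etc/hotplug.d/iface/ directory (the file name 99-vpn-bypass is assumed) that, on each ifup of the wwan interface, reads the current default-route nexthop from the JSON that ifstatus prints and re-creates the host route to the VPN server through it. The server address 257.257.257.257 is the placeholder used in this thread, and the ifstatus JSON at the bottom is constructed to match netifd's status format so the script can be exercised off the router.

```shell
#!/bin/sh
# Hypothetical /etc/hotplug.d/iface/99-vpn-bypass (path assumed, not from the thread).
# On every ifup of the cellular interface, re-create the host route to the
# OpenVPN server via the interface's current gateway, so the bypass route
# survives the gateway change the poster sees on each reconnect.

VPN_SERVER="257.257.257.257"   # placeholder address as used in the thread
UNDERLAY_IFACE="wwan"          # netifd logical interface name (as in `ifstatus wwan`)

# Extract the nexthop of the interface's default route from `ifstatus` JSON.
# Parsed with tr/sed so it runs anywhere; on OpenWrt, jsonfilter is the usual tool.
gateway_from_ifstatus() {
    # $1: JSON text as printed by `ifstatus <iface>`
    printf '%s\n' "$1" | tr -d '\n\t' |
    sed -n 's/.*"target": *"0\.0\.0\.0"[^}]*"nexthop": *"\([0-9.]*\)".*/\1/p'
}

# Extract the kernel device (l3_device, e.g. wwan0) behind the logical interface.
device_from_ifstatus() {
    printf '%s\n' "$1" | tr -d '\n\t' |
    sed -n 's/.*"l3_device": *"\([^"]*\)".*/\1/p'
}

# Build the `ip route replace` command for the bypass route.
# Prints the command; returns 1 when no gateway or device is known.
bypass_route_cmd() {
    gw=$(gateway_from_ifstatus "$1")
    dev=$(device_from_ifstatus "$1")
    [ -n "$gw" ] && [ -n "$dev" ] || return 1
    printf 'ip route replace %s/32 via %s dev %s\n' "$VPN_SERVER" "$gw" "$dev"
}

# Hotplug entry point: netifd exports ACTION and INTERFACE to iface hotplug scripts.
hotplug_main() {
    [ "$ACTION" = "ifup" ] && [ "$INTERFACE" = "$UNDERLAY_IFACE" ] || return 0
    cmd=$(bypass_route_cmd "$(ifstatus "$INTERFACE")") || {
        logger -t vpn-bypass "no default gateway found for $INTERFACE"
        return 1
    }
    logger -t vpn-bypass "$cmd"
    $cmd
}

# Constructed sample in the shape of `ifstatus wwan` output (not a real capture).
SAMPLE_IFSTATUS='{
  "up": true,
  "l3_device": "wwan0",
  "route": [
    { "target": "0.0.0.0", "mask": 0, "nexthop": "10.213.90.112", "source": "0.0.0.0/0" }
  ]
}'

# When invoked by netifd, act as the hotplug script; otherwise show the dry run
# on the constructed sample.
if [ -n "$ACTION" ] && [ -n "$INTERFACE" ]; then
    hotplug_main
else
    bypass_route_cmd "$SAMPLE_IFSTATUS"
fi
```

On the constructed sample the dry run prints the same command the poster typed by hand, with the gateway taken from ifstatus instead of being hardcoded. Using `ip route replace` rather than `add` keeps the script idempotent across repeated ifup events; with redirect-gateway in the client config, this host route is exactly what OpenVPN itself installs when it can determine the underlay's default gateway, so the script only fills in for the case where that lookup fails.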
slava
August 6, 2019, 8:11pm
10
The problem is that when I connect from my PC, the OpenVPN server gateway is properly pushed to the routing table. I think it’s a bug here.
alzhao
August 6, 2019, 8:53pm
11
Can you post your ovpn so that we can check the push options?
slava
August 7, 2019, 12:31pm
12
@alzhao sure.
client
dev tun
proto tcp
remote 257.257.257.257 443
redirect-gateway
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
1234567abcd
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
1234567abcd
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
1234567abcd
-----END PRIVATE KEY-----
</key>
<tls-crypt>
1234567abcd
</tls-crypt>
auth sha256
cipher AES-256-GCM
auth-nocache
compress lzo
slava
August 7, 2019, 12:33pm
13
I’ll also try to use some 3rd party VPN service/WAN port instead of the 3g/4g modem and let you know how it works.
slava
August 7, 2019, 12:47pm
14
When I use my VPN server and WAN port to connect to the internet everything works ok! Any ideas?
alzhao
August 7, 2019, 1:11pm
15
Try to change the port from 443 to others, like 1194.
I don’t have any idea, but it seems the carrier blocked you. Just do some twisting and try.
Also ssh to the router and get the following when you use 4G and vpn
route
ifstatus wwan
slava
August 10, 2019, 6:30pm
17
alzhao: route
route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default * 128.0.0.0 U 0 0 0 tun0
default 10.128.142.16 0.0.0.0 UG 0 0 0 tun0
10.128.142.0 10.128.142.16 255.255.255.0 UG 0 0 0 tun0
10.128.142.16 * 255.255.255.255 UH 0 0 0 tun0
10.250.249.116 * 255.255.255.252 U 40 0 0 wwan0
128.0.0.0 * 128.0.0.0 U 0 0 0 tun0
172.16.82.0 10.128.142.16 255.255.255.0 UG 0 0 0 tun0
192.168.94.0 * 255.255.255.0 U 0 0 0 br-lan
192.168.147.0 10.128.142.16 255.255.255.0 UG 0 0 0 tun0
212.53.40.0 10.128.142.16 255.255.255.0 UG 0 0 0 tun0
but occasionally all my VPN-related routes disappear; that’s strange.
slava
August 10, 2019, 6:32pm
18
@alzhao I’m still wondering why it works with the wan port, but does not work with the internal modem.
I see you’re using OpenWrt, maybe I should ask there. Did you modify it to support your devices with multiple WANs/Modems?
alzhao
August 10, 2019, 6:37pm
19
All the things you do should be the same in openwrt and we don’t change it.
One more question, did you use vpn policy in the router?
@robotluo @kyson-lok can you pls have a check of the logs and routes?
slava
August 10, 2019, 6:41pm
20
Here is the output of route when I’m using the WAN port.
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default * 128.0.0.0 U 0 0 0 tun0
default 10.128.142.16 0.0.0.0 UG 0 0 0 tun0
default 10.248.134.28 0.0.0.0 UG 40 0 0 wwan0
10.128.142.0 10.128.142.16 255.255.255.0 UG 0 0 0 tun0
10.128.142.16 * 255.255.255.255 UH 0 0 0 tun0
10.248.134.24 * 255.255.255.248 U 40 0 0 wwan0
257.257.257.257 192.168.147.1 255.255.255.255 UGH 0 0 0 eth0
128.0.0.0 * 128.0.0.0 U 0 0 0 tun0
172.16.82.0 10.128.142.16 255.255.255.0 UG 0 0 0 tun0
192.168.94.0 * 255.255.255.0 U 0 0 0 br-lan
192.168.147.0 10.128.142.16 255.255.255.0 UG 0 0 0 tun0
192.168.147.0 * 255.255.255.0 U 10 0 0 eth0
212.53.40.0 10.128.142.16 255.255.255.0 UG 0 0 0 tun0
As you can see, the GW for my VPN server is configured: 257.257.257.257 via 192.168.147.1. And here is the ifconfig eth0 output:
eth0 Link encap:Ethernet HWaddr XX:XX:XX:XX:XX:XX
inet addr:192.168.147.123 Bcast:192.168.147.255 Mask:255.255.255.0
inet6 addr: xxxx::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:617 errors:0 dropped:24 overruns:0 frame:0
TX packets:285 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:152250 (148.6 KiB) TX bytes:28880 (28.2 KiB)
Interrupt:4
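The two route tables in this thread differ in exactly one way that matters for a redirect-gateway client: on the WAN port there is a /32 host route to the VPN server via eth0 (the bypass route), while on 4G there is neither that route nor a default route via wwan0, so traffic to the server itself is swallowed by the tun0 routes. As an added example (not from the thread, and not GL.iNet's or OpenWrt's code), the following POSIX shell function reads `route` output on stdin and reports which of those states the table is in. The two sample tables embedded below are copied from the posts above, keeping the poster's placeholder address 257.257.257.257.

```shell
#!/bin/sh
# check_vpn_bypass_route: read `route` (net-tools/busybox) output on stdin and
# report whether the OpenVPN server still has a route that does not go through
# a tun interface while redirect-gateway is active.
# Usage: route | check_vpn_bypass_route <server-ip>
# Prints one of: no-redirect | ok <iface> | missing-bypass <reason>
# Exit status is 1 for the missing-bypass case, 0 otherwise.
check_vpn_bypass_route() {
    awk -v server="$1" '
        $1 == "Kernel" || $1 == "Destination" { next }   # skip header lines
        NF < 8 { next }                                  # not a route row
        {
            dest = $1; mask = $3; iface = $8
            if (dest == "default") dest = "0.0.0.0"
            # redirect-gateway def1 style half-routes (0.0.0.0/1, 128.0.0.0/1) via tun
            if (iface ~ /^tun/ && mask == "128.0.0.0") half++
            # full default route via tun
            if (iface ~ /^tun/ && dest == "0.0.0.0" && mask == "0.0.0.0") tundef++
            # host route to the server via a non-tun interface: the bypass route
            if (dest == server && mask == "255.255.255.255" && iface !~ /^tun/) bypass = iface
            # default route via a non-tun interface: the underlay gateway still exists
            if (dest == "0.0.0.0" && mask == "0.0.0.0" && iface !~ /^tun/) underlay = iface
        }
        END {
            redirect = (half >= 2 || tundef > 0)
            if (!redirect)      { print "no-redirect"; exit 0 }
            if (bypass != "")   { print "ok " bypass; exit 0 }
            if (underlay != "") { print "missing-bypass underlay=" underlay; exit 1 }
            print "missing-bypass no-underlay-default"; exit 1
        }'
}

# Sample 1: the table posted for the 4G modem case (copied from the thread).
ROUTES_4G='Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default * 128.0.0.0 U 0 0 0 tun0
default 10.128.142.16 0.0.0.0 UG 0 0 0 tun0
10.128.142.0 10.128.142.16 255.255.255.0 UG 0 0 0 tun0
10.128.142.16 * 255.255.255.255 UH 0 0 0 tun0
10.250.249.116 * 255.255.255.252 U 40 0 0 wwan0
128.0.0.0 * 128.0.0.0 U 0 0 0 tun0
172.16.82.0 10.128.142.16 255.255.255.0 UG 0 0 0 tun0
192.168.94.0 * 255.255.255.0 U 0 0 0 br-lan
192.168.147.0 10.128.142.16 255.255.255.0 UG 0 0 0 tun0
212.53.40.0 10.128.142.16 255.255.255.0 UG 0 0 0 tun0'

# Sample 2: the table posted for the WAN port case (copied from the thread).
ROUTES_WAN='Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default * 128.0.0.0 U 0 0 0 tun0
default 10.128.142.16 0.0.0.0 UG 0 0 0 tun0
default 10.248.134.28 0.0.0.0 UG 40 0 0 wwan0
10.128.142.0 10.128.142.16 255.255.255.0 UG 0 0 0 tun0
10.128.142.16 * 255.255.255.255 UH 0 0 0 tun0
10.248.134.24 * 255.255.255.248 U 40 0 0 wwan0
257.257.257.257 192.168.147.1 255.255.255.255 UGH 0 0 0 eth0
128.0.0.0 * 128.0.0.0 U 0 0 0 tun0
172.16.82.0 10.128.142.16 255.255.255.0 UG 0 0 0 tun0
192.168.94.0 * 255.255.255.0 U 0 0 0 br-lan
192.168.147.0 10.128.142.16 255.255.255.0 UG 0 0 0 tun0
192.168.147.0 * 255.255.255.0 U 10 0 0 eth0
212.53.40.0 10.128.142.16 255.255.255.0 UG 0 0 0 tun0'

# Demo: run the check over both captured tables.
for table in "$ROUTES_4G" "$ROUTES_WAN"; do
    printf '%s\n' "$table" | check_vpn_bypass_route 257.257.257.257 || :
done
```

On the router the live check is `route | check_vpn_bypass_route <server-ip>`; the 4G table yields `missing-bypass no-underlay-default`, the WAN-port table yields `ok eth0`. The non-zero exit status for the missing case makes it usable from a watchdog or cron job that re-adds the route when the tunnel loops on itself.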
slava
August 10, 2019, 6:44pm
21
Where and how can I configure it?
Also I have a strong feeling that eth0 is hardcoded or configured somewhere, and that’s why it works.
slava
August 10, 2019, 7:09pm
22
alzhao: ifconfig wwan0
wwan0 Link encap:Ethernet HWaddr XX:XX:XX:XX:XX:XX
inet addr:10.250.249.117 Bcast:10.250.249.119 Mask:255.255.255.252
inet6 addr: xxxx::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
UP BROADCAST RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:118 errors:0 dropped:0 overruns:0 frame:0
TX packets:120 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:15443 (15.0 KiB) TX bytes:15171 (14.8 KiB)