No Internet When VPN is Up

Hello, I’m using GL iNet 4g smart router, firwmare version LuCI openwrt-18.06 branch (git-18.196.56128-9112198)](GitHub - openwrt/luci: LuCI - OpenWrt Configuration Interface) / OpenWrt 18.06.1 r7258-5eb055306f

I checked the config I use on other machine and it works well.

When I enable my OpenVPN client, internet stops working: e.g. when I ssh to it I can’t ping any IP address. Maybe I need to add something to the iptables rules?

I use the wwan0 (the built-in 3g/4g modem) interface to connect the Internet.
Here is iptables -L output, let me know if you need more info about my config.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
GL_SPEC_OPENING  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
input_rule  all  --  anywhere             anywhere             /* !fw3: Custom input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
syn_flood  tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
zone_lan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_guestzone_input  all  --  anywhere             anywhere             /* !fw3 */
zone_ovpn_input  all  --  anywhere             anywhere             /* !fw3 */

Chain FORWARD (policy DROP)
target     prot opt source               destination
forwarding_rule  all  --  anywhere             anywhere             /* !fw3: Custom forwarding rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_guestzone_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_ovpn_forward  all  --  anywhere             anywhere             /* !fw3 */
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
output_rule  all  --  anywhere             anywhere             /* !fw3: Custom output rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_output  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_output  all  --  anywhere             anywhere             /* !fw3 */
zone_guestzone_output  all  --  anywhere             anywhere             /* !fw3 */
zone_ovpn_output  all  --  anywhere             anywhere             /* !fw3 */

Chain GL_SPEC_OPENING (1 references)
target     prot opt source               destination

Chain forwarding_guestzone_rule (1 references)
target     prot opt source               destination

Chain forwarding_lan_rule (1 references)
target     prot opt source               destination

Chain forwarding_ovpn_rule (1 references)
target     prot opt source               destination

Chain forwarding_rule (1 references)
target     prot opt source               destination

Chain forwarding_wan_rule (1 references)
target     prot opt source               destination

Chain input_guestzone_rule (1 references)
target     prot opt source               destination

Chain input_lan_rule (1 references)
target     prot opt source               destination

Chain input_ovpn_rule (1 references)
target     prot opt source               destination

Chain input_rule (1 references)
target     prot opt source               destination

Chain input_wan_rule (1 references)
target     prot opt source               destination

Chain output_guestzone_rule (1 references)
target     prot opt source               destination

Chain output_lan_rule (1 references)
target     prot opt source               destination

Chain output_ovpn_rule (1 references)
target     prot opt source               destination

Chain output_rule (1 references)
target     prot opt source               destination

Chain output_wan_rule (1 references)
target     prot opt source               destination

Chain reject (6 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             /* !fw3 */ reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 /* !fw3 */
DROP       all  --  anywhere             anywhere             /* !fw3 */

Chain zone_guestzone_dest_ACCEPT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_guestzone_dest_REJECT (1 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_guestzone_forward (1 references)
target     prot opt source               destination
forwarding_guestzone_rule  all  --  anywhere             anywhere             /* !fw3: Custom guestzone forwarding rule chain */
zone_ovpn_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone guestzone to ovpn forwarding policy */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_guestzone_dest_REJECT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_guestzone_input (1 references)
target     prot opt source               destination
input_guestzone_rule  all  --  anywhere             anywhere             /* !fw3: Custom guestzone input rule chain */
ACCEPT     udp  --  anywhere             anywhere             udp dpts:bootps:bootpc /* !fw3: guestzone_DHCP */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain /* !fw3: guestzone_DNS */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain /* !fw3: guestzone_DNS */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_guestzone_src_REJECT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_guestzone_output (1 references)
target     prot opt source               destination
output_guestzone_rule  all  --  anywhere             anywhere             /* !fw3: Custom guestzone output rule chain */
zone_guestzone_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_guestzone_src_REJECT (1 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_dest_ACCEPT (4 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_forward (1 references)
target     prot opt source               destination
forwarding_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan forwarding rule chain */
zone_ovpn_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone lan to ovpn forwarding policy */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_input (1 references)
target     prot opt source               destination
input_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_lan_src_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_output (1 references)
target     prot opt source               destination
output_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan output rule chain */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_ovpn_dest_ACCEPT (3 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_ovpn_dest_REJECT (1 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_ovpn_forward (1 references)
target     prot opt source               destination
forwarding_ovpn_rule  all  --  anywhere             anywhere             /* !fw3: Custom ovpn forwarding rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_ovpn_dest_REJECT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_ovpn_input (1 references)
target     prot opt source               destination
input_ovpn_rule  all  --  anywhere             anywhere             /* !fw3: Custom ovpn input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_ovpn_src_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_ovpn_output (1 references)
target     prot opt source               destination
output_ovpn_rule  all  --  anywhere             anywhere             /* !fw3: Custom ovpn output rule chain */
zone_ovpn_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_ovpn_src_ACCEPT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_wan_dest_ACCEPT (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_dest_REJECT (1 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_forward (1 references)
target     prot opt source               destination
forwarding_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan forwarding rule chain */
zone_lan_dest_ACCEPT  esp  --  anywhere             anywhere             /* !fw3: Allow-IPSec-ESP */
zone_lan_dest_ACCEPT  udp  --  anywhere             anywhere             udp dpt:isakmp /* !fw3: Allow-ISAKMP */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_wan_dest_REJECT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_input (1 references)
target     prot opt source               destination
input_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan input rule chain */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc /* !fw3: Allow-DHCP-Renew */
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request /* !fw3: Allow-Ping */
ACCEPT     igmp --  anywhere             anywhere             /* !fw3: Allow-IGMP */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_wan_src_REJECT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_output (1 references)
target     prot opt source               destination
output_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan output rule chain */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_src_REJECT (1 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere             /* !fw3 */

Can you send a screenshot after the openvpn client connecting?

Sure.

I’d also attach OpenVPN logs, but I found nothing in /var/logs

Do you not have the internet for the router itself or for the clients connected to the router?

I have a similar problem here

@danger86 Internet works for both clients and router when I disconnect the VPN, when VPN is up internet does not work for both clients and the router.

Is this your own server?

Problem could happen in the server side or in the local side. From your screenshot there is no data at all.

Does the ovpn works in your PC directly?

@alzhao yes, I’m the owner and it works when I connect from my PC directly.

I looked for the gateways: route -n, and there was no gateway for my OpenVPN server. When I add the GW manually, ping starts working:
ip route add 257.257.257.257/32 via 10.213.90.112 dev wwan0

Where 257.257.257.257 is the IP of my OpenVPN server and 10.213.90.112 is the GW for the wwan0 interface. I’ll try to find a bit more elegant solution, since the GW for wwan0 changes every time I reconnect, but, at least, I found the root of the problem.

The problem is that when I connect from my PC, the OpenVPN server gateway is properly pushed to the routing table. I think it’s bug here.

Can you post your ovpn so that we can check the push options.

@alzhao sure.

client
dev tun
proto tcp
remote 257.257.257.257 443
redirect-gateway
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
1234567abcd
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
1234567abcd
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
1234567abcd
-----END PRIVATE KEY-----
</key>
<tls-crypt>
1234567abcd
</tls-crypt>
auth sha256
cipher AES-256-GCM
auth-nocache
compress lzo

I’ll also try to use some 3rd party VPN service/WAN port instead of the 3g/4g modem and let how it works.

When I use my VPN server and WAN port to connect to the internet everything works ok! Any ideas?

Try to change port from 443 to others. Like 1194

Don’t have any idea but seems carrier blocked you. Just do some twisting and try.

Also ssh to the router and get the following when you use 4G and vpn

route
ifstatus wwan

route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         *               128.0.0.0       U     0      0        0 tun0
default         10.128.142.16   0.0.0.0         UG    0      0        0 tun0
10.128.142.0    10.128.142.16   255.255.255.0   UG    0      0        0 tun0
10.128.142.16   *               255.255.255.255 UH    0      0        0 tun0
10.250.249.116  *               255.255.255.252 U     40     0        0 wwan0
128.0.0.0       *               128.0.0.0       U     0      0        0 tun0
172.16.82.0     10.128.142.16   255.255.255.0   UG    0      0        0 tun0
192.168.94.0    *               255.255.255.0   U     0      0        0 br-lan
192.168.147.0   10.128.142.16   255.255.255.0   UG    0      0        0 tun0
212.53.40.0     10.128.142.16   255.255.255.0   UG    0      0        0 tun0

but occasionally all my VPN-related routes disappear, that’s strange.

@alzhao I’m still wondering why it works with the wan port, but does not work with the internal modem.

I see you’re using OpenWrt, maybe I should ask there. Did you modify it to support your devices with multiple WANs/Modems?

All the things you do should be the same in openwrt and we don’t change it.

One more question, did you use vpn policy in the router?

@luochongjun @kyson-lok can you pls have a check of the logs and routes?

there is output of route when I’m using the WAN port.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         *               128.0.0.0       U     0      0        0 tun0
default         10.128.142.16   0.0.0.0         UG    0      0        0 tun0
default         10.248.134.28   0.0.0.0         UG    40     0        0 wwan0
10.128.142.0    10.128.142.16   255.255.255.0   UG    0      0        0 tun0
10.128.142.16   *               255.255.255.255 UH    0      0        0 tun0
10.248.134.24   *               255.255.255.248 U     40     0        0 wwan0
257.257.257.257  192.168.147.1   255.255.255.255 UGH   0      0        0 eth0
128.0.0.0       *               128.0.0.0       U     0      0        0 tun0
172.16.82.0     10.128.142.16   255.255.255.0   UG    0      0        0 tun0
192.168.94.0    *               255.255.255.0   U     0      0        0 br-lan
192.168.147.0   10.128.142.16   255.255.255.0   UG    0      0        0 tun0
192.168.147.0   *               255.255.255.0   U     10     0        0 eth0
212.53.40.0     10.128.142.16   255.255.255.0   UG    0      0        0 tun0

as you can see the GW for my VPN server is configured: 257.257.257.257 via 192.168.147.1

and ifconfig eth0 output

eth0      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          inet addr:192.168.147.123  Bcast:192.168.147.255  Mask:255.255.255.0
          inet6 addr: xxxx::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:617 errors:0 dropped:24 overruns:0 frame:0
          TX packets:285 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:152250 (148.6 KiB)  TX bytes:28880 (28.2 KiB)
          Interrupt:4

Where and how can I configure it?

Also I have strong feeling that eth0 is hardcoded or configured somewhere and that’s why it works.

wwan0     Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          inet addr:10.250.249.117  Bcast:10.250.249.119  Mask:255.255.255.252
          inet6 addr: xxxx::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
          UP BROADCAST RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:118 errors:0 dropped:0 overruns:0 frame:0
          TX packets:120 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:15443 (15.0 KiB)  TX bytes:15171 (14.8 KiB)