Hoping this is the correct category for this. I’ve been banging my head against the wall all day trying to figure this out and I’ll try to include as much detail as possible but I may miss something. Quick version is I’m trying to run an OpenVPN connection from my Slate to my home network with the server running on my router (TP Link Omada ER605). When not on the VPN I’m able to connect to the internet but as soon as I connect to the VPN (I am able to access my home network) I lose internet connection. I’m on firmware version 3.212 on my Slate. The longer version is I created an OpenVPN server on my home router then exported the config file. Then on my Slate I’m using my phone as a tether to “simulate” that I’m on an outside network. I then upload the OpenVPN config to the Slate (OpenVPN client), no other changes have been made on the Slate. There have been a couple similar threads but none have really had a concrete solution to the issue, I appreciate any help with this.
I face the same issue on the AR300M (3.212) and on the E750 (3.211). The server is at my house (in an Asus router). The config file has been exported to the AR300M, the E750, my PC (OpenVPN client on Linux Mint) and my Android phone (OpenVPN client app for Android). I can connect to the server successfully with the four devices, unfortunately, with the GL-inet devices I might have a DNS problem that I’m not able to solve. I can browse the internet successfully with only the android phone and the PC. In the GL-inet devices I get the green light for the OpenVPN connection, the log shows successful connection but not being able to browse not using any internet service.
There are three pieces to this. Neither is a Slate client thing.
The first is having your Slate redirect its gateway to the TP Link OpenVPN server. That is done by the TP Link server pushing a redirect command: push “redirect-gateway def1”,
The second is for your TP Link to set up iptables rules that redirect the tunnel traffic to the internet.
The third is for your TP Link to push its DNS resolver to your Slate.
These things should be configurable on the TP Link side; I think there are tutorials for this.
Mango 3.212 snapshot; Beryl 3.212 snapshot; Not affiliated with GL-iNet–just a user
There really aren’t a lot of options on the TP Link side, it’s really basic. I forgot to include it in the post but like Bpz1970, using the same config on the Windows and Android client and it’s working fine. Does that change your thoughts that it’s not a Slate client issue? If not, where should I start looking as it’s my first time trying to set this up.
Check if the problem is with DNS, or with connectivity, by trying to access the following URL from a client PC or phone connected to the GL.iNet router running the OpenVPN client:
https://1.1.1.1/
Also, find out what is the DNS IP address on the client PC or phone. Try setting the DNS to 8.8.8.8 on the client PC or phone.
I do not work for and I do not have formal association with GL.iNet
If you look at this tutorial: How to Setup OpenVPN on TP-Link Routers (Windows) be sure that in Step 5 you select “Internet and home network”. That should handle the iptables stuff, add the change to the default gateway, and push the route to your home network. I can see that it is somewhat limited, because it doesn’t actually suggest that it is pushing (“advertising”) the TP Link DNS server. If you select “home network” then, duh, you don’t get any of that except the route to your home network. Your internet traffic will go out of the client’s own default gateway and not over the tunnel. (That is called split tunneling and is often very useful. You can do that on the fly on the client side if you select the internet and home network option.)
Now, you can’t necessarily tell from your client PC or phone when it is connected as a VPN Client whether it is split tunneling or not. Windows can be using its own routing tables. In a terminal, try a tracert command and see if you are going out of the TPLink default gateway or the Slate default gateway. If it is working right, then it could be the slate.
You would need to get into the Slate’s openvpn log and see if the default gateway is changing and the route is being added.
Full disclosure–I’ve never used openvpn with a TP Link. I’m more familiar with OpenVPN on Asus routers, particularly the Merlin fork.
Trying to access https://1.1.1.1/ fails and changing the DNS to 8.8.8.8 fails as well.
So my VPN options are a bit different than those in that tutorial, I don’t have the “Internet and home network” options. But I do have to bind it to WAN and LAN ports which I think may be similar. Doing a tracert it is going out of my Slate’s default gateway (192.168.8.1). Which brings me to the logs, which I have attached with my public IP redacted. Notable thing to me is the “Linux route add command failed” near the bottom.
Since https://1.1.1.1/ fails, the immediate problem is not with DNS, although DNS may still be an issue afterwards. The System Log contains an error that likely affects connectivity.
Can you install OpenVPN app on your phone and run test with the same config file?
I do not work for and I do not have formal association with GL.iNet
What all do you want me to try from my phone? Going to https://1.1.1.1 is successful with the same config file.
Can you access Internet websites in general (google.com, microsoft.com, facebook.com, etc.) with your phone using the same OpenVPN config fike? If so, then DNS is also working well.
Can you post the config file with the key and certificates removed?
I do not work for and I do not have formal association with GL.iNet
Yes, I am able to access websites using the config file from my phone.
Here is the config file with keys/certificates/public ip removed:
client
dev tun
proto udp
float
nobind
cipher AES-128-CBC
comp-lzo adaptive
resolv-retry infinite
remote-cert-tls server
persist-key
persist-tun
remote public IP 1194
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
The OpenVPN config file looks pretty standard compared to other config files from my GL.iNet router, Asus router and NordVPN provider. The error in the System Log seems the most troubling right now that may require opening a ticket with GL.iNet Support.
I do not work for and I do not have formal association with GL.iNet
The closest relevant information I’ve found on the error is this: " This error doesn’t really mean much on its own. The exit code of 2 simply means the kernel rejected your route for some reason. It could be because you already have a route for that network, it could be because the gateway was not appropriate for the network/subnet, or many other things.
In any case bump up the verbosity you should be able to see more details about what specific route was failing.
Depending on the error you may need to fix your configuration, or just ignore the error. Sometimes the vpn server will offer routes, that your computer already has, or do not apply to your current connection."
This was relating to pfsense so I’m not sure if there is a way to get a more detailed log to see which route is failing.
I took a testing on Slate (firmware 3.212) with Home TP-Link OpenVPN server(Archer C3150). Works fine.
Make sure you selected Internet and Home Network
I just test it on TP-LINK Archer C1200 and Slate 3.212, it works.
Below is my setting.
test in on Slate.
Unfortunately I don’t have that option as I’m using a TP-Link Omada router. I posted a picture of my options above.
Ugh. It looks like the Omada is not well suited to your purpose. I don’t see that there is any alternative firmware for you (DD-wrt, openwrt, tomato), and I don’t see hooks for you to ssh into the router and monkey with stuff with scripts.
Plan A would be to get a different router, plan b would be to try within TP Link support to see what can be done.
What you want to do I’ve done with little difficulty with five different Asus routers over the last 12 years, but they each supported gobs of customization ala openwrt.
Mango 3.212 snapshot; Beryl 3.212 snapshot; Not affiliated with GL-iNet–just a user
You can look into getting another TP-Link wifi travel router to replace the Slate as OpenVPN client to your TP Link Omada ER605. Confirm with TP-Link on which models are “guaranteed” to work.
I do not work for and I do not have formal association with GL.iNet
You may be right, but I still think the problem is with the Omada. It doesn’t have the button that would otherwise do what he wants. I think he should be ditching the Omada for something else.