[SOLVED] DNS Issues With Beryl AX (GL-MT3000)

I have an issue using the router as OpenVPN client where as soon as it connects to OpenVPN server, the router’s clients stop resolving DNS queries, and nmap confirms that port 53 closes after VPN connection is established. Tried with several VPN configs and 2 providers.

I tried setting the DNS to Auto, Cloudflare, and PiHole (LAN) - no difference, port 53 closed.

This issue is not present when using WireGuard.

There is a similar topic, but it looks like that issue was fixed by updating the firmware. I am using FW v4.2.1, which was upgraded from 4.2 while keeping settings (I kept them because only WiFi passkeys and names were modified).

It looks like a FW bug; my old AR300M works like a charm. I can provide logs if necessary.

Is this with Global Proxy or Auto Detect? Others of us are having similar issues.

1 Like

It turns out to be a bug related to keep-setting sysupgrade.
Run this command in the router terminal:

cp /rom/etc/openvpn/scripts/ovpnclient-up /etc/openvpn/scripts/ovpnclient-up

and toggle the OpenVPN client for a temporary workaround.

Thanks for reporting, will be fixed in next release.

1 Like
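
A way to check for the condition described in the reply above before overwriting anything, as an added example that is not part of the thread or of GL.iNet's firmware: it compares each script in the firmware image under /rom with the live copy kept across the upgrade. The function name `stale_overlay_files` is hypothetical, and the example assumes /rom holds the unmodified copy shipped with the running firmware; a script you edited on purpose will also be reported as DIFFERS.

```shell
#!/bin/sh
# Added example: find files whose live copy no longer matches the copy
# shipped in the firmware image (for instance after a keep-settings upgrade).

# stale_overlay_files ROM_ROOT LIVE_ROOT REL_DIR
# Prints "DIFFERS <path>" or "MISSING <path>" for each regular file directly
# under REL_DIR. Returns 0 if all match, 1 if any differ or are missing,
# 2 if REL_DIR does not exist in the firmware image.
stale_overlay_files() {
    rom_root=$1; live_root=$2; rel_dir=$3
    [ -d "$rom_root/$rel_dir" ] || return 2
    found=0
    # The firmware copy is the reference for the running firmware version.
    for rom_file in "$rom_root/$rel_dir"/*; do
        [ -f "$rom_file" ] || continue
        rel=$rel_dir/${rom_file##*/}
        if [ ! -e "$live_root/$rel" ]; then
            echo "MISSING $rel"; found=1
        elif ! cmp -s "$rom_file" "$live_root/$rel"; then
            echo "DIFFERS $rel"; found=1
        fi
    done
    return $found
}

# On the router this checks the directory named in the reply above.
# It is skipped on machines that have no /rom.
if [ -d /rom/etc/openvpn/scripts ]; then
    stale_overlay_files /rom "" etc/openvpn/scripts || true
fi
```

A `DIFFERS etc/openvpn/scripts/ovpnclient-up` line means the live script is not the one shipped with the installed firmware, which is the case the `cp` workaround addresses.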

@hansome Thanks for help! OpenVPN firewall is working properly now.

I noticed another bug (maybe a feature?) just playing with settings.
My Toggle Switch is set to toggle WireGuard client. When I reboot the router with the switch in OFF (right) position, but WG was enabled from the UI, the router boots up connecting to WG. Not sure if intended that way, but I’d assume the switch position should dictate more permanent router behavior, while starting VPN from the UI should be ephemeral until the reboot.

That’s how it’s designed. Web UI settings are cumbersome, compared to button switches, so web UI adjustments should be permanently saved.

Fair enough.
Comparing to AR300M when I start the VPN connection and leave the switch in OFF position, on next restart VPN will be disabled, that’s how I noticed the difference with this model.

Copying the rom ovpnclient-up command didn’t work for me.

Using global proxy, traffic goes through the tunnel. Good.

Using Auto detect, the client is ignoring the server’s push redirect-gateway command, traffic doesn’t go through the tunnel.

[CODE]
Tue Apr 4 09:00:06 2023 daemon.notice netifd: ovpnclient (6370): * Rule 'wan_in_conn_mark'
Tue Apr 4 09:00:06 2023 daemon.notice netifd: ovpnclient (6370): * Rule 'lan_in_conn_mark_restore'
Tue Apr 4 09:00:06 2023 daemon.notice netifd: ovpnclient (6370): * Rule 'out_conn_mark_restore'
Tue Apr 4 09:00:06 2023 daemon.notice netifd: ovpnclient (6370): * Zone 'lan'
Tue Apr 4 09:00:06 2023 daemon.notice netifd: ovpnclient (6370): * Zone 'wan'
Tue Apr 4 09:00:06 2023 daemon.notice netifd: ovpnclient (6370): * Zone 'guest'
Tue Apr 4 09:00:06 2023 daemon.notice netifd: ovpnclient (6370): * Zone 'ovpnclient'
Tue Apr 4 09:00:06 2023 daemon.notice netifd: ovpnclient (6370): * Set tcp_ecn to off
Tue Apr 4 09:00:06 2023 daemon.notice netifd: ovpnclient (6370): * Set tcp_syncookies to on
Tue Apr 4 09:00:06 2023 daemon.notice netifd: ovpnclient (6370): * Set tcp_window_scaling to on
Tue Apr 4 09:00:06 2023 daemon.notice netifd: ovpnclient (6370): * Running script '/etc/firewall.nat6'
Tue Apr 4 09:00:06 2023 daemon.notice netifd: ovpnclient (6370): * Running script '/etc/firewall.vpn_server_policy.sh'
Tue Apr 4 09:00:06 2023 daemon.notice netifd: ovpnclient (6370): * Running script '/var/etc/gls2s.include'
Tue Apr 4 09:00:06 2023 daemon.notice netifd: ovpnclient (6370): ! Skipping due to path error: No such file or directory
Tue Apr 4 09:00:06 2023 daemon.notice netifd: ovpnclient (6370): * Running script '/usr/bin/gl_block.sh'
Tue Apr 4 09:00:06 2023 user.notice mwan3[7047]: Execute ifup event on interface ovpnclient (ovpnclient)
Tue Apr 4 09:00:07 2023 user.notice mwan3[7047]: Starting tracker on interface ovpnclient (ovpnclient)
Tue Apr 4 09:00:08 2023 daemon.warn ovpnclient[6370]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Apr 4 09:00:08 2023 daemon.notice ovpnclient[6370]: Initialization Sequence Completed
Tue Apr 4 09:00:08 2023 user.notice firewall: Reloading firewall due to ifup of ovpnclient (ovpnclient)
[/CODE]

1 Like

To resolve this issue, you can temporarily remove the --route-noexec option in the file /lib/netifd/proto/ovpnclient.sh.