Trouble connecting to OpenVPN TAP Server

Hi, I’m having a similar situation, just with a GL-AR750S acting as OpenVPN client and connecting to an OpenVPN server in TAP mode. Right now I have managed to establish the connection, but I still have some trouble using the VPN from a device connected to the GL-AR750S and I thought that you might be able to help.
The setup:

  • 2GHz wifi of GL-AR750S connected to some internet cafe (it gets, e.g., the IP 10.130.222.1)
  • 5GHz wifi of GL-AR750S connected to my Android phone (my phone gets the IP 192.168.8.130; this IP is needed to operate and use the GUI of the GL-AR750S)
  • OpenVPN to a server is started, it connects, and the IP is 10.100.140.1.

Now from my phone I can access the local computers of the OpenVPN connection, 10.100.140.xxx, but not the Internet through this tunnel.
Do I need to deactivate DHCP? But if I do, how do I connect to the GL-AR750S the next time the VPN connection is lost or not active?
Thank you.

You can ssh to the router and execute these commands:

ifconfig
ip route show
mwan3 status
cat /etc/config/network

Hi thanks,
I ran those commands and it is a lot of data; how shall I send it to you?

I had a typo in my previous post, as I did not have the numbers in front of me; the correct OpenVPN IP is 10.111.240.1.

So the remote PCs at 10.111.240.xxx I can access when connecting my phone to the gl-inet router, which has a VPN connection to the remote OpenVPN server.

Looks like all other traffic, DNS, etc., is staying in the gl-inet router, 10.130.222.109 or 192.168.8.0.

This is how I see the attributed IPs on the devices:

wifi-hotspot:
IP 10.130.222.109
Mask 255.255.254.0
Gateway 10.130.222.1
DNS 10.32.20.98

OpenVPN client:
IP 10.111.240.200

Android Phone:
IP 192.168.8.131
Mask 255.255.255.0
Gateway 192.168.8.1
DNS 192.168.8.

I think the main part of the issue could be in the routes:

root@GL-AR750S:~# ip route show

0.0.0.0/1 dev tap0 scope link
default via 10.130.222.1 dev wlan-sta proto static src 10.130.222.109 metric 20
10.111.240.0/20 dev tap0 proto kernel scope link src 10.111.240.200
10.130.222.0/23 dev wlan-sta proto static scope link metric 20
128.0.0.0/1 dev tap0 scope link
188.193.117.137 via 10.130.222.1 dev wlan-sta
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1

root@GL-AR750S:~# ifconfig

br-lan Link encap:Ethernet HWaddr E4:95:6E:45:9C:4F
inet addr:192.168.8.1 Bcast:192.168.8.255 Mask:255.255.255.0
inet6 addr: fd2f:82f5:9885:10::1/60 Scope:Global
inet6 addr: fe80::e695:6eff:fe45:9c4f/64 Scope:Link

eth0 Link encap:Ethernet HWaddr E4:95:6E:45:9C:4E
inet6 addr: fe80::e695:6eff:fe45:9c4e/64 Scope:Link

eth0.1 Link encap:Ethernet HWaddr E4:95:6E:45:9C:4E

eth0.2 Link encap:Ethernet HWaddr E4:95:6E:45:9C:4E
inet6 addr: fe80::e695:6eff:fe45:9c4e/64 Scope:Link

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host

tap0 Link encap:Ethernet HWaddr B2:34:FA:01:F1:E5
inet addr:10.111.240.200 Bcast:10.111.255.255 Mask:255.255.240.0
inet6 addr: fe80::b034:faff:fe01:f1e5/64 Scope:Link

wlan-sta Link encap:Ethernet HWaddr E4:95:6E:45:9C:4E
inet addr:10.130.222.109 Bcast:10.130.223.255 Mask:255.255.254.0
inet6 addr: fe80::e695:6eff:fe45:9c4e/64 Scope:Link

wlan0 Link encap:Ethernet HWaddr E4:95:6E:45:9C:4F
inet6 addr: fe80::e695:6eff:fe45:9c4f/64 Scope:Link

wlan1 Link encap:Ethernet HWaddr E6:95:6E:45:9C:4E
inet6 addr: fe80::e495:6eff:fe45:9c4e/64 Scope:Link

(I removed the extra lines about the packets, beginning with UP “BROADCAST RUNNING MULTICAST”)

You can send it as an attachment.

I checked the output; it seems all is fine. But you didn’t show the mwan3 output here.

Hi
I finally managed to get other traffic (e.g. the Internet) across the VPN, besides the access to remote computers on the local network.

Solution
Using the following option in the client.ovpn configuration file, as I did not have an equivalent “push” command on the server side, made the required changes to the route table:

redirect-gateway def1 bypass-dhcp bypass-dns

The effect on the table is marked in bold below:

--WORKING--
root@GL-AR750S:~# route -n

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.111.248.1 128.0.0.0 UG 0 0 0 tap0
0.0.0.0 10.130.222.1 0.0.0.0 UG 20 0 0 wlan-sta
10.111.240.0 0.0.0.0 255.255.240.0 U 0 0 0 tap0
10.130.222.0 0.0.0.0 255.255.254.0 U 20 0 0 wlan-sta
128.0.0.0 10.111.248.1 128.0.0.0 UG 0 0 0 tap0
188.193.117.137 10.130.222.1 255.255.255.255 UGH 0 0 0 wlan-sta
192.168.8.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan

Remark: 10.111.248.1 is the gateway and the DNS server on the remote local network that is accessible through the VPN connection.

Table before the command, --NOT WORKING--:

root@GL-AR750S:~# netstat -rn

Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 0.0.0.0 128.0.0.0 U 0 0 0 tap0
0.0.0.0 10.130.222.1 0.0.0.0 UG 0 0 0 wlan-sta
10.111.240.0 0.0.0.0 255.255.240.0 U 0 0 0 tap0
10.130.222.0 0.0.0.0 255.255.254.0 U 0 0 0 wlan-sta
128.0.0.0 0.0.0.0 128.0.0.0 U 0 0 0 tap0
188.193.117.137 10.130.222.1 255.255.255.255 UGH 0 0 0 wlan-sta
192.168.8.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan

Anyway, here is the mwan3 output from yesterday, before the change; maybe something else must still be corrected:

root@GL-AR750S:~# mwan3 status

Interface status:
interface wan is unknown and tracking is down
interface wwan is offline and tracking is active
interface tethering is unknown and tracking is down
interface modem_1_1 is unknown and tracking is down

Current ipv4 policies:
default_poli:
default

Current ipv6 policies:
default_poli:
default

Directly connected ipv4 networks:
188.193.117.137
0.0.0.0/1
192.168.8.1
128.0.0.0/1
10.130.222.109
10.111.240.200
10.111.255.255
127.255.255.255
10.111.240.0
10.111.240.0/20
224.0.0.0/3
10.130.222.0
127.0.0.1
10.130.223.255
192.168.8.255
192.168.8.0
192.168.8.0/24
127.0.0.0
10.130.222.0/23
127.0.0.0/8

Directly connected ipv6 networks:
fd2f:82f5:9885:10::/64
fe80::/64

Active ipv4 user rules:
0 0 - default_poli all -- * * 0.0.0.0/0 0.0.0.0/0

Active ipv6 user rules:
537 100K - default_poli all * * ::/0 ::/0

root@GL-AR750S:~#
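As an added illustration (not code from the thread or from GL.iNet), a small Python check that parses `ip route show` output and flags the failure mode described in this post: def1 half-routes on the TAP interface that have no gateway. The sample tables are constructed from the before/after routing tables above and the interface name `tap0` is assumed.

```python
import re
from dataclasses import dataclass

# One line of `ip route show`: "<dst> [via <gw>] dev <iface> ..."
ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?:\s+via\s+(?P<gw>\S+))?\s+dev\s+(?P<dev>\S+)")
DEF1_HALVES = ("0.0.0.0/1", "128.0.0.0/1")  # the two routes redirect-gateway def1 installs

@dataclass
class Route:
    dst: str
    gw: "str | None"  # None for "scope link" routes, which carry no next hop
    dev: str

def parse_ip_route(text: str) -> list:
    routes = []
    for line in text.strip().splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            dst = "0.0.0.0/0" if m["dst"] == "default" else m["dst"]
            routes.append(Route(dst, m["gw"], m["dev"]))
    return routes

def check_def1(routes: list, vpn_dev: str = "tap0") -> tuple:
    """Decide whether Internet traffic can actually leave through the TAP tunnel."""
    halves = {r.dst: r for r in routes if r.dst in DEF1_HALVES and r.dev == vpn_dev}
    missing = [h for h in DEF1_HALVES if h not in halves]
    if missing:
        return False, f"def1 split incomplete on {vpn_dev}, missing {missing}"
    without_gw = [h for h in DEF1_HALVES if halves[h].gw is None]
    if without_gw:
        # A gateway-less half-default route on an Ethernet-style TAP interface makes the kernel
        # ARP for every Internet address as if it were on the remote LAN; nothing answers there.
        return False, f"def1 routes {without_gw} have no gateway on {vpn_dev}"
    gws = {halves[h].gw for h in DEF1_HALVES}
    if len(gws) != 1:
        return False, f"def1 halves disagree on the gateway: {sorted(gws)}"
    return True, f"Internet traffic goes via {gws.pop()} on {vpn_dev}"

# Sample tables constructed from the before/after tables in this thread (not captured output).
BEFORE = """\
0.0.0.0/1 dev tap0 scope link
10.111.240.0/20 dev tap0 proto kernel scope link src 10.111.240.200
128.0.0.0/1 dev tap0 scope link
"""
AFTER = """\
0.0.0.0/1 via 10.111.248.1 dev tap0
10.111.240.0/20 dev tap0 proto kernel scope link src 10.111.240.200
128.0.0.0/1 via 10.111.248.1 dev tap0
"""
```

On the router itself the same check can be fed the live table with `ip route show` piped into `parse_ip_route`.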

Glad to hear you solved this issue.

Actually, we had dealt with the situation where the server doesn’t push def1 to the client, but it is missing the gateway.

It is a bug, thank you!