Openvpn – OpenWRT + OpenVPN – connection to the VPN succeeds but can’t ping LAN, can’t ping outside

Tags: networking, openvpn, openwrt, vpn

I'm setting up a VPN connection using the OpenVPN client on OpenWrt. The client connects to the server, but I can't ping any network hosts using the tun0 interface.

Ping Examples:

ping -I tun0 192.168.1.252
PING 192.168.1.252 (192.168.1.252): 56 data bytes
ping: sendto: No such device

ping -I tun0 google.it
ping: bad address 'google.it'

Details:

Local network: 192.168.1.0/24
Local network gateway: 192.168.1.252

ifconfig:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
      inet addr:10.86.0.42  P-t-P:10.86.0.41  Mask:255.255.255.255
      inet6 addr: fe80::54b9:1a92:10b8:9975/64 Scope:Link
      UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
      RX packets:0 errors:0 dropped:0 overruns:0 frame:0
      TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:100 
      RX bytes:0 (0.0 B)  TX bytes:304 (304.0 B)

openwrt log:

Mon Sep 23 19:46:29 2019 daemon.notice openvpn(expressvpn)[1366]: [Server-2720-0a] Inactivity timeout (--ping-restart), restarting
Mon Sep 23 19:46:29 2019 daemon.notice openvpn(expressvpn)[1366]: SIGUSR1[soft,ping-restart] received, process restarting
Mon Sep 23 19:46:29 2019 daemon.notice openvpn(expressvpn)[1366]: Restart pause, 5 second(s)
Mon Sep 23 19:46:34 2019 daemon.notice openvpn(expressvpn)[1366]: TCP/UDP: Preserving recently used remote address: [AF_INET]185.183.105.195:1195
Mon Sep 23 19:46:34 2019 daemon.notice openvpn(expressvpn)[1366]: Socket Buffers: R=[163840->327680] S=[163840->327680]
Mon Sep 23 19:46:34 2019 daemon.notice openvpn(expressvpn)[1366]: UDP link local: (not bound)
Mon Sep 23 19:46:34 2019 daemon.notice openvpn(expressvpn)[1366]: UDP link remote: [AF_INET]185.183.105.195:1195
Mon Sep 23 19:46:34 2019 daemon.notice openvpn(expressvpn)[1366]: TLS: Initial packet from [AF_INET]185.183.105.195:1195, sid=34c1a1c3 38782ada
Mon Sep 23 19:46:34 2019 daemon.notice openvpn(expressvpn)[1366]: VERIFY OK: .....censored.....
Mon Sep 23 19:46:34 2019 daemon.notice openvpn(expressvpn)[1366]: VERIFY KU OK
Mon Sep 23 19:46:34 2019 daemon.notice openvpn(expressvpn)[1366]: Validating certificate extended key usage
Mon Sep 23 19:46:34 2019 daemon.notice openvpn(expressvpn)[1366]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Sep 23 19:46:34 2019 daemon.notice openvpn(expressvpn)[1366]: VERIFY EKU OK
Mon Sep 23 19:46:34 2019 daemon.notice openvpn(expressvpn)[1366]: VERIFY OK: .....censored.....
Mon Sep 23 19:46:35 2019 daemon.warn openvpn(expressvpn)[1366]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1602', remote='link-mtu 1606'
Mon Sep 23 19:46:35 2019 daemon.warn openvpn(expressvpn)[1366]: WARNING: 'mtu-dynamic' is present in remote config but missing in local config, remote='mtu-dynamic'
Mon Sep 23 19:46:35 2019 daemon.notice openvpn(expressvpn)[1366]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Sep 23 19:46:35 2019 daemon.notice openvpn(expressvpn)[1366]: [Server-2720-0a] Peer Connection Initiated with [AF_INET]185.183.105.195:1195
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: SENT CONTROL [Server-2720-0a]: 'PUSH_REQUEST' (status=1)
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.86.0.1,comp-lzo no,route 10.86.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.86.0.46 10.86.0.45,peer-id 10,cipher AES-256-GCM'
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: OPTIONS IMPORT: timers and/or timeouts modified
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: OPTIONS IMPORT: compression parms modified
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: OPTIONS IMPORT: --ifconfig/up options modified
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: OPTIONS IMPORT: route options modified
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: OPTIONS IMPORT: peer-id set
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: OPTIONS IMPORT: adjusting link_mtu to 1625
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: OPTIONS IMPORT: data channel crypto options modified
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: NCP: overriding user-set keysize with default
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: Preserving previous TUN/TAP instance: tun0
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: /sbin/route del -net 10.86.0.1 netmask 255.255.255.255
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: /sbin/route del -net 185.183.105.195 netmask 255.255.255.255
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: /sbin/route del -net 0.0.0.0 netmask 128.0.0.0
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: /sbin/route del -net 128.0.0.0 netmask 128.0.0.0
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: Closing TUN/TAP interface
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: /sbin/ifconfig tun0 0.0.0.0
Mon Sep 23 19:46:36 2019 daemon.notice netifd: Network device 'tun0' link is down
Mon Sep 23 19:46:36 2019 daemon.notice netifd: Interface 'expressevpn' has link connectivity loss
Mon Sep 23 19:46:36 2019 daemon.notice netifd: Interface 'expressevpn' is now down
Mon Sep 23 19:46:36 2019 daemon.notice netifd: Interface 'expressevpn' is disabled
Mon Sep 23 19:46:37 2019 daemon.notice openvpn(expressvpn)[1366]: TUN/TAP device tun0 opened
Mon Sep 23 19:46:37 2019 daemon.notice openvpn(expressvpn)[1366]: TUN/TAP TX queue length set to 100
Mon Sep 23 19:46:37 2019 daemon.notice openvpn(expressvpn)[1366]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Sep 23 19:46:37 2019 daemon.notice openvpn(expressvpn)[1366]: /sbin/ifconfig tun0 10.86.0.46 pointopoint 10.86.0.45 mtu 1500
Mon Sep 23 19:46:37 2019 daemon.notice netifd: Interface 'expressevpn' is enabled
Mon Sep 23 19:46:37 2019 daemon.notice netifd: Interface 'expressevpn' is setting up now
Mon Sep 23 19:46:37 2019 daemon.notice netifd: Interface 'expressevpn' is now up
Mon Sep 23 19:46:37 2019 daemon.notice netifd: Network device 'tun0' link is up
Mon Sep 23 19:46:37 2019 daemon.notice netifd: Interface 'expressevpn' has link connectivity
Mon Sep 23 19:46:37 2019 user.notice firewall: Reloading firewall due to ifup of expressevpn (tun0)
Mon Sep 23 19:46:37 2019 daemon.err openvpn(expressvpn)[1366]: write UDP: Operation not permitted (code=1)
Mon Sep 23 19:46:37 2019 daemon.err openvpn(expressvpn)[1366]: write UDP: Operation not permitted (code=1)
Mon Sep 23 19:46:39 2019 daemon.notice openvpn(expressvpn)[1366]: /sbin/route add -net 185.183.105.195 netmask 255.255.255.255 gw 192.168.1.252
Mon Sep 23 19:46:39 2019 daemon.notice openvpn(expressvpn)[1366]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.86.0.45
Mon Sep 23 19:46:39 2019 daemon.notice openvpn(expressvpn)[1366]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.86.0.45
Mon Sep 23 19:46:39 2019 daemon.notice openvpn(expressvpn)[1366]: /sbin/route add -net 10.86.0.1 netmask 255.255.255.255 gw 10.86.0.45
Mon Sep 23 19:46:39 2019 daemon.notice openvpn(expressvpn)[1366]: Initialization Sequence Completed

/etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config rule
        option name 'Allow-DHCP-Renew'
        ....

config rule
        option name 'Allow-Ping'
        ....

config rule
        option name 'Allow-IGMP'
        ...

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        .....

config rule
        option name 'Allow-MLD'
        ...

config rule
        option name 'Allow-ICMPv6-Input'
        .....

config rule
        option name 'Allow-ICMPv6-Forward'
        ....

config rule
        option name 'Allow-IPSec-ESP'
        ....

config rule
        option name 'Allow-ISAKMP'
        ....

config include
        option path '/etc/firewall.user'

config forwarding
        option dest 'wan'
        option src 'lan'

config zone
        option name 'vpn'
        option output 'ACCEPT'
        option device 'tun0'
        option masq '1'
        option mtu_fix '1'
        option network 'expressevpn'
        option input 'REJECT'
        option forward 'REJECT'

config forwarding
        option dest 'vpn'
        option src 'lan'

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdbb:c451:1704::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.252'
        option dns '8.8.8.8'
        option stp '1'
        option ifname 'eth0.1 eth0.2'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr '50:64:2b:b4:6f:18'

config interface 'wan'
        option proto 'dhcp'
        option type 'bridge'
        option clientid 'root'
        option ifname 'eth0.2'

config interface 'wan6'
        option proto 'dhcpv6'
        option ifname 'eth0'
        option reqaddress 'try'
        option reqprefix 'auto'
        option clientid 'root'
        option auto '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'

config interface 'expressevpn'
        option proto 'static'
        option delegate '0'
        option ifname 'tun0'

openvpn conf:

config openvpn 'expressvpn'
    option dev 'tun'
    option reneg_sec '0'
    option verb '3'
    option persist_key '1'
    option nobind '1'
    option persist_tun '1'
    option client '1'
    option remote_cert_tls 'server'
    option fast_io '1'
    option route_delay '2'
    option tun_mtu '1500'
    option sndbuf '524288'
    option rcvbuf '524288'
    option pull '1'
    list remote '......'
    option remote_random '1'
    option auth_user_pass '/etc/openvpn/userpass.txt'
    option tls_client '1'
    option cipher 'AES-256-CBC'
    option keysize '256'
    option auth 'SHA512'
    option key_direction '1'
    option tls_auth '/etc/openvpn/tlsauth.key'
    option port '1195'
    option enabled '1'
    option ca '/etc/luci-uploads/cbid.openvpn.expressvpn.ca'
    option cert '/etc/luci-uploads/cbid.openvpn.expressvpn.cert'
    option key '/etc/luci-uploads/cbid.openvpn.expressvpn.key'
    option redirect_gateway 'def1'

ip route:

0.0.0.0/1 via 10.86.0.41 dev tun0
default via 192.168.1.252 dev br-lan
10.86.0.1 via 10.86.0.41 dev tun0
10.86.0.41 dev tun0 scope link  src 10.86.0.42
128.0.0.0/1 via 10.86.0.41 dev tun0
185.183.105.195 via 192.168.1.252 dev br-lan
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1

I apologize, but I am not very familiar with this area, so there could be completely incorrect settings.

Best Answer

The VPN server is redirecting your default gateway to the VPN. That's why you can't access anything from within your local network and only what the VPN server lets you access.

You can use one of the methods described in the OpenVPN community wiki to ignore the redirection of your gateway.

Either by filtering out the pushed option in openvpn.conf:

pull-filter ignore redirect-gateway

The second option is to ignore all routes pushed from the server in openvpn.conf:

route-noexec

or

route-nopull

The last option is to overwrite the default route using routes with higher priority:

route 0.0.0.0 192.0.0.0 192.168.1.252
route 64.0.0.0 192.0.0.0 192.168.1.252
route 128.0.0.0 192.0.0.0 192.168.1.252
route 192.0.0.0 192.0.0.0 192.168.1.252

You can set the routes as described in the UCI networking cheat sheet.
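As an added illustration (not part of the question or the answer), the following script performs a kernel-style longest-prefix-match lookup over the question's own `ip route` table, once as pushed by `redirect-gateway def1` and once with the answer's four `/2` override routes added. It shows why the two pushed `/1` routes swallow all traffic, why the `/2` routes win it back for the LAN gateway, and that more specific entries (the VPN server's `/32`, the pushed `10.86.0.1/32`, the on-link LAN) are untouched by either. Assumption: the added routes land on `br-lan`, since 192.168.1.252 is the LAN gateway.

```python
import ipaddress

# Routing table copied from the question's `ip route` output (constructed data):
# (prefix, gateway or None when on-link, device).
KERNEL_ROUTES = [
    ("0.0.0.0/1", "10.86.0.41", "tun0"),               # pushed by redirect-gateway def1
    ("0.0.0.0/0", "192.168.1.252", "br-lan"),          # original default route
    ("10.86.0.1/32", "10.86.0.41", "tun0"),            # pushed 'route 10.86.0.1' (VPN DNS)
    ("10.86.0.41/32", None, "tun0"),                   # tun0 point-to-point peer
    ("128.0.0.0/1", "10.86.0.41", "tun0"),             # pushed by redirect-gateway def1
    ("185.183.105.195/32", "192.168.1.252", "br-lan"), # VPN server, pinned to LAN gateway
    ("192.168.1.0/24", None, "br-lan"),                # local LAN, on-link
]

# The answer's override directives, verbatim. 192.0.0.0 is a 2-bit netmask,
# so each covers one quarter of the IPv4 space and beats the pushed /1 routes.
OVERRIDE_DIRECTIVES = [
    "route 0.0.0.0 192.0.0.0 192.168.1.252",
    "route 64.0.0.0 192.0.0.0 192.168.1.252",
    "route 128.0.0.0 192.0.0.0 192.168.1.252",
    "route 192.0.0.0 192.0.0.0 192.168.1.252",
]


def parse_route_directive(line):
    """Parse an OpenVPN 'route <network> <netmask> <gateway>' line into
    (ip_network, gateway). ipaddress accepts a dotted netmask after '/'."""
    parts = line.split()
    if len(parts) != 4 or parts[0] != "route":
        raise ValueError(f"unsupported route directive: {line!r}")
    return ipaddress.ip_network(f"{parts[1]}/{parts[2]}"), parts[3]


def build_table(directives=(), override_dev="br-lan"):
    """Kernel table plus extra OpenVPN route directives. Placing the added
    routes on br-lan is an assumption (192.168.1.252 is the LAN gateway)."""
    table = [(ipaddress.ip_network(p), gw, dev) for p, gw, dev in KERNEL_ROUTES]
    for line in directives:
        net, gw = parse_route_directive(line)
        table.append((net, gw, override_dev))
    return table


def lookup(table, dst):
    """Longest-prefix match as the kernel does it. Returns (prefix, gateway, dev);
    gateway is None for on-link destinations."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, dev in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return str(best[0]), best[1], best[2]


if __name__ == "__main__":
    pushed = build_table()
    fixed = build_table(OVERRIDE_DIRECTIVES)
    for dst in ("8.8.8.8", "185.183.105.195", "10.86.0.1", "192.168.1.252"):
        print(dst, "pushed:", lookup(pushed, dst), "overridden:", lookup(fixed, dst))
```

The `/2` approach keeps the tunnel usable for destinations the server routes explicitly, while everything else leaves through br-lan again; `pull-filter ignore redirect-gateway` achieves the same end by never installing the two `/1` routes in the first place.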