OpenVPN connects but then internet connection drops on RutOS

Post by sifr » Thu Jan 13, 2022 3:36 pm

I set up my rut950 4g router to connect to a commercial VPN provider and it was working fine until one day it stopped working. To be more specific, the internet connection works, the VPN connection connects but upon connecting, the internet connection then no longer works. I didn't change any settings on the router at the time.

i.e. if I ping from my computer connected to the router's hotspot I have no internet access:

```
[user@client ~]$ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
From 192.168.1.1 icmp_seq=1 Destination Port Unreachable
```

I tried doing a factory reset on the router and then the following different methods:

a) copying the settings from the VPN provider's ovpn file into the router's VPN settings
(openvpn connects but no internet)

b) default ovpn with username and password
(openvpn connects but no internet)

c) default ovpn but with the following two lines added:

```
redirect-gateway def1
dhcp-option DNS 192.168.1.1
```

(openvpn connects but no internet)

SSH into the router
But the router has internet access through the VPN tunnel because if I SSH into the router and ping the internet the pings are successful to both 1.1.1.1 and any website.

I know these requests are going through my VPN tunnel because

```
curl ifconfig.me
```

returns the VPN's IP address in that country.

Option (c) above seems preferable though because if I `curl ifconfig.me` but without the two redirect-gateway lines added to the ovpn config file, curl is not successful in returning an IP:

```
curl: (6) Couldn't resolve host 'ifconfig.me'
```

IP forwarding is enabled on the system:

```
cat /proc/sys/net/ipv4/ip_forward
1
```

AND

`"/etc/sysctl.d/10-default.conf"` contains the following line:

```
net.ipv4.ip_forward=1
```

So then is it a NAT issue?
Because after all, this section in the router's GUI configuration is empty:

Network > Firewall > NAT Rules > Source NAT > "This section contains no values yet"

I'm used to the NAT table in iptables having a rule resembling:

```
iptables -t nat -A POSTROUTING -o [interface] -j MASQUERADE
```

But looking at rutOS' NAT table of the firewall from iptables, it looks like it's designed to be administered through the GUI:

```
$ iptables -L -v -t nat

Chain PREROUTING (policy ACCEPT 98 packets, 5127 bytes)
 pkts bytes target     prot opt in     out     source               destination
   98  5127 prerouting_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom prerouting rule chain */
   98  5127 zone_lan_prerouting  all  --  br-lan any     anywhere             anywhere             /* !fw3 */
    0     0 zone_wan_prerouting  all  --  eth1   any     anywhere             anywhere             /* !fw3 */
    0     0 zone_wan_prerouting  all  --  wwan0  any     anywhere             anywhere             /* !fw3 */
    0     0 zone_wan_prerouting  all  --  qmimux0 any     anywhere             anywhere             /* !fw3 */
    0     0 zone_openvpn_prerouting  all  --  tun_+  any     anywhere             anywhere             /* !fw3 */

Chain INPUT (policy ACCEPT 77 packets, 4035 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 14 packets, 909 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 28 packets, 1323 bytes)
 pkts bytes target     prot opt in     out     source               destination
   35  1749 postrouting_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom postrouting rule chain */
   21   840 zone_lan_postrouting  all  --  any    br-lan  anywhere             anywhere             /* !fw3 */
    0     0 zone_wan_postrouting  all  --  any    eth1    anywhere             anywhere             /* !fw3 */
    0     0 zone_wan_postrouting  all  --  any    wwan0   anywhere             anywhere             /* !fw3 */
    7   426 zone_wan_postrouting  all  --  any    qmimux0  anywhere             anywhere             /* !fw3 */
    0     0 zone_openvpn_postrouting  all  --  any    tun_+   anywhere             anywhere             /* !fw3 */

Chain postrouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_openvpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_openvpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_lan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
   21   840 postrouting_lan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom lan postrouting rule chain */

Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
   98  5127 prerouting_lan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom lan prerouting rule chain */

Chain zone_openvpn_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 postrouting_openvpn_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom openvpn postrouting rule chain */
    0     0 MASQUERADE  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_openvpn_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 prerouting_openvpn_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom openvpn prerouting rule chain */

Chain zone_wan_postrouting (3 references)
 pkts bytes target     prot opt in     out     source               destination
    7   426 postrouting_wan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom wan postrouting rule chain */
    7   426 MASQUERADE  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_wan_prerouting (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 prerouting_wan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom wan prerouting rule chain */
```

OpenVPN .ovpn config file:

```
client
dev tun
proto udp
remote [VPN service provider] 1197
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-256-cbc
auth sha256
tls-client
remote-cert-tls server
auth-user-pass
compress
verb 1
reneg-sec 0
disable-occ

redirect-gateway def1
dhcp-option DNS 192.168.1.1

<crl-verify>
-----BEGIN X509 CRL-----
[text omitted]
-----END X509 CRL-----
</crl-verify>

<ca>
-----BEGIN CERTIFICATE-----
[text omitted]
-----END CERTIFICATE-----
</ca>
```

I'm losing sleep over this, please can anyone help?

Post by TinCanTech » Thu Jan 13, 2022 4:33 pm

Your router needs to do NAT Masquerade. Probably best to check your router manual.
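
One way to check a listing like the one posted above for whether traffic leaving through a given interface reaches a MASQUERADE rule, and how many packets that rule has matched. This is an added example, not part of the thread; the function names `masq_status` and `sample_listing` are made up here, and the sample is an excerpt of the posted listing.

```shell
#!/bin/sh
# Added example (not from the thread): given `iptables -L -v -t nat` output on
# stdin, report the MASQUERADE rule that traffic leaving via IFACE reaches.
# Prints "<chain> <pkts>" or "none". Function names are made up for this example.
masq_status() {
    awk -v ifc="$1" '
        $1 == "Chain"          { chain = $2; next }   # start of a new chain
        $1 == "pkts" || NF < 9 { next }               # column header or blank line
        # columns: pkts bytes target prot opt in out source destination
        chain == "POSTROUTING" && $7 == ifc {
            if ($3 == "MASQUERADE") direct = $1       # rule sits in POSTROUTING itself
            else zone = $3                            # fw3-style jump to a zone chain
        }
        $3 == "MASQUERADE" { masq[chain] = $1 }       # packet counter per chain
        END {
            if (direct != "")      print "POSTROUTING", direct
            else if (zone in masq) print zone, masq[zone]
            else                   print "none"
        }'
}

# Excerpt of the listing posted in the thread (column headers and empty chains trimmed).
sample_listing() {
    cat <<'EOF'
Chain POSTROUTING (policy ACCEPT 28 packets, 1323 bytes)
 pkts bytes target     prot opt in     out     source               destination
   21   840 zone_lan_postrouting  all  --  any    br-lan  anywhere             anywhere             /* !fw3 */
    7   426 zone_wan_postrouting  all  --  any    qmimux0  anywhere             anywhere             /* !fw3 */
    0     0 zone_openvpn_postrouting  all  --  any    tun_+   anywhere             anywhere             /* !fw3 */

Chain zone_lan_postrouting (1 references)
   21   840 postrouting_lan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom lan postrouting rule chain */

Chain zone_openvpn_postrouting (1 references)
    0     0 MASQUERADE  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_wan_postrouting (3 references)
    7   426 MASQUERADE  all  --  any    any     anywhere             anywhere             /* !fw3 */
EOF
}

for i in 'tun_+' qmimux0 br-lan; do
    printf '%-8s -> %s\n' "$i" "$(sample_listing | masq_status "$i")"
done
# On the router itself: iptables -L -v -t nat | masq_status 'tun_+'
```

The nat table only sees the first packet of each connection, so a counter of 0 means no new connection has matched the rule since the counters were last reset. A rule that is present but idle points towards routing or the filter table's forwarding path rather than missing NAT.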

Post by sifr » Mon Jan 17, 2022 10:32 pm

I managed to fix the issue by:

1) doing a factory reset from the web interface (holding the reset button for 5 seconds was insufficient) and then

2) copying the settings from the ovpn (openvpn config) file into the rutOS' web interface VPN settings (method (a) above)
