
Travison

Occasional Visitor
I'm having trouble with OpenVPN server on my new router. I was using AC68U before and had an OpenVPN server running on it. At first I couldn't understand why the internet wasn't working on clients when advertising local DNS to them until I figured I had to set client access to BOTH instead of internet only. It makes sense that clients need access to the LAN to access a local DNS server.

I bought a new router now, AX88U, and am trying to set up an identical server but having the same problem: once I advertise DNS to clients they can't access the internet, but this time I'm using client access set to both. So I'm pretty stumped on why it's not working. Perhaps some error in the firewall or routing table in the latest firmware, causing it not to allow access when it should?

Both routers are using up to date firmware, although the 68U is now a slave node in AiMesh.
 
This setting works well for me.
Running Server 1 for TAP/TCP, Server 2 for TUN/UDP, both on port 443.
 

Attachments

  • OpenVPN.png
I started out with basic config, server 1 and server 2, the only difference between them is one advertises DNS and the other doesn't.

In both cases clients can connect, but the client that gets the local DNS can't surf the internet.
 
Try explicitly pushing a public DNS server to the clients, instead of pushing the router's own IP. In the Custom settings for the server:

Code:
push "dhcp-option DNS 8.8.8.8"

And disable the option to Advertise DNS to clients.
 
Thank you for the reply RMerlin!

By default if I don't advertise DNS it uses 8.8.8.8 and works fine on the clients. I tried pushing 1.1.1.1 and that works as well. It only seems to not work when advertising my local DNS on the router, which I kind of want to do because of the block list file.
 

This is a bug, the firewall blocks entire LAN access when the OpenVPN server is set to "Internet-only", so that means access to the router's DNS caching resolver is also blocked.

I already have a fix in the pipeline for this, as well as further enhancements. For instance, people configuring a custom DNS server on the router's DHCP settings page will also have these pushed to OpenVPN clients - just like with regular LAN clients. Note: these are not to be confused with the WAN DNS settings.

One temporary fix would be for you to push the OpenVPN server's IP address instead of 8.8.8.8. So, leave "Advertise DNS" disabled, and have something like this (adjust according to your VPN server's subnet):

Code:
push "dhcp-option DNS 10.8.0.1"

Second VPN server would normally be 10.16.0.1 if you kept the default values.
 
My settings are not on "Internet-Only" but on "Both".

I remember on my previous router I had set it to Internet-Only and therefore could not access the local DNS so I set it to "Both" for it to work. On this router that doesn't seem to be working, neither "Internet-Only" or "Both" seem to give access to the local DNS.

Normally when I select "Advertise DNS to clients" it sets it to 192.168.x.x network. I checked if it would work using the VPN network by pushing 10.8.0.1 and 10.16.0.1 like you suggested and that still doesn't work, the client receives the DNS command but can't reach/use it.
 
It doesn't seem to be a firewall or a routing issue, the VPN clients can ping the router on both 10.16.0.1 and the 192.168.x.x network.

Pinging 1.1.1.1 works, while connected to VPN.
When I try to access a website, the site does not load.
When I try accessing an IP address in the browser address bar the page does not load. However, strangely enough, the IP in the address bar changes to the hostname, like it gets resolved.

I am stumped. Could it be any of the following DNS settings in WAN section interfering?
"Enable DNSSEC support"
"Enable DNS Rebind protection"
"Validate unsigned DNSSEC replies"
"Prevent client auto DoH"
"DNS Privacy Protocol"
"DNS-over-TLS Profile"
 
Then you now have a different issue from your original one. The one I just fixed is related to the very first paragraph you wrote in this thread (failure to use the DNS when setting it to Internet-only).

Test the DNS with nslookup to see if you can communicate with it through the tunnel.
 
While connected to VPN:
Pinging my address and the router's address on the 10.x.x.x and 192.168.x.x networks works.
Pinging 1.1.1.1 works.
Nslookup using the router IP address (either 10.x.x.x or 192.168.x.x) does not work: "DNS request timed out; timeout was 2 seconds." (nslookup google.com 10.8.0.1).
Nslookup using 1.1.1.1 as the server works (nslookup google.com 1.1.1.1).
 
What's in your firewall rules?

Code:
iptables -L -vn
 
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
104 14721 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1195
0 0 DROP icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 icmptype 8
901 162K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
130 13088 PTCSRVWAN all -- !br0 * 0.0.0.0/0 0.0.0.0/0
111 6833 PTCSRVLAN all -- br0 * 0.0.0.0/0 0.0.0.0/0
111 6833 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
59 8115 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
71 4973 OVPN all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
0 0 INPUT_ICMP icmp -- * * 0.0.0.0/0 0.0.0.0/0
6 768 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
373 122K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 128 other2wan all -- !br0 eth0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
18 876 NSFW all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
18 876 OVPN all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
16 748 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1093 packets, 783K bytes)
pkts bytes target prot opt in out source destination
21 1563 OUTPUT_DNS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 u32 "0x0>>0x16&0x3c@0x8>>0xf&0x1=0x0"
0 0 OUTPUT_DNS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x8>>0xf&0x1=0x0"
1093 783K OUTPUT_IP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ACCESS_RESTRICTION (0 references)
pkts bytes target prot opt in out source destination

Chain DNSFILTER_DOT (0 references)
pkts bytes target prot opt in out source destination

Chain FUPNP (0 references)
pkts bytes target prot opt in out source destination

Chain INPUT_ICMP (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 13
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0

Chain NSFW (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP ah -- br0 eth0 0.0.0.0/0 0.0.0.0/0
0 0 DROP esp -- br0 eth0 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- br0 eth0 0.0.0.0/0 0.0.0.0/0 udp dpt:4500
0 0 DROP udp -- br0 eth0 0.0.0.0/0 0.0.0.0/0 udp dpt:500
0 0 DROP udp -- br0 eth0 0.0.0.0/0 0.0.0.0/0 udp dpt:1701
0 0 DROP 47 -- br0 eth0 0.0.0.0/0 0.0.0.0/0
0 0 DROP tcp -- br0 eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723
 
Chain OUTPUT_DNS (2 references)
pkts bytes target prot opt in out source destination
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|10706f697579747975696f706b6a666e6603636f6d00|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0d72666a656a6e666a6e65666a6503636f6d00|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|1131306166646d617361787373736171726b03636f6d00|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0f376d667364666173646d6b676d726b03636f6d00|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0d386d617361787373736171726b03636f6d00|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0f3966646d617361787373736171726b03636f6d00|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|1265666274686d6f6975796b6d6b6a6b6a677403636f6d00|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|086861636b7563647403636f6d00|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|076c696e77756469056633333232036e657400|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0f6c6b6a68676664736174727975696f03636f6d00|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0b6d6e627663787a7a7a313203636f6d00|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|077131313133333303746f7000|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|057371353230056633333232036e657400|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|077563746b6f6e6503636f6d00|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0e7a786376626d6e6e666a6a66777103636f6d00|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0a65756d6d6167766e627003636f6d00|" ALGO name bm TO 65535 ICASE

Chain OUTPUT_IP (1 references)
pkts bytes target prot opt in out source destination
0 0 logdrop_ip all -- * * 0.0.0.0/0 193.201.224.0/24

Chain OVPN (2 references)
pkts bytes target prot opt in out source destination
67 4333 ACCEPT all -- tun21 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun22 * 0.0.0.0/0 0.0.0.0/0

Chain PControls (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain PTCSRVLAN (1 references)
pkts bytes target prot opt in out source destination

Chain PTCSRVWAN (1 references)
pkts bytes target prot opt in out source destination

Chain SECURITY (0 references)
pkts bytes target prot opt in out source destination
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x02 limit: avg 1/sec burst 5
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x02
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x04 limit: avg 1/sec burst 5
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x04
0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec burst 5
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain default_block (0 references)
pkts bytes target prot opt in out source destination

Chain logaccept (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix "ACCEPT "
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix "DROP "
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain logdrop_dns (16 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 7 level 4 prefix "DROP_DNS "
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain logdrop_ip (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 7 level 4 prefix "DROP_IP "
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain other2wan (1 references)
pkts bytes target prot opt in out source destination
2 128 RETURN all -- tun+ * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
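As an added example (not code posted in this thread, and not part of Asuswrt-Merlin), the following Python script does two of the checks discussed above in one place: it decodes the hex `STRING match` patterns in the OUTPUT_DNS chain, which are DNS wire-format names, into the domain names that chain drops, and it reproduces the `nslookup google.com 10.8.0.1` test from the earlier post with a raw UDP query and the same 2-second timeout, so a resolver that never answers can be told apart from one that answers with an error. The two rule lines embedded in it are copied from the output above; the sample DNS response and the 192.0.2.10 address are constructed for the offline demonstration, and `lookup()` is assumed to be run from a client connected to the tunnel.

```python
"""Decode iptables STRING-match DNS names and run a minimal nslookup-style query.
Added example; the rule text is copied from the thread, the response is constructed."""
import re
import socket
import struct
from typing import List, Optional, Tuple

# Two lines copied from the OUTPUT_DNS chain in the thread's `iptables -L -vn` output.
SAMPLE_RULES = """\
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|086861636b7563647403636f6d00|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|076c696e77756469056633333232036e657400|" ALGO name bm TO 65535 ICASE
"""

HEX_PATTERN = re.compile(r'STRING match "\|([0-9a-fA-F]+)\|"')


def decode_wire_name(data: bytes, offset: int = 0) -> Tuple[str, int]:
    """Decode an RFC 1035 label sequence starting at offset.
    Follows compression pointers (0xC0xx) so it also works inside responses.
    Returns (dotted name, offset of the byte after the name in the original stream)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:  # root label terminates the name
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def blocked_domains(iptables_output: str) -> List[str]:
    """Return the domain names matched by the STRING rules in the given iptables listing."""
    names = []
    for match in HEX_PATTERN.finditer(iptables_output):
        name, _ = decode_wire_name(bytes.fromhex(match.group(1)))
        names.append(name)
    return names


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard recursive A query (flags 0x0100) for name, as nslookup does."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def parse_a_answers(response: bytes, txid: int = 0x1234) -> List[str]:
    """Return the IPv4 addresses from A records in a response.
    Raises on a transaction-id mismatch or a non-zero RCODE (e.g. NXDOMAIN, REFUSED)."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = decode_wire_name(response, offset)
        offset += 4
    addrs = []
    for _ in range(ancount):
        _, offset = decode_wire_name(response, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(response[offset:offset + 4]))
        offset += rdlen
    return addrs


def lookup(name: str, server: str, timeout: float = 2.0) -> Optional[List[str]]:
    """Send the query to server:53 over UDP. None means the same timeout nslookup reported."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    return parse_a_answers(data)


def sample_response() -> bytes:
    """Constructed reply to build_query("google.com"): one A record (192.0.2.10, a TEST-NET
    address) whose owner name is a compression pointer to the question at offset 12."""
    query = build_query("google.com")
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.10")
    return header + query[12:] + answer


if __name__ == "__main__":
    print("OUTPUT_DNS drops:", blocked_domains(SAMPLE_RULES))
    print("constructed reply:", parse_a_answers(sample_response()))
    # On a connected VPN client: lookup("google.com", "10.8.0.1") returns None on timeout.
```

A `None` from `lookup()` against 10.8.0.1 while the same call against 1.1.1.1 returns addresses reproduces the symptom in the thread: the query leaves the client but nothing answers on the router side, which points at what dnsmasq is listening on rather than at the OVPN firewall chains, both of which accept all traffic from tun21 and tun22.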
 
What adblocker are you using? And have you tried using TCP as the VPN protocol instead of UDP (just for testing purposes).
 
I haven't tried using TCP; this is just the default server that I'm trying to get to work, and I was going to tweak the server once I get everything working. I suppose I could try it tonight. If it works I'll be sure to post here.

I'm just using my own script to adblock; it downloads from various sources and sorts into a file. I've been using it for a long time, on my old router as well. I prefer it to Diversion because there is no USB needed. I could try disabling it but I don't think it would solve anything since the DNS server works just fine on both ethernet and wifi connections. But I will try it anyway.
 
Your OpenVPN firewall rules look fine to me - both servers are set to allow all traffic in. Only server 1 actually forwarded traffic in this log (67 packets), and no traffic for server 2.

Did you customize your dnsmasq settings? Make sure you don't have a /jffs/configs/dnsmasq.conf file, as that could override the VPN settings.

If you run third party scripts then you should test without them in case one of them is interfering.
 
You're completely right, I had made a custom config to add a block hosts file before setting up VPN. This was the root of the problem. Thank you very much for your help @RMerlin
 