R9000 openvpn internet access issue using voxel


masta_orc

Occasional Visitor
Hello,

If I use R9000 behind a fritz!box 7590 (fritz!box 7590 connects directly to my ISP) the internet access works great, even if I enable openvpn, but..

I want R9000 to connect to my ISP instead of fritz!box 7590, so I tried R9000 behind the modem draytek vigor165 and internet access works.
If I run openvpn now using '/etc/init.d/openvpn-client start' internet access doesn't work anymore.

I can see all ISP data at internet port, but it shows me an error that it can't access the internet and if I try to visit any website it simply doesn't work.

If I stop openvpn using '/etc/init.d/openvpn-client stop' internet access works again.



Help please :(
 

Voxel

Very Senior Member
Please copy/paste your LOG file /var/log/openvpn-client.log after "/etc/init.d/openvpn-client start"

Voxel.
 

masta_orc

Occasional Visitor
okay

Code:
Thu Feb 13 16:34:46 2020 OpenVPN 2.4.8 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Feb 13 16:34:46 2020 library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Thu Feb 13 16:34:46 2020 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Thu Feb 13 16:34:46 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Feb 13 16:34:46 2020 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Feb 13 16:34:46 2020 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Feb 13 16:34:46 2020 nice -20 succeeded
Thu Feb 13 16:34:46 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]185.180.12.49:1194
Thu Feb 13 16:34:46 2020 Socket Buffers: R=[163840->327680] S=[163840->327680]
Thu Feb 13 16:34:46 2020 UDP link local: (not bound)
Thu Feb 13 16:34:46 2020 UDP link remote: [AF_INET]185.180.12.49:1194
Thu Feb 13 16:34:46 2020 TLS: Initial packet from [AF_INET]185.180.12.49:1194, sid=38c59291 5dd99acf
Thu Feb 13 16:34:46 2020 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Thu Feb 13 16:34:46 2020 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA4
Thu Feb 13 16:34:46 2020 VERIFY KU OK
Thu Feb 13 16:34:46 2020 Validating certificate extended key usage
Thu Feb 13 16:34:46 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Feb 13 16:34:46 2020 VERIFY EKU OK
Thu Feb 13 16:34:46 2020 VERIFY OK: depth=0, CN=at55.nordvpn.com
Thu Feb 13 16:34:46 2020 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Thu Feb 13 16:34:46 2020 [at55.nordvpn.com] Peer Connection Initiated with [AF_INET]185.180.12.49:1194
Thu Feb 13 16:34:47 2020 SENT CONTROL [at55.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Thu Feb 13 16:34:47 2020 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.2.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.2.30 255.255.255.0,peer-id 33,cipher AES-256-GCM'
Thu Feb 13 16:34:47 2020 OPTIONS IMPORT: timers and/or timeouts modified
Thu Feb 13 16:34:47 2020 OPTIONS IMPORT: explicit notify parm(s) modified
Thu Feb 13 16:34:47 2020 OPTIONS IMPORT: compression parms modified
Thu Feb 13 16:34:47 2020 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Thu Feb 13 16:34:47 2020 Socket Buffers: R=[327680->327680] S=[327680->327680]
Thu Feb 13 16:34:47 2020 OPTIONS IMPORT: --ifconfig/up options modified
Thu Feb 13 16:34:47 2020 OPTIONS IMPORT: route options modified
Thu Feb 13 16:34:47 2020 OPTIONS IMPORT: route-related options modified
Thu Feb 13 16:34:47 2020 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Feb 13 16:34:47 2020 OPTIONS IMPORT: peer-id set
Thu Feb 13 16:34:47 2020 OPTIONS IMPORT: adjusting link_mtu to 1657
Thu Feb 13 16:34:47 2020 OPTIONS IMPORT: data channel crypto options modified
Thu Feb 13 16:34:47 2020 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Feb 13 16:34:47 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Feb 13 16:34:47 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Feb 13 16:34:47 2020 TUN/TAP device tun21 opened
Thu Feb 13 16:34:47 2020 TUN/TAP TX queue length set to 1000
Thu Feb 13 16:34:47 2020 /sbin/ifconfig tun21 10.8.2.30 netmask 255.255.255.0 mtu 1500 broadcast 10.8.2.255
Thu Feb 13 16:34:47 2020 /etc/openvpn/ovpnclient-up.sh tun21 1500 1585 10.8.2.30 255.255.255.0 init
Thu Feb 13 16:34:47 2020 /sbin/route add -net 185.180.12.49 netmask 255.255.255.255 gw 62.155.243.132
Thu Feb 13 16:34:47 2020 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.2.1
Thu Feb 13 16:34:47 2020 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.2.1
Thu Feb 13 16:34:47 2020 Initialization Sequence Completed
Thu Feb 13 16:40:13 2020 [at55.nordvpn.com] Inactivity timeout (--ping-restart), restarting
Thu Feb 13 16:40:13 2020 SIGUSR1[soft,ping-restart] received, process restarting
Thu Feb 13 16:40:13 2020 Restart pause, 5 second(s)
Thu Feb 13 16:40:18 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Feb 13 16:40:18 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]185.180.12.49:1194
Thu Feb 13 16:40:18 2020 Socket Buffers: R=[212992->425984] S=[212992->425984]
Thu Feb 13 16:40:18 2020 UDP link local: (not bound)
Thu Feb 13 16:40:18 2020 UDP link remote: [AF_INET]185.180.12.49:1194
Thu Feb 13 16:40:41 2020 event_wait : Interrupted system call (code=4)
Thu Feb 13 16:40:41 2020 /sbin/route del -net 185.180.12.49 netmask 255.255.255.255
route: SIOC[ADD|DEL]RT: No such process
Thu Feb 13 16:40:41 2020 ERROR: Linux route delete command failed: external program exited with error status: 1
Thu Feb 13 16:40:41 2020 /sbin/route del -net 0.0.0.0 netmask 128.0.0.0
Thu Feb 13 16:40:41 2020 /sbin/route del -net 128.0.0.0 netmask 128.0.0.0
Thu Feb 13 16:40:41 2020 Closing TUN/TAP interface
Thu Feb 13 16:40:41 2020 /sbin/ifconfig tun21 0.0.0.0
Thu Feb 13 16:40:41 UTC 2020 Voxel: Error: openvpn-client stop: process was not killed properly 2, try a new kill!
Thu Feb 13 16:40:41 UTC 2020 Voxel: Error: openvpn-client stop: process was not killed properly 2, try a new kill!
Thu Feb 13 16:40:41 UTC 2020 Voxel: Error: openvpn-client stop: process was not killed properly 2, try a new kill!
Thu Feb 13 16:40:41 UTC 2020 Voxel: OpenVPNclient stop run: ip route del:
default via 62.155.243.132 dev ppp0
62.155.243.132 dev ppp0  proto kernel  scope link  src 217.86.109.76
192.168.178.0/24 dev br0  proto kernel  scope link  src 192.168.178.1
239.0.0.0/8 dev br0  scope link
Thu Feb 13 16:42:05 2020 OpenVPN 2.4.8 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Feb 13 16:42:05 2020 library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Thu Feb 13 16:42:05 2020 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Thu Feb 13 16:42:05 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Feb 13 16:42:05 2020 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Feb 13 16:42:05 2020 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Feb 13 16:42:05 2020 nice -20 succeeded
Thu Feb 13 16:42:05 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]185.180.12.49:1194
Thu Feb 13 16:42:05 2020 Socket Buffers: R=[212992->425984] S=[212992->425984]
Thu Feb 13 16:42:05 2020 UDP link local: (not bound)
Thu Feb 13 16:42:05 2020 UDP link remote: [AF_INET]185.180.12.49:1194
Thu Feb 13 16:42:05 2020 TLS: Initial packet from [AF_INET]185.180.12.49:1194, sid=cbcb7093 9d9d19f5
Thu Feb 13 16:42:05 2020 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Thu Feb 13 16:42:05 2020 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA4
Thu Feb 13 16:42:05 2020 VERIFY KU OK
Thu Feb 13 16:42:05 2020 Validating certificate extended key usage
Thu Feb 13 16:42:05 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Feb 13 16:42:05 2020 VERIFY EKU OK
Thu Feb 13 16:42:05 2020 VERIFY OK: depth=0, CN=at55.nordvpn.com
Thu Feb 13 16:42:05 2020 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Thu Feb 13 16:42:05 2020 [at55.nordvpn.com] Peer Connection Initiated with [AF_INET]185.180.12.49:1194
Thu Feb 13 16:42:07 2020 SENT CONTROL [at55.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Thu Feb 13 16:42:07 2020 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.0.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.0.21 255.255.255.0,peer-id 23,cipher AES-256-GCM'
Thu Feb 13 16:42:07 2020 OPTIONS IMPORT: timers and/or timeouts modified
Thu Feb 13 16:42:07 2020 OPTIONS IMPORT: explicit notify parm(s) modified
Thu Feb 13 16:42:07 2020 OPTIONS IMPORT: compression parms modified
Thu Feb 13 16:42:07 2020 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Thu Feb 13 16:42:07 2020 Socket Buffers: R=[425984->425984] S=[425984->425984]
Thu Feb 13 16:42:07 2020 OPTIONS IMPORT: --ifconfig/up options modified
Thu Feb 13 16:42:07 2020 OPTIONS IMPORT: route options modified
Thu Feb 13 16:42:07 2020 OPTIONS IMPORT: route-related options modified
Thu Feb 13 16:42:07 2020 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Feb 13 16:42:07 2020 OPTIONS IMPORT: peer-id set
Thu Feb 13 16:42:07 2020 OPTIONS IMPORT: adjusting link_mtu to 1657
Thu Feb 13 16:42:07 2020 OPTIONS IMPORT: data channel crypto options modified
Thu Feb 13 16:42:07 2020 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Feb 13 16:42:07 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Feb 13 16:42:07 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Feb 13 16:42:07 2020 TUN/TAP device tun21 opened
Thu Feb 13 16:42:07 2020 TUN/TAP TX queue length set to 1000
Thu Feb 13 16:42:07 2020 /sbin/ifconfig tun21 10.8.0.21 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Thu Feb 13 16:42:07 2020 /etc/openvpn/ovpnclient-up.sh tun21 1500 1585 10.8.0.21 255.255.255.0 init
Thu Feb 13 16:42:07 2020 /sbin/route add -net 185.180.12.49 netmask 255.255.255.255 gw 62.155.243.132
Thu Feb 13 16:42:07 2020 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
Thu Feb 13 16:42:07 2020 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
Thu Feb 13 16:42:07 2020 Initialization Sequence Completed
 

kamoj

Very Senior Member
A very fast diagnosis:

DNS is not working.

Try these commands when having problem:
Code:
ping -c3 8.8.8.8
ping -c3 google.com
Also it might help to switch on DNSCrypt Proxy 2.
 

masta_orc

Occasional Visitor
Code:
ping -c3 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=58 time=29.6 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=58 time=29.4 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=58 time=29.7 ms

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 29.4/29.5/29.7 ms
Code:
ping -c3 google.com
ping: google.com: Unknown host

Sorry, but I am really new to this.. How can I fix it? And how does it work with DNSCrypt Proxy 2?
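
The two ping results above (reply from 8.8.8.8, "Unknown host" for google.com) can be read together with the PUSH_REPLY line in the posted log. The script below is an added example, not part of the thread or of Voxel's firmware; the function names are hypothetical and the resolver line is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): read what the VPN server pushed and
# combine it with the two ping results requested in the thread.

# Constructed sample: the PUSH_REPLY line from the posted log, shortened.
SAMPLE_LOG="Thu Feb 13 16:34:47 2020 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,route-gateway 10.8.2.1,topology subnet,ifconfig 10.8.2.30 255.255.255.0'
Thu Feb 13 16:34:47 2020 Initialization Sequence Completed"

# Constructed sample resolver config (documentation-range address).
SAMPLE_RESOLV="nameserver 192.0.2.53"

# Options of the most recent PUSH_REPLY in the log text, one per line.
pushed_options() {
    printf '%s\n' "$1" | grep 'PUSH_REPLY,' | tail -n 1 |
        sed -e 's/^.*PUSH_REPLY,//' -e "s/'\$//" | tr ',' '\n'
}

# DNS servers pushed by the VPN server, space separated.
pushed_dns() {
    pushed_options "$1" | sed -n 's/^dhcp-option DNS //p' |
        tr '\n' ' ' | sed 's/ $//'
}

# "yes" if the server told the client to send all traffic through the tunnel.
redirects_gateway() {
    if pushed_options "$1" | grep -q '^redirect-gateway'; then
        echo yes
    else
        echo no
    fi
}

# Pushed DNS servers that are not listed as "nameserver" in the resolver text.
# OpenVPN on Linux only passes dhcp-option values to the up script; it does
# not write them into the resolver configuration itself.
pushed_dns_not_in_use() {
    for ip in $(pushed_dns "$1"); do
        printf '%s\n' "$2" |
            awk -v ip="$ip" '$1 == "nameserver" && $2 == ip { f = 1 } END { exit !f }' ||
            printf '%s ' "$ip"
    done | sed 's/ $//'
}

# Exit codes of "ping -c3 8.8.8.8" and "ping -c3 google.com" -> verdict.
classify() {
    if [ "$1" -ne 0 ]; then
        echo no-ip-connectivity
    elif [ "$2" -ne 0 ]; then
        echo dns-only-failure
    else
        echo ok
    fi
}

# Live use on the router (not run here; the resolver file path varies by firmware):
#   ping -c3 8.8.8.8 >/dev/null 2>&1; a=$?
#   ping -c3 google.com >/dev/null 2>&1; b=$?
#   classify "$a" "$b"
#   pushed_dns "$(cat /var/log/openvpn-client.log)"
```

The verdict and the list of pushed-but-unused DNS servers are the two facts worth posting alongside the raw log when asking for help.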
 

kamoj

Very Senior Member
Have you tried this add-on?
https://www.snbforums.com/threads/kamoj-add-on-v5-for-netgear-r7800-x4s-and-r9000-x10.60590/

With the add-on you can easily enable DNSCrypt Proxy 2, and it also supports NordVPN

PS
A new version of the add-on might be released in the near future. :cool:
But until then it's good to know:

For OpenVPN there is a flaw in the @Voxel readme.docx:
Don't forget to follow Voxel's README.
1. Download your VPN providers OVPN file and place them in the /etc/openvpn/config/client directory
PS: Use full path directory filenames on any referenced files in the OVPN file. Example: change "auth-user-pass credentials.txt" to "auth-user-pass /etc/openvpn/config/client/credentials.txt"
should be:
Don't forget to follow Voxel's README.

1. Download your VPN providers OVPN file and place them in the /etc/openvpn/config/client directory

PS: Do NOT use full path directory filenames on any referenced files in the OVPN file.

(This is automatically taken care of with the command option "--cd")
Example: "auth-user-pass credentials.txt" is OK, but
"auth-user-pass /etc/openvpn/config/client/credentials.txt" is NOT needed.
 

masta_orc

Occasional Visitor
I used the following commands from the readme and VPN finally works for all devices except R9000.

Code:
nvram set dnscrypt2=1
nvram commit
reboot

wget/curl doesn't work at R9000.. seems R9000 can't reach internet?

same results as before at:
Code:
ping -c3 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=58 time=28.8 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=58 time=28.7 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=58 time=28.9 ms

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 28.7/28.8/28.9 ms
and
Code:
ping -c3 google.com
ping: google.com: Unknown host

I installed your addon kamoj, generated new nordvpn config files but it didn't fix that problem..
 

masta_orc

Occasional Visitor
So dnscrypt2 fixed the internet access/DNS issue for my connected devices.. but there is no way to fix the internet access/DNS issue for my R9000? :(

And I got another problem: if I try to use openvpn bypass/tunnel for some devices, those devices can't reach internet anymore. Only if I remove them from the openvpn bypass/tunnel list.

Got any idea how I can fix that? @Voxel and @kamoj ?
 

kamoj

Very Senior Member
Set your DNS properly.

E.g. via your router GUI:
Use a web-browser and logon to your router, e.g.: http://www.routerlogin.net/
Click "Internet"
Find: Domain Name Server (DNS) Address
Check: Use These DNS Servers
Primary DNS: 1.1.1.1
Secondary DNS: 8.8.8.8
Third DNS: 9.9.9.9

Click "Apply"
 

masta_orc

Occasional Visitor
I can only enter Primary DNS and Secondary DNS at 'Use These DNS Servers', there is no Third DNS?
Well, I tried it at Primary and Secondary DNS and lost internet connection.

The only way to get my internet connection back working is to re-enable 'Get Automatically from ISP'.

Then I tried 'Use These DNS Servers' with the default auto-entered DNS servers and I lost my internet connection again.
It seems there is something not working correctly?
 

kamoj

Very Senior Member
Strange that you only have 2 DNS alternatives.
(I don't have an R9000, but I looked in the code, and there is code for 3 DNS entries!)

Are you sure the draytek vigor165 modem is set in Bridge Mode? If not you must enable Full Bridge Mode.
Is the fritz!box 7590 still connected? If so disconnect it.

Be very clear with what you say.
What does e.g. "lost my internet connection" mean?
You lost internet where? In the router? Some other connected device? Wired device? WiFi device? etc
Or you just lost the DNS capability?

So start again from the beginning:
  1. Disconnect/Power off the "FRITZ!Box 7590"
  2. Disconnect all devices from the R9000 except one
  3. Install the Kamoj add-on on your R9000
  4. Use a web-browser and logon to your router, e.g.: http://www.routerlogin.net/
  5. Switch off the OpenVPN Client
  6. Switch off DNS Encryption
  7. Setup the DNS (as above):
    Click "Internet"
    Find: Domain Name Server (DNS) Address
    Check: Use These DNS Servers
    Primary DNS: 1.1.1.1
    Secondary DNS: 8.8.8.8

    Click "Apply"
  8. Set the "Draytek Vigor165" modem in Bridge Mode:
    Internet Access >> MPoA / Static or dynamic IP : Bridge Mode : Enable Full Bridge Mode + OK
  9. Connect the port 1 "P1" of the "Draytek Vigor165" modem to the Internet port of the R9000 router.
  10. Telnet to the router :
    telnet www.routerlogin.net (or telnet 192.168.1.1)
  11. Run the ping commands from the router:
    ping -c3 8.8.8.8
    ping -c3 google.com
  12. Start the OpenVPN Client:
    /etc/init.d/openvpn-client start
  13. Run the ping commands from the router again:
    ping -c3 8.8.8.8
    ping -c3 google.com
  14. Use a web-browser and logon to your router, e.g.: http://www.routerlogin.net/
  15. Go to the Kamoj Router Information page (http://www.routerlogin.net/addon_routerinfo.htm)
    Make a screen dump of this page.
  16. Run the ping commands from all your connected devices
  17. Switch on "DNSCrypt Proxy v2" in DNS Encryption
  18. Run the ping commands from the router again
  19. Switch on the OpenVPN Client
  20. Run the ping commands from the router again
  21. Run the ping commands from all your connected devices again
  22. Give the results to me here or in PM
  23. Show some gratitude if you feel someone making an effort to help you
 

masta_orc

Occasional Visitor
I have done all your steps and after all it seems that everything is fixed since fritz!box 7590 is disconnected... Thank you!

Well, now I need to learn how to set up the fritz!box just for VoIP.

By the way, nothing happens if I try to turn on "DNSCrypt Proxy v2" in DNS Encryption.. it simply reloads with 'none' as marked.
But I can enable it at telnet.

openvpn bypass/tunneling works at your addon.

As proof there is no available 3rd DNS option:

 

masta_orc

Occasional Visitor
If I reboot my R9000 all bypassing/tunneling settings seem turned off, because all devices use openvpn until I change bypassing settings once again… Is that a bug?
 
