No Internet after VPN Connection.

[Kim Puleston]

Hey Chaps,

So I seem to be having issues accessing the internet after I activate the VPN. A little history first

Router: GT:AC5300
Firmware: 3.0.0.4.384.20648

My WAN is on a Static IP to my main gateway
DNS Servers are set to Open DNS
My VPN Provider is Torguard
I am using OpenVPN as my VPN Method

All other settings on the router are defaults as I wanted to test the VPN without any other influences that I may accidently put into place.

As soon as I disable the VPN connection my internet is back in full swing. For clarity sakes, please see below a VPN connection log.


.................................................................................................................................


Apr 12 19:39:40 vpnclient5[9788]: OpenVPN 2.3.2 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Mar 26 2018

Apr 12 19:39:40 vpnclient5[9788]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

Apr 12 19:39:40 vpnclient5[9788]: Control Channel Authentication: using 'static.key' as a OpenVPN static key file

Apr 12 19:39:40 vpnclient5[9788]: Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication

Apr 12 19:39:40 vpnclient5[9788]: Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication

Apr 12 19:39:40 vpnclient5[9788]: Socket Buffers: R=[524288->524288] S=[524288->524288]

Apr 12 19:39:40 vpnclient5[9789]: UDPv4 link local: [undef]

Apr 12 19:39:40 vpnclient5[9789]: UDPv4 link remote: [AF_INET]88.150.181.10:1912

Apr 12 19:39:40 vpnclient5[9789]: TLS: Initial packet from [AF_INET]88.150.181.10:1912, sid=bedcc0ec fd3d7eca

Apr 12 19:39:40 vpnclient5[9789]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

Apr 12 19:39:41 vpnclient5[9789]: VERIFY OK: depth=1, C=US, ST=FL, L=Orlando, O=TorGuard, OU=VPN, CN=TG-OVPN-CA, name=TorGuard, emailAddress=sysadmin@torguard.net

Apr 12 19:39:41 vpnclient5[9789]: Validating certificate key usage

Apr 12 19:39:41 vpnclient5[9789]: ++ Certificate has key usage 00a0, expects 00a0

Apr 12 19:39:41 vpnclient5[9789]: VERIFY KU OK

Apr 12 19:39:41 vpnclient5[9789]: Validating certificate extended key usage

Apr 12 19:39:41 vpnclient5[9789]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication

Apr 12 19:39:41 vpnclient5[9789]: VERIFY EKU OK

Apr 12 19:39:41 vpnclient5[9789]: VERIFY OK: depth=0, C=US, ST=FL, L=Orlando, O=TorGuard, OU=VPN, CN=TG-OVPN-CA, name=TorGuard, emailAddress=sysadmin@torguard.net

Apr 12 19:39:41 vpnclient5[9789]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1602', remote='link-mtu 1570'

Apr 12 19:39:41 vpnclient5[9789]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'

Apr 12 19:39:41 vpnclient5[9789]: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher AES-128-CBC'

Apr 12 19:39:41 vpnclient5[9789]: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'

Apr 12 19:39:41 vpnclient5[9789]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key

Apr 12 19:39:41 vpnclient5[9789]: Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication

Apr 12 19:39:41 vpnclient5[9789]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key

Apr 12 19:39:41 vpnclient5[9789]: Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication

Apr 12 19:39:41 vpnclient5[9789]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA

Apr 12 19:39:41 vpnclient5[9789]: [TG-OVPN-CA] Peer Connection Initiated with [AF_INET]88.150.181.10:1912

Apr 12 19:39:43 vpnclient5[9789]: SENT CONTROL [TG-OVPN-CA]: 'PUSH_REQUEST' (status=1)

Apr 12 19:39:43 vpnclient5[9789]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.9.0.1,dhcp-option DNS 10.8.0.1,route 10.35.0.1,topology net30,ping 5,ping-restart 30,ifconfig 10.35.0.6 10.35.0.5'

Apr 12 19:39:43 vpnclient5[9789]: OPTIONS IMPORT: timers and/or timeouts modified

Apr 12 19:39:43 vpnclient5[9789]: OPTIONS IMPORT: --ifconfig/up options modified

Apr 12 19:39:43 vpnclient5[9789]: OPTIONS IMPORT: route options modified

Apr 12 19:39:43 vpnclient5[9789]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified

Apr 12 19:39:43 vpnclient5[9789]: TUN/TAP device tun15 opened

Apr 12 19:39:43 vpnclient5[9789]: TUN/TAP TX queue length set to 100

Apr 12 19:39:43 vpnclient5[9789]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0

Apr 12 19:39:43 vpnclient5[9789]: /sbin/ifconfig tun15 10.35.0.6 pointopoint 10.35.0.5 mtu 1500

Apr 12 19:39:43 vpnclient5[9789]: /etc/openvpn/ovpnc-up 5 tun15 1500 1602 10.35.0.6 10.35.0.5 init

Apr 12 19:39:43 vpnclient5[9789]: Initialization Sequence Completed

Apr 12 19:40:13 vpnclient5[9789]: [TG-OVPN-CA] Inactivity timeout (--ping-restart), restarting

Apr 12 19:40:13 vpnclient5[9789]: SIGUSR1[soft,ping-restart] received, process restarting

Apr 12 19:40:13 vpnclient5[9789]: Restart pause, 2 second(s)

Apr 12 19:40:15 vpnclient5[9789]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

Apr 12 19:40:15 vpnclient5[9789]: Socket Buffers: R=[524288->524288] S=[524288->524288]

Apr 12 19:40:55 vpnclient5[9789]: RESOLVE: Cannot resolve host address: uk.torguardvpnaccess.com: Name or service not known


.............................................................................................


I see that it fails to resolve to the VPN address. I did check with my provider and they state the service is operating normally which I confirmed by using the Torguard PC application and it connected just fine.

Any ideas ?

Thanks guys.

 

[Xentrk]

Hey Chaps,

So I seem to be having issues accessing the internet after I activate the VPN. A little history first

Router: GT:AC5300
Firmware: 3.0.0.4.384.20648

My WAN is on a Static IP to my main gateway
DNS Servers are set to Open DNS
My VPN Provider is Torguard
I am using OpenVPN as my VPN Method

All other settings on the router are defaults as I wanted to test the VPN without any other influences that I may accidently put into place.

As soon as I disable the VPN connection my internet is back in full swing. For clarity sakes, please see below a VPN connection log.


.................................................................................................................................


Apr 12 19:39:40 vpnclient5[9788]: OpenVPN 2.3.2 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Mar 26 2018

Apr 12 19:39:40 vpnclient5[9788]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

Apr 12 19:39:40 vpnclient5[9788]: Control Channel Authentication: using 'static.key' as a OpenVPN static key file

Apr 12 19:39:40 vpnclient5[9788]: Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication

Apr 12 19:39:40 vpnclient5[9788]: Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication

Apr 12 19:39:40 vpnclient5[9788]: Socket Buffers: R=[524288->524288] S=[524288->524288]

Apr 12 19:39:40 vpnclient5[9789]: UDPv4 link local: [undef]

Apr 12 19:39:40 vpnclient5[9789]: UDPv4 link remote: [AF_INET]88.150.181.10:1912

Apr 12 19:39:40 vpnclient5[9789]: TLS: Initial packet from [AF_INET]88.150.181.10:1912, sid=bedcc0ec fd3d7eca

Apr 12 19:39:40 vpnclient5[9789]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

Apr 12 19:39:41 vpnclient5[9789]: VERIFY OK: depth=1, C=US, ST=FL, L=Orlando, O=TorGuard, OU=VPN, CN=TG-OVPN-CA, name=TorGuard, emailAddress=sysadmin@torguard.net

Apr 12 19:39:41 vpnclient5[9789]: Validating certificate key usage

Apr 12 19:39:41 vpnclient5[9789]: ++ Certificate has key usage 00a0, expects 00a0

Apr 12 19:39:41 vpnclient5[9789]: VERIFY KU OK

Apr 12 19:39:41 vpnclient5[9789]: Validating certificate extended key usage

Apr 12 19:39:41 vpnclient5[9789]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication

Apr 12 19:39:41 vpnclient5[9789]: VERIFY EKU OK

Apr 12 19:39:41 vpnclient5[9789]: VERIFY OK: depth=0, C=US, ST=FL, L=Orlando, O=TorGuard, OU=VPN, CN=TG-OVPN-CA, name=TorGuard, emailAddress=sysadmin@torguard.net

Apr 12 19:39:41 vpnclient5[9789]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1602', remote='link-mtu 1570'

Apr 12 19:39:41 vpnclient5[9789]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'

Apr 12 19:39:41 vpnclient5[9789]: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher AES-128-CBC'

Apr 12 19:39:41 vpnclient5[9789]: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'

Apr 12 19:39:41 vpnclient5[9789]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key

Apr 12 19:39:41 vpnclient5[9789]: Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication

Apr 12 19:39:41 vpnclient5[9789]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key

Apr 12 19:39:41 vpnclient5[9789]: Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication

Apr 12 19:39:41 vpnclient5[9789]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA

Apr 12 19:39:41 vpnclient5[9789]: [TG-OVPN-CA] Peer Connection Initiated with [AF_INET]88.150.181.10:1912

Apr 12 19:39:43 vpnclient5[9789]: SENT CONTROL [TG-OVPN-CA]: 'PUSH_REQUEST' (status=1)

Apr 12 19:39:43 vpnclient5[9789]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.9.0.1,dhcp-option DNS 10.8.0.1,route 10.35.0.1,topology net30,ping 5,ping-restart 30,ifconfig 10.35.0.6 10.35.0.5'

Apr 12 19:39:43 vpnclient5[9789]: OPTIONS IMPORT: timers and/or timeouts modified

Apr 12 19:39:43 vpnclient5[9789]: OPTIONS IMPORT: --ifconfig/up options modified

Apr 12 19:39:43 vpnclient5[9789]: OPTIONS IMPORT: route options modified

Apr 12 19:39:43 vpnclient5[9789]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified

Apr 12 19:39:43 vpnclient5[9789]: TUN/TAP device tun15 opened

Apr 12 19:39:43 vpnclient5[9789]: TUN/TAP TX queue length set to 100

Apr 12 19:39:43 vpnclient5[9789]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0

Apr 12 19:39:43 vpnclient5[9789]: /sbin/ifconfig tun15 10.35.0.6 pointopoint 10.35.0.5 mtu 1500

Apr 12 19:39:43 vpnclient5[9789]: /etc/openvpn/ovpnc-up 5 tun15 1500 1602 10.35.0.6 10.35.0.5 init

Apr 12 19:39:43 vpnclient5[9789]: Initialization Sequence Completed

Apr 12 19:40:13 vpnclient5[9789]: [TG-OVPN-CA] Inactivity timeout (--ping-restart), restarting

Apr 12 19:40:13 vpnclient5[9789]: SIGUSR1[soft,ping-restart] received, process restarting

Apr 12 19:40:13 vpnclient5[9789]: Restart pause, 2 second(s)

Apr 12 19:40:15 vpnclient5[9789]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

Apr 12 19:40:15 vpnclient5[9789]: Socket Buffers: R=[524288->524288] S=[524288->524288]

Apr 12 19:40:55 vpnclient5[9789]: RESOLVE: Cannot resolve host address: uk.torguardvpnaccess.com: Name or service not known


.............................................................................................


I see that it fails to resolve to the VPN address. I did check with my provider and they state the service is operating normally which I confirmed by using the Torguard PC application and it connected just fine.

Any ideas ?

Thanks guys.

I wrote setup instructions for configuring TorGuard with AsusWRT-Merlin on my newly launched blog site. Let me know if it helps. https://x3mtek.com/torguard-openvpn-2-4-client-setup-for-asuswrt-merlin-firmware/

Some hacks are required if you use Policy Rules in order to get DNS to work right. Or, you may have routing issues similar to what you describe. I suspect this is your issue.

 

[Kim Puleston]

Thanks, that guide is fantastic but unfortunately not applicable to me as AsusWRT does not support my device, as such I am using the more basic VPN interface.

It seems that regardless of the VPN server I choose, I get the following:

OpenVPN 2.3.2 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Mar 26 2018
Apr 13 13:13:43 vpnclient5[1994]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 13 13:13:43 vpnclient5[1994]: Control Channel Authentication: using 'static.key' as a OpenVPN static key file
Apr 13 13:13:43 vpnclient5[1994]: Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Apr 13 13:13:43 vpnclient5[1994]: Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Apr 13 13:13:43 vpnclient5[1994]: Socket Buffers: R=[524288->524288] S=[524288->524288]
Apr 13 13:13:44 vpnclient5[1995]: UDPv4 link local: [undef]
Apr 13 13:13:44 vpnclient5[1995]: UDPv4 link remote: [AF_INET]85.195.116.66:1195
Apr 13 13:13:45 vpnclient5[1995]: TLS: Initial packet from [AF_INET]85.195.116.66:1195, sid=dd1db392 de83e545
Apr 13 13:13:45 vpnclient5[1995]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Apr 13 13:13:45 vpnclient5[1995]: VERIFY OK: depth=1, C=US, ST=FL, L=Orlando, O=TorGuard, OU=VPN, CN=TG-OVPN-CA, name=TorGuard, emailAddress=sysadmin@torguard.net
Apr 13 13:13:45 vpnclient5[1995]: Validating certificate key usage
Apr 13 13:13:45 vpnclient5[1995]: ++ Certificate has key usage 00a0, expects 00a0
Apr 13 13:13:45 vpnclient5[1995]: VERIFY KU OK
Apr 13 13:13:45 vpnclient5[1995]: Validating certificate extended key usage
Apr 13 13:13:45 vpnclient5[1995]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Apr 13 13:13:45 vpnclient5[1995]: VERIFY EKU OK
Apr 13 13:13:45 vpnclient5[1995]: VERIFY OK: depth=0, C=US, ST=FL, L=Orlando, O=TorGuard, OU=VPN, CN=TG-OVPN-CA, name=TorGuard, emailAddress=sysadmin@torguard.net
Apr 13 13:13:47 vpnclient5[1995]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1602', remote='link-mtu 1570'
Apr 13 13:13:47 vpnclient5[1995]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
Apr 13 13:13:47 vpnclient5[1995]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Apr 13 13:13:47 vpnclient5[1995]: Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Apr 13 13:13:47 vpnclient5[1995]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Apr 13 13:13:47 vpnclient5[1995]: Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Apr 13 13:13:47 vpnclient5[1995]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Apr 13 13:13:47 vpnclient5[1995]: [TG-OVPN-CA] Peer Connection Initiated with [AF_INET]85.195.116.66:1195
Apr 13 13:13:49 vpnclient5[1995]: SENT CONTROL [TG-OVPN-CA]: 'PUSH_REQUEST' (status=1)
Apr 13 13:13:50 vpnclient5[1995]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.9.0.1,dhcp-option DNS 10.8.0.1,route 10.33.0.1,topology net30,ping 5,ping-restart 30,ifconfig 10.33.0.6 10.33.0.5'
Apr 13 13:13:50 vpnclient5[1995]: OPTIONS IMPORT: timers and/or timeouts modified
Apr 13 13:13:50 vpnclient5[1995]: OPTIONS IMPORT: --ifconfig/up options modified
Apr 13 13:13:50 vpnclient5[1995]: OPTIONS IMPORT: route options modified
Apr 13 13:13:50 vpnclient5[1995]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Apr 13 13:13:50 vpnclient5[1995]: TUN/TAP device tun15 opened
Apr 13 13:13:50 vpnclient5[1995]: TUN/TAP TX queue length set to 100
Apr 13 13:13:50 vpnclient5[1995]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Apr 13 13:13:50 vpnclient5[1995]: /sbin/ifconfig tun15 10.33.0.6 pointopoint 10.33.0.5 mtu 1500
Apr 13 13:13:50 vpnclient5[1995]: /etc/openvpn/ovpnc-up 5 tun15 1500 1602 10.33.0.6 10.33.0.5 init
Apr 13 13:13:50 vpnclient5[1995]: Initialization Sequence Completed
Apr 13 13:14:20 vpnclient5[1995]: [TG-OVPN-CA] Inactivity timeout (--ping-restart), restarting
Apr 13 13:14:20 vpnclient5[1995]: SIGUSR1[soft,ping-restart] received, process restarting
Apr 13 13:14:20 vpnclient5[1995]: Restart pause, 2 second(s)
Apr 13 13:14:22 vpnclient5[1995]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 13 13:14:22 vpnclient5[1995]: Socket Buffers: R=[524288->524288] S=[524288->524288]
Apr 13 13:15:02 vpnclient5[1995]: RESOLVE: Cannot resolve host address: frank.gr.torguardvpnaccess.com: Name or service not known

Note: L2TP Works fine and resolved to the VPN Host but not with OpenVPN

 

[Xentrk]

Do you also have a VPN server configured on your router? Is so, make sure the client and server use a different port and subnet.

Can you ping or do an nslookup on the TG VPN server when using the WAN iface?

 

[Kim Puleston]

Looks like I found the issue, it seems to be a DNS problem. If I use an IP instead of hostname I get a connection just fine. I have to admit that confuses me as no matter what DNS I have set under the WAN, the VPN will not establish is using hostnames.

Any ideas ?

 

[Xentrk]

Looks like I found the issue, it seems to be a DNS problem. If I use an IP instead of hostname I get a connection just fine. I have to admit that confuses me as no matter what DNS I have set under the WAN, the VPN will not establish is using hostnames.

Any ideas ?

I have not looked at the stock FW in a long time to recall the difference in the OpenVPN client with Merlin FW.

I suspected a DNS issue. Does the stock FW have the Accept DNS Configuration option? Test with Exclusive and then Strict to see if there is any change with the issue.

The VPN DNS appears to successfully be working from the log entries. Most TG servers use a dynamic IP address. I experimented using the IP address with a server that had a dynamic IP address rather than the domain name and never had an issue. TG appears to rotate the same IP addresses on the dynamic servers. So using IP instead of domain name should be an okay work around.

What happens when you do an nslookup on the TG VPN server domain name? Does it resolve it and return the IP address?

 

[Xentrk]

Turn off Spanning Tree Protocol (STP) if enabled. Also, turn off IPv6 if you don’t use it.

 

[Kim Puleston]

Unfortunately the VPN options are very limites with stock firmware. You have no options for adjusting the VPN DNS parameters. I will have a look at the nslookup now for the TG VPN Domain name.

As for STP, I have yet to see it on this router actually. I have not found this option yet, on my last router it was under LAN...but on this one note so much.

 

[Xentrk]

Unfortunately the VPN options are very limites with stock firmware. You have no options for adjusting the VPN DNS parameters. I will have a look at the nslookup now for the TG VPN Domain name.

As for STP, I have yet to see it on this router actually. I have not found this option yet, on my last router it was under LAN...but on this one note so much.

Does the stock FW OpenVPN have the Custom Config section? and the ability to enable jffs partition? If so, we can try to duplicate some of Merlin’s FW functionality manually.

 

[dutuka]

I have the same problem, under WAN -> WAN DNS Setting -> Connect to DNS Server automatically (set to no), fill the IP adress of favorite DNS Server in DNS Server1/2 fields. After that Internet status is connected again while VPN Fusion is connected to a default VPN Server.