OpenVPN: partial or no internet access

[perrotuerto]

Before submitting an issue
Please read this first https://github.com/billz/raspap-webgui/wiki/Reporting-issues

• This is a bug report
• I searched existing issues before opening this one
• I checked the FAQ before creating this issue
• I have read and understand the issue reporting guidelines

Describe the bug

Hi, I am trying to enable the VPN and, even though the config is working, I can only sometimes access to duckduckgo and Telegram. The rest of websites o email client connections are denied. Most of the times I don't have any internet access.

Your environment

• Raspberry Pi 3 Model B Rev 1.2
• Raspbian Buster Lite
• Followed the project prerequisites? Y
• Checked the project FAQ? Y
• RaspAP Quick Install
• Using default configuration? Y
• Simultaneous AP and managed mode? N
• Onboard wireless chipset

Steps to reproduce

1. Add OpenVPN conf file (see below)
2. Add user and pass
3. Start OpenVPN

$ cat /etc/openvpn/client/client.conf
remote 198.252.153.226
remote vpn.riseup.net
auth SHA256
auth-nocache
auth-user-pass login.conf
cipher AES-256-CBC
client
dev tun
nobind
persist-key
persist-tun
port 80
proto udp
remote-cert-tls server
resolv-retry infinite
script-security 2

<ca>
-----BEGIN CERTIFICATE-----
MIIF2jCCA8KgAwIBAgIIVogyQTSIzc8wDQYJKoZIhvcNAQELBQAwgYYxGDAWBgNV
BAMTD1Jpc2V1cCBOZXR3b3JrczEYMBYGA1UEChMPUmlzZXVwIE5ldHdvcmtzMRAw
DgYDVQQHEwdTZWF0dGxlMQswCQYDVQQIEwJXQTELMAkGA1UEBhMCVVMxJDAiBgkq
hkiG9w0BCQEWFWNvbGxlY3RpdmVAcmlzZXVwLm5ldDAiGA8yMDE2MDEwMjIwMjU0
MFoYDzIwMjYwMzMwMjAyNjAxWjCBhjEYMBYGA1UEAxMPUmlzZXVwIE5ldHdvcmtz
MRgwFgYDVQQKEw9SaXNldXAgTmV0d29ya3MxEDAOBgNVBAcTB1NlYXR0bGUxCzAJ
BgNVBAgTAldBMQswCQYDVQQGEwJVUzEkMCIGCSqGSIb3DQEJARYVY29sbGVjdGl2
ZUByaXNldXAubmV0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAw2VV
uoz4xqeB1ROIwXBRaj0prOqEFX89A7+2rslGRfjM8NPHyBLGleoHTK3DPwadtQeg
ulaEOAjM5EMXTEX/o9H46L6h729HUWPCwVssvvOjyxTyGJDf7Ihd/Ab7ODtlJSyc
g31aXMioA5pGz5QnS3VGz4nE9+NL+jobc/NbhaacsEPR/7xO7meRNu/1S+YiHK1y
BSVrfap3XItlcNHDGNQkPyyJbS3pAS1lQs2HCBTzcFCamCkDOC7cRh9wZ4GH8U2f
2s0mDD5zhRpheNW4gFBtGpqHiRXv7WJW612aaXzKQQoIq2loGNvOpnyBPKL3jjUT
Rxv5IzWMV0nAofMCy25u/S4J65uSEd9mLNXFJ3rl+cFaybcOUXktTbS7bZy6cMyf
/gO28bEXIWr5WfZf8jCbPyOVfExZquG3aS+0YPWmIJCheXQzgiwplZy93oND1GGQ
f+1R2F7GPwNXQdefv2xm7PTWhHbSWHHmeY89qYED+yFJrX5ChoFoBbYs1lMmdU/C
2MnQBFtvcVockXFAUONyMKiq8ZP6sQ1lu0rO9Bvkhx55sJLZOmjN3g4S1K97PbbI
5DzHKcR0JQSt8ZtCY/MuMbwvlNYo98bFWvlfKET0KPtogNNH0PNfJmStKR8jWGjE
HnUNXo7YDfK90iEKTjLz2K5CYzH5Dm6iYJNaaykCAwEAAaNGMEQwEgYDVR0TAQH/
BAgwBgEB/wIBADAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBTGek7ebtq2Ibm+
2K6je1IMobvEkzANBgkqhkiG9w0BAQsFAAOCAgEAO2B3jnL+8LeoRkc282qUpHyu
xYj0Qd68l0CJ0FjfA2OCR/6h1W4gZVH+fTd/mhgrNXj28GRT53JEh1jdRC7ENTXu
W9O8I9gCbWQ6V4nkZ9lpq8UEmKTFGnngVu8VCmSDF+y0kFuEtmt0jyd2UkJfC/vy
Gh78OCHEdGAeOTYHXamiuA9Z7wMuncPjP476gSW2kfWTdxV25ad4tT5dA5d42xDm
YE2UKzHeB9amOmvyh08LPD0idT5oROCIHsHBhQC9oltJXO5j6GyHRg88C1inyv6R
xk+w9ek4wSBpoJg5t3hdbZr3JTUsuu4WPtAET0fMQpJC+niaBbegwtvdLZFM+d8x
ead3ZpMO+XrpazDFGtdPTQdi5EIYmr2RL9eTeQbVPwMB9TgFpBXP+iYIuTpNo8jn
8zS4EcPRmz6PQJVK4zkHczfvquyU9RuOwEgb8qN4tSNxF0Z94uSVUoXCG9WZLf8q
MfsGesYiR/qLnLn3MfAyWm3OVOUvGzczDE2T8VvY7rXc2+8ra5aK0TNAgEz9ey6D
/dGzM1JCCe1A08s+2+eRX//pmqmOCoGrY7zwIVS2T249h6iIMM9yT0C3ZXRoTnVN
osyidOkVuQr0YK6shJ0WaK4F1MktdjOZKPoIc9QLw+TrSU2hfyla36T0bNWMC/TJ
YtxDI+d1jIFZ7zMmts4=
-----END CERTIFICATE-----
</ca>

Expected behavior

Have full internet access.

Actual behavior

Partial or no internet access (sometimes duckduckgo or Telegram, most of the times none).

Additional context

$ uname -a
Linux raspberrypi 4.19.118-v7+ #1311 SMP Mon Apr 27 14:21:24 BST 2020 armv7l GNU/Linux

$ sudo systemctl status openvpn
● openvpn.service - OpenVPN service
   Loaded: loaded (/lib/systemd/system/openvpn.service; enabled; vendor preset: enabled)
   Active: active (exited) since Fri 2020-06-12 15:32:51 CDT; 18min ago
 Main PID: 560 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 2200)
   Memory: 0B
   CGroup: /system.slice/openvpn.service

Jun 12 15:32:51 raspberrypi systemd[1]: Starting OpenVPN service...
Jun 12 15:32:51 raspberrypi systemd[1]: Started OpenVPN service.

$ sudo systemctl status openvpn-client@client
● openvpn-client@client.service - OpenVPN tunnel for client
   Loaded: loaded (/lib/systemd/system/openvpn-client@.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2020-06-12 15:45:41 CDT; 1min 39s ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 2689 (openvpn)
   Status: "Initialization Sequence Completed"
    Tasks: 1 (limit: 2200)
   Memory: 1.1M
   CGroup: /system.slice/system-openvpn\x2dclient.slice/openvpn-client@client.service
           └─2689 /usr/sbin/openvpn --suppress-timestamps --nobind --config client.conf

Jun 12 15:45:41 raspberrypi openvpn[2689]: library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Jun 12 15:45:41 raspberrypi openvpn[2689]: TCP/UDP: Preserving recently used remote address: [AF_INET]198.252.153.226:80
Jun 12 15:45:41 raspberrypi openvpn[2689]: UDP link local: (not bound)
Jun 12 15:45:41 raspberrypi openvpn[2689]: UDP link remote: [AF_INET]198.252.153.226:80
Jun 12 15:45:41 raspberrypi systemd[1]: Started OpenVPN tunnel for client.
Jun 12 15:45:42 raspberrypi openvpn[2689]: [vpn.riseup.net] Peer Connection Initiated with [AF_INET]198.252.153.226:80
Jun 12 15:45:44 raspberrypi openvpn[2689]: TUN/TAP device tun0 opened
Jun 12 15:45:44 raspberrypi openvpn[2689]: /sbin/ip link set dev tun0 up mtu 1500
Jun 12 15:45:44 raspberrypi openvpn[2689]: /sbin/ip addr add dev tun0 172.27.0.32/22 broadcast 172.27.3.255
Jun 12 15:45:44 raspberrypi openvpn[2689]: Initialization Sequence Completed

$ journalctl --identifier openvpn
-- Logs begin at Fri 2020-06-12 15:32:34 CDT, end at Fri 2020-06-12 15:48:53 CDT. --
Jun 12 15:32:52 raspberrypi openvpn[561]: WARNING: file 'login.conf' is group or others accessible
Jun 12 15:32:52 raspberrypi openvpn[561]: OpenVPN 2.4.7 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Jun 12 15:32:52 raspberrypi openvpn[561]: library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Jun 12 15:32:52 raspberrypi openvpn[561]: TCP/UDP: Preserving recently used remote address: [AF_INET]198.252.153.226:80
Jun 12 15:32:52 raspberrypi openvpn[561]: UDP link local: (not bound)
Jun 12 15:32:52 raspberrypi openvpn[561]: UDP link remote: [AF_INET]198.252.153.226:80
Jun 12 15:32:52 raspberrypi openvpn[561]: [vpn.riseup.net] Peer Connection Initiated with [AF_INET]198.252.153.226:80
Jun 12 15:32:54 raspberrypi openvpn[561]: TUN/TAP device tun0 opened
Jun 12 15:32:54 raspberrypi openvpn[561]: /sbin/ip link set dev tun0 up mtu 1500
Jun 12 15:32:54 raspberrypi openvpn[561]: /sbin/ip addr add dev tun0 172.27.0.43/22 broadcast 172.27.3.255
Jun 12 15:32:54 raspberrypi openvpn[561]: Initialization Sequence Completed
Jun 12 15:32:59 raspberrypi openvpn[561]: event_wait : Interrupted system call (code=4)
Jun 12 15:32:59 raspberrypi openvpn[561]: /sbin/ip addr del dev tun0 172.27.0.43/22
Jun 12 15:32:59 raspberrypi openvpn[561]: SIGTERM[hard,] received, process exiting
Jun 12 15:33:31 raspberrypi openvpn[861]: WARNING: file 'login.conf' is group or others accessible
Jun 12 15:33:31 raspberrypi openvpn[861]: OpenVPN 2.4.7 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Jun 12 15:33:31 raspberrypi openvpn[861]: library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Jun 12 15:33:31 raspberrypi openvpn[861]: TCP/UDP: Preserving recently used remote address: [AF_INET]198.252.153.226:80
Jun 12 15:33:31 raspberrypi openvpn[861]: UDP link local: (not bound)
Jun 12 15:33:31 raspberrypi openvpn[861]: UDP link remote: [AF_INET]198.252.153.226:80
Jun 12 15:33:32 raspberrypi openvpn[861]: [vpn.riseup.net] Peer Connection Initiated with [AF_INET]198.252.153.226:80
Jun 12 15:33:34 raspberrypi openvpn[861]: TUN/TAP device tun0 opened
Jun 12 15:33:34 raspberrypi openvpn[861]: /sbin/ip link set dev tun0 up mtu 1500
Jun 12 15:33:34 raspberrypi openvpn[861]: /sbin/ip addr add dev tun0 172.27.0.7/22 broadcast 172.27.3.255
Jun 12 15:33:34 raspberrypi openvpn[861]: Initialization Sequence Completed
Jun 12 15:37:34 raspberrypi openvpn[861]: event_wait : Interrupted system call (code=4)
Jun 12 15:37:34 raspberrypi openvpn[861]: /sbin/ip addr del dev tun0 172.27.0.7/22
Jun 12 15:37:35 raspberrypi openvpn[861]: SIGTERM[hard,] received, process exiting
Jun 12 15:37:53 raspberrypi openvpn[1569]: WARNING: file 'login.conf' is group or others accessible
Jun 12 15:37:53 raspberrypi openvpn[1569]: OpenVPN 2.4.7 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Jun 12 15:37:53 raspberrypi openvpn[1569]: library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Jun 12 15:37:53 raspberrypi openvpn[1569]: TCP/UDP: Preserving recently used remote address: [AF_INET]198.252.153.226:80
Jun 12 15:37:53 raspberrypi openvpn[1569]: UDP link local: (not bound)
Jun 12 15:37:53 raspberrypi openvpn[1569]: UDP link remote: [AF_INET]198.252.153.226:80
Jun 12 15:37:54 raspberrypi openvpn[1569]: [vpn.riseup.net] Peer Connection Initiated with [AF_INET]198.252.153.226:80
Jun 12 15:37:55 raspberrypi openvpn[1569]: TUN/TAP device tun0 opened
Jun 12 15:37:55 raspberrypi openvpn[1569]: /sbin/ip link set dev tun0 up mtu 1500
Jun 12 15:37:55 raspberrypi openvpn[1569]: /sbin/ip addr add dev tun0 172.27.0.45/22 broadcast 172.27.3.255
Jun 12 15:37:55 raspberrypi openvpn[1569]: Initialization Sequence Completed
Jun 12 15:39:19 raspberrypi openvpn[1569]: event_wait : Interrupted system call (code=4)
Jun 12 15:39:19 raspberrypi openvpn[1569]: /sbin/ip addr del dev tun0 172.27.0.45/22
Jun 12 15:39:20 raspberrypi openvpn[1569]: SIGTERM[hard,] received, process exiting
Jun 12 15:44:05 raspberrypi openvpn[2377]: WARNING: file 'login.conf' is group or others accessible
Jun 12 15:44:05 raspberrypi openvpn[2377]: OpenVPN 2.4.7 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Jun 12 15:44:05 raspberrypi openvpn[2377]: library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Jun 12 15:44:05 raspberrypi openvpn[2377]: TCP/UDP: Preserving recently used remote address: [AF_INET]198.252.153.226:80
Jun 12 15:44:05 raspberrypi openvpn[2377]: UDP link local: (not bound)
Jun 12 15:44:05 raspberrypi openvpn[2377]: UDP link remote: [AF_INET]198.252.153.226:80
Jun 12 15:44:06 raspberrypi openvpn[2377]: [vpn.riseup.net] Peer Connection Initiated with [AF_INET]198.252.153.226:80
Jun 12 15:44:07 raspberrypi openvpn[2377]: TUN/TAP device tun0 opened
Jun 12 15:44:07 raspberrypi openvpn[2377]: /sbin/ip link set dev tun0 up mtu 1500
Jun 12 15:44:07 raspberrypi openvpn[2377]: /sbin/ip addr add dev tun0 172.27.0.26/22 broadcast 172.27.3.255
Jun 12 15:44:07 raspberrypi openvpn[2377]: Initialization Sequence Completed
Jun 12 15:45:31 raspberrypi openvpn[2377]: event_wait : Interrupted system call (code=4)
Jun 12 15:45:31 raspberrypi openvpn[2377]: /sbin/ip addr del dev tun0 172.27.0.26/22
Jun 12 15:45:31 raspberrypi openvpn[2377]: SIGTERM[hard,] received, process exiting
Jun 12 15:45:41 raspberrypi openvpn[2689]: WARNING: file 'login.conf' is group or others accessible
Jun 12 15:45:41 raspberrypi openvpn[2689]: OpenVPN 2.4.7 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Jun 12 15:45:41 raspberrypi openvpn[2689]: library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Jun 12 15:45:41 raspberrypi openvpn[2689]: TCP/UDP: Preserving recently used remote address: [AF_INET]198.252.153.226:80
Jun 12 15:45:41 raspberrypi openvpn[2689]: UDP link local: (not bound)
Jun 12 15:45:41 raspberrypi openvpn[2689]: UDP link remote: [AF_INET]198.252.153.226:80
Jun 12 15:45:42 raspberrypi openvpn[2689]: [vpn.riseup.net] Peer Connection Initiated with [AF_INET]198.252.153.226:80
Jun 12 15:45:44 raspberrypi openvpn[2689]: TUN/TAP device tun0 opened
Jun 12 15:45:44 raspberrypi openvpn[2689]: /sbin/ip link set dev tun0 up mtu 1500
Jun 12 15:45:44 raspberrypi openvpn[2689]: /sbin/ip addr add dev tun0 172.27.0.32/22 broadcast 172.27.3.255
Jun 12 15:45:44 raspberrypi openvpn[2689]: Initialization Sequence Completed

$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o tun0 -j ACCEPT

[billz]

The logs indicate that this project has successfully configured an openvpn client for you. Great!

even though the config is working, I can only sometimes access [snip]

Intermittent access is an issue for your openvpn provider, not this project. It's likely your provider is oversubscribed. There are various Linux tools such as mtr or traceroute you can use to measure network latency and make your own assessment.

Protip: you usually get what you pay for with 'no-cost' public VPNs, which is what riseup.net appears to offer.

[perrotuerto]

Thanks for your help. I am glad it is not and issue of this great project. Cheers!