Setting up ProtonVPN on an OpenWRT router, no internet access with service up (UPDATE: found workaround)
from oddlyqueer@lemmy.ml to selfhosted@lemmy.world on 13 Oct 02:50
https://lemmy.ml/post/37461980

— UPDATE 2025-10-18 —

I never found the solution for OpenVPN, I think there may be some steps missing from Proton’s ovpn guide (as of this writing) regarding setting up a vpn zone but I am no longer actively looking for solutions. What I did instead was reset the router to default and followed the guide for WireGuard protonvpn.com/support/openwrt-wireguard which worked flawlessly and does what I need it to do. Thanks everyone for the help in troubleshooting!

— ORIGINAL POST —

Hi all, as the title says I’m trying to set up Proton VPN on an old router, with the goal of piping 100% of my home traffic through the VPN. I followed this tutorial I found protonvpn.com/…/how-to-set-up-protonvpn-on-openwr… and as soon as I got to the end of it, I couldn’t access the internet with the VPN instance started. If I turn it off, the router behaves normally. I’ve looked through the instructions and I can’t see where I’ve deviated from them, and I’m a little out of my element with routers so I’m not sure how to improvise. Any advice on what to try would be appreciated!

Facts:

Selected log snippets from the router. NOTE: there are a ton of logs with the repeated EHOSTUNREACH array of varying lengths; they all seem to have the same error at the end: Host is unreachable (fd=5,code=148)

daemon.warn openvpn(protonvpn)[19695]: NOTE setsockopt TCP_NODELAY=1 failed
daemon.warn openvpn(protonvpn)[19695] sitnl_send: rtnl: generic error (-128): Network unreachable
...
daemon.notice openvpn(protonvpn)[19695]: WARNING: OpenVPN was configured to add an IPv6 route. However, no IPv6 has been configured for tun0, therefore the route installation may fail or may not work as expected.
...
daemon.notice openvpn(protonvpn)[19695]: Initialization Sequence Completed
daemon.err openvpn(protonvpn)[19695]: read UDPv4 [EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH]: Host is unreachable (fd=5,code=148)
daemon.err openvpn(protonvpn)[19695]: read UDPv4 [EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH]: Host is unreachable (fd=5,code=148)
daemon.err openvpn(protonvpn)[19695]: read UDPv4 [EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH]: Host is unreachable (fd=5,code=148)
... # This block repeats over and over
daemon.notice openvpn(protonvpn)[19695]: SIGUSR1[soft,tls-error] received, process restarting
daemon.warn openvpn(protonvpn)[19695]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
daemon.notice openvpn(protonvpn)[19695]: TCP/UDP: Preserving recently used remote address: [AF_INET]89.187.171.225:51820
daemon.warn openvpn(protonvpn)[19695]: NOTE: setsockopt TCP_NODELAY=1 failed
daemon.notice openvpn(protonvpn)[19695]: UDPv4 link local: (not bound)
daemon.notice openvpn(protonvpn)[19695]: UDPv4 link remote: [AF_INET]89.187.171.225:51820
daemon.err openvpn(protonvpn)[19695]: read UDPv4 [EHOSTUNREACH|EHOSTUNREACH]: Host is unreachable (fd=5,code=148)
daemon.err openvpn(protonvpn)[19695]: read UDPv4 [EHOSTUNREACH]: Host is unreachable (fd=5,code=148)
daemon.err openvpn(protonvpn)[19695]: read UDPv4 [EHOSTUNREACH]: Host is unreachable (fd=5,code=148)
daemon.err openvpn(protonvpn)[19695]: read UDPv4 [EHOSTUNREACH]: Host is unreachable (fd=5,code=148)
daemon.err openvpn(protonvpn)[19695]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
daemon.err openvpn(protonvpn)[19695]: TLS Error: TLS handshake failed
daemon.notice openvpn(protonvpn)[19695]: SIGUSR1[soft,tls-error] received, process restarting

#selfhosted
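The log pattern in the post (tunnel reports "Initialization Sequence Completed", then every read on the UDP socket to the Proton endpoint fails with EHOSTUNREACH until the TLS timer fires and the process restarts) can be triaged mechanically. The script below is an added example, not part of the original post or of Proton's guide; it splits the syslog into connection attempts and reports whether the peer became unreachable only after the tunnel came up, which points at the router's own routing and firewall-zone setup rather than at the peer. The sample log is constructed from the lines quoted above.

```python
import re

# Constructed sample log, built from the lines quoted in the post above.
SAMPLE_LOG = """\
daemon.notice openvpn(protonvpn)[19695]: Initialization Sequence Completed
daemon.err openvpn(protonvpn)[19695]: read UDPv4 [EHOSTUNREACH|EHOSTUNREACH]: Host is unreachable (fd=5,code=148)
daemon.err openvpn(protonvpn)[19695]: read UDPv4 [EHOSTUNREACH]: Host is unreachable (fd=5,code=148)
daemon.notice openvpn(protonvpn)[19695]: SIGUSR1[soft,tls-error] received, process restarting
daemon.notice openvpn(protonvpn)[19695]: UDPv4 link remote: [AF_INET]89.187.171.225:51820
daemon.err openvpn(protonvpn)[19695]: read UDPv4 [EHOSTUNREACH]: Host is unreachable (fd=5,code=148)
daemon.err openvpn(protonvpn)[19695]: TLS Error: TLS handshake failed
daemon.notice openvpn(protonvpn)[19695]: SIGUSR1[soft,tls-error] received, process restarting
"""

MSG_RE = re.compile(r"openvpn\([^)]*\)\[\d+\]:?\s(?P<msg>.*)$")
UNREACH_RE = re.compile(r"read UDPv4 \[([A-Z|]+)\]: Host is unreachable")
REMOTE_RE = re.compile(r"link remote: \[AF_INET\](?P<addr>[\d.]+:\d+)")

def split_cycles(log_text):
    """One record per connection attempt (attempts end at 'process restarting'), counting
    EHOSTUNREACH socket reads before and after 'Initialization Sequence Completed'."""
    cycles, cur = [], {"tunnel_up": False, "unreach_before_up": 0, "unreach_after_up": 0}
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if "Initialization Sequence Completed" in msg:
            cur["tunnel_up"] = True
        u = UNREACH_RE.search(msg)
        if u:  # each "|"-separated token is one failed read on the UDP socket
            key = "unreach_after_up" if cur["tunnel_up"] else "unreach_before_up"
            cur[key] += u.group(1).count("EHOSTUNREACH")
        if "process restarting" in msg:
            cycles.append(cur)
            cur = {"tunnel_up": False, "unreach_before_up": 0, "unreach_after_up": 0}
    if any(cur.values()):
        cycles.append(cur)  # trailing attempt that has not restarted yet
    return cycles

def diagnose(log_text):
    """Turn the cycle records into a one-line hint about where to look first."""
    cycles = split_cycles(log_text)
    if not cycles:
        return "no openvpn connection attempts found"
    r = REMOTE_RE.search(log_text)
    remote = r.group("addr") if r else "the VPN peer"
    if any(c["tunnel_up"] and c["unreach_after_up"] for c in cycles):
        return (f"tunnel came up, then reads from the UDP socket to {remote} failed with EHOSTUNREACH: "
                f"once the tunnel's routes were installed the router had no usable route to {remote}; "
                "check that the peer is still routed via the WAN gateway (not tun0) and that tun0 and "
                "WAN sit in firewall zones that allow the router's own traffic")
    return f"never reached {remote}: check the router's upstream connectivity before the tunnel config"
```

Run `diagnose(open("/var/log/openvpn.log").read())` against a real capture (or `logread` output) to get the hint for that log.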


frongt@lemmy.zip on 13 Oct 03:06

Sounds like that host is unreachable. Are you sure that VPN server is up and reachable?

oddlyqueer@lemmy.ml on 13 Oct 03:12

It came with the ovpn config file I got from Proton, and I can reach it when the openvpn service is down. Not sure why I can’t hit it (or anything else) with the service up but I think there’s something wrong with how the service is capturing traffic from the wan interface. Not really sure but that’s where my head is at ATM.

watson387@sopuli.xyz on 13 Oct 03:45

Is it being blocked by the firewall on the ISP router?

EDIT: I have ProtonVPN running through Wireguard with Gluetun. It was pretty simple to set up that way.

oddlyqueer@lemmy.ml on 13 Oct 04:03

I don’t think so, I’m not trying to do port forwarding or anything like that, I just want the secondary router to be treated like a regular client by the ISP router (that only sends traffic to the VPN). Thanks for the rec though, if I can’t get the native client working I’ll give Gluetun a shot.

EDIT: I added some rules for UDP ports 1194 and 5060 to the ISP router just in case there was some back traffic that wasn’t getting back to the client, restarted the server and same result, Host Unreachable :(

village604@adultswim.fan on 13 Oct 17:23

Thank you for this. I’ve been struggling to get wireguard running in hotio containers on my Synology, and this looks like it might be what I need.

Edit: it worked! Had to fiddle around with it because it didn’t like multiple containers in one compose yaml

watson387@sopuli.xyz on 13 Oct 23:11

Nice! Glad it worked for you.

tjoa@feddit.org on 13 Oct 07:23

If you didn’t already, I would also recommend hitting up the guys on the OpenWRT forum.

oddlyqueer@lemmy.ml on 13 Oct 12:59

Good call, I haven’t yet but I think I should in any case. I got big plans for this little fella and network administration is one of the gaps in my education I’ve been meaning to fill in for a while now.

hitmyspot@aussie.zone on 13 Oct 10:39

Which router is a router and which is a bridge? If they are both acting as routers, you may have conflicts. Is there only one DHCP server? Can the OpenWRT router access the internet (not clients) when Proton is off?

oddlyqueer@lemmy.ml on 13 Oct 12:55

They’re both functioning as routers at the moment, the topology is:

internet fiber cable <---> ISP Router <---> OpenWRT Router <---> (ideally VPN'd) client devices

Both routers are handling DHCP on their own LANs, and if the OpenVPN service is stopped, clients connected to the OpenWRT router can connect to the internet without any apparent issue.

hitmyspot@aussie.zone on 13 Oct 21:09

I’d say you are getting conflicts. Can you put your ISP router into bridge mode?