OpenVPN tunnel established but not passing traffic after WAN IP change
I have a TP-Link ER7206 router, which was hosting an OpenVPN tunnel for my personal use and it was working fine over the years. Unfortunately, my ISP changed my public IP address. Of course, the new IP is already updated in the router (DHCP reneved it), I generated a new .ovpn profile (yes, it has the new address), and even recreated the entire tunnel from scratch. Still, the same issue persists: the tunnel establishes correctly, I receive an IP address on the client, and I can see the session on the server. However, there is no connectivity – I can't ping the LAN addresses from the client side, nor can I ping the client's assigned IP from the router.
The only thing I've managed to determine on my own is that the problem is likely related to routing on the server side. According to the configuration, the tunnel assigns IP addresses in the 10.5.8.0/24 range, and the client was assigned 10.5.8.6. However, in the router's routing table, I can see a static route: 10.5.8.2 255.255.255.255 0.0.0.0 tun_server2
As mentioned, the tunnel was working fine before. The only thing that changed is the WAN IP. Ports shouldn’t be an issue since the tunnel still establishes. So, what could have caused this to stop working?
here is the configuration of my tunnel:
here are my clients:
and mentioned part of routing table:
.ovpn profile (part, with blurred WAN IP)
@RaRu and this is the point. I have a static public IP, payimng for it and it was working fine for over 10 years. Few days ago my ISP changed my IP and it is still public, still static, but behind of CGNAT. And yes, I'm trying to argue with them.
10.1.1.1 is my router, position 3 is my public IP.
With CGNAT i don't thin the VPN will work.
From my point of view, your "public" IP is still private - or more like behind the NAT. If that's behind the NAT, then you need to forward some ports. Which I believe will be impossible since that's something what should be done by ISP in that case...
IMO you need to work this out with your ISP. You are hosting your own web service (vpn server in that case), therefore you need public IP without NAT.
I believe you are polish speaker, so here for example is info from Netia (ISP) showing that hosting own services is impossible behind CGNAT:
OFC there are solutions (3rd party) to bypass CGNAT - VPS. But what would complicate your configuration and I don't think it is needed for simple VPN server.
You could also try to change the port used by your VPN server. I can see that you are using the default one, sometimes those are blocked by ISP. Try something higher than 50000, usually those are not blocked/occupied. But that's just for testing I guess.
Best Regards
RR