Here is a latest log with *.4 ipk
Same issue. I can't access router or ssh. My Wi-Fi tells me there is no internet connection. I also can't get access to other LAN-Clients
no worries, the GL-MT300N-V2 Openwrt version is OpenWrt 22.03.4.
So it should still have the recommended packages on the system.
I think it's also still possible to get a real native one on the router for the actual version but not sure.
Regards
Yep, as I suspected, all packages are still on board.
Regards
Happy New Year everyone!
Try the latest release, I rewrote the killswitch to be compatible with OpenWRT. I think this was the root cause of quite a few issues. The killswitch was previously optimized for end devices like laptops and phones, not routers.
Thanks. Installed but for me it's the same issue producing.
How are you accessing the router when it locks up?
wgserver running on 10.1.0.1)?
When it becomes unresponsive, can you still ping the router?
From a LAN device, try:
ping 192.168.2.1
Does it respond, or is it completely dead?
Please run this script - it will capture the system state before and after connecting, which will help us identify exactly what's blocking traffic.
```sh
#!/bin/sh
# Save as /root/nym-debug.sh
OUTDIR="/tmp/nym-debug"
mkdir -p "$OUTDIR"
capture_state() {
    local prefix="$1"
    echo "=== Capturing $prefix state ==="
    nft list ruleset > "$OUTDIR/nft-${prefix}.txt" 2>&1
    ip route show > "$OUTDIR/routes-${prefix}.txt" 2>&1
    ip route show table all > "$OUTDIR/routes-all-${prefix}.txt" 2>&1
    ip rule show > "$OUTDIR/ip-rules-${prefix}.txt" 2>&1
    ip addr show > "$OUTDIR/ip-addr-${prefix}.txt" 2>&1
    echo "Saved to $OUTDIR/*-${prefix}.txt"
}
echo "=== Nym VPN Diagnostic Script ==="
echo ""
# Check initial status
echo "=== Current VPN Status ==="
nym-vpnc status
echo ""
# Capture before state
capture_state "before"
echo ""
# Connect to VPN
echo "=== Connecting to VPN ==="
nym-vpnc connect-v2
# Wait for connection to establish
echo "Waiting 60 seconds for connection..."
sleep 60
echo "=== VPN Status After Connect ==="
nym-vpnc status
echo ""
# Capture after state
capture_state "after"
echo ""
# Disconnect VPN
echo "=== Disconnecting ==="
nym-vpnc disconnect
echo ""
# Package everything
echo "=== Packaging diagnostics ==="
tar czf /tmp/nym-diagnostic.tar.gz -C /tmp nym-debug/
echo ""
echo "Done! Please share: /tmp/nym-diagnostic.tar.gz"
```
Steps:
/root/nym-debug.sh
chmod +x /root/nym-debug.sh
/root/nym-debug.sh
scp -O /tmp/nym-diagnostic.tar.gz user@192.168.2.x:/home/user/
The Nym VPN firewall creates an inet nym nftables table with kill-switch rules. On your system (OpenWrt 24.x with fw4), our table runs at priority -10 (before GL.iNet's firewall). If something in our rules isn't matching correctly, traffic gets dropped before GL.iNet's firewall can process it.
Your LAN (192.168.2.0/24) should be allowed by our rules, so we need to see the actual ruleset to understand why it's being blocked.
I'm sending this message from behind the router with openwrt ON and working.
I have an issue with "discord" though. It doesn't have internet access. I guess it's not linked to the ipk, but more likely an IP ban from discord on the range used for the VPN exit.
Hm, it blocks other connections, thunderbird also, firefox also is blocked.
Try restarting the daemon and connecting to different entry & exit gateways. If that doesn't work, can you follow the steps here and share the file?
Ok I can ping 9.9.9.9, but can't ping google.com
How could I put DNS settings in the VPN?
So, while the script is active I can access the router per ssh, ping it and webaccess.
When I try to connect manually, either per ssh (nym-vpnc connect) or webpage connection breaks. Can't access on any interface. I need to power off hardly and then boot it to get access...
The scripts output is here:
Looks like the 60 second wait wasn't long enough for it to connect.
Remove the old artifacts:
rm -rf /tmp/nym-debug
rm /tmp/nym-diagnostic.tar.gz
Try this:
```sh
#!/bin/sh
# Save as /root/nym-debug.sh
OUTDIR="/tmp/nym-debug"
mkdir -p "$OUTDIR"
capture_state() {
    local prefix="$1"
    echo "=== Capturing $prefix state ==="
    nft list ruleset > "$OUTDIR/nft-${prefix}.txt" 2>&1
    ip route show > "$OUTDIR/routes-${prefix}.txt" 2>&1
    ip route show table all > "$OUTDIR/routes-all-${prefix}.txt" 2>&1
    ip rule show > "$OUTDIR/ip-rules-${prefix}.txt" 2>&1
    ip addr show > "$OUTDIR/ip-addr-${prefix}.txt" 2>&1
    echo "Saved to $OUTDIR/*-${prefix}.txt"
}
echo "=== Nym VPN Diagnostic Script ==="
echo ""
# Stop any existing connection and restart daemon for fresh logs
echo "=== Restarting daemon for fresh logs ==="
nym-vpnc disconnect 2>/dev/null
/etc/init.d/nym-vpnd restart
sleep 3
# Check initial status
echo "=== Current VPN Status ==="
nym-vpnc status | tee "$OUTDIR/status-before.txt"
echo ""
# Capture before state
capture_state "before"
echo ""
# Connect to VPN
echo "=== Connecting to VPN ==="
nym-vpnc connect-v2
# Wait for connection, checking status periodically
echo "Waiting for connection (up to 90 seconds)..."
for i in 1 2 3 4 5 6 7 8 9; do
    sleep 10
    echo " ${i}0s - checking status..."
    # -w matches the whole word, so a status such as "Disconnected" is not counted
    if nym-vpnc status | grep -qiw "connected"; then
        echo " Connected!"
        sleep 5 # Let it stabilize
        break
    fi
done
echo ""
# Capture after state
capture_state "after"
echo ""
# Show final status
echo "=== Final VPN Status ==="
nym-vpnc status | tee "$OUTDIR/status-after.txt"
echo ""
# Capture daemon logs
echo "=== Capturing daemon logs ==="
logread | grep -i nym > "$OUTDIR/daemon-logs.txt"
dmesg | tail -100 > "$OUTDIR/dmesg.txt"
# Disconnect VPN
echo "=== Disconnecting VPN ==="
nym-vpnc disconnect
sleep 2
# Package everything
echo "=== Packaging diagnostics ==="
tar czf /tmp/nym-diagnostic.tar.gz -C /tmp nym-debug/
echo ""
echo "Done! Please share: /tmp/nym-diagnostic.tar.gz"
```
I need to sync our fork with the upstream repo where they added custom DNS. I should have it done by the end of this week.
Here is the new one:
Thanks for running the diagnostic! Found the issue.
The problem is in our IP policy routing rules, not the nftables firewall. Looking at your ip-rules-after.txt:
0: not from all fwmark 0x14d lookup 333 <-- This matches first!
0: from all lookup main suppress_prefixlength 0 <-- Never reached
Both rules are at priority 0, but the table 333 rule is processed first and routes ALL traffic (without our fwmark) through the VPN routing table.
Looking at your routes-all-after.txt, table 333 only contains:
default dev nym-exit table 333 proto static mtu 1340
10.1.0.1 dev nym-entry table 333 proto static mtu 1420
185.55.241.210 dev nym-entry table 333 proto static mtu 1420
There are no LAN routes (192.168.2.0/24) in table 333! So when the router tries to respond to your SSH/HTTP requests:
nym-exit (the VPN tunnel) instead of br-lan
The suppress_prefixlength 0 rule is supposed to fix this by checking the main table first for LAN routes - but it never gets evaluated because both rules are at the same priority and the table 333 rule matches first.
We've fixed this in the routing code by adding explicit priorities:
suppress_prefixlength 0 rule (checks main table first for LAN routes)
Now the rule flow will be:
This ensures LAN traffic stays local while internet traffic goes through the VPN.
The release build is running now, should be done in 15-20 minutes. Try out the latest release once it's finished, v1.21.6.
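The rule-order problem described in the post above can be checked mechanically from the same diagnostic files. This is an added example, not code from the post or from the Nym project; the sample rule lists are constructed around the lines quoted above, and the priorities 100 and 200 in the fixed sample are placeholders, since the thread does not show the actual values.

```sh
#!/bin/sh
# Added example: audit policy-routing order from `ip rule show` output.
# The kernel evaluates rules top to bottom as printed, so line order decides.

# rule_order: stdin = `ip rule show` text; prints one verdict word.
rule_order() {
    awk '
        # main table consulted first, but only for non-default (e.g. LAN) routes
        /lookup main suppress_prefixlength 0/ && !sup { sup = NR; sup_prio = $1 }
        # "not from all fwmark X lookup T": all unmarked traffic uses table T
        $2 == "not" && /fwmark/ && /lookup/ && !vpn { vpn = NR; vpn_prio = $1 }
        END {
            if (!vpn)                      print "NO_VPN_RULE"
            else if (!sup)                 print "NO_SUPPRESS_RULE"
            else if (vpn < sup)            print "VPN_TABLE_FIRST" # LAN replies enter the tunnel
            else if (vpn_prio == sup_prio) print "SAME_PRIORITY"   # order holds only by insertion
            else                           print "OK"
        }'
}

# table_has_route TABLE PREFIX: stdin = `ip route show table all`; exit 0 if found.
table_has_route() {
    awk -v t="$1" -v p="$2" '
        $1 == p { for (i = 2; i < NF; i++) if ($i == "table" && $(i + 1) == t) found = 1 }
        END { exit !found }'
}

# Constructed samples: the table 333 lines come from the post above; the
# local/main/default rules and the br-lan route are typical defaults (assumed).
BROKEN='0: from all lookup local
0: not from all fwmark 0x14d lookup 333
0: from all lookup main suppress_prefixlength 0
32766: from all lookup main
32767: from all lookup default'
# Priorities 100 and 200 are placeholders, not the values used by the project.
FIXED='0: from all lookup local
100: from all lookup main suppress_prefixlength 0
200: not from all fwmark 0x14d lookup 333
32766: from all lookup main
32767: from all lookup default'
ROUTES='default dev nym-exit table 333 proto static mtu 1340
10.1.0.1 dev nym-entry table 333 proto static mtu 1420
185.55.241.210 dev nym-entry table 333 proto static mtu 1420
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.1'

echo "before fix: $(printf '%s\n' "$BROKEN" | rule_order)"
echo "after fix:  $(printf '%s\n' "$FIXED" | rule_order)"
printf '%s\n' "$ROUTES" | table_has_route 333 192.168.2.0/24 ||
    echo "table 333 has no route for 192.168.2.0/24"
```

On the router, the same functions accept live data, for example `ip rule show | rule_order`.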
Looks good for now. It connects and I can connect to other LAN Clients.
I know it's a beta package. Will glddns get to function or is it generally not compatible with the glinets "own" software.
Maybe an option for what traffic goes through the vpn, what traffic is normal?
Another thing, how is the "normal" VPN-Service like WG, OpenVPN be handled beside nym-package on the router?
Is it possible to cascade wg-server to nym and although having access to LAN-Clients?
Thanks for your effort!!!
I wanted to, but after I removed my older version my gl- mt300v2 seems broken. Massive lags in webif and the ssh service seems also not working properly.
But cpu/memory usage was on a normal low level. Dropbear service was also running
I tried to reset my firmware, but sth. deeper seems broken.
Tomorrow I will try to fix this with the uboot mode flashing.
Regards
So, now everything worked as expected in normal state without the nym vpn package.
Maybe my other router changed its channels and some interference occurs, don't know.
But to be sure, what does the uninstall script for the ipk package do?
After the installation the same error still persist:
Network: Error: Failed to create RPC client Caused by: 0: transport error 1: No such file or directory (os error 2) 2: No such file or directory (os error 2)
If I had to make a guess, mine would be that the permissions to control sth. aren't enough, but I'm not a dev.
Sidefact, the glinet vpn client works flawlessly.
Here is my Debug log, with the help from the script with extended disconnect times:
https://www.swisstransfer.com/d/252c85c2-c976-47bb-8dc8-9aff857e3ada
regards
Well could be also because GL.INET are using a custom fork of OpenWRT , on my XE3000 it runs some 4 yo 21.04 build.
You have to assume that NYM Is quite bleeding edge and we are testing stuff on the latest OpenWRT builds.
I am gonna try to see if the thing will fly on this XE3000 of mine without any issues and let you know.
Thanks to everyone for helping us to test this, by the nature of it - it takes a community effort to pull this off.
@moejoe Could you be more specific please?
Please note that we are not OpenWRT support and this is a NYM forum ...
Anyway, I should get back here with a follow up later tonight. If I don't then sorry in advance - busy packing after the NYE and also Vodafone decided to throw FUP on me, so it will be funny to try this with 3-5 mbit downstream lol