Allow open-vpn connections on custom port

Hi there, recently got my hands (for the first time) on openwrt firmware for ASUS RT-AC57U router.

Everything works fine on default settings except VPN. I can't connect to remote port udp/51194 (which is not the default open-vpn port). After failing to connect from my LAN pc i am losing internet connection and unable to do anything (except for browsing luci frontend) until i reboot the router.

I suggest i should somehow open ports or maybe do port forwarding? I've tried to disable firewall completely, but it seems that disabling it disables all the traffic flow via iptables default chains. The problem is that i can't experiment too much, because after any failed connection attempt i need to reboot the router, and this is about 15-25 seconds each time ...

Please help

Use ssh to connect to the device.
Then run the following commands (copy-paste the whole block) and paste the output here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export openvpn; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

root@asus:/etc/config# ubus call system board; \
> uci export network; uci export wireless; \
> uci export dhcp; uci export openvpn; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
{
	"kernel": "4.14.195",
	"hostname": "asus",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "ASUS RT-AC57U",
	"board_name": "asus,rt-ac57u",
	"release": {
		"distribution": "OpenWrt",
		"version": "19.07.4",
		"revision": "r11208-ce6496d796",
		"target": "ramips/mt7621",
		"description": "OpenWrt 19.07.4 r11208-ce6496d796"
	}
}
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdbb:0563:b3d7::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device 'lan_eth0_1_dev'
	option name 'eth0.1'
	option macaddr '<mac-here>'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'static'
	option netmask '255.255.255.0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	option ipaddr '<my-static-ip-here>'
	option gateway '<my-isp-gateway-here>'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr '<mac-here>'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'pci0000:00/0000:00:01.0/0000:02:00.0'
	option htmode 'HT20'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option key '<my-wpa2-key-here>'
	option ssid '<my-wifi-network-ssid-here>'
	option encryption 'psk2'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'VHT80'
	option disabled '1'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

uci: Entry not found
package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet <my-wan-static-ip-here>/24 brd <my-public-ip-first-3-octets-here>.255 scope global eth0.2
       valid_lft forever preferred_lft forever
default via <my-wan-gateway-here> dev eth0.2 
<my-public-ip-first-3-octets-here>.0/24 dev eth0.2 scope link  src <my-public-ip-here>
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 
broadcast <my-public-ip-first-3-octets-here>.0 dev eth0.2 table local scope link  src <my-public-ip-here>
local <my-public-ip-here> dev eth0.2 table local scope host  src <my-public-ip-here> 
broadcast <my-public-ip-first-3-octets-here>.255 dev eth0.2 table local scope link  src <my-public-ip-here>
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local scope link  src 192.168.1.1 
local 192.168.1.1 dev br-lan table local scope host  src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.1 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
ls: /tmp/resolv.*/*: No such file or directory
lrwxrwxrwx    1 root     root            16 Sep  6 16:19 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Sep  6 16:21 /tmp/resolv.conf
-rw-r--r--    1 root     root            54 Sep  6 16:22 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 8.8.8.8
nameserver 8.8.4.4
head: /tmp/resolv.*/*: No such file or directory

Please

Your router doesn't seem to have OpenVPN installed.
Where are you connecting from and to?

I am trying to connect from local PC (in 192.168 network) to my external open-vpn server which is not on the router. It worked perfectly with default asus firmware.

Lan to wan traffic is not blocked by default. And from what I can see you have not messed with the firewall, so it is not blocked there.
Install tcpdump first opkg update; opkg install tcpdump
Then run on one ssh window tcpdump -i eth0.2 -evn udp port 51194
On another ssh window run logread -f
Fire up the Openvpn connection from the PC and paste her the output from the 2 windows.

This is indeed very strange thing. In tcpdump window there are packets like this

21:21:01.117576 <mac1> > <mac2>, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 56, id 31765, offset 0, flags [DF], proto UDP (17), length 68)
    <my_openvpn_server_ip>.51194 > <my_local_ip>.32849: UDP, length 40
21:21:11.143149 <mac1> > <mac2>, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 56, id 32600, offset 0, flags [DF], proto UDP (17), length 68)
    <my_openvpn_server_ip>.51194 > <my_local_ip>.32849: UDP, length 40
21:21:21.272845 <mac1> > <mac2>, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 56, id 33889, offset 0, flags [DF], proto UDP (17), length 68)
    <my_openvpn_server_ip>.51194 > <my_local_ip>.32849: UDP, length 40
21:21:31.405310 <mac1> > <mac2>, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 56, id 34130, offset 0, flags [DF], proto UDP (17), length 68)
    <my_openvpn_server_ip>.51194 > <my_local_ip>.32849: UDP, length 40
21:21:41.758317 <mac1> > <mac2>, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 56, id 35700, offset 0, flags [DF], proto UDP (17), length 68)
    <my_openvpn_server_ip>.51194 > <my_local_ip>.32849: UDP, length 40

In logread -f window there were nothing (was running it from another ssh session from the router). I even checked my open-vpn server logs, seems like i was connected, and in addition to that my network manager icon showed me that i am connected (small lock icon, i am using arch-linux). The most bad part that after i disconnect from that broken vpn connection (because i have not internet) i can't access any 80 or 443 port via router (just freezing on connection), BUT i can use ssh 22 port from my local PC in 192 network

Looks like you have some problem with client and/or server configuration.
Your issue doesn't seem to be related to OpenWrt.

But it was working perfectly fine, before i started using openwrt firmware + that port blocking after disconnecting from "broken" vpn connection is clearly router issue, i had nothing near that previously

Activate the VPN connection and collect the diagnostics from your PC:

PAGER= nmcli connection show id VPN_CON; \
ip address show; ip route show; ip rule show; \
ip route get 1; ip route get 1::; \
grep -e ^hosts /etc/nsswitch.conf; \
grep -v -e ^# -e ^$ /etc/resolv.conf; \
resolvectl query example.org; \
resolvectl dns; resolvectl domain; \
ping -w 3 8.8.8.8; ping -w 3 example.org; \
nslookup example.org 8.8.8.8; nslookup example.org

You can post it to pastebin.com.

So i solved first issue, which was loss of dns after i was disconnecting from VPN, by enabling systemd-resolved service, it wasn't somehow disabled, but anyway when VPN is connected, nothing of below works resulting in 100% packet loss or timeout

resolvectl query openwrt.org
ping -w 3 openwrt.org
ping -w 3 8.8.8.8
nslookup openwrt.org 8.8.8.8
nslookup openwrt.org

resolvectl domain; resolvectl dns
Global:
Link 2 (enp30s0):
Link 3 (br-1469495459e8):
Link 4 (br-35c745066029):
Link 5 (docker0):
Link 6 (br-baeb43c59b81):
Link 25 (tun0): ~.
Global: 8.8.8.8 8.8.4.4
Link 2 (enp30s0):
Link 3 (br-1469495459e8):
Link 4 (br-35c745066029):
Link 5 (docker0):
Link 6 (br-baeb43c59b81):
Link 25 (tun0): 8.8.8.8 8.8.4.4

ip route get 1; ip route get 1::;
1.0.0.0 via 192.168.255.5 dev tun0 src 192.168.255.6 uid 1000 
    cache 
RTNETLINK answers: Network is unreachable

This might be MTU-related issues, see:
Route into a Open-VPN-Client Subnet

I will check that out, in addition to that, i am getting timeout doing nslookup openwrt.org on normal connection state, without VPN connected

grep -e ^hosts /etc/nsswitch.conf; \
ls -l /etc/resolv.conf; \
grep -v -e ^# -e ^$ /etc/resolv.conf; \
resolvectl dns; resolvectl domain

grep -e ^hosts /etc/nsswitch.conf; \
> ls -l /etc/resolv.conf; \
> grep -v -e ^# -e ^$ /etc/resolv.conf; \
> resolvectl dns; resolvectl domain
hosts: files mymachines myhostname resolve [!UNAVAIL=return] dns
-rw-r--r-- 1 root root 30 окт 31 02:17 /etc/resolv.conf
Global:
Link 2 (enp30s0):
Link 3 (br-1469495459e8):
Link 4 (br-35c745066029):
Link 5 (docker0):
Link 6 (br-baeb43c59b81):
Global:
Link 2 (enp30s0):
Link 3 (br-1469495459e8):
Link 4 (br-35c745066029):
Link 5 (docker0):
Link 6 (br-baeb43c59b81):

Post your main connection config:

PAGER= nmcli connection show id MAIN_CONNECTION

And fix resolver:

sudo ln -f -r -s /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

Ye, resolver is ok now from wired connection, but not from vpn. Config here https://pastebin.com/F95uc3kX

Check both the VPN server and client logs for clues.

I have no idea at all. Journalctl is clean, i am 90% sure the problem is in router\openwrt firewall, because everything was working okay yesterday on this pc with all this settings (and even switched off resolvectl service) with default asus firmware. OpenVPN server logs are clean too, it is allowing me to connect + networkmanager icon is showing that i am connected. And after that connection nothing is working, unable to nslookup, ping, e.t.c, like something is blocking all the traffic.

Is this okay that tun interface are getting 192.168.255.* local address the same that router LAN network is in? Is this okay that iptables -S on the router showing rejection of all tcp traffic by default?

-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable

How can i completely disable firewall and allow everything to everything ?

Your LAN is: