Can't reach internet from LAN with VPN active

Hi. I have set up my policy based routing and firewall this way:

Added to /etc/config/pbr

config policy
	option name 'Internal-services'
	option src_addr '192.168.1.176'
	option dest_addr '192.168.1.0/24'
	option interface 'wan'

config policy
	option name 'Torrent via VPN'
	option src_addr '192.168.1.176'
	option dest_addr '0.0.0.0/0'
	option interface 'VPN'

Added to /etc/config/firewall

# Allow LAN-to-LAN access
config rule
    option name 'Allow LAN to LAN'
    option src 'lan'
    option dest 'lan'
    option family 'ipv4'
    option proto 'all'
    option target 'ACCEPT'

# Allow VPN traffic from the server
config rule
    option name 'Allow Server to VPN'
    option src 'lan'
    option src_ip '192.168.1.176'
    option dest 'vpn'
    option family 'ipv4'
    option proto 'all'
    option target 'ACCEPT'

What I have tried to achieve:
192.168.1.190 <- gaming PC
192.168.1.176 <- server
192.168.1.120 <- HTPC

I want to set it up so that the server uses NordVPN for torrenting. That server also hosts Jellyfin, Sonarr and Kopia. The torrent traffic needs to use the ExpressVPN. I also want to be able to reach the Jellyfin, Sonarr and Kopia services from my gaming PC and HTPC.
The HTPC and the gaming PC must reach the internet normally.

So, what is the cause of my issue?

Duplicate thread from: A question about routing

Not sure why you are starting a new thread?

Could be a lot of things. I'm not familiar with pbr, but I know for the firewall config you would need something like:

config forwarding
        option src 'lan'
        option dest 'vpn'

Because I sort of figured it out, and I want to keep my issues in a separate thread.

Disable PBR.
Set up NordVPN and check that everything routes via the VPN.
Then disable default routing via the VPN (see the PBR guide) and check that the default route is now via the WAN.
Enable PBR.

The only rule you need is

If you have followed the above instructions you should be able to delete all the other rules you posted

Done.
Can't reach https://duckduckgo.com/
https://learnopenwrt.com/
Discord does not work.
This and facebook works:
https://www.digitaldutch.com/

curl --interface tun0 ifconfig.me
37.140.25x.xxx

I can reach the server just fine.

If I turn the VPN off again, all those sites and Discord work.

From 192.168.1.176 do a traceroute to see the path of the traffic:

traceroute 8.8.8.8
traceroute openwrt.org
traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  OpenWrt.lan (192.168.1.1)  0.215 ms  0.195 ms  0.196 ms
 2  * * *
 3  37.140.254.252 (37.140.254.252)  48.573 ms  48.675 ms  48.650 ms
 4  vl204.zur-itx1-core-2.cdn77.com (138.199.0.184)  48.519 ms vl202.zur-itx1-core-2.cdn77.com (138.199.0.180)  48.600 ms vl204.zur-itx1-core-2.cdn77.com (138.199.0.184)  48.489 ms
 5  ae20-407.zur10.core-backbone.com (81.95.9.68)  48.672 ms  48.660 ms  48.705 ms
 6  * ae20-407.zur10.core-backbone.com (81.95.9.68)  48.344 ms  48.336 ms
 7  142.250.162.98 (142.250.162.98)  56.763 ms  60.338 ms  60.336 ms
 8  192.178.105.223 (192.178.105.223)  60.317 ms  60.302 ms  60.311 ms
 9  192.178.105.117 (192.178.105.117)  60.306 ms  60.287 ms 142.251.68.123 (142.251.68.123)  60.294 ms
10  108.170.228.35 (108.170.228.35)  61.227 ms dns.google (8.8.8.8)  59.282 ms 108.170.228.35 (108.170.228.35)  59.293 ms

traceroute openwrt.org
traceroute to openwrt.org (64.226.122.113), 30 hops max, 60 byte packets
 1  OpenWrt.lan (192.168.1.1)  0.244 ms  0.199 ms  0.191 ms
 2  * * *
 3  37.140.254.252 (37.140.254.252)  46.978 ms  46.948 ms  46.984 ms
 4  vl204.zur-itx1-core-2.cdn77.com (138.199.0.184)  46.911 ms vl202.zur-itx1-core-2.cdn77.com (138.199.0.180)  46.950 ms  46.944 ms
 5  vl1101.ams-eq6-bbcore-1.cdn77.com (185.229.188.11)  61.142 ms  61.112 ms  66.988 ms
 6  vl272.ams-eq6-core-2.cdn77.com (79.127.192.216)  61.994 ms  62.401 ms  59.957 ms
 7  146.190.180.32 (146.190.180.32)  63.065 ms 146.190.180.36 (146.190.180.36)  61.821 ms 146.190.180.32 (146.190.180.32)  59.685 ms
 8  * 143.244.224.72 (143.244.224.72)  62.095 ms *
 9  * * *
10  * * *
11  * * *
12  * * *
13  wiki-03.infra.openwrt.org (64.226.122.113)  58.330 ms  60.453 ms  58.258 ms

That's with the VPN enabled, and from the server.

It does not look like it is routing via the VPN.
It will help if we can see your configs, so please connect to your OpenWrt device using ssh, copy the output of the following commands and post it here using the "Preformatted text </>" button.

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
ip route show table all
ip rule show
cat /etc/config/openvpn
for ovpn in $(ls /etc/openvpn/*.ovpn);do echo $ovpn; cat $ovpn; echo;done
for vpn in $(ls /tmp/etc/openvpn*.conf);do echo $vpn;cat $vpn;echo;done
logread | grep openvpn
cat /etc/config/pbr
service pbr status
cat /var/run/pbr.nft
nft -c -f /var/run/pbr.nft

Not sure how it works for pbr, but are you sure clamping or 'mtu_fix' is enabled for the firewall zone that NordVPN is using?

Results are here, because of the character limitation:

Great, looks almost OK.
Your VPN is now the default route, and you want everything via the VPN except your server.

The instructions for that are in the PBR readme, but basically add this to the OpenVPN config:

pull-filter ignore "redirect-gateway"

Save and reboot, then test with ipleak.net from a client in your LAN (not the server) that you are not using the VPN.

The problem with your setup is that the VPN only does IPv4 and you also have IPv6 running.

So we will have to take that into account.

For the PBR setup, enable IPv6.

For the PBR rule for your server you have to use the MAC address and not use a destination, so remove 0.0.0.0/0. This should also try to route IPv6 via the VPN, which will of course fail, but my hope is that it will fall back to IPv4.

If that does not work, the next step is to disable IPv6 on the server.

Of course the best option is to use a VPN which also covers IPv6 :slight_smile:

Test from the server with ipleak.net, which checks both IPv4 and IPv6.
You can compare with another LAN client which does not use the VPN.

Facebook and digitaldutch have native IPv6 addresses, while learnopenwrt and (surprisingly) duckduckgo are v4 only. This is why some sites work while your v4 routing is broken: you are connecting to them on v6.
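As an added diagnostic for the IPv4/IPv6 split explained above (example code, not something posted in the thread), the script below probes each host over IPv4 and IPv6 separately with curl and classifies the result, and prints the per-family egress address the way the curl ifconfig.me / ipinfo.io checks later in the thread do. It assumes curl is installed; the default hostnames are the ones mentioned in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). On a dual-stack client whose VPN only
# carries IPv4, a site with an AAAA record is reached over IPv6 and so "works"
# even when the IPv4/VPN path is broken; that IPv6 traffic bypasses the VPN.
# probe_family relies on curl's exit codes: 0 = connected, 6 = no address for
# that family (unresolvable), anything else = had an address but failed.

probe_family() {   # $1 = 4 or 6, $2 = hostname; prints ok | none | fail
  rc=0
  curl -"$1" -s -o /dev/null -m 8 "https://$2/" >/dev/null 2>&1 || rc=$?
  case "$rc" in 0) echo ok ;; 6) echo none ;; *) echo fail ;; esac
}

# Pure classifier, so it can be checked without network access.
classify() {       # $1 = host, $2 = IPv4 result, $3 = IPv6 result
  case "$2:$3" in
    ok:ok)     echo "$1: dual-stack, both paths work; compare egress IPs, v6 may bypass the VPN" ;;
    ok:none)   echo "$1: IPv4-only site, reached via the VPN path" ;;
    ok:fail)   echo "$1: IPv4 works, IPv6 failed (expected when the VPN has no IPv6)" ;;
    fail:ok)   echo "$1: reachable ONLY over IPv6: IPv4/VPN path broken, traffic bypasses the VPN" ;;
    fail:none) echo "$1: IPv4-only site and unreachable: IPv4/VPN path broken" ;;
    fail:fail) echo "$1: unreachable on both families" ;;
    *)         echo "$1: no IPv4 address (IPv6-only site or DNS failure)" ;;
  esac
}

# Live run: sh v4v6check.sh --live [host ...]; defaults are the hosts from the thread.
if [ "${1:-}" = "--live" ]; then
  shift
  [ $# -gt 0 ] || set -- duckduckgo.com learnopenwrt.com www.digitaldutch.com www.facebook.com
  for h in "$@"; do
    classify "$h" "$(probe_family 4 "$h")" "$(probe_family 6 "$h")"
  done
  # Egress check as in the thread: with a v4-only VPN the IPv6 egress, if any,
  # is the native WAN address, i.e. traffic that is not going through the VPN.
  echo "IPv4 egress: $(curl -4 -s -m 8 ifconfig.me || echo unknown)"
  echo "IPv6 egress: $(curl -6 -s -m 8 ifconfig.me || echo none)"
fi
```

Without --live the script only defines the functions, so it can be sourced and the classifier exercised offline.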

Thanks Mike, exactly what I was thinking (but did not check, thanks for that), hence my emphasis on IPv4/IPv6.

There's no command named ipleak.net.

From my server:

curl ipleak.net returns a lot of HTML, and the word Switzerland, so that seems to work.

Whatsmyip from my phone shows an IP address in my country, so it works now.
Can access all websites.

ipleak.net in a web browser :slight_smile:

From the command line:

curl ipinfo.io
curl v6.ipinfo.io
curl ipinfo.io
{
  "ip": "37.140.xxx.xxx",
  "city": "Oberhausen-Böschenwiesen",
  "region": "Zurich",
  "country": "CH",
  "loc": "47.4257,8.5674",
  "org": "AS206092 Internet Utilities Europe and Asia Limited",
  "postal": "8152",
  "timezone": "Europe/Zurich",

curl v6.ipinfo.io
curl: (6) Could not resolve host: v6.ipinfo.io

I think the VPN was Zurich, so it is connected to the VPN, and IPv6 is not working, as we expect, since the VPN does not have IPv6.

You might need to also set a DNS policy for your server so that you will not get IPv6 addresses returned for a DNS query, but in the end you might need to disable IPv6 on the server altogether.

According to my server's /etc/default/grub (opened with nano), its IPv6 is disabled.
GRUB_CMDLINE_LINUX="ipv6.disable=1" does that.

Then you should be good :slight_smile:
