My main problem was initially described here: Connection timing-out
Upon upgrading to the latest stable release I had the same problem and decided to move the default route back from the VPN tunnel to the WAN.
This fixed all connection issues.
Maybe someone is smart enough to explain why connections time out when my default route goes through the VPN tunnel.
The config is basically the same as provided in the previous topic and I can provide it once again upon request (now with the default route through WAN).
Thanks in advance.
brada4
February 22, 2025, 6:56pm
2
If you search the forum for "Russia" you will find recent workarounds.
How does it relate? I am not located in Russia, and the VPN source is not Russia-based.
The only difference between configs for stable and unstable is default gateway setting within vpn peer.
brada4
February 22, 2025, 7:11pm
4
You can find solutions for the VPN being blocked. It does not matter where you are.
The VPN is not being blocked. This is some config/SW/HW issue. Please stop posting nonsense. In my current setup I do not use the VPN as the default route, but with PBR it is effectively the default for my main LAN network; when I set the VPN as the default route, the issues appear.
Can we see this specific configuration?
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fde3:d3f0:9ebc::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'sfp2'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
list dns '1.1.1.1'
list dns '1.0.0.1'
option delegate '0'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
option disabled '1'
option reqaddress 'try'
option reqprefix 'auto'
config interface 'guest'
option proto 'static'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
list dns '8.8.8.8'
list dns '8.8.4.4'
config interface 'WG0'
option proto 'wireguard'
option peerdns '0'
option mtu '1280'
option private_key 'XXX'
list addresses '172.16.0.2/32'
list dns '1.1.1.1'
list dns '1.0.0.1'
option delegate '0'
option defaultroute '1'
config wireguard_WG0
option endpoint_port '2408'
option description 'cloudflare_warp'
option endpoint_host 'engage.cloudflareclient.com'
option public_key 'XXX'
option persistent_keepalive '25'
option route_allowed_ips '1'
list allowed_ips '0.0.0.0/0'
config interface 'openvpn'
option proto 'none'
option device 'tun0'
list dns '1.1.1.1'
list dns '1.0.0.1'
config interface 'vpn_free'
option proto 'static'
option ipaddr '192.168.20.1'
option netmask '255.255.255.0'
list dns '8.8.8.8'
list dns '8.8.4.4'
config interface 'real_guest'
option proto 'static'
option ipaddr '192.168.30.1'
option netmask '255.255.255.0'
list dns '8.8.8.8'
list dns '8.8.4.4'
config interface 'iot_vpn_free'
option proto 'static'
option ipaddr '192.168.40.1'
option netmask '255.255.255.0'
list dns '8.8.8.8'
list dns '8.8.4.4'
config device
option name 'wan'
option macaddr 'E8:9F:80:E9:56:F5'
config wireguard_WG0
option description 'Proton_VPN_Wireguard_-NL-FREE-378149.conf'
option endpoint_port '51820'
option endpoint_host '169.150.218.137'
option public_key 'xxx'
option route_allowed_ips '1'
list allowed_ips '0.0.0.0/0'
option disabled '1'
config 1 'wed_enable'
config pbr 'config'
option verbosity '2'
option strict_enforcement '1'
option src_ipset '0'
option dest_ipset '0'
list ignored_interface 'vpnserver wgserver'
option boot_timeout '30'
option procd_reload_delay '1'
option webui_enable_column '0'
option webui_protocol_column '0'
option webui_chain_column '0'
option webui_sorting '1'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list webui_supported_protocol 'all'
option ipv6_enabled '0'
option resolver_set 'dnsmasq.nftset'
option rule_create_option 'add'
option enabled '1'
option webui_show_ignore_target '1'
config include
option path '/etc/pbr.netflix.user'
option enabled '0'
config include
option path '/etc/pbr.aws.user'
option enabled '0'
config policy
option name 'Allow LAN access from OpenVPN'
option interface 'ignore'
option dest_addr '192.168.8.0/24'
config policy
option name 'Allow LAN access from VPN FREE'
option dest_addr '192.168.20.0/24'
option interface 'ignore'
config policy
option interface 'wan'
option name 'openvpn'
option src_port '1194'
option proto 'tcp'
option chain 'output'
config policy
option src_addr '192.168.1.233'
option interface 'wan'
option name 'lianli'
option enabled '0'
config policy
option name 'sharp'
option src_addr '192.168.1.191'
option interface 'wan'
option enabled '0'
config policy
option name 'hosts_to_skip_wg'
option dest_addr 'userbenchmark.com'
option interface 'wan'
option src_addr '192.168.1.1/24'
config policy
option name 'lan_to_wg'
option src_addr '192.168.1.1/24'
option interface 'WG0'
config policy
option name 'openvpn_in_to_wg'
option src_addr '192.168.8.0/24'
option interface 'WG0'
config policy
option name 'guest_to_vpn'
option src_addr '192.168.30.1/24'
option interface 'WG0'
config policy
option src_addr '192.168.10.1/24'
option name 'iot_to_vpn'
option interface 'WG0'
config policy
option name 'iot_to_wan'
option src_addr '192.168.40.1/24'
option interface 'wan'
config policy
option name 'vpn_free'
option interface 'wan'
option src_addr '192.168.20.1/24'
config policy
option name 'transmission'
option interface 'WG0'
option src_addr '172.16.0.2/32'
config policy
option interface 'wan'
option enabled '0'
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option synflood_protect '1'
option forward 'REJECT'
option flow_offloading '1'
option flow_offloading_hw '1'
option drop_invalid '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'vpn_free'
option output 'ACCEPT'
option input 'ACCEPT'
option forward 'ACCEPT'
list network 'vpn_free'
config zone
option name 'openvpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'openvpn'
config zone
option output 'ACCEPT'
option input 'REJECT'
option forward 'REJECT'
option name 'iot_vpn_fre'
list network 'iot_vpn_free'
config zone
option name 'guest'
option output 'ACCEPT'
option input 'REJECT'
option forward 'REJECT'
list network 'guest'
config rule
option name 'Guest DNS'
option src 'guest'
option dest_port '53'
option target 'ACCEPT'
config rule
option name 'Guest DHCP'
list proto 'udp'
option src 'guest'
option dest_port '67-68'
option target 'ACCEPT'
config zone
option name 'real_guest'
option output 'ACCEPT'
option forward 'REJECT'
option input 'REJECT'
list network 'real_guest'
config rule
option name 'VPN_FREE DNS'
option src 'vpn_free'
option dest_port '53'
option target 'ACCEPT'
config rule
option name 'VPN_FREE DHCP'
list proto 'udp'
option src 'vpn_free'
option dest_port '67-68'
option target 'ACCEPT'
config rule
option name 'IOT_VPN_FREE DNS'
option dest_port '53'
option target 'ACCEPT'
option src 'iot_vpn_fre'
config rule
option name 'IOT_VPN_FREE DHCP'
list proto 'udp'
option dest_port '67-68'
option target 'ACCEPT'
option src 'iot_vpn_fre'
config rule
option name 'REAL_GUEST DNS'
option src 'real_guest'
option dest_port '53'
option target 'ACCEPT'
config rule
option name 'REAL_GUEST DHCP'
list proto 'udp'
option src 'real_guest'
option dest_port '67-68'
option target 'ACCEPT'
config zone
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option forward 'REJECT'
option input 'REJECT'
option name 'wg0'
list network 'WG0'
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option forward 'REJECT'
option input 'REJECT'
list network 'wan'
list network 'wan6'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'WOL'
option src_dport '9'
option dest_ip '192.168.1.233'
option dest_port '9'
option src 'lan'
option enabled '0'
config forwarding
option src 'guest'
option dest 'wg0'
config rule
list proto 'tcp'
option src 'wan'
option dest_port '8000'
option target 'ACCEPT'
option name 'Allow-HTTP-lighttpd'
option enabled '0'
config rule 'ovpn'
option name 'Allow-OpenVPN'
option src 'wan'
option dest_port '1194'
option proto 'tcp'
option target 'ACCEPT'
config rule
option src_port '5353'
option src '*'
option name 'Allow-mDNS'
option target 'ACCEPT'
option dest_ip '224.0.0.251'
option dest_port '5353'
option proto 'udp'
config forwarding
option src 'lan'
option dest 'wg0'
config forwarding
option src 'vpn_free'
option dest 'wan'
config forwarding
option src 'real_guest'
option dest 'wg0'
config forwarding
option src 'iot_vpn_fre'
option dest 'wan'
config rule
option name 'Allow-Transmission'
option src 'wan'
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '51413'
config rule
option name 'Allow-Transmission'
option src 'wan'
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '51413'
option dest '*'
config rule
option name 'Allow-Transmission'
option src 'wg0'
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '51413'
config rule
option name 'Allow-Transmission'
option src 'wg0'
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '51413'
option dest '*'
config forwarding
option src 'vpn_free'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'iot_vpn_fre'
config forwarding
option src 'lan'
option dest 'real_guest'
config forwarding
option src 'lan'
option dest 'vpn_free'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Transmission'
option src 'wan'
option src_dport '54606'
option dest_port '54606'
option dest_ip '192.168.20.108'
option enabled '0'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Transmission-On-Router'
option src 'wg0'
option src_dport '51413'
option dest_ip '172.16.0.2'
option dest_port '51413'
option enabled '0'
config forwarding
option src 'lan'
option dest 'wan'
config forwarding
option src 'vpn_free'
option dest 'iot_vpn_fre'
config forwarding
option src 'vpn_free'
option dest 'real_guest'
config forwarding
option src 'vpn_free'
option dest 'guest'
config forwarding
option src 'lan'
option dest 'guest'
config forwarding
option src 'openvpn'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'openvpn'
config forwarding
option src 'openvpn'
option dest 'iot_vpn_fre'
config forwarding
option src 'openvpn'
option dest 'real_guest'
config forwarding
option src 'openvpn'
option dest 'vpn_free'
config forwarding
option src 'openvpn'
option dest 'guest'
config forwarding
option src 'openvpn'
option dest 'wg0'
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/firewall.include'
egc
February 28, 2025, 11:33am
8
For my understanding, you have a WireGuard client to Cloudflare and want to run a concurrent OpenVPN server?
If the WireGuard client is the default route you can no longer connect to the OpenVPN server?
If that is the case it might be due to the fact that traffic for the OpenVPN server is coming in via the WAN and goes out via the VPN, and the firewall will not allow that.
Traffic from the OpenVPN server must be redirected to go out via the WAN.
I saw a PBR rule to do that but I noticed that does not work as intended.
For a test disable the PBR rule to route sport 1194 via the WAN but otherwise keep PBR enabled.
Add the following via SSH:
ip rule add sport 1194 table pbr_wan
I didn't mention an OpenVPN server. It is here solely for incoming connections to the router.
Problems appear on clients within all LAN networks: connections time out when the default route is enabled. When I disable it, everything works smoothly.
config interface 'WG0'
option defaultroute '1'
egc
February 28, 2025, 11:53am
10
OK, forget the OpenVPN server and do this simple test to see if the WG tunnel works:
Disable PBR
Enable default route via the WG tunnel
Reboot the router
After that lets see:
wg show
ip route show
Test from the router with:
ping 8.8.8.8
ping openwrt.org
Test from your LAN clients with:
ping 8.8.8.8
ping openwrt.org
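The test steps above can be scripted so the same checks run identically before and after every reboot, and so one extra check is included that plain ping never exercises: a DF-bit probe at the tunnel MTU. This is an added example, not code from the thread or from OpenWrt. It assumes busybox sh on OpenWrt with wireguard-tools and ip available, the interface name WG0 and target 8.8.8.8 from the posts above, and, for the MTU probe only, the iputils-ping package (busybox ping has no -M do option). The parsing functions read command output on stdin so they can also be run against captured text; the sample routes and wg dump lines in the usage note below are constructed.

```shell
#!/bin/sh
# Added example helper for the "WG tunnel as default route" test.
# Not from the thread or OpenWrt; assumes wireguard-tools, ip and iputils-ping.

# Device carrying the IPv4 default route.  Reads `ip route show` on stdin.
default_route_dev() {
    awk '$1 == "default" {
            for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }
         }'
}

# Seconds since the newest peer handshake.  Reads `wg show <iface> dump` on
# stdin (tab-separated: pubkey psk endpoint allowed-ips handshake rx tx
# keepalive); $1 is the current epoch time.  Prints -1 if no peer has ever
# completed a handshake.  With keepalive 25 s, an age well beyond ~3 minutes
# means the tunnel is dead even though `wg show` still lists the peer.
last_handshake_age() {
    awk -v now="$1" '
        NR > 1 && NF >= 5 && $5 > 0 {
            age = now - $5
            if (best == "" || age < best) best = age
        }
        END { print (best == "" ? -1 : best) }'
}

# Largest ICMP payload that fits in an IPv4 packet of $1 bytes (20 IP + 8 ICMP).
pmtu_payload() {
    echo $(( $1 - 28 ))
}

# Send a don't-fragment ping of a given total packet size out of an interface.
# Returns 0 when a reply came back, 1 otherwise.  Needs iputils ping (-M do).
probe_mtu() {
    iface="$1"; size="$2"; target="$3"
    ping -c 2 -W 2 -M do -I "$iface" -s "$(pmtu_payload "$size")" "$target" >/dev/null 2>&1
}

# Live run: default-route device, handshake age, then DF probes starting at
# the tunnel MTU (1280 in the posted config).  A reply at the tunnel MTU rules
# out a path-MTU black hole; replies only at smaller sizes point at one, which
# a default-size ping (84 bytes) never reveals.
main() {
    iface="${1:-WG0}"; target="${2:-8.8.8.8}"
    dev=$(ip route show | default_route_dev)
    echo "default route device: ${dev:-none}"
    age=$(wg show "$iface" dump | last_handshake_age "$(date +%s)")
    echo "last handshake on $iface: ${age}s ago"
    for size in 1280 1200 1000 576; do
        if probe_mtu "$iface" "$size" "$target"; then
            echo "DF probe of $size bytes via $iface: reply"
            break
        fi
        echo "DF probe of $size bytes via $iface: no reply"
    done
}

# Live checks only run when invoked as: sh wgcheck.sh run [iface] [target]
if [ "${1:-}" = "run" ]; then
    shift
    main "$@"
fi
```

Run it on the router with `sh wgcheck.sh run WG0 8.8.8.8` after each of the steps above. Fed a constructed `ip route show` line such as `default dev WG0 proto static scope link`, `default_route_dev` prints `WG0`; fed a constructed dump line whose fifth field is 100 seconds before the supplied time, `last_handshake_age` prints `100`, and `-1` when that field is `0`. The probe sizes are total packet sizes, so 1280 maps to a 1252-byte payload via `pmtu_payload`.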
egc:
ping openwrt.org
Enabled back default route through WG0
No, ping does not replicate the issue; some other method should be used to confirm it.
Some examples I can provide from when I enabled the default route back and tested with PBR both enabled and disabled:
HTTP streams start getting out of sync between sound and video.
From time to time web sites open only after several attempts. Random sites, no pattern.
Not 100% sure, but it looks like HTTP/HTTPS traffic is affected.