Enable a second interface on diff subnet

Hello again,

In need of some pointers, as once again going around in circles.

Desired outcome: Access rPI 4B from a different subnet so that I don't have to change wifi networks and can hide the VPN SSID

Current situation: Following some great guidance from @psherman in this thread rpi-vpn-usg, I got the VPN working but started to run into some DNS and DHCP issues, so I moved the VPN to its own VLAN (192.168.3.0) on my USG and configured a port on my switch for the VPN VLAN. All works great!

Problem: I have tried various configs, including setting up a vlan on the single LAN interface with a 192.168.1.4 address. This is fine, but the issue moves to the USG, whereby I have run out of ideas for firewall rules and port profiles to allow access. Thus, I decided to re-add my (now) spare USB-Ethernet to the Pi and connect it to the switch.

This also works great, as I can achieve the 'desired outcome', but this knocks out the VPN as soon as the new LAN1 gets connected; syslog says it cannot resolve the VPN address. After making numerous changes to exclude LAN1 from PBR, dnsmasq, etc., and then restarting the LAN interface, it all works, including the VPN (but with DNS leaks).

However, if I reboot the Pi, the VPN won't start as it can't resolve the VPN address.

Alternate attempts: In the config files attached, you'll see I created a bridge interface for LAN1, defined as br-lan_only and specified eth1. And here is where I go in circles...

My thinking is that somehow I need to specify that tun0 is only associated with eth0. As you'll see, I have tried that, but the same problem(s) continue.

I've searched and searched online for potential solutions, but none seem to work with my setup, or if they do, then the VPN has DNS leaks which the overseas TV networks detect and block me. Hoping the community can provide some pointers/guidance to help resolve this.

NETWORK:
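# /etc/config/network — two static IPv4 interfaces, each on its own bridge.
# Both interfaces declare a default gateway, so each needs a distinct metric;
# otherwise two equal-cost default routes compete and which one is actually
# installed depends on interface bring-up order at boot.
config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option ula_prefix 'fd98:b5b9:9ffb::/48'

# VPN-side LAN (192.168.3.0/24) on eth0 via br-lan.
# peerdns is off on both interfaces, so the two servers listed here are the
# only resolvers the system gets; the tunnel endpoint name is resolved through
# whichever default route is active, so this interface must own that route.
config interface 'lan'
	option proto 'static'
	option device 'br-lan'
	option ipaddr '192.168.3.4'
	option netmask '255.255.255.0'
	option gateway '192.168.3.1'
	# Lowest metric wins: this stays the preferred default route.
	option metric '10'
	option peerdns '0'
	list dns '85.203.37.1'
	list dns '85.203.37.2'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	option ipv6 '0'

# Management-only LAN (192.168.1.0/24) on the USB adapter eth1 via br-lan_only.
# Hosts on 192.168.1.0/24 are directly connected, so reaching the Pi from that
# subnet does not depend on this gateway; it is kept only as a fallback route.
config interface 'lan_only'
	option proto 'static'
	option device 'br-lan_only'
	option ipaddr '192.168.1.4'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	# Higher metric than 'lan' so this default route is only used if 'lan' is down.
	option metric '20'
	option peerdns '0'

config device
	option name 'br-lan_only'
	option type 'bridge'
	list ports 'eth1'
	option ipv6 '0'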
FIREWALL
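# /etc/config/firewall (fw4). Zones: 'lan' = VPN-side LAN on br-lan,
# 'vpn' = the tunnel device tun0, 'lan_only' = management LAN on br-lan_only.
config defaults
	# Router-level policy; note input is ACCEPT for anything not in a zone.
	option output 'ACCEPT'
	option synflood_protect '1'
	option input 'ACCEPT'
	option forward 'DROP'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option family 'ipv4'
	list network 'lan'
	list device 'br-lan'
	# eth0 is a port of br-lan; listing it as well is redundant but harmless.
	list device 'eth0'
	# tun0 is intentionally not listed here: it is the 'vpn' zone's device below.
	# The same device in two zones makes zone membership (and so masq and
	# forwarding) order-dependent; lan -> vpn traffic is allowed by the
	# 'forwarding' section instead.

# Tunnel zone: nothing may enter or be forwarded from it; LAN traffic leaving
# through it is source-NATed to the tunnel address.
config zone 'vpn'
	option name 'vpn'
	option output 'ACCEPT'
	list device 'tun0'
	option masq '1'
	option input 'DROP'
	option forward 'DROP'
	option family 'ipv4'

# Legacy fw3-style include. NOTE(review): fw4 only honours includes declared
# with 'type script' and 'fw4_compatible 1' (as the pbr include below is);
# confirm this file is actually loaded, or its rules are silently absent.
config include
	option path '/etc/firewall.user'

# Redirect every LAN client's DNS (except the Pi's own) to the Pi's resolver,
# so clients cannot bypass the VPN resolver with a hard-coded server.
config redirect
	option target 'DNAT'
	option name 'Intercept-DNS'
	option src 'lan'
	option src_dport '53'
	option src_ip '!192.168.3.4'
	option dest 'lan'
	option dest_ip '192.168.3.4'
	option dest_port '53'

# Hairpin NAT so redirected replies appear to come from the server the client
# originally asked.
config nat
	option name 'Prevent hardcoded DNS clients from giving unexpected source error after DNS redirected to .4'
	list proto 'tcp'
	list proto 'udp'
	option src 'lan'
	option dest_ip '192.168.3.4'
	option dest_port '53'
	option target 'MASQUERADE'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

# Only lan -> vpn is forwarded; there is no forwarding to or from lan_only.
config forwarding
	option src 'lan'
	option dest 'vpn'

config rule
	list proto 'icmp'
	option name 'Block-Ping'
	option family 'ipv4'
	option src 'vpn'
	option target 'DROP'
	list icmp_type 'echo-request'

# Management zone: accepts connections to the Pi but rejects anything the Pi
# itself originates towards 192.168.1.0/24 (replies to accepted connections
# are still allowed by conntrack). If the system default route ever lands on
# eth1, the Pi's own outbound DNS and VPN-endpoint traffic is rejected here,
# which would match a "cannot resolve VPN address" symptom after boot.
config zone 'lan_only'
	option name 'lan_only'
	option input 'ACCEPT'
	option output 'REJECT'
	option forward 'REJECT'
	list network 'lan_only'
	list device 'br-lan_only'
	# eth1 is a port of br-lan_only; listing it separately is redundant.
	list device 'eth1'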
DHCP:
# /etc/config/dhcp — dnsmasq serves DNS on the VPN-side LAN only; DHCP is
# disabled everywhere (the upstream router hands out leases).
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	# Refuse upstream answers that point at private addresses (anti-rebind).
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	# Ignore /etc/resolv.conf; only the 'server' entries below are used upstream.
	option noresolv '1'
	# Answer only queries from directly attached subnets.
	option localservice '1'
	option confdir '/etc/dnsmasq.d'
	# Every query is logged; useful for spotting leaks, noisy on a long-running box.
	option logqueries '1'
	option authoritative '1'
	option cachesize '1000'
	list server '85.203.37.1'
	list server '85.203.37.2'
	# Listen on the VPN-side LAN only; the management LAN gets no resolver.
	list interface 'lan'
	list notinterface 'lan_only'

# DHCPv4 is declared but ignored on 'lan', so the Pi never hands out leases.
config dhcp 'lan'
	option interface 'lan'
	option dhcpv4 'server'
	option ignore '1'
	option ra_management '1'
	option start '200'
	option limit '50'
	option leasetime '12h'
	option dynamicdhcp '0'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
PBR:
# /etc/config/pbr — policy-based routing. Only 'lan' is a supported interface;
# 'lan_only' is explicitly ignored so the management LAN is never routed over
# the tunnel. Both per-host policies below are currently disabled.
config pbr 'config'
	option verbosity '2'
	# With strict enforcement, a policy whose interface is down drops its
	# traffic rather than falling back to the default route.
	option strict_enforcement '1'
	option src_ipset '0'
	option dest_ipset '0'
	option ipv6_enabled '0'
	# Seconds to wait at boot for interfaces before applying policies.
	option boot_timeout '30'
	option procd_reload_delay '1'
	option webui_protocol_column '0'
	option webui_chain_column '0'
	option webui_show_ignore_target '0'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	option webui_enable_column '1'
	option rule_create_option 'insert'
	# No resolver set: policies match only literal addresses, not domain names.
	option resolver_set 'none'
	list supported_interface 'lan'
	option enabled '1'
	list ignored_interface 'lan_only'

# Disabled: would route the laptop (192.168.3.6) via 'lan'.
config policy
	option interface 'lan'
	option name 'Laptop'
	option src_addr '192.168.3.6'
	option enabled '0'

# Disabled: would route the TV (192.168.3.7) via 'lan'.
config policy
	option name 'TV'
	option interface 'lan'
	option src_addr '192.168.3.7'
	option enabled '0'