mat
April 26, 2018, 12:09pm
1
I have installed OpenVPN, which is working if I only want to talk to the router. To talk to the LAN devices I need to set up zone forwarding, so I added the following to /etc/config/firewall:
config forwarding
option dest 'lan'
option src 'vpnserver'
config forwarding
option dest 'vpnserver'
option src 'lan'
I thought that this should allow the vpnserver to forward to the lan and the opposite. It didn't work, and looking at the iptables rules, although it has added some new chains for forwarding, they are never referenced. So the forwarding from the vpnserver zone to the lan zone is not happening.
Is there something else I need to do to enable this, or am I missing the point of zones?
Cheers Mat.
jow
April 26, 2018, 1:22pm
2
How is your vpnserver zone defined?
mat
April 26, 2018, 1:38pm
3
The zones in question are below:
config zone
option name 'vpnserver'
option input 'ACCEPT'
option output 'ACCEPT'
option network 'vpnserver'
option forward 'ACCEPT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
jow
April 26, 2018, 1:40pm
4
How is the vpnserver network (config interface vpnserver in /etc/config/network) defined?
mat
April 26, 2018, 1:55pm
5
For the networks I'm trying to forward across:
config interface 'lan'
option type 'bridge'
option ifname 'eth0'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ipv6 '0'
config interface 'vpnserver'
option proto 'none'
option ifname 'ovpns0'
option auto '1'
jow
April 26, 2018, 1:59pm
6
Do you see any references to ovpns0 in iptables-save | grep ovpns0? What is reported by ifstatus vpnserver?
mat
April 26, 2018, 2:07pm
7
ifstatus vpnserver, fails:
Interface vpnserver not found
iptables-save | grep ovpns0, fails, there are no results.
jow
April 26, 2018, 2:09pm
8
Maybe try an ifup -a to apply your network config and check for syntax errors with uci show network >/dev/null
mat
April 26, 2018, 2:12pm
9
Some files for investigations:
iptables-save
# Generated by iptables-save v1.4.21 on Thu Apr 26 15:03:47 2018
*nat
:PREROUTING ACCEPT [748:236397]
:INPUT ACCEPT [569:223246]
:OUTPUT ACCEPT [155:11237]
:POSTROUTING ACCEPT [6:578]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpnserver_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpnserver_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpnserver_postrouting - [0:0]
:zone_vpnserver_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -p tcp -m mac --mac-source 78:E4:00:B6:9D:DF -m recent --rcheck --hitcount 1 --name lexie_counter --mask 255.255.255.255 --rsource -m tcp --dport 80 -j DNAT --to-destination 192.168.1.50
-A PREROUTING -m comment --comment "!fw3: user chain for prerouting" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: user chain for postrouting" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
-A MINIUPNPD -p tcp -m tcp --dport 27587 -j DNAT --to-destination 192.168.1.50:32400
-A MINIUPNPD-POSTROUTING -s 192.168.1.50/32 -p tcp -m tcp --sport 32400 -j MASQUERADE --to-ports 27587
-A zone_lan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_lan_rule
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.1/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: SSH (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.50/32 -p tcp -m tcp --dport 7890 -m comment --comment "!fw3: Soccer-Red (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_lan_rule
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.188.75/32 -p tcp -m tcp --dport 1022 -m comment --comment "!fw3: SSH (reflection)" -j DNAT --to-destination 192.168.1.1:22
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.188.75/32 -p tcp -m tcp --dport 7890 -m comment --comment "!fw3: Soccer-Red (reflection)" -j DNAT --to-destination 192.168.1.50:7890
-A zone_vpnserver_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_vpnserver_rule
-A zone_vpnserver_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_vpnserver_rule
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -j MINIUPNPD
-A zone_wan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp --dport 1022 -m comment --comment "!fw3: SSH" -j DNAT --to-destination 192.168.1.1:22
-A zone_wan_prerouting -p tcp -m tcp --dport 7890 -m comment --comment "!fw3: Soccer-Red" -j DNAT --to-destination 192.168.1.50:7890
COMMIT
# Completed on Thu Apr 26 15:03:47 2018
# Generated by iptables-save v1.4.21 on Thu Apr 26 15:03:47 2018
*mangle
:PREROUTING ACCEPT [14069:5784402]
:INPUT ACCEPT [3626:1345264]
:FORWARD ACCEPT [10420:4436608]
:OUTPUT ACCEPT [2625:734828]
:POSTROUTING ACCEPT [13037:5171020]
-A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Apr 26 15:03:47 2018
# Generated by iptables-save v1.4.21 on Thu Apr 26 15:03:47 2018
*filter
:INPUT ACCEPT [1:52]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpnserver_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpnserver_rule - [0:0]
:input_wan_rule - [0:0]
:lexie - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpnserver_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpnserver_dest_ACCEPT - [0:0]
:zone_vpnserver_forward - [0:0]
:zone_vpnserver_input - [0:0]
:zone_vpnserver_output - [0:0]
:zone_vpnserver_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_DROP - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: user chain for input" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN-Inbound" -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN-Inbound" -j ACCEPT
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m mac --mac-source 78:E4:00:B6:9D:DF -j lexie
-A FORWARD -m comment --comment "!fw3: user chain for forwarding" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: user chain for output" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
-A MINIUPNPD -d 192.168.1.50/32 -p tcp -m tcp --dport 32400 -j ACCEPT
-A lexie -m limit --limit 1/min --limit-burst 1 -m recent --set --name lexie_counter --mask 255.255.255.255 --rsource
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> vpnserver" -j zone_vpnserver_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: user chain for input" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: user chain for output" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_vpnserver_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_vpnserver_rule
-A zone_vpnserver_forward -m comment --comment "!fw3: forwarding vpnserver -> lan" -j zone_lan_dest_ACCEPT
-A zone_vpnserver_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_vpnserver_forward -m comment --comment "!fw3" -j zone_vpnserver_dest_ACCEPT
-A zone_vpnserver_input -m comment --comment "!fw3: user chain for input" -j input_vpnserver_rule
-A zone_vpnserver_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_vpnserver_input -m comment --comment "!fw3" -j zone_vpnserver_src_ACCEPT
-A zone_vpnserver_output -m comment --comment "!fw3: user chain for output" -j output_vpnserver_rule
-A zone_vpnserver_output -m comment --comment "!fw3" -j zone_vpnserver_dest_ACCEPT
-A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: user chain for input" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_DROP
-A zone_wan_output -m comment --comment "!fw3: user chain for output" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_DROP -i eth1 -m comment --comment "!fw3" -j DROP
COMMIT
# Completed on Thu Apr 26 15:03:47 2018
/etc/config/firewall
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option input 'DROP'
config forwarding
option src 'lan'
option dest 'wan'
config include
option path '/etc/firewall.user'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '1022'
option dest_ip '192.168.1.1'
option dest_port '22'
option name 'SSH'
config rule
option name 'Allow-OpenVPN-Inbound'
option target 'ACCEPT'
option src '*'
option proto 'tcpudp'
option dest_port '1194'
config zone
option name 'vpnserver'
option input 'ACCEPT'
option output 'ACCEPT'
option network 'vpnserver'
option forward 'ACCEPT'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '7890'
option dest_port '7890'
option name 'Soccer-Red'
option dest_ip '192.168.1.50'
config forwarding
option dest 'lan'
option src 'vpnserver'
config forwarding
option dest 'vpnserver'
option src 'lan'
/etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'auto'
config interface 'lan'
option type 'bridge'
option ifname 'eth0'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth1'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 5'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6'
ifconfig
br-lan Link encap:Ethernet HWaddr 5A:EF:68:A5:FB:BA
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::58ef:68ff:fea5:fbba/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8522 errors:0 dropped:0 overruns:0 frame:0
TX packets:8064 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4957073 (4.7 MiB) TX bytes:1993587 (1.9 MiB)
eth0 Link encap:Ethernet HWaddr 5A:EF:68:A5:FB:BA
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:11253 errors:0 dropped:0 overruns:0 frame:0
TX packets:12661 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:532
RX bytes:5285859 (5.0 MiB) TX bytes:2853266 (2.7 MiB)
Interrupt:35
eth1 Link encap:Ethernet HWaddr 58:EF:68:A5:FB:BA
inet addr:192.168.188.75 Bcast:192.168.188.255 Mask:255.255.255.0
inet6 addr: fe80::5aef:68ff:fea5:fbba/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8301 errors:0 dropped:0 overruns:0 frame:0
TX packets:7325 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:532
RX bytes:2270377 (2.1 MiB) TX bytes:4679826 (4.4 MiB)
Interrupt:37
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:32 errors:0 dropped:0 overruns:0 frame:0
TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:2883 (2.8 KiB) TX bytes:2883 (2.8 KiB)
ovpns0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.200.1 P-t-P:192.168.200.1 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:832 errors:0 dropped:0 overruns:0 frame:0
TX packets:518 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:62181 (60.7 KiB) TX bytes:87482 (85.4 KiB)
wlan0 Link encap:Ethernet HWaddr 5A:EF:68:A5:FB:BC
inet6 addr: fe80::58ef:68ff:fea5:fbbc/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2083 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:713119 (696.4 KiB)
wlan1 Link encap:Ethernet HWaddr 5A:EF:68:A5:FB:BB
inet6 addr: fe80::58ef:68ff:fea5:fbbb/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5765 errors:0 dropped:0 overruns:0 frame:0
TX packets:5953 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1234289 (1.1 MiB) TX bytes:1502227 (1.4 MiB)
mat
April 26, 2018, 2:15pm
10
No errors from either ifup -a or uci show network. Although there is nothing in uci show network about the vpn interface?
uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='auto'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.wan=interface
network.wan.ifname='eth1'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.ifname='eth1'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='0 1 2 3 5'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='4 6'
jow
April 26, 2018, 2:47pm
11
Your /etc/config/network indeed contains no trace of the vpnserver interface. You can bypass /etc/config/network entirely though and change your firewall zone declaration from option network vpnserver to option device ovpns0 - this way it will bypass netifd and use the interface directly.
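As an added example (not part of the original thread and not OpenWrt's own tooling), the two symptoms diagnosed above can be checked offline with POSIX sh and awk: zone chains that fw3 declared but that nothing jumps to, and firewall zones whose network has no matching config interface section. The function names and the reduced sample input are constructed for illustration.

```shell
# Added example: offline checks for a fw3 zone that was created but never
# bound to a device. Function names are hypothetical, not OpenWrt commands.

# stdin: iptables-save output. Prints zone_*_{input,output,forward} chains
# that are declared but never the target of a -j, so no packet reaches them.
unreferenced_zone_chains() {
    awk '
        /^:zone_.*_(input|output|forward) / { declared[substr($1, 2)] = 1 }
        /^-A / { for (i = 3; i < NF; i++) if ($i == "-j") target[$(i + 1)] = 1 }
        END { for (c in declared) if (!(c in target)) print c }
    ' | sort
}

# $1: firewall config, $2: network config. Prints "<zone> <network>" for each
# zone network that has no "config interface" section in the network file.
zones_without_interface() {
    awk '
        function clean(s) { gsub(/[^A-Za-z0-9_ ]/, "", s); return s }
        function emit(   i, n, parts) {
            if (pass == 2 && sect == "zone") {
                n = split(nets, parts, " ")
                for (i = 1; i <= n; i++)
                    if (!(parts[i] in iface)) print zname, parts[i]
            }
            sect = ""; zname = ""; nets = ""
        }
        $1 == "config" {
            emit(); sect = $2
            if (pass == 1 && sect == "interface") iface[clean($3)] = 1
            next
        }
        pass == 2 && sect == "zone" && ($2 == "name" || $2 == "network") {
            val = $0; sub(/^[ \t]*[a-z]+[ \t]+[a-z]+[ \t]+/, "", val)
            if ($2 == "name") zname = clean(val)
            else nets = nets " " clean(val)
        }
        END { emit() }
    ' pass=1 "$2" pass=2 "$1"
}

# Constructed sample input, reduced from the dumps posted in this thread.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/ipt" <<'EOF'
:zone_lan_forward - [0:0]
:zone_vpnserver_forward - [0:0]
:zone_vpnserver_input - [0:0]
:zone_vpnserver_src_ACCEPT - [0:0]
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A zone_vpnserver_input -m comment --comment "!fw3" -j zone_vpnserver_src_ACCEPT
EOF
cat > "$tmp/firewall" <<'EOF'
config zone
    option name 'lan'
    list network 'lan'
config zone
    option name 'vpnserver'
    option network 'vpnserver'
EOF
cat > "$tmp/network" <<'EOF'
config interface 'lan'
    option ifname 'eth0'
EOF
unreferenced_zone_chains < "$tmp/ipt"
zones_without_interface "$tmp/firewall" "$tmp/network"
```

On a router the first function can be fed live data with `iptables-save | unreferenced_zone_chains`, and the second takes /etc/config/firewall and /etc/config/network as its arguments.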
mat
April 27, 2018, 10:06am
12
I have this working now. In the end I purged from the config files anything to do with OpenVPN and started again. In my first run through I must have missed something or made a typo...
Anyway thanks for the help.