Help with configuration: identify the need

If layer 2 means tun0 then yes, I guess? (that's how it is in the basic configuration of openvpn server on the tuto).


Help us understand better the situation by posting the following.

# Troubleshooting snapshot of an OpenWrt router, in one paste-able block:
#   - UCI config for network, wireless, dhcp, firewall and openvpn
#   - the live IPv4/IPv6 netfilter rules with packet/byte counters
#   - the custom firewall script (/etc/firewall.user)
#   - IPv4 and IPv6 addresses, routing tables and policy rules
#   - the resolver files (last line; can be skipped if DNS already works)
# The output contains secrets: wifi keys, PPPoE passwords, OpenVPN keys and
# certificates, MAC addresses. Redact those before posting; the firewall
# rules and the OpenVPN port/proto are not sensitive.
uci show network; uci show wireless; \
uci show dhcp; uci show firewall; \
uci show openvpn; \
iptables-save -c; ip6tables-save -c; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro ; ip -4 ru; \
ip -6 addr ; ip -6 ro ; ip -6 ru; \
ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*

You may remove sensitive data like passwords, keys etc from the configs.

Thanks for taking time to help me.

That's many many lines to send, can i help by sending what could be useful? (i have to admit that i don't even know what i'm supposed to hide :sweat_smile:).

also for the firewall, wireless and network wouldn't it be preferable to send the file instead of the output?

It's my troubleshooting copy-paste post. I guess in your case if you don't use IPv6 you can omit the

ip6tables-save -c;
ip -6 addr ; ip -6 ro ; ip -6 ru; \

and if your DNS is working fine you can skip the last line.
But the rest should be pasted here.

Hide passwords (like for the pppoe), wifi keys, openvpn keys and certificates, mac addresses.

ok then i think i have everything :

uci show network

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fda3:3459:8a77::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan_eth0_1_dev=device
network.lan_eth0_1_dev.name='eth0.1'
network.lan_eth0_1_dev.macaddr=XXXXXXXXXXXXX
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='2 3 6t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='1 6t'

uci show wireless

wireless.radio0=wifi-device
wireless.radio0.type='mac80211'
wireless.radio0.channel='11'
wireless.radio0.hwmode='11g'
wireless.radio0.path='pci0000:00/0000:00:00.0/0000:01:00.0'
wireless.radio0.htmode='HT20'
wireless.default_radio0=wifi-iface
wireless.default_radio0.device='radio0'
wireless.default_radio0.network='lan'
wireless.default_radio0.mode='ap'
wireless.default_radio0.ssid=NAME
wireless.default_radio0.encryption='sae-mixed'
wireless.default_radio0.wpa_disable_eapol_key_retries='1'
wireless.default_radio0.ieee80211w='1'
wireless.default_radio0.hidden='1'
wireless.default_radio0.key=KEY
wireless.radio1=wifi-device
wireless.radio1.type='mac80211'
wireless.radio1.channel='36'
wireless.radio1.hwmode='11a'
wireless.radio1.path='pci0000:00/0000:00:01.0/0000:02:00.0'
wireless.radio1.htmode='VHT80'
wireless.default_radio1=wifi-iface
wireless.default_radio1.device='radio1'
wireless.default_radio1.network='lan'
wireless.default_radio1.mode='ap'
wireless.default_radio1.ssid=NAME
wireless.default_radio1.encryption='sae-mixed'
wireless.default_radio1.wpa_disable_eapol_key_retries='1'
wireless.default_radio1.ieee80211w='1'
wireless.default_radio1.hidden='1'
wireless.default_radio1.key=KEY

uci show dhcp

dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].nonegcache='0'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'

uci show firewall

firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.network='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.lan.device='tun0'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.network='wan' 'wan6'
firewall.wan.input='REJECT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.lan_wan=forwarding
firewall.lan_wan.src='lan'
firewall.lan_wan.dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.ovpn=rule
firewall.ovpn.name='Allow-OpenVPN'
firewall.ovpn.src='wan'
firewall.ovpn.dest_port=XXXXXXXXXXXXX
firewall.ovpn.proto=XXXXXXXXXXXXX
firewall.ovpn.target='ACCEPT'

uci show openvpn

openvpn.custom_config=openvpn
openvpn.custom_config.enabled='0'
openvpn.custom_config.config=XXXXXXXXXXXXX
openvpn.sample_server=openvpn
openvpn.sample_server.enabled='0'
openvpn.sample_server.port=XXXXXXXXXXXXX
openvpn.sample_server.proto=XXXXXXXXXXXXX
openvpn.sample_server.dev='tun'
openvpn.sample_server.ca=XXXXXXXXXXXXX
openvpn.sample_server.cert=XXXXXXXXXXXXX
openvpn.sample_server.key=XXXXXXXXXXXXX
openvpn.sample_server.dh=XXXXXXXXXXXXX
openvpn.sample_server.server='10.8.0.0 255.255.255.0'
openvpn.sample_server.ifconfig_pool_persist='/tmp/ipp.txt'
openvpn.sample_server.keepalive='10 120'
openvpn.sample_server.compress='lzo'
openvpn.sample_server.persist_key='1'
openvpn.sample_server.persist_tun='1'
openvpn.sample_server.user='nobody'
openvpn.sample_server.status='/tmp/openvpn-status.log'
openvpn.sample_server.verb='3'
openvpn.sample_client=openvpn
openvpn.sample_client.enabled='0'
openvpn.sample_client.client='1'
openvpn.sample_client.dev='tun'
openvpn.sample_client.proto='udp'
openvpn.sample_client.remote=XXXXXXXXXXXXX
openvpn.sample_client.resolv_retry='infinite'
openvpn.sample_client.nobind='1'
openvpn.sample_client.persist_key='1'
openvpn.sample_client.persist_tun='1'
openvpn.sample_client.user='nobody'
openvpn.sample_client.ca=XXXXXXXXXXXXX
openvpn.sample_client.cert=XXXXXXXXXXXXX
openvpn.sample_client.key=XXXXXXXXXXXXX
openvpn.sample_client.compress='lzo'
openvpn.sample_client.verb='3'

iptables-save -c

# Generated by iptables-save v1.8.3 on Wed Feb 19 15:56:27 2020
*nat
:PREROUTING ACCEPT [113634:17106587]
:INPUT ACCEPT [2907:191090]
:OUTPUT ACCEPT [2873:196515]
:POSTROUTING ACCEPT [270:19207]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[113634:17106587] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[5510:1045012] -A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_lan_prerouting
[1982:441660] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[106142:15619915] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[6535:1356274] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_lan_postrouting
[7:2016] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[6265:1337067] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[7:2016] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[7492:1486672] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[6265:1337067] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[6265:1337067] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[106142:15619915] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Wed Feb 19 15:56:27 2020
# Generated by iptables-save v1.8.3 on Wed Feb 19 15:56:27 2020
*raw
:PREROUTING ACCEPT [1094532:1010596591]
:OUTPUT ACCEPT [185107:150198665]
:zone_lan_helper - [0:0]
[136472:26101447] -A PREROUTING -i tun0 -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
[120627:11493844] -A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
COMMIT
# Completed on Wed Feb 19 15:56:27 2020
# Generated by iptables-save v1.8.3 on Wed Feb 19 15:56:27 2020
*mangle
:PREROUTING ACCEPT [1094532:1010596591]
:INPUT ACCEPT [218134:39224955]
:FORWARD ACCEPT [833825:959421402]
:OUTPUT ACCEPT [185112:150200269]
:POSTROUTING ACCEPT [1018815:1109615961]
[2798:149056] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Feb 19 15:56:27 2020
# Generated by iptables-save v1.8.3 on Wed Feb 19 15:56:27 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[1157:91671] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[216977:39133284] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[147305:35047296] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[271:14092] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[2875:190980] -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_lan_input
[330:21858] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[66467:3873150] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[833825:959421402] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[829350:957944883] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[3222:1059802] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_lan_forward
[1253:416717] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[1157:91671] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[183955:150108598] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[181181:149917163] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_lan_output
[14:4312] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[2760:187123] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[44:2476] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[64492:3805036] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[271:14092] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_lan_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
[14:4312] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[4475:1476519] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[4475:1476519] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[3205:212838] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[3205:212838] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[14:4312] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[14:4312] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[2875:190980] -A zone_lan_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[330:21858] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[122:5710] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[7113:1657932] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[66467:3873150] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[7:2541] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[1900:60800] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[24:2297] -A zone_wan_input -p XXXXXXXXXXXXX -m XXXXXXXXXXXXX --dport XXXXXXXXXXXXX -m comment --comment "!fw3: Allow-OpenVPN" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[64536:3807512] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[2760:187123] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[2760:187123] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[64536:3807512] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed Feb 19 15:56:27 2020

head -n -0 /etc/firewall.user

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

ip -4 addr ; ip -4 ro ; ip -4 ru

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
12: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
14: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.4.24/24 brd 192.168.4.255 scope global eth0.2
       valid_lft forever preferred_lft forever
17: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    inet 192.168.8.1/24 brd 192.168.8.255 scope global tun0
       valid_lft forever preferred_lft forever
default via 192.168.4.1 dev eth0.2  src 192.168.4.24
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
192.168.4.0/24 dev eth0.2 scope link  src 192.168.4.24
192.168.8.0/24 dev tun0 scope link  src 192.168.8.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

If I forgot a command or forgot to censor something, please tell me and thank you in advance !

Ok you overdid it with censorship. In the firewall section you don't need to cover anything.
Also you don't need to cover the openvpn proto, port
Other than that, I see it fine, however all OpenVPN instances are disabled in the config. Maybe you are running them manually?

Access from the OpenVPN will work as it is part of the lan firewall zone. Make sure the OpenVPN port is forwarded from the router of the provider to the OpenWrt.
As for access from the wan, do you mean that you have some devices connected directly to the router of the provider? Then you need to think if you really need the wan zone, since both lan and wan are considered inside/green/friendly zones. Keeping it like this adds extra difficulty to your setup.
If I were you I would either

  1. Keep zone wan and connect all hosts on mir3g lan. Then wan would be the outside/red/hostile zone and a 1:1 NAT would be needed on the router of the provider.
  2. Remove completely or bridge the router of the provider, then have mir3g have the connection with the provider.
  3. Make mir3g dumbAP and just add the OpenVPN there.

concur... also... did you say that you've opened the port on the provider router too? ( ok just saw trendy mentions this also ) didn't find that anywhere... and it's probably the first thing you have to do after the vpn-server script... ( so yeah... advise to reset and start again... )

Also clearly state what your CURRENT issue is after repeating a server setup from scratch, with the appropriate fw/forwards in place on the provider router...

I think not, but after a reboot the server is still accessible.

For the rest of your message,
The provider router is the main one but our house (i live with my parents) is quite big and i can't connect to the main router from my bedroom so i put an rj45 cable from a lan port of the provider's router to the wan port of my openwrt. my family keeps connecting to the provider's one.

Unfortunately I can't do anything on the provider's router except some port-forwarding which was done in order to connect to the openvpn server.


After a clean reset of the router, all is set up: i can connect to the openvpn server hosted on openwrt (i did a port-forward from the provider's router to the openwrt one). all is fine except i can't ping a device that is connected to the openwrt router.

I'm able to ping 192.168.1.1, all the devices on the provider's router network and all the devices connected to the OpenVPN server.

Provider's router is on 192.168.4.X
Openwrt on 192.168.1.X
OpenVPN on 192.168.8.X

I just want to be able to ping/access a 192.168.1.X device from an OpenVPN connection.

I hope i'm understandable (English isn't my native language).


excellent... this means you're almost there :slight_smile:

please post your full openvpn server settings ( no keys )... and firewall > vpn zone + forwarding rules only... ( and take note that random devices on 192.168.1.x may not respond to pings )... bonus points if you paste the routing table of a connected client... relevance...

Ok, so here is the server.config :

# OpenVPN server config as posted: port, proto and all PEM blocks redacted.
verb 3
# Run as an unprivileged user after start-up. persist-tun/persist-key (below)
# keep the tun device and key material usable across restarts once root
# privileges are gone.
user nobody
group nogroup
dev tun0
port XX
proto XX
# Client address pool 192.168.8.0/24; the server itself sits on 192.168.8.1
# (matches the tun0 address shown in the 'ip -4 addr' output above).
server 192.168.8.0 255.255.255.0
topology subnet
# Let VPN clients reach each other through the server.
client-to-client
keepalive 10 120
persist-tun
persist-key
# Pushed to clients: use the router (192.168.8.1) as DNS for the 'lan'
# domain and send ALL client traffic through the tunnel (def1 = override the
# default route without deleting it).
push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
# Inline PEM material, contents stripped for the post. <dh>, <ca> and <cert>
# are public; <tls-crypt> (control-channel key) and <key> (server private
# key) are secrets and stay redacted.
<dh>
-----BEGIN DH PARAMETERS-----
-----END DH PARAMETERS-----
</dh>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-crypt>
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>

and here is the firewall file :


# /etc/config/firewall as posted (OpenWrt fw3). Only the OpenVPN rule's
# port/proto were redacted by the poster.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	# Traffic between zones is rejected unless a 'forwarding' section or a
	# rule explicitly allows it.
	option forward 'REJECT'

# The lan zone covers the 'lan' network (br-lan) AND the tun0 device, so
# OpenVPN clients are handled exactly like wired/wireless LAN hosts: input,
# output and forward are all ACCEPT, including tun0 <-> br-lan forwarding.
config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun0'

# Upstream (provider-router) side: unsolicited inbound traffic is rejected,
# outbound traffic is masqueraded behind the wan address, and TCP MSS is
# clamped to the path MTU.
config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# lan (which includes tun0) may open connections towards wan; the reverse
# direction is not allowed here.
config forwarding 'lan_wan'
	option src 'lan'
	option dest 'wan'

# The rules below look like the stock OpenWrt defaults (DHCP renew, ping,
# IGMP/MLD, ICMPv6, IPsec pass-through); nothing here is specific to this setup.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# IPsec pass-through from wan into lan (ESP + IKE/ISAKMP on udp/500).
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Custom iptables script, run on every firewall (re)start; it is empty apart
# from comments in this setup.
config include
	option path '/etc/firewall.user'

# Opens the OpenVPN listening port on the wan side (port/proto redacted by
# the poster). This is what lets the port-forward from the provider router
# reach the server.
config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port XX
	option proto XX
	option target 'ACCEPT'

Is this all you wanted or did i forget something?


Then I think it would be simpler to just make the mir3g a dumbAP+OpenVPN server. You have already done the OVPN server part, so follow the dumbAP guide with a few remarks: Keep firewall activated, masquerade on the lan firewall zone, and fix the address you had in wan on lan.

Ok thanks i'm going to follow the guide, do you know which step1 i have to follow ?

And so i have to skip the step 5 but what do i need to do for this :

?

It's this one:
image
For the address change the lan IP to 192.168.4.24/24 or switch the protocol to dhcp. (better the 1st).

Do you have the uci command please ?

uci set firewall.lan.masq=1

Ok so after step 1&2 i would have to do :

# Dumb-AP conversion steps (after the switch/VLAN and wifi changes).
# 1. Masquerade on the lan zone: once the provider-facing address lives on
#    lan, traffic from lan hosts and tun0 is NATed behind it.
uci set firewall.lan.masq=1
uci commit firewall
/etc/init.d/firewall restart


# 2. Stop handing out DHCP leases on lan and turn dnsmasq off, so the
#    provider router remains the only DHCP/DNS server on the flat network.
#    NOTE(review): dnsmasq on this router is also the DNS the OpenVPN server
#    pushes to clients ('dhcp-option DNS 192.168.8.1'); with it stopped, VPN
#    clients will have no resolver unless that pushed option is changed --
#    confirm before disabling.
uci set dhcp.lan.ignore=1
uci commit dhcp
/etc/init.d/dnsmasq restart
/etc/init.d/dnsmasq disable
/etc/init.d/dnsmasq stop
# 3. Same for DHCPv6 / router advertisements (odhcpd). A bare 'uci commit'
#    writes every pending change in every config, not only dhcp.
uci set dhcp.lan.dhcpv6=disabled
uci set dhcp.lan.ra=disabled
uci commit
/etc/init.d/odhcpd disable
/etc/init.d/odhcpd stop
/etc/init.d/network reload

Now i just need to understand step 1&2 :sweat_smile:

Step 1 is isolating the soon-to-be-dumbAP from the existing network.
You need to move the wan port from vlan2 to vlan1, so from this:
network.@switch_vlan[0].ports='2 3 6t'
you should have
network.@switch_vlan[0].ports='1 2 3 6t'
and delete vlan2.
Step 2 is configuring the wifi.

ok for step 1 i think i will be good (not at home for the moment).

for step 2 currently my wireless config is :

# /etc/config/wireless as posted (SSID and key redacted). Both APs attach to
# the 'lan' network, which is what the dumb-AP setup needs.
# 2.4 GHz radio (hwmode 11g, HT20, channel 11).
config wifi-device 'radio0'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
        option htmode 'HT20'

# AP on radio0. sae-mixed = WPA2-PSK / WPA3-SAE transition mode; ieee80211w
# '1' makes management-frame protection optional (needed so WPA2 clients can
# still join); wpa_disable_eapol_key_retries is the KRACK mitigation option.
# 'hidden' only suppresses the SSID in beacons -- it is not access control.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid XXX
        option encryption 'sae-mixed'
        option wpa_disable_eapol_key_retries '1'
        option ieee80211w '1'
        option hidden '1'
        option key XXX

# 5 GHz radio (hwmode 11a, VHT80, channel 36).
config wifi-device 'radio1'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:01.0/0000:02:00.0'
        option htmode 'VHT80'

# AP on radio1, same security settings as radio0.
config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid XXX
        option encryption 'sae-mixed'
        option wpa_disable_eapol_key_retries '1'
        option ieee80211w '1'
        option hidden '1'
        option key XXX

I don't think there is anything that needs to be changed, am i wrong?

If the interface name is still LAN, then you are good.

fantastic, i'll try it at lunch (in 3hours) and tell you if all is good or not ^^.
