After doing this, my clients (connected to the router, wired or wireless) lost access to the internet, and the VPN stopped working as well. To make things work again I had to set 192.168.1.1/0 with the chain set to OUTPUT, but the VPN still would not connect with the OUTPUT chain, so I changed it to FORWARD, and now it works.
OUTPUT is set to ACCEPT for this firewall zone.
The commands below were executed after my clients lost internet access; for the last two commands I had already made the changes described above so that the VPN would connect.
etc/config/dhcp
# /etc/config/dhcp as pasted: dnsmasq (DNS/DHCPv4) and odhcpd (DHCPv6/RA) settings.
config dnsmasq
option domainneeded '1'
option localise_queries '1'
# Discard upstream answers that resolve to private address ranges (DNS rebinding
# protection); rebind_localhost still lets 127.0.0.0/8 answers through.
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
# Only answer DNS queries that arrive from directly attached subnets.
option localservice '1'
config dhcp 'lan'
option interface 'lan'
# Pool of 150 addresses starting at host .100 (so .100-.249 with the 192.168.1.1/24
# lan address in /etc/config/network), 12h leases.
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
config dhcp 'wan'
option interface 'wan'
# No DHCP service is offered towards the wan interface.
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
etc/config/firewall
# /etc/config/firewall as pasted. Policy for traffic that matches no zone: the
# router accepts traffic addressed to itself and rejects forwarding unless an
# explicit 'config forwarding' section allows it.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# wan zone: nothing reaches the router from the wan side except what the
# Allow-* rules below explicitly open; outbound traffic is NATed (masq).
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# The next two rules (part of the stock OpenWrt firewall config) pass IPSec ESP
# and IKE (UDP/500) from wan into lan; they only matter if an IPSec endpoint on
# the lan is meant to be reachable from outside.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# /etc/firewall.user is not shown in this paste; any rules it adds apply on top
# of the zones below.
config include
option path '/etc/firewall.user'
# Zone for the OpenVPN tunnel (tun0, the 'OVPN' interface in /etc/config/network).
# input 'ACCEPT' lets hosts on the tunnel side reach services running on the
# router itself, unlike the wan zone which REJECTs; the wan pattern (REJECT plus
# explicit Allow-* rules) is the tighter choice unless something on the router
# must be reachable from the VPN provider's network.
# masq '1' NATs lan traffic to the tunnel address so replies return over tun0.
config zone
option name 'ovpn_fw'
list network 'OVPN'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option forward 'REJECT'
option input 'ACCEPT'
# Only lan -> ovpn_fw is permitted; there is no ovpn_fw -> lan forwarding
# section, so the zone's forward 'REJECT' blocks forwarding initiated from the
# tunnel side.
config forwarding
option dest 'ovpn_fw'
option src 'lan'
etc/config/network
# /etc/config/network as pasted.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
# IPv6 unique-local prefix handed out to lan via ip6assign below.
option ula_prefix 'fd36:50ab:267c::/48'
# lan is a bridge over switch VLAN 1 (eth0.1), 192.168.1.1/24.
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
# wan is switch VLAN 2 (eth0.2) with an address from the upstream DHCP server
# (192.168.2.1 according to the routing output below).
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
config device 'wan_eth0_2_dev'
option name 'eth0.2'
# MAC address redacted in the paste.
option macaddr 'd4:6e:0e:xx:xx:xx'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
# VLAN 1: ports 1-4 untagged (lan), CPU port 0 tagged.
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 0t'
# VLAN 2: port 5 untagged (wan), CPU port 0 tagged.
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 0t'
# tun0 is created and addressed by OpenVPN itself; proto 'none' only registers
# it as a logical interface so the ovpn_fw zone and vpn-policy-routing can
# reference it.
config interface 'OVPN'
option ifname 'tun0'
option proto 'none'
etc/config/vpn-policy-routing
# /etc/config/vpn-policy-routing as pasted.
# 'Aria2 VPN': matches every source address. In the OUTPUT chain this covers
# traffic generated by the router itself (presumably where aria2 runs).
# NOTE(review): the 'after vpn' support output below shows this policy installed
# in the FORWARD chain instead; FORWARD only sees traffic passing through the
# router, so router-local aria2 traffic would not be marked there and would
# follow the main routing table (the wan default route) whenever the tunnel is
# down, which matches the symptom described at the end of the post. Confirm which
# chain is actually in use before changing anything.
config policy
option name 'Aria2 VPN'
option interface 'OVPN'
option src_addr '0.0.0.0/0'
option chain 'OUTPUT'
# 'Lan': pins the whole lan subnet to the wan gateway; installed in PREROUTING
# (see the mangle output below), so forwarded client traffic never enters the
# tunnel.
config policy
option interface 'wan'
option name 'Lan'
option src_addr '192.168.1.0/24'
config vpn-policy-routing 'config'
option verbosity '2'
# With strict enforcement, traffic matched to a policy whose interface is down is
# dropped instead of falling back to the main table; the 'unreachable default'
# entry for table 202 in the 'before vpn' support output is that enforcement for
# OVPN.
option strict_enforcement '1'
# ipset-based matching is disabled; the dnsmasq build shown in the support output
# is compiled with no-ipset, so resolver_ipset would not be usable anyway.
option src_ipset '0'
option dest_ipset '0'
option resolver_ipset 'dnsmasq.ipset'
option ipv6_enabled '0'
list ignored_interface 'vpnserver wgserver'
option boot_timeout '30'
option iptables_rule_option 'append'
option procd_reload_delay '1'
option webui_enable_column '0'
option webui_protocol_column '0'
option webui_show_ignore_target '0'
option webui_sorting '1'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list webui_supported_protocol 'all'
option webui_chain_column '1'
option enabled '1'
# Both optional include files are present but disabled.
config include
option path '/etc/vpn-policy-routing.netflix.user'
option enabled '0'
config include
option path '/etc/vpn-policy-routing.aws.user'
option enabled '0'
before vpn
/etc/init.d/vpn-policy-routing support
vpn-policy-routing 0.3.2-20 running on OpenWrt 19.07.8.
============================================================
Dnsmasq version 2.80 Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-nettlehash no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default 192.168.2.1 0.0.0.0 UG 0 0 0 eth0.2
IPv4 Table 201: default via 192.168.2.1 dev eth0.2
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
IPv4 Table 201 Rules:
32765: from all fwmark 0x10000/0xff0000 lookup wan
IPv4 Table 202: unreachable default
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
IPv4 Table 202 Rules:
32764: from all fwmark 0x20000/0xff0000 lookup OVPN
============================================================
Mangle IP Table: PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 192.168.1.0/24 -m comment --comment Lan -c 14047 2237166 -g VPR_MARK0x010000
============================================================
Mangle IP Table: OUTPUT
-N VPR_OUTPUT
-A VPR_OUTPUT -m comment --comment Aria2_VPN -c 9530 2981647 -g VPR_MARK0x020000
============================================================
Mangle IP Table MARK Chain: VPR_MARK0x010000
-N VPR_MARK0x010000
-A VPR_MARK0x010000 -c 14050 2237286 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_MARK0x010000 -c 14050 2237286 -j RETURN
============================================================
Mangle IP Table MARK Chain: VPR_MARK0x020000
-N VPR_MARK0x020000
-A VPR_MARK0x020000 -c 9536 2982687 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_MARK0x020000 -c 9536 2982687 -j RETURN
============================================================
Current ipsets
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'.
before vpn
/etc/init.d/vpn-policy-routing reload
Creating table 'wan/eth0.2/192.168.2.1' [✓]
Creating table 'OVPN/tun0/0.0.0.0' [✓]
Routing 'Aria2 VPN' via OVPN [✓]
Routing 'Lan' via wan [✓]
vpn-policy-routing 0.3.2-20 monitoring interfaces: wan OVPN [✓]
vpn-policy-routing 0.3.2-20 started with gateways:
wan/eth0.2/192.168.2.1 [✓]
OVPN/tun0/0.0.0.0
after vpn
/etc/init.d/vpn-policy-routing support
vpn-policy-routing 0.3.2-20 running on OpenWrt 19.07.8.
============================================================
Dnsmasq version 2.80 Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-nettlehash no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default 1-186-109-91.dy 128.0.0.0 UG 0 0 0 tun0
default 192.168.2.1 0.0.0.0 UG 0 0 0 eth0.2
IPv4 Table 201: default via 192.168.2.1 dev eth0.2
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
IPv4 Table 201 Rules:
32763: from all fwmark 0x10000/0xff0000 lookup wan
IPv4 Table 202: default via 91.109.xx.xx dev tun0
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
IPv4 Table 202 Rules:
32762: from all fwmark 0x20000/0xff0000 lookup OVPN
============================================================
Mangle IP Table: PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 192.168.1.0/24 -m comment --comment Lan -c 2561 378782 -g VPR_MARK0x010000
============================================================
Mangle IP Table: FORWARD
-N VPR_FORWARD
-A VPR_FORWARD -m comment --comment Aria2_VPN -c 1476 1260197 -g VPR_MARK0x020000
============================================================
Mangle IP Table MARK Chain: VPR_MARK0x010000
-N VPR_MARK0x010000
-A VPR_MARK0x010000 -c 2564 378902 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_MARK0x010000 -c 2564 378902 -j RETURN
============================================================
Mangle IP Table MARK Chain: VPR_MARK0x020000
-N VPR_MARK0x020000
-A VPR_MARK0x020000 -c 1476 1260197 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_MARK0x020000 -c 1476 1260197 -j RETURN
============================================================
Current ipsets
============================================================
after vpn
/etc/init.d/vpn-policy-routing reload
Creating table 'wan/eth0.2/192.168.2.1' [✓]
Creating table 'OVPN/tun0/91.109.xx.xx' [✓]
Routing 'Aria2 VPN' via OVPN [✓]
Routing 'Lan' via wan [✓]
vpn-policy-routing 0.3.2-20 monitoring interfaces: wan OVPN [✓]
vpn-policy-routing 0.3.2-20 started with gateways:
wan/eth0.2/192.168.2.1
OVPN/tun0/91.109.xx.xx [✓]
With the current settings as described above, everything works as intended, except that when I turn off the VPN, aria2 can still download files: when the VPN is up it downloads over the VPN interface, but when the VPN is down it downloads over the WAN interface.