ubus call system board; \
> uci export network; uci export vpn-policy-routing; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
"kernel": "5.4.111",
"hostname": "",
"system": "ARMv7 Processor rev 5 (v7l)",
"model": "AVM FRITZ!Box 4040",
"board_name": "avm,fritzbox-4040",
"release": {
"distribution": "OpenWrt",
"version": "21.02.0-rc1",
"revision": "r16046-59980f7aaf",
"target": "ipq40xx/generic",
"description": "OpenWrt 21.02.0-rc1 r16046-59980f7aaf"
}
}
package network
config interface 'loopback'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
option device 'lo'
config globals 'globals'
option ula_prefix 'fdcb:bc60:8b65::/48'
config interface 'lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option device 'br-lan'
config interface 'wan'
option proto 'dhcp'
option device 'eth1'
config interface 'wan6'
option proto 'dhcpv6'
option device 'eth1'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 0'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'vpn'
option proto 'wireguard'
option private_key ''
option listen_port '51820'
list addresses '192.168.9.1/24'
list addresses 'fdf1:e8a1:8d3f:9::1/64'
config wireguard_vpn 'wgclient'
option preshared_key ''
list allowed_ips '192.168.9.2/32'
list allowed_ips 'fdf1:e8a1:8d3f:9::2/128'
option description ''
option public_key ''
option endpoint_host ''
option persistent_keepalive '25'
option route_allowed_ips '1'
config wireguard_vpn 'wglaptop'
option public_key ''
option preshared_key ''
list allowed_ips '192.168.9.3/32'
list allowed_ips 'fdf1:e8a1:8d3f:9::3/128'
config wireguard_vpn 'wgmobile'
option public_key ''
option preshared_key ''
list allowed_ips '192.168.9.4/32'
list allowed_ips 'fdf1:e8a1:8d3f:9::4/128'
config interface 'tun0'
option proto 'none'
option device 'tun0'
package vpn-policy-routing
config vpn-policy-routing 'config'
option verbosity '2'
option strict_enforcement '1'
option src_ipset '0'
option dest_ipset '0'
option resolver_ipset 'dnsmasq.ipset'
option ipv6_enabled '0'
option boot_timeout '30'
option iptables_rule_option 'append'
option procd_reload_delay '1'
option webui_protocol_column '0'
option webui_chain_column '0'
option webui_show_ignore_target '0'
option webui_sorting '1'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list webui_supported_protocol 'all'
option webui_enable_column '1'
option enabled '1'
list ignored_interface 'vpnserver wgserver'
list ignored_interface 'wgserver'
list supported_interface 'vpnclient'
list supported_interface 'vpn'
config include
option path '/etc/vpn-policy-routing.netflix.user'
option enabled '0'
config include
option path '/etc/vpn-policy-routing.aws.user'
option enabled '0'
config policy
option name 'iMac'
option src_addr '192.168.1.172'
option interface 'tun0'
package dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'vpn'
list network 'tun0'
config zone 'wan'
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
config include
option path '/etc/firewall.user'
config rule 'wg'
option name 'Allow-WireGuard'
option src 'wan'
option dest_port '51820'
option proto 'udp'
option target 'ACCEPT'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
inet 192.168.10.10/24 brd 192.168.10.255 scope global eth1
valid_lft forever preferred_lft forever
15: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
16: vpn: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
inet 192.168.9.1/24 brd 192.168.9.255 scope global vpn
valid_lft forever preferred_lft forever
default via 192.168.10.1 dev eth1 table wan
31.16.42.67 via 192.168.10.1 dev eth1 table wan proto static
192.168.1.0/24 dev br-lan table wan proto kernel scope link src 192.168.1.1
192.168.10.0/24 dev eth1 table wan proto kernel scope link src 192.168.10.10
default via 192.168.9.1 dev vpn table vpn
31.16.42.67 via 192.168.10.1 dev eth1 table vpn proto static
192.168.1.0/24 dev br-lan table vpn proto kernel scope link src 192.168.1.1
192.168.10.0/24 dev eth1 table vpn proto kernel scope link src 192.168.10.10
default via 192.168.10.1 dev eth1 proto static src 192.168.10.10
31.16.42.67 via 192.168.10.1 dev eth1 proto static
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.9.0/24 dev vpn proto kernel scope link src 192.168.9.1
192.168.9.2 dev vpn proto static scope link
192.168.10.0/24 dev eth1 proto kernel scope link src 192.168.10.10
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
broadcast 192.168.9.0 dev vpn table local proto kernel scope link src 192.168.9.1
local 192.168.9.1 dev vpn table local proto kernel scope host src 192.168.9.1
broadcast 192.168.9.255 dev vpn table local proto kernel scope link src 192.168.9.1
broadcast 192.168.10.0 dev eth1 table local proto kernel scope link src 192.168.10.10
local 192.168.10.10 dev eth1 table local proto kernel scope host src 192.168.10.10
broadcast 192.168.10.255 dev eth1 table local proto kernel scope link src 192.168.10.10
0: from all lookup local
32764: from all fwmark 0x20000/0xff0000 lookup vpn
32765: from all fwmark 0x10000/0xff0000 lookup wan
32766: from all lookup main
32767: from all lookup default
No sé dónde puede estar el error.
OpenVPN está activo y la plantilla .ovpn está configurada como lo hacía en el pasado. A la interfaz tun0 también parece que llega, pero VPN and WAN Policy-Based Routing me sigue dando este error: Policy 'iMac' has unknown interface: 'tun0'
root@Sava:~# /etc/init.d/log restart; /etc/init.d/openvpn restart; sleep 10; logread
Sat Jul 17 08:37:16 2021 daemon.err openvpn(de926nordvpncom)[13859]: event_wait : Interrupted system call (code=4)
Sat Jul 17 08:37:16 2021 daemon.notice openvpn(de926nordvpncom)[13859]: Closing TUN/TAP interface
Sat Jul 17 08:37:16 2021 daemon.notice openvpn(de926nordvpncom)[13859]: net_addr_v4_del: 10.7.0.2 dev tun0
Sat Jul 17 08:37:16 2021 daemon.notice netifd: Network device 'tun0' link is down
Sat Jul 17 08:37:16 2021 daemon.notice netifd: Interface 'tun0' has link connectivity loss
Sat Jul 17 08:37:16 2021 daemon.notice netifd: Interface 'tun0' is now down
Sat Jul 17 08:37:16 2021 daemon.notice netifd: Interface 'tun0' is disabled
Sat Jul 17 08:37:16 2021 daemon.notice openvpn(de926nordvpncom)[13859]: /usr/libexec/openvpn-hotplug down de926nordvpncom tun0 1500 1587 10.7.0.2 255.255.255.0 init
Sat Jul 17 08:37:16 2021 daemon.notice openvpn(de926nordvpncom)[13859]: SIGTERM[hard,] received, process exiting
Sat Jul 17 08:37:16 2021 daemon.warn openvpn(de926nordvpncom)[15077]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Sat Jul 17 08:37:16 2021 daemon.notice openvpn(de926nordvpncom)[15077]: OpenVPN 2.5.3 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Jul 17 08:37:16 2021 daemon.notice openvpn(de926nordvpncom)[15077]: library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
Sat Jul 17 08:37:16 2021 daemon.warn openvpn(de926nordvpncom)[15077]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sat Jul 17 08:37:16 2021 daemon.warn openvpn(de926nordvpncom)[15077]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Jul 17 08:37:16 2021 daemon.notice openvpn(de926nordvpncom)[15077]: NOTE: --fast-io is disabled since we are not using UDP
Sat Jul 17 08:37:16 2021 daemon.notice openvpn(de926nordvpncom)[15077]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Jul 17 08:37:16 2021 daemon.notice openvpn(de926nordvpncom)[15077]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Jul 17 08:37:16 2021 daemon.notice openvpn(de926nordvpncom)[15077]: TCP/UDP: Preserving recently used remote address: [AF_INET]45.141.152.27:443
Sat Jul 17 08:37:16 2021 daemon.notice openvpn(de926nordvpncom)[15077]: Socket Buffers: R=[131072->131072] S=[16384->16384]
Sat Jul 17 08:37:16 2021 daemon.notice openvpn(de926nordvpncom)[15077]: Attempting to establish TCP connection with [AF_INET]45.141.152.27:443 [nonblock]
Sat Jul 17 08:37:16 2021 daemon.notice openvpn(de926nordvpncom)[15077]: TCP connection established with [AF_INET]45.141.152.27:443
Sat Jul 17 08:37:16 2021 daemon.notice openvpn(de926nordvpncom)[15077]: TCP_CLIENT link local: (not bound)
Sat Jul 17 08:37:16 2021 daemon.notice openvpn(de926nordvpncom)[15077]: TCP_CLIENT link remote: [AF_INET]45.141.152.27:443
Sat Jul 17 08:37:16 2021 daemon.notice openvpn(de926nordvpncom)[15077]: TLS: Initial packet from [AF_INET]45.141.152.27:443, sid=4c6df0cd 33a57940
Sat Jul 17 08:37:16 2021 daemon.notice openvpn(de926nordvpncom)[15077]: VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Sat Jul 17 08:37:16 2021 daemon.notice openvpn(de926nordvpncom)[15077]: VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA6
Sat Jul 17 08:37:16 2021 daemon.notice openvpn(de926nordvpncom)[15077]: VERIFY KU OK
Sat Jul 17 08:37:16 2021 daemon.notice openvpn(de926nordvpncom)[15077]: Validating certificate extended key usage
Sat Jul 17 08:37:16 2021 daemon.notice openvpn(de926nordvpncom)[15077]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Jul 17 08:37:16 2021 daemon.notice openvpn(de926nordvpncom)[15077]: VERIFY EKU OK
Sat Jul 17 08:37:16 2021 daemon.notice openvpn(de926nordvpncom)[15077]: VERIFY OK: depth=0, CN=de926.nordvpn.com
Sat Jul 17 08:37:16 2021 daemon.notice openvpn(de926nordvpncom)[15077]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
Sat Jul 17 08:37:16 2021 daemon.notice openvpn(de926nordvpncom)[15077]: [de926.nordvpn.com] Peer Connection Initiated with [AF_INET]45.141.152.27:443
Sat Jul 17 08:37:17 2021 daemon.notice openvpn(de926nordvpncom)[15077]: SENT CONTROL [de926.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Sat Jul 17 08:37:18 2021 daemon.notice openvpn(de926nordvpncom)[15077]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.7.3.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.7.3.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Sat Jul 17 08:37:18 2021 daemon.notice openvpn(de926nordvpncom)[15077]: Pushed option removed by filter: 'redirect-gateway def1'
Sat Jul 17 08:37:18 2021 daemon.notice openvpn(de926nordvpncom)[15077]: OPTIONS IMPORT: timers and/or timeouts modified
Sat Jul 17 08:37:18 2021 daemon.notice openvpn(de926nordvpncom)[15077]: OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
Sat Jul 17 08:37:18 2021 daemon.notice openvpn(de926nordvpncom)[15077]: OPTIONS IMPORT: compression parms modified
Sat Jul 17 08:37:18 2021 daemon.notice openvpn(de926nordvpncom)[15077]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Sat Jul 17 08:37:18 2021 daemon.notice openvpn(de926nordvpncom)[15077]: Socket Buffers: R=[131072->360448] S=[44800->360448]
Sat Jul 17 08:37:18 2021 daemon.notice openvpn(de926nordvpncom)[15077]: OPTIONS IMPORT: --ifconfig/up options modified
Sat Jul 17 08:37:18 2021 daemon.notice openvpn(de926nordvpncom)[15077]: OPTIONS IMPORT: route-related options modified
Sat Jul 17 08:37:18 2021 daemon.notice openvpn(de926nordvpncom)[15077]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Jul 17 08:37:18 2021 daemon.notice openvpn(de926nordvpncom)[15077]: OPTIONS IMPORT: peer-id set
Sat Jul 17 08:37:18 2021 daemon.notice openvpn(de926nordvpncom)[15077]: OPTIONS IMPORT: adjusting link_mtu to 1659
Sat Jul 17 08:37:18 2021 daemon.notice openvpn(de926nordvpncom)[15077]: OPTIONS IMPORT: data channel crypto options modified
Sat Jul 17 08:37:18 2021 daemon.notice openvpn(de926nordvpncom)[15077]: Data Channel: using negotiated cipher 'AES-256-GCM'
Sat Jul 17 08:37:18 2021 daemon.notice openvpn(de926nordvpncom)[15077]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Jul 17 08:37:18 2021 daemon.notice openvpn(de926nordvpncom)[15077]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Jul 17 08:37:18 2021 daemon.notice openvpn(de926nordvpncom)[15077]: TUN/TAP device tun0 opened
Sat Jul 17 08:37:18 2021 daemon.notice openvpn(de926nordvpncom)[15077]: net_iface_mtu_set: mtu 1500 for tun0
Sat Jul 17 08:37:18 2021 daemon.notice openvpn(de926nordvpncom)[15077]: net_iface_up: set tun0 up
Sat Jul 17 08:37:18 2021 daemon.notice netifd: Interface 'tun0' is enabled
Sat Jul 17 08:37:18 2021 daemon.notice openvpn(de926nordvpncom)[15077]: net_addr_v4_add: 10.7.3.2/24 dev tun0
Sat Jul 17 08:37:18 2021 daemon.notice netifd: Network device 'tun0' link is up
Sat Jul 17 08:37:18 2021 daemon.notice netifd: Interface 'tun0' has link connectivity
Sat Jul 17 08:37:18 2021 daemon.notice netifd: Interface 'tun0' is setting up now
Sat Jul 17 08:37:18 2021 daemon.notice openvpn(de926nordvpncom)[15077]: /usr/libexec/openvpn-hotplug up de926nordvpncom tun0 1500 1587 10.7.3.2 255.255.255.0 init
Sat Jul 17 08:37:18 2021 daemon.notice netifd: Interface 'tun0' is now up
Sat Jul 17 08:37:18 2021 daemon.warn openvpn(de926nordvpncom)[15077]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Jul 17 08:37:18 2021 daemon.notice openvpn(de926nordvpncom)[15077]: Initialization Sequence Completed
Sat Jul 17 08:37:18 2021 user.notice firewall: Reloading firewall due to ifup of tun0 (tun0)
root@Sava:~#
Thank you very much for the information!!
For now I have decided to go back to version 19.07.7, because it seems more stable when using VPN and WAN Policy. There are many things I like about the new version, but for stability at home I prefer 19.07.7.
Thank you very much again for the help. This community is really incredible and the staff works hard.