I need help with VPN client

good morning,
and tried to make some changes in Openwrt to get more speed of downloading and uploading data.
I have not made any changes in the interfaces of my vpn clients, but somehow now the routing to my vpn clients does not work, could someone tell me if it happens or has happened?

Did you miss a part of your sentence?

Has what happened/does what happens?

:confused:

Excuse me for not explaining myself very well. I don't speak or write English very well, so I got help from a translator. I hope I can explain myself better.
I have 3 VPN Clients on my system.
tun0- NordVpn
tun1- NordVpn
wgclient- Wireguard Client.
I route these interfaces with PBR. Until a certain point this worked perfectly, but today I had an error in PBR; I restarted PBR, and when I do a test on whatismyipaddress the routing does not work.
I don't know how to explain it very well


I need help to reconfigure my Vpnclient.
I route through PBR to the interfaces, but it doesn't work. I have configured everything that I knew how to do until now, but at this moment I don't know how to solve the problem.
Can someone help me review what may be wrong? I don't want to touch anything else, so as not to break more things.

You haven't provided any configs.

  • What was the error?
  • What was changed?
  • Do you have a backup of your config?
  • What was the error?
    The error no longer appears now. It said something about iptables, but when I restarted, it went away; now in PBR I don't get any error. But when I create a policy and send an IP to an interface, for example tun0, it does not take it into account.

  • What was changed?
    What I did was follow these steps to see if I could get more speed on the FritzBox 4040:
    - Enable "Software flow offloading" in Network -> Firewall -> Routing/NAT Offloading
    - Add the following line to System -> Startup -> Local Startup before 'exit 0':
      echo performance > /sys/devices/system/cpu/cpufreq/policy0/scaling_governor
    - Disable SQM QoS if you are using it!
    - Install the irqbalance package. System -> Software -> Filter irqbalance -> Install
    - Reboot your FritzBox.

  • Do you have a backup of your config?
    I have, but when uploading the .tar file generated in Openwrt, I get this message:
    The uploaded backup archive is not readable


They're just text files inside.


I'm very new to all this and I don't have much idea, which is why I ask for so much help on the forum.
I don't know very well how I can upload the backup. I saw the folder inside the .tar file.
What surprises me is that routing from PBR to interfaces has always worked well for me, but now even with the policy it doesn't work.

root@Home:~# ubus call system board; \
> uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> uci export vpn-policy-routing; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
{
	"kernel": "4.14.171",
	"hostname": "Home",
	"system": "ARMv7 Processor rev 5 (v7l)",
	"model": "AVM FRITZ!Box 4040",
	"board_name": "avm,fritzbox-4040",
	"release": {
		"distribution": "OpenWrt",
		"version": "19.07.2",
		"revision": "r10947-65030d81f3",
		"target": "ipq40xx/generic",
		"description": "OpenWrt 19.07.2 r10947-65030d81f3"
	}
}
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd91:31ed:87d2::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.15.1'
	option ifname 'eth0'

config interface 'wan'
	option ifname 'eth1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.10.10'
	option gateway '192.168.10.1'
	option metric '0'
	list dns '192.168.10.1'

config interface 'wan6'
	option ifname 'eth1'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0 1 2 3 4'

config interface 'wifi'
	option ifname 'radio0.network1 radio1.network1'
	option type 'bridge'
	option proto 'dhcp'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 
	option listen_port '52466'
	list addresses '10.0.0.1/24'

config wireguard_wg0
	option public_key 
	option description 
	option persistent_keepalive '25'
	list allowed_ips '10.0.0.2'
	option endpoint_host 
	option endpoint_port '52466'
	option route_allowed_ips '1'

config wireguard_wg0
	option public_key 
	option description 
	option persistent_keepalive '25'
	option endpoint_port '52466'
	list allowed_ips '10.0.0.3'
	option route_allowed_ips '1'
	option endpoint_host 

config interface 'VpnClient2'
	option ifname 'tun1'
	option proto 'none'

config interface 'wgclient0'
	option proto 'wireguard'
	option private_key 
	option listen_port '51820'
	list addresses '10.66.126.50/32'

config wireguard_wgclient0
	option public_key 
	option description 
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/1'
	list allowed_ips '128.0.0.0/1'
	option endpoint_host 
	option endpoint_port '51820'

config interface 'vpnclient'
	option ifname 'tun0'
	option proto 'none'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/soc/a000000.wifi'
	option htmode 'HT20'
	option channel '11'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 
	option encryption 'psk-mixed'
	option key 

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'platform/soc/a800000.wifi'
	option htmode 'VHT80'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 
	option encryption 'psk-mixed'
	option key 

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'
	option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option start '100'
	option limit '150'
	option ra 'server'
	option dhcpv6 'server'
	option ra_management '1'
	list dhcp_option '6,8.8.8.8,8.8.4.4'
	list dns '2001:4860:4860::8888'
	list dns '2001:4860:4860::8844'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'wifi'
	option leasetime '12h'
	option interface 'wifi'
	option start '150'
	option limit '100'

config host
	option mac 
	option name 
	option dns '1'
	option ip '192.168.15.2'

config host
	option mac
	option name 
	option dns '1'
	option ip '192.168.15.3'

config host
	option mac 
	option name 
	option dns '1'
	option ip '192.168.15.4'

config host
	option mac 
	option name 
	option dns '1'
	option ip '192.168.15.5'

config host
	option mac 
	option name 
	option dns '1'
	option ip '192.168.15.6'

config host
	option name 
	option dns '1'
	option mac 
	option ip '192.168.15.7'

config host
	option mac 
	option name 
	option dns '1'
	option ip '192.168.15.8'

config host
	option mac 
	option name 
	option dns '1'
	option ip '192.168.15.9'

config host
	option mac 
	option name 
	option dns '1'
	option ip '192.168.15.10'

config host
	option mac 
	option dns '1'
	option name 
	option ip '192.168.15.11'

config host
	option name 
	option dns '1'
	option ip '192.168.15.12'
	option mac 

config host
	option dns '1'
	option ip '192.168.15.13'
	option mac 
	option name 

config host
	option name 
	option dns '1'
	option ip '192.168.15.14'
	option mac 

config host
	option mac 
	option name 
	option dns '1'
	option ip '192.168.15.15'

config host
	option mac 
	option name 
	option dns '1'
	option ip '192.168.15.16'

config host
	option mac 
	option name 
	option dns '1'
	option ip '192.168.15.17'

config host
	option mac 
	option name 
	option dns '1'
	option ip '192.168.15.18'

config host
	option mac 
	option name 
	option dns '1'
	option ip '192.168.15.19'

config host
	option mac 
	option name 
	option dns '1'
	option ip '192.168.15.20'

config host
	option mac
	option name 
	option dns '1'
	option ip '192.168.15.21'

config host
	option mac 
	option name 
	option dns '1'
	option ip '192.168.15.22'

config host
	option mac 
	option name 
	option dns '1'
	option ip '192.168.15.23'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option synflood_protect '1'
	option flow_offloading '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan wg0'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'wifi'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option network 'wifi'

config forwarding
	option dest 'wan'
	option src 'wifi'

config zone
	option mtu_fix '1'
	option masq '1'
	option output 'ACCEPT'
	option input 'REJECT'
	option forward 'REJECT'
	option name 'VpnClient'
	option network 'vpnclient'

config forwarding
	option src 'lan'
	option dest 'VpnClient'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config zone
	option network 'VpnClient2'
	option name 'VpnClient2'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'
	option output 'ACCEPT'

config forwarding
	option dest 'VpnClient2'
	option src 'lan'

config zone
	option name 'wgclient'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'
	option output 'ACCEPT'
	option network 'wgclient0'

config forwarding
	option dest 'wgclient'
	option src 'lan'

package vpn-policy-routing

config include
	option path '/etc/vpn-policy-routing.aws.user'
	option enabled '0'

config include
	option path '/etc/vpn-policy-routing.netflix.user'
	option enabled '0'

config vpn-policy-routing 'config'
	option verbosity '2'
	option strict_enforcement '1'
	option dest_ipset 'dnsmasq.ipset'
	option boot_timeout '30'
	option iptables_rule_option 'append'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	option src_ipset '0'
	option webui_enable_column '1'
	option webui_protocol_column '1'
	option webui_chain_column '1'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver wgserver'
	list ignored_interface 'wg0'
	list supported_interface 'vpnclient'
	option append_src_rules '! -d 10.0.0.0/24'
	option iprule_enabled '0'
	option enabled '1'

config policy
	option name 
	option src_addr '192.168.15.4'
	option interface 'wgclient0'

config policy
	option name 
	option src_addr '192.168.15.8'
	option interface 'vpnclient'

config policy
	option name 
	option src_addr '192.168.15.5'
	option interface 'vpnclient'

config policy
	option name 
	option src_addr '192.168.15.10'
	option interface 'VpnClient2'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    inet 192.168.10.10/24 brd 192.168.10.255 scope global eth1
       valid_lft forever preferred_lft forever
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.15.1/24 brd 192.168.15.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    inet 10.0.0.1/24 brd 10.0.0.255 scope global wg0
       valid_lft forever preferred_lft forever
10: wgclient0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    inet 10.66.126.50/32 brd 255.255.255.255 scope global wgclient0
       valid_lft forever preferred_lft forever
14: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    inet 10.8.3.12/24 brd 10.8.3.255 scope global tun1
       valid_lft forever preferred_lft forever
15: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    inet 10.8.2.10/24 brd 10.8.2.255 scope global tun0
       valid_lft forever preferred_lft forever
default via 192.168.10.1 dev eth1 table 201 
default via 10.8.3.12 dev tun1 table 202 
default via 10.66.126.50 dev wgclient0 table 203 
default via 10.8.2.10 dev tun0 table 204 
default via 192.168.10.1 dev eth1 
10.0.0.0/24 dev wg0 scope link  src 10.0.0.1 
10.0.0.2 dev wg0 scope link 
10.0.0.3 dev wg0 scope link 
10.8.2.0/24 dev tun0 scope link  src 10.8.2.10 
10.8.3.0/24 dev tun1 scope link  src 10.8.3.12 
31.16.42.117 via 192.168.10.1 dev eth1 
192.168.10.0/24 dev eth1 scope link  src 192.168.10.10 
192.168.15.0/24 dev br-lan scope link  src 192.168.15.1 
193.27.14.146 via 192.168.10.1 dev eth1 
broadcast 10.0.0.0 dev wg0 table local scope link  src 10.0.0.1 
local 10.0.0.1 dev wg0 table local scope host  src 10.0.0.1 
broadcast 10.0.0.255 dev wg0 table local scope link  src 10.0.0.1 
broadcast 10.8.2.0 dev tun0 table local scope link  src 10.8.2.10 
local 10.8.2.10 dev tun0 table local scope host  src 10.8.2.10 
broadcast 10.8.2.255 dev tun0 table local scope link  src 10.8.2.10 
broadcast 10.8.3.0 dev tun1 table local scope link  src 10.8.3.12 
local 10.8.3.12 dev tun1 table local scope host  src 10.8.3.12 
broadcast 10.8.3.255 dev tun1 table local scope link  src 10.8.3.12 
local 10.66.126.50 dev wgclient0 table local scope host  src 10.66.126.50 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.10.0 dev eth1 table local scope link  src 192.168.10.10 
local 192.168.10.10 dev eth1 table local scope host  src 192.168.10.10 
broadcast 192.168.10.255 dev eth1 table local scope link  src 192.168.10.10 
broadcast 192.168.15.0 dev br-lan table local scope link  src 192.168.15.1 
local 192.168.15.1 dev br-lan table local scope host  src 192.168.15.1 
broadcast 192.168.15.255 dev br-lan table local scope link  src 192.168.15.1 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
lrwxrwxrwx    1 root     root            16 Feb 27 22:05 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Aug 17 18:27 /tmp/resolv.conf
-rw-r--r--    1 root     root            40 Aug 17 18:23 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 192.168.10.1
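
An added diagnostic, written for this thread and not part of the original posts, that makes the problem in the dump above visible: `ip -4 ro li tab all` shows default routes in tables 201-204, but `ip -4 ru` lists only the three stock rules, so no packet is ever directed into those tables. The script parses constructed copies of both outputs and lists every PBR table that no rule looks up; the `RULES_OK` set (with illustrative fwmark values) is constructed to show what a healthy rule list looks like.

```shell
#!/bin/sh
# Added example (not from the thread): find policy-routing tables that hold a
# default route but are never selected by an ip rule. The sample inputs are
# constructed from the `ip -4 ro li tab all` and `ip -4 ru` output above.

# Routes as printed in the thread: four PBR tables plus the main table.
ROUTES='default via 192.168.10.1 dev eth1 table 201
default via 10.8.3.12 dev tun1 table 202
default via 10.66.126.50 dev wgclient0 table 203
default via 10.8.2.10 dev tun0 table 204
default via 192.168.10.1 dev eth1
10.0.0.0/24 dev wg0 scope link  src 10.0.0.1'

# Rules as printed in the thread: only the three stock rules, so nothing
# can ever reach tables 201-204.
RULES_BROKEN='0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default'

# Constructed rule set for comparison (fwmark values are illustrative):
# the shape `ip -4 ru` takes once PBR has installed its rules.
RULES_OK='0:	from all lookup local
32001:	from all fwmark 0x10000/0xff0000 lookup 201
32002:	from all fwmark 0x20000/0xff0000 lookup 202
32003:	from all fwmark 0x30000/0xff0000 lookup 203
32004:	from all fwmark 0x40000/0xff0000 lookup 204
32766:	from all lookup main
32767:	from all lookup default'

# Print "<table> <device>" for every default route that lives in a named table.
pbr_tables() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        tbl = ""; dev = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "dev")   dev = $(i + 1)
            if ($i == "table") tbl = $(i + 1)
        }
        if (tbl != "") print tbl, dev
    }'
}

# Print the tables from $1 (route dump) that no rule in $2 (rule dump) looks up.
orphan_tables() {
    pbr_tables "$1" | while read -r tbl dev; do
        printf '%s\n' "$2" | grep -qE "lookup ${tbl}([[:space:]]|\$)" \
            || printf '%s %s\n' "$tbl" "$dev"
    done
}

orphan_tables "$ROUTES" "$RULES_BROKEN" | while read -r tbl dev; do
    echo "table $tbl ($dev) has a default route but no ip rule selects it"
done
```

On a live router, replace the two constructed strings with `"$(ip -4 ro li tab all)"` and `"$(ip -4 ru)"`; an empty result means every PBR table is reachable through a rule.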

If you've recently upgraded BusyBox, check out this thread:


I don't really know how to reinstall the file.
What I did was delete this file and reinstall it: coreutils-sort, but my problem remains.

If I put this in the ssh it reinstalls

opkg update; opkg --force-reinstall install coreutils-sort


good morning,
Unfortunately this step has not helped me on my FritzBox 4040.
At least I know now that it wasn't my fault that my routing from PBR to my VpnClient interfaces stopped working, because I was going crazy and desperate.

Try this:

opkg update; opkg --force-reinstall install ip-full

Thank you very much for the help!!
They do an incredible job on this forum!
Everything seems to be working perfectly again

