I have an issue where I have configured my router with a PPPOE (wan) interface and an OpenVPN (tun) interface. For the OpenVPN connection I have created a separate interface and zone specifically for the connection to AirVPN.
All is working fine. However, the problem I have is that when the OpenVPN client is connected, none of the external access rules to the wan interface (such as tcp 22 and 80, as examples) work.
When the OpenVPN client is disconnected they work just fine testing from an external shell with nmap.
I can only think this is potentially a routing problem where the packet gets sent back down the wrong interface, i.e. the tun adapter, when received on the wan.
Sounds like a routing issue with multiple interfaces. Could you post here the following: cat /etc/config/network; cat /etc/config/firewall; ip -4 addr ; ip -4 ro ; ip -4 ru
First I suggest that you cover some sensitive data in your previous post, like the username and password for PPPoE and your public IP address.
Add this command and test again, no restart needed. ip rule add from $IP1 table 100 where $IP1 is the public IP of pppoe-wan.
For the router itself to use the wan line you can issue the following command ip rule add iif lo to default lookup 100 prio 2
That should do it and then we would need to see how to add it in the configuration for every time the network restarts or pppoe renews your IP.
@trendy
Thanks for the latest fix. Now making progress with your latest solution and I can confirm that inbound connections to the wan interface while OpenVPN is connected are now working great.
I have somewhat put together a solution (although not thoroughly tested) for /etc/init.d/network restarts and the VPN connecting and disconnecting. I currently run an up.sh and down.sh script upon connection and disconnection with the OpenVPN client.
I have modified these scripts with your routing fix and some of my code to grab the current IPV4 address from the pppoe-wan interface.
up.sh
#!/bin/sh
#reload sqm due to openvpn interface changes
/etc/init.d/sqm reload >/dev/null 2>&1
#commit crontab on openvpn up successful to enable vpn gateway checking and restart if down
#(drop any existing check_vpn entry first so repeated reconnects do not duplicate it)
(crontab -u root -l | grep -v '/root/check_vpn' ; echo "*/5 * * * * /root/check_vpn") | crontab -u root -
#Fix for inbound connections on wan interface while openvpn connected
pppoeip4=$(/sbin/ip -o -4 addr list pppoe-wan | awk '{print $4}' | cut -d/ -f1 | head -n 1)
#only add the rule when pppoe-wan actually has an address, and only if it is not already there
if [ -n "$pppoeip4" ] && ! ip -4 rule show | grep -q "from $pppoeip4 lookup 100"; then
    ip rule add from "$pppoeip4" table 100
fi
#ipv6 not currently supported by ISP
#pppoeip6=$(/sbin/ip -o -6 addr list eth0 | awk '{print $4}' | cut -d/ -f1)
#ip rule add from $pppoeip6 table 100
down.sh
#!/bin/sh
#reload sqm due to interface changes
/etc/init.d/sqm reload >/dev/null 2>&1
#remove the crontab vpn gateway check entry
crontab -u root -l | grep -v '/root/check_vpn' | crontab -u root -
#ipv4 remove wan traffic fix when openvpn disconnects
pppoeip4=$(/sbin/ip -o -4 addr list pppoe-wan | awk '{print $4}' | cut -d/ -f1 | head -n 1)
#skip the delete if pppoe-wan currently has no address, otherwise ip(8) errors out on an empty argument
if [ -n "$pppoeip4" ]; then
    ip rule del from "$pppoeip4" table 100
fi
#ipv6 not currently supported by ISP so not used yet (not required for 6in4)
#pppoeip6=$(/sbin/ip -o -6 addr list eth0 | awk '{print $4}' | cut -d/ -f1)
#ip rule del from $pppoeip6 table 100
I am not fussed about routing all traffic from the OpenWRT router out of the wan interface with the vpn connected (I prefer it this way for security).
The only potential problem I can so far see is with a full network init script restart. However, I am hoping that if the OpenVPN service is still running when that happens, the up.sh and down.sh scripts should still take effect when it reconnects. Also, if the pppoe-wan address gets dhcp renewed on re-lease, this should still force OpenVPN to reconnect in the same manner (in theory) and the scripts to fix the traffic will run.
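An added example that is not from this thread or from anyone posting in it: the same policy rule from trendy's fix, but installed from an OpenWrt interface hotplug script instead of the OpenVPN up/down scripts, so it is (re)applied whenever the wan interface itself comes up or renews its address, which is the restart and re-lease case worried about above. It assumes the logical interface is named "wan", its device is "pppoe-wan", and routing table 100 already holds a default route via pppoe-wan; the file name, the state file path and the sample command outputs are my own choices, and the 203.0.113.x addresses are constructed documentation values.

```shell
#!/bin/sh
# Added example, not from this thread: an OpenWrt hotplug script, e.g. saved as
# /etc/hotplug.d/iface/99-wan-policy-rule (the file name is my choice).
# netifd runs every script in that directory with ACTION (ifup, ifdown, ifupdate, ...)
# and INTERFACE (the logical name, "wan" here) in the environment whenever an
# interface changes state, so the rule follows pppoe-wan itself rather than OpenVPN.
# Assumptions not in the thread: the logical interface is "wan", its device is
# "pppoe-wan", and table 100 already carries a default route via pppoe-wan.

WAN_IFACE="${WAN_IFACE:-wan}"
WAN_DEV="${WAN_DEV:-pppoe-wan}"
WAN_TABLE="${WAN_TABLE:-100}"
# Remembers which address the rule was installed for, so a renewed lease
# can drop the stale rule even though the old address is no longer on the link.
STATE_FILE="${STATE_FILE:-/var/run/wan-policy-rule.addr}"

# Constructed sample outputs (203.0.113.0/24 is a documentation range, not a real host),
# used only to exercise the parsing functions below without root or a PPPoE link.
SAMPLE_ADDR_OUTPUT='7: pppoe-wan    inet 203.0.113.5 peer 203.0.113.1/32 scope global pppoe-wan\       valid_lft forever preferred_lft forever'
SAMPLE_RULE_OUTPUT='0:      from all lookup local
32765:  from 203.0.113.5 lookup 100
32766:  from all lookup main
32767:  from all lookup default'

# Print the first IPv4 address found in "ip -o -4 addr list <dev>" output read from stdin.
# Handles both the "inet A peer B/32" (PPPoE) and "inet A/24" (Ethernet) forms.
wan_ip_from_addr_output() {
    awk '$3 == "inet" { sub("/.*", "", $4); print $4; exit }'
}

# Succeed if "ip -4 rule show" output on stdin already contains "from <addr> lookup <table>".
rule_present() {
    grep -q -E "^[0-9]+:[[:space:]]+from $1 lookup $2([[:space:]]|$)"
}

# Add or delete the policy rule idempotently; refuse to run ip(8) with an empty address,
# which is what a bare "ip rule add from $pppoeip4" ends up doing when the link is down.
sync_rule() {
    action="$1"; addr="$2"; table="$3"
    [ -n "$addr" ] || return 1
    case "$action" in
        add)
            ip -4 rule show | rule_present "$addr" "$table" ||
                ip -4 rule add from "$addr" table "$table"
            ;;
        del)
            # Loop: duplicate rules accumulate if an earlier script added them blindly.
            while ip -4 rule show | rule_present "$addr" "$table"; do
                ip -4 rule del from "$addr" table "$table"
            done
            ;;
        *)
            return 2
            ;;
    esac
}

# Hotplug entry point: inert unless netifd invoked us for the wan interface.
if [ -n "$ACTION" ] && [ "$INTERFACE" = "$WAN_IFACE" ]; then
    old=$(cat "$STATE_FILE" 2>/dev/null)
    case "$ACTION" in
        ifup|ifupdate)
            new=$(ip -o -4 addr list "$WAN_DEV" 2>/dev/null | wan_ip_from_addr_output)
            # Lease renewed with a different address: retire the old rule first.
            if [ -n "$old" ] && [ "$old" != "$new" ]; then
                sync_rule del "$old" "$WAN_TABLE"
            fi
            if sync_rule add "$new" "$WAN_TABLE"; then
                echo "$new" > "$STATE_FILE"
            fi
            ;;
        ifdown)
            sync_rule del "$old" "$WAN_TABLE"
            rm -f "$STATE_FILE"
            ;;
    esac
fi
```

Tying the rule to the wan interface's own lifecycle sidesteps the gap in the up.sh/down.sh approach: if the PPPoE address changes while the tunnel stays up, down.sh later deletes a rule for the new address (which does not exist) and the rule for the old address lingers, while the new address has no rule at all. The state file and the present-before-add check keep the rule set to exactly one entry per current address. The router's own outbound traffic is untouched here, matching the preference stated above; trendy's `iif lo` rule would be a separate, optional line.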