Linksys EA6350 pings successfully, no internet

The history: I am new to openwrt and not real knowledgeable about routers in general, but I am learning. I am trying to set up a router with vpn on it as a secondary router using OpenVPN. I actually had it working for about a month, then my openwrt router quit accessing the internet and restarting everything several times did not correct it. While I was trying anything I thought looked promising from this forum and openwrt.org, I saw the new release of openwrt was out and decided to start from scratch.

My setup: isp connected to a Linksys EA7300 running native firmware. The EA7300's ethernet port is connected to the WAN port on the second router which is a Linksys EA6350v3 running OpenWRT 19.07.3. I used the OpenWRT guide on the Nordvpn site to configure Openvpn. I can go into Network diagnostics and successfully ping openwrt.org, but for some reason beyond my skills, cannot seem to get internet access. Any help is appreciated.

Links to copies of the config files:
[https://www.dropbox.com/s/dinaq29btterhgb/firewall.txt?dl=0
https://www.dropbox.com/s/lnmsxgxrlenhn4a/network.txt?dl=0
https://www.dropbox.com/s/j96bxdc9bi0k071/openvpn.txt?dl=0
https://www.dropbox.com/s/2qjx0g3d01asleb/wireless.txt?dl=0

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have

uci export network; uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
Thanks for looking at this.  The output is below:

root@OpenWrt:~# uci export network; uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd90:a266:dcbb::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '103.86.96.100'
        list dns '103.86.99.100'
        option ifname 'eth0'

config device 'lan_eth0_dev'
        option name 'eth0'
        option macaddr 'xx:xx:xx:xx:xx'

config interface 'wan'
        option proto 'dhcp'
        option peerdns '0'
        option ifname 'eth1'
        list dns '103.86.96.100'
        list dns '103.86.99.100'

config device 'wan_eth1_dev'
        option name 'eth1'
        option macaddr 'xx:xx:xx:xx:xx'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0'

config interface 'tun0'
        option proto 'none'
        option auto '0'

config interface 'nordvpntun'
        option proto 'none'
        option ifname 'tun0'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option drop_invalid '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 tun0'
        option forward 'ACCEPT'
        option input 'REJECT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option name 'vpnfirewall'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'nordvpntun'
        option input 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option dest 'wan'
        option src 'vpnfirewall'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
       iptables -I forwarding_rule -j REJECT
fi# Generated by iptables-save v1.8.3 on Fri Jun 12 16:44:57 2020
*nat
:PREROUTING ACCEPT [72574:13924936]
:INPUT ACCEPT [334:36002]
:OUTPUT ACCEPT [17811:1130142]
:POSTROUTING ACCEPT [343:24542]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpnfirewall_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpnfirewall_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpnfirewall_postrouting - [0:0]
:zone_vpnfirewall_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[72574:13924936] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[10199:1484493] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[62375:12440443] -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpnfirewall_prerouting
[17828:1130822] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[2:376] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[17485:1106280] -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpnfirewall_postrouting
[2:376] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[10199:1484493] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_vpnfirewall_postrouting -m comment --comment "!fw3: Custom vpnfirewall postrouting rule chain" -j postrouting_vpnfirewall_rule
[0:0] -A zone_vpnfirewall_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_vpnfirewall_prerouting -m comment --comment "!fw3: Custom vpnfirewall prerouting rule chain" -j prerouting_vpnfirewall_rule
[17485:1106280] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[17485:1106280] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[62375:12440443] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Fri Jun 12 16:44:57 2020
# Generated by iptables-save v1.8.3 on Fri Jun 12 16:44:57 2020
*mangle
:PREROUTING ACCEPT [296453:89450371]
:INPUT ACCEPT [225277:75715294]
:FORWARD ACCEPT [5110:637903]
:OUTPUT ACCEPT [212423:37133184]
:POSTROUTING ACCEPT [212419:37132976]
[4729:248100] -A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone vpnfirewall MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri Jun 12 16:44:57 2020
# Generated by iptables-save v1.8.3 on Fri Jun 12 16:44:57 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpnfirewall_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpnfirewall_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpnfirewall_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpnfirewall_dest_ACCEPT - [0:0]
:zone_vpnfirewall_dest_REJECT - [0:0]
:zone_vpnfirewall_forward - [0:0]
:zone_vpnfirewall_input - [0:0]
:zone_vpnfirewall_output - [0:0]
:zone_vpnfirewall_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[6812:640008] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[218468:75075566] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[214136:74572313] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[88:3556] -A INPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
[2460:319530] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[1784:180167] -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpnfirewall_input
[5110:637903] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpnfirewall_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[6812:640008] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[205616:36494656] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[185856:35230155] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[4:208] -A OUTPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
[4:1032] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[19752:1263261] -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpnfirewall_output
[16204:1508224] -A forwarding_rule -j REJECT --reject-with icmp-port-unreachable
[17:1397] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[1047:152460] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[4:1032] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[2460:319530] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[2460:319530] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[4:1032] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[4:1032] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[2460:319530] -A zone_lan_src_ACCEPT -i br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpnfirewall_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_vpnfirewall_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpnfirewall_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_vpnfirewall_forward -m comment --comment "!fw3: Custom vpnfirewall forwarding rule chain" -j forwarding_vpnfirewall_rule
[0:0] -A zone_vpnfirewall_forward -m comment --comment "!fw3: Zone vpnfirewall to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_vpnfirewall_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_vpnfirewall_forward -m comment --comment "!fw3" -j zone_vpnfirewall_dest_REJECT
[0:0] -A zone_vpnfirewall_input -m comment --comment "!fw3: Custom vpnfirewall input rule chain" -j input_vpnfirewall_rule
[0:0] -A zone_vpnfirewall_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_vpnfirewall_input -m comment --comment "!fw3" -j zone_vpnfirewall_src_ACCEPT
[0:0] -A zone_vpnfirewall_output -m comment --comment "!fw3: Custom vpnfirewall output rule chain" -j output_vpnfirewall_rule
[0:0] -A zone_vpnfirewall_output -m comment --comment "!fw3" -j zone_vpnfirewall_dest_ACCEPT
[0:0] -A zone_vpnfirewall_src_ACCEPT -i tun0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[19752:1263261] -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[1784:180167] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[19:6682] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[701:19628] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[1064:153857] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[19752:1263261] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[19752:1263261] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[1064:153857] -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri Jun 12 16:44:57 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.2.90/24 brd 192.168.2.255 scope global eth1
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
default via 192.168.2.1 dev eth1 proto static src 192.168.2.90
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.90
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
broadcast 192.168.2.0 dev eth1 table local proto kernel scope link src 192.168.2.90
local 192.168.2.90 dev eth1 table local proto kernel scope host src 192.168.2.90
broadcast 192.168.2.255 dev eth1 table local proto kernel scope link src 192.168.2.90
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
lrwxrwxrwx    1 root     root            16 May 16 18:32 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Jun 11 16:44 /tmp/resolv.conf
-rw-r--r--    1 root     root           132 Jun 11 15:48 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface lan
nameserver 103.86.96.100
nameserver 103.86.99.100
# Interface wan
nameserver 103.86.96.100
nameserver 103.86.99.100
root@OpenWrt:~#

fwiw, you may wish to review the " Alternative guide for OpenVPN client with LuCI" pdf quoted in bottom of the owrt wiki page. I know openvpn client works with my EA6350 v3 secondary router to my main router. Clear all openwrt settings and start from beginning to configure openvpn and for NordVPN. (ie. LuCI -> System -> Backup/Flash Firmware -> Perform Reset)

https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci

DNS is not needed under lan interface. You already have them in wan, where they should be, because they are reachable from wan.

Which one is the correct?

This is wrong. There is no reason to allow forwarding from vpn to wan.

Thank you, trendy. I corrected the things I did wrong and the problem persisted, so I started backtracking through the instructions on the nordvpn site ( https://support.nordvpn.com/Connectivity/Router/1047411192/OpenWRT-CI-setup-with-NordVPN.htm ) and came to this optional step that I had added to the firewall.user file:
(Optional) To prevent traffic leakage in case VPN-tunnel drops you can the file /etc/firewall.user with the following content:

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
 
if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
       iptables -I forwarding_rule -j REJECT
fi

After I commented out the code and rebooted the router, it was working. Thanks for your help, much appreciated.

Thanks. I did run across that alternative guide at one point. When I get some time, I plan on taking your suggestion and take everything back to defaults and try that alternative guide. I have a lot to learn.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.