Need help: No route with VPNC

Hi
I managed to get a connection to my brother's Fritzbox. I see the interface coming up and get an IP address assigned.

[screenshot]

But the connection also sets the default route to the VPN connection ... so I can access all systems in my brother's network, but I lost my route to the internet.
Also, when I disconnect the interface, the default route is not set back.

I found a patch in the current sources (I've installed 18.06.2) and after looking at it I added
option defaultroute '0'
to the interface in /etc/config/network

Now the default route stays on the wan interface, but I don't have a route to the 192.168.10/24 net on my brother's location. The vpnc interface does not show up in the route table.

I added 192.168.10.1/255.255.255.0 in the target network field in the configuration but that has no effect.

I added a static route via LuCI but that also had no effect.

Any help appreciated.

Should be 192.168.10.0/255.255.255.0

Other than that post the vpnc configuration as well as the following (while connected):
cat /etc/config/network; cat /etc/config/firewall; ip -4 addr ; ip -4 ro ; ip -4 ru; nslookup www.openwrt.org

Hi
thanks for answering
[screenshot]
[screenshot]

That's before connecting:

root@OpenWrt:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         77-XX-XX-1.dcli 0.0.0.0         UG    0      0        0 eth1.2
77.XX.XX.0      *               255.255.240.0   U     0      0        0 eth1.2
192.168.40.0    *               255.255.255.0   U     0      0        0 br-DMZ
192.168.41.0    *               255.255.255.0   U     0      0        0 br-lan
192.168.44.0    *               255.255.255.0   U     0      0        0 eth0.44

This is after connecting:

root@OpenWrt:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         77-XX-XX-1.dcli 0.0.0.0         UG    0      0        0 eth1.2
62.YY.YY.YYY    77-XX-XX-1.dcli 255.255.255.255 UGH   0      0        0 eth1.2
77.XX.XX.0      *               255.255.240.0   U     0      0        0 eth1.2
192.168.40.0    *               255.255.255.0   U     0      0        0 br-DMZ
192.168.41.0    *               255.255.255.0   U     0      0        0 br-lan
192.168.44.0    *               255.255.255.0   U     0      0        0 eth0.44

There is no 192.168.10.0 ...?

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd42::/48'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ifname 'eth0.1'
        option type 'bridge'
        option ip6assign '64'
        option ipaddr '192.168.41.1'
        option ip6hint '41'

config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix '60'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 1 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 2 5t'
        option vid '40'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option ports '3 5t'
        option vid '44'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option ports '5t'
        option vid '45'

config interface 'GAST'
        option proto 'static'
        option ipaddr '192.168.45.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option type 'bridge'
        option ip6hint '45'

config interface 'VOIP'
        option proto 'static'
        option ipaddr '192.168.44.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option ip6hint '44'
        option ifname 'eth0.44'

config interface 'DMZ'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.40.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option ip6hint '40'
        option ifname 'eth0.40'

config interface 'vpnc'
        option proto 'vpnc'
        option delegate '0'
        option server 'xxxxxxxxxxxxxxxxxx.myfritz.net'
        option interface 'wan'
        option dh_group 'dh2'
        option pfs 'nopfs'
        option password 'xxxxxxxxxxxxxxxxxx'
        option passgroup 'yyyyyyyyyyyyyyyyyy'
        option dpd_idle '0'
        option username 'FritzBox ZRH'
        option authgroup 'FritzBox ZRH'
        option defaultroute '0'
        option natt_mode 'natt'
        option target_network '192.168.10.0/255.255.255.0'

And ..

root@OpenWrt:~# cat /etc/config/firewall

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option proto 'esp'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option name 'Allow IPsec NAT'
        option dest_port '4500'
        option enabled '0'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option name 'Allow IPsec '
        option dest_port '10000'
        option enabled '0'

config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option name 'Allow DNS (pi-hole)'
        option src 'dmz'
        option src_mac 'XX:XX:XX:XX:XX:XX'
        option dest 'wan'
        option dest_port '53'

config rule
        option name 'Deny DNS (LAN)'
        option src 'lan'
        option dest 'wan'
        option dest_port '53'
        option target 'REJECT'

config rule
        option proto 'tcp udp'
        option name 'Deny DNS (DMZ)'
        option src 'dmz'
        option dest 'wan'
        option dest_port '53'
        option target 'REJECT'

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option drop_invalid '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'lan'
        option forward 'REJECT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config include
        option path '/etc/firewall.user'

config zone
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option name 'voip'
        option network 'VOIP'

config zone
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option name 'dmz'
        option network 'DMZ'

config zone
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option name 'gast'
        option network 'GAST'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'voip'
        option proto 'tcp udp'
        option src_dport '5160'
        option dest_ip '192.168.44.108'
        option dest_port '5160'
        option name 'sipgate'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'voip'
        option proto 'udp'
        option src_dport '5104-5120'
        option dest_ip '192.168.44.108'
        option dest_port '5104-5120'
        option name 'sipgate'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'dmz'
        option proto 'tcp'
        option src_dport '80'
        option dest_ip '192.168.40.62'
        option dest_port '80'
        option name 'nextcloud'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'dmz'
        option proto 'tcp'
        option src_dport '443'
        option dest_ip '192.168.40.62'
        option dest_port '443'
        option name 'nextcloud'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'dmz'
        option proto 'udp'
        option src_dport '1194'
        option dest_ip '192.168.40.62'
        option dest_port '1194'
        option name 'openvpn'

config zone
        option output 'ACCEPT'
        option name 'vpnc'
        option network 'vpnc'
        option family 'ipv4'
        option masq '1'
        option mtu_fix '1'
        option forward 'REJECT'
        option input 'REJECT'

config forwarding
        option dest 'dmz'
        option src 'lan'

config forwarding
        option dest 'gast'
        option src 'lan'

config forwarding
        option dest 'voip'
        option src 'lan'

config forwarding
        option dest 'vpnc'
        option src 'lan'

config rule
        option proto 'udp'
        option dest_port '3544'
        option name 'Teredo-Filter'
        option family 'ipv4'
        option src '*'
        option dest 'wan'
        option target 'REJECT'

config rule
        option proto 'tcp udp'
        option dest_port '139 445'
        option name 'NetBIOS-Filter'
        option target 'REJECT'
        option src '*'
        option dest 'wan'

config forwarding
        option dest 'wan'
        option src 'gast'

config forwarding
        option dest 'wan'
        option src 'lan'

config forwarding
        option dest 'wan'
        option src 'voip'

config forwarding
        option dest 'wan'
        option src 'dmz'


config redirect
        option enabled '1'
        option target 'DNAT'
        option src 'vpnc'
        option dest 'vpnc'
        option proto 'tcp udp'


And

root@OpenWrt:~# ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
8: br-DMZ: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.40.1/24 brd 192.168.40.255 scope global br-DMZ
       valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.41.1/24 brd 192.168.41.255 scope global br-lan
       valid_lft forever preferred_lft forever
12: eth0.44@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.44.1/24 brd 192.168.44.255 scope global eth0.44
       valid_lft forever preferred_lft forever
13: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 77.XX.XX.XX1/20 brd 77.XX.XX.255 scope global eth1.2
       valid_lft forever preferred_lft forever
17: vpn-vpnc: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    inet 192.168.10.202/32 brd 255.255.255.255 scope global vpn-vpnc
       valid_lft forever preferred_lft forever

root@OpenWrt:~# ip -4 ro
default via 77.XX.XX.1 dev eth1.2 proto static src 77.XX.XX.XXX
62.YY.YY.YYY via 77.XX.XX.1 dev eth1.2 proto static
77.56.48.0/20 dev eth1.2 proto kernel scope link src 77.56.54.101
192.168.40.0/24 dev br-DMZ proto kernel scope link src 192.168.40.1
192.168.41.0/24 dev br-lan proto kernel scope link src 192.168.41.1
192.168.44.0/24 dev eth0.44 proto kernel scope link src 192.168.44.1

root@OpenWrt:~# ip -4 ru
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

root@OpenWrt:~# nslookup www.openwrt.org
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:      www.openwrt.org
www.openwrt.org canonical name = wiki-01.infra.openwrt.org
Name:      wiki-01.infra.openwrt.org
Address 1: 139.59.209.225
www.openwrt.org canonical name = wiki-01.infra.openwrt.org
Address 2: 2a03:b0c0:3:d0::1af1:1

So, that's it ...
thanks in advance

Is your brother's fritzbox also advertising back to your router the 192.168.10.0/24 or the 0/0?
Anything in the logs?
Other than that try to be as compatible as possible with the template config.

On my brother's side the endpoint is a single IP as shown in the first picture, with an IP in the local network (192.168.10.202). It is doing NAT on my side.
This works ok ... the problem seems to be that the correct routes are not set on my side, and that when the connection goes down the routes are not cleaned up. :frowning:
Googling brings up that this is a common problem, and the suggestion is a manual cleanup of the routes (way too complicated I think).

I thought I am absolutely following the template.

This is the IP assigned to you from the server. The problem is that it is a /32 so you cannot use it for something. Normally the server side must advertise to the client the available networks. Check if that applies.

Which command do you use to setup the routes?
Routes bound to an interface that goes down will automatically be deleted, so the clean up is not an issue.

I see some options missing. If you don't use them they will use default option, which might not be ideal.
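The reply above asks which command sets up the routes and points out that the /32 handed out by the FRITZ!Box gives you nothing to route through on its own. The script below is an added example (not from this thread or from the vpnc package) that turns that advice into a repeatable check: it takes the output of `ip -4 route`, tells you whether the remote LAN (192.168.10.0/24) is reachable via the tunnel device and whether the default route is still on the WAN device, and prints the `ip route add` line needed when the tunnel route is missing. The interface names (`vpn-vpnc`, `eth1.2`) and the remote prefix are taken from the output posted above; the routing table embedded in the script is a constructed copy of that output, so it runs offline. On the router, replace `ROUTES` with `$(ip -4 route)`.

```shell
#!/bin/sh
# Added example, not part of the original thread. Checks a routing table (as
# printed by `ip -4 route`) for the two things a split-tunnel vpnc setup needs:
#   1. a route to the remote LAN via the tunnel device
#   2. the default route still on the WAN device
# and prints the `ip route add` command that would fix a missing tunnel route.

# Constructed sample: the `ip -4 ro` output posted earlier in this thread.
# There is a /32 host route to the VPN server, but no route to 192.168.10.0/24.
ROUTES='default via 77.XX.XX.1 dev eth1.2 proto static src 77.XX.XX.XXX
62.YY.YY.YYY via 77.XX.XX.1 dev eth1.2 proto static
77.56.48.0/20 dev eth1.2 proto kernel scope link src 77.56.54.101
192.168.40.0/24 dev br-DMZ proto kernel scope link src 192.168.40.1
192.168.41.0/24 dev br-lan proto kernel scope link src 192.168.41.1
192.168.44.0/24 dev eth0.44 proto kernel scope link src 192.168.44.1'

# has_route TABLE PREFIX DEV -> exit 0 if TABLE contains a route for PREFIX via DEV
has_route() {
    printf '%s\n' "$1" | awk -v p="$2" -v d="$3" '
        $1 == p { for (i = 2; i < NF; i++) if ($i == "dev" && $(i + 1) == d) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# default_dev TABLE -> prints the device of the default route (empty if none)
default_dev() {
    printf '%s\n' "$1" | awk '
        $1 == "default" { for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# fix_cmd TABLE PREFIX DEV -> prints the `ip route add` needed, nothing if the route exists
fix_cmd() {
    if has_route "$1" "$2" "$3"; then
        return 0
    fi
    # Binding the route to the tunnel device means the kernel drops it again
    # when the device goes away, so no manual cleanup is needed on disconnect.
    printf 'ip route add %s dev %s\n' "$2" "$3"
}

# check_tunnel TABLE REMOTE_PREFIX TUN_DEV WAN_DEV -> exit 0 if both conditions hold
check_tunnel() {
    rc=0
    if has_route "$1" "$2" "$3"; then
        echo "ok: $2 via $3"
    else
        echo "missing: $2 via $3 -> $(fix_cmd "$1" "$2" "$3")"
        rc=1
    fi
    dd=$(default_dev "$1")
    if [ "$dd" = "$4" ]; then
        echo "ok: default route on $4"
    else
        echo "wrong: default route on '${dd:-none}', expected $4"
        rc=1
    fi
    return $rc
}

if check_tunnel "$ROUTES" 192.168.10.0/24 vpn-vpnc eth1.2; then
    echo "tunnel routing looks right"
else
    echo "tunnel routing needs fixing (see above)"
fi
```

Against the posted table the script reports the tunnel route as missing and the default route as correctly on eth1.2, which is exactly the state described in the thread after adding `option defaultroute '0'`.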

Did you ever end up getting it to work?
I am using 19.07 on WDR4300 trying to establish a connection to a FB 6490.

I think the Fritzbox does not publish a target network so there is no route to the target network, just like ne20002 describes.
If I set the VPN connection to be the default gateway, IP addresses on the other end become pingable from the OpenWRT shell but not from clients, despite adding the vpn interface to the LAN zone.
There is very little information about the interconnectivity between OpenWRT and Fritzbox routers. I had followed this guide but like I said I run into the same problem as ne20002:
https://www.sebastianklein.de/blog/vpn-zwischen-lede-openwrt-und-fritzbox-via-luci/

The documentation of vpnc says to manually add a firewall rule to allow VPN traffic but I would have assumed that adding the VPN interface to LAN should be sufficient (https://github.com/openwrt/packages/blob/openwrt-18.06/net/vpnc/README)

Any tips would be welcome.

I am not sure how related my issue was to this problem, but since it also involves a FritzBox chances are my fix would help someone.

First I reverted to using the VPN as a Default Gateway (in the settings of the interface). This was not an issue for me because this router has no other purpose than that.
Once I did that, I was able to ping a device on the other side from OpenWRT's shell but not from a client connected to the OpenWRT router (Wifi or LAN).

The solution was adding a new zone for the VPN:
Network-Firewall: Add…
Name ‘tun0zone’
Input: reject
check Masquerading
check MSS clamping
Covered networks: check ‘tun0’
Click ‘Save and Apply’

Followed by adding that zone in the firewall Zone settings (/admin/network/firewall) to the lan => wan entry at zone => forwarding:

In zones ‘lan => wan’ click edit
At the bottom of the general settings in "Allow forward to destination zones", leave ‘wan’ checked, and also check ‘tun0zone’
Click ‘Save and Apply’

Source: https://forum.gl-inet.com/t/vpn-tunnel-to-fritzbox-via-ipsec-ikev1-with-mutual-psk-and-xauth/6337/3
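The LuCI steps above, as a uci script that can be run on the router or kept in a provisioning repo. This is an added example, not code from the thread, the linked post or the vpnc package. It uses the names from the config posted earlier in this thread (logical interface `vpnc`, zone `vpnc`, source zone `lan`) rather than `tun0zone`; change the two arguments at the bottom for a different setup. The firewall config posted above already contains an equivalent anonymous zone and forwarding, so on that router the script would add a second, named copy; it is meant for a fresh config. `UCI` can be overridden (for example `UCI=echo`) to print the commands instead of running them.

```shell
#!/bin/sh
# Added example, not part of the original thread: the firewall zone and the
# lan -> vpn forwarding from the LuCI steps above, expressed as uci commands.
# Set UCI=echo to dry-run (prints the uci commands instead of executing them).
UCI=${UCI:-uci}

# add_vpn_zone ZONE IFACE: a zone for the tunnel interface. Masquerading is
# required because the FRITZ!Box only knows the single /32 it assigned to the
# client; LAN clients must appear as that address. MSS clamping avoids
# blackholing large packets inside the tunnel. Input stays REJECT so the remote
# side cannot reach the router's own services over the tunnel.
add_vpn_zone() {
    zone=$1 iface=$2
    $UCI set "firewall.${zone}=zone"
    $UCI set "firewall.${zone}.name=${zone}"
    $UCI set "firewall.${zone}.network=${iface}"
    $UCI set "firewall.${zone}.input=REJECT"
    $UCI set "firewall.${zone}.output=ACCEPT"
    $UCI set "firewall.${zone}.forward=REJECT"
    $UCI set "firewall.${zone}.masq=1"
    $UCI set "firewall.${zone}.mtu_fix=1"
}

# allow_forward SRC DST: let clients in SRC reach DST. Only this direction is
# opened; nothing is forwarded from the tunnel back into the LAN.
allow_forward() {
    $UCI set "firewall.${1}_${2}=forwarding"
    $UCI set "firewall.${1}_${2}.src=$1"
    $UCI set "firewall.${1}_${2}.dest=$2"
}

# apply_vpn_firewall ZONE IFACE SRC: create the zone, open SRC -> ZONE, commit.
apply_vpn_firewall() {
    add_vpn_zone "$1" "$2"
    allow_forward "$3" "$1"
    $UCI commit firewall
    if [ "$UCI" = uci ]; then
        /etc/init.d/firewall reload
    fi
}

apply_vpn_firewall vpnc vpnc lan
```

With the zone in place, `ping` from a LAN client should work once the route to the remote LAN exists via the tunnel device; if the shell on the router can ping but clients cannot, it is almost always this forwarding/masquerade step that is missing, as the post above found.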

Did you ever end up getting it to work?

Yes and no. I got the encryption and the tunnel to work. But as the endpoint has been a FritzBox in Germany with an always changing IP address ... that didn't work and required a manual restart of the interface each day.

So I migrated all external VPN connections to wireguard and solved this issue with placing a Raspberry Pi in the remote network.