Need help with (policy based) routing

I don't see any other 10.x.x.x IP for the Mullvad interface. Just mine, and the peer endpoint.

ifup Mullvad; sleep 10; wg show Mullvad; ip route get 1 from 192.168.1.1

Hit my post limit for the day, had to wait 2 hours

root@OpenWrt:~# ifup Mullvad; sleep 10; wg show Mullvad
interface: Mullvad
  public key: hRNcvSEkcscOgAYbDPevPyfDZDLLd10+LypmNXWv028=
  private key: (hidden)
  listening port: 42710

peer: j2Bac2450sZJyeeBTo8YQkdIFiPwwx8PSPxqkXSDN34=
  endpoint: 66.115.180.236:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 5 seconds ago
  transfer: 92 B received, 7.15 KiB sent
  persistent keepalive: every 25 seconds

Try to ping something on the internet by IP and domain name from a LAN client when the Mullvad VPN connection is established.

Ping from OpenWrt:

root@OpenWrt:~# ping google.com
PING google.com (108.177.122.138): 56 data bytes
64 bytes from 108.177.122.138: seq=0 ttl=108 time=33.760 ms
64 bytes from 108.177.122.138: seq=1 ttl=108 time=33.333 ms
64 bytes from 108.177.122.138: seq=2 ttl=108 time=33.618 ms
64 bytes from 108.177.122.138: seq=3 ttl=108 time=32.832 ms
^C
--- google.com ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 32.832/33.385/33.760 ms
root@OpenWrt:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=119 time=19.279 ms
64 bytes from 8.8.8.8: seq=1 ttl=119 time=20.470 ms
64 bytes from 8.8.8.8: seq=2 ttl=119 time=19.774 ms
64 bytes from 8.8.8.8: seq=3 ttl=119 time=20.168 ms
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 19.279/19.922/20.470 ms

Ping from laptop:

Microsoft Windows [Version 10.0.18363.1139]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Users\Casey>ping google.com

Pinging google.com [108.177.122.100] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 108.177.122.100:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

C:\Users\Casey>ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

Check traceroute from the laptop.

Stops at the router

Tracing route to google.com [108.177.122.113]
over a maximum of 30 hops:

  1     2 ms     1 ms     2 ms  OpenWrt.lan [192.168.1.1]
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *     ^C
C:\Users\Casey>tracert 8.8.8.8

Tracing route to dns.google [8.8.8.8]
over a maximum of 30 hops:

  1     2 ms     2 ms     2 ms  OpenWrt.lan [192.168.1.1]
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.

With the Mullvad tunnel up please run these and post here the output:
iptables-save -c; ip -4 addr; ip -4 ro li tab all; ip -4 ru

root@OpenWrt:~#  iptables-save -c; ip -4 addr; ip -4 ro li tab all; ip -4 ru
# Generated by iptables-save v1.6.2 on Wed Nov 11 12:48:43 2020
*nat
:PREROUTING ACCEPT [37:1603]
:INPUT ACCEPT [5:272]
:OUTPUT ACCEPT [4:224]
:POSTROUTING ACCEPT [0:0]
:postrouting_Mullvad_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:postrouting_wgserver_rule - [0:0]
:prerouting_Mullvad_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:prerouting_wgserver_rule - [0:0]
:zone_Mullvad_postrouting - [0:0]
:zone_Mullvad_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
:zone_wgserver_postrouting - [0:0]
:zone_wgserver_prerouting - [0:0]
[37:1603] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[37:1603] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i Mullvad -m comment --comment "!fw3" -j zone_Mullvad_prerouting
[0:0] -A PREROUTING -i wgserver -m comment --comment "!fw3" -j zone_wgserver_prerouting
[36:1555] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[4:224] -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
[32:1331] -A POSTROUTING -o Mullvad -m comment --comment "!fw3" -j zone_Mullvad_postrouting
[0:0] -A POSTROUTING -o wgserver -m comment --comment "!fw3" -j zone_wgserver_postrouting
[32:1331] -A zone_Mullvad_postrouting -m comment --comment "!fw3: Custom Mullvad postrouting rule chain" -j postrouting_Mullvad_rule
[32:1331] -A zone_Mullvad_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_Mullvad_prerouting -m comment --comment "!fw3: Custom Mullvad prerouting rule chain" -j prerouting_Mullvad_rule
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[37:1603] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[4:224] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[4:224] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wgserver_postrouting -m comment --comment "!fw3: Custom wgserver postrouting rule chain" -j postrouting_wgserver_rule
[0:0] -A zone_wgserver_prerouting -m comment --comment "!fw3: Custom wgserver prerouting rule chain" -j prerouting_wgserver_rule
COMMIT
# Completed on Wed Nov 11 12:48:43 2020
# Generated by iptables-save v1.6.2 on Wed Nov 11 12:48:43 2020
*mangle
:PREROUTING ACCEPT [230:21476]
:INPUT ACCEPT [159:18501]
:FORWARD ACCEPT [39:1655]
:OUTPUT ACCEPT [160:44147]
:POSTROUTING ACCEPT [198:45762]
:VPR_PREROUTING - [0:0]
[230:21476] -A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
[0:0] -A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o Mullvad -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone Mullvad MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[161:14488] -A VPR_PREROUTING -s 192.168.1.0/24 -m comment --comment wgserver -j MARK --set-xmark 0x20000/0xff0000
COMMIT
# Completed on Wed Nov 11 12:48:43 2020
# Generated by iptables-save v1.6.2 on Wed Nov 11 12:48:43 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_Mullvad_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:forwarding_wgserver_rule - [0:0]
:input_Mullvad_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:input_wgserver_rule - [0:0]
:output_Mullvad_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:output_wgserver_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_Mullvad_dest_ACCEPT - [0:0]
:zone_Mullvad_dest_REJECT - [0:0]
:zone_Mullvad_forward - [0:0]
:zone_Mullvad_input - [0:0]
:zone_Mullvad_output - [0:0]
:zone_Mullvad_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
:zone_wgserver_dest_ACCEPT - [0:0]
:zone_wgserver_dest_REJECT - [0:0]
:zone_wgserver_forward - [0:0]
:zone_wgserver_input - [0:0]
:zone_wgserver_output - [0:0]
:zone_wgserver_src_ACCEPT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[162:18701] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[156:18373] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[2:104] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[0:0] -A INPUT -p udp -m udp --dport 61820 -m comment --comment "!fw3: wgserver" -j ACCEPT
[6:328] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i Mullvad -m comment --comment "!fw3" -j zone_Mullvad_input
[0:0] -A INPUT -i wgserver -m comment --comment "!fw3" -j zone_wgserver_input
[41:1775] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[8:404] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[33:1371] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i Mullvad -m comment --comment "!fw3" -j zone_Mullvad_forward
[0:0] -A FORWARD -i wgserver -m comment --comment "!fw3" -j zone_wgserver_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[165:44975] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[160:44695] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[5:280] -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o Mullvad -m comment --comment "!fw3" -j zone_Mullvad_output
[0:0] -A OUTPUT -o wgserver -m comment --comment "!fw3" -j zone_wgserver_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[2:104] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[1:40] -A zone_Mullvad_dest_ACCEPT -o Mullvad -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[32:1331] -A zone_Mullvad_dest_ACCEPT -o Mullvad -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_Mullvad_dest_REJECT -o Mullvad -m comment --comment "!fw3" -j reject
[0:0] -A zone_Mullvad_forward -m comment --comment "!fw3: Custom Mullvad forwarding rule chain" -j forwarding_Mullvad_rule
[0:0] -A zone_Mullvad_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_Mullvad_forward -m comment --comment "!fw3" -j zone_Mullvad_dest_REJECT
[0:0] -A zone_Mullvad_input -m comment --comment "!fw3: Custom Mullvad input rule chain" -j input_Mullvad_rule
[0:0] -A zone_Mullvad_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_Mullvad_input -m comment --comment "!fw3" -j zone_Mullvad_src_REJECT
[0:0] -A zone_Mullvad_output -m comment --comment "!fw3: Custom Mullvad output rule chain" -j output_Mullvad_rule
[0:0] -A zone_Mullvad_output -m comment --comment "!fw3" -j zone_Mullvad_dest_ACCEPT
[0:0] -A zone_Mullvad_src_REJECT -i Mullvad -m comment --comment "!fw3" -j reject
[0:0] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[33:1371] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[33:1371] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to Mullvad forwarding policy" -j zone_Mullvad_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[6:328] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[6:328] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[6:328] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[5:280] -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[5:280] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[5:280] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wgserver_dest_ACCEPT -o wgserver -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wgserver_dest_REJECT -o wgserver -m comment --comment "!fw3" -j reject
[0:0] -A zone_wgserver_forward -m comment --comment "!fw3: Custom wgserver forwarding rule chain" -j forwarding_wgserver_rule
[0:0] -A zone_wgserver_forward -m comment --comment "!fw3: Zone wgserver to Mullvad forwarding policy" -j zone_Mullvad_dest_ACCEPT
[0:0] -A zone_wgserver_forward -m comment --comment "!fw3: Zone wgserver to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wgserver_forward -m comment --comment "!fw3: Zone wgserver to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wgserver_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wgserver_forward -m comment --comment "!fw3" -j zone_wgserver_dest_REJECT
[0:0] -A zone_wgserver_input -m comment --comment "!fw3: Custom wgserver input rule chain" -j input_wgserver_rule
[0:0] -A zone_wgserver_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wgserver_input -m comment --comment "!fw3" -j zone_wgserver_src_ACCEPT
[0:0] -A zone_wgserver_output -m comment --comment "!fw3: Custom wgserver output rule chain" -j output_wgserver_rule
[0:0] -A zone_wgserver_output -m comment --comment "!fw3" -j zone_wgserver_dest_ACCEPT
[0:0] -A zone_wgserver_src_ACCEPT -i wgserver -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
# Completed on Wed Nov 11 12:48:43 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 'WAN IP'/26 brd 'WAN Broadcast' scope global eth1
       valid_lft forever preferred_lft forever
30: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
32: wgserver: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.6.0.1/24 brd 10.6.0.255 scope global wgserver
       valid_lft forever preferred_lft forever
46: Mullvad: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.70.43.89/32 brd 255.255.255.255 scope global Mullvad
       valid_lft forever preferred_lft forever
default via 'WAN Gateway' dev eth1 table wan
10.6.0.0/24 dev wgserver table wan proto kernel scope link src 10.6.0.1
default via 10.70.43.89 dev Mullvad table Mullvad
10.6.0.0/24 dev wgserver table Mullvad proto kernel scope link src 10.6.0.1
default via 'WAN Gateway' dev eth1 proto static src 'WAN IP'
10.6.0.0/24 dev wgserver proto kernel scope link src 10.6.0.1
66.115.180.236 via 'WAN Gateway' dev eth1 proto static
'WAN Gateway'/26 dev eth1 proto kernel scope link src 'WAN IP'
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
broadcast 10.6.0.0 dev wgserver table local proto kernel scope link src 10.6.0.1
local 10.6.0.1 dev wgserver table local proto kernel scope host src 10.6.0.1
broadcast 10.6.0.255 dev wgserver table local proto kernel scope link src 10.6.0.1
local 10.70.43.89 dev Mullvad table local proto kernel scope host src 10.70.43.89
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 'WAN Gateway' dev eth1 table local proto kernel scope link src 'WAN IP'
local 'WAN IP' dev eth1 table local proto kernel scope host src 'WAN IP'
broadcast 'WAN Broadcast' dev eth1 table local proto kernel scope link src 'WAN IP'
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
0:      from all lookup local
32764:  from all fwmark 0x20000/0xff0000 lookup Mullvad
32765:  from all fwmark 0x10000/0xff0000 lookup wan
32766:  from all lookup main
32767:  from all lookup default

In the VPN-PBR configuration add the option supported interface Mullvad and option append_src_rules '! -d 10.6.0.0/24', as described in the manual.
If it's still not working, post the output of service vpn-policy-routing support, and of service vpn-policy-routing support again after you change verbosity to 2.

An interesting observation: my LAN has all internet access cut if the Mullvad interface is up, but if I use my phone to connect to the server I have internet on my phone with my WAN's IP.

root@OpenWrt:~# service vpn-policy-routing support
vpn-policy-routing 0.2.2-2 running on OpenWrt 18.06.4. WAN (IPv4): wan/eth1/'WAN Gateway'.
============================================================
Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         'WAN Gateway'   0.0.0.0         UG    0      0        0 eth1

IPv4 Table 201: default via 'WAN Gateway' dev eth1
10.6.0.0/24 dev wgserver proto kernel scope link src 10.6.0.1
IPv4 Table 201 Rules:

IPv4 Table 202: default via 10.70.43.89 dev Mullvad
10.6.0.0/24 dev wgserver proto kernel scope link src 10.6.0.1
IPv4 Table 202 Rules:
============================================================
Mangle IP Table: PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 192.168.1.0/24 ! -d 10.6.0.0/24 -m comment --comment wgserver -c 67 5603 -j MARK --set-xmark 0x20000/0xff0000
============================================================
NAT IP Table: PREROUTING
iptables: No chain/target/match by that name.
============================================================
Current ipsets
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]


root@OpenWrt:~# service vpn-policy-routing support
vpn-policy-routing 0.2.2-2 running on OpenWrt 18.06.4. WAN (IPv4): wan/eth1/'WAN Gateway'.
============================================================
Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         'WAN Gateway'   0.0.0.0         UG    0      0        0 eth1

IPv4 Table 201: default via 'WAN Gateway' dev eth1
10.6.0.0/24 dev wgserver proto kernel scope link src 10.6.0.1
IPv4 Table 201 Rules:

IPv4 Table 202: default via 10.70.43.89 dev Mullvad
10.6.0.0/24 dev wgserver proto kernel scope link src 10.6.0.1
IPv4 Table 202 Rules:
============================================================
Mangle IP Table: PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 192.168.1.0/24 ! -d 10.6.0.0/24 -m comment --comment wgserver -c 321 35690 -j MARK --set-xmark 0x20000/0xff0000
============================================================
NAT IP Table: PREROUTING
iptables: No chain/target/match by that name.
============================================================
Current ipsets
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]

Sorry, I made a typo in my previous post: with verbosity set to 2 the command to run is /etc/init.d/vpn-policy-routing reload

Same results as my previous comment. LAN can't get out, phone can connect to server as well as get out to the internet.

root@OpenWrt:~# /etc/init.d/vpn-policy-routing reload
Creating table 'wan/eth1/'WAN Gateway'' [✓]
Creating table 'Mullvad/0.0.0.0' [✓]
Routing 'wgserver' via Mullvad [✓]
vpn-policy-routing 0.2.2-2 started with gateways:
wan/eth1/'WAN Gateway' [✓]
Mullvad/0.0.0.0
vpn-policy-routing 0.2.2-2 monitoring interfaces: wan Mullvad

It's weird, I don't see any issue. The firewall accepts the forward and there are hits, and there is masquerade in place. Let's see the packets sent. Install tcpdump (opkg update; opkg install tcpdump) if you don't have it already. Then run tcpdump -i Mullvad -vn and try to ping/traceroute/open a webpage from a LAN host. Then post the output here.


I only ran it for a few seconds, I can do it again if you would like more data. My laptop was pinging 1.1.1.1 (Cloudflare)

root@OpenWrt:~# tcpdump -i Mullvad -vn
tcpdump: listening on Mullvad, link-type RAW (Raw IP), capture size 262144 bytes
15:59:58.659075 IP (tos 0x0, ttl 127, id 28161, offset 0, flags [none], proto TCP (6), length 71)
    10.70.43.89.2499 > 104.26.11.153.443: Flags [P.], cksum 0xdabd (correct), seq 3088416420:3088416451, ack 715048735, win 509, length 31
15:59:58.698374 IP (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    104.26.11.153.443 > 10.70.43.89.2499: Flags [R], cksum 0x0953 (correct), seq 715048735, win 0, length 0
16:00:00.890099 IP (tos 0x0, ttl 127, id 28162, offset 0, flags [none], proto TCP (6), length 71)
    10.70.43.89.2499 > 104.26.11.153.443: Flags [P.], cksum 0xdabd (correct), seq 0:31, ack 1, win 509, length 31
16:00:00.929886 IP (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    104.26.11.153.443 > 10.70.43.89.2499: Flags [R], cksum 0x0953 (correct), seq 715048735, win 0, length 0
16:00:00.967760 IP (tos 0x0, ttl 63, id 40748, offset 0, flags [DF], proto TCP (6), length 86)
    10.70.43.89.49406 > 52.94.242.249.443: Flags [P.], cksum 0x0cf1 (correct), seq 1624375843:1624375889, ack 3839654760, win 1643, length 46
16:00:01.021417 IP (tos 0x0, ttl 234, id 53377, offset 0, flags [DF], proto TCP (6), length 40)
    52.94.242.249.443 > 10.70.43.89.49406: Flags [R], cksum 0x0fe2 (correct), seq 3839654760, win 8201, length 0
16:00:01.897134 IP (tos 0x0, ttl 127, id 23113, offset 0, flags [none], proto ICMP (1), length 60)
    10.70.43.89 > 1.1.1.1: ICMP echo request, id 1, seq 9098, length 40
16:00:01.936775 IP (tos 0x0, ttl 60, id 64281, offset 0, flags [none], proto ICMP (1), length 60)
    1.1.1.1 > 10.70.43.89: ICMP echo reply, id 1, seq 9098, length 40
16:00:03.119894 IP (tos 0x0, ttl 127, id 28163, offset 0, flags [DF], proto TCP (6), length 71)
    10.70.43.89.2499 > 104.26.11.153.443: Flags [P.], cksum 0xdabd (correct), seq 0:31, ack 1, win 509, length 31
16:00:03.158928 IP (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    104.26.11.153.443 > 10.70.43.89.2499: Flags [R], cksum 0x0953 (correct), seq 715048735, win 0, length 0
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel
5 packets dropped by interface

Seems normal here. Packet was sent and reply was received.
Try it one more time, this time capture the lan interface:
tcpdump -i br-lan -evn host 1.1.1.1
@vgaetera this case looks familiar to me, I think you solved it in the past.

This appears to be the issue!

root@OpenWrt:~# tcpdump -i br-lan -evn host 1.1.1.1
tcpdump: listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
16:27:27.876434 c0:b8:83:2a:fd:d7 > 52:54:00:72:04:64, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 128, id 24690, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.1.125 > 1.1.1.1: ICMP echo request, id 1, seq 10675, length 40
16:27:32.886969 c0:b8:83:2a:fd:d7 > 52:54:00:72:04:64, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 128, id 24691, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.1.125 > 1.1.1.1: ICMP echo request, id 1, seq 10676, length 40
16:27:37.877078 c0:b8:83:2a:fd:d7 > 52:54:00:72:04:64, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 128, id 24692, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.1.125 > 1.1.1.1: ICMP echo request, id 1, seq 10677, length 40
16:27:42.875879 c0:b8:83:2a:fd:d7 > 52:54:00:72:04:64, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 128, id 24693, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.1.125 > 1.1.1.1: ICMP echo request, id 1, seq 10678, length 40
16:27:47.896901 c0:b8:83:2a:fd:d7 > 52:54:00:72:04:64, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 128, id 24694, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.1.125 > 1.1.1.1: ICMP echo request, id 1, seq 10679, length 40
^C
5 packets captured
5 packets received by filter
0 packets dropped by kernel

Try this way:

tcpdump -evn -i any icmp
root@OpenWrt:~# tcpdump -evn -i any icmp
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
16:38:41.890565  In c0:b8:83:2a:fd:d7 ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 128, id 25300, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.1.125 > 1.1.1.1: ICMP echo request, id 1, seq 11285, length 40
16:38:41.890565  In c0:b8:83:2a:fd:d7 ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 128, id 25300, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.1.125 > 1.1.1.1: ICMP echo request, id 1, seq 11285, length 40
16:38:41.890770 Out ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 127, id 25300, offset 0, flags [none], proto ICMP (1), length 60)
    10.70.43.89 > 1.1.1.1: ICMP echo request, id 1, seq 11285, length 40
16:38:41.930295  In ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 60, id 37357, offset 0, flags [none], proto ICMP (1), length 60)
    1.1.1.1 > 10.70.43.89: ICMP echo reply, id 1, seq 11285, length 40
16:38:46.890839  In c0:b8:83:2a:fd:d7 ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 128, id 25301, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.1.125 > 1.1.1.1: ICMP echo request, id 1, seq 11286, length 40
16:38:46.890839  In c0:b8:83:2a:fd:d7 ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 128, id 25301, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.1.125 > 1.1.1.1: ICMP echo request, id 1, seq 11286, length 40
16:38:46.890998 Out ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 127, id 25301, offset 0, flags [none], proto ICMP (1), length 60)
    10.70.43.89 > 1.1.1.1: ICMP echo request, id 1, seq 11286, length 40
16:38:46.932024  In ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 60, id 24026, offset 0, flags [none], proto ICMP (1), length 60)
    1.1.1.1 > 10.70.43.89: ICMP echo reply, id 1, seq 11286, length 40
16:38:47.180572 Out 52:54:00:b0:22:1b ethertype IPv4 (0x0800), length 342: (tos 0xc8, ttl 64, id 50946, offset 0, flags [none], proto ICMP (1), length 326)
    'WAN IP' > 24.238.0.61: ICMP 'WAN IP' udp port 43400 unreachable, length 306
        (tos 0x28, ttl 51, id 42195, offset 0, flags [none], proto UDP (17), length 298)
    24.238.0.61.53 > 'WAN IP'.43400: 48476 1/6/6 api.amazon.com. A 52.119.196.31 (270)
16:38:47.276916 Out 52:54:00:b0:22:1b ethertype IPv4 (0x0800), length 104: (tos 0xc8, ttl 64, id 20636, offset 0, flags [none], proto ICMP (1), length 88)
    'WAN IP' > 193.138.218.74: ICMP 'WAN IP' udp port 43400 unreachable, length 68
        (tos 0x28, ttl 47, id 53880, offset 0, flags [DF], proto UDP (17), length 60)
    193.138.218.74.53 > 'WAN IP'.43400: 48476| 0/0/0 (32)
16:38:51.880569  In c0:b8:83:2a:fd:d7 ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 128, id 25302, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.1.125 > 1.1.1.1: ICMP echo request, id 1, seq 11287, length 40
16:38:51.880569  In c0:b8:83:2a:fd:d7 ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 128, id 25302, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.1.125 > 1.1.1.1: ICMP echo request, id 1, seq 11287, length 40
16:38:51.880744 Out ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 127, id 25302, offset 0, flags [none], proto ICMP (1), length 60)
    10.70.43.89 > 1.1.1.1: ICMP echo request, id 1, seq 11287, length 40
16:38:51.919764  In ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 60, id 54812, offset 0, flags [none], proto ICMP (1), length 60)
    1.1.1.1 > 10.70.43.89: ICMP echo reply, id 1, seq 11287, length 40
^C
14 packets captured
14 packets received by filter
0 packets dropped by kernel
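As an added example (not part of the thread and not the vpn-policy-routing package's code), a small Python parser for the tcpdump -evn -i any icmp output above: it groups each LAN ping by ICMP id/seq into the four legs it should show on the router and reports the first leg that is missing. The sample captures are constructed from the lines posted above; the LAN subnet 192.168.1.0/24 is taken from the ip addr output, and the leg names are my own.

```python
"""Pair up the legs of a LAN ping in a 'tcpdump -evn -i any icmp' capture taken on the router.

A working LAN ping through the tunnel shows four legs on the 'any' pseudo-interface:
  lan_in      request from the LAN host arrives (In, source in the LAN subnet)
  tunnel_out  request leaves the VPN interface with the tunnel address (Out, after MASQUERADE)
  tunnel_in   reply arrives on the VPN interface for the tunnel address (In)
  lan_out     reply, translated back, is forwarded to the LAN host (Out, destination in LAN)
The capture in the thread stops at tunnel_in: the reply reaches the router but is never
forwarded back to 192.168.1.125. Bridge captures show each In packet twice (bridge plus
member port); collapsing legs into a set handles that.
"""
import ipaddress
import re
from collections import defaultdict

# Cooked-capture (LINUX_SLL) header line: timestamp, In/Out, optional source MAC.
HEADER = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<dir>In|Out)\s+"
    r"(?:(?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+)?ethertype IPv4"
)
# Indented continuation line carrying the ICMP echo details.
ICMP = re.compile(
    r"^\s+(?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)
LEG_ORDER = ("lan_in", "tunnel_out", "tunnel_in", "lan_out")
HINTS = {
    "tunnel_out": "request never left on the VPN interface (mark rule, table or FORWARD policy)",
    "tunnel_in": "request left the tunnel but no reply came back",
    "lan_out": "reply reached the router but was not forwarded back to the LAN host",
}

# Constructed sample modelled on the broken capture posted in the thread (seq 11285).
SAMPLE_BROKEN = """\
16:38:41.890565  In c0:b8:83:2a:fd:d7 ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 128, id 25300, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.1.125 > 1.1.1.1: ICMP echo request, id 1, seq 11285, length 40
16:38:41.890565  In c0:b8:83:2a:fd:d7 ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 128, id 25300, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.1.125 > 1.1.1.1: ICMP echo request, id 1, seq 11285, length 40
16:38:41.890770 Out ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 127, id 25300, offset 0, flags [none], proto ICMP (1), length 60)
    10.70.43.89 > 1.1.1.1: ICMP echo request, id 1, seq 11285, length 40
16:38:41.930295  In ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 60, id 37357, offset 0, flags [none], proto ICMP (1), length 60)
    1.1.1.1 > 10.70.43.89: ICMP echo reply, id 1, seq 11285, length 40
"""
# Constructed healthy capture: the same ping with the reply forwarded back to the LAN host.
SAMPLE_OK = SAMPLE_BROKEN.replace("11285", "11300") + """\
16:38:41.930400 Out 52:54:00:72:04:64 ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 59, id 37357, offset 0, flags [none], proto ICMP (1), length 60)
    1.1.1.1 > 192.168.1.125: ICMP echo reply, id 1, seq 11300, length 40
"""


def parse_icmp_echo(text):
    """Return one dict per ICMP echo packet with ts, dir, mac, src, dst, kind, id, seq."""
    packets, header = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            header = m.groupdict()
            continue
        m = ICMP.match(line)
        if m and header:
            pkt = dict(header, **m.groupdict())
            pkt["id"], pkt["seq"] = int(pkt["id"]), int(pkt["seq"])
            packets.append(pkt)
            header = None
    return packets


def classify_leg(pkt, lan_net):
    """Name the leg a packet belongs to, or None if it is not part of a LAN ping."""
    src_lan = ipaddress.ip_address(pkt["src"]) in lan_net
    dst_lan = ipaddress.ip_address(pkt["dst"]) in lan_net
    if pkt["kind"] == "request":
        if pkt["dir"] == "In" and src_lan:
            return "lan_in"
        if pkt["dir"] == "Out" and not src_lan:
            return "tunnel_out"  # source already rewritten by MASQUERADE
    else:
        if pkt["dir"] == "In" and not dst_lan:
            return "tunnel_in"
        if pkt["dir"] == "Out" and dst_lan:
            return "lan_out"  # destination translated back to the LAN host
    return None


def trace_flows(text, lan_cidr="192.168.1.0/24"):
    """Map (icmp id, seq) -> set of legs seen; duplicate bridge copies collapse."""
    lan_net = ipaddress.ip_network(lan_cidr)
    flows = defaultdict(set)
    for pkt in parse_icmp_echo(text):
        leg = classify_leg(pkt, lan_net)
        if leg:
            flows[(pkt["id"], pkt["seq"])].add(leg)
    return dict(flows)


def diagnose(flows):
    """Map each flow to 'ok' or 'stops before <first missing leg>'."""
    verdicts = {}
    for key, legs in flows.items():
        missing = [leg for leg in LEG_ORDER if leg not in legs]
        verdicts[key] = "ok" if not missing else "stops before " + missing[0]
    return verdicts


if __name__ == "__main__":
    for name, sample in (("broken", SAMPLE_BROKEN), ("ok", SAMPLE_OK)):
        for (icmp_id, seq), verdict in diagnose(trace_flows(sample)).items():
            hint = HINTS.get(verdict.replace("stops before ", ""), "")
            print(f"{name}: id={icmp_id} seq={seq}: {verdict} {hint}")
```

Run it against a real capture with trace_flows(open("capture.txt").read()); a flow reported as "stops before lan_out" is the symptom in this thread, where the echo reply arrives on the tunnel but never appears on br-lan.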