Need some help with OpenVPN

Hello all, I need some help with OpenVPN...

In this scenario, I have the connection established between my cell phone and the server; however, I cannot browse either the internal hosts of my network or the internet...

I also have WireGuard working perfectly, but since I have 2 clients that need to use OpenVPN, I need this configuration working.

Here are my configurations. I was unable to identify the problem on my own, so I am asking you for help.

Log and status

logread -e openvpn; netstat -l -n -p | grep -e openvpn

root@horus:~# logread -e openvpn; netstat -l -n -p | grep -e openvpn
Sat Jun 28 17:50:55 2025 user.notice openvpn: server.conf already started
Sat Jun 28 17:50:55 2025 daemon.notice openvpn(horus_openVPN_server)[906]: /usr/libexec/openvpn-hotplug down horus_openVPN_server tun0 1500 0 192.168.16.1 255.255.255.0 init
Sat Jun 28 17:50:55 2025 daemon.notice openvpn(horus_openVPN_server)[906]: SIGTERM[hard,] received, process exiting
Sat Jun 28 17:50:55 2025 daemon.notice openvpn(horus_openVPN_server)[3504]: Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Sat Jun 28 17:50:55 2025 daemon.notice openvpn(horus_openVPN_server)[3504]: OpenVPN 2.6.14 x86_64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Jun 28 17:50:55 2025 daemon.notice openvpn(horus_openVPN_server)[3504]: library versions: OpenSSL 3.0.16 11 Feb 2025, LZO 2.10
Sat Jun 28 17:50:55 2025 daemon.warn openvpn(horus_openVPN_server)[3504]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Jun 28 17:50:55 2025 daemon.notice openvpn(horus_openVPN_server)[3504]: TUN/TAP device tun0 opened
Sat Jun 28 17:50:55 2025 daemon.notice openvpn(horus_openVPN_server)[3504]: net_iface_mtu_set: mtu 1500 for tun0
Sat Jun 28 17:50:55 2025 daemon.notice openvpn(horus_openVPN_server)[3504]: net_iface_up: set tun0 up
Sat Jun 28 17:50:55 2025 daemon.notice openvpn(horus_openVPN_server)[3504]: net_addr_v4_add: 192.168.16.1/24 dev tun0
Sat Jun 28 17:50:55 2025 daemon.notice openvpn(horus_openVPN_server)[3504]: /usr/libexec/openvpn-hotplug up horus_openVPN_server tun0 1500 0 192.168.16.1 255.255.255.0 init
Sat Jun 28 17:50:55 2025 daemon.warn openvpn(horus_openVPN_server)[3504]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Jun 28 17:50:55 2025 daemon.notice openvpn(horus_openVPN_server)[3504]: UDPv4 link local (bound): [AF_INET][undef]:1194
Sat Jun 28 17:50:55 2025 daemon.notice openvpn(horus_openVPN_server)[3504]: UDPv4 link remote: [AF_UNSPEC]
Sat Jun 28 17:50:55 2025 daemon.notice openvpn(horus_openVPN_server)[3504]: UID set to nobody
Sat Jun 28 17:50:55 2025 daemon.notice openvpn(horus_openVPN_server)[3504]: GID set to nogroup
Sat Jun 28 17:50:55 2025 daemon.notice openvpn(horus_openVPN_server)[3504]: Capabilities retained: CAP_NET_ADMIN
Sat Jun 28 17:50:55 2025 daemon.notice openvpn(horus_openVPN_server)[3504]: Initialization Sequence Completed
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           3504/openvpn
root@horus:~#

Runtime configuration

pgrep -f -a openvpn
ip address show; ip route show table all
ip rule show; ip -6 rule show; nft list ruleset

root@horus:~# pgrep -f -a openvpn
3504 /usr/sbin/openvpn --syslog openvpn(horus_openVPN_server) --status /var/run/openvpn.horus_openVPN_server.status --cd /etc/openvpn --config server.conf --up /usr/libexec/openvpn-hotplug up horus_openVPN_server --down /usr/libexec/openvpn-hotplug down horus_openVPN_server --route-up /usr/libexec/openvpn-hotplug route-up horus_openVPN_server --route-pre-down /usr/libexec/openvpn-hotplug route-pre-down horus_openVPN_server --script-security 2
root@horus:~# 
root@horus:~# ip address show; ip route show table al
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host proto kernel_lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:e0:91:4e:16:79 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/30 brd 192.168.1.3 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::2e0:91ff:fe4e:1679/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:e0:4c:68:04:e6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.15.1/24 brd 192.168.15.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 2804:7f0:7a00:6346::1/64 scope global dynamic noprefixroute
       valid_lft 37871sec preferred_lft 37871sec
    inet6 fd60:58e4:c0c8::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::2e0:4cff:fe68:4e6/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
4: wireguard: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 192.168.17.1/24 brd 192.168.17.255 scope global wireguard
       valid_lft forever preferred_lft forever
    inet6 fd00:17::1/64 scope global
       valid_lft forever preferred_lft forever
6: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
    link/ppp
    inet 191.255.136.242 peer 200.204.204.126/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
    inet6 2804:7f0:703c:113d:1de5:880c:8b2c:fbaa/64 scope global dynamic noprefixroute
       valid_lft 259123sec preferred_lft 172723sec
    inet6 fd60:58e4:c0c8:1::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::1de5:880c:8b2c:fbaa peer fe80::76e9:bfff:fea6:fc8e/128 scope link nodad
       valid_lft forever preferred_lft forever
15: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 192.168.16.1/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::147f:8e2d:227b:2757/64 scope link stable-privacy proto kernel_ll
       valid_lft forever preferred_lft forever
Error: argument "al" is wrong: table id value is invalid

root@horus:~#
root@horus:~# ip rule show; ip -6 rule show; nft list ruleset
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
0:      from all lookup local
32766:  from all lookup main
4200000000:     from 2804:7f0:7a00:6346::1/64 iif eth1 unreachable
table inet banIP {
        counter cnt_icmpflood {
                packets 2033 bytes 2282145
        }

        counter cnt_udpflood {
                packets 682 bytes 54989
        }

        counter cnt_synflood {
                packets 26 bytes 1040
        }

        counter cnt_tcpinvalid {
                packets 0 bytes 0
        }

        counter cnt_ctinvalid {
                packets 44019 bytes 2123173
        }

        set allowlist.v4MAC {
                type ether_addr . ipv4_addr
                policy memory
                flags interval
                auto-merge
        }

        set allowlist.v6MAC {
                type ether_addr . ipv6_addr
                policy memory
                flags interval
                auto-merge
        }

        set allowlist.v4 {
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                elements = { 191.255.136.242 }
        }

        set allowlist.v6 {
                type ipv6_addr
                policy memory
                flags interval
                auto-merge
                elements = { 2804:7f0:703c:113d::/64,
                             fd60:58e4:c0c8:1::/64 }
        }

        set blocklist.v4MAC {
                type ether_addr . ipv4_addr
                policy memory
                flags interval
                auto-merge
        }

        set blocklist.v6MAC {
                type ether_addr . ipv6_addr
                policy memory
                flags interval
                auto-merge
        }

        set blocklist.v4 {
                type ipv4_addr
                policy memory
                flags interval,timeout
                auto-merge
        }

        set blocklist.v6 {
                type ipv6_addr
                policy memory
                flags interval,timeout
                auto-merge
        }

        chain pre-routing {
                type filter hook prerouting priority -175; policy accept;
                iifname != "pppoe-wan" counter packets 38938385 bytes 13324622657 accept
                ct state invalid counter name "cnt_ctinvalid" drop
                meta nfproto . meta l4proto { ipv4 . icmp, ipv6 . ipv6-icmp } limit rate over 25/second burst 5 packets counter name "cnt_icmpflood" drop
                meta l4proto udp ct state new limit rate over 100/second burst 5 packets counter name "cnt_udpflood" drop
                tcp flags & (fin | syn | rst | ack) == syn limit rate over 10/second burst 5 packets counter name "cnt_synflood" drop
                tcp flags & (fin | syn) == fin | syn counter name "cnt_tcpinvalid" drop
                tcp flags & (syn | rst) == syn | rst counter name "cnt_tcpinvalid" drop
                tcp flags & (fin | syn | rst | psh | ack | urg) < fin counter name "cnt_tcpinvalid" drop
                tcp flags & (fin | syn | rst | psh | ack | urg) == fin | psh | urg counter name "cnt_tcpinvalid" drop
        }

        chain wan-input {
                type filter hook input priority -100; policy accept;
                iifname != "pppoe-wan" counter packets 4091408 bytes 1970916976 accept
                ct state established,related counter packets 6233337 bytes 3149580995 accept
                meta nfproto ipv4 udp sport 67-68 udp dport 67-68 counter packets 0 bytes 0 accept
                meta nfproto ipv6 udp sport 547 udp dport 546 counter packets 24 bytes 5088 accept
                icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 1 counter packets 0 bytes 0 accept
                icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 counter packets 433 bytes 45032 accept
                counter packets 235830 bytes 12149406 jump _inbound
        }

        chain wan-forward {
                type filter hook forward priority -100; policy accept;
                iifname != "pppoe-wan" counter packets 34672336 bytes 11299956051 accept
                ct state established,related counter packets 108220709 bytes 133772993963 accept
                counter packets 110610 bytes 9183143 jump _inbound
        }

        chain lan-forward {
                type filter hook forward priority -100; policy accept;
                oifname != "pppoe-wan" counter packets 108337189 bytes 133784900238 accept
                ct state established,related counter packets 34128121 bytes 11176557354 accept
                counter packets 538345 bytes 120675565 jump _outbound
        }

        chain _inbound {
                ip saddr @allowlist.v4 counter packets 13 bytes 2385 accept
                ip6 saddr @allowlist.v6 counter packets 13 bytes 2645 accept
                ip saddr @blocklist.v4 counter packets 0 bytes 0 drop
                ip6 saddr @blocklist.v6 counter packets 0 bytes 0 drop
        }

        chain _outbound {
                ether saddr . ip saddr @allowlist.v4MAC counter packets 0 bytes 0 accept
                ether saddr . ip6 saddr @allowlist.v6MAC counter packets 0 bytes 0 accept
                ip daddr @allowlist.v4 counter packets 0 bytes 0 accept
                ip6 daddr @allowlist.v6 counter packets 0 bytes 0 accept
                ether saddr . ip saddr @blocklist.v4MAC counter packets 0 bytes 0 goto _reject
                ether saddr . ip6 saddr @blocklist.v6MAC counter packets 0 bytes 0 goto _reject
                ip daddr @blocklist.v4 counter packets 0 bytes 0 goto _reject
                ip6 daddr @blocklist.v6 counter packets 0 bytes 0 goto _reject
        }

        chain _reject {
                iifname != "pppoe-wan" meta l4proto tcp reject with tcp reset
                reject with icmpx host-unreachable
        }
}
table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
                iif "lo" accept comment "!fw4: Accept traffic from loopback"
                ct state vmap { invalid : drop, established : accept, related : accept } comment "!fw4: Handle inbound flows"
                tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
                iifname "tun*" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
                iifname "eth1" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
                iifname { "eth0", "pppoe-wan" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
                iifname "wireguard" jump input_wireguard comment "!fw4: Handle wireguard IPv4/IPv6 input traffic"
        }

        chain forward {
                type filter hook forward priority filter; policy drop;
                ct state vmap { invalid : drop, established : accept, related : accept } comment "!fw4: Handle forwarded flows"
                iifname "tun*" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
                iifname "eth1" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
                iifname { "eth0", "pppoe-wan" } jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
                iifname "wireguard" jump forward_wireguard comment "!fw4: Handle wireguard IPv4/IPv6 forward traffic"
                jump upnp_forward comment "Hook into miniupnpd forwarding chain"
        }

        chain output {
                type filter hook output priority filter; policy accept;
                oif "lo" accept comment "!fw4: Accept traffic towards loopback"
                ct state vmap { invalid : drop, established : accept, related : accept } comment "!fw4: Handle outbound flows"
                oifname "tun*" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
                oifname "eth1" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
                oifname { "eth0", "pppoe-wan" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
                oifname "wireguard" jump output_wireguard comment "!fw4: Handle wireguard IPv4/IPv6 output traffic"
        }

        chain prerouting {
                type filter hook prerouting priority filter; policy accept;
                iifname "tun*" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
                iifname "eth1" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
        }

        chain handle_reject {
                meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
                reject comment "!fw4: Reject any other traffic"
        }

        chain syn_flood {
                limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
                drop comment "!fw4: Drop excess packets"
        }

        chain input_lan {
                ct status dnat accept comment "!fw4: Accept port redirections"
                jump accept_from_lan
        }

        chain output_lan {
                jump accept_to_lan
        }

        chain forward_lan {
                jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
                jump accept_to_wireguard comment "!fw4: Accept lan to wireguard forwarding"
                ct status dnat accept comment "!fw4: Accept port forwards"
                jump accept_to_lan
        }

        chain helper_lan {
        }

        chain accept_from_lan {
                iifname "tun*" counter packets 55 bytes 21519 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
                iifname "eth1" counter packets 5007 bytes 401307 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain accept_to_lan {
                oifname "tun*" counter packets 73 bytes 22851 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
                oifname "eth1" counter packets 1151 bytes 173425 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain input_wan {
                meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
                icmp type echo-request counter packets 44 bytes 2912 accept comment "!fw4: Allow-Ping"
                meta nfproto ipv4 meta l4proto igmp counter packets 62 bytes 1984 accept comment "!fw4: Allow-IGMP"
                meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
                ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . 0, mld-listener-report . 0, mld-listener-done . 0, mld2-listener-report . 0 } counter packets 15 bytes 1140 accept comment "!fw4: Allow-MLD"
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second burst 5 packets counter packets 6 bytes 464 accept comment "!fw4: Allow-ICMPv6-Input"
                icmpv6 type . icmpv6 code { packet-too-big . 0, parameter-problem . 0, nd-neighbor-solicit . 0, nd-neighbor-advert . 0, parameter-problem . 1 } limit rate 1000/second burst 5 packets counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
                udp dport 1195 counter packets 0 bytes 0 accept comment "!fw4: Alow_Wireguard"
                tcp dport 1111 counter packets 0 bytes 0 accept comment "!fw4: Allow-Transmission"
                udp dport 1111 counter packets 0 bytes 0 accept comment "!fw4: Allow-Transmission"
                udp dport 1194 counter packets 1 bytes 42 accept comment "!fw4: Allow-OpenVPN"
                ct status dnat accept comment "!fw4: Accept port redirections"
                jump reject_from_wan
        }

        chain output_wan {
                jump accept_to_wan
        }

        chain forward_wan {
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second burst 5 packets counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                icmpv6 type . icmpv6 code { packet-too-big . 0, parameter-problem . 0, parameter-problem . 1 } limit rate 1000/second burst 5 packets counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
                udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
                ct status dnat accept comment "!fw4: Accept port forwards"
                jump reject_to_wan
        }

        chain accept_to_wan {
                oifname { "eth0", "pppoe-wan" } counter packets 19491 bytes 5597254 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
        }

        chain reject_from_wan {
                iifname { "eth0", "pppoe-wan" } counter packets 520 bytes 26105 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        chain reject_to_wan {
                oifname { "eth0", "pppoe-wan" } counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        chain input_wireguard {
                jump accept_from_wireguard
        }

        chain output_wireguard {
                jump accept_to_wireguard
        }

        chain forward_wireguard {
                jump accept_to_lan comment "!fw4: Accept wireguard to lan forwarding"
                jump accept_to_wan comment "!fw4: Accept wireguard to wan forwarding"
                jump accept_to_wireguard
        }

        chain accept_from_wireguard {
                iifname "wireguard" counter packets 0 bytes 0 accept comment "!fw4: accept wireguard IPv4/IPv6 traffic"
        }

        chain accept_to_wireguard {
                oifname "wireguard" counter packets 0 bytes 0 accept comment "!fw4: accept wireguard IPv4/IPv6 traffic"
        }

        chain dstnat {
                type nat hook prerouting priority dstnat; policy accept;
                iifname "tun*" jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
                iifname "eth1" jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
                iifname { "eth0", "pppoe-wan" } jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic"
                jump upnp_prerouting comment "Hook into miniupnpd prerouting chain"
        }

        chain srcnat {
                type nat hook postrouting priority srcnat; policy accept;
                oifname "tun*" jump srcnat_lan comment "!fw4: Handle lan IPv4/IPv6 srcnat traffic"
                oifname "eth1" jump srcnat_lan comment "!fw4: Handle lan IPv4/IPv6 srcnat traffic"
                oifname { "eth0", "pppoe-wan" } jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
                oifname "wireguard" jump srcnat_wireguard comment "!fw4: Handle wireguard IPv4/IPv6 srcnat traffic"
                jump upnp_postrouting comment "Hook into miniupnpd postrouting chain"
        }

        chain dstnat_lan {
                ip saddr 192.168.15.0/24 ip daddr { 191.255.136.242, 192.168.1.2 } udp dport 45000-65535 dnat ip to 192.168.15.30:45000-65535 comment "!fw4: NintendoSwitch-NAT_A (reflection)"
                ip saddr 192.168.15.0/24 ip daddr { 191.255.136.242, 192.168.1.2 } tcp dport 1111 dnat ip to 192.168.15.1:1111 comment "!fw4: Transmission (reflection)"
                ip saddr 192.168.15.0/24 ip daddr { 191.255.136.242, 192.168.1.2 } udp dport 1111 dnat ip to 192.168.15.1:1111 comment "!fw4: Transmission (reflection)"
                tcp dport 53 counter packets 0 bytes 0 redirect to :53 comment "!fw4: Adguard Home"
                udp dport 53 counter packets 9165 bytes 715376 redirect to :53 comment "!fw4: Adguard Home"
        }

        chain srcnat_lan {
                ip saddr 192.168.15.0/24 ip daddr 192.168.15.30 udp dport 45000-65535 snat ip to 192.168.15.1 comment "!fw4: NintendoSwitch-NAT_A (reflection)"
                ip saddr 192.168.15.0/24 ip daddr 192.168.15.1 tcp dport 1111 snat ip to 192.168.15.1 comment "!fw4: Transmission (reflection)"
                ip saddr 192.168.15.0/24 ip daddr 192.168.15.1 udp dport 1111 snat ip to 192.168.15.1 comment "!fw4: Transmission (reflection)"
        }

        chain dstnat_wan {
                meta nfproto ipv4 udp dport 45000-65535 counter packets 40 bytes 3204 dnat ip to 192.168.15.30:45000-65535 comment "!fw4: NintendoSwitch-NAT_A"
                meta nfproto ipv4 tcp dport 1111 counter packets 0 bytes 0 dnat ip to 192.168.15.1:1111 comment "!fw4: Transmission"
                meta nfproto ipv4 udp dport 1111 counter packets 0 bytes 0 dnat ip to 192.168.15.1:1111 comment "!fw4: Transmission"
        }

        chain srcnat_wan {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
        }

        chain srcnat_wireguard {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wireguard traffic"
        }

        chain raw_prerouting {
                type filter hook prerouting priority raw; policy accept;
        }

        chain raw_output {
                type filter hook output priority raw; policy accept;
        }

        chain mangle_prerouting {
                type filter hook prerouting priority mangle; policy accept;
        }

        chain mangle_postrouting {
                type filter hook postrouting priority mangle; policy accept;
                oifname { "eth0", "pppoe-wan" } tcp flags & (fin | syn | rst) == syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
        }

        chain mangle_input {
                type filter hook input priority mangle; policy accept;
        }

        chain mangle_output {
                type route hook output priority mangle; policy accept;
        }

        chain mangle_forward {
                type filter hook forward priority mangle; policy accept;
                iifname { "eth0", "pppoe-wan" } tcp flags & (fin | syn | rst) == syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
        }

        chain upnp_forward {
        }

        chain upnp_prerouting {
        }

        chain upnp_postrouting {
        }
}
root@horus:~#

Persistent configuration

uci show network; uci show firewall; uci show openvpn
head -v -n -0 /etc/openvpn/*.conf

root@horus:~# uci show network; uci show firewall; uci show openvpn
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd60:58e4:c0c8::/48'
network.globals.packet_steering='0'
network.lan=interface
network.lan.device='eth1'
network.lan.proto='static'
network.lan.ipaddr='192.168.15.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='64'
network.lan.prot='dhcp'
network.wan=interface
network.wan.device='eth0'
network.wan.proto='pppoe'
network.wan.username='cliente@cliente'
network.wan.password='cliente'
network.wan.ipv6='auto'
network.wan.ip6assign='64'
network.onu_vsol=interface
network.onu_vsol.proto='static'
network.onu_vsol.device='eth0'
network.onu_vsol.ipaddr='192.168.1.2'
network.onu_vsol.netmask='255.255.255.252'
network.onu_vsol.delegate='0'
network.wireguard=interface
network.wireguard.proto='wireguard'
network.wireguard.private_key='edited'
network.wireguard.listen_port='1195'
network.wireguard.dns='192.168.15.1'
network.wireguard.addresses='192.168.17.1/24'
network.wireguard.delegate='0'
network.@wireguard_wireguard[0]=wireguard_wireguard
network.@wireguard_wireguard[0].description='Celular Felipe'
network.@wireguard_wireguard[0].public_key='edited
network.@wireguard_wireguard[0].private_key='edited'
network.@wireguard_wireguard[0].allowed_ips='192.168.17.100'
network.@wireguard_wireguard[0].persistent_keepalive='25'
network.@wireguard_wireguard[1]=wireguard_wireguard
network.@wireguard_wireguard[1].description='Celular Rodrigo'
network.@wireguard_wireguard[1].public_key='edited'
network.@wireguard_wireguard[1].private_key='edited'
network.@wireguard_wireguard[1].allowed_ips='192.168.17.101'
network.@wireguard_wireguard[1].persistent_keepalive='25'
network.@wireguard_wireguard[2]=wireguard_wireguard
network.@wireguard_wireguard[2].description='Celular Viviane'
network.@wireguard_wireguard[2].public_key='edited'
network.@wireguard_wireguard[2].private_key='edited'
network.@wireguard_wireguard[2].allowed_ips='192.168.17.102'
network.@wireguard_wireguard[2].persistent_keepalive='25'
network.@wireguard_wireguard[3]=wireguard_wireguard
network.@wireguard_wireguard[3].description='Notebook Dell Felipe'
network.@wireguard_wireguard[3].private_key='edited'
network.@wireguard_wireguard[3].preshared_key=edited'
network.@wireguard_wireguard[3].allowed_ips='192.168.17.110'
network.@wireguard_wireguard[3].persistent_keepalive='25'
network.@wireguard_wireguard[3].disabled='1'
network.@wireguard_wireguard[4]=wireguard_wireguard
network.@wireguard_wireguard[4].description='Notebook Dell'
network.@wireguard_wireguard[4].public_key='edited'
network.@wireguard_wireguard[4].private_key='edited'
network.@wireguard_wireguard[4].allowed_ips='192.168.17.111'
network.@wireguard_wireguard[4].persistent_keepalive='25'
network.@wireguard_wireguard[4].disabled='1'
network.@wireguard_wireguard[5]=wireguard_wireguard
network.@wireguard_wireguard[5].description='Notebook HP'
network.@wireguard_wireguard[5].public_key='edited'
network.@wireguard_wireguard[5].private_key='edited'
network.@wireguard_wireguard[5].allowed_ips='192.168.17.112'
network.@wireguard_wireguard[5].persistent_keepalive='25'
network.@wireguard_wireguard[6]=wireguard_wireguard
network.@wireguard_wireguard[6].description='Notebook Sony'
network.@wireguard_wireguard[6].public_key='edited'
network.@wireguard_wireguard[6].private_key='edited'
network.@wireguard_wireguard[6].allowed_ips='192.168.17.114'
network.@wireguard_wireguard[6].persistent_keepalive='25'
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='DROP'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='DROP'
firewall.@defaults[0].synflood_protect='1'
firewall.@defaults[0].drop_invalid='1'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.lan.device='tun+'
firewall.lan.network='lan'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.input='REJECT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.wan.network='wan' 'onu_vsol'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@zone[2]=zone
firewall.@zone[2].name='wireguard'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].masq='1'
firewall.@zone[2].network='wireguard'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='wireguard'
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='lan'
firewall.@forwarding[2].dest='wireguard'
firewall.@rule[9]=rule
firewall.@rule[9].src='wan'
firewall.@rule[9].name='Alow_Wireguard'
firewall.@rule[9].proto='udp'
firewall.@rule[9].dest_port='1195'
firewall.@rule[9].target='ACCEPT'
firewall.@redirect[0]=redirect
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='NintendoSwitch-NAT_A'
firewall.@redirect[0].proto='udp'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].src_dport='45000-65535'
firewall.@redirect[0].dest_ip='192.168.15.30'
firewall.@redirect[0].dest_port='45000-65535'
firewall.@redirect[1]=redirect
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].name='Transmission'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].src_dport='1111'
firewall.@redirect[1].dest_ip='192.168.15.1'
firewall.@redirect[1].dest_port='1111'
firewall.@redirect[1].dest='lan'
firewall.@rule[10]=rule
firewall.@rule[10].name='Allow-Transmission'
firewall.@rule[10].src='wan'
firewall.@rule[10].dest_port='1111'
firewall.@rule[10].target='ACCEPT'
firewall.adguardhome_dns_53=redirect
firewall.adguardhome_dns_53.src='lan'
firewall.adguardhome_dns_53.proto='tcp udp'
firewall.adguardhome_dns_53.src_dport='53'
firewall.adguardhome_dns_53.target='DNAT'
firewall.adguardhome_dns_53.name='Adguard Home'
firewall.adguardhome_dns_53.dest_port='53'
firewall.adguardhome_dns_53.dest='lan'
firewall.adguardhome_dns_53.family='any'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].src='wireguard'
firewall.@forwarding[3].dest='wan'
firewall.ovpn=rule
firewall.ovpn.name='Allow-OpenVPN'
firewall.ovpn.src='wan'
firewall.ovpn.dest_port='1194'
firewall.ovpn.proto='udp'
firewall.ovpn.target='ACCEPT'
openvpn.horus_openVPN_server=openvpn
openvpn.horus_openVPN_server.config='/etc/openvpn/server.conf'
openvpn.horus_openVPN_server.enabled='1'
root@horus:~#
root@horus:~# head -v -n -0 /etc/openvpn/*.conf
==> /etc/openvpn/server.conf <==
user nobody
group nogroup
dev tun
port 1194
proto udp
server 192.168.16.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS 192.168.16.1"
push "dhcp-option DOMAIN hsh"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
-----BEGIN DH PARAMETERS-----
edited
-----END DH PARAMETERS-----
</dh>
<tls-crypt-v2>
-----BEGIN OpenVPN tls-crypt-v2 server key-----
edited
-----END OpenVPN tls-crypt-v2 server key-----
</tls-crypt-v2>
<key>
-----BEGIN PRIVATE KEY-----
edited
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
edited
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
edited
-----END CERTIFICATE-----
</ca>
root@horus:~#

Any suggestions will be appreciated.

Thanks

You say you are connected from your phone/client on the internet to your OpenVPN server at home.
If so, can you:
ping your server e.g. ping 192.168.16.1
ping lan: ping 192.168.15.1
ping internet: ping 8.8.8.8

P.S. I did not read it all; I find the uci output difficult to read, and I prefer the plain config files, e.g.:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

Hello @egc...

All pings work well, as in the screenshots below...

ubus call system board

root@horus:~# ubus call system board
{
        "kernel": "6.6.86",
        "hostname": "horus",
        "system": "Intel(R) Core(TM) i5-3210M CPU @ 2.50GHz",
        "model": "LG Electronics                   V320-M.BG31P1",
        "board_name": "lg-electronics-v320-m-bg31p1",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.1",
                "revision": "r28597-0425664679",
                "target": "x86/64",
                "description": "OpenWrt 24.10.1 r28597-0425664679",
                "builddate": "1744562312"
        }
}
root@horus:~#

cat /etc/config/network

root@horus:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd60:58e4:c0c8::/48'
        option packet_steering '0'

config interface 'lan'
        option device 'eth1'
        option proto 'static'
        option ipaddr '192.168.15.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option prot 'dhcp'

config interface 'wan'
        option device 'eth0'
        option proto 'pppoe'
        option username 'cliente@cliente'
        option password 'cliente'
        option ipv6 'auto'
        option ip6assign '64'

config interface 'onu_vsol'
        option proto 'static'
        option device 'eth0'
        option ipaddr '192.168.1.2'
        option netmask '255.255.255.252'
        option delegate '0'

config interface 'wireguard'
        option proto 'wireguard'
        option private_key 'edited'
        option listen_port '1195'
        list dns '192.168.15.1'
        list addresses '192.168.17.1/24'
        option delegate '0'

config wireguard_wireguard
        option description 'Celular Felipe'
        option public_key 'edited'
        option private_key 'edited'
        list allowed_ips '192.168.17.100'
        option persistent_keepalive '25'

config wireguard_wireguard
        option description 'Celular Rodrigo'
        option public_key 'edited'
        option private_key 'edited'
        list allowed_ips '192.168.17.101'
        option persistent_keepalive '25'

config wireguard_wireguard
        option description 'Celular Viviane'
        option public_key 'edited'
        option private_key 'edited'
        list allowed_ips '192.168.17.102'
        option persistent_keepalive '25'

config wireguard_wireguard
        option description 'Notebook Dell Felipe'
        option private_key 'edited'
        option preshared_key 'edited'
        list allowed_ips '192.168.17.110'
        option persistent_keepalive '25'
        option disabled '1'

config wireguard_wireguard
        option description 'Notebook Dell'
        option public_key 'edited'
        option private_key 'edited'
        list allowed_ips '192.168.17.111'
        option persistent_keepalive '25'
        option disabled '1'

config wireguard_wireguard
        option description 'Notebook HP'
        option public_key 'edited'
        option private_key 'edited'
        list allowed_ips '192.168.17.112'
        option persistent_keepalive '25'

config wireguard_wireguard
        option description 'Notebook Sony'
        option public_key 'edited'
        option private_key 'edited'
        list allowed_ips '192.168.17.114'
        option persistent_keepalive '25'

root@horus:~#

cat /etc/config/dhcp

root@horus:~# cat /etc/config/dhcp

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '50'
        option leasetime '6h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option force '1'
        list dns 'fd60:58e4:c0c8::1'
        list dhcp_option '3,192.168.15.1'
        list dhcp_option '6,192.168.15.1'
        list dhcp_option '15,hsh'
        list dhcp_option '42,192.168.15.1'
        option preferred_lifetime '6h'
        option ra_useleasetime '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dnsmasq 'horus'
        option rebind_protection '1'
        option localservice '1'
        option local '/hsh/'
        option domain 'hsh'
        option expandhosts '1'
        option sequential_ip '1'
        option allservers '1'
        list cache_rr 'ANY'
        option domainneeded '1'
        option rebind_localhost '1'
        list interface 'lan'
        option dhcpleasemax '50'
        option dnsforwardmax '150'
        option authoritative '1'
        option port '54'
        option cachesize '0'
        option noresolv '1'
        list server '192.168.15.1#53'

config domain
        option name 'onu'
        option ip '192.168.1.1'

config domain
        option name 'horus'
        option ip '192.168.15.1'

config domain
        option name 'anubis'
        option ip '192.168.15.2'

config domain
        option name 'osiris'
        option ip '192.168.15.3'

config domain
        option name 'toth'
        option ip '192.168.15.4'

config domain
        option name 'an4'
        option ip '192.168.15.5'

config host
        option name 'horus'
        list mac '00:E0:4C:76:09:61'
        option ip '192.168.15.1'
        option leasetime 'infinite'
        option instance 'horus'
        list tag 'core - router'

config host
        option name 'anubis'
        list mac '30:B5:C2:B4:F3:A8'
        option ip '192.168.15.2'
        option leasetime 'infinite'
        option duid '0003000130b5c2b4f3a8'
        list tag 'AP - sala'
        option instance 'horus'

config host
        option name 'osiris'
        list mac '14:CC:20:B9:51:C0'
        option ip '192.168.15.3'
        option leasetime 'infinite'
        option duid '0003000114cc20b951c0'
        list tag 'SW - escritorio'
        option instance 'horus'

config host
        option name 'toth'
        list mac '50:C7:BF:DE:ED:D0'
        option ip '192.168.15.4'
        option leasetime 'infinite'
        option duid '0003000150c7bfdeedd0'
        list tag 'AP - Fe'
        option instance 'horus'

config host
        option name 'an4'
        list mac 'B6:D4:67:CD:CD:B2'
        option ip '192.168.15.5'
        option leasetime 'infinite'
        list tag 'deco - TV'
        option instance 'horus'

config host
        option name 'tesla'
        option dns '1'
        list mac '40:8D:5C:78:51:51'
        option ip '192.168.15.10'
        option duid '000100012ed0483cf4f26d06c79d'
        list tag 'admin PC'
        option instance 'horus'

config host
        option name 'NintendoSwitch'
        list mac '20:0B:CF:E4:75:54'
        option ip '192.168.15.30'
        option leasetime 'infinite'
        list tag 'video_game_Fe'
        option instance 'horus'

config host
        option name 'SonyVaio-VGN-NW270F'
        list mac '00:24:BE:3B:8C:3A'
        option ip '192.168.15.16'
        option leasetime 'infinite'
        option duid '00045c1e1c10eadcfe993c8dda57b565d34f'
        list tag 'note_SONY_cabeado'
        option instance 'horus'

config host
        option name 'SonyVaio-VGN-NW270F'
        list mac '00:26:5E:F5:18:A6'
        option ip '192.168.15.17'
        option leasetime 'infinite'
        option duid '00045c1e1c10eadcfe993c8dda57b565d34f'
        list tag 'note_SONY_wifi'
        option instance 'horus'

config host
        option name 'HP-Probook-4430s'
        list mac '10:1F:74:F9:A7:B1'
        option ip '192.168.15.18'
        option leasetime 'infinite'
        option duid '000100012c5f1f61101f74f9a7b1'
        list tag 'note_HP_cabeado'
        option instance 'horus'

config host
        option name 'HP-Probook-4430s'
        list mac 'D0:DF:9A:2C:12:6A'
        option ip '192.168.15.19'
        option leasetime 'infinite'
        option duid '000100012c5f1f61101f74f9a7b1'
        option instance 'horus'
        list tag 'note_HP_wifi'

config host
        option name 'sfc'
        list mac '1C:39:47:53:3E:8C'
        option ip '192.168.15.20'
        option leasetime 'infinite'
        option duid '000100012f01abd61c3947533e8c'
        list tag 'note_Fe_cabeado'
        option instance 'horus'

config host
        option name 'sfc'
        list mac '34:02:86:60:89:39'
        option ip '192.168.15.21'
        option leasetime 'infinite'
        option duid '000100012f01abd61c3947533e8c'
        list tag 'note_Fe_wifi'
        option instance 'horus'

config domain
        option name 'horus'
        option ip 'fd60:58e4:c0c8::1'

config domain
        option name 'anubis'
        option ip 'fd60:58e4:c0c8::2'

config domain
        option name 'osiris'
        option ip 'fd60:58e4:c0c8::3'

config domain
        option name 'toth'
        option ip 'fd60:58e4:c0c8::4'

root@horus:~#

cat /etc/config/firewall

root@horus:~# cat /etc/config/firewall

config defaults
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option synflood_protect '1'
        option drop_invalid '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list device 'tun+'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'onu_vsol'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'wireguard'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'wireguard'

config forwarding
        option src 'wireguard'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'wireguard'

config rule
        option src 'wan'
        option name 'Alow_Wireguard'
        list proto 'udp'
        option dest_port '1195'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'NintendoSwitch-NAT_A'
        list proto 'udp'
        option src 'wan'
        option src_dport '45000-65535'
        option dest_ip '192.168.15.30'
        option dest_port '45000-65535'

config redirect
        option target 'DNAT'
        option name 'Transmission'
        option src 'wan'
        option src_dport '1111'
        option dest_ip '192.168.15.1'
        option dest_port '1111'
        option dest 'lan'

config rule
        option name 'Allow-Transmission'
        option src 'wan'
        option dest_port '1111'
        option target 'ACCEPT'

config redirect 'adguardhome_dns_53'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option target 'DNAT'
        option name 'Adguard Home'
        option dest_port '53'
        option dest 'lan'
        option family 'any'

config forwarding
        option src 'wireguard'
        option dest 'wan'

config rule 'ovpn'
        option name 'Allow-OpenVPN'
        option src 'wan'
        option dest_port '1194'
        option proto 'udp'
        option target 'ACCEPT'

root@horus:~#

Unrelated to your problem, but you should remove the masquerading; for a typical server setup this is not necessary.

Furthermore, although not necessary as it is the default, I would use /32 for all Allowed IPs in the WireGuard peers; it is easier to read, but that is just me :)

Now on to your problem: you are connected and ping to an IP address works fine.
But ping to a domain takes unusually long.
You are pushing: push "dhcp-option DNS 192.168.16.1" but it looks like you are using Adguard, which can complicate matters.
I do not use Adguard, too bloated for my taste, but that is just me.

As a test, push e.g. 8.8.8.8 to your OpenVPN client, e.g.:

push "dhcp-option DNS 8.8.8.8"

If that helps, check Adguard; it has to listen also for your OpenVPN subnet, I guess.

For your internal hosts, disable the firewall on the internal host for testing to see if you can reach your internal host.

Hello EGC...

I will change the settings you suggested and I will do new tests...

Interestingly, since yesterday, without changing my settings, I started having many problems with Adguard, as described in this topic that I asked my colleagues for help too - Thousands of AdguardHome errors in my log - Extremely slow browsing

Let's try to solve all these pieces of the puzzle!!

It indeed looks like Adguard could be the culprit.
It is possible that you have DNS redirect rules which will catch the DNS directed to 8.8.8.8.
So make sure you disable DNS redirect rules.
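
An added example, not part of the thread and not OpenWrt's own tooling: in the posted firewall config the `lan` zone lists device `tun+`, so the `adguardhome_dns_53` redirect (src `lan`, port 53) also applies to OpenVPN clients, which is the kind of DNS redirect the last reply refers to. The function names, the trimmed sample config and the `tun`/`tap` device-prefix match are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: report DNAT redirects on port 53 whose source zone also
# contains a VPN tunnel device, so DNS from VPN clients is intercepted too.

# Constructed sample, trimmed from the /etc/config/firewall posted above.
sample_firewall_config() {
    cat <<'EOF'
config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        list device 'tun+'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        option masq '1'
        list network 'wan'

config redirect
        option name 'NintendoSwitch-NAT_A'
        option target 'DNAT'
        option src 'wan'
        option src_dport '45000-65535'
        option dest_ip '192.168.15.30'

config redirect 'adguardhome_dns_53'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option target 'DNAT'
        option name 'Adguard Home'
        option dest_port '53'
EOF
}

# Reads a firewall config on stdin; prints "name|zone|device" per finding.
audit_dns_redirects() {
    awk -v q="'" '
    function unquote(s,    c) {
        sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s)
        c = substr(s, 1, 1)
        if ((c == q || c == "\"") && substr(s, length(s), 1) == c)
            s = substr(s, 2, length(s) - 2)
        return s
    }
    function covers53(p,    r) {          # "53" or a range such as "1-1024"
        if (split(p, r, "-") == 2) return (r[1] + 0 <= 53 && 53 <= r[2] + 0)
        return (p == "53")
    }
    function store_section() {            # record the section just finished
        if (sect == "zone" && o["name"] != "") devs[o["name"]] = o["device"]
        if (sect == "redirect") {
            n++
            rname[n] = o["name"]; rsrc[n] = o["src"]; rport[n] = o["src_dport"]
            rtarget[n] = (o["target"] == "" ? "DNAT" : o["target"])  # default
            ron[n] = (o["enabled"] == "0" ? 0 : 1)   # enabled unless set to 0
        }
        split("", o)                      # clear the option table
    }
    $1 == "config" { store_section(); sect = $2; next }
    $1 == "option" || $1 == "list" {
        key = $2; val = $0
        sub(/^[ \t]*[a-z]+[ \t]+[^ \t]+/, "", val)
        val = unquote(val)
        o[key] = (o[key] == "" ? val : o[key] " " val)
    }
    END {
        store_section()
        for (i = 1; i <= n; i++) {
            if (!ron[i] || rtarget[i] != "DNAT" || !covers53(rport[i])) continue
            m = split(devs[rsrc[i]], d, " ")
            for (j = 1; j <= m; j++)
                if (d[j] ~ /^(tun|tap)/) print rname[i] "|" rsrc[i] "|" d[j]
        }
    }'
}

# On the router: audit_dns_redirects < /etc/config/firewall
sample_firewall_config | audit_dns_redirects
```

A reported line means DNS sent by a VPN client to any resolver is rewritten to the router's port 53, whatever `dhcp-option DNS` value is pushed.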