No forwarding to vpn tunnels


I'm now upgraded to 22.03 on an Archer C7 v2. Of course the system is crashed, the most settings is not working, i'm repair most of that. But...

I have 4 openvpn clients, and before the update worked perfectly. Now the clients connect and the hosts is reachable from openwrt. but not from the LAN. I deleted the interfaces, firewall rules, sections, recreate them, enabled the forwarding, but still no forwarding.

What is wrong?

After the upgrade, the wan interface's forwarding died too, But a full recreate the interfaces, and firewall sections, then is working. This on the openvpn interfaces is not a solution.

The nftables isn't working good, or somehow insulted by the iptables rules.

I'm not uderstand if the iptables changed to nftables (or any big change) the updater process why not archive original config file and put a working new? (or convert them a working one) i need after upgrade some config files remove by hand to working final result.


Did you read the release notes for 22.03.0?

Don't copy any config files over. Save and export the old configuration for reference only (it is a tar of text files which you can read on your PC). Reconfigure the new install from scratch.

Also it should be noted that old and new versions of OpenVPN often won't inter-operate due to old encryption standards being deprecated. The clients should be updated to a recent OpenVPN version as well.

LAN-LAN connections with OpenVPN start with automated installation of routes:

  • The OpenVPN server advertises itself as a gateway to its local LANs. The clients install those routes. This isn't strictly necessary if all Internet of the client is to go through VPN, since includes all possible LANs as well.
  • The OpenVPN server is aware of client side LANs through its client config directory. Clients don't push their LAN information, it must be installed on the server side by the server administrator. These routes are installed / removed in the server machine's routing table as clients connect and leave. For this to work, the clients have to be identifiable by issuing them unique certificates with a different CN value (the name of the client) in each certificate. Also of course all the client LANs need to have different non-overlapping IP subnets.

So look at both sides' routing tables and confirm that a route to the other LAN is in place.
Then you can consider the firewall. As a simple test, if you trust everything in both LANs, you can just place the VPN tunnel in the lan zone


Yes i read, but i wouldn't thinked the old config knock out the router. i think the system simply overstep on it, and use the usable part of the config

What version were you upgrading from? What device?

1 Like


The original is 19.xx (tplink Archer c7 v2) that's working good, but after a electricity drop, is config errors appear. So i'm upgrade. Downloaded a backup, and i searched an "after last modified" backup. Thats worked good, for long time. i'm upgraded the system, with keep settings function. i known, some settings is not working in the new version, but i hope, the Openwrt skip the old stuffs. But unfortunetely not. So I reset the whole router.

I try first: Upload the working config. The vpn-s and interfaces, time settings, etc... i known, the firewall rules is not working. But i'm lazy, and i'm happy is some settings, is go back from backup. But no. The router is... Some settings dropped error, pages not loadad, if loaded, thats very slowly. then the luci drop an error, and never reashed again. The main section not found in config. I see, the main section IN that config. So full factory reset again.

Rebuild config. I set up everithing and i see, the 3 OpenVPN connection is not working. I beg you pardon, the VPN is working, only i can not see trough. if i ping from a pc in lan,, i got

icmp_seq=XXX Destination Port Unreachable

but from the Openwrt i can ping the host over the VPN. I created an interface all 3 VPN, and own firewall zones. i setted up the firewall, to enable forvarding from lan to 3 VPN, and only one VPN to lan

But i can't see trought the vpn. Routes is good, in the luci the firewall is good. The icmp echo req is on the br-lan interface, but not on the tun interface. Where is the problem? I thing something not ok in firewall.

Sorry my english.


I'm figured out. If i create zones in firewall to the VPN-s then the nftables collapse. But not saying anything. Only not starting up. If i'm restart by hand, the got an error message:

/dev/stdin:18:9-9: Error: syntax error, unexpected number, expecting string
        define 4ce_devices = { "4ce-tun" }
/dev/stdin:19:9-9: Error: syntax error, unexpected number, expecting string
        define 4ce_subnets = {  }

this is my first VPN the interface name is starting with a number. So, this scrap is easily knock out a number starting interface. I don't known mutch nftables, but this is ridicous.