No internet access when tun0 (openvpn) connection is active

techmol · December 11, 2023, 4:12pm

After I had some issues I have restored an old configuration which was supposed to be working. I wanted that all traffic to be sent through tun0 interface. But the problem is now that I don't have internet access when the openvpn connection is enabled. The Wireguard connection is not required I believe. But I think it is not part of the problem here.

 /etc/config/network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fff0:ff3f:ff34::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.201.1'

config interface 'wan'
	option device 'eth1'
	option proto 'static'
	option ipaddr '192.168.100.35'
	option netmask '255.255.255.0'
	option gateway '192.168.100.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0'

config interface 'wg0'
	option proto 'wireguard'
	option private_key '123'
	option listen_port '51820'
	list addresses '192.168.202.1/24'

config wireguard_wg0
	option description 'px'
	option public_key '123'
	option private_key '123'
	list allowed_ips '192.168.202.10/32'
	option route_allowed_ips '1'

config wireguard_wg0
	option public_key '1123'
	option private_key '123'
	option description 't14'
	option route_allowed_ips '1'
	list allowed_ips '192.168.202.11/32'

config interface 'novpn'
	option proto 'none'
	option device 'tun0'


 /etc/config/firewall:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'Wireguard'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg0'

config forwarding
	option src 'Wireguard'
	option dest 'lan'

config forwarding
	option src 'wan'
	option dest 'Wireguard'

config forwarding
	option src 'Wireguard'
	option dest 'wan'

config rule
	option name 'wan-local-wireguard'
	list proto 'udp'
	option src 'wan'
	option dest_port '51820'
	option target 'ACCEPT'

config rule
	option src 'Wireguard'
	option dest 'wan'
	option target 'ACCEPT'
	option name 'wg to wan'

config zone
	option name 'vpnfw'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'novpn'

config forwarding
	option src 'lan'
	option dest 'vpnfw'

pavelgl · December 11, 2023, 7:10pm

Is there Internet access when openvpn is disabled?
There are no DNS servers set in /etc/config/network, so what are the contents of /etc/config/dhcp?

When openvpn is enabled, what is the output of:

ip a li dev tun0
ip ro li dev tun0
nft list chain inet fw4 srcnat
nft list chain inet fw4 srcnat_vpnfw

techmol · December 11, 2023, 7:31pm

Thank you! When I was first running

~# nft list chain inet fw4 srcnat

I get this error:

Error loading shared library libmnl.so.0: No such file or directory (needed by /usr/sbin/nft)

After installing libmnl0 everything works!

I post the outputs of the commands with openvpn enabled:

ip a li dev tun0
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
    link/[65534] 
    inet 10.8.3.2/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 ff80::ffab:ffc5:ffc5:820/64 scope link flags 800 
       valid_lft forever preferred_lft forever


ip ro li dev tun0
0.0.0.0/1 via 10.8.3.1 dev tun0 
10.8.3.0/24 dev tun0 scope link  src 10.8.3.2 
128.0.0.0/1 via 10.8.3.1 dev tun0 






nft list chain inet fw4 srcnat
table inet fw4 {
	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "tun0" jump srcnat_vpnfw comment "!fw4: Handle vpnfw IPv4/IPv6 srcnat traffic"
	}
}


nft list chain inet fw4 srcnat_vpnfw
table inet fw4 {
	chain srcnat_vpnfw {
		meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 vpnfw traffic"
	}
}

system · December 21, 2023, 7:33pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.