Not getting ipv6 of my openvpn client in AP mode

I am new to OpenWrt. Today I installed OpenVPN on my router. It is connected to the internet via a mobile hotspot.
My OpenVPN config has both an IPv4 and an IPv6 address. But when I go to ip.gs in a browser, I can only see the IPv4 address, not the IPv6 one.

But when I run curl ip.gs -6 over SSH on the OpenWrt router, I can see my VPN IPv6 address, so the VPN does have an IPv6 address. It is just not being used for traffic from my devices.

{
        "kernel": "5.10.176",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Xiaomi Mi Router 4A Gigabit Edition",
        "board_name": "xiaomi,mi-router-4a-gigabit",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.5",
                "revision": "r20134-5f15225c1e",
                "target": "ramips/mt7621",
                "description": "OpenWrt 22.03.5 r20134-5f15225c1e"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd3c:19e5:7e52::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        option ipaddr '10.0.0.1'
        option netmask '255.0.0.0'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'wwan'
        option proto 'dhcp'

config interface 'wwan6'
        option proto 'dhcpv6'
        option device 'wlan0'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'ovpn'
        option proto 'none'
        option device 'tun0'
        option type 'bridge'

config interface 'ovpn6'
        option proto 'dhcpv6'
        option device 'tun0'
        option reqaddress 'try'
        option reqprefix 'auto'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'
        list network 'wwan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'ovpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'ovpn'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'ovpn'

head: /etc/firewall.user: No such file or directory
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1504 state UP qlen 1000
    inet6 fe80::5e02:14ff:fe61:ac84/64 scope link
       valid_lft forever preferred_lft forever
11: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd3c:19e5:7e52::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::5e02:14ff:fe61:ac84/64 scope link
       valid_lft forever preferred_lft forever
16: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::5e02:14ff:fe61:ac86/64 scope link
       valid_lft forever preferred_lft forever
17: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::5c02:14ff:fe61:ac86/64 scope link
       valid_lft forever preferred_lft forever
18: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 500
    inet6 fd42:42:42:42::4/112 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::5d11:9e83:a7eb:32c5/64 scope link flags 800
       valid_lft forever preferred_lft forever
::/3 dev tun0  metric 1024
2000::/4 dev tun0  metric 1024
3000::/4 dev tun0  metric 1024
2000::/3 dev tun0  metric 1024
fd3c:19e5:7e52::/64 dev br-lan  metric 1024
fd3c:19e5:7e52::/60 dev br-lan  metric 256  expires 6127sec
unreachable fd3c:19e5:7e52::/48 dev lo  metric 2147483647
fd42:42:42:42::/112 dev tun0  metric 256
fc00::/7 dev tun0  metric 1024
fe80::/64 dev eth0  metric 256
fe80::/64 dev br-lan  metric 256
fe80::/64 dev wlan0  metric 256
fe80::/64 dev wlan0-1  metric 256
fe80::/64 dev tun0  metric 256
local ::1 dev lo table local  metric 0
anycast fd3c:19e5:7e52:: dev br-lan table local  metric 0
local fd3c:19e5:7e52::1 dev br-lan table local  metric 0
anycast fd42:42:42:42:: dev tun0 table local  metric 0
local fd42:42:42:42::4 dev tun0 table local  metric 0
anycast fe80:: dev eth0 table local  metric 0
anycast fe80:: dev br-lan table local  metric 0
anycast fe80:: dev wlan0-1 table local  metric 0
anycast fe80:: dev wlan0 table local  metric 0
anycast fe80:: dev tun0 table local  metric 0
local fe80::5c02:14ff:fe61:ac86 dev wlan0-1 table local  metric 0
local fe80::5d11:9e83:a7eb:32c5 dev tun0 table local  metric 0
local fe80::5e02:14ff:fe61:ac84 dev eth0 table local  metric 0
local fe80::5e02:14ff:fe61:ac84 dev br-lan table local  metric 0
local fe80::5e02:14ff:fe61:ac86 dev wlan0 table local  metric 0
multicast ff00::/8 dev eth0 table local  metric 256
multicast ff00::/8 dev br-lan table local  metric 256
multicast ff00::/8 dev wlan0 table local  metric 256
multicast ff00::/8 dev wlan0-1 table local  metric 256
multicast ff00::/8 dev tun0 table local  metric 256
0:      from all lookup local
32766:  from all lookup main

I am very new to this. So please help in simple words. Thanks.

can anyone help ?? please

I have run those commands but still didn't get IPv6 in the browser. I just don't understand why I get my VPN IPv6 address with curl over SSH on the OpenWrt router, but not on devices connected to the Wi-Fi AP.

I tried many times, but every time it doesn't work. Is there something else I should post here so you can understand my situation better?

Hello, can anyone help??? :pensive::sob:

Remove the interface ovpn6 and remove the option type from the interface ovpn.
Reboot to apply changes and collect the updated diagnostics to verify NAT66 configuration.

I have removed them, and this is my new config.

{
        "kernel": "5.10.176",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Xiaomi Mi Router 4A Gigabit Edition",
        "board_name": "xiaomi,mi-router-4a-gigabit",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.5",
                "revision": "r20134-5f15225c1e",
                "target": "ramips/mt7621",
                "description": "OpenWrt 22.03.5 r20134-5f15225c1e"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd4e:424f:5ca4::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        option ipaddr '10.0.0.1'
        option netmask '255.0.0.0'

config interface 'wwan'
        option proto 'dhcp'
        option device 'wlan0'

config interface 'opvpn'
        option proto 'none'
        option device 'tun0'

config interface 'wwan6'
        option device '@wwan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wwan'
        list network 'wwan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'ovpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'opvpn'
        option forward 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'ovpn'

head: /etc/firewall.user: No such file or directory
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1504 state UP qlen 1000
    inet6 fe80::5e02:14ff:fe61:ac84/64 scope link
       valid_lft forever preferred_lft forever
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd4e:424f:5ca4::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::5e02:14ff:fe61:ac84/64 scope link
       valid_lft forever preferred_lft forever
9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2409:4064:e13:b062:5e02:14ff:fe61:ac86/64 scope global dynamic noprefixroute
       valid_lft 295sec preferred_lft 115sec
    inet6 2409:4064:e13:b062::1/128 scope global dynamic noprefixroute
       valid_lft 86342sec preferred_lft 86342sec
    inet6 fe80::5e02:14ff:fe61:ac86/64 scope link
       valid_lft forever preferred_lft forever
10: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::5c02:14ff:fe61:ac86/64 scope link
       valid_lft forever preferred_lft forever
11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 500
    inet6 fd42:42:42:42::4/112 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::a618:e1fd:a7a0:9931/64 scope link flags 800
       valid_lft forever preferred_lft forever
default from 2409:4064:e13:b062::1 via fe80::3660:f9ff:fe90:1705 dev wlan0  metric 384
default from 2409:4064:e13:b062::/64 via fe80::3660:f9ff:fe90:1705 dev wlan0  metric 384
::/3 dev tun0  metric 1024
2409:4064:e13:b062::/64 dev wlan0  metric 256
unreachable 2409:4064:e13:b062::/64 dev lo  metric 2147483647
2000::/4 dev tun0  metric 1024
3000::/4 dev tun0  metric 1024
2000::/3 dev tun0  metric 1024
fd42:42:42:42::/112 dev tun0  metric 256
fd4e:424f:5ca4::/64 dev br-lan  metric 1024
unreachable fd4e:424f:5ca4::/48 dev lo  metric 2147483647
fc00::/7 dev tun0  metric 1024
fe80::/64 dev eth0  metric 256
fe80::/64 dev br-lan  metric 256
fe80::/64 dev wlan0  metric 256
fe80::/64 dev wlan0-1  metric 256
fe80::/64 dev tun0  metric 256
local ::1 dev lo table local  metric 0
anycast 2409:4064:e13:b062:: dev wlan0 table local  metric 0
local 2409:4064:e13:b062::1 dev wlan0 table local  metric 0
local 2409:4064:e13:b062:5e02:14ff:fe61:ac86 dev wlan0 table local  metric 0
anycast fd42:42:42:42:: dev tun0 table local  metric 0
local fd42:42:42:42::4 dev tun0 table local  metric 0
anycast fd4e:424f:5ca4:: dev br-lan table local  metric 0
local fd4e:424f:5ca4::1 dev br-lan table local  metric 0
anycast fe80:: dev eth0 table local  metric 0
anycast fe80:: dev br-lan table local  metric 0
anycast fe80:: dev wlan0-1 table local  metric 0
anycast fe80:: dev wlan0 table local  metric 0
anycast fe80:: dev tun0 table local  metric 0
local fe80::5c02:14ff:fe61:ac86 dev wlan0-1 table local  metric 0
local fe80::5e02:14ff:fe61:ac84 dev eth0 table local  metric 0
local fe80::5e02:14ff:fe61:ac84 dev br-lan table local  metric 0
local fe80::5e02:14ff:fe61:ac86 dev wlan0 table local  metric 0
local fe80::a618:e1fd:a7a0:9931 dev tun0 table local  metric 0
multicast ff00::/8 dev eth0 table local  metric 256
multicast ff00::/8 dev br-lan table local  metric 256
multicast ff00::/8 dev wlan0 table local  metric 256
multicast ff00::/8 dev wlan0-1 table local  metric 256
multicast ff00::/8 dev tun0 table local  metric 256
0:      from all lookup local
32766:  from all lookup main

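Enable IPv6 masquerading on the upstream firewall zone, that is ovpn in your case. The `option masq '1'` already set on that zone only covers IPv4; IPv6 masquerading needs the separate `masq6` option. Note also that your wan zone has input and forward set to ACCEPT, so the router is open to the upstream network; the OpenWrt default for both is REJECT.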

I can't find the option in LuCI. Can you help me with the commands?
I am very new to this and I don't want to mess it up. Please.

# Configure firewall
uci -q delete firewall.@zone[1].masq6
uci -q delete firewall.nat66
uci set firewall.nat66="nat"
uci set firewall.nat66.family="ipv6"
uci set firewall.nat66.proto="all"
uci set firewall.nat66.src="opvpn"
uci set firewall.nat66.src_ip="fc00::/7"
uci set firewall.nat66.target="MASQUERADE"
uci commit firewall
/etc/init.d/firewall restart

will this be okay??

That is not implemented yet. Use this instead:

uci set firewall.@zone[2].masq6="1"
uci commit firewall
/etc/init.d/firewall restart

Another problem is that you are missing the IPv6 default route over the VPN interface.
The VPN server must explicitly support IPv6 and push the IPv6 default route to make it work.

port 8080
proto tcp6
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS <nextdns ip>"
push "dhcp-option DNS <nextdns ip>"
push "redirect-gateway def1 bypass-dhcp"
server-ipv6 fd42:42:42:42::/112
tun-ipv6
push tun-ipv6
push "route-ipv6 2000::/3"
push "redirect-gateway ipv6"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_NXTYFmolH9z3HYe4.crt
key server_NXTYFmolH9z3HYe4.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3

This is my OpenVPN server config. I used this script to install it on my dual-stack server.
I tried that command and rebooted, but still no luck.

Change the IPv6 VPN prefix to /64, restart the server and reconnect the client, and collect the client side VPN connection log.

Config after change:

...old

push "redirect-gateway def1 bypass-dhcp"
server-ipv6 fd42:42:42:42::/64
tun-ipv6
push tun-ipv6
push "route-ipv6 2000::/3"

...old

Log of connection from openwrt system log:


Sun Jun  4 12:54:19 2023 daemon.warn openvpn(digi)[1973]: Unrecognized option or missing or extra parameter(s) in /etc/openvpn/digi.ovpn:18: block-outside-dns (2.5.7)
Sun Jun  4 12:54:19 2023 daemon.notice openvpn(digi)[1973]: OpenVPN 2.5.7 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun Jun  4 12:54:19 2023 daemon.notice openvpn(digi)[1973]: library versions: OpenSSL 1.1.1t  7 Feb 2023, LZO 2.10
Sun Jun  4 12:54:19 2023 daemon.warn openvpn(digi)[1973]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Jun  4 12:54:20 2023 user.notice firewall: Reloading firewall due to ifup of lan (br-lan)
Sun Jun  4 12:54:20 2023 daemon.notice openvpn(digi)[1973]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Jun  4 12:54:20 2023 daemon.notice openvpn(digi)[1973]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jun  4 12:54:20 2023 daemon.notice openvpn(digi)[1973]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Jun  4 12:54:20 2023 daemon.notice openvpn(digi)[1973]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jun  4 12:54:20 2023 daemon.notice openvpn(digi)[1973]: TCP/UDP: Preserving recently used remote address: [AF_INET][my server ip]:8080
Sun Jun  4 12:54:20 2023 daemon.notice openvpn(digi)[1973]: Socket Buffers: R=[131072->131072] S=[16384->16384]
Sun Jun  4 12:54:20 2023 daemon.notice openvpn(digi)[1973]: Attempting to establish TCP connection with [AF_INET][my server ip]:8080 [nonblock]
Sun Jun  4 12:54:20 2023 daemon.err openvpn(digi)[1973]: TCP: connect to [AF_INET][my server ip]:8080 failed: Network unreachable
Sun Jun  4 12:54:20 2023 daemon.notice openvpn(digi)[1973]: SIGUSR1[connection failed(soft),init_instance] received, process restarting
Sun Jun  4 12:54:20 2023 daemon.notice openvpn(digi)[1973]: Restart pause, 5 second(s)
Sun Jun  4 12:54:20 2023 daemon.err odhcpd[1581]: Failed to send to ff02::1%lan@br-lan (Address not available)
Sun Jun  4 12:54:20 2023 kern.info kernel: [   23.346684] mt7530 mdio-bus:1f lan1: Link is Up - 100Mbps/Full - flow control rx/tx
Sun Jun  4 12:54:20 2023 kern.info kernel: [   23.354825] br-lan: port 1(lan1) entered blocking state
Sun Jun  4 12:54:20 2023 kern.info kernel: [   23.360217] br-lan: port 1(lan1) entered forwarding state
Sun Jun  4 12:54:20 2023 daemon.notice netifd: Network device 'lan1' link is up
Sun Jun  4 12:54:20 2023 daemon.notice netifd: bridge 'br-lan' link is up
Sun Jun  4 12:54:20 2023 daemon.notice netifd: Interface 'lan' has link connectivity
Sun Jun  4 12:54:20 2023 kern.info kernel: [   23.409290] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready
Sun Jun  4 12:54:21 2023 daemon.err odhcpd[1581]: Failed to send to fe80::9ce6:6ce4:bdf8:673b%lan@br-lan (Address not available)
Sun Jun  4 12:54:21 2023 daemon.info procd: - init complete -
Sun Jun  4 12:54:21 2023 daemon.notice hostapd: Configuration file: /var/run/hostapd-phy0.conf (phy wlan0-1) --> new PHY
Sun Jun  4 12:54:21 2023 kern.info kernel: [   23.889622] br-lan: port 3(wlan0-1) entered blocking state
Sun Jun  4 12:54:21 2023 kern.info kernel: [   23.895244] br-lan: port 3(wlan0-1) entered disabled state
Sun Jun  4 12:54:21 2023 kern.info kernel: [   23.901486] device wlan0-1 entered promiscuous mode
Sun Jun  4 12:54:21 2023 kern.info kernel: [   23.907050] br-lan: port 3(wlan0-1) entered blocking state
Sun Jun  4 12:54:21 2023 kern.info kernel: [   23.912571] br-lan: port 3(wlan0-1) entered forwarding state
Sun Jun  4 12:54:21 2023 daemon.notice hostapd: wlan0-1: interface state UNINITIALIZED->ENABLED
Sun Jun  4 12:54:21 2023 daemon.notice hostapd: wlan0-1: AP-ENABLED
Sun Jun  4 12:54:21 2023 daemon.notice hostapd: handle_probe_req: send failed
Sun Jun  4 12:54:21 2023 daemon.notice hostapd: handle_probe_req: send failed
Sun Jun  4 12:54:21 2023 kern.info kernel: [   24.363518] br-lan: port 3(wlan0-1) entered disabled state
Sun Jun  4 12:54:21 2023 daemon.err odhcpd[1581]: Failed to send to ff02::1%lan@br-lan (Address not available)
Sun Jun  4 12:54:23 2023 daemon.notice netifd: radio0 (2042): sh: out of range
Sun Jun  4 12:54:23 2023 daemon.notice netifd: Wireless device 'radio0' is now up
Sun Jun  4 12:54:23 2023 daemon.notice netifd: Interface 'wwan' is enabled
Sun Jun  4 12:54:24 2023 daemon.notice wpa_supplicant[1479]: wlan0: SME: Trying to authenticate with 34:60:f9:90:17:05 (SSID='connecting..' freq=2422 MHz)
Sun Jun  4 12:54:24 2023 kern.info kernel: [   27.009519] wlan0: authenticate with 34:60:f9:90:17:05
Sun Jun  4 12:54:24 2023 kern.info kernel: [   27.020949] wlan0: send auth to 34:60:f9:90:17:05 (try 1/3)
Sun Jun  4 12:54:24 2023 daemon.notice wpa_supplicant[1479]: wlan0: Trying to associate with 34:60:f9:90:17:05 (SSID='connecting..' freq=2422 MHz)
Sun Jun  4 12:54:24 2023 kern.info kernel: [   27.028587] wlan0: authenticated
Sun Jun  4 12:54:24 2023 kern.info kernel: [   27.033439] wlan0: associate with 34:60:f9:90:17:05 (try 1/3)
Sun Jun  4 12:54:24 2023 daemon.notice netifd: Network device 'wlan0' link is up
Sun Jun  4 12:54:24 2023 daemon.notice netifd: Interface 'wwan' has link connectivity
Sun Jun  4 12:54:24 2023 daemon.notice netifd: Interface 'wwan' is setting up now
Sun Jun  4 12:54:24 2023 daemon.notice wpa_supplicant[1479]: wlan0: Associated with 34:60:f9:90:17:05
Sun Jun  4 12:54:24 2023 daemon.notice wpa_supplicant[1479]: wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Sun Jun  4 12:54:24 2023 kern.info kernel: [   27.046202] wlan0: RX AssocResp from 34:60:f9:90:17:05 (capab=0x1c11 status=0 aid=1)
Sun Jun  4 12:54:24 2023 kern.info kernel: [   27.054216] wlan0: associated
Sun Jun  4 12:54:24 2023 daemon.notice wpa_supplicant[1479]: RRM: Ignoring radio measurement request: Not associated
Sun Jun  4 12:54:24 2023 daemon.notice netifd: wwan (2761): udhcpc: started, v1.35.0
Sun Jun  4 12:54:24 2023 daemon.notice wpa_supplicant[1479]: wlan0: Unknown event 37
Sun Jun  4 12:54:24 2023 daemon.notice netifd: wwan (2761): udhcpc: broadcasting discover
Sun Jun  4 12:54:24 2023 daemon.notice wpa_supplicant[1479]: wlan0: WPA: Key negotiation completed with 34:60:f9:90:17:05 [PTK=CCMP GTK=CCMP]
Sun Jun  4 12:54:24 2023 daemon.notice wpa_supplicant[1479]: wlan0: CTRL-EVENT-CONNECTED - Connection to 34:60:f9:90:17:05 completed [id=0 id_str=]
Sun Jun  4 12:54:24 2023 kern.info kernel: [   27.394349] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
Sun Jun  4 12:54:25 2023 kern.info kernel: [   27.616468] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0-1: link becomes ready
Sun Jun  4 12:54:25 2023 kern.info kernel: [   27.623567] br-lan: port 3(wlan0-1) entered blocking state
Sun Jun  4 12:54:25 2023 kern.info kernel: [   27.629077] br-lan: port 3(wlan0-1) entered forwarding state
Sun Jun  4 12:54:25 2023 daemon.notice netifd: Network device 'wlan0-1' link is up
Sun Jun  4 12:54:25 2023 daemon.notice wpa_supplicant[1479]: wlan0: Unknown event 37
Sun Jun  4 12:54:25 2023 daemon.notice netifd: wwan (2761): udhcpc: broadcasting select for 192.168.1.100, server 192.168.1.1
Sun Jun  4 12:54:25 2023 daemon.warn openvpn(digi)[1973]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Jun  4 12:54:25 2023 daemon.notice openvpn(digi)[1973]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Jun  4 12:54:25 2023 daemon.notice openvpn(digi)[1973]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jun  4 12:54:25 2023 daemon.notice openvpn(digi)[1973]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Jun  4 12:54:25 2023 daemon.notice openvpn(digi)[1973]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jun  4 12:54:25 2023 daemon.notice openvpn(digi)[1973]: TCP/UDP: Preserving recently used remote address: [AF_INET][my server ip]:8080
Sun Jun  4 12:54:25 2023 daemon.notice openvpn(digi)[1973]: Socket Buffers: R=[131072->131072] S=[16384->16384]
Sun Jun  4 12:54:25 2023 daemon.notice openvpn(digi)[1973]: Attempting to establish TCP connection with [AF_INET][my server ip]:8080 [nonblock]
Sun Jun  4 12:54:25 2023 daemon.err openvpn(digi)[1973]: TCP: connect to [AF_INET][my server ip]:8080 failed: Network unreachable
Sun Jun  4 12:54:25 2023 daemon.notice openvpn(digi)[1973]: SIGUSR1[connection failed(soft),init_instance] received, process restarting
Sun Jun  4 12:54:25 2023 daemon.notice openvpn(digi)[1973]: Restart pause, 5 second(s)
Sun Jun  4 12:54:25 2023 daemon.info dnsmasq[1]: exiting on receipt of SIGTERM
Sun Jun  4 12:54:25 2023 daemon.info dnsmasq[1]: started, version 2.86 cachesize 150
Sun Jun  4 12:54:25 2023 daemon.info dnsmasq[1]: DNS service limited to local subnets
Sun Jun  4 12:54:25 2023 daemon.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
Sun Jun  4 12:54:25 2023 daemon.info dnsmasq[1]: UBus support enabled: connected to system bus
Sun Jun  4 12:54:25 2023 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 10.0.0.100 -- 10.0.0.249, lease time 12h
Sun Jun  4 12:54:25 2023 daemon.info dnsmasq[1]: using only locally-known addresses for test
Sun Jun  4 12:54:25 2023 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Sun Jun  4 12:54:25 2023 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Sun Jun  4 12:54:25 2023 daemon.info dnsmasq[1]: using only locally-known addresses for local
Sun Jun  4 12:54:25 2023 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Sun Jun  4 12:54:25 2023 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Sun Jun  4 12:54:25 2023 daemon.info dnsmasq[1]: using only locally-known addresses for lan
Sun Jun  4 12:54:25 2023 daemon.warn dnsmasq[1]: no servers found in /tmp/resolv.conf.d/resolv.conf.auto, will retry
Sun Jun  4 12:54:25 2023 daemon.info dnsmasq[1]: read /etc/hosts - 4 addresses
Sun Jun  4 12:54:25 2023 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 2 addresses
Sun Jun  4 12:54:25 2023 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Sun Jun  4 12:54:25 2023 daemon.notice netifd: wwan (2761): udhcpc: lease of 192.168.1.100 obtained from 192.168.1.1, lease time 86400
Sun Jun  4 12:54:26 2023 daemon.notice netifd: Interface 'wwan6' is enabled
Sun Jun  4 12:54:26 2023 daemon.notice netifd: Network alias 'wlan0' link is up
Sun Jun  4 12:54:26 2023 daemon.notice netifd: Interface 'wwan6' has link connectivity
Sun Jun  4 12:54:26 2023 daemon.notice netifd: Interface 'wwan6' is setting up now
Sun Jun  4 12:54:26 2023 daemon.notice netifd: Interface 'wwan' is now up
Sun Jun  4 12:54:26 2023 daemon.info dnsmasq[1]: reading /tmp/resolv.conf.d/resolv.conf.auto
Sun Jun  4 12:54:26 2023 daemon.info dnsmasq[1]: using nameserver 192.168.1.1#53
Sun Jun  4 12:54:26 2023 daemon.info dnsmasq[1]: using only locally-known addresses for test
Sun Jun  4 12:54:26 2023 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Sun Jun  4 12:54:26 2023 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Sun Jun  4 12:54:26 2023 daemon.info dnsmasq[1]: using only locally-known addresses for local
Sun Jun  4 12:54:26 2023 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Sun Jun  4 12:54:26 2023 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Sun Jun  4 12:54:26 2023 daemon.info dnsmasq[1]: using only locally-known addresses for lan
Sun Jun  4 12:54:26 2023 daemon.err odhcp6c[2973]: Failed to send RS (Address not available)
Sun Jun  4 12:54:26 2023 user.notice firewall: Reloading firewall due to ifup of wwan (wlan0)
Sun Jun  4 12:54:26 2023 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 10.0.0.130 f8:0d:ac:55:98:a0
Sun Jun  4 12:54:26 2023 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 10.0.0.130 f8:0d:ac:55:98:a0 HP
Sun Jun  4 12:54:27 2023 daemon.info dnsmasq[1]: read /etc/hosts - 4 addresses
Sun Jun  4 12:54:27 2023 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 2 addresses
Sun Jun  4 12:54:27 2023 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Sun Jun  4 12:54:28 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Sun Jun  4 12:54:29 2023 daemon.notice netifd: Interface 'wwan6' is now up
Sun Jun  4 12:54:29 2023 daemon.info dnsmasq[1]: reading /tmp/resolv.conf.d/resolv.conf.auto
Sun Jun  4 12:54:29 2023 daemon.info dnsmasq[1]: using nameserver 192.168.1.1#53
Sun Jun  4 12:54:29 2023 daemon.info dnsmasq[1]: using nameserver 2405:200:800::1#53
Sun Jun  4 12:54:29 2023 daemon.info dnsmasq[1]: using only locally-known addresses for test
Sun Jun  4 12:54:29 2023 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Sun Jun  4 12:54:29 2023 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Sun Jun  4 12:54:29 2023 daemon.info dnsmasq[1]: using only locally-known addresses for local
Sun Jun  4 12:54:29 2023 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Sun Jun  4 12:54:29 2023 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Sun Jun  4 12:54:29 2023 daemon.info dnsmasq[1]: using only locally-known addresses for lan
Sun Jun  4 12:54:29 2023 user.notice firewall: Reloading firewall due to ifup of wwan6 (wlan0)
Sun Jun  4 12:54:30 2023 daemon.warn odhcpd[1581]: A default route is present but there is no public prefix on lan thus we don't announce a default route!
Sun Jun  4 12:54:30 2023 daemon.warn openvpn(digi)[1973]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Jun  4 12:54:30 2023 daemon.notice openvpn(digi)[1973]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Jun  4 12:54:30 2023 daemon.notice openvpn(digi)[1973]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jun  4 12:54:30 2023 daemon.notice openvpn(digi)[1973]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Jun  4 12:54:30 2023 daemon.notice openvpn(digi)[1973]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jun  4 12:54:30 2023 daemon.notice openvpn(digi)[1973]: TCP/UDP: Preserving recently used remote address: [AF_INET][my server ip]:8080
Sun Jun  4 12:54:30 2023 daemon.notice openvpn(digi)[1973]: Socket Buffers: R=[131072->131072] S=[16384->16384]
Sun Jun  4 12:54:30 2023 daemon.notice openvpn(digi)[1973]: Attempting to establish TCP connection with [AF_INET][my server ip]:8080 [nonblock]
Sun Jun  4 12:54:30 2023 daemon.notice openvpn(digi)[1973]: TCP connection established with [AF_INET][my server ip]:8080
Sun Jun  4 12:54:30 2023 daemon.notice openvpn(digi)[1973]: TCP_CLIENT link local: (not bound)
Sun Jun  4 12:54:30 2023 daemon.notice openvpn(digi)[1973]: TCP_CLIENT link remote: [AF_INET][my server ip]:8080
Sun Jun  4 12:54:30 2023 daemon.notice openvpn(digi)[1973]: TLS: Initial packet from [AF_INET][my server ip]:8080, sid=8eebb5a8 46a359ae
Sun Jun  4 12:54:31 2023 daemon.notice openvpn(digi)[1973]: VERIFY OK: depth=1, CN=cn_1sZhMedwaYqxH1nV
Sun Jun  4 12:54:31 2023 daemon.notice openvpn(digi)[1973]: VERIFY KU OK
Sun Jun  4 12:54:31 2023 daemon.notice openvpn(digi)[1973]: Validating certificate extended key usage
Sun Jun  4 12:54:31 2023 daemon.notice openvpn(digi)[1973]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Jun  4 12:54:31 2023 daemon.notice openvpn(digi)[1973]: VERIFY EKU OK
Sun Jun  4 12:54:31 2023 daemon.notice openvpn(digi)[1973]: VERIFY X509NAME OK: CN=server_NXTYFmolH9z3HYe4
Sun Jun  4 12:54:31 2023 daemon.notice openvpn(digi)[1973]: VERIFY OK: depth=0, CN=server_NXTYFmolH9z3HYe4
Sun Jun  4 12:54:32 2023 user.info : luci: accepted login on / for root from 10.0.0.130
Sun Jun  4 12:54:32 2023 daemon.notice openvpn(digi)[1973]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bit EC, curve prime256v1, signature: ecdsa-with-SHA256
Sun Jun  4 12:54:32 2023 daemon.notice openvpn(digi)[1973]: [server_NXTYFmolH9z3HYe4] Peer Connection Initiated with [AF_INET][my server ip]:8080
Sun Jun  4 12:54:32 2023 daemon.info hostapd: wlan0-1: STA fa:ee:4a:87:f0:bf IEEE 802.11: authenticated
Sun Jun  4 12:54:32 2023 daemon.info hostapd: wlan0-1: STA fa:ee:4a:87:f0:bf IEEE 802.11: associated (aid 1)
Sun Jun  4 12:54:32 2023 daemon.notice openvpn(digi)[1973]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 45.90.28.22,dhcp-option DNS 45.90.30.22,redirect-gateway def1 bypass-dhcp,tun-ipv6,route-ipv6 2000::/3,redirect-gateway ipv6,tun-ipv6,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 fd42:42:42:42::1002/64 fd42:42:42:42::1,ifconfig 10.8.0.4 255.255.255.0,peer-id 0,cipher AES-128-GCM'
Sun Jun  4 12:54:32 2023 daemon.warn openvpn(digi)[1973]: WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
Sun Jun  4 12:54:32 2023 daemon.notice openvpn(digi)[1973]: OPTIONS IMPORT: timers and/or timeouts modified
Sun Jun  4 12:54:32 2023 daemon.notice openvpn(digi)[1973]: OPTIONS IMPORT: --ifconfig/up options modified
Sun Jun  4 12:54:32 2023 daemon.notice openvpn(digi)[1973]: OPTIONS IMPORT: route options modified
Sun Jun  4 12:54:32 2023 daemon.notice openvpn(digi)[1973]: OPTIONS IMPORT: route-related options modified
Sun Jun  4 12:54:32 2023 daemon.notice openvpn(digi)[1973]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Jun  4 12:54:32 2023 daemon.notice openvpn(digi)[1973]: OPTIONS IMPORT: peer-id set
Sun Jun  4 12:54:32 2023 daemon.notice openvpn(digi)[1973]: OPTIONS IMPORT: adjusting link_mtu to 1626
Sun Jun  4 12:54:32 2023 daemon.notice openvpn(digi)[1973]: OPTIONS IMPORT: data channel crypto options modified
Sun Jun  4 12:54:32 2023 daemon.notice openvpn(digi)[1973]: Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Sun Jun  4 12:54:32 2023 daemon.notice openvpn(digi)[1973]: Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Sun Jun  4 12:54:32 2023 daemon.notice openvpn(digi)[1973]: net_route_v4_best_gw query: dst 0.0.0.0
Sun Jun  4 12:54:32 2023 daemon.notice openvpn(digi)[1973]: net_route_v4_best_gw result: via 192.168.1.1 dev wlan0
Sun Jun  4 12:54:32 2023 daemon.notice openvpn(digi)[1973]: GDG6: remote_host_ipv6=n/a
Sun Jun  4 12:54:32 2023 daemon.notice openvpn(digi)[1973]: net_route_v6_best_gw query: dst ::
Sun Jun  4 12:54:32 2023 daemon.warn openvpn(digi)[1973]: sitnl_send: rtnl: generic error (-128): Network unreachable
Sun Jun  4 12:54:32 2023 daemon.notice netifd: Interface 'opvpn' is enabled
Sun Jun  4 12:54:32 2023 daemon.notice openvpn(digi)[1973]: TUN/TAP device tun0 opened
Sun Jun  4 12:54:32 2023 daemon.notice netifd: Network device 'tun0' link is up
Sun Jun  4 12:54:32 2023 daemon.notice netifd: Interface 'opvpn' has link connectivity
Sun Jun  4 12:54:32 2023 daemon.notice netifd: Interface 'opvpn' is setting up now
Sun Jun  4 12:54:32 2023 daemon.notice openvpn(digi)[1973]: net_iface_mtu_set: mtu 1500 for tun0
Sun Jun  4 12:54:32 2023 daemon.notice netifd: Interface 'opvpn' is now up
Sun Jun  4 12:54:32 2023 daemon.notice openvpn(digi)[1973]: net_iface_up: set tun0 up
Sun Jun  4 12:54:32 2023 daemon.notice openvpn(digi)[1973]: net_addr_v4_add: 10.8.0.4/24 dev tun0
Sun Jun  4 12:54:32 2023 daemon.notice openvpn(digi)[1973]: net_iface_mtu_set: mtu 1500 for tun0
Sun Jun  4 12:54:32 2023 daemon.notice openvpn(digi)[1973]: net_iface_up: set tun0 up
Sun Jun  4 12:54:32 2023 daemon.notice openvpn(digi)[1973]: net_addr_v6_add: fd42:42:42:42::1002/64 dev tun0
Sun Jun  4 12:54:32 2023 daemon.notice openvpn(digi)[1973]: /usr/libexec/openvpn-hotplug up digi tun0 1500 1626 10.8.0.4 255.255.255.0 init
Sun Jun  4 12:54:33 2023 daemon.notice hostapd: wlan0-1: AP-STA-CONNECTED fa:ee:4a:87:f0:bf
Sun Jun  4 12:54:33 2023 daemon.info hostapd: wlan0-1: STA fa:ee:4a:87:f0:bf WPA: pairwise key handshake completed (RSN)
Sun Jun  4 12:54:33 2023 daemon.notice hostapd: EAPOL-4WAY-HS-COMPLETED fa:ee:4a:87:f0:bf
Sun Jun  4 12:54:33 2023 daemon.notice openvpn(digi)[1973]: net_route_v4_add: [my server ip]/32 via 192.168.1.1 dev [NULL] table 0 metric -1
Sun Jun  4 12:54:33 2023 daemon.notice openvpn(digi)[1973]: net_route_v4_add: 0.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
Sun Jun  4 12:54:33 2023 daemon.notice openvpn(digi)[1973]: net_route_v4_add: 128.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
Sun Jun  4 12:54:33 2023 daemon.notice openvpn(digi)[1973]: add_route_ipv6(2000::/3 -> fd42:42:42:42::1 metric -1) dev tun0
Sun Jun  4 12:54:33 2023 daemon.notice openvpn(digi)[1973]: net_route_v6_add: 2000::/3 via :: dev tun0 table 0 metric -1
Sun Jun  4 12:54:33 2023 daemon.notice openvpn(digi)[1973]: add_route_ipv6(::/3 -> fd42:42:42:42::1 metric -1) dev tun0
Sun Jun  4 12:54:33 2023 daemon.notice openvpn(digi)[1973]: net_route_v6_add: ::/3 via :: dev tun0 table 0 metric -1
Sun Jun  4 12:54:33 2023 daemon.notice openvpn(digi)[1973]: add_route_ipv6(2000::/4 -> fd42:42:42:42::1 metric -1) dev tun0
Sun Jun  4 12:54:33 2023 daemon.notice openvpn(digi)[1973]: net_route_v6_add: 2000::/4 via :: dev tun0 table 0 metric -1
Sun Jun  4 12:54:33 2023 daemon.notice openvpn(digi)[1973]: add_route_ipv6(3000::/4 -> fd42:42:42:42::1 metric -1) dev tun0
Sun Jun  4 12:54:33 2023 daemon.notice openvpn(digi)[1973]: net_route_v6_add: 3000::/4 via :: dev tun0 table 0 metric -1
Sun Jun  4 12:54:33 2023 daemon.notice openvpn(digi)[1973]: add_route_ipv6(fc00::/7 -> fd42:42:42:42::1 metric -1) dev tun0
Sun Jun  4 12:54:33 2023 daemon.notice openvpn(digi)[1973]: net_route_v6_add: fc00::/7 via :: dev tun0 table 0 metric -1
Sun Jun  4 12:54:33 2023 daemon.notice openvpn(digi)[1973]: Initialization Sequence Completed
Sun Jun  4 12:54:33 2023 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 10.0.0.176 fa:ee:4a:87:f0:bf
Sun Jun  4 12:54:33 2023 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 10.0.0.176 fa:ee:4a:87:f0:bf Redmi-Note-7-Pro
Sun Jun  4 12:54:33 2023 daemon.info dnsmasq[1]: read /etc/hosts - 4 addresses
Sun Jun  4 12:54:33 2023 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 2 addresses
Sun Jun  4 12:54:33 2023 daemon.info dnsmasq[1]: read /tmp/hosts/odhcpd - 0 addresses
Sun Jun  4 12:54:33 2023 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Sun Jun  4 12:54:33 2023 user.notice firewall: Reloading firewall due to ifup of opvpn (tun0)
Sun Jun  4 12:54:33 2023 daemon.warn odhcpd[1581]: A default route is present but there is no public prefix on lan thus we don't announce a default route!
Sun Jun  4 12:54:34 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Sun Jun  4 12:54:34 2023 daemon.info dnsmasq[1]: read /etc/hosts - 4 addresses
Sun Jun  4 12:54:34 2023 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 2 addresses
Sun Jun  4 12:54:34 2023 daemon.info dnsmasq[1]: read /tmp/hosts/odhcpd - 1 addresses
Sun Jun  4 12:54:34 2023 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Sun Jun  4 12:54:34 2023 daemon.warn odhcpd[1581]: A default route is present but there is no public prefix on lan thus we don't announce a default route!
Sun Jun  4 12:54:37 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Sun Jun  4 12:54:42 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Sun Jun  4 13:18:20 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Sun Jun  4 13:18:55 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com

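Announce the IPv6 default route on the LAN and disable GUA prefix delegation to prevent IPv6 leaks. The odhcpd warning in your log ("A default route is present but there is no public prefix on lan thus we don't announce a default route!") is why clients never try IPv6 through the router. With only ULA addresses on the LAN, client IPv6 traffic has to be NATed into the tunnel (masq6 on the VPN zone) instead of leaving with an ISP-assigned address:
https://openwrt.org/docs/guide-user/network/ipv6/ipv6_extras#announcing_ipv6_default_route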


This worked. Thanks. You are great.


Command:

# Diagnostic bundle: board/release info, the network, dhcp and firewall UCI
# config, the legacy /etc/firewall.user script if present, then IPv6 addresses,
# routes from every table and the policy-routing rules.
# The output exposes the ISP-assigned IPv6 prefix, the ULA prefix and EUI-64
# addresses that embed interface MACs; redact what should not be public
# before posting it.
ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru

Result:

{
        "kernel": "5.10.176",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Xiaomi Mi Router 4A Gigabit Edition",
        "board_name": "xiaomi,mi-router-4a-gigabit",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.5",
                "revision": "r20134-5f15225c1e",
                "target": "ramips/mt7621",
                "description": "OpenWrt 22.03.5 r20134-5f15225c1e"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd4e:424f:5ca4::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'

# LAN bridge: static IPv4 10.0.0.1/8 plus a /60 IPv6 assignment.
# ip6class 'local' restricts that assignment to the ULA prefix (ula_prefix in
# 'globals'), so no ISP-delegated GUA prefix is handed to LAN clients; br-lan
# accordingly shows only fd4e:424f:5ca4::1/60 in the `ip -6 addr` output.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        option ipaddr '10.0.0.1'
        option netmask '255.0.0.0'
        option ip6class 'local'

config interface 'wwan'
        option proto 'dhcp'
        option device 'wlan0'

config interface 'opvpn'
        option proto 'none'
        option device 'tun0'

config interface 'wwan6'
        option device '@wwan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

package dhcp

# dnsmasq resolver settings.
# rebind_protection '1' makes dnsmasq discard upstream answers that contain
# private-range addresses; it is the source of the "possible DNS-rebind attack
# detected" warnings in the system log. rebind_localhost '1' still lets
# 127.0.0.0/8 answers through.
# localservice '1' corresponds to the "DNS service limited to local subnets"
# log line.
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

# DHCPv4, DHCPv6 and router advertisements for the lan interface.
# ra_default '1' tells odhcpd to announce a default route even though the LAN
# has no public prefix; without it odhcpd logs "there is no public prefix on
# lan thus we don't announce a default route" and clients get no IPv6 gateway.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ra_default '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

# Global fallback policies for traffic no zone rule decides.
# NOTE(review): forward 'ACCEPT' means traffic between zones is forwarded even
# without a matching 'config forwarding' section, so lan -> wan is allowed and
# LAN clients are not held to the tunnel when the tun0 routes are absent. The
# stock OpenWrt value is forward 'REJECT'; restoring it makes the explicit
# lan -> ovpn forwarding the only path out.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

# Zone for the LAN bridge; everything is accepted from and towards it.
# NOTE(review): masq '1' masquerades traffic leaving through br-lan, which the
# VPN setup shown here does not appear to need; confirm it is intentional.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'lan'

# Zone for the upstream link (wwan/wwan6 on wlan0, the mobile hotspot).
# NOTE(review): input 'ACCEPT' exposes the router's own services (LuCI, SSH,
# DNS) to everything on the upstream network, and forward 'ACCEPT' lets
# upstream traffic be forwarded onwards. It also makes the Allow-* rules with
# src 'wan' below redundant. The stock OpenWrt wan zone uses input 'REJECT' and
# forward 'REJECT'; DHCP, DHCPv6 and ICMPv6 keep working through those rules.
config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wwan'
        list network 'wwan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Zone for the OpenVPN tunnel interface 'opvpn' (tun0).
# masq '1' / masq6 '1' NAT LAN traffic to the tunnel's own IPv4/IPv6 address;
# masq6 is what lets ULA-only LAN clients use IPv6 through the VPN.
# NOTE(review): input 'ACCEPT' and forward 'ACCEPT' trust everything arriving
# from the VPN side, including access to the router itself. For a VPN server
# you do not control, input 'REJECT' and forward 'REJECT' are the safer
# choice; replies to LAN-initiated connections are still accepted as
# established flows.
config zone
        option name 'ovpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'opvpn'
        option forward 'ACCEPT'
        option masq6 '1'

# Allow LAN clients to send traffic out through the VPN zone. This is the only
# explicit forwarding; with defaults forward 'ACCEPT' other zone pairs are
# forwarded as well.
config forwarding
        option src 'lan'
        option dest 'ovpn'

head: /etc/firewall.user: No such file or directory
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1504 state UP qlen 1000
    inet6 fe80::5e02:14ff:fe61:ac84/64 scope link
       valid_lft forever preferred_lft forever
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd4e:424f:5ca4::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::5e02:14ff:fe61:ac84/64 scope link
       valid_lft forever preferred_lft forever
9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2409:4064:e13:b062:5e02:14ff:fe61:ac86/64 scope global dynamic noprefixroute
       valid_lft 295sec preferred_lft 115sec
    inet6 2409:4064:e13:b062::2/128 scope global dynamic noprefixroute
       valid_lft 85780sec preferred_lft 85780sec
    inet6 fe80::5e02:14ff:fe61:ac86/64 scope link
       valid_lft forever preferred_lft forever
10: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::5c02:14ff:fe61:ac86/64 scope link
       valid_lft forever preferred_lft forever
11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 500
    inet6 fd42:42:42:42::1002/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::6a96:84b7:442f:1fe0/64 scope link flags 800
       valid_lft forever preferred_lft forever
default from 2409:4064:e13:b062::2 via fe80::3660:f9ff:fe90:1705 dev wlan0  metric 384
default from 2409:4064:e13:b062::/64 via fe80::3660:f9ff:fe90:1705 dev wlan0  metric 384
::/3 dev tun0  metric 1024
2409:4064:e13:b062::/64 dev wlan0  metric 256
unreachable 2409:4064:e13:b062::/64 dev lo  metric 2147483647
2000::/4 dev tun0  metric 1024
3000::/4 dev tun0  metric 1024
2000::/3 dev tun0  metric 1024
fd42:42:42:42::/64 dev tun0  metric 256
fd4e:424f:5ca4::/64 dev br-lan  metric 1024
unreachable fd4e:424f:5ca4::/48 dev lo  metric 2147483647
fc00::/7 dev tun0  metric 1024
fe80::/64 dev eth0  metric 256
fe80::/64 dev wlan0  metric 256
fe80::/64 dev wlan0-1  metric 256
fe80::/64 dev br-lan  metric 256
fe80::/64 dev tun0  metric 256
local ::1 dev lo table local  metric 0
anycast 2409:4064:e13:b062:: dev wlan0 table local  metric 0
local 2409:4064:e13:b062::2 dev wlan0 table local  metric 0
local 2409:4064:e13:b062:5e02:14ff:fe61:ac86 dev wlan0 table local  metric 0
anycast fd42:42:42:42:: dev tun0 table local  metric 0
local fd42:42:42:42::1002 dev tun0 table local  metric 0
anycast fd4e:424f:5ca4:: dev br-lan table local  metric 0
local fd4e:424f:5ca4::1 dev br-lan table local  metric 0
anycast fe80:: dev eth0 table local  metric 0
anycast fe80:: dev wlan0 table local  metric 0
anycast fe80:: dev wlan0-1 table local  metric 0
anycast fe80:: dev br-lan table local  metric 0
anycast fe80:: dev tun0 table local  metric 0
local fe80::5c02:14ff:fe61:ac86 dev wlan0-1 table local  metric 0
local fe80::5e02:14ff:fe61:ac84 dev eth0 table local  metric 0
local fe80::5e02:14ff:fe61:ac84 dev br-lan table local  metric 0
local fe80::5e02:14ff:fe61:ac86 dev wlan0 table local  metric 0
local fe80::6a96:84b7:442f:1fe0 dev tun0 table local  metric 0
multicast ff00::/8 dev eth0 table local  metric 256
multicast ff00::/8 dev br-lan table local  metric 256
multicast ff00::/8 dev wlan0 table local  metric 256
multicast ff00::/8 dev wlan0-1 table local  metric 256
multicast ff00::/8 dev tun0 table local  metric 256
0:      from all lookup local
32766:  from all lookup main

Command:

nft list ruleset

Result:

table inet fw4 {
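        # Base chain for traffic addressed to the router itself.
        # Policy is accept: anything the per-zone chains do not reject or drop
        # is let through. (Terminal line-wrap padding removed from the rules.)
        chain input {
                type filter hook input priority filter; policy accept;
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
                ct state established,related accept comment "!fw4: Allow inbound established and related flows"
                tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
                iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
                iifname "wlan0" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
                iifname "tun0" jump input_ovpn comment "!fw4: Handle ovpn IPv4/IPv6 input traffic"
        }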

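        # Base chain for traffic routed through the router.
        # Policy is accept: a packet that returns from its zone chain without a
        # verdict (for example lan -> wlan0, which forward_lan does not match)
        # is still forwarded, so nothing here confines LAN traffic to tun0.
        # (Terminal line-wrap padding removed from the rules.)
        chain forward {
                type filter hook forward priority filter; policy accept;
                ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
                iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
                iifname "wlan0" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
                iifname "tun0" jump forward_ovpn comment "!fw4: Handle ovpn IPv4/IPv6 forward traffic"
        }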

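        # Base chain for traffic originated by the router; policy accept.
        # (Terminal line-wrap padding removed from the rules.)
        chain output {
                type filter hook output priority filter; policy accept;
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
                ct state established,related accept comment "!fw4: Allow outbound established and related flows"
                oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
                oifname "wlan0" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
                oifname "tun0" jump output_ovpn comment "!fw4: Handle ovpn IPv4/IPv6 output traffic"
        }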

        # Prerouting filter hook with no rules; every packet passes by policy.
        chain prerouting {
                type filter hook prerouting priority filter; policy accept;
        }

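        # Shared reject helper: TCP gets a reset, everything else a plain
        # reject. No chain visible in this listing jumps to it, because every
        # zone is configured to accept.
        # (Terminal line-wrap padding removed from the rules.)
        chain handle_reject {
                meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
                reject comment "!fw4: Reject any other traffic"
        }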

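        # SYN rate limiter called from the input chain: up to 25 SYNs per
        # second (burst 50) return to the caller, the excess is dropped.
        # (Terminal line-wrap padding removed from the rules.)
        chain syn_flood {
                limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
                drop comment "!fw4: Drop excess packets"
        }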

        # Input arriving on br-lan: handed straight to accept_from_lan.
        chain input_lan {
                jump accept_from_lan
        }

        # Router-originated traffic leaving via br-lan: handed to accept_to_lan.
        chain output_lan {
                jump accept_to_lan
        }

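        # Forwarding decisions for packets that entered on br-lan: towards the
        # ovpn zone (the lan -> ovpn forwarding), then back into the lan zone.
        # There is no reject at the end, so lan -> wlan0 packets return to the
        # forward chain and are accepted by its policy.
        # (Terminal line-wrap padding removed from the rules.)
        chain forward_lan {
                jump accept_to_ovpn comment "!fw4: Accept lan to ovpn forwarding"
                jump accept_to_lan
        }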

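        # Accepts (and counts) everything that arrived on br-lan.
        # (Terminal line-wrap padding removed from the rule.)
        chain accept_from_lan {
                iifname "br-lan" counter packets 170 bytes 14943 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }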

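        # Accepts (and counts) everything leaving through br-lan.
        # (Terminal line-wrap padding removed from the rule.)
        chain accept_to_lan {
                oifname "br-lan" counter packets 67 bytes 5760 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }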

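        # Input from the wan zone (wlan0, the upstream hotspot).
        # The specific allow rules (DHCP renew, ping, IGMP, DHCPv6, MLD,
        # ICMPv6) are followed by an unconditional jump to accept_from_wan,
        # which accepts everything arriving on wlan0. The router's own services
        # are therefore reachable from the upstream network and the rules above
        # the jump do not narrow anything.
        # (Terminal line-wrap padding removed from the rules.)
        chain input_wan {
                meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
                icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
                meta nfproto ipv4 meta l4proto igmp counter packets 5 bytes 180 accept comment "!fw4: Allow-IGMP"
                meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
                ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 300 bytes 38400 accept comment "!fw4: Allow-ICMPv6-Input"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
                jump accept_from_wan
        }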

        # Router-originated traffic leaving via wlan0: handed to accept_to_wan.
        chain output_wan {
                jump accept_to_wan
        }

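        # Forward chain for zone "wan" (rule text rejoined where the terminal had
        # wrapped it mid-token). Order of evaluation:
        #   1. rate-limited ICMPv6 error/echo types are accepted for forwarding,
        #   2. ESP and UDP/500 (IKE) are passed to accept_to_lan, which is defined
        #      earlier in the ruleset,
        #   3. everything else is offered to accept_to_wan, which accepts only
        #      packets leaving through wlan0 again.
        # NOTE(review): the closing "jump accept_to_wan" is what fw4 emits when the
        # zone's forward policy is ACCEPT; the stock wan zone uses REJECT. Packets
        # that match none of these rules return to the calling chain, whose policy
        # is not shown in this excerpt.
        chain forward_wan {
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
                udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
                jump accept_to_wan
        }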

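        # Accepts every packet, IPv4 or IPv6, that arrives on wlan0 (rule text
        # rejoined where the terminal had wrapped it). input_wan ends with a jump
        # to this chain, so anything not matched earlier in input_wan is still let
        # through to the router itself.
        # NOTE(review): wlan0 is the upstream (hotspot) side here, and the stock
        # OpenWrt wan zone uses input REJECT. With ACCEPT, whatever the router
        # listens on is reachable from the upstream network; confirm this is
        # intended, otherwise set `option input 'REJECT'` on the wan zone.
        chain accept_from_wan {
                iifname "wlan0" counter packets 45 bytes 9348 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
        }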

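        # Accepts every packet that leaves through wlan0 (rule text rejoined where
        # the terminal had wrapped it). Jumped to from output_wan and forward_wan;
        # packets bound for any other interface fall through and return to the
        # caller.
        chain accept_to_wan {
                oifname "wlan0" counter packets 388 bytes 40541 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
        }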

        # Input chain for zone "ovpn": no per-service rules, everything is handed
        # to accept_from_ovpn.
        chain input_ovpn {
                jump accept_from_ovpn
        }

        # Output chain for zone "ovpn": router-originated traffic is handed to
        # accept_to_ovpn without further filtering.
        chain output_ovpn {
                jump accept_to_ovpn
        }

        # Forward chain for zone "ovpn": the only rule jumps to accept_to_ovpn,
        # which accepts packets leaving via tun0. Packets headed to any other
        # interface return to the caller undecided.
        chain forward_ovpn {
                jump accept_to_ovpn
        }

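        # Accepts every packet, IPv4 or IPv6, that arrives on tun0 (rule text
        # rejoined where the terminal had wrapped it). input_ovpn jumps straight
        # here, so the VPN side has unfiltered access to the router's own
        # services.
        # NOTE(review): if the tunnel terminates at a third-party VPN provider, the
        # far end is untrusted in the same way a wan uplink is. Consider
        # `option input 'REJECT'` on the ovpn zone; replies to connections started
        # from the LAN are presumably handled by the established/related rule
        # earlier in the ruleset, so they should not depend on this accept
        # (verify).
        chain accept_from_ovpn {
                iifname "tun0" counter packets 9 bytes 792 accept comment "!fw4: accept ovpn IPv4/IPv6 traffic"
        }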

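        # Accepts every packet that leaves through tun0 (rule text rejoined where
        # the terminal had wrapped it). Jumped to from output_ovpn and
        # forward_ovpn.
        chain accept_to_ovpn {
                oifname "tun0" counter packets 553 bytes 31143 accept comment "!fw4: accept ovpn IPv4/IPv6 traffic"
        }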

        # NAT base chain on the prerouting hook. It holds no rules in this dump,
        # so no destination NAT (port forward / redirect) is configured.
        chain dstnat {
                type nat hook prerouting priority dstnat; policy accept;
        }

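        # NAT base chain on the postrouting hook (rule text rejoined where the
        # terminal had wrapped it). It only dispatches on the outgoing interface:
        # br-lan -> srcnat_lan, wlan0 -> srcnat_wan, tun0 -> srcnat_ovpn. The
        # actual masquerade decisions are made in those per-zone chains.
        chain srcnat {
                type nat hook postrouting priority srcnat; policy accept;
                oifname "br-lan" jump srcnat_lan comment "!fw4: Handle lan IPv4/IPv6 srcnat traffic"
                oifname "wlan0" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
                oifname "tun0" jump srcnat_ovpn comment "!fw4: Handle ovpn IPv4/IPv6 srcnat traffic"
        }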

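        # Masquerades IPv4 traffic leaving through br-lan (rule text rejoined where
        # the terminal had wrapped it); IPv6 is left untouched.
        # NOTE(review): masquerading on the lan zone is not part of the stock
        # configuration. It makes forwarded IPv4 traffic appear to LAN hosts as
        # coming from the router, which hides the real source in their logs.
        # Confirm it is needed.
        chain srcnat_lan {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 lan traffic"
        }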

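        # Masquerades IPv4 traffic leaving through wlan0 (rule text rejoined where
        # the terminal had wrapped it). There is no IPv6 rule here, so IPv6 packets
        # leave wlan0 with their original source address.
        chain srcnat_wan {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
        }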

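        # Masquerades both IPv4 and IPv6 traffic leaving through tun0 (rule text
        # rejoined where the terminal had wrapped it). With the IPv6 rule, LAN
        # clients' IPv6 packets leave the tunnel carrying the tunnel's own address
        # (NAT66); presumably this is the change that made IPv6 work through the
        # VPN in this thread.
        # Masquerading only rewrites source addresses and is not an inbound
        # filter. What may enter from tun0 is decided by input_ovpn and
        # accept_from_ovpn, not here.
        chain srcnat_ovpn {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 ovpn traffic"
                meta nfproto ipv6 masquerade comment "!fw4: Masquerade IPv6 ovpn traffic"
        }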

        # Base chain on the prerouting hook at raw priority. It holds no rules in
        # this dump, so every packet continues to the later chains.
        chain raw_prerouting {
                type filter hook prerouting priority raw; policy accept;
        }

        # Base chain on the output hook at raw priority. It holds no rules in this
        # dump.
        chain raw_output {
                type filter hook output priority raw; policy accept;
        }

        # Base chain on the prerouting hook at mangle priority. It holds no rules
        # in this dump.
        chain mangle_prerouting {
                type filter hook prerouting priority mangle; policy accept;
        }

        # Base chain on the postrouting hook at mangle priority. It holds no rules
        # in this dump.
        chain mangle_postrouting {
                type filter hook postrouting priority mangle; policy accept;
        }

        # Base chain on the input hook at mangle priority. It holds no rules in
        # this dump.
        chain mangle_input {
                type filter hook input priority mangle; policy accept;
        }

        # Route-type base chain on the output hook at mangle priority. It holds no
        # rules in this dump, so locally generated packets pass unmodified.
        chain mangle_output {
                type route hook output priority mangle; policy accept;
        }

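        # Base chain on the forward hook at mangle priority (rule text rejoined
        # where the terminal had wrapped it). For forwarded TCP SYN packets that
        # enter or leave through wlan0 or tun0, it rewrites the MSS option to the
        # value derived from the route MTU ("MTU fixing"). Nothing is accepted or
        # dropped here; the rules only alter the TCP option.
        chain mangle_forward {
                type filter hook forward priority mangle; policy accept;
                iifname "wlan0" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
                oifname "wlan0" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
                iifname "tun0" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone ovpn IPv4/IPv6 ingress MTU fixing"
                oifname "tun0" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone ovpn IPv4/IPv6 egress MTU fixing"
        }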
}

These are all the final values after the fix, posted for future reference and for other users who run into the same issue.
