OpenVPN access to LAN

This has probably been discussed often, but I can't get it working.

What I want:
Connect from Internet to my router via OpenVPN (works).
Access all LAN clients through this connection (does not work).
My router LAN ip: 192.168.1.1

My config files:

/etc/config/openvpn

config openvpn 'home'
 option enabled '1'
 option config "/etc/openvpn/server.ovpn"

/etc/openvpn/server.ovpn

verb 3
user nobody
group nogroup
dev tun0
port 1194
proto udp
server 192.168.10.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 120
persist-tun
persist-key
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.10.1"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
log /etc/openvpn/openvpn.log
local ***.***.***.***
[...] here are sections with my keys [...]

/etc/config/firewall

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'lan'
        # NOTE(review): this also puts tun0 into the lan zone, in addition to the
        # 'VPN' zone further down (which gets tun0 via network 'vpn'). An
        # interface that sits in two zones is handled by whichever zone's chains
        # are hit first: the iptables-save output later in this thread shows
        # tun0 jumping to zone_lan_forward before zone_vpn_forward, and
        # zone_lan_forward ends in zone_lan_dest_REJECT, so new vpn -> lan
        # connections are rejected before the VPN zone's vpn -> lan forwarding
        # is ever consulted. Remove this line and let the 'vpn' network alone
        # place tun0 in the VPN zone.
        option device 'tun0'
        option forward 'REJECT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 wan2'

config forwarding
        option src 'lan'
        option dest 'wan'

config include
        option path '/etc/firewall.user'

config zone
        option name 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'guest'
        option input 'REJECT'

config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'
        option name 'Guest DNS'
        option src 'guest'

config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '67-68'
        option name 'Guest DHCP'
        option src 'guest'

config forwarding
        option dest 'wan'
        option src 'guest'

config rule 'vpn'
        option name 'Allow-OpenVPN'
        option dest_port '1194'
        option proto 'udp'
        option target 'ACCEPT'
        option src 'wan'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'vpn'
        option name 'VPN'
        option forward 'ACCEPT'

config forwarding
        option dest 'lan'
        option src 'VPN'

config rule
        option enabled '1'
        option target 'ACCEPT'
        option dest 'lan'
        option name 'OpenVPN'
        option src 'VPN'

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd22:5fd8:c23c::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth0'
        option _orig_ifname 'eth0'
        option _orig_bridge 'false'
        option proto 'pppoe'
        option username '****'
        option password '****'
        option ipv6 'auto'
        option metric '10'

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0 1 2 3'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 6'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '4 6t'

config interface 'wan2'
        option proto 'dhcp'
        option ifname 'eth0.3'
        option metric '20'

config interface 'guest'
        option _orig_ifname 'wlan0-1'
        option _orig_bridge 'false'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

config interface 'vpn'
        option ifname 'tun0'
        option proto 'none'
        option auto '1'

Please help if anybody knows a solution (maybe a small config issue?).
Thanks in advance!

  1. Take out the DNAT section relating to OpenVPN. It's not necessary. The "local" directive tells OpenVPN to listen on the public IP address anyway, so using DNAT to route incoming traffic to the LAN IP address of the same device churns CPU cycles for no benefit.

  2. Push a route to the OpenVPN clients, for the internal subnet(s) you want them to be able to reach.

Thanks for your reply.
Unfortunately it doesn't solve my problem. Or I did something wrong.

Edited my config files above.

Off the top of my head, that looks better. But I might have missed something.

Check the routing table(s) of the clients. When OpenVPN is connected, do the clients now have an explicitly-defined route to 192.168.1.0/24? And does that route disappear when OpenVPN disconnects?

I also forgot to mention something.
Everything works when I disable the firewall on my router:

/etc/init.d/firewall stop

Now I can access the LAN via VPN.
It seems the clients are fine.

Something in the firewall configuration is not correct.

Now that's odd, because your firewall configuration looks like it should permit traffic from the VPN to the LAN (but not the guest subnet):

Perhaps another forum member might spot something I've missed.

ip addr show; ip route show; ip rule show; iptables-save

Maybe important (but I don't think so):
Using LEDE 17.01.5 with MWAN3

ip addr show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether f4:f2:6d:52:95:03 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::f6f2:6dff:fe52:9503/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP group default qlen 1000
    link/ether f4:f2:6d:52:95:02 brd ff:ff:ff:ff:ff:ff
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether f4:f2:6d:52:95:02 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd22:5fd8:c23c::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::f6f2:6dff:fe52:9502/64 scope link
       valid_lft forever preferred_lft forever
6: eth0.3@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether f4:f2:6d:52:95:03 brd ff:ff:ff:ff:ff:ff
    inet 192.168.8.100/24 brd 192.168.8.255 scope global eth0.3
       valid_lft forever preferred_lft forever
    inet6 fe80::f6f2:6dff:fe52:9503/64 scope link
       valid_lft forever preferred_lft forever
7: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether f4:f2:6d:52:95:02 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::f6f2:6dff:fe52:9502/64 scope link
       valid_lft forever preferred_lft forever
10: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether f6:f2:6d:52:95:02 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global wlan0-1
       valid_lft forever preferred_lft forever
    inet6 fe80::f4f2:6dff:fe52:9502/64 scope link
       valid_lft forever preferred_lft forever
17: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
    link/ppp
    inet 91.148.136.161 peer 91.148.136.0/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
18: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 192.168.10.1/24 brd 192.168.10.255 scope global tun0
       valid_lft forever preferred_lft forever

ip route show

default via 91.148.136.0 dev pppoe-wan  proto static  metric 10
default via 192.168.8.1 dev eth0.3  proto static  src 192.168.8.100  metric 20
91.148.136.0 dev pppoe-wan  proto kernel  scope link  src 91.148.136.161
192.168.1.0/24 dev br-lan  proto kernel  scope link  src 192.168.1.1
192.168.2.0/24 dev wlan0-1  proto kernel  scope link  src 192.168.2.1
192.168.8.0/24 dev eth0.3  proto static  scope link  metric 20
192.168.8.1 dev eth0.3  proto static  scope link  src 192.168.8.100  metric 20
192.168.10.0/24 dev tun0  proto kernel  scope link  src 192.168.10.1

ip rule show

0:      from all lookup local
1001:   from all iif pppoe-wan lookup main
1002:   from all iif eth0.3 lookup main
2001:   from all fwmark 0x100/0xff00 lookup 1
2002:   from all fwmark 0x200/0xff00 lookup 2
2253:   from all fwmark 0xfd00/0xff00 blackhole
2254:   from all fwmark 0xfe00/0xff00 unreachable
32766:  from all lookup main
32767:  from all lookup default

iptables-save

# Generated by iptables-save v1.4.21 on Sat Aug  3 08:02:37 2019
*nat
:PREROUTING ACCEPT [12:2146]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1:55]
:POSTROUTING ACCEPT [1:55]
:postrouting_guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpn_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpn_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpn_postrouting - [0:0]
:zone_vpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: user chain for prerouting" -j prerouting_rule
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i eth0.3 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i wlan0-1 -m comment --comment "!fw3" -j zone_guest_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpn_prerouting
-A POSTROUTING -m comment --comment "!fw3: user chain for postrouting" -j postrouting_rule
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth0.3 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o wlan0-1 -m comment --comment "!fw3" -j zone_guest_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpn_postrouting
-A zone_guest_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_guest_rule
-A zone_guest_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_guest_rule
-A zone_lan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_lan_rule
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.160/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: Dreambox (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.160/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: Dreambox (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_lan_rule
-A zone_lan_prerouting -s 192.168.1.0/24 -d 91.148.136.161/32 -p tcp -m tcp --dport 25443 -m comment --comment "!fw3: Dreambox (reflection)" -j DNAT --to-destination 192.168.1.160:443
-A zone_lan_prerouting -s 192.168.1.0/24 -d 91.148.136.161/32 -p udp -m udp --dport 25443 -m comment --comment "!fw3: Dreambox (reflection)" -j DNAT --to-destination 192.168.1.160:443
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.8.100/32 -p tcp -m tcp --dport 25443 -m comment --comment "!fw3: Dreambox (reflection)" -j DNAT --to-destination 192.168.1.160:443
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.8.100/32 -p udp -m udp --dport 25443 -m comment --comment "!fw3: Dreambox (reflection)" -j DNAT --to-destination 192.168.1.160:443
-A zone_vpn_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_vpn_rule
-A zone_vpn_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_vpn_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_vpn_rule
-A zone_wan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_wan_rule
-A zone_wan_prerouting -s 37.221.197.244/32 -p tcp -m tcp --dport 25443 -m comment --comment "!fw3: Dreambox" -j DNAT --to-destination 192.168.1.160:443
-A zone_wan_prerouting -s 37.221.197.244/32 -p udp -m udp --dport 25443 -m comment --comment "!fw3: Dreambox" -j DNAT --to-destination 192.168.1.160:443
COMMIT
# Completed on Sat Aug  3 08:02:37 2019
# Generated by iptables-save v1.4.21 on Sat Aug  3 08:02:37 2019
*mangle
:PREROUTING ACCEPT [92:10609]
:INPUT ACCEPT [65:4640]
:FORWARD ACCEPT [16:3927]
:OUTPUT ACCEPT [89:17345]
:POSTROUTING ACCEPT [105:21272]
:mwan3_connected - [0:0]
:mwan3_hook - [0:0]
:mwan3_iface_in_wan - [0:0]
:mwan3_iface_in_wan2 - [0:0]
:mwan3_iface_out_wan - [0:0]
:mwan3_iface_out_wan2 - [0:0]
:mwan3_ifaces_in - [0:0]
:mwan3_ifaces_out - [0:0]
:mwan3_policy_balanced - [0:0]
:mwan3_policy_wan2_only - [0:0]
:mwan3_policy_wan2_wan - [0:0]
:mwan3_policy_wan_only - [0:0]
:mwan3_policy_wan_wan2 - [0:0]
:mwan3_rule_Laptop_Roland - [0:0]
:mwan3_rule_MC_Kueche - [0:0]
:mwan3_rule_MC_Master - [0:0]
:mwan3_rules - [0:0]
-A PREROUTING -j mwan3_hook
-A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth0.3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m limit --limit 100/sec -m comment --comment "!fw3: vpn (mtu_fix logging)" -j LOG --log-prefix "MSSFIX(vpn): "
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: vpn (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j mwan3_hook
-A mwan3_connected -m set --match-set mwan3_connected dst -j MARK --set-xmark 0xff00/0xff00
-A mwan3_hook -j CONNMARK --restore-mark --nfmask 0xff00 --ctmask 0xff00
-A mwan3_hook -m mark --mark 0x0/0xff00 -j mwan3_ifaces_in
-A mwan3_hook -m mark --mark 0x0/0xff00 -j mwan3_connected
-A mwan3_hook -m mark --mark 0x0/0xff00 -j mwan3_ifaces_out
-A mwan3_hook -m mark --mark 0x0/0xff00 -j mwan3_rules
-A mwan3_hook -j CONNMARK --save-mark --nfmask 0xff00 --ctmask 0xff00
-A mwan3_hook -m mark ! --mark 0xff00/0xff00 -j mwan3_connected
-A mwan3_iface_in_wan -i pppoe-wan -m set --match-set mwan3_connected src -m mark --mark 0x0/0xff00 -m comment --comment default -j MARK --set-xmark 0xff00/0xff00
-A mwan3_iface_in_wan -i pppoe-wan -m mark --mark 0x0/0xff00 -m comment --comment wan -j MARK --set-xmark 0x100/0xff00
-A mwan3_iface_in_wan2 -i eth0.3 -m set --match-set mwan3_connected src -m mark --mark 0x0/0xff00 -m comment --comment default -j MARK --set-xmark 0xff00/0xff00
-A mwan3_iface_in_wan2 -i eth0.3 -m mark --mark 0x0/0xff00 -m comment --comment wan2 -j MARK --set-xmark 0x200/0xff00
-A mwan3_iface_out_wan -s 91.148.136.161/32 -m mark --mark 0x0/0xff00 -m comment --comment wan -j MARK --set-xmark 0x100/0xff00
-A mwan3_iface_out_wan2 -s 192.168.8.100/32 -m mark --mark 0x0/0xff00 -m comment --comment wan2 -j MARK --set-xmark 0x200/0xff00
-A mwan3_ifaces_in -m mark --mark 0x0/0xff00 -j mwan3_iface_in_wan
-A mwan3_ifaces_in -m mark --mark 0x0/0xff00 -j mwan3_iface_in_wan2
-A mwan3_ifaces_out -m mark --mark 0x0/0xff00 -j mwan3_iface_out_wan
-A mwan3_ifaces_out -m mark --mark 0x0/0xff00 -j mwan3_iface_out_wan2
-A mwan3_policy_balanced -m mark --mark 0x0/0xff00 -m statistic --mode random --probability 0.39999999991 -m comment --comment "wan2 2 5" -j MARK --set-xmark 0x200/0xff00
-A mwan3_policy_balanced -m mark --mark 0x0/0xff00 -m comment --comment "wan 3 3" -j MARK --set-xmark 0x100/0xff00
-A mwan3_policy_wan2_only -m mark --mark 0x0/0xff00 -m comment --comment "wan2 2 2" -j MARK --set-xmark 0x200/0xff00
-A mwan3_policy_wan2_wan -m mark --mark 0x0/0xff00 -m comment --comment "wan2 2 2" -j MARK --set-xmark 0x200/0xff00
-A mwan3_policy_wan_only -m mark --mark 0x0/0xff00 -m comment --comment "wan 3 3" -j MARK --set-xmark 0x100/0xff00
-A mwan3_policy_wan_wan2 -m mark --mark 0x0/0xff00 -m comment --comment "wan 3 3" -j MARK --set-xmark 0x100/0xff00
-A mwan3_rule_Laptop_Roland -m mark --mark 0x0/0xff00 -j MARK --set-xmark 0x200/0xff00
-A mwan3_rule_Laptop_Roland -m mark --mark 0x200/0xff00 -m set ! --match-set mwan3_sticky_Laptop_Roland src,src -j MARK --set-xmark 0x0/0xff00
-A mwan3_rule_Laptop_Roland -m mark --mark 0x0/0xff00 -j mwan3_policy_wan2_only
-A mwan3_rule_Laptop_Roland -m mark ! --mark 0xfc00/0xfc00 -j SET --del-set mwan3_sticky_Laptop_Roland src,src
-A mwan3_rule_Laptop_Roland -m mark ! --mark 0xfc00/0xfc00 -j SET --add-set mwan3_sticky_Laptop_Roland src,src
-A mwan3_rule_MC_Kueche -m mark --mark 0x0/0xff00 -j MARK --set-xmark 0x200/0xff00
-A mwan3_rule_MC_Kueche -m mark --mark 0x200/0xff00 -m set ! --match-set mwan3_sticky_MC_Kueche src,src -j MARK --set-xmark 0x0/0xff00
-A mwan3_rule_MC_Kueche -m mark --mark 0x0/0xff00 -j mwan3_policy_wan2_only
-A mwan3_rule_MC_Kueche -m mark ! --mark 0xfc00/0xfc00 -j SET --del-set mwan3_sticky_MC_Kueche src,src
-A mwan3_rule_MC_Kueche -m mark ! --mark 0xfc00/0xfc00 -j SET --add-set mwan3_sticky_MC_Kueche src,src
-A mwan3_rule_MC_Master -m mark --mark 0x0/0xff00 -j MARK --set-xmark 0x200/0xff00
-A mwan3_rule_MC_Master -m mark --mark 0x200/0xff00 -m set ! --match-set mwan3_sticky_MC_Master src,src -j MARK --set-xmark 0x0/0xff00
-A mwan3_rule_MC_Master -m mark --mark 0x0/0xff00 -j mwan3_policy_wan2_only
-A mwan3_rule_MC_Master -m mark ! --mark 0xfc00/0xfc00 -j SET --del-set mwan3_sticky_MC_Master src,src
-A mwan3_rule_MC_Master -m mark ! --mark 0xfc00/0xfc00 -j SET --add-set mwan3_sticky_MC_Master src,src
-A mwan3_rules -s 192.168.1.123/32 -m mark --mark 0x0/0xff00 -m comment --comment Laptop_Roland -j mwan3_rule_Laptop_Roland
-A mwan3_rules -m set --match-set dreambox dst -m mark --mark 0x0/0xff00 -m comment --comment Dreambox -j mwan3_policy_wan2_only
-A mwan3_rules -s 192.168.1.134/32 -m mark --mark 0x0/0xff00 -m comment --comment MC_Master -j mwan3_rule_MC_Master
-A mwan3_rules -s 192.168.1.229/32 -m mark --mark 0x0/0xff00 -m comment --comment MC_Kueche -j mwan3_rule_MC_Kueche
-A mwan3_rules -s 192.168.1.0/24 -m mark --mark 0x0/0xff00 -m comment --comment Home -j mwan3_policy_wan_wan2
-A mwan3_rules -s 192.168.2.0/24 -m mark --mark 0x0/0xff00 -m comment --comment Guest -j mwan3_policy_wan_only
COMMIT
# Completed on Sat Aug  3 08:02:37 2019
# Generated by iptables-save v1.4.21 on Sat Aug  3 08:02:37 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpn_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpn_rule - [0:0]
:input_wan_rule - [0:0]
:output_guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpn_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_dest_REJECT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_dest_REJECT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpn_dest_ACCEPT - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
:zone_vpn_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: user chain for input" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN-Inbound" -j ACCEPT
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth0.3 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i wlan0-1 -m comment --comment "!fw3" -j zone_guest_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_input
-A FORWARD -m comment --comment "!fw3: user chain for forwarding" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth0.3 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i wlan0-1 -m comment --comment "!fw3" -j zone_guest_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: user chain for output" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth0.3 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o wlan0-1 -m comment --comment "!fw3" -j zone_guest_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpn_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_guest_dest_ACCEPT -o wlan0-1 -m comment --comment "!fw3" -j ACCEPT
-A zone_guest_dest_REJECT -o wlan0-1 -m comment --comment "!fw3" -j reject
-A zone_guest_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_guest_rule
-A zone_guest_forward -m comment --comment "!fw3: forwarding guest -> wan" -j zone_wan_dest_ACCEPT
-A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_REJECT
-A zone_guest_input -m comment --comment "!fw3: user chain for input" -j input_guest_rule
-A zone_guest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Guest DNS" -j ACCEPT
-A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Guest DNS" -j ACCEPT
-A zone_guest_input -p tcp -m tcp --dport 67:68 -m comment --comment "!fw3: Guest DHCP" -j ACCEPT
-A zone_guest_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: Guest DHCP" -j ACCEPT
-A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_REJECT
-A zone_guest_output -m comment --comment "!fw3: user chain for output" -j output_guest_rule
-A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
-A zone_guest_src_REJECT -i wlan0-1 -m comment --comment "!fw3" -j reject
-A zone_lan_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
-A zone_lan_dest_REJECT -o br-lan -m comment --comment "!fw3" -j reject
-A zone_lan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> vpn" -j zone_vpn_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_REJECT
-A zone_lan_input -m comment --comment "!fw3: user chain for input" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: user chain for output" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_vpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_vpn_rule
-A zone_vpn_forward -m comment --comment "!fw3: forwarding vpn -> lan" -j zone_lan_dest_ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3: forwarding vpn -> wan" -j zone_wan_dest_ACCEPT
-A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_input -m comment --comment "!fw3: user chain for input" -j input_vpn_rule
-A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
-A zone_vpn_output -m comment --comment "!fw3: user chain for output" -j output_vpn_rule
-A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.3 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.3 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o eth0 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o eth0.3 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: user chain for input" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: user chain for output" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth0 -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth0.3 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sat Aug  3 08:02:37 2019

I have no experience with mwan3, but it seems it is not so simple:
https://forum.openwrt.org/search?q=openvpn+mwan

Got it now.
Updated to 18.06.4 and everything works:
VPN
VPN => LAN
MWAN3
And all other stuff (e.g. dnsmasq-full)

Everything with standard settings described in
https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic


For everybody with the same problem: here are my current configs. They work (LEDE 17.01.5).

/etc/config/interfaces

[...]
# Logical interface wrapping the OpenVPN tun device. proto 'none' means netifd
# does no addressing itself (OpenVPN configures tun0); the interface exists so
# the firewall can reference it by network name ('vpn') instead of a raw device.
config interface 'vpn'
        option proto 'none'
        option ifname 'tun0'
[...]

/etc/config/firewall

[...]
# Inbound OpenVPN: UDP/1194 to the router itself.
config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        # src '*' accepts the port from every zone, not only from wan. Restrict
        # to 'wan' if VPN connections are only ever expected from the Internet.
        option src '*'
        option proto 'udp'
        option dest_port '1194'

# Dedicated zone for the tunnel, populated through the 'vpn' network (tun0).
# Keep tun0 out of the lan zone's device list: in the earlier config in this
# thread tun0 was in both zones and the lan zone's chains rejected vpn -> lan
# traffic before this zone was reached.
config zone
        option name 'vpn'
        # input ACCEPT lets VPN clients reach every service on the router
        # (SSH, LuCI, DNS, ...). Add explicit rules instead if clients should
        # only get DNS/DHCP-style access.
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'vpn'
        # Only governs vpn -> vpn forwarding through the kernel; traffic between
        # clients is handled inside OpenVPN by client-to-client.
        option forward 'REJECT'

# VPN clients may reach the Internet (needed because the server pushes
# redirect-gateway; masquerading is done by the wan zone).
config forwarding
        option src 'vpn'
        option dest 'wan'

# VPN clients may reach the LAN; this forwarding is what the thread is about.
config forwarding
        option src 'vpn'
        option dest 'lan'
[...]

/etc/config/openvpn

# OpenVPN instance 'home'. With 'config' set, the init script starts the daemon
# on this file directly; the server settings live there, not in UCI options.
config openvpn 'home'
        option enabled '1'
        option config "/etc/openvpn/vpnserver.conf"

/etc/openvpn/vpnserver.conf

# Routed (tun) OpenVPN server: clients are addressed from 192.168.10.0/24 and
# are pushed a route to the 192.168.1.0/24 LAN plus a default route.
verb 3
# Drop root after start-up. persist-key/persist-tun below keep the key material
# and the tun device across SIGUSR1/ping-restart restarts, which the unprivileged
# process could otherwise not re-open.
user nobody
group nogroup
dev tun0
port 1194
proto udp
server 192.168.10.0 255.255.255.0
topology subnet
# Client-to-client traffic is switched inside the OpenVPN process, so the
# firewall's vpn zone forward policy does not see it.
client-to-client
keepalive 10 120
persist-tun
persist-key
# Route to the home LAN: this is what makes LAN hosts reachable via the tunnel
# (together with the vpn -> lan forwarding in /etc/config/firewall).
push "route 192.168.1.0 255.255.255.0"
# Router LAN address first so names in the 'lan' domain resolve; the public
# resolvers are fallbacks. NOTE(review): the router's resolver must accept
# queries arriving from 192.168.10.0/24 on tun0 - verify on your build.
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DOMAIN lan"
# Full tunnel: all client Internet traffic goes through the VPN (requires the
# vpn -> wan forwarding in the firewall).
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
# /tmp is RAM-backed on LEDE/OpenWrt, so this log does not survive a reboot.
log /tmp/openvpn.log
local xxx.xxx.xxx.xxx   # important to bind to your wan interface (in use with mwan3)
[...] section with keys [...]

There is also a script (run every 5 minutes) that writes the current WAN IP into the config file.
You may have to change the ubus call to the WAN interface you use.

/etc/openvpn/set_wanip.sh

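#!/bin/sh
# Keep the "local <ip>" directive of the OpenVPN server config in sync with the
# current WAN address (the WAN IP changes with PPPoE / mwan3 fail-over).
# Intended to run periodically from cron as root; OpenVPN is restarted only
# when the address actually changed, since a restart drops every client session.
# Uses only POSIX sh features so it also runs under BusyBox ash (no bash needed).

file=/etc/openvpn/vpnserver.conf

# Address currently bound in the config. Match only the real "local" directive
# at the start of a line: the file also holds inline key/certificate blocks and
# comments, and an unanchored /local/ could match (and later delete) those.
CONFIGIP=$(grep -E '^local[[:space:]]' "$file" \
        | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' \
        | head -n 1)

# Current WAN address as reported by netifd; the IPv4 regex skips any IPv6
# "address" entries and head keeps a single value if several match.
# Adjust network.interface.wan if your WAN interface is named differently.
WANIP=$(ubus call network.interface.wan status \
        | grep '"address"' \
        | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' \
        | head -n 1)

# WAN down or ubus failure: there is no address to write. Do nothing rather
# than writing an empty "local" line and restarting OpenVPN into a broken state.
if [ -z "$WANIP" ]; then
        exit 0
fi

if [ "$CONFIGIP" != "$WANIP" ]; then
        # Remove only the anchored directive, then append the new one.
        sed -i '/^local[[:space:]]/d' "$file"
        echo "local $WANIP" >> "$file"
        /etc/init.d/openvpn restart
fi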

No extra changes on mwan3 configuration.
