OpenVPN client - access internet via VPN

Hi
I've got a TL-WR1043ND router running LEDE Reboot 17.01.6. I want to use this router as an OpenVPN client in order to access the internet via a remote router running OpenWRT and OpenVPN.
I've been digging through the manuals and the forum and by now I've succeeded in getting the server side up and running. I succeeded in connecting to the server via my android phone to check if the server setup works properly. I can access the internet through VPN via the phone properly.
However I cannot find the reason why I can't get my client on the router to work properly.

I can see that the interface is up and available.

root@LEDE:~# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.4  P-t-P:10.8.0.4  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:3 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:252 (252.0 B)  TX bytes:252 (252.0 B)

When I connect to the client router via SSH and run traceroute -i tun0 8.8.8.8, I can see that it's routing via the VPN server. The same goes for ping -I tun0 8.8.8.8, where I can see the expected latency increase.

However, when I try to access the internet via a browser, my public IP is still the client router's, not the VPN server router's. It seems that nothing goes via the VPN.
I believe the problem is within the firewall/interface settings, but I can't put my finger on it.

Any comments are greatly appreciated.

Client router:
/etc/config/network

# /etc/config/network on the client router.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd04:78d3:8bd8::/48'

# LAN side: 192.168.2.0/24 on the br-lan bridge (switch VLAN 1).
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.2.1'

# WAN side: eth0.2 (switch VLAN 2) gets its address by DHCP from the
# upstream 192.168.1.0/24 network (see 'ip address show' further down).
config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 5t'

# tun0 is declared as an unmanaged interface (proto 'none') only so that the
# 'tun0' firewall zone can reference it by network name; OpenVPN assigns the
# address itself (the do_ifconfig line in the logread output). The _orig_*
# keys look like LuCI leftovers from a proto change and presumably have no
# effect on the tunnel — confirm before relying on them.
config interface 'tun0'
	option ifname 'tun0'
	option _orig_ifname 'tun0'
	option _orig_bridge 'false'
	option proto 'none'
	option auto '1'

/etc/config/firewall

# /etc/config/firewall on the client router. Zones: lan (trusted), wan
# (upstream, NATed) and tun0 (the VPN, also NATed).
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	# Forwarding between zones is denied unless a 'config forwarding'
	# section below explicitly allows it.
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# NOTE(review): the next two rules accept unsolicited IPsec (ESP and
# IKE/ISAKMP) from wan into lan. They only make sense if a LAN host
# terminates IPsec; otherwise they widen the WAN-facing attack surface
# for no benefit and can be removed.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

# miniupnpd lets LAN hosts open WAN ports on their own (the MINIUPNPD
# chains in the iptables-save output); keep only if that is wanted.
config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

# VPN zone: anything arriving from the tunnel is rejected (input and
# forward), which is the right default for a client tunnel. masq is needed
# because the server side knows nothing about 192.168.2.0/24.
config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option name 'tun0'
	option network 'tun0'

# lan may forward to both tun0 and wan. Which exit is actually used is
# decided by the routing table, not by the firewall: while the client's
# default route points at eth0.2 (see 'ip route show' below) LAN traffic
# leaves via wan and only 10.8.0.0/24 is reachable through tun0.
config forwarding
	option dest 'tun0'
	option src 'lan'

config forwarding
	option dest 'wan'
	option src 'lan'

Client OpenVPN
/etc/config/openvpn

# /etc/config/openvpn on the client router.
# NOTE(review): the logread output below warns "No server certificate
# verification method has been enabled": the client only checks that the
# server's certificate chains to ca.crt, not that it was issued as a server
# certificate, so any certificate from the same CA would be accepted as the
# server. `option remote_cert_tls 'server'` closes that gap, provided the
# server certificate was issued with the server extended key usage.
config openvpn 'sample_client'
	option client '1'
	# Must match the ifname used by the 'tun0' network interface and zone.
	option dev 'tun0'
	option proto 'udp'
	option resolv_retry 'infinite'
	option nobind '1'
	option tun_mtu '1500'
	option persist_key '1'
	option persist_tun '1'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/client.crt'
	option key '/etc/openvpn/client.key'
	# 'compress lzo' and 'comp_lzo yes' are redundant; one of them suffices,
	# and compression on a VPN is generally discouraged nowadays.
	option compress 'lzo'
	option enabled '1'
	list remote 'server-hostname 1194'
	option verb '3'
	option comp_lzo 'yes'
	# float lets the server's source address change without dropping the
	# session; harmless here but only needed in unusual NAT setups.
	option float '1'
	# Silences the replay-protection log lines, which removes a useful
	# signal when diagnosing duplicated or reordered packets.
	option mute_replay_warnings '1'
	option cipher 'AES-256-GCM'

Server OpenVPN
/etc/config/openvpn

# /etc/config/openvpn on the server router.
# NOTE(review): nothing here pushes a default route to clients, and the
# PUSH_REPLY in the client log below carries only route-gateway, topology,
# ping, ifconfig, peer-id and cipher — so the client keeps its own default
# route via eth0.2 and browser traffic never enters the tunnel. In UCI the
# push is a list entry, `list push 'redirect-gateway def1'`, and the server
# must be restarted before the client reconnects for it to appear in the
# PUSH_REPLY.
config openvpn 'sample_server'
	option proto 'udp'
	option port '1194'
	option dev_type 'tun'
	option dev 'tun'
	option server '10.8.0.0 255.255.255.0'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	# NOTE(review): the file name suggests a 1024-bit DH group; if so,
	# regenerate it with at least 2048 bits.
	option dh '/etc/openvpn/dh1024.pem'
	option tun_mtu '1500'
	option keepalive '10 120'
	option topology 'subnet'
	# Unusual for a tun/subnet server (the pushed route-gateway is 10.8.0.1
	# regardless) — presumably a leftover; confirm it is intended.
	option route_gateway 'dhcp'
	# Lets every VPN client reach every other client directly inside
	# OpenVPN, bypassing the server's firewall — keep only if intended.
	option client_to_client '1'
	option persist_key '1'
	option persist_tun '1'
	option ifconfig_pool_persist '/tmp/ipp.txt'
	option status '/tmp/openvpn-status.log'
	option compress 'lzo'
	option comp_lzo 'yes'
	# verb 0 logs only fatal errors, so failed handshakes and rejected
	# clients leave no trace on the server; 3 is the usual level.
	option verb '0'
	option cipher 'AES-256-GCM'
	option enabled '1'

I've tried editing the firewall, but the result is either internet without VPN or nothing at all (I can still reach both the local router via 192.168.2.1 and the remote one via 10.8.0.1, and ping and traceroute still work properly via SSH).

Any ideas what's wrong?

Add one of these:

# Server
push "redirect-gateway def1"

# Client
redirect-gateway def1

If the issue persists, establish the VPN connection and collect the diagnostics:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/client#troubleshooting


Added the line to the server config file, but it didn't make a difference.

Here's the output from the troubleshooting steps:

root@LEDE:~# # Restart services
root@LEDE:~# /etc/init.d/log restart; /etc/init.d/openvpn restart; sleep 10
root@LEDE:~#  # Log and status
root@LEDE:~# logread -e openvpn; netstat -l -n -p | grep -e openvpn
Wed Sep 16 19:47:57 2020 daemon.err openvpn(sample_client)[2353]: event_wait : Interrupted system call (code=4)
Wed Sep 16 19:47:57 2020 daemon.notice openvpn(sample_client)[2353]: Closing TUN/TAP interface
Wed Sep 16 19:47:57 2020 daemon.notice openvpn(sample_client)[2353]: /sbin/ifconfig tun0 0.0.0.0
Wed Sep 16 19:47:57 2020 daemon.notice openvpn(sample_client)[2353]: SIGTERM[hard,] received, process exiting
Wed Sep 16 19:47:57 2020 daemon.notice openvpn(sample_client)[2633]: OpenVPN 2.4.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed Sep 16 19:47:57 2020 daemon.notice openvpn(sample_client)[2633]: library versions: OpenSSL 1.0.2t  10 Sep 2019, LZO 2.10
Wed Sep 16 19:47:57 2020 daemon.warn openvpn(sample_client)[2633]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Sep 16 19:47:57 2020 daemon.notice openvpn(sample_client)[2633]: TCP/UDP: Preserving recently used remote address: [AF_INET]server_IP_address:1194
Wed Sep 16 19:47:57 2020 daemon.notice openvpn(sample_client)[2633]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Wed Sep 16 19:47:57 2020 daemon.notice openvpn(sample_client)[2633]: UDP link local: (not bound)
Wed Sep 16 19:47:57 2020 daemon.notice openvpn(sample_client)[2633]: UDP link remote: [AF_INET]server_IP_address:1194
Wed Sep 16 19:47:57 2020 daemon.notice openvpn(sample_client)[2633]: TLS: Initial packet from [AF_INET]server_IP_address:1194, sid=50f39416 a784956c
Wed Sep 16 19:47:57 2020 daemon.notice openvpn(sample_client)[2633]: VERIFY OK: depth=1, CN=vpnca
Wed Sep 16 19:47:57 2020 daemon.notice openvpn(sample_client)[2633]: VERIFY OK: depth=0, CN=vpnserver
Wed Sep 16 19:47:58 2020 daemon.notice openvpn(sample_client)[2633]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Sep 16 19:47:58 2020 daemon.notice openvpn(sample_client)[2633]: [vpnserver] Peer Connection Initiated with [AF_INET]server_IP_address:1194
Wed Sep 16 19:47:59 2020 daemon.notice openvpn(sample_client)[2633]: SENT CONTROL [vpnserver]: 'PUSH_REQUEST' (status=1)
Wed Sep 16 19:47:59 2020 daemon.notice openvpn(sample_client)[2633]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 1,cipher AES-256-GCM'
Wed Sep 16 19:47:59 2020 daemon.notice openvpn(sample_client)[2633]: OPTIONS IMPORT: timers and/or timeouts modified
Wed Sep 16 19:47:59 2020 daemon.notice openvpn(sample_client)[2633]: OPTIONS IMPORT: --ifconfig/up options modified
Wed Sep 16 19:47:59 2020 daemon.notice openvpn(sample_client)[2633]: OPTIONS IMPORT: route-related options modified
Wed Sep 16 19:47:59 2020 daemon.notice openvpn(sample_client)[2633]: OPTIONS IMPORT: peer-id set
Wed Sep 16 19:47:59 2020 daemon.notice openvpn(sample_client)[2633]: OPTIONS IMPORT: adjusting link_mtu to 1625
Wed Sep 16 19:47:59 2020 daemon.notice openvpn(sample_client)[2633]: OPTIONS IMPORT: data channel crypto options modified
Wed Sep 16 19:47:59 2020 daemon.notice openvpn(sample_client)[2633]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Sep 16 19:47:59 2020 daemon.notice openvpn(sample_client)[2633]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Sep 16 19:47:59 2020 daemon.notice openvpn(sample_client)[2633]: TUN/TAP device tun0 opened
Wed Sep 16 19:47:59 2020 daemon.notice openvpn(sample_client)[2633]: TUN/TAP TX queue length set to 100
Wed Sep 16 19:47:59 2020 daemon.notice openvpn(sample_client)[2633]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Sep 16 19:47:59 2020 daemon.notice openvpn(sample_client)[2633]: /sbin/ifconfig tun0 10.8.0.2 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Wed Sep 16 19:47:59 2020 daemon.warn openvpn(sample_client)[2633]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Sep 16 19:47:59 2020 daemon.notice openvpn(sample_client)[2633]: Initialization Sequence Completed
udp        0      0 0.0.0.0:41391           0.0.0.0:*                           2633/openvpn
root@LEDE:~#  # Runtime configuration
root@LEDE:~# pgrep -f -a openvpn
pgrep: unrecognized option: a
BusyBox v1.25.1 () multi-call binary.

Usage: pgrep [-flnovx] [-s SID|-P PPID|PATTERN]

Display process(es) selected by regex PATTERN

        -l      Show command name too
        -f      Match against entire command line
        -n      Show the newest process only
        -o      Show the oldest process only
        -v      Negate the match
        -x      Match whole name (not substring)
        -s      Match session ID (0 for current)
        -P      Match parent process ID
root@LEDE:~# ip address show; ip route show; ip rule show; iptables-save
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether f4:ec:38:fc:17:4e brd ff:ff:ff:ff:ff:ff
    inet6 fe80::f6ec:38ff:fefc:174e/64 scope link
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether f4:ec:38:fc:17:4e brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd04:78d3:8bd8::1/60 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::f6ec:38ff:fefc:174e/64 scope link
       valid_lft forever preferred_lft forever
5: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether f4:ec:38:fc:17:4e brd ff:ff:ff:ff:ff:ff
6: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether f4:ec:38:fc:17:4e brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.137/24 brd 192.168.1.255 scope global eth0.2
       valid_lft forever preferred_lft forever
    inet6 fe80::f6ec:38ff:fefc:174e/64 scope link
       valid_lft forever preferred_lft forever
7: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether f4:ec:38:fc:17:4e brd ff:ff:ff:ff:ff:ff
    inet6 fe80::f6ec:38ff:fefc:174e/64 scope link
       valid_lft forever preferred_lft forever
13: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    link/[65534]
    inet 10.8.0.2/24 brd 10.8.0.255 scope global tun0
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev eth0.2  src 192.168.1.137
10.8.0.0/24 dev tun0  src 10.8.0.2
192.168.1.0/24 dev eth0.2  src 192.168.1.137
192.168.1.1 dev eth0.2  src 192.168.1.137
192.168.2.0/24 dev br-lan  src 192.168.2.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
# Generated by iptables-save v1.4.21 on Wed Sep 16 19:48:24 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1:76]
:POSTROUTING ACCEPT [0:0]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_tun0_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_tun0_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_tun0_postrouting - [0:0]
:zone_tun0_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: user chain for prerouting" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_tun0_prerouting
-A POSTROUTING -m comment --comment "!fw3: user chain for postrouting" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_tun0_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_lan_rule
-A zone_tun0_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_tun0_rule
-A zone_tun0_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_tun0_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_tun0_rule
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -j MINIUPNPD
-A zone_wan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_wan_rule
COMMIT
# Completed on Wed Sep 16 19:48:24 2020
# Generated by iptables-save v1.4.21 on Wed Sep 16 19:48:24 2020
*mangle
:PREROUTING ACCEPT [89:20207]
:INPUT ACCEPT [51:2662]
:FORWARD ACCEPT [38:17545]
:OUTPUT ACCEPT [94:18622]
:POSTROUTING ACCEPT [132:36167]
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: tun0 (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Sep 16 19:48:24 2020
# Generated by iptables-save v1.4.21 on Wed Sep 16 19:48:24 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_tun0_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_tun0_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_tun0_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_tun0_dest_ACCEPT - [0:0]
:zone_tun0_dest_REJECT - [0:0]
:zone_tun0_forward - [0:0]
:zone_tun0_input - [0:0]
:zone_tun0_output - [0:0]
:zone_tun0_src_REJECT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: user chain for input" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_tun0_input
-A FORWARD -m comment --comment "!fw3: user chain for forwarding" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_tun0_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: user chain for output" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_tun0_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> tun0" -j zone_tun0_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: user chain for input" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: user chain for output" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_tun0_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_tun0_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_tun0_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
-A zone_tun0_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_tun0_rule
-A zone_tun0_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_tun0_forward -m comment --comment "!fw3" -j zone_tun0_dest_REJECT
-A zone_tun0_input -m comment --comment "!fw3: user chain for input" -j input_tun0_rule
-A zone_tun0_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_tun0_input -m comment --comment "!fw3" -j zone_tun0_src_REJECT
-A zone_tun0_output -m comment --comment "!fw3: user chain for output" -j output_tun0_rule
-A zone_tun0_output -m comment --comment "!fw3" -j zone_tun0_dest_ACCEPT
-A zone_tun0_src_REJECT -i tun0 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: user chain for input" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: user chain for output" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed Sep 16 19:48:24 2020
root@LEDE:~# ip -6 address show; ip -6 route show; ip -6 rule show; ip6tables-save
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::f6ec:38ff:fefc:174e/64 scope link
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd04:78d3:8bd8::1/60 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::f6ec:38ff:fefc:174e/64 scope link
       valid_lft forever preferred_lft forever
6: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::f6ec:38ff:fefc:174e/64 scope link
       valid_lft forever preferred_lft forever
7: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::f6ec:38ff:fefc:174e/64 scope link
       valid_lft forever preferred_lft forever
fd04:78d3:8bd8::/64 dev br-lan  metric 1024
unreachable fd04:78d3:8bd8::/48 dev lo  metric 2147483647  error -148
fe80::/64 dev eth0  metric 256
fe80::/64 dev br-lan  metric 256
fe80::/64 dev eth0.2  metric 256
fe80::/64 dev wlan0  metric 256
unreachable default dev lo  metric -1  error -128
ff00::/8 dev eth0  metric 256
ff00::/8 dev br-lan  metric 256
ff00::/8 dev eth0.2  metric 256
ff00::/8 dev wlan0  metric 256
unreachable default dev lo  metric -1  error -128
0:      from all lookup local
32766:  from all lookup main
4200000001:     from all iif lo lookup unspec 12
4200000004:     from all iif br-lan lookup unspec 12
4200000006:     from all iif eth0.2 lookup unspec 12
4200000013:     from all iif tun0 lookup unspec 12
# Generated by ip6tables-save v1.4.21 on Wed Sep 16 19:48:24 2020
*mangle
:PREROUTING ACCEPT [4:288]
:INPUT ACCEPT [4:288]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5:432]
:POSTROUTING ACCEPT [5:432]
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: tun0 (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Sep 16 19:48:24 2020
# Generated by ip6tables-save v1.4.21 on Wed Sep 16 19:48:24 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_tun0_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_tun0_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_tun0_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_tun0_dest_ACCEPT - [0:0]
:zone_tun0_dest_REJECT - [0:0]
:zone_tun0_forward - [0:0]
:zone_tun0_input - [0:0]
:zone_tun0_output - [0:0]
:zone_tun0_src_REJECT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: user chain for input" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_tun0_input
-A FORWARD -m comment --comment "!fw3: user chain for forwarding" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_tun0_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: user chain for output" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_tun0_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> tun0" -j zone_tun0_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: user chain for input" -j input_lan_rule
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: user chain for output" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_tun0_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_tun0_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_tun0_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
-A zone_tun0_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_tun0_rule
-A zone_tun0_forward -m comment --comment "!fw3" -j zone_tun0_dest_REJECT
-A zone_tun0_input -m comment --comment "!fw3: user chain for input" -j input_tun0_rule
-A zone_tun0_input -m comment --comment "!fw3" -j zone_tun0_src_REJECT
-A zone_tun0_output -m comment --comment "!fw3: user chain for output" -j output_tun0_rule
-A zone_tun0_output -m comment --comment "!fw3" -j zone_tun0_dest_ACCEPT
-A zone_tun0_src_REJECT -i tun0 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_wan_rule
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: user chain for input" -j input_wan_rule
-A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: user chain for output" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed Sep 16 19:48:24 2020
root@LEDE:~#



part two

root@LEDE:~# # Persistent configuration
root@LEDE:~# uci show network; uci show firewall; uci show openvpn
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd04:78d3:8bd8::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.2.1'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='1 2 3 4 5t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='0 5t'
network.tun0=interface
network.tun0.ifname='tun0'
network.tun0._orig_ifname='tun0'
network.tun0._orig_bridge='false'
network.tun0.proto='none'
network.tun0.auto='1'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.miniupnpd=include
firewall.miniupnpd.type='script'
firewall.miniupnpd.path='/usr/share/miniupnpd/firewall.include'
firewall.miniupnpd.family='any'
firewall.miniupnpd.reload='1'
firewall.@zone[2]=zone
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@zone[2].name='tun0'
firewall.@zone[2].network='tun0'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='tun0'
firewall.@forwarding[0].src='lan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[1].src='lan'
openvpn.custom_config=openvpn
openvpn.custom_config.config='/etc/openvpn/my-vpn.conf'
openvpn.sample_server=openvpn
openvpn.sample_server.port='1194'
openvpn.sample_server.proto='udp'
openvpn.sample_server.dev='tun'
openvpn.sample_server.ca='/etc/openvpn/ca.crt'
openvpn.sample_server.cert='/etc/openvpn/server.crt'
openvpn.sample_server.key='/etc/openvpn/server.key'
openvpn.sample_server.dh='/etc/openvpn/dh1024.pem'
openvpn.sample_server.server='10.8.0.0 255.255.255.0'
openvpn.sample_server.ifconfig_pool_persist='/tmp/ipp.txt'
openvpn.sample_server.keepalive='10 120'
openvpn.sample_server.compress='lzo'
openvpn.sample_server.persist_key='1'
openvpn.sample_server.persist_tun='1'
openvpn.sample_server.user='nobody'
openvpn.sample_server.status='/tmp/openvpn-status.log'
openvpn.sample_server.verb='3'
openvpn.sample_client=openvpn
openvpn.sample_client.client='1'
openvpn.sample_client.dev='tun0'
openvpn.sample_client.proto='udp'
openvpn.sample_client.resolv_retry='infinite'
openvpn.sample_client.nobind='1'
openvpn.sample_client.tun_mtu='1500'
openvpn.sample_client.persist_key='1'
openvpn.sample_client.persist_tun='1'
openvpn.sample_client.ca='/etc/openvpn/ca.crt'
openvpn.sample_client.cert='/etc/openvpn/client.crt'
openvpn.sample_client.key='/etc/openvpn/client.key'
openvpn.sample_client.compress='lzo'
openvpn.sample_client.enabled='1'
openvpn.sample_client.remote='server_IP_address 1194'
openvpn.sample_client.verb='3'
openvpn.sample_client.comp_lzo='yes'
openvpn.sample_client.float='1'
openvpn.sample_client.mute_replay_warnings='1'
openvpn.sample_client.cipher='AES-256-GCM'
root@LEDE:~# head -n -0 /etc/openvpn/*.conf
head: /etc/openvpn/*.conf: No such file or directory
root@LEDE:~#

Run route on the client and look for the two "pseudo-default" routes: 0.0.0.0/1 via 10.8.0.1/tun0 and 128.0.0.0/1, also via the VPN.

I don't think you want to have the firewall forwarding lan to wan if you're actually going to forward lan to tun0.


If I remove the lan>wan forwarding then I cannot access the internet via browser at all. I believe it's because the VPN connection isn't configured properly.

Client router

root@LEDE:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0.2
10.8.0.0        *               255.255.255.0   U     0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0.2
192.168.1.1     *               255.255.255.255 UH    0      0        0 eth0.2
192.168.2.0     *               255.255.255.0   U     0      0        0 br-lan

Server router

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         X-X-X-X.s       0.0.0.0         UG    0      0        0 eth1
10.8.0.0        *               255.255.255.0   U     0      0        0 tun0
10.10.0.0       *               255.255.0.0     U     0      0        0 eth0.6
X.X.X.0         *               255.255.192.0   U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
224.0.0.0       *               240.0.0.0       U     0      0        0 eth0.6

You should see two additional default routes:

default         10.8.0.1        128.0.0.0       UG    0      0        0 tun0
default         10.8.0.1        0.0.0.0         UG    0      0        0 tun0

Have you restarted the server after the config modification suggested by @vgaetera?

Set the 'verb' option to 4 in the client config, and post the log after connecting.


I've restarted both routers after config changes.
When I set verb 4 I don't see any difference in the logs though. Should I try restarting the openvpn process separately?

root@LEDE:~# logread -e openvpn; netstat -l -n -p | grep -e openvpn
Wed Sep 16 22:08:28 2020 daemon.notice openvpn(sample_client)[806]: OpenVPN 2.4.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed Sep 16 22:08:28 2020 daemon.notice openvpn(sample_client)[806]: library versions: OpenSSL 1.0.2t  10 Sep 2019, LZO 2.10
Wed Sep 16 22:08:28 2020 daemon.warn openvpn(sample_client)[806]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Sep 16 22:08:29 2020 daemon.notice openvpn(sample_client)[806]: LZO compression initializing
Wed Sep 16 22:08:29 2020 daemon.notice openvpn(sample_client)[806]: Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Wed Sep 16 22:08:30 2020 daemon.notice openvpn(sample_client)[806]: Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Wed Sep 16 22:08:30 2020 daemon.notice openvpn(sample_client)[806]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
Wed Sep 16 22:08:30 2020 daemon.notice openvpn(sample_client)[806]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
Wed Sep 16 22:08:30 2020 daemon.notice openvpn(sample_client)[806]: TCP/UDP: Preserving recently used remote address: [AF_INET]server_IP_address:1194
Wed Sep 16 22:08:30 2020 daemon.notice openvpn(sample_client)[806]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Wed Sep 16 22:08:30 2020 daemon.notice openvpn(sample_client)[806]: UDP link local: (not bound)
Wed Sep 16 22:08:30 2020 daemon.notice openvpn(sample_client)[806]: UDP link remote: [AF_INET]server_IP_address:1194
Wed Sep 16 22:08:30 2020 daemon.notice openvpn(sample_client)[806]: TLS: Initial packet from [AF_INET]server_IP_address:1194, sid=20e8965d c7222776
Wed Sep 16 22:08:30 2020 daemon.err openvpn(sample_client)[806]: write UDP: Operation not permitted (code=1)
Wed Sep 16 22:08:30 2020 daemon.err openvpn(sample_client)[806]: write UDP: Operation not permitted (code=1)
Wed Sep 16 22:08:33 2020 daemon.notice openvpn(sample_client)[806]: VERIFY OK: depth=1, CN=vpnca
Wed Sep 16 22:08:33 2020 daemon.notice openvpn(sample_client)[806]: VERIFY OK: depth=0, CN=vpnserver
Wed Sep 16 22:08:34 2020 daemon.notice openvpn(sample_client)[806]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Sep 16 22:08:34 2020 daemon.notice openvpn(sample_client)[806]: [vpnserver] Peer Connection Initiated with [AF_INET]server_IP_address:1194
Wed Sep 16 22:08:35 2020 daemon.notice openvpn(sample_client)[806]: SENT CONTROL [vpnserver]: 'PUSH_REQUEST' (status=1)
Wed Sep 16 22:08:35 2020 daemon.notice openvpn(sample_client)[806]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Wed Sep 16 22:08:35 2020 daemon.notice openvpn(sample_client)[806]: OPTIONS IMPORT: timers and/or timeouts modified
Wed Sep 16 22:08:35 2020 daemon.notice openvpn(sample_client)[806]: OPTIONS IMPORT: --ifconfig/up options modified
Wed Sep 16 22:08:35 2020 daemon.notice openvpn(sample_client)[806]: OPTIONS IMPORT: route-related options modified
Wed Sep 16 22:08:35 2020 daemon.notice openvpn(sample_client)[806]: OPTIONS IMPORT: peer-id set
Wed Sep 16 22:08:35 2020 daemon.notice openvpn(sample_client)[806]: OPTIONS IMPORT: adjusting link_mtu to 1625
Wed Sep 16 22:08:35 2020 daemon.notice openvpn(sample_client)[806]: OPTIONS IMPORT: data channel crypto options modified
Wed Sep 16 22:08:35 2020 daemon.notice openvpn(sample_client)[806]: Data Channel MTU parms [ L:1553 D:1450 EF:53 EB:406 ET:0 EL:3 ]
Wed Sep 16 22:08:35 2020 daemon.notice openvpn(sample_client)[806]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Sep 16 22:08:35 2020 daemon.notice openvpn(sample_client)[806]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Sep 16 22:08:35 2020 daemon.notice openvpn(sample_client)[806]: TUN/TAP device tun0 opened
Wed Sep 16 22:08:35 2020 daemon.notice openvpn(sample_client)[806]: TUN/TAP TX queue length set to 100
Wed Sep 16 22:08:35 2020 daemon.notice openvpn(sample_client)[806]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Sep 16 22:08:35 2020 daemon.notice openvpn(sample_client)[806]: /sbin/ifconfig tun0 10.8.0.2 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Wed Sep 16 22:08:35 2020 daemon.warn openvpn(sample_client)[806]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Sep 16 22:08:35 2020 daemon.notice openvpn(sample_client)[806]: Initialization Sequence Completed
udp        0      0 0.0.0.0:34320           0.0.0.0:*                           806/openvpn
root@LEDE:~#

# Server
# Push "redirect-gateway def1" to every connecting client; the client then
# installs the two 0.0.0.0/1 and 128.0.0.0/1 routes via tun0 shown above.
uci add_list openvpn.sample_server.push="redirect-gateway def1"
uci commit openvpn
/etc/init.d/openvpn restart

# Client
# Same effect configured locally; only needed if the server does not push it.
uci set openvpn.sample_client.redirect_gateway="def1"
uci commit openvpn
/etc/init.d/openvpn restart

Client OpenVPN
/etc/config/openvpn, append:
option redirect_gateway 'def1'

Server OpenVPN
/etc/config/openvpn, append:
option push 'redirect-gateway def1'

After that, restart the server and then the client.

I don't like to set parameters in UCI because of this: "It is important to know that UCI identifiers and config file names may contain only the characters a-z, 0-9 and _. E.g. no hyphens (-) are allowed. Option values may contain any character (as long as they are properly quoted)."

So I recommend creating separate files and adding just links to them in the UCI config.

Thank you for your help; everything works as intended.
Apparently I failed to add the last lines to the config file in the right syntax/format. Now that this is done, everything is working fine.

In case anyone wonders what the right settings are, here are the config files. Note that the client log above still reports "No server certificate verification method has been enabled", and the configs below do not address that warning.
Server
/etc/config/openvpn

config openvpn 'VPN_server'
	option proto 'udp'
	option port '1194'
	option dev_type 'tun'
	option dev 'tun'
	option server '10.8.0.0 255.255.255.0'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option dh '/etc/openvpn/dh1024.pem'
	option tun_mtu '1500'
	option keepalive '10 120'
	option topology 'subnet'
	option route_gateway 'dhcp'
	option client_to_client '1'
	option persist_key '1'
	option persist_tun '1'
	option ifconfig_pool_persist '/tmp/ipp.txt'
	option status '/tmp/openvpn-status.log'
	option compress 'lzo'
	option comp_lzo 'yes'
	option verb '0'
	option cipher 'AES-256-GCM'
	option enabled '1'
	list push 'redirect-gateway def1'

Client
/etc/config/openvpn

config openvpn 'VPN_client'
	option client '1'
	option dev 'tun0'
	option proto 'udp'
	option resolv_retry 'infinite'
	option nobind '1'
	option tun_mtu '1500'
	option persist_key '1'
	option persist_tun '1'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/client.crt'
	option key '/etc/openvpn/client.key'
	option compress 'lzo'
	option enabled '1'
	list remote 'X.X.X.X 1194'
	option comp_lzo 'yes'
	option float '1'
	option mute_replay_warnings '1'
	option cipher 'AES-256-GCM'
	option verb '4'
	option redirect_gateway 'def1'

17.01.x is unmaintained and contains unfixed security vulnerabilities.
Please consider upgrading to a more recent OpenWrt release.

According to the wiki, the TL-WR1043ND is supported by the current release, 19.07.4.
