Added the line to the server config file; it didn't make a difference.
Here's the output from the troubleshooting commands:
root@LEDE:~# # Restart services
root@LEDE:~# /etc/init.d/log restart; /etc/init.d/openvpn restart; sleep 10
root@LEDE:~# # Log and status
root@LEDE:~# logread -e openvpn; netstat -l -n -p | grep -e openvpn
Wed Sep 16 19:47:57 2020 daemon.err openvpn(sample_client)[2353]: event_wait : Interrupted system call (code=4)
Wed Sep 16 19:47:57 2020 daemon.notice openvpn(sample_client)[2353]: Closing TUN/TAP interface
Wed Sep 16 19:47:57 2020 daemon.notice openvpn(sample_client)[2353]: /sbin/ifconfig tun0 0.0.0.0
Wed Sep 16 19:47:57 2020 daemon.notice openvpn(sample_client)[2353]: SIGTERM[hard,] received, process exiting
Wed Sep 16 19:47:57 2020 daemon.notice openvpn(sample_client)[2633]: OpenVPN 2.4.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed Sep 16 19:47:57 2020 daemon.notice openvpn(sample_client)[2633]: library versions: OpenSSL 1.0.2t 10 Sep 2019, LZO 2.10
Wed Sep 16 19:47:57 2020 daemon.warn openvpn(sample_client)[2633]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Sep 16 19:47:57 2020 daemon.notice openvpn(sample_client)[2633]: TCP/UDP: Preserving recently used remote address: [AF_INET]server_IP_address:1194
Wed Sep 16 19:47:57 2020 daemon.notice openvpn(sample_client)[2633]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Wed Sep 16 19:47:57 2020 daemon.notice openvpn(sample_client)[2633]: UDP link local: (not bound)
Wed Sep 16 19:47:57 2020 daemon.notice openvpn(sample_client)[2633]: UDP link remote: [AF_INET]server_IP_address:1194
Wed Sep 16 19:47:57 2020 daemon.notice openvpn(sample_client)[2633]: TLS: Initial packet from [AF_INET]server_IP_address:1194, sid=50f39416 a784956c
Wed Sep 16 19:47:57 2020 daemon.notice openvpn(sample_client)[2633]: VERIFY OK: depth=1, CN=vpnca
Wed Sep 16 19:47:57 2020 daemon.notice openvpn(sample_client)[2633]: VERIFY OK: depth=0, CN=vpnserver
Wed Sep 16 19:47:58 2020 daemon.notice openvpn(sample_client)[2633]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Sep 16 19:47:58 2020 daemon.notice openvpn(sample_client)[2633]: [vpnserver] Peer Connection Initiated with [AF_INET]server_IP_address:1194
Wed Sep 16 19:47:59 2020 daemon.notice openvpn(sample_client)[2633]: SENT CONTROL [vpnserver]: 'PUSH_REQUEST' (status=1)
Wed Sep 16 19:47:59 2020 daemon.notice openvpn(sample_client)[2633]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 1,cipher AES-256-GCM'
Wed Sep 16 19:47:59 2020 daemon.notice openvpn(sample_client)[2633]: OPTIONS IMPORT: timers and/or timeouts modified
Wed Sep 16 19:47:59 2020 daemon.notice openvpn(sample_client)[2633]: OPTIONS IMPORT: --ifconfig/up options modified
Wed Sep 16 19:47:59 2020 daemon.notice openvpn(sample_client)[2633]: OPTIONS IMPORT: route-related options modified
Wed Sep 16 19:47:59 2020 daemon.notice openvpn(sample_client)[2633]: OPTIONS IMPORT: peer-id set
Wed Sep 16 19:47:59 2020 daemon.notice openvpn(sample_client)[2633]: OPTIONS IMPORT: adjusting link_mtu to 1625
Wed Sep 16 19:47:59 2020 daemon.notice openvpn(sample_client)[2633]: OPTIONS IMPORT: data channel crypto options modified
Wed Sep 16 19:47:59 2020 daemon.notice openvpn(sample_client)[2633]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Sep 16 19:47:59 2020 daemon.notice openvpn(sample_client)[2633]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Sep 16 19:47:59 2020 daemon.notice openvpn(sample_client)[2633]: TUN/TAP device tun0 opened
Wed Sep 16 19:47:59 2020 daemon.notice openvpn(sample_client)[2633]: TUN/TAP TX queue length set to 100
Wed Sep 16 19:47:59 2020 daemon.notice openvpn(sample_client)[2633]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Sep 16 19:47:59 2020 daemon.notice openvpn(sample_client)[2633]: /sbin/ifconfig tun0 10.8.0.2 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Wed Sep 16 19:47:59 2020 daemon.warn openvpn(sample_client)[2633]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Sep 16 19:47:59 2020 daemon.notice openvpn(sample_client)[2633]: Initialization Sequence Completed
udp 0 0 0.0.0.0:41391 0.0.0.0:* 2633/openvpn
root@LEDE:~# # Runtime configuration
root@LEDE:~# pgrep -f -a openvpn
pgrep: unrecognized option: a
BusyBox v1.25.1 () multi-call binary.
Usage: pgrep [-flnovx] [-s SID|-P PPID|PATTERN]
Display process(es) selected by regex PATTERN
-l Show command name too
-f Match against entire command line
-n Show the newest process only
-o Show the oldest process only
-v Negate the match
-x Match whole name (not substring)
-s Match session ID (0 for current)
-P Match parent process ID
root@LEDE:~# ip address show; ip route show; ip rule show; iptables-save
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
link/ether f4:ec:38:fc:17:4e brd ff:ff:ff:ff:ff:ff
inet6 fe80::f6ec:38ff:fefc:174e/64 scope link
valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
link/ether f4:ec:38:fc:17:4e brd ff:ff:ff:ff:ff:ff
inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
valid_lft forever preferred_lft forever
inet6 fd04:78d3:8bd8::1/60 scope global
valid_lft forever preferred_lft forever
inet6 fe80::f6ec:38ff:fefc:174e/64 scope link
valid_lft forever preferred_lft forever
5: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
link/ether f4:ec:38:fc:17:4e brd ff:ff:ff:ff:ff:ff
6: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
link/ether f4:ec:38:fc:17:4e brd ff:ff:ff:ff:ff:ff
inet 192.168.1.137/24 brd 192.168.1.255 scope global eth0.2
valid_lft forever preferred_lft forever
inet6 fe80::f6ec:38ff:fefc:174e/64 scope link
valid_lft forever preferred_lft forever
7: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
link/ether f4:ec:38:fc:17:4e brd ff:ff:ff:ff:ff:ff
inet6 fe80::f6ec:38ff:fefc:174e/64 scope link
valid_lft forever preferred_lft forever
13: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
link/[65534]
inet 10.8.0.2/24 brd 10.8.0.255 scope global tun0
valid_lft forever preferred_lft forever
default via 192.168.1.1 dev eth0.2 src 192.168.1.137
10.8.0.0/24 dev tun0 src 10.8.0.2
192.168.1.0/24 dev eth0.2 src 192.168.1.137
192.168.1.1 dev eth0.2 src 192.168.1.137
192.168.2.0/24 dev br-lan src 192.168.2.1
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
# Generated by iptables-save v1.4.21 on Wed Sep 16 19:48:24 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1:76]
:POSTROUTING ACCEPT [0:0]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_tun0_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_tun0_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_tun0_postrouting - [0:0]
:zone_tun0_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: user chain for prerouting" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_tun0_prerouting
-A POSTROUTING -m comment --comment "!fw3: user chain for postrouting" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_tun0_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_lan_rule
-A zone_tun0_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_tun0_rule
-A zone_tun0_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_tun0_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_tun0_rule
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -j MINIUPNPD
-A zone_wan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_wan_rule
COMMIT
# Completed on Wed Sep 16 19:48:24 2020
# Generated by iptables-save v1.4.21 on Wed Sep 16 19:48:24 2020
*mangle
:PREROUTING ACCEPT [89:20207]
:INPUT ACCEPT [51:2662]
:FORWARD ACCEPT [38:17545]
:OUTPUT ACCEPT [94:18622]
:POSTROUTING ACCEPT [132:36167]
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: tun0 (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Sep 16 19:48:24 2020
# Generated by iptables-save v1.4.21 on Wed Sep 16 19:48:24 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_tun0_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_tun0_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_tun0_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_tun0_dest_ACCEPT - [0:0]
:zone_tun0_dest_REJECT - [0:0]
:zone_tun0_forward - [0:0]
:zone_tun0_input - [0:0]
:zone_tun0_output - [0:0]
:zone_tun0_src_REJECT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: user chain for input" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_tun0_input
-A FORWARD -m comment --comment "!fw3: user chain for forwarding" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_tun0_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: user chain for output" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_tun0_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> tun0" -j zone_tun0_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: user chain for input" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: user chain for output" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_tun0_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_tun0_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_tun0_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
-A zone_tun0_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_tun0_rule
-A zone_tun0_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_tun0_forward -m comment --comment "!fw3" -j zone_tun0_dest_REJECT
-A zone_tun0_input -m comment --comment "!fw3: user chain for input" -j input_tun0_rule
-A zone_tun0_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_tun0_input -m comment --comment "!fw3" -j zone_tun0_src_REJECT
-A zone_tun0_output -m comment --comment "!fw3: user chain for output" -j output_tun0_rule
-A zone_tun0_output -m comment --comment "!fw3" -j zone_tun0_dest_ACCEPT
-A zone_tun0_src_REJECT -i tun0 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: user chain for input" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: user chain for output" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed Sep 16 19:48:24 2020
root@LEDE:~# ip -6 address show; ip -6 route show; ip -6 rule show; ip6tables-save
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::f6ec:38ff:fefc:174e/64 scope link
valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fd04:78d3:8bd8::1/60 scope global
valid_lft forever preferred_lft forever
inet6 fe80::f6ec:38ff:fefc:174e/64 scope link
valid_lft forever preferred_lft forever
6: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::f6ec:38ff:fefc:174e/64 scope link
valid_lft forever preferred_lft forever
7: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::f6ec:38ff:fefc:174e/64 scope link
valid_lft forever preferred_lft forever
fd04:78d3:8bd8::/64 dev br-lan metric 1024
unreachable fd04:78d3:8bd8::/48 dev lo metric 2147483647 error -148
fe80::/64 dev eth0 metric 256
fe80::/64 dev br-lan metric 256
fe80::/64 dev eth0.2 metric 256
fe80::/64 dev wlan0 metric 256
unreachable default dev lo metric -1 error -128
ff00::/8 dev eth0 metric 256
ff00::/8 dev br-lan metric 256
ff00::/8 dev eth0.2 metric 256
ff00::/8 dev wlan0 metric 256
unreachable default dev lo metric -1 error -128
0: from all lookup local
32766: from all lookup main
4200000001: from all iif lo lookup unspec 12
4200000004: from all iif br-lan lookup unspec 12
4200000006: from all iif eth0.2 lookup unspec 12
4200000013: from all iif tun0 lookup unspec 12
# Generated by ip6tables-save v1.4.21 on Wed Sep 16 19:48:24 2020
*mangle
:PREROUTING ACCEPT [4:288]
:INPUT ACCEPT [4:288]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5:432]
:POSTROUTING ACCEPT [5:432]
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: tun0 (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Sep 16 19:48:24 2020
# Generated by ip6tables-save v1.4.21 on Wed Sep 16 19:48:24 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_tun0_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_tun0_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_tun0_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_tun0_dest_ACCEPT - [0:0]
:zone_tun0_dest_REJECT - [0:0]
:zone_tun0_forward - [0:0]
:zone_tun0_input - [0:0]
:zone_tun0_output - [0:0]
:zone_tun0_src_REJECT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: user chain for input" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_tun0_input
-A FORWARD -m comment --comment "!fw3: user chain for forwarding" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_tun0_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: user chain for output" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_tun0_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> tun0" -j zone_tun0_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: user chain for input" -j input_lan_rule
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: user chain for output" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_tun0_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_tun0_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_tun0_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
-A zone_tun0_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_tun0_rule
-A zone_tun0_forward -m comment --comment "!fw3" -j zone_tun0_dest_REJECT
-A zone_tun0_input -m comment --comment "!fw3: user chain for input" -j input_tun0_rule
-A zone_tun0_input -m comment --comment "!fw3" -j zone_tun0_src_REJECT
-A zone_tun0_output -m comment --comment "!fw3: user chain for output" -j output_tun0_rule
-A zone_tun0_output -m comment --comment "!fw3" -j zone_tun0_dest_ACCEPT
-A zone_tun0_src_REJECT -i tun0 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_wan_rule
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: user chain for input" -j input_wan_rule
-A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: user chain for output" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed Sep 16 19:48:24 2020
root@LEDE:~#