Many of you have trouble with using OpenVPN (Client and/or Server) with MWAN3 package.
I'm using 19.07.1 with a working config.
There're different OpenVPN clients defined for my outgoing routing
and also a OpenVPN server (not in use with WMAN3) to be able to connect from outside to my network.
My VPN provider is "ExpressVPN".
I would like to present my config to help others with this problem.
ExpressVPN allows up to 5 connections. In this example I'll use 2 connection at the same time.
As I said before, there is also a working OpenVPN server active.
Hint: I'm using in addition to that 2 WAN connection, but they're not in this config files here.
This is very good described in https://openwrt.org/docs/guide-user/network/wan/multiwan/mwan3
Hopefully this helps some other users to get this working as well.
/etc/config/network
config interface 'vpnclient1'
option proto 'none'
option ifname 'tun1'
config interface 'vpnclient2'
option proto 'none'
option ifname 'tun2'
config interface 'vpnserver'
option proto 'none'
option ifname 'tun9'
/etc/config/firewall
config zone
option name 'vpnserver'
option network 'vpnserver'
option input 'ACCEPT'
option forward 'REJECT'
option output 'ACCEPT'
option masq '1'
config zone
option name 'vpnclient'
option network 'vpnclient1 vpnclient2'
option input 'REJECT'
option forward 'REJECT'
option output 'ACCEPT'
option masq '1'
config forwarding
option src 'lan'
option dest 'vpnclient'
config forwarding
option src 'vpnserver'
option dest 'wan'
config forwarding
option src 'vpnserver'
option dest 'lan'
config forwarding
option src 'vpnserver'
option dest 'vpnclient'
config rule
option name 'Allow-OpenVPN-Inbound'
option target 'ACCEPT'
option dest_port '1194'
list proto 'udp'
option src 'wan'
/etc/config/openvpn
config openvpn 'ExpressVPN_Client1'
option config '/etc/openvpn/ExpressVPN_Client1.ovpn'
option enabled '1'
config openvpn 'ExpressVPN_Client2'
option config '/etc/openvpn/ExpressVPN_Client2.ovpn'
option enabled '1'
config openvpn 'Server'
option config '/etc/openvpn/Server.ovpn'
option enabled '1'
/etc/config/wman3
config interface 'vpnclient1'
option enabled '1'
option initial_state 'online'
option family 'ipv4'
list track_ip '8.8.8.8'
option track_method 'ping'
option reliability '1'
option count '1'
option size '56'
option max_ttl '60'
option check_quality '0'
option timeout '2'
option interval '5'
option failure_interval '5'
option recovery_interval '5'
option down '3'
option up '3'
config interface 'vpnclient2'
option enabled '1'
option initial_state 'online'
option family 'ipv4'
list track_ip '8.8.8.8'
option track_method 'ping'
option reliability '1'
option count '1'
option size '56'
option max_ttl '60'
option check_quality '0'
option timeout '2'
option interval '5'
option failure_interval '5'
option recovery_interval '5'
option down '3'
option up '3'
config member 'm_vpnclient1'
option interface 'vpnclient1'
option metric '1'
option weight '1'
config policy 'p_vpnclient1'
list use_member 'm_vpnclient1'
option last_resort 'unreachable'
config member 'm_vpnclient2'
option interface 'vpnclient2'
option metric '1'
option weight '1'
config policy 'p_vpnclient2'
list use_member 'm_vpnclient2'
option last_resort 'unreachable'
config rule 'laptop_1'
option src_ip '192.168.1.120'
option proto 'all'
option sticky '0'
option use_policy 'p_vpnclient1'
config rule 'laptop_2'
option src_ip '192.168.1.121'
option proto 'all'
option sticky '0'
option use_policy 'p_vpnclient2'
/etc/openvpn/ExpressVPN_Client1.ovpn
dev-type tun
dev tun1
fast-io
persist-key
persist-tun
nobind
remote <server> <port>
float
remote-random
pull
comp-lzo no
tls-client
verify-x509-name Server name-prefix
remote-cert-tls server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
verb 3
cipher AES-256-CBC
auth SHA512
sndbuf 524288
rcvbuf 524288
auth-nocache
auth-user-pass /etc/openvpn/expressvpn.auth
log /etc/openvpn/expressvpn1.log
pull-filter ignore "dhcp-option"
pull-filter ignore "redirect-gateway"
pull-filter ignore "route"
route 0.0.0.0 0.0.0.0 vpn_gateway 31
route-metric 31
route-nopull
[...]
/etc/openvpn/ExpressVPN_Client2.ovpn
dev-type tun
dev tun2
fast-io
persist-key
persist-tun
nobind
remote <server> <port>
float
remote-random
pull
comp-lzo no
tls-client
verify-x509-name Server name-prefix
remote-cert-tls server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
verb 3
cipher AES-256-CBC
auth SHA512
sndbuf 524288
rcvbuf 524288
auth-nocache
auth-user-pass /etc/openvpn/expressvpn.auth
log /etc/openvpn/expressvpn2.log
pull-filter ignore "dhcp-option"
pull-filter ignore "redirect-gateway"
pull-filter ignore "route"
route 0.0.0.0 0.0.0.0 vpn_gateway 32
route-metric 32
route-nopull
[...]
/etc/openvpn/Server.ovpn
verb 3
user nobody
group nogroup
dev-type tun
dev tun9
port 1194
proto udp
server 192.168.3.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 120
persist-tun
persist-key
push "dhcp-option DNS 192.168.3.1"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
log /etc/openvpn/server.log
[...]
