OpenVPN client and server policy routing not working

What exactly is the problem here? What is the network flow that doesn't work? Some user connected remotely to your OpenVPN server cannot exit from the OpenVPN client interface for example?
Are you sure that there is no IP conflict with the server and the client?

When you try to connect with OpenVPN for Android, it gets stuck waiting on a reply from the server. If I disable the OpenVPN client, or set route_nopull, OpenVPN for Android works immediately.

System log shows the following:
Tue Jul 2 14:36:57 2019 daemon.notice openvpn(vpnserver)[1902]: *** TLS: Initial packet from [AF_INET]***, sid=*** but nothing else

To avoid any confusion: I'm running a server and client on the same machine, and tried to get them to play nice using the following: https://openwrt.org/docs/guide-user/services/vpn/server_client

Thanks for your help

I understood that.
What about this? Are you sure that there is no IP conflict with the server and the client?
Let's see the whole picture here. Could you post the following?

uci show network; uci show firewall; \
ip -4 addr ; ip -4 ro ; ip -4 ru

firewall:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'VPN_SERVER lan'

config include
	option path '/etc/firewall.user'

config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option name 'wan'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option network 'PIA_VPN wan'
	option device 'tun0'

config forwarding
	option dest 'wan'
	option src 'lan'

config rule 'vpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '51413'
	option dest_ip '192.168.0.141'
	option dest_port '51413'
	option name 'transmission'

network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdba:e4fa:f2e8::/48'

config interface 'lan'
	option proto 'static'
	option ifname 'eth0'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option dns '209.222.18.218 209.222.18.222'

config interface 'wan'
	option proto 'dhcp'
	option ifname 'eth0.2'
	option peerdns '0'
	option dns '209.222.18.222 209.222.18.218'

config interface 'PIA_VPN'
	option proto 'none'
	option ifname 'tun0'

config interface 'VPN_SERVER'
	option proto 'none'
	option ifname 'tun1'

ip magick

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
       valid_lft forever preferred_lft forever
3: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 163.158.129.181/20 brd 163.158.143.255 scope global eth0.2
       valid_lft forever preferred_lft forever
4: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 192.168.8.1/24 brd 192.168.8.255 scope global tun1
       valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.22.10.6 peer 10.22.10.5/32 scope global tun0
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.22.10.5 dev tun0
default via 163.158.128.1 dev eth0.2 proto static src 163.158.129.181
10.22.10.1 via 10.22.10.5 dev tun0
10.22.10.5 dev tun0 proto kernel scope link src 10.22.10.6
46.166.186.249 via 163.158.128.1 dev eth0.2
128.0.0.0/1 via 10.22.10.5 dev tun0
163.158.128.0/20 dev eth0.2 proto kernel scope link src 163.158.129.181
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1
192.168.8.0/24 dev tun1 proto kernel scope link src 192.168.8.1
0:      from all lookup local
32760:  from all fwmark 0x30000 lookup 203
32761:  from all fwmark 0x20000 lookup 202
32762:  from all fwmark 0x10000 lookup 201
32766:  from all lookup main
32767:  from all lookup default

You have defined the OpenVPN interface twice in WAN firewall zone.

	option network 'PIA_VPN wan'
	option device 'tun0'

You can remove the second line.

Other than that, please post the following too:
ip -4 ro ls tab all; iptables-save

Did you use some policy routing application to create these extra routing tables (201-203)?
If so, please post its configuration here as well.

Thanks for your reply,

I've used vpn-policy routing, VPN Policy-Based Routing + Web UI -- Discussion

config vpn-policy-routing 'config'
	option verbosity '2'
	option ipv6_enabled '0'
	option strict_enforcement '1'
	option boot_timeout '30'
	option output_chain_enabled '1'
	option enabled '1'
	option dnsmasq_enabled '1'
	list ignored_interface 'vpn_server'

config policy
	option interface 'wan'
	option name 'vpn server'
	option local_port '1194'
	option chain 'PREROUTING'
	option proto 'udp'

config policy
	option chain 'PREROUTING'
	option interface 'wan'
	option name 'netflix'
	option remote_address 'netflix.com nflxext.com nflxvideo.net nflximg.com'
	option proto 'tcp udp'

more ip magick:

default via 163.158.128.1 dev eth0.2 table 201
default via 10.34.10.5 dev tun0 table 202
default via 192.168.8.1 dev tun1 table 203
0.0.0.0/1 via 10.34.10.5 dev tun0
default via 163.158.128.1 dev eth0.2 proto static src 163.158.129.181
10.34.10.1 via 10.34.10.5 dev tun0
10.34.10.5 dev tun0 proto kernel scope link src 10.34.10.6
46.166.188.215 via 163.158.128.1 dev eth0.2
128.0.0.0/1 via 10.34.10.5 dev tun0
163.158.128.0/20 dev eth0.2 proto kernel scope link src 163.158.129.181
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1
192.168.8.0/24 dev tun1 proto kernel scope link src 192.168.8.1
local 10.34.10.6 dev tun0 table local proto kernel scope host src 10.34.10.6
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 163.158.128.0 dev eth0.2 table local proto kernel scope link src 163.158.129.181
local 163.158.129.181 dev eth0.2 table local proto kernel scope host src 163.158.129.181
broadcast 163.158.143.255 dev eth0.2 table local proto kernel scope link src 163.158.129.181
broadcast 192.168.0.0 dev eth0 table local proto kernel scope link src 192.168.0.1
local 192.168.0.1 dev eth0 table local proto kernel scope host src 192.168.0.1
broadcast 192.168.0.255 dev eth0 table local proto kernel scope link src 192.168.0.1
broadcast 192.168.8.0 dev tun1 table local proto kernel scope link src 192.168.8.1
local 192.168.8.1 dev tun1 table local proto kernel scope host src 192.168.8.1
broadcast 192.168.8.255 dev tun1 table local proto kernel scope link src 192.168.8.1
# Generated by iptables-save v1.6.2 on Wed Jul  3 11:16:16 2019
*nat
:PREROUTING ACCEPT [1134:329128]
:INPUT ACCEPT [176:14713]
:OUTPUT ACCEPT [217:15506]
:POSTROUTING ACCEPT [38:2346]
:postrouting_lan_rule - [0:0]
:postrouting_newzone_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpnserver_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_newzone_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpnserver_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i tun1 -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o tun1 -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_postrouting -s 192.168.0.0/24 -d 192.168.0.141/32 -p tcp -m tcp --dport 51413 -m comment --comment "!fw3: transmission (reflection)" -j SNAT --to-source 192.168.0.1
-A zone_lan_postrouting -s 192.168.0.0/24 -d 192.168.0.141/32 -p udp -m udp --dport 51413 -m comment --comment "!fw3: transmission (reflection)" -j SNAT --to-source 192.168.0.1
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_lan_prerouting -s 192.168.0.0/24 -d 163.158.129.181/32 -p tcp -m tcp --dport 51413 -m comment --comment "!fw3: transmission (reflection)" -j DNAT --to-destination 192.168.0.141:51413
-A zone_lan_prerouting -s 192.168.0.0/24 -d 163.158.129.181/32 -p udp -m udp --dport 51413 -m comment --comment "!fw3: transmission (reflection)" -j DNAT --to-destination 192.168.0.141:51413
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp --dport 51413 -m comment --comment "!fw3: transmission" -j DNAT --to-destination 192.168.0.141:51413
-A zone_wan_prerouting -p udp -m udp --dport 51413 -m comment --comment "!fw3: transmission" -j DNAT --to-destination 192.168.0.141:51413
COMMIT
# Completed on Wed Jul  3 11:16:16 2019
# Generated by iptables-save v1.6.2 on Wed Jul  3 11:16:16 2019
*mangle
:PREROUTING ACCEPT [390566:448580654]
:INPUT ACCEPT [181193:252837603]
:FORWARD ACCEPT [209371:195742987]
:OUTPUT ACCEPT [81479:11537430]
:POSTROUTING ACCEPT [290850:207280417]
:VPR_FORWARD - [0:0]
:VPR_INPUT - [0:0]
:VPR_OUTPUT - [0:0]
:VPR_PREROUTING - [0:0]
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A VPR_PREROUTING -d 207.45.72.215/32 -m comment --comment netflix_nflximg_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 207.45.72.215/32 -m comment --comment netflix_nflximg_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.32.78.165/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.32.78.165/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 184.73.192.76/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 184.73.192.76/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.32.240.186/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.32.240.186/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.32.140.41/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.32.140.41/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.16.244.17/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.16.244.17/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 54.89.245.208/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 54.89.245.208/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 50.17.247.31/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 50.17.247.31/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.18.140.121/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.18.140.121/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.17.14.207/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.17.14.207/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 207.45.72.215/32 -m comment --comment netflix_nflxext_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 207.45.72.215/32 -m comment --comment netflix_nflxext_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 54.77.143.196/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 54.77.143.196/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.31.109.246/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.31.109.246/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.30.103.23/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.30.103.23/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 34.242.59.189/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 34.242.59.189/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.18.15.9/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.18.15.9/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 34.252.179.162/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 34.252.179.162/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.17.219.77/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.17.219.77/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.208.245.169/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.208.245.169/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -p udp -m multiport --sports 1194 -m comment --comment vpn_server -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -m set --match-set VPN_SERVER dst -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -m set --match-set PIA_VPN dst -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -j MARK --set-xmark 0x10000/0xff0000
COMMIT
# Completed on Wed Jul  3 11:16:16 2019
# Generated by iptables-save v1.6.2 on Wed Jul  3 11:16:16 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_newzone_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpnserver_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_newzone_rule - [0:0]
:input_rule - [0:0]
:input_vpnserver_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_newzone_rule - [0:0]
:output_rule - [0:0]
:output_vpnserver_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_newzone_forward - [0:0]
:zone_newzone_input - [0:0]
:zone_newzone_output - [0:0]
:zone_vpnserver_forward - [0:0]
:zone_vpnserver_input - [0:0]
:zone_vpnserver_output - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i tun1 -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i tun1 -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o tun1 -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o tun1 -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i tun1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_src_ACCEPT -i eth0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i tun0 -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed Jul  3 11:16:16 2019

I don't see any logic to include the vpn server in the policy routing. You are creating a routing table with default gateway the router itself, while it is not providing any internet connectivity.

All this routing table stuff is way over my head :sweat_smile:

I noticed the misspelling of vpn_server in list ignored_interface 'vpn_server' which needs to be all caps. I have already made this change, and VPN_SERVER is now ignored by policy routing.

This didn't help in resolving the connectivity issue, still waiting on server.

I'll post updated ip thingies as soon as I'm home.

I suggest you disable policy routing temporarily until you sort out that both OpenVPN tunnels work fine. Then you can take it to the next step to classify the traffic according to the desired gateway.

I'm not sure how to proceed,

The client connection with PIA works fine.
If I disable the client connection, or set route-nopull on the client, the server works fine.

Does this mean I'm ready for the next step, classifying traffic?

As far as I understand it, this should be achieved through vpn-policy-routing, directing all the traffic on port 1194 (VPN_SERVER's udp port) to WAN. Which does not work :yum:

Thanks for your patience so far, any input is greatly appreciated

I tried the following: instead of routing the vpn server tunnel over wan, I have configured route-nopull on the client, and used vpn-policy-routing to route 192.168.0.0/24 and 192.168.8.0/24 over PIA_VPN.

This seems to have the desired effect, whatsmyip reports a PIA ip address from my home pc and my mobile phone connected to the vpn server (which now works).

Is this a good idea, or did I just turn my vpn into swiss cheese :stuck_out_tongue:

Okay, that didn't do what I think it did... back to the drawing board.

Your initial problem is that the server is not working when client is enabled and the possible solutions are to

  1. disable the client
  2. nopull routes

It looks like the default gateway from the client vpn is overriding the gateway of the wan interface, so when some remote user tries to connect to your server over the wan interface, the reply goes back via the vpn client. You can verify that by running tcpdump.
tcpdump -i eth0.2 -vvn udp port 1194
tcpdump -i tun0 -vvn udp port 1194
In the first case you'll see the incoming and in the second the outgoing.

It is weird though because the policy routing is in place and should send all packets from OpenVPN server to wan interface.
Can you verify that there are hits on the firewall?
iptables -t nat -L -vn | grep "0x10000"
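
Added example (not from any poster in this thread): a small Python model of the route lookup described above, fed with the `ip -4 ru` and `ip -4 ro ls tab all` output posted earlier. It shows where a reply from the OpenVPN server to a remote client leaves the router with and without the 0x10000 mark; the client address 203.0.113.50, the function names and the reduction of the mangle dump to the single vpn_server rule are assumptions made for the illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

# Copied from the `ip -4 ru` output posted in the thread.
RULES = """\
0:      from all lookup local
32760:  from all fwmark 0x30000 lookup 203
32761:  from all fwmark 0x20000 lookup 202
32762:  from all fwmark 0x10000 lookup 201
32766:  from all lookup main
32767:  from all lookup default
"""

# Copied from the `ip -4 ro ls tab all` output in the thread; the entries of
# table local are left out because they only cover the router's own addresses.
ROUTES = """\
default via 163.158.128.1 dev eth0.2 table 201
default via 10.34.10.5 dev tun0 table 202
default via 192.168.8.1 dev tun1 table 203
0.0.0.0/1 via 10.34.10.5 dev tun0
default via 163.158.128.1 dev eth0.2 proto static src 163.158.129.181
10.34.10.1 via 10.34.10.5 dev tun0
10.34.10.5 dev tun0 proto kernel scope link src 10.34.10.6
46.166.188.215 via 163.158.128.1 dev eth0.2
128.0.0.0/1 via 10.34.10.5 dev tun0
163.158.128.0/20 dev eth0.2 proto kernel scope link src 163.158.129.181
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1
192.168.8.0/24 dev tun1 proto kernel scope link src 192.168.8.1
"""

# Simplified view (assumption) of the posted mangle dump, reduced to the
# vpn_server policy: VPR_PREROUTING marks UDP source port 1194 with 0x10000,
# and the dump contains no "-A VPR_OUTPUT" rule at all.
MARK_RULES = {
    "VPR_PREROUTING": [("udp", 1194, 0x10000)],
    "VPR_OUTPUT": [],
}

CLIENT = "203.0.113.50"  # constructed remote client address (TEST-NET-3)


class Rule(NamedTuple):
    prio: int
    fwmark: Optional[int]
    table: str


class Route(NamedTuple):
    net: ipaddress.IPv4Network
    dev: str
    table: str


def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        prio, rest = line.split(":", 1)
        words = rest.split()
        mark = int(words[words.index("fwmark") + 1], 16) if "fwmark" in words else None
        rules.append(Rule(int(prio), mark, words[words.index("lookup") + 1]))
    return sorted(rules, key=lambda r: r.prio)


def parse_routes(text):
    routes = []
    for line in text.strip().splitlines():
        words = line.split()
        prefix = "0.0.0.0/0" if words[0] == "default" else words[0]
        table = words[words.index("table") + 1] if "table" in words else "main"
        dev = words[words.index("dev") + 1]
        routes.append(Route(ipaddress.ip_network(prefix), dev, table))
    return routes


def lookup(dst, fwmark=0):
    """Walk the rules by priority; inside a table the longest prefix wins."""
    addr = ipaddress.ip_address(dst)
    routes = parse_routes(ROUTES)
    for rule in parse_rules(RULES):
        if rule.fwmark is not None and rule.fwmark != fwmark:
            continue  # fwmark rule that does not apply to this packet
        hits = [r for r in routes if r.table == rule.table and addr in r.net]
        if hits:
            best = max(hits, key=lambda r: r.net.prefixlen)
            return best.dev, rule.table, str(best.net)
    return None


def mark_for(chain, proto, sport):
    """Mark a packet would receive in the given mangle chain (0 = unmarked)."""
    for rule_proto, rule_sport, mark in MARK_RULES[chain]:
        if (proto, sport) == (rule_proto, rule_sport):
            return mark
    return 0


def server_reply_egress(client_ip):
    """Egress of an OpenVPN server reply (UDP sport 1194) sent by the router."""
    # Locally generated packets traverse mangle OUTPUT, never PREROUTING.
    return lookup(client_ip, mark_for("VPR_OUTPUT", "udp", 1194))


if __name__ == "__main__":
    print("server reply, as dumped :", server_reply_egress(CLIENT))
    print("same packet, mark 0x10000:", lookup(CLIENT, 0x10000))
```

In this model the unmarked reply matches `128.0.0.0/1` in table main and leaves via tun0, which agrees with the tcpdump check suggested above; only a packet that actually carries mark 0x10000 reaches table 201 and eth0.2.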

Running tcpdump shows incoming and outgoing traffic. Incoming shows phone ip > my home ip, outgoing shows PIA vpn ip > phone ip. So traffic is getting ninja'd.

iptables -t nat -L -vn | grep "0x10000" does not return anything, including the entire thing just to be sure:

Chain PREROUTING (policy ACCEPT 832 packets, 220K bytes)
 pkts bytes target     prot opt in     out     source               destination
  832  220K prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom prerouting rule chain */
    0     0 zone_lan_prerouting  all  --  tun1   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  777  215K zone_lan_prerouting  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_prerouting  all  --  tun0   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
   55  5061 zone_wan_prerouting  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain INPUT (policy ACCEPT 124 packets, 10049 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 218 packets, 15603 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 32 packets, 2147 bytes)
 pkts bytes target     prot opt in     out     source               destination
  897  217K postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom postrouting rule chain */
    0     0 zone_lan_postrouting  all  --  *      tun1    0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_lan_postrouting  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  865  215K zone_wan_postrouting  all  --  *      tun0    0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_postrouting  all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain postrouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_lan_postrouting (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 postrouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan postrouting rule chain */
    0     0 SNAT       tcp  --  *      *       192.168.0.0/24       192.168.0.141        tcp dpt:51413 /* !fw3: transmission (reflection) */ to:192.168.0.1
    0     0 SNAT       udp  --  *      *       192.168.0.0/24       192.168.0.141        udp dpt:51413 /* !fw3: transmission (reflection) */ to:192.168.0.1

Chain zone_lan_prerouting (2 references)
 pkts bytes target     prot opt in     out     source               destination
  777  215K prerouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan prerouting rule chain */
    0     0 DNAT       tcp  --  *      *       192.168.0.0/24       163.158.129.181      tcp dpt:51413 /* !fw3: transmission (reflection) */ to:192.168.0.141:51413
    0     0 DNAT       udp  --  *      *       192.168.0.0/24       163.158.129.181      udp dpt:51413 /* !fw3: transmission (reflection) */ to:192.168.0.141:51413

Chain zone_wan_postrouting (2 references)
 pkts bytes target     prot opt in     out     source               destination
  865  215K postrouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan postrouting rule chain */
  865  215K MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_prerouting (2 references)
 pkts bytes target     prot opt in     out     source               destination
   55  5061 prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan prerouting rule chain */
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:51413 /* !fw3: transmission */ to:192.168.0.141:51413
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51413 /* !fw3: transmission */ to:192.168.0.141:51413

I am sorry, it is in mangle table, not nat.
iptables -t mangle -L -vn | grep "0x10000"


    0     0 MARK       all  --  *      *       0.0.0.0/0            207.45.72.215        /* netflix_nflximg_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            207.45.72.215        /* netflix_nflximg_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            54.89.245.208        /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            54.89.245.208        /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            184.73.192.76        /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            184.73.192.76        /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.18.140.121        /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.18.140.121        /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            50.17.247.31         /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            50.17.247.31         /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.16.244.17         /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.16.244.17         /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.17.14.207         /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.17.14.207         /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.32.240.186        /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.32.240.186        /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.32.140.41         /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.32.140.41         /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.32.78.165         /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.32.78.165         /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            207.45.72.215        /* netflix_nflxext_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            207.45.72.215        /* netflix_nflxext_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.51.252.111        /* netflix_netflix_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.51.252.111        /* netflix_netflix_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.30.103.23         /* netflix_netflix_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.30.103.23         /* netflix_netflix_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            54.77.143.196        /* netflix_netflix_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            54.77.143.196        /* netflix_netflix_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.17.219.77         /* netflix_netflix_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.17.219.77         /* netflix_netflix_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            34.252.179.162       /* netflix_netflix_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            34.252.179.162       /* netflix_netflix_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.18.15.9           /* netflix_netflix_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.18.15.9           /* netflix_netflix_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            34.242.59.189        /* netflix_netflix_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            34.242.59.189        /* netflix_netflix_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.208.245.169       /* netflix_netflix_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.208.245.169       /* netflix_netflix_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport sports 1194 /* vpn_server */ MARK xset 0x10000/0xff0000
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport sports 1194 /* vpn_server */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set wan dst MARK xset 0x10000/0xff0000

The counters (first two columns) are both 0. This means that nothing was marked in order to use the desired gateway.
Did you recently restart the firewall or clear the counters?
If you try to connect with the Android do you see the counters grow?
Or if you try to watch Netflix?
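
The counter check discussed above can be scripted. This is an added example, not part of the original posts: it sums the packet counters of every rule that sets a given mark, grouped by chain and policy comment, and lists the policies that never matched. The sample input, the chain name `EXAMPLE_PREROUTING` and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the format of `iptables -t mangle -L -vn`, modelled on
# the output in this thread. The chain name and the 12K line are made up.
sample_mangle() {
cat <<'EOF'
Chain EXAMPLE_PREROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport sports 1194 /* vpn_server */ MARK xset 0x10000/0xff0000
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport sports 1194 /* vpn_server */ MARK xset 0x10000/0xff0000
   21  1932 MARK       all  --  *      *       0.0.0.0/0            52.49.120.6          /* netflix_netflix_com */ MARK xset 0x10000/0xff0000
  12K  900K MARK       all  --  *      *       0.0.0.0/0            52.48.104.170        /* netflix_netflix_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set wan dst MARK xset 0x10000/0xff0000
EOF
}

# Sum packet counters per chain and policy comment for rules setting mark $1.
# Prints: chain <TAB> policy <TAB> packets
mark_hits() {
    awk -v mark="$1" '
        function expand(v,   u) {   # counters are abbreviated (12K) without -x
            u = substr(v, length(v))
            if (u == "K") return substr(v, 1, length(v) - 1) * 1000
            if (u == "M") return substr(v, 1, length(v) - 1) * 1000000
            if (u == "G") return substr(v, 1, length(v) - 1) * 1000000000
            return v + 0
        }
        $1 == "Chain" { chain = $2; next }
        $3 == "MARK" && index($0, "MARK xset " mark "/") {
            s = index($0, "/* "); e = index($0, " */")
            name = (s && e > s) ? substr($0, s + 3, e - s - 3) : "(no comment)"
            key = chain "\t" name
            if (!(key in pkts)) order[++cnt] = key
            pkts[key] += expand($1)
        }
        END { for (i = 1; i <= cnt; i++) print order[i] "\t" pkts[order[i]] }
    '
}

# Policies whose mark rules never matched a packet.
unhit_policies() {
    mark_hits "$1" | awk -F '\t' '$3 == 0 { print $2 " (" $1 ")" }'
}

sample_mangle | unhit_policies 0x10000
```

On the router, feed it live output after generating the traffic in question: `iptables -t mangle -L -vn | unhit_policies 0x10000`. Because the chain is part of each result, it also shows whether a policy's rules sit in a chain that the traffic actually traverses.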

once again thanks for all your help

this is after rebooting and then running netflix and connecting with android, so netflix works, but 1194 is ignored somehow?

    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport sports 1194 /* vpn_server */ MARK xset 0x10000/0xff0000
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport sports 1194 /* vpn_server */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            207.45.72.215        /* netflix_nflximg_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            207.45.72.215        /* netflix_nflximg_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.32.140.41         /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.32.140.41         /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.18.140.121        /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.18.140.121        /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            184.73.192.76        /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            184.73.192.76        /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.17.14.207         /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.17.14.207         /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.32.78.165         /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.32.78.165         /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.32.240.186        /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.32.240.186        /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            54.89.245.208        /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            54.89.245.208        /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.16.244.17         /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.16.244.17         /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            50.17.247.31         /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            50.17.247.31         /* netflix_nflxvideo_net */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            207.45.72.215        /* netflix_nflxext_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            207.45.72.215        /* netflix_nflxext_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.31.5.242          /* netflix_netflix_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.31.5.242          /* netflix_netflix_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            54.171.21.76         /* netflix_netflix_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            54.171.21.76         /* netflix_netflix_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            54.77.162.193        /* netflix_netflix_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            54.77.162.193        /* netflix_netflix_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.51.246.114        /* netflix_netflix_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.51.246.114        /* netflix_netflix_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            54.76.60.39          /* netflix_netflix_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            54.76.60.39          /* netflix_netflix_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.30.12.70          /* netflix_netflix_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.30.12.70          /* netflix_netflix_com */ MARK xset 0x10000/0xff0000
   21  1932 MARK       all  --  *      *       0.0.0.0/0            52.49.120.6          /* netflix_netflix_com */ MARK xset 0x10000/0xff0000
   21  1932 MARK       all  --  *      *       0.0.0.0/0            52.49.120.6          /* netflix_netflix_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.48.104.170        /* netflix_netflix_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            52.48.104.170        /* netflix_netflix_com */ MARK xset 0x10000/0xff0000
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set wan dst MARK xset 0x10000/0xff0000

something else i noticed,
if i tracert netflix.com from my pc, this happens

Tracing route to netflix.com [52.49.120.6]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  [192.168.0.1]
  2     1 ms     1 ms     1 ms  002-112-158-163.dynamic.caiway.nl [163.158.112.2]
  3     3 ms     2 ms     2 ms  cn-asd-kl-cr15-be2003-2010.caiw.net [62.45.30.229]

if i traceroute from router the following happens:

traceroute to netflix.com (52.31.109.246), 30 hops max, 46 byte packets
 1  10.40.10.1 (10.40.10.1)  2.736 ms  2.689 ms  2.589 ms
 2  109.201.154.254 (109.201.154.254)  4.335 ms  2.806 ms  2.767 ms
 3  185.107.116.21 (185.107.116.21)  3.241 ms  3.211 ms  3.053 ms
 4  amsix02-ams1.amazon.com (80.249.210.217)  3.892 ms  4.760 ms  3.822 ms
 5  54.239.114.12 (54.239.114.12)  6.480 ms  54.239.114.60 (54.239.114.60)  7.496 ms  54.239.114.48 (54.239.114.48)  11.206 ms
 6  54.239.114.69 (54.239.114.69)  3.705 ms  54.239.114.91 (54.239.114.91)  3.655 ms  52.93.0.41 (52.93.0.41)  4.035 ms

so again my ip vs PIA ip. dunno if this is related or even expected, just thought i'd mention it.

Very good remark! Locally generated packets should not be marked in Prerouting, but in Output!
Add the following rule and test:

config policy
	option interface 'wan'
	option name 'vpn server'
	option local_port '1194'
	option chain 'OUTPUT'
	option proto 'udp'