Openvpn client and server policy routing not working

Very good remark! Locally generated packets should not be marked in Prerouting, but in Output!
Add the following rule and test:

config policy
	option interface 'wan'
	option name 'vpn server'
	option local_port '1194'
	option chain 'OUTPUT'
	option proto 'udp'

Ok, did that, still waiting on server.

tcpdump still shows traffic on eth0.2, but traffic on tun0 is gone.

Things seem to be happening here as well:

 43  3790 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport sports 1194 /* vpn_server */ MARK xset 0x10000/0xff0000

I checked tcpdump on tun1 as well; no traffic.

So I suppose now you are able to connect from the Android to the VPN server at home without issues?

Nope, still "waiting on server".

Can you post the output of the tcpdump from eth0.2 while trying to connect from the android?

tcpdump -i eth0.2 -vvn udp port 1194
tcpdump: listening on eth0.2, link-type EN10MB (Ethernet), capture size 262144 bytes
14:50:33.914765 IP (tos 0x0, ttl 52, id 33155, offset 0, flags [DF], proto UDP (17), length 82)
    89.205.133.1.31634 > 163.158.129.181.1194: [udp sum ok] UDP, length 54
14:50:35.678542 IP (tos 0x0, ttl 52, id 33368, offset 0, flags [DF], proto UDP (17), length 82)
    89.205.133.1.31634 > 163.158.129.181.1194: [udp sum ok] UDP, length 54
14:50:39.864167 IP (tos 0x0, ttl 52, id 34330, offset 0, flags [DF], proto UDP (17), length 82)
    89.205.133.1.31634 > 163.158.129.181.1194: [udp sum ok] UDP, length 54
14:50:47.863611 IP (tos 0x0, ttl 52, id 35650, offset 0, flags [DF], proto UDP (17), length 82)
    89.205.133.1.31634 > 163.158.129.181.1194: [udp sum ok] UDP, length 54
14:51:06.328063 IP (tos 0x0, ttl 52, id 38845, offset 0, flags [DF], proto UDP (17), length 82)
    89.205.133.1.31634 > 163.158.129.181.1194: [udp sum ok] UDP, length 54
^C
5 packets captured
5 packets received by filter
0 packets dropped by kernel

That's it; after 60 seconds the Android client retries, and the same thing happens again.

14  1208 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport sports 1194 /* vpn_server */ MARK xset 0x10000/0xff0000

Is there anything in the logs about why the packets were dropped? If you cannot see the replies going out of either eth0.2 or tun0, then they must be dropped.

I've added logging to the firewall, but it's not showing any outgoing traffic being dropped.

	option log '1'
	option log_limit '5/second'

on both lan and wan zones

Tue Jul  9 07:57:09 2019 kern.warn kernel: [ 4257.963472] REJECT wan in: IN=eth0.2 OUT= MAC=18:03:73:ce:8d:19:a2:de:48:00:01:03:08:00 SRC=185.176.27.6 DST=163.158.129.181 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=35681 PROTO=TCP SPT=59852 DPT=4538 WINDOW=1024 RES=0x00 SYN URGP=0
Tue Jul  9 07:57:24 2019 kern.warn kernel: [ 4272.963325] REJECT wan in: IN=eth0.2 OUT= MAC=18:03:73:ce:8d:19:a2:de:48:00:01:03:08:00 SRC=185.176.27.6 DST=163.158.129.181 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=50277 PROTO=TCP SPT=59852 DPT=7302 WINDOW=1024 RES=0x00 SYN URGP=0
Tue Jul  9 07:58:14 2019 kern.warn kernel: [ 4322.178380] REJECT wan in: IN=eth0.2 OUT= MAC=18:03:73:ce:8d:19:a2:de:48:00:01:02:08:00 SRC=103.10.59.74 DST=163.158.129.181 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=21249 DF PROTO=TCP SPT=50165 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Tue Jul  9 07:58:14 2019 kern.warn kernel: [ 4322.848245] REJECT wan in: IN=eth0.2 OUT= MAC=18:03:73:ce:8d:19:a2:de:48:00:01:03:08:00 SRC=208.93.152.20 DST=163.158.129.181 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=54321 PROTO=TCP SPT=45330 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Tue Jul  9 07:58:22 2019 kern.warn kernel: [ 4330.410021] REJECT wan in: IN=eth0.2 OUT= MAC=18:03:73:ce:8d:19:a2:de:48:00:01:02:08:00 SRC=46.3.96.66 DST=163.158.129.181 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=36527 PROTO=TCP SPT=59218 DPT=1973 WINDOW=1024 RES=0x00 SYN URGP=0
Tue Jul  9 07:58:29 2019 kern.warn kernel: [ 4337.231951] REJECT wan in: IN=eth0.2 OUT= MAC=18:03:73:ce:8d:19:a2:de:48:00:01:03:08:00 SRC=185.222.211.114 DST=163.158.129.181 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=32026 PROTO=TCP SPT=41610 DPT=9029 WINDOW=1024 RES=0x00 SYN URGP=0
Tue Jul  9 07:59:10 2019 kern.warn kernel: [ 4378.947436] REJECT wan in: IN=eth0.2 OUT= MAC=18:03:73:ce:8d:19:a2:de:48:00:01:03:08:00 SRC=185.176.27.6 DST=163.158.129.181 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=64008 PROTO=TCP SPT=59852 DPT=7313 WINDOW=1024 RES=0x00 SYN URGP=0
Tue Jul  9 07:59:17 2019 kern.warn kernel: [ 4385.285522] REJECT wan in: IN=eth0.2 OUT= MAC=18:03:73:ce:8d:19:a2:de:48:00:01:02:08:00 SRC=185.30.46.245 DST=163.158.129.181 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=32460 DF PROTO=TCP SPT=42525 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
Tue Jul  9 07:59:25 2019 kern.warn kernel: [ 4393.274918] REJECT wan in: IN=eth0.2 OUT= MAC=18:03:73:ce:8d:19:a2:de:48:00:01:03:08:00 SRC=185.176.27.6 DST=163.158.129.181 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=2280 PROTO=TCP SPT=59852 DPT=7158 WINDOW=1024 RES=0x00 SYN URGP=0
Tue Jul  9 07:59:47 2019 kern.warn kernel: [ 4416.081249] REJECT wan in: IN=eth0.2 OUT= MAC=18:03:73:ce:8d:19:a2:de:48:00:01:03:08:00 SRC=185.176.27.6 DST=163.158.129.181 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=33043 PROTO=TCP SPT=59852 DPT=4413 WINDOW=1024 RES=0x00 SYN URGP=0
Tue Jul  9 07:59:51 2019 kern.warn kernel: [ 4419.987715] REJECT wan in: IN=eth0.2 OUT= MAC=18:03:73:ce:8d:19:a2:de:48:00:01:03:08:00 SRC=45.227.254.26 DST=163.158.129.181 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=56947 PROTO=TCP SPT=8080 DPT=2018 WINDOW=1024 RES=0x00 SYN URGP=0
Tue Jul  9 08:00:19 2019 kern.warn kernel: [ 4447.108260] REJECT wan in: IN=eth0.2 OUT= MAC=18:03:73:ce:8d:19:a2:de:48:00:01:02:08:00 SRC=37.49.231.107 DST=163.158.129.181 LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=30232 PROTO=TCP SPT=59210 DPT=5038 WINDOW=1024 RES=0x00 SYN URGP=0
Tue Jul  9 08:00:20 2019 kern.warn kernel: [ 4448.836014] REJECT wan in: IN=eth0.2 OUT= MAC=18:03:73:ce:8d:19:a2:de:48:00:01:02:08:00 SRC=196.52.43.119 DST=163.158.129.181 LEN=44 TOS=0x00 PREC=0x00 TTL=250 ID=52751 PROTO=TCP SPT=55336 DPT=5901 WINDOW=1024 RES=0x00 SYN URGP=0
Tue Jul  9 08:00:47 2019 kern.warn kernel: [ 4475.331833] REJECT wan in: IN=eth0.2 OUT= MAC=18:03:73:ce:8d:19:a2:de:48:00:01:02:08:00 SRC=92.119.160.105 DST=163.158.129.181 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=2386 PROTO=TCP SPT=56073 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0

Can you try one more time on all interfaces to verify that no response is sent back?

tcpdump -i any -vvn udp port 1194
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
10:49:38.811450 ethertype IPv4, IP (tos 0x0, ttl 52, id 27774, offset 0, flags [DF], proto UDP (17), length 82)
    89.205.130.241.5486 > 163.158.129.181.1194: [udp sum ok] UDP, length 54
10:49:38.811450 IP (tos 0x0, ttl 52, id 27774, offset 0, flags [DF], proto UDP (17), length 82)
    89.205.130.241.5486 > 163.158.129.181.1194: [udp sum ok] UDP, length 54
10:49:43.672525 ethertype IPv4, IP (tos 0x0, ttl 52, id 27957, offset 0, flags [DF], proto UDP (17), length 82)
    89.205.130.241.5487 > 163.158.129.181.1194: [udp sum ok] UDP, length 54
10:49:43.672525 IP (tos 0x0, ttl 52, id 27957, offset 0, flags [DF], proto UDP (17), length 82)
    89.205.130.241.5487 > 163.158.129.181.1194: [udp sum ok] UDP, length 54
10:49:44.791365 ethertype IPv4, IP (tos 0x0, ttl 52, id 28061, offset 0, flags [DF], proto UDP (17), length 82)
    89.205.130.241.5487 > 163.158.129.181.1194: [udp sum ok] UDP, length 54
10:49:44.791365 IP (tos 0x0, ttl 52, id 28061, offset 0, flags [DF], proto UDP (17), length 82)
    89.205.130.241.5487 > 163.158.129.181.1194: [udp sum ok] UDP, length 54
10:49:49.271460 ethertype IPv4, IP (tos 0x0, ttl 52, id 28086, offset 0, flags [DF], proto UDP (17), length 82)
    89.205.130.241.5487 > 163.158.129.181.1194: [udp sum ok] UDP, length 54
10:49:49.271460 IP (tos 0x0, ttl 52, id 28086, offset 0, flags [DF], proto UDP (17), length 82)
    89.205.130.241.5487 > 163.158.129.181.1194: [udp sum ok] UDP, length 54
10:49:57.901193 ethertype IPv4, IP (tos 0x0, ttl 52, id 29535, offset 0, flags [DF], proto UDP (17), length 82)
    89.205.130.241.5487 > 163.158.129.181.1194: [udp sum ok] UDP, length 54
10:49:57.901193 IP (tos 0x0, ttl 52, id 29535, offset 0, flags [DF], proto UDP (17), length 82)
    89.205.130.241.5487 > 163.158.129.181.1194: [udp sum ok] UDP, length 54
10:50:12.866432 ethertype IPv4, IP (tos 0x0, ttl 52, id 32299, offset 0, flags [DF], proto UDP (17), length 82)
    89.205.130.241.5487 > 163.158.129.181.1194: [udp sum ok] UDP, length 54
10:50:12.866432 IP (tos 0x0, ttl 52, id 32299, offset 0, flags [DF], proto UDP (17), length 82)
    89.205.130.241.5487 > 163.158.129.181.1194: [udp sum ok] UDP, length 54

 26  2256 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport sports 1194 /* vpn_server */ MARK xset 0x10000/0xff0000

@vgaetera any ideas? Looks like the policy routing for the OUTPUT is blackholing the packets, although according to the MARK they should be routed out of the wan (eth0.2).
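A way to automate the check vgaetera asked for (requests arriving, nothing leaving), as an added example that is not part of the thread: it parses `tcpdump -vvn` output, collapses the duplicate record that `-i any` prints for every packet, and lists the client flows to port 1194 that never saw a packet back from the server. The first sample is copied from the capture above; the second is a constructed healthy exchange for contrast.

```python
"""Check a tcpdump capture for OpenVPN handshakes that got no reply.

Added example, not part of the thread. Parses the two-line records
that `tcpdump -vvn` prints, drops the duplicate that `-i any` emits
for every packet (cooked header line + plain IP line, same timestamp
and IP id), then counts packets per client flow in each direction.
"""
import re
from collections import defaultdict

SERVER_PORT = 1194

# Copied from the `tcpdump -i any -vvn udp port 1194` capture in the thread.
SAMPLE_NO_REPLY = """\
10:49:38.811450 ethertype IPv4, IP (tos 0x0, ttl 52, id 27774, offset 0, flags [DF], proto UDP (17), length 82)
    89.205.130.241.5486 > 163.158.129.181.1194: [udp sum ok] UDP, length 54
10:49:38.811450 IP (tos 0x0, ttl 52, id 27774, offset 0, flags [DF], proto UDP (17), length 82)
    89.205.130.241.5486 > 163.158.129.181.1194: [udp sum ok] UDP, length 54
10:49:43.672525 ethertype IPv4, IP (tos 0x0, ttl 52, id 27957, offset 0, flags [DF], proto UDP (17), length 82)
    89.205.130.241.5487 > 163.158.129.181.1194: [udp sum ok] UDP, length 54
10:49:43.672525 IP (tos 0x0, ttl 52, id 27957, offset 0, flags [DF], proto UDP (17), length 82)
    89.205.130.241.5487 > 163.158.129.181.1194: [udp sum ok] UDP, length 54
10:49:44.791365 ethertype IPv4, IP (tos 0x0, ttl 52, id 28061, offset 0, flags [DF], proto UDP (17), length 82)
    89.205.130.241.5487 > 163.158.129.181.1194: [udp sum ok] UDP, length 54
10:49:44.791365 IP (tos 0x0, ttl 52, id 28061, offset 0, flags [DF], proto UDP (17), length 82)
    89.205.130.241.5487 > 163.158.129.181.1194: [udp sum ok] UDP, length 54
"""

# Constructed (not from the thread): what the start of a healthy handshake looks like.
SAMPLE_HEALTHY = """\
11:02:10.000100 IP (tos 0x0, ttl 52, id 100, offset 0, flags [DF], proto UDP (17), length 82)
    89.205.130.241.5500 > 163.158.129.181.1194: [udp sum ok] UDP, length 54
11:02:10.000900 IP (tos 0x0, ttl 64, id 101, offset 0, flags [DF], proto UDP (17), length 82)
    163.158.129.181.1194 > 89.205.130.241.5500: [udp sum ok] UDP, length 54
"""

HEADER = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?:ethertype IPv4, )?IP \(.*?\bid (?P<id>\d+),")
FLOW = re.compile(
    r"^\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r".*length (?P<len>\d+)$"
)


def parse_packets(text):
    """Return one (ts, src, sport, dst, dport, length) tuple per distinct packet."""
    lines = text.splitlines()
    packets, seen, i = [], set(), 0
    while i + 1 < len(lines):
        h, f = HEADER.match(lines[i]), FLOW.match(lines[i + 1])
        if not (h and f):
            i += 1  # not a record boundary; resync on the next line
            continue
        key = (h["ts"], h["id"])
        if key not in seen:  # second copy produced by the cooked 'any' interface
            seen.add(key)
            packets.append((h["ts"], f["src"], int(f["sport"]),
                            f["dst"], int(f["dport"]), int(f["len"])))
        i += 2
    return packets


def flow_summary(packets, server_port=SERVER_PORT):
    """Per (client, client_port, server): packets towards and back from the server."""
    flows = defaultdict(lambda: {"to_server": 0, "from_server": 0})
    for _, src, sport, dst, dport, _ in packets:
        if dport == server_port:
            flows[(src, sport, dst)]["to_server"] += 1
        elif sport == server_port:
            flows[(dst, dport, src)]["from_server"] += 1
    return dict(flows)


def unanswered(packets, server_port=SERVER_PORT):
    """Client flows that sent to the server and never saw a packet back."""
    return sorted(k for k, v in flow_summary(packets, server_port).items()
                  if v["to_server"] and not v["from_server"])


if __name__ == "__main__":
    for name, text in [("thread capture", SAMPLE_NO_REPLY), ("constructed", SAMPLE_HEALTHY)]:
        pkts = parse_packets(text)
        print(f"{name}: {len(pkts)} packets, unanswered flows: {unanswered(pkts)}")
```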

@SPOooON could you please post once again all the configs and show commands to have an updated status?

uci show network; uci show firewall; \
ip -4 addr ; ip -4 ru; \
ip -4 ro ls tab all; iptables-save

Plus the config of policy-based routing. I think the OpenVPN configs were not altered from the first post.

network

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdba:e4fa:f2e8::/48'
network.lan=interface
network.lan.proto='static'
network.lan.ifname='eth0'
network.lan.ipaddr='192.168.0.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.dns='209.222.18.218 209.222.18.222'
network.wan=interface
network.wan.proto='dhcp'
network.wan.ifname='eth0.2'
network.wan.peerdns='0'
network.wan.dns='209.222.18.222 209.222.18.218'
network.PIA_VPN=interface
network.PIA_VPN.proto='none'
network.PIA_VPN.ifname='tun0'
network.VPN_SERVER=interface
network.VPN_SERVER.proto='none'
network.VPN_SERVER.ifname='tun1'

firewall

root@OpenWrt:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].drop_invalid='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].log='1'
firewall.@zone[0].log_limit='5/second'
firewall.@zone[0].network='VPN_SERVER lan'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[1]=zone
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].name='wan'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].log='1'
firewall.@zone[1].log_limit='5/second'
firewall.@zone[1].network='PIA_VPN wan'
firewall.vpn=rule
firewall.vpn.name='Allow-OpenVPN'
firewall.vpn.src='wan'
firewall.vpn.target='ACCEPT'
firewall.vpn.proto='tcp udp'
firewall.vpn.dest_port='1194'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].proto='tcp udp'
firewall.@redirect[0].src_dport='51413'
firewall.@redirect[0].dest_ip='192.168.0.141'
firewall.@redirect[0].dest_port='51413'
firewall.@redirect[0].name='transmission'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[0].src='lan'

policy routing

vpn-policy-routing.@policy[0]=policy
vpn-policy-routing.@policy[0].chain='PREROUTING'
vpn-policy-routing.@policy[0].interface='wan'
vpn-policy-routing.@policy[0].name='netflix'
vpn-policy-routing.@policy[0].remote_address='netflix.com nflxext.com nflxvideo.net nflximg.com'
vpn-policy-routing.@policy[0].proto='tcp udp'
vpn-policy-routing.config=vpn-policy-routing
vpn-policy-routing.config.verbosity='2'
vpn-policy-routing.config.ipv6_enabled='0'
vpn-policy-routing.config.strict_enforcement='1'
vpn-policy-routing.config.boot_timeout='30'
vpn-policy-routing.config.output_chain_enabled='1'
vpn-policy-routing.config.dnsmasq_enabled='1'
vpn-policy-routing.config.proto_control='1'
vpn-policy-routing.config.chain_control='1'
vpn-policy-routing.config.ignored_interface='VPN_SERVER'
vpn-policy-routing.config.enabled='1'
vpn-policy-routing.@policy[1]=policy
vpn-policy-routing.@policy[1].interface='wan'
vpn-policy-routing.@policy[1].local_port='1194'
vpn-policy-routing.@policy[1].name='vpn server'
vpn-policy-routing.@policy[1].proto='tcp udp'
vpn-policy-routing.@policy[1].chain='OUTPUT'
vpn-policy-routing.@policy[2]=policy
vpn-policy-routing.@policy[2].chain='PREROUTING'
vpn-policy-routing.@policy[2].interface='wan'
vpn-policy-routing.@policy[2].name='vpn server 2'
vpn-policy-routing.@policy[2].local_port='1194'
vpn-policy-routing.@policy[2].proto='tcp udp'

ip magicks

root@OpenWrt:~# ip -4 addr ; ip -4 ru; \
> ip -4 ro ls tab all; iptables-save
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
       valid_lft forever preferred_lft forever
3: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 163.158.129.181/20 brd 163.158.143.255 scope global eth0.2
       valid_lft forever preferred_lft forever
69: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 192.168.8.1/24 brd 192.168.8.255 scope global tun1
       valid_lft forever preferred_lft forever
71: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.27.10.6 peer 10.27.10.5/32 scope global tun0
       valid_lft forever preferred_lft forever
0:      from all lookup local
32718:  from all fwmark 0x20000 lookup 202
32719:  from all fwmark 0x10000 lookup 201
32766:  from all lookup main
32767:  from all lookup default
default via 163.158.128.1 dev eth0.2 table 201
default via 10.27.10.5 dev tun0 table 202
0.0.0.0/1 via 10.27.10.5 dev tun0
default via 163.158.128.1 dev eth0.2 proto static src 163.158.129.181
10.27.10.1 via 10.27.10.5 dev tun0
10.27.10.5 dev tun0 proto kernel scope link src 10.27.10.6
46.166.186.241 via 163.158.128.1 dev eth0.2
128.0.0.0/1 via 10.27.10.5 dev tun0
163.158.128.0/20 dev eth0.2 proto kernel scope link src 163.158.129.181
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1
192.168.8.0/24 dev tun1 proto kernel scope link src 192.168.8.1
local 10.27.10.6 dev tun0 table local proto kernel scope host src 10.27.10.6
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 163.158.128.0 dev eth0.2 table local proto kernel scope link src 163.158.129.181
local 163.158.129.181 dev eth0.2 table local proto kernel scope host src 163.158.129.181
broadcast 163.158.143.255 dev eth0.2 table local proto kernel scope link src 163.158.129.181
broadcast 192.168.0.0 dev eth0 table local proto kernel scope link src 192.168.0.1
local 192.168.0.1 dev eth0 table local proto kernel scope host src 192.168.0.1
broadcast 192.168.0.255 dev eth0 table local proto kernel scope link src 192.168.0.1
broadcast 192.168.8.0 dev tun1 table local proto kernel scope link src 192.168.8.1
local 192.168.8.1 dev tun1 table local proto kernel scope host src 192.168.8.1
broadcast 192.168.8.255 dev tun1 table local proto kernel scope link src 192.168.8.1
# Generated by iptables-save v1.6.2 on Tue Jul  9 11:08:02 2019
*nat
:PREROUTING ACCEPT [883:257457]
:INPUT ACCEPT [150:12550]
:OUTPUT ACCEPT [172:12437]
:POSTROUTING ACCEPT [8:490]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i tun1 -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o tun1 -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_postrouting -s 192.168.0.0/24 -d 192.168.0.141/32 -p tcp -m tcp --dport 51413 -m comment --comment "!fw3: transmission (reflection)" -j SNAT --to-source 192.168.0.1
-A zone_lan_postrouting -s 192.168.0.0/24 -d 192.168.0.141/32 -p udp -m udp --dport 51413 -m comment --comment "!fw3: transmission (reflection)" -j SNAT --to-source 192.168.0.1
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_lan_prerouting -s 192.168.0.0/24 -d 163.158.129.181/32 -p tcp -m tcp --dport 51413 -m comment --comment "!fw3: transmission (reflection)" -j DNAT --to-destination 192.168.0.141:51413
-A zone_lan_prerouting -s 192.168.0.0/24 -d 163.158.129.181/32 -p udp -m udp --dport 51413 -m comment --comment "!fw3: transmission (reflection)" -j DNAT --to-destination 192.168.0.141:51413
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp --dport 51413 -m comment --comment "!fw3: transmission" -j DNAT --to-destination 192.168.0.141:51413
-A zone_wan_prerouting -p udp -m udp --dport 51413 -m comment --comment "!fw3: transmission" -j DNAT --to-destination 192.168.0.141:51413
COMMIT
# Completed on Tue Jul  9 11:08:02 2019
# Generated by iptables-save v1.6.2 on Tue Jul  9 11:08:02 2019
*mangle
:PREROUTING ACCEPT [52281:45341364]
:INPUT ACCEPT [21835:23062861]
:FORWARD ACCEPT [30446:22278503]
:OUTPUT ACCEPT [11709:2876061]
:POSTROUTING ACCEPT [42133:25153420]
:VPR_FORWARD - [0:0]
:VPR_INPUT - [0:0]
:VPR_OUTPUT - [0:0]
:VPR_PREROUTING - [0:0]
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A VPR_OUTPUT -p udp -m multiport --sports 1194 -m comment --comment vpn_server -j MARK --set-xmark 0x10000/0xff0000
-A VPR_OUTPUT -p tcp -m multiport --sports 1194 -m comment --comment vpn_server -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -p udp -m multiport --sports 1194 -m comment --comment vpn_server_2 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -p tcp -m multiport --sports 1194 -m comment --comment vpn_server_2 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 207.45.72.215/32 -m comment --comment netflix_nflximg_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 207.45.72.215/32 -m comment --comment netflix_nflximg_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.32.78.165/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.32.78.165/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 54.89.245.208/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 54.89.245.208/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.32.140.41/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.32.140.41/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 50.17.247.31/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 50.17.247.31/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.16.244.17/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.16.244.17/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.18.140.121/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.18.140.121/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.32.240.186/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.32.240.186/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 184.73.192.76/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 184.73.192.76/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.17.14.207/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.17.14.207/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 207.45.72.215/32 -m comment --comment netflix_nflxext_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 207.45.72.215/32 -m comment --comment netflix_nflxext_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 54.171.21.76/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 54.171.21.76/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 54.76.60.39/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 54.76.60.39/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.51.246.114/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.51.246.114/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.49.120.6/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.49.120.6/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.30.12.70/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.30.12.70/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.48.104.170/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.48.104.170/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.31.5.242/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.31.5.242/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 54.77.162.193/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 54.77.162.193/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -m set --match-set PIA_VPN dst -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -j MARK --set-xmark 0x10000/0xff0000
COMMIT
# Completed on Tue Jul  9 11:08:02 2019
# Generated by iptables-save v1.6.2 on Tue Jul  9 11:08:02 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i tun1 -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
-A FORWARD -i tun1 -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
-A OUTPUT -o tun1 -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o tun1 -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i tun1 -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_src_ACCEPT -i eth0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o tun0 -m limit --limit 5/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT wan out: "
-A zone_wan_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o eth0.2 -m limit --limit 5/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT wan out: "
-A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i tun0 -m limit --limit 5/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT wan in: "
-A zone_wan_src_REJECT -i tun0 -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth0.2 -m limit --limit 5/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT wan in: "
-A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Tue Jul  9 11:08:02 2019

I don't really use VPR, so I'm not sure.
Probably the OP should update the VPR package and verify that the VPN server is listening on that port.
Add some iptables logging rules; perhaps it will help to see the packets and troubleshoot the issue.

What about this?


Yeah, I was going through the documentation and noticed the same:

The following policy allows you to run an OpenVPN server on router (at port 1194) if you're already running a tunnel with default routing set.

option append_local_rules '! -d 192.168.200.0/24' # from your VPN Server settings
config policy
  option name 'OpenVPN Server'
  option interface 'wan'
  option local_port '1194'
  option chain 'OUTPUT'

So @SPOooON in your case modify the rule to exclude 192.168.8.0/24


Adding option append_local_rules '! -d 192.168.8.0/24' didn't help, still "waiting on server".

If you mean logging discarded packets, we already tried that.

I googled iptables logging but I didn't really understand it :nerd_face:

iptables -t mangle -I INPUT -p udp -m udp --dport 1194 -j LOG --log-prefix "iptables:mangle:INPUT: "
iptables -t mangle -I OUTPUT -p udp -m udp --sport 1194 -j LOG --log-prefix "iptables:mangle:OUTPUT: "
iptables -t filter -I INPUT -p udp -m udp --dport 1194 -j LOG --log-prefix "iptables:filter:INPUT: "
iptables -t filter -I OUTPUT -p udp -m udp --sport 1194 -j LOG --log-prefix "iptables:filter:OUTPUT: "
# Try to reconnect
logread -e iptables:.*:INPUT | tail
logread -e iptables:.*:OUTPUT | tail

logread -e iptables:.*:INPUT | tail
Wed Jul 10 08:02:22 2019 kern.warn kernel: [  112.140289] iptables:mangle:INPUT: IN=eth0.2 OUT= MAC=18:03:73:ce:8d:19:a2:de:48:00:01:02:08:00 SRC=84.241.195.186 DST=163.158.129.181 LEN=82 TOS=0x00 PREC=0x00 TTL=52 ID=42333 DF PROTO=UDP SPT=32749 DPT=1194 LEN=62
Wed Jul 10 08:02:22 2019 kern.warn kernel: [  112.159721] iptables:filter:INPUT: IN=eth0.2 OUT= MAC=18:03:73:ce:8d:19:a2:de:48:00:01:02:08:00 SRC=84.241.195.186 DST=163.158.129.181 LEN=82 TOS=0x00 PREC=0x00 TTL=52 ID=42333 DF PROTO=UDP SPT=32749 DPT=1194 LEN=62
Wed Jul 10 08:02:24 2019 kern.warn kernel: [  114.267480] iptables:mangle:INPUT: IN=eth0.2 OUT= MAC=18:03:73:ce:8d:19:a2:de:48:00:01:02:08:00 SRC=84.241.195.186 DST=163.158.129.181 LEN=82 TOS=0x00 PREC=0x00 TTL=52 ID=42847 DF PROTO=UDP SPT=32749 DPT=1194 LEN=62
Wed Jul 10 08:02:24 2019 kern.warn kernel: [  114.286918] iptables:filter:INPUT: IN=eth0.2 OUT= MAC=18:03:73:ce:8d:19:a2:de:48:00:01:02:08:00 SRC=84.241.195.186 DST=163.158.129.181 LEN=82 TOS=0x00 PREC=0x00 TTL=52 ID=42847 DF PROTO=UDP SPT=32749 DPT=1194 LEN=62
Wed Jul 10 08:02:29 2019 kern.warn kernel: [  118.513634] iptables:mangle:INPUT: IN=eth0.2 OUT= MAC=18:03:73:ce:8d:19:a2:de:48:00:01:02:08:00 SRC=84.241.195.186 DST=163.158.129.181 LEN=82 TOS=0x00 PREC=0x00 TTL=52 ID=43019 DF PROTO=UDP SPT=32749 DPT=1194 LEN=62
Wed Jul 10 08:02:29 2019 kern.warn kernel: [  118.533068] iptables:filter:INPUT: IN=eth0.2 OUT= MAC=18:03:73:ce:8d:19:a2:de:48:00:01:02:08:00 SRC=84.241.195.186 DST=163.158.129.181 LEN=82 TOS=0x00 PREC=0x00 TTL=52 ID=43019 DF PROTO=UDP SPT=32749 DPT=1194 LEN=62
Wed Jul 10 08:02:36 2019 kern.warn kernel: [  126.106980] iptables:mangle:INPUT: IN=eth0.2 OUT= MAC=18:03:73:ce:8d:19:a2:de:48:00:01:02:08:00 SRC=84.241.195.186 DST=163.158.129.181 LEN=82 TOS=0x00 PREC=0x00 TTL=52 ID=44691 DF PROTO=UDP SPT=32749 DPT=1194 LEN=62
Wed Jul 10 08:02:36 2019 kern.warn kernel: [  126.126417] iptables:filter:INPUT: IN=eth0.2 OUT= MAC=18:03:73:ce:8d:19:a2:de:48:00:01:02:08:00 SRC=84.241.195.186 DST=163.158.129.181 LEN=82 TOS=0x00 PREC=0x00 TTL=52 ID=44691 DF PROTO=UDP SPT=32749 DPT=1194 LEN=62
logread -e iptables:.*:OUTPUT | tail
Wed Jul 10 08:02:28 2019 kern.warn kernel: [  117.485732] iptables:mangle:OUTPUT: IN= OUT=tun0 SRC=10.2.10.6 DST=84.241.195.186 LEN=82 TOS=0x00 PREC=0x00 TTL=64 ID=19826 DF PROTO=UDP SPT=1194 DPT=32749 LEN=62
Wed Jul 10 08:02:28 2019 kern.warn kernel: [  117.500545] iptables:filter:OUTPUT: IN= OUT=tun0 SRC=10.2.10.6 DST=84.241.195.186 LEN=82 TOS=0x00 PREC=0x00 TTL=64 ID=19826 DF PROTO=UDP SPT=1194 DPT=32749 LEN=62 MARK=0x10000
Wed Jul 10 08:02:29 2019 kern.warn kernel: [  118.552587] iptables:mangle:OUTPUT: IN= OUT=tun0 SRC=10.2.10.6 DST=84.241.195.186 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=19889 DF PROTO=UDP SPT=1194 DPT=32749 LEN=70
Wed Jul 10 08:02:29 2019 kern.warn kernel: [  118.567408] iptables:filter:OUTPUT: IN= OUT=tun0 SRC=10.2.10.6 DST=84.241.195.186 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=19889 DF PROTO=UDP SPT=1194 DPT=32749 LEN=70 MARK=0x10000
Wed Jul 10 08:02:36 2019 kern.warn kernel: [  125.329383] iptables:mangle:OUTPUT: IN= OUT=tun0 SRC=10.2.10.6 DST=84.241.195.186 LEN=82 TOS=0x00 PREC=0x00 TTL=64 ID=20039 DF PROTO=UDP SPT=1194 DPT=32749 LEN=62
Wed Jul 10 08:02:36 2019 kern.warn kernel: [  125.344206] iptables:filter:OUTPUT: IN= OUT=tun0 SRC=10.2.10.6 DST=84.241.195.186 LEN=82 TOS=0x00 PREC=0x00 TTL=64 ID=20039 DF PROTO=UDP SPT=1194 DPT=32749 LEN=62 MARK=0x10000
Wed Jul 10 08:02:36 2019 kern.warn kernel: [  126.145950] iptables:mangle:OUTPUT: IN= OUT=tun0 SRC=10.2.10.6 DST=84.241.195.186 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=20114 DF PROTO=UDP SPT=1194 DPT=32749 LEN=70
Wed Jul 10 08:02:36 2019 kern.warn kernel: [  126.160775] iptables:filter:OUTPUT: IN= OUT=tun0 SRC=10.2.10.6 DST=84.241.195.186 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=20114 DF PROTO=UDP SPT=1194 DPT=32749 LEN=70 MARK=0x10000
Wed Jul 10 08:02:52 2019 kern.warn kernel: [  141.526750] iptables:mangle:OUTPUT: IN= OUT=tun0 SRC=10.2.10.6 DST=84.241.195.186 LEN=82 TOS=0x00 PREC=0x00 TTL=64 ID=21228 DF PROTO=UDP SPT=1194 DPT=32749 LEN=62
Wed Jul 10 08:02:52 2019 kern.warn kernel: [  141.541566] iptables:filter:OUTPUT: IN= OUT=tun0 SRC=10.2.10.6 DST=84.241.195.186 LEN=82 TOS=0x00 PREC=0x00 TTL=64 ID=21228 DF PROTO=UDP SPT=1194 DPT=32749 LEN=62 MARK=0x10000

So, it is marked correctly, but routed incorrectly.
It doesn't seem like mangle/OUTPUT can affect the routing decision for the local process:
https://en.wikipedia.org/wiki/Iptables#/media/File:Netfilter-packet-flow.svg
Try to mark the input traffic on the 1194/UDP in the mangle/PREROUTING.
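The reading above ("marked correctly, routed incorrectly") comes from eyeballing the logread output: the request arrives on eth0.2 addressed to 163.158.129.181, but the reply leaves on tun0 with source 10.2.10.6, even though filter:OUTPUT already shows MARK=0x10000. The script below is an added example, not something posted in this thread or shipped with VPR or OpenWrt. It pairs the LOG lines written by the four rules above by client address and source port and flags every reply whose outgoing interface or source address does not match the request it answers. The log lines inside it are constructed samples in the shape of the thread's output (the asymmetric client is the one from the thread; the second, symmetric client is made up to show the OK case). On the router you would pipe `logread -e iptables:filter` into it instead.

```shell
#!/bin/sh
# Added example (not from the thread): find OpenVPN replies that leave the router
# on a different interface, or with a different source address, than the request
# they answer. Input is the OpenWrt `logread` form of the iptables LOG target.

# Constructed sample: two clients. The first is shaped like the thread's output
# (request in on eth0.2, reply out on tun0 from the tun0 address); the second is
# an invented client whose reply correctly goes back out eth0.2 from the WAN address.
SAMPLE_LOG='Wed Jul 10 08:02:22 2019 kern.warn kernel: [  112.159721] iptables:filter:INPUT: IN=eth0.2 OUT= MAC=18:03:73:ce:8d:19:a2:de:48:00:01:02:08:00 SRC=84.241.195.186 DST=163.158.129.181 LEN=82 TOS=0x00 PREC=0x00 TTL=52 ID=42333 DF PROTO=UDP SPT=32749 DPT=1194 LEN=62
Wed Jul 10 08:02:28 2019 kern.warn kernel: [  117.500545] iptables:filter:OUTPUT: IN= OUT=tun0 SRC=10.2.10.6 DST=84.241.195.186 LEN=82 TOS=0x00 PREC=0x00 TTL=64 ID=19826 DF PROTO=UDP SPT=1194 DPT=32749 LEN=62 MARK=0x10000
Wed Jul 10 08:05:01 2019 kern.warn kernel: [  271.000100] iptables:filter:INPUT: IN=eth0.2 OUT= MAC=18:03:73:ce:8d:19:a2:de:48:00:01:02:08:00 SRC=89.205.133.1 DST=163.158.129.181 LEN=82 TOS=0x00 PREC=0x00 TTL=52 ID=50001 DF PROTO=UDP SPT=31634 DPT=1194 LEN=62
Wed Jul 10 08:05:01 2019 kern.warn kernel: [  271.010200] iptables:filter:OUTPUT: IN= OUT=eth0.2 SRC=163.158.129.181 DST=89.205.133.1 LEN=82 TOS=0x00 PREC=0x00 TTL=64 ID=50002 DF PROTO=UDP SPT=1194 DPT=31634 LEN=62 MARK=0x10000'

# check_reply_path: reads LOG lines on stdin, prints one verdict per client
# (client address:port as seen in the request). Verdicts: OK, ASYMMETRIC, NO_REPLY.
check_reply_path() {
    awk '
    # Split a LOG line into KEY=VALUE pairs; tokens without "=" (date, "DF") are skipped.
    function parse(line, kv,   n, i, tok, eq, k) {
        for (k in kv) delete kv[k]
        n = split(line, tok, " ")
        for (i = 1; i <= n; i++) {
            eq = index(tok[i], "=")
            if (eq > 0) kv[substr(tok[i], 1, eq - 1)] = substr(tok[i], eq + 1)
        }
    }
    # Request from a client to the server port: remember where it came in and what it was sent to.
    /iptables:filter:INPUT:/ && /DPT=1194/ {
        parse($0, kv)
        c = kv["SRC"] ":" kv["SPT"]
        in_if[c] = kv["IN"]; req_dst[c] = kv["DST"]
    }
    # Reply from the server port back to that client: remember interface, source and fwmark.
    /iptables:filter:OUTPUT:/ && /SPT=1194/ {
        parse($0, kv)
        c = kv["DST"] ":" kv["DPT"]
        out_if[c] = kv["OUT"]; reply_src[c] = kv["SRC"]
        mark[c] = ("MARK" in kv) ? kv["MARK"] : "none"
    }
    END {
        for (c in in_if) {
            if (!(c in out_if)) {
                printf "%s NO_REPLY in=%s\n", c, in_if[c]
            } else if (out_if[c] != in_if[c] || reply_src[c] != req_dst[c]) {
                # The reply would reach the client from an address/path it never talked to,
                # so the client keeps "waiting on server" even though the server answered.
                printf "%s ASYMMETRIC in=%s out=%s req_dst=%s reply_src=%s mark=%s\n",
                       c, in_if[c], out_if[c], req_dst[c], reply_src[c], mark[c]
            } else {
                printf "%s OK in=%s out=%s mark=%s\n", c, in_if[c], out_if[c], mark[c]
            }
        }
    }'
}

# Stand-alone run over the constructed sample; on the router use:
#   logread -e iptables:filter | check_reply_path
printf '%s\n' "$SAMPLE_LOG" | check_reply_path
```

The ASYMMETRIC line is the whole finding in one place: the mark is present but the packet still has the tun0 source address and exits tun0. A complementary check on the router itself, with no packets involved, is `ip rule show` followed by `ip route get 84.241.195.186 mark 0x10000`, which prints the route and source address the kernel picks for a marked reply to that client; if it still answers via tun0, the policy-routing rule for the mark is not selecting the WAN table.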


Though the iptables documentation states it should be mangle/OUTPUT:

I really really wish I knew what that means :sweat_smile:

This doesn't do anything:

config policy
	option interface 'wan'
	option name 'vpn server 2'
	option local_port '1194'
	option proto 'tcp udp'
	option chain 'PREROUTING'

It's what I had configured before Trendy said

If I am not mistaken there are currently 2 policies for UDP/1194, one in OUTPUT and one in PREROUTING.
You can try to add one more rule for INPUT.