OpenVPN Client on MyBookLive firewall setup

Hello, I am having trouble setting up the firewall on my MyBookLive running OpenWrt with OpenVPN connected as a client. I would like to be able to route all internet traffic from the MBL through the VPN while maintaining LAN access.

This is my configuration:

Fiber modem : 192.168.0.254/255.255.255.0 (also DHCP host)
MBL : 192.168.0.68/255.255.255.0

OpenVPN is installed and connected, I can ping through both interfaces, however OpenWrt software lists can't be refreshed, and the transmission admin page can't be accessed. I'm sure it has something to do with my firewall rules. I've searched around and most examples deal with multiple NICs and I couldn't adapt them for my application.

Below is my firewall config, any help would be much appreciated.

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option masq '1'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	list device 'tun0'

config zone
	option name 'PIA'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'VPN'

config rule
	option name 'Allow-DHCP-Renew'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'
	option src 'lan'

config rule
	option name 'Allow-Ping'
	option proto 'icmp'
	option family 'ipv4'
	option target 'ACCEPT'
	list icmp_type 'echo-request'
	option src 'lan'

config rule
	option name 'Allow-IGMP'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'
	option src 'lan'

config rule
	option name 'Allow-DHCPv6'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
	option src 'lan'
	list src_ip 'fc00::/6'
	list dest_ip 'fc00::/6'

config rule
	option name 'Allow-MLD'
	option proto 'icmp'
	option family 'ipv6'
	option target 'ACCEPT'
	option src 'lan'
	list src_ip 'fe80::/10'

config rule
	option name 'Allow-ICMPv6-Input'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	list icmp_type 'bad-header'
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'neighbour-advertisement'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'packet-too-big'
	list icmp_type 'router-advertisement'
	list icmp_type 'router-solicitation'
	list icmp_type 'time-exceeded'
	list icmp_type 'unknown-header-type'
	option src 'lan'

config rule
	option name 'Allow-ICMPv6-Forward'
	option dest '*'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	list icmp_type 'bad-header'
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'unknown-header-type'
	option src 'lan'

config rule
	option name 'Allow-IPSec-ESP'
	option proto 'esp'
	option target 'ACCEPT'
	option src 'lan'
	option dest 'PIA'

config rule
	option name 'Allow-ISAKMP'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option src 'lan'
	option dest 'PIA'

config rule
	option name 'Support-UDP-Traceroute'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'
	option src 'lan'
	option dest_port '33434-33689'

config include
	option path '/etc/firewall.user'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'PIA'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'PIA'

Remove masquerading from the lan zone.

Remove the tun0 device from the wan zone.

Add masquerading to the PIA zone. Also, importantly, set input and forward to REJECT (these are for security):

And remove these two forwarding rules:

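The zone changes the reply asks for, turned into a check. This is an added example, not code from the thread or from OpenWrt: it parses a UCI firewall config and reports which of the recommended settings (lan without masq, tun0 out of wan, the VPN zone with masq and REJECT for input/forward) are still missing. The zone and device names PIA and tun0 are taken from this thread; the sample config is constructed from the original post.

```python
# Added example (not from the thread): a lint for an OpenWrt UCI firewall
# config that flags the points raised in the reply above.
import re

def parse_uci(text):
    """Parse UCI text into [(section_type, {key: value or [values]})]."""
    sections = []
    for line in text.splitlines():
        # Handles the quoted form LuCI writes: option key 'value' / list key 'value'
        m = re.match(r"\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?", line)
        if not m:
            continue
        kw, key, val = m.groups()
        if kw == "config":
            sections.append((key, {}))
        elif kw == "option":
            sections[-1][1][key] = val
        else:  # 'list' keys may repeat, so collect them
            sections[-1][1].setdefault(key, []).append(val)
    return sections

def lint_vpn_client_firewall(text, vpn_zone="PIA", vpn_dev="tun0"):
    """Return findings; an empty list means the config follows the advice."""
    zones = {s.get("name"): s for t, s in parse_uci(text) if t == "zone"}
    lan, wan, vpn = (zones.get(n, {}) for n in ("lan", "wan", vpn_zone))
    findings = []
    if lan.get("masq") == "1":          # no NAT is needed toward the LAN
        findings.append("lan: remove masq")
    if vpn_dev in wan.get("device", []):
        findings.append(f"wan: move device {vpn_dev} to zone {vpn_zone}")
    if vpn.get("masq") != "1":          # NAT LAN sources onto the tunnel
        findings.append(f"{vpn_zone}: add masq '1'")
    for opt in ("input", "forward"):    # the tunnel is untrusted, like wan
        if vpn.get(opt) != "REJECT":
            findings.append(f"{vpn_zone}: set {opt} to REJECT")
    return findings

# Constructed sample: the three zones from the original post, trimmed.
BAD = """config zone
	option name 'lan'
	option masq '1'
config zone
	option name 'wan'
	list device 'tun0'
config zone
	option name 'PIA'
	option input 'ACCEPT'
	option forward 'ACCEPT'
"""
```

Running `lint_vpn_client_firewall(BAD)` against the posted zones returns all five findings; once each is applied it returns an empty list.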

Thanks for getting back to me, I made the recommended changes however, I'm still having trouble. This and transmission were working prior to installing OpenVPN.

Let me know if there are any configs that I can share to help figure out what's going on.

root@Nova:~# opkg update
Downloading https://downloads.openwrt.org/releases/21.02.1/targets/apm821xx/sata/packages/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.1/targets/apm821xx/sata/packages/Packages.gz

Downloading https://downloads.openwrt.org/releases/21.02.1/packages/powerpc_464fp/base/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.1/packages/powerpc_464fp/base/Packages.gz

Downloading https://downloads.openwrt.org/releases/21.02.1/packages/powerpc_464fp/luci/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.1/packages/powerpc_464fp/luci/Packages.gz

Downloading https://downloads.openwrt.org/releases/21.02.1/packages/powerpc_464fp/packages/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.1/packages/powerpc_464fp/packages/Packages.gz

Downloading https://downloads.openwrt.org/releases/21.02.1/packages/powerpc_464fp/routing/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.1/packages/powerpc_464fp/routing/Packages.gz

Downloading https://downloads.openwrt.org/releases/21.02.1/packages/powerpc_464fp/telephony/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.1/packages/powerpc_464fp/telephony/Packages.gz

Collected errors:
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.1/targets/apm821xx/sata/packages/Packages.gz, wget returned 5.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.1/packages/powerpc_464fp/base/Packages.gz, wget returned 5.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.1/packages/powerpc_464fp/luci/Packages.gz, wget returned 5.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.1/packages/powerpc_464fp/packages/Packages.gz, wget returned 5.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.1/packages/powerpc_464fp/routing/Packages.gz, wget returned 5.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.1/packages/powerpc_464fp/telephony/Packages.gz, wget returned 5.
root@Nova:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=59 time=9.004 ms
64 bytes from 8.8.8.8: seq=1 ttl=59 time=9.015 ms
64 bytes from 8.8.8.8: seq=2 ttl=59 time=8.745 ms
64 bytes from 8.8.8.8: seq=3 ttl=59 time=8.897 ms
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 8.745/8.915/9.015 ms

Here is my OpenVPN config

client
dev tun
proto udp
remote us-texas.privacy.network 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server

auth-user-pass /etc/openvpn/PIA.auth
compress
verb 1
reneg-sec 0
<crl-verify>

Could this be a port forwarding problem? Or more firewall? I'm having trouble understanding why this started happening after OpenVPN.