OpenVPN client stopped working

Hey Peeps,

I am new to using OpenWrt on a router with OpenVPN, and I am facing the following problem.

About 30 minutes ago, I installed OpenVPN (using this tutorial: https://openwrt.org/docs/guide-user/services/vpn/openvpn/client).

After 10 minutes I got it up and running. But after some time it stopped working and, to be honest, I do not know exactly why.

When OpenVPN isn't running on the router (after using the stop command), the internet works fine.

When I look at the logs, I can't find anything unusual:

root@OpenWrt:~# uci show firewall; echo && uci show network; echo && uci show openvpn; echo && logread -e openvpn
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd4f:4461:9fde::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.gateway='192.168.0.1'
network.lan_dev=device
network.lan_dev.name='eth0.1'
network.lan_dev.macaddr='54:36:9b:2c:2a:76'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='dhcp'
network.wan_dev=device
network.wan_dev.name='eth0.2'
network.wan_dev.macaddr='54:36:9b:2c:2a:77'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='0 1 2 3 6t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='4 6t'
network.vpnclient=interface
network.vpnclient.ifname='tun0'
network.vpnclient.proto='none'
network.vpnclient.auto='1'

openvpn.custom_config=openvpn
openvpn.custom_config.config='/etc/openvpn/my-vpn.conf'
openvpn.sample_server=openvpn
openvpn.sample_server.port='1194'
openvpn.sample_server.proto='udp'
openvpn.sample_server.dev='tun'
openvpn.sample_server.ca='/etc/openvpn/ca.crt'
openvpn.sample_server.cert='/etc/openvpn/server.crt'
openvpn.sample_server.key='/etc/openvpn/server.key'
openvpn.sample_server.dh='/etc/openvpn/dh1024.pem'
openvpn.sample_server.server='10.8.0.0 255.255.255.0'
openvpn.sample_server.ifconfig_pool_persist='/tmp/ipp.txt'
openvpn.sample_server.keepalive='10 120'
openvpn.sample_server.compress='lzo'
openvpn.sample_server.persist_key='1'
openvpn.sample_server.persist_tun='1'
openvpn.sample_server.user='nobody'
openvpn.sample_server.status='/tmp/openvpn-status.log'
openvpn.sample_server.verb='3'
openvpn.sample_client=openvpn
openvpn.sample_client.client='1'
openvpn.sample_client.dev='tun'
openvpn.sample_client.proto='udp'
openvpn.sample_client.remote='my_server_1 1194'
openvpn.sample_client.resolv_retry='infinite'
openvpn.sample_client.nobind='1'
openvpn.sample_client.persist_key='1'
openvpn.sample_client.persist_tun='1'
openvpn.sample_client.user='nobody'
openvpn.sample_client.ca='/etc/openvpn/ca.crt'
openvpn.sample_client.cert='/etc/openvpn/client.crt'
openvpn.sample_client.key='/etc/openvpn/client.key'
openvpn.sample_client.compress='lzo'
openvpn.sample_client.verb='3'
openvpn.vpnclient=openvpn
openvpn.vpnclient.enabled='1'
openvpn.vpnclient.config='/etc/openvpn/client.ovpn'
openvpn.vpnclient.verb='7'
openvpn.vpnclient.proto='tcp'

Thu Jan 31 20:58:30 2019 daemon.warn openvpn(vpnclient)[1062]: Unrecognized option or missing or extra parameter(s) in /etc/openvpn/client.ovpn:14: block-outside-dns (2.4.5)
Thu Jan 31 20:58:30 2019 daemon.notice openvpn(vpnclient)[1062]: OpenVPN 2.4.5 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Jan 31 20:58:30 2019 daemon.notice openvpn(vpnclient)[1062]: library versions: OpenSSL 1.0.2q  20 Nov 2018, LZO 2.10
Thu Jan 31 20:58:31 2019 daemon.notice openvpn(vpnclient)[1062]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Jan 31 20:58:31 2019 daemon.notice openvpn(vpnclient)[1062]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Jan 31 20:58:31 2019 daemon.notice openvpn(vpnclient)[1062]: TCP/UDP: Preserving recently used remote address: [AF_INET]217.xx.xx.xx:1194
Thu Jan 31 20:58:31 2019 daemon.notice openvpn(vpnclient)[1062]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Thu Jan 31 20:58:31 2019 daemon.notice openvpn(vpnclient)[1062]: UDP link local: (not bound)
Thu Jan 31 20:58:31 2019 daemon.notice openvpn(vpnclient)[1062]: UDP link remote: [AF_INET]217.xx.xx.xx:1194
Thu Jan 31 20:58:31 2019 daemon.notice openvpn(vpnclient)[1062]: TLS: Initial packet from [AF_INET]217.xx.xx.xx:1194, sid=ac0c9307 df27dd2a
Thu Jan 31 20:58:31 2019 daemon.notice openvpn(vpnclient)[1062]: VERIFY OK: depth=1, CN=ChangeMe
Thu Jan 31 20:58:31 2019 daemon.notice openvpn(vpnclient)[1062]: VERIFY KU OK
Thu Jan 31 20:58:31 2019 daemon.notice openvpn(vpnclient)[1062]: Validating certificate extended key usage
Thu Jan 31 20:58:31 2019 daemon.notice openvpn(vpnclient)[1062]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Jan 31 20:58:31 2019 daemon.notice openvpn(vpnclient)[1062]: VERIFY EKU OK
Thu Jan 31 20:58:31 2019 daemon.notice openvpn(vpnclient)[1062]: VERIFY OK: depth=0, CN=server
Thu Jan 31 20:58:33 2019 daemon.notice openvpn(vpnclient)[1062]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu Jan 31 20:58:33 2019 daemon.notice openvpn(vpnclient)[1062]: [server] Peer Connection Initiated with [AF_INET]217.xx.xx.xx:1194
Thu Jan 31 20:58:34 2019 daemon.notice openvpn(vpnclient)[1062]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Jan 31 20:58:34 2019 daemon.notice openvpn(vpnclient)[1062]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 108.61.10.10,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Thu Jan 31 20:58:34 2019 daemon.notice openvpn(vpnclient)[1062]: OPTIONS IMPORT: timers and/or timeouts modified
Thu Jan 31 20:58:34 2019 daemon.notice openvpn(vpnclient)[1062]: OPTIONS IMPORT: --ifconfig/up options modified
Thu Jan 31 20:58:34 2019 daemon.notice openvpn(vpnclient)[1062]: OPTIONS IMPORT: route options modified
Thu Jan 31 20:58:34 2019 daemon.notice openvpn(vpnclient)[1062]: OPTIONS IMPORT: route-related options modified
Thu Jan 31 20:58:34 2019 daemon.notice openvpn(vpnclient)[1062]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Jan 31 20:58:34 2019 daemon.notice openvpn(vpnclient)[1062]: OPTIONS IMPORT: peer-id set
Thu Jan 31 20:58:34 2019 daemon.notice openvpn(vpnclient)[1062]: OPTIONS IMPORT: adjusting link_mtu to 1624
Thu Jan 31 20:58:34 2019 daemon.notice openvpn(vpnclient)[1062]: OPTIONS IMPORT: data channel crypto options modified
Thu Jan 31 20:58:34 2019 daemon.notice openvpn(vpnclient)[1062]: Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Jan 31 20:58:34 2019 daemon.notice openvpn(vpnclient)[1062]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jan 31 20:58:34 2019 daemon.notice openvpn(vpnclient)[1062]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jan 31 20:58:34 2019 daemon.notice openvpn(vpnclient)[1062]: TUN/TAP device tun0 opened
Thu Jan 31 20:58:34 2019 daemon.notice openvpn(vpnclient)[1062]: TUN/TAP TX queue length set to 100
Thu Jan 31 20:58:34 2019 daemon.notice openvpn(vpnclient)[1062]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Jan 31 20:58:34 2019 daemon.notice openvpn(vpnclient)[1062]: /sbin/ifconfig tun0 10.8.0.2 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Thu Jan 31 20:58:34 2019 daemon.notice openvpn(vpnclient)[1062]: /sbin/route add -net 217.xx.xx.xx netmask 255.255.255.255 gw 192.168.0.1
Thu Jan 31 20:58:34 2019 daemon.notice openvpn(vpnclient)[1062]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
Thu Jan 31 20:58:34 2019 daemon.notice openvpn(vpnclient)[1062]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
Thu Jan 31 20:58:34 2019 daemon.warn openvpn(vpnclient)[1062]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Jan 31 20:58:34 2019 daemon.notice openvpn(vpnclient)[1062]: Initialization Sequence Completed
Thu Jan 31 21:04:19 2019 daemon.err openvpn(vpnclient)[1062]: event_wait : Interrupted system call (code=4)
Thu Jan 31 21:04:19 2019 daemon.notice openvpn(vpnclient)[1062]: /sbin/route del -net 217.xx.xx.xx netmask 255.255.255.255
Thu Jan 31 21:04:19 2019 daemon.notice openvpn(vpnclient)[1062]: /sbin/route del -net 0.0.0.0 netmask 128.0.0.0
Thu Jan 31 21:04:19 2019 daemon.warn openvpn(vpnclient)[1062]: ERROR: Linux route delete command failed: external program exited with error status: 1
Thu Jan 31 21:04:19 2019 daemon.notice openvpn(vpnclient)[1062]: /sbin/route del -net 128.0.0.0 netmask 128.0.0.0
Thu Jan 31 21:04:19 2019 daemon.warn openvpn(vpnclient)[1062]: ERROR: Linux route delete command failed: external program exited with error status: 1
Thu Jan 31 21:04:19 2019 daemon.notice openvpn(vpnclient)[1062]: Closing TUN/TAP interface
Thu Jan 31 21:04:19 2019 daemon.notice openvpn(vpnclient)[1062]: /sbin/ifconfig tun0 0.0.0.0
Thu Jan 31 21:04:19 2019 daemon.notice openvpn(vpnclient)[1062]: SIGTERM[hard,] received, process exiting
Thu Jan 31 21:04:19 2019 daemon.warn openvpn(vpnclient)[2269]: Unrecognized option or missing or extra parameter(s) in /etc/openvpn/client.ovpn:14: block-outside-dns (2.4.5)
Thu Jan 31 21:04:19 2019 daemon.notice openvpn(vpnclient)[2269]: OpenVPN 2.4.5 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Jan 31 21:04:19 2019 daemon.notice openvpn(vpnclient)[2269]: library versions: OpenSSL 1.0.2q  20 Nov 2018, LZO 2.10
Thu Jan 31 21:04:19 2019 daemon.notice openvpn(vpnclient)[2269]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Jan 31 21:04:19 2019 daemon.notice openvpn(vpnclient)[2269]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Jan 31 21:04:19 2019 daemon.notice openvpn(vpnclient)[2269]: TCP/UDP: Preserving recently used remote address: [AF_INET]217.xx.xx.xx:1194
Thu Jan 31 21:04:19 2019 daemon.notice openvpn(vpnclient)[2269]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Thu Jan 31 21:04:19 2019 daemon.notice openvpn(vpnclient)[2269]: UDP link local: (not bound)
Thu Jan 31 21:04:19 2019 daemon.notice openvpn(vpnclient)[2269]: UDP link remote: [AF_INET]217.xx.xx.xx:1194
Thu Jan 31 21:04:19 2019 daemon.notice openvpn(vpnclient)[2269]: TLS: Initial packet from [AF_INET]217.xx.xx.xx:1194, sid=ec11cfe6 26dc183c
Thu Jan 31 21:04:19 2019 daemon.notice openvpn(vpnclient)[2269]: VERIFY OK: depth=1, CN=ChangeMe
Thu Jan 31 21:04:19 2019 daemon.notice openvpn(vpnclient)[2269]: VERIFY KU OK
Thu Jan 31 21:04:19 2019 daemon.notice openvpn(vpnclient)[2269]: Validating certificate extended key usage
Thu Jan 31 21:04:19 2019 daemon.notice openvpn(vpnclient)[2269]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Jan 31 21:04:19 2019 daemon.notice openvpn(vpnclient)[2269]: VERIFY EKU OK
Thu Jan 31 21:04:19 2019 daemon.notice openvpn(vpnclient)[2269]: VERIFY OK: depth=0, CN=server
Thu Jan 31 21:04:20 2019 daemon.notice openvpn(vpnclient)[2269]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu Jan 31 21:04:20 2019 daemon.notice openvpn(vpnclient)[2269]: [server] Peer Connection Initiated with [AF_INET]217.xx.xx.xx:1194
Thu Jan 31 21:04:21 2019 daemon.notice openvpn(vpnclient)[2269]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Jan 31 21:04:21 2019 daemon.notice openvpn(vpnclient)[2269]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 108.61.10.10,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 1,cipher AES-256-GCM'
Thu Jan 31 21:04:21 2019 daemon.notice openvpn(vpnclient)[2269]: OPTIONS IMPORT: timers and/or timeouts modified
Thu Jan 31 21:04:21 2019 daemon.notice openvpn(vpnclient)[2269]: OPTIONS IMPORT: --ifconfig/up options modified
Thu Jan 31 21:04:21 2019 daemon.notice openvpn(vpnclient)[2269]: OPTIONS IMPORT: route options modified
Thu Jan 31 21:04:21 2019 daemon.notice openvpn(vpnclient)[2269]: OPTIONS IMPORT: route-related options modified
Thu Jan 31 21:04:21 2019 daemon.notice openvpn(vpnclient)[2269]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Jan 31 21:04:21 2019 daemon.notice openvpn(vpnclient)[2269]: OPTIONS IMPORT: peer-id set
Thu Jan 31 21:04:21 2019 daemon.notice openvpn(vpnclient)[2269]: OPTIONS IMPORT: adjusting link_mtu to 1624
Thu Jan 31 21:04:21 2019 daemon.notice openvpn(vpnclient)[2269]: OPTIONS IMPORT: data channel crypto options modified
Thu Jan 31 21:04:21 2019 daemon.notice openvpn(vpnclient)[2269]: Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Jan 31 21:04:21 2019 daemon.notice openvpn(vpnclient)[2269]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jan 31 21:04:21 2019 daemon.notice openvpn(vpnclient)[2269]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jan 31 21:04:21 2019 daemon.notice openvpn(vpnclient)[2269]: TUN/TAP device tun0 opened
Thu Jan 31 21:04:21 2019 daemon.notice openvpn(vpnclient)[2269]: TUN/TAP TX queue length set to 100
Thu Jan 31 21:04:21 2019 daemon.notice openvpn(vpnclient)[2269]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Jan 31 21:04:21 2019 daemon.notice openvpn(vpnclient)[2269]: /sbin/ifconfig tun0 10.8.0.2 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Thu Jan 31 21:04:21 2019 daemon.notice openvpn(vpnclient)[2269]: /sbin/route add -net 217.xx.xx.xx netmask 255.255.255.255 gw 192.168.0.1
Thu Jan 31 21:04:21 2019 daemon.notice openvpn(vpnclient)[2269]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
Thu Jan 31 21:04:21 2019 daemon.notice openvpn(vpnclient)[2269]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
Thu Jan 31 21:04:21 2019 daemon.warn openvpn(vpnclient)[2269]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Jan 31 21:04:21 2019 daemon.notice openvpn(vpnclient)[2269]: Initialization Sequence Completed


From the router itself I can ping Google.

I plugged the cable into the WAN port.

53-min

I have tested using a LAN cable, and it isn't a Wi-Fi problem :slight_smile:

When I run ip route, I get this back:

0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.0.1 dev eth0.2  src 192.168.0.9
10.8.0.0/24 dev tun0 scope link  src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.0.0/16 dev eth0.2 scope link  src 192.168.0.9
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
217.69.5.212 via 192.168.0.1 dev eth0.2

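Repeat the firewall setup section of the tutorial. In your `uci show firewall` output the wan zone only lists 'wan wan6', so the VPN interface (vpnclient / tun0) is not in any firewall zone, and traffic forwarded from lan to the tunnel falls through to the default forward policy (REJECT).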