Openvpn connection blocks SSH access from WAN port

Hi everyone,

I'm coming back to openwrt after a few (something like 10) years, and I'm amazed by all the changes, especially the uci config interface and the number of packages available.

I want to access the router's SSH remotely from an openvpn client connection. This is what happens:

  • Before the openvpn connection is established, I can access the SSH server fine both through the LAN & WAN ports (on the LAN & WAN IPs)
  • Once the OpenVPN client connection is open, I can still access it from the LAN port but not the WAN one
  • Once the OpenVPN client connection is closed (because I stop openvpn or I close it on the server side), SSH becomes accessible again

I enabled the logging of rejected packets but couldn't find anything valuable.

Here is my config, I can add any info that might be missing:

# cat /proc/cpuinfo |grep machine
machine			: GL.iNet GL-AR300M (NOR)
# uci export firewall
package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option log '1'

config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option log '1'

config zone 'vpn'
	option name 'vpn'
	list network 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun0'
	option log '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'opennds'
	option type 'script'
	option path '/usr/lib/opennds/restart.sh'

config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'tcp'
	option dest_port '22'
# uci export dropbear
package dropbear

config dropbear
	option PasswordAuth 'on'
	option Port '22'
# ifconfig
br-lan    Link encap:Ethernet  HWaddr 94:83:C4:26:FF:10
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fd57:8184:6709::1/60 Scope:Global
          inet6 addr: fe80::9683:c4ff:fe26:ff10/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:178673 errors:0 dropped:0 overruns:0 frame:0
          TX packets:222689 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:46268254 (44.1 MiB)  TX bytes:219509655 (209.3 MiB)

eth0      Link encap:Ethernet  HWaddr 94:83:C4:26:FF:10
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4154 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:588895 (575.0 KiB)
          Interrupt:5

eth1      Link encap:Ethernet  HWaddr 94:83:C4:26:FF:0F
          inet addr:192.168.1.3  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::9683:c4ff:fe26:ff0f/64 Scope:Link
          inet6 addr: 2a01:e0a:c03:240:9683:c4ff:fe26:ff0f/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:321891 errors:0 dropped:0 overruns:0 frame:0
          TX packets:171695 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:276553998 (263.7 MiB)  TX bytes:49276688 (46.9 MiB)
          Interrupt:4

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:11048 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11048 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:778898 (760.6 KiB)  TX bytes:778898 (760.6 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.27.67  P-t-P:212.27.38.253  Mask:255.255.255.255
          inet6 addr: fe80::cab8:e322:8a3f:8888/64 Scope:Link
          inet6 addr: 2a01:e0a:c03:248::10/124 Scope:Global
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:3 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:403 (403.0 B)  TX bytes:649 (649.0 B)

wlan0     Link encap:Ethernet  HWaddr 94:83:C4:26:FF:0F
          inet6 addr: fe80::9683:c4ff:fe26:ff0f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:178677 errors:0 dropped:0 overruns:0 frame:0
          TX packets:221560 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:48770435 (46.5 MiB)  TX bytes:220805593 (210.5 MiB)
# logread -f -e openv
Mon Mar  6 09:47:26 2023 daemon.warn openvpn(client)[11364]: Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
Mon Mar  6 09:47:26 2023 daemon.warn openvpn(client)[11364]: DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
Mon Mar  6 09:47:26 2023 daemon.notice openvpn(client)[11364]: OpenVPN 2.5.7 mips-openwrt-linux-gnu [SSL (mbed TLS)] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Mar  6 09:47:26 2023 daemon.notice openvpn(client)[11364]: library versions: mbed TLS 2.28.2
Mon Mar  6 09:47:26 2023 daemon.warn openvpn(client)[11364]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Mar  6 09:47:26 2023 daemon.notice openvpn(client)[11364]: UDP link local: (not bound)
Mon Mar  6 09:47:26 2023 daemon.notice openvpn(client)[11364]: UDP link remote: [AF_INET]82.66.165.49:5709
Mon Mar  6 09:47:27 2023 daemon.notice openvpn(client)[11364]: [Freebox OpenVPN server 29c1037b27983188fc883af1e5c6ce7a] Peer Connection Initiated with [AF_INET]82.66.165.49:5709
Mon Mar  6 09:47:28 2023 daemon.notice openvpn(client)[11364]: TUN/TAP device tun0 opened
Mon Mar  6 09:47:28 2023 daemon.notice openvpn(client)[11364]: net_iface_mtu_set: mtu 1500 for tun0
Mon Mar  6 09:47:28 2023 daemon.notice openvpn(client)[11364]: net_iface_up: set tun0 up
Mon Mar  6 09:47:28 2023 daemon.notice openvpn(client)[11364]: net_addr_ptp_v4_add: 192.168.27.67 peer 212.27.38.253 dev tun0
Mon Mar  6 09:47:28 2023 daemon.notice openvpn(client)[11364]: net_iface_mtu_set: mtu 1500 for tun0
Mon Mar  6 09:47:28 2023 daemon.notice openvpn(client)[11364]: net_iface_up: set tun0 up
Mon Mar  6 09:47:28 2023 daemon.notice openvpn(client)[11364]: net_addr_v6_add: 2a01:e0a:c03:248::10/124 dev tun0
Mon Mar  6 09:47:28 2023 daemon.notice openvpn(client)[11364]: /usr/libexec/openvpn-hotplug up client tun0 1500 1556 192.168.27.67 212.27.38.253 init
Mon Mar  6 09:47:28 2023 daemon.warn openvpn(client)[11364]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Mar  6 09:47:28 2023 daemon.notice openvpn(client)[11364]: Initialization Sequence Completed

Just in case you see something suspicious:

#  ps
  PID USER       VSZ STAT COMMAND
    1 root      1672 S    /sbin/procd
    2 root         0 SW   [kthreadd]
    6 root         0 IW<  [mm_percpu_wq]
    7 root         0 SW   [rcu_tasks_trace]
    8 root         0 SW   [ksoftirqd/0]
    9 root         0 IW<  [netns]
  108 root         0 SW   [oom_reaper]
  109 root         0 IW   [kworker/0:1-eve]
  123 root         0 IW<  [writeback]
  125 root         0 SW   [kcompactd0]
  146 root         0 IW<  [kblockd]
  147 root         0 IW<  [blkcg_punt_bio]
  148 root         0 SW   [watchdogd]
  178 root         0 SW   [kswapd0]
  180 root         0 IW<  [kthrotld]
  220 root         0 SW   [spi0]
  316 root         0 IW<  [ipv6_addrconf]
  329 root         0 IW<  [kworker/0:1H-kb]
  342 root         0 SW   [irq/14-keys]
  343 root         0 SW   [irq/15-keys]
  344 root         0 SW   [irq/16-keys]
  449 root         0 SWN  [jffs2_gcd_mtd5]
  511 ubus      1332 S    /sbin/ubusd
  512 root       996 S    /sbin/askfirst /usr/libexec/login.sh
  547 root      1108 S    /sbin/urngd
  686 root         0 IW<  [cfg80211]
  771 root         0 IW<  [kworker/0:2H]
  880 logd      1340 S    /sbin/logd -S 64
  934 root      2124 S    /sbin/rpcd -s /var/run/ubus/ubus.sock -t 30
 1468 root      1208 S    /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p 22 -K 300 -T 3
 1662 root      2656 S    {hostapd} /sbin/ujail -t 5 -n hostapd -U network -G network -C /etc/capabilities/wpad.json -c -- /usr/sbin/hostapd -s -g /var/run/hostapd/global
 1663 root      2656 S    {wpa_supplicant} /sbin/ujail -t 5 -n wpa_supplicant -U network -G network -C /etc/capabilities/wpad.json -c -- /usr/sbin/wpa_supplicant -n -s -g /var/run/wpa_supplicant/glob
 1666 network   4436 S    /usr/sbin/wpa_supplicant -n -s -g /var/run/wpa_supplicant/global
 1667 network   4492 S    /usr/sbin/hostapd -s -g /var/run/hostapd/global
 1734 root      1816 S    /sbin/netifd
 1798 root      1544 S    /usr/sbin/odhcpd
 1925 root      4144 S    /usr/sbin/uhttpd -f -h /www -r OpenWrt -x /cgi-bin -u /ubus -t 60 -T 30 -k 20 -A 1 -n 3 -N 100 -R -p 0.0.0.0:8080 -p [::]:8080 -C /etc/uhttpd.crt -K /etc/uhttpd.key -s 0.0.0
 2290 root         0 IW   [kworker/u2:0-ev]
 2444 root      2656 S    {ntpd} /sbin/ujail -t 5 -n ntpd -U ntp -G ntp -C /etc/capabilities/ntpd.json -c -u -r /bin/ubus -r /usr/bin/env -r /usr/bin/jshn -r /usr/sbin/ntpd-hotplug -r /usr/share/libu
 2495 ntp       1308 S    /usr/sbin/ntpd -n -N -S /usr/sbin/ntpd-hotplug -p 0.openwrt.pool.ntp.org -p 1.openwrt.pool.ntp.org -p 2.openwrt.pool.ntp.org -p 3.openwrt.pool.ntp.org
 2651 root      1308 S    udhcpc -p /var/run/udhcpc-eth1.pid -s /lib/netifd/dhcp.script -f -t 0 -i eth1 -x hostname:OpenWrt -C -R -O 121
 2655 root      1124 S    odhcp6c -s /lib/netifd/dhcpv6.script -P0 -t120 eth1
 5519 root      1228 S    /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p 22 -K 300 -T 3 -2 9
 5520 root      1312 S    -ash
 6076 root         0 IW   [kworker/u2:1-ev]
 6312 root      1744 S    /usr/bin/opennds -c /tmp/etc/opennds_cfg01995c.conf -f -s
 6898 root      2656 S    {dnsmasq} /sbin/ujail -t 5 -n dnsmasq -u -l -r /bin/ubus -r /etc/TZ -r /etc/dnsmasq.conf -r /etc/ethers -r /etc/group -r /etc/hosts -r /etc/passwd -w /tmp/dhcp.leases -r /tm
 6906 dnsmasq   3024 S    /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/dnsmasq.cfg01411c.pid
 8291 root         0 IW   [kworker/0:0-eve]
11364 root      2280 S    /usr/sbin/openvpn --syslog openvpn(client) --status /var/run/openvpn.client.status --cd /etc/openvpn --config /etc/openvpn/client.conf --up /usr/libexec/openvpn-hotplug up c
# opkg list-installed
base-files - 1498-r20028-43d71ad93e
busybox - 1.35.0-5
ca-bundle - 20211016-1
cgi-io - 2022-08-10-901b0f04-21
dnsmasq-full - 2.86-15
dropbear - 2022.82-2
firewall4 - 2022-10-18-7ae5e14b-1
fstools - 2022-06-02-93369be0-2
fwtool - 2019-11-12-8f7fe925-1
getrandom - 2021-08-03-205defb5-2
hostapd-common - 2022-01-16-cff80b4f-15.2
ipset - 7.15-2
iptables-nft - 1.8.7-7
iw - 5.16-1
iwinfo - 2022-12-15-8d158096-1
jansson4 - 2.13.1-2
jshn - 2022-05-15-d2223ef9-1
jsonfilter - 2018-02-04-c7e938d6-1
kernel - 5.10.161-1-9d271b860b5d8e89f9abd47f0ee26886
kmod-ath - 5.10.161+5.15.81-1-1
kmod-ath9k - 5.10.161+5.15.81-1-1
kmod-ath9k-common - 5.10.161+5.15.81-1-1
kmod-cfg80211 - 5.10.161+5.15.81-1-1
kmod-crypto-aead - 5.10.161-1
kmod-crypto-ccm - 5.10.161-1
kmod-crypto-cmac - 5.10.161-1
kmod-crypto-crc32c - 5.10.161-1
kmod-crypto-ctr - 5.10.161-1
kmod-crypto-gcm - 5.10.161-1
kmod-crypto-gf128 - 5.10.161-1
kmod-crypto-ghash - 5.10.161-1
kmod-crypto-hash - 5.10.161-1
kmod-crypto-hmac - 5.10.161-1
kmod-crypto-manager - 5.10.161-1
kmod-crypto-null - 5.10.161-1
kmod-crypto-rng - 5.10.161-1
kmod-crypto-seqiv - 5.10.161-1
kmod-crypto-sha256 - 5.10.161-1
kmod-gpio-button-hotplug - 5.10.161-3
kmod-ipt-conntrack - 5.10.161-1
kmod-ipt-core - 5.10.161-1
kmod-ipt-ipset - 5.10.161-1
kmod-ipt-nat - 5.10.161-1
kmod-lib-crc-ccitt - 5.10.161-1
kmod-lib-crc32c - 5.10.161-1
kmod-mac80211 - 5.10.161+5.15.81-1-1
kmod-nf-conntrack - 5.10.161-1
kmod-nf-conntrack-netlink - 5.10.161-1
kmod-nf-conntrack6 - 5.10.161-1
kmod-nf-flow - 5.10.161-1
kmod-nf-ipt - 5.10.161-1
kmod-nf-log - 5.10.161-1
kmod-nf-log6 - 5.10.161-1
kmod-nf-nat - 5.10.161-1
kmod-nf-reject - 5.10.161-1
kmod-nf-reject6 - 5.10.161-1
kmod-nfnetlink - 5.10.161-1
kmod-nft-compat - 5.10.161-1
kmod-nft-core - 5.10.161-1
kmod-nft-fib - 5.10.161-1
kmod-nft-nat - 5.10.161-1
kmod-nft-offload - 5.10.161-1
kmod-nls-base - 5.10.161-1
kmod-phy-ath79-usb - 5.10.161-1
kmod-ppp - 5.10.161-1
kmod-pppoe - 5.10.161-1
kmod-pppox - 5.10.161-1
kmod-slhc - 5.10.161-1
kmod-tun - 5.10.161-1
kmod-usb-core - 5.10.161-1
kmod-usb-ehci - 5.10.161-1
kmod-usb-printer - 5.10.161-1
kmod-usb2 - 5.10.161-1
libblobmsg-json20220515 - 2022-05-15-d2223ef9-1
libc - 1.2.3-4
libevdev - 1.13.0-1
libgcc1 - 11.2.0-4
libgmp10 - 6.2.1-1
libipset13 - 7.15-2
libiptext-nft0 - 1.8.7-7
libiptext0 - 1.8.7-7
libiptext6-0 - 1.8.7-7
libiwinfo-data - 2022-12-15-8d158096-1
libiwinfo-lua - 2022-12-15-8d158096-1
libiwinfo20210430 - 2022-12-15-8d158096-1
libjson-c5 - 0.15-2
libjson-script20220515 - 2022-05-15-d2223ef9-1
liblua5.1.5 - 5.1.5-10
liblucihttp-lua - 2022-07-08-6e68a106-1
liblucihttp0 - 2022-07-08-6e68a106-1
libmbedtls12 - 2.28.2-1
libmicrohttpd-no-ssl - 0.9.75-1
libmnl0 - 1.0.5-1
libnetfilter-conntrack3 - 1.0.9-2
libnettle8 - 3.7.3-2
libnfnetlink0 - 1.0.2-1
libnftnl11 - 1.2.1-2
libnl-tiny1 - 2021-11-21-8e0555fb-1
libpthread - 1.2.3-4
librt - 1.2.3-4
libubox20220515 - 2022-05-15-d2223ef9-1
libubus-lua - 2022-06-01-2bebf93c-1
libubus20220601 - 2022-06-01-2bebf93c-1
libuci20130104 - 2021-10-22-f84f49f0-6
libuclient20201210 - 2021-05-14-6a6011df-1
libucode20220812 - 2022-12-02-46d93c9c-1
libudev-zero - 1.0.1-1
libusb-1.0-0 - 1.0.24-5
libustream-wolfssl20201210 - 2022-12-08-9217ab46-2
libwolfssl5.5.4.ee39414e - 5.5.4-stable-1
libxtables12 - 1.8.7-7
logd - 2021-08-03-205defb5-2
lua - 5.1.5-10
luci - git-20.074.84698-ead5e81
luci-app-firewall - git-22.089.67563-7e3c1b4
luci-app-opkg - git-22.273.29004-9f6876b
luci-base - git-22.361.69894-438c598
luci-lib-base - git-20.232.39649-1f6dc29
luci-lib-ip - git-20.250.76529-62505bd
luci-lib-jsonc - git-22.097.61921-7513345
luci-lib-nixio - git-20.234.06894-c4a4e43
luci-mod-admin-full - git-19.253.48496-3f93650
luci-mod-network - git-22.345.48602-4853e7b
luci-mod-status - git-22.302.42268-2878b35
luci-mod-system - git-22.339.34970-004e47c
luci-proto-ipv6 - git-21.148.48881-79947af
luci-proto-ppp - git-21.158.38888-88b9d84
luci-ssl - git-20.244.36115-e10f954
luci-theme-bootstrap - git-22.288.45147-96ec0cd
mtd - 26
netifd - 2022-08-25-76d2d41b-1
nftables-json - 1.0.2-2.1
odhcp6c - 2022-08-05-7d21e8d8-18
odhcpd-ipv6only - 2023-01-02-4a673e1c-2
opennds - 9.10.0-1
openvpn-mbedtls - 2.5.7-3
openwrt-keyring - 2022-03-25-62471e69-3
opkg - 2022-02-24-d038e5b6-1
ppp - 2.4.9.git-2021-01-04-3
ppp-mod-pppoe - 2.4.9.git-2021-01-04-3
procd - 2022-06-01-7a009685-2
procd-seccomp - 2022-06-01-7a009685-2
procd-ujail - 2022-06-01-7a009685-2
px5g-wolfssl - 6.2
rpcd - 2022-12-15-7de4820c-1
rpcd-mod-file - 2022-12-15-7de4820c-1
rpcd-mod-iwinfo - 2022-12-15-7de4820c-1
rpcd-mod-luci - 20210614
rpcd-mod-rrdns - 20170710
swconfig - 12
ubi-utils - 2.1.4-1
uboot-envtools - 2022.01-36
ubox - 2021-08-03-205defb5-2
ubus - 2022-06-01-2bebf93c-1
ubusd - 2022-06-01-2bebf93c-1
uci - 2021-10-22-f84f49f0-6
uclient-fetch - 2021-05-14-6a6011df-1
ucode - 2022-12-02-46d93c9c-1
ucode-mod-fs - 2022-12-02-46d93c9c-1
ucode-mod-ubus - 2022-12-02-46d93c9c-1
ucode-mod-uci - 2022-12-02-46d93c9c-1
uhttpd - 2022-10-31-23977554-1
uhttpd-mod-ubus - 2022-10-31-23977554-1
urandom-seed - 3
urngd - 2020-01-21-c7f7b6b6-1
usbutils - 014-1
usign - 2020-05-23-f1f65026-1
wireless-regdb - 2022.08.12-1
wpad-basic-wolfssl - 2022-01-16-cff80b4f-15.2
xtables-nft - 1.8.7-7
xxd - 8.2-5

I suppose that the openvpn tunnel is installing its own default route on the router and all packets are routed over it. So when you try to connect to wan, the responses are sent to openvpn causing invalid packets to be dropped due to asymmetric routing.

2 Likes

Hi @trendy, thank you very much for your answer.

In the OpenVPN config I didn't set redirect-gateway, so that it doesn't change the default route. So it's not exactly that, but it did change the gateway for a route and I'm not sure why:

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.254   0.0.0.0         UG    0      0        0 eth1
192.168.1.0     freeplayer.free 255.255.255.0   UG    0      0        0 tun0
192.168.2.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.27.64   freeplayer.free 255.255.255.224 UG    0      0        0 tun0
212.27.38.253   *               255.255.255.255 UH    0      0        0 tun0

The 192.168.1.0/255.255.255.0 network should be routed through the eth1 interface instead of tun0. I'm not sure why the routing table was changed since tun0 is on an entirely different network (192.168.27.64/255.255.255.224).

I will look into it. My guess is that this route is pushed by the OpenVPN server and it conflicts with the WAN addresses (which is not an actual WAN in this case).

So I tested changing the OpenVPN config to:

route-nopull
route 192.168.27.64 255.255.255.224 212.27.38.253
# redirect-gateway

And this solved it! I can now access my router from the VPN.

Thank you very much!

3 Likes
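A small check for the situation shown in the routing table above, added here as an example and not part of the thread: for every interface address it computes the directly-connected subnet and reports any routing-table entry for that same subnet that leaves via a different interface (here, 192.168.1.0/24 pulled onto tun0 while eth1 holds 192.168.1.3/24). The ADDRS and ROUTES tables are constructed from the values posted above; the column layout follows the Destination, Gateway, Genmask, Iface columns of the route output.

```shell
#!/bin/sh
# Constructed sample input, modelled on the thread: interface, address, netmask.
ADDRS='eth1 192.168.1.3 255.255.255.0
br-lan 192.168.2.1 255.255.255.0
tun0 192.168.27.67 255.255.255.255'

# Constructed routing table: destination, gateway, genmask, iface
# (the second row is the route the VPN server pushed onto tun0).
ROUTES='0.0.0.0 192.168.1.254 0.0.0.0 eth1
192.168.1.0 212.27.38.253 255.255.255.0 tun0
192.168.2.0 0.0.0.0 255.255.255.0 br-lan
192.168.27.64 212.27.38.253 255.255.255.224 tun0
212.27.38.253 0.0.0.0 255.255.255.255 tun0'

# network_of ADDR MASK -> prints the network address as a dotted quad.
# Per octet: network = addr - (addr mod (256 - mask)), valid for contiguous masks.
network_of() {
  echo "$1 $2" | awk '{
    split($1, a, "."); split($2, m, ".")
    for (i = 1; i <= 4; i++) { b = 256 - m[i]; n[i] = a[i] - (a[i] % b) }
    printf "%d.%d.%d.%d\n", n[1], n[2], n[3], n[4]
  }'
}

# shadowed_routes ADDRS ROUTES -> one line per interface subnet that the
# routing table sends out of another interface: "IFACE NET MASK VIA_IFACE".
# Such a route makes replies to that subnet leave via the wrong interface,
# which is the asymmetric-routing symptom discussed in the thread.
shadowed_routes() {
  printf '%s\n' "$1" | while read -r ifc addr mask; do
    [ -n "$ifc" ] || continue
    net=$(network_of "$addr" "$mask")
    printf '%s\n' "$2" | while read -r dst gw gmask rifc; do
      if [ "$dst" = "$net" ] && [ "$gmask" = "$mask" ] && [ "$rifc" != "$ifc" ]; then
        echo "$ifc $net $mask $rifc"
      fi
    done
  done
}

shadowed_routes "$ADDRS" "$ROUTES"
```

An empty result means no connected subnet is being routed through another interface; a line such as `eth1 192.168.1.0 255.255.255.0 tun0` points at the pushed route that route-nopull or pull-filter removes.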

Very good! It looked like something was off with the routing.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :)

2 Likes

If it is only that you want to stop the redirect-gateway pushed by the server, you might also be able to do it with:
pull-filter ignore "redirect-gateway"

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.