OpenVPN does not work properly

lucca · July 4, 2023, 3:10pm

Hello and good day to the community,

On the internet connection I have a fritzbox 7590 . I am absolute newbie with openwrt and have my old fritzbox 7360 with OpenWrt 22.03.5 r20134-5f15225c1e successfully flashed and plugged via lankkabel to the first fritzbox.
I also successfully set up my OpenVPN on openwrt and got it running. I can connect to openwrt with my laptop via wifi and have internet access.
When I check the external IP address of my laptop, I have the one from my internet provider in Germany. What am I doing wrong or what have I forgotten to set. My VPN provider is cyberghost. In the VPN config is a Ukrainian server entered. Greetings Lucca

Translated with www.DeepL.com/Translator (free version)

iplaywithtoys · July 4, 2023, 3:21pm

push route on the OVPN server.

iplaywithtoys · July 4, 2023, 3:40pm

Ah. My mistake. You want to connect to a VPN server operated by a third-party (Cyberghost). I thought you were also managing the VPN server as well as the clients.

In that case, you will have no control over what directives the OVPN server pushes to clients. However, Cyberghost might have some information about configuring OpenWRT to work with it. Many VPN providers recognise this use case and offer advice for implementing it.

I'm not a Cyberghost customer, so I don't know how good its help information is, but that's where I'd suggest looking first, to see if there is any information specific to Cyberghost and OpenWRT.

trendy · July 4, 2023, 3:41pm

Run the troubleshooting commands at the bottom of the page and post here the output.

Please use the "Preformatted text </>" button for logs, scripts, configs and general console output.

mk24 · July 4, 2023, 3:58pm

The startup of an OpenVPN client logs a lot to the system log, so you should start by reading it. One of the log entries should be a default route being pushed and accepted. If you run route or examine the routing status in LuCI, you should see that a "split default" route has been installed by OpenVPN. The new route routes 0.0.0.0/1 and 128.0.0.0/1 into tun0 (or whatever the OpenVPN tunnel device is). These two subnets together cover the whole IPv4 Internet.

For redirecting all Internet usage through a VPN service, the VPN tunnel should be placed into the wan firewall zone.

lucca · July 4, 2023, 5:10pm

/etc/openvpn/openvpn.log

2023-07-04 17:06:41 us=26440 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-c>
2 2023-07-04 17:06:41 us=45554 OpenVPN 2.5.7 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
3 2023-07-04 17:06:41 us=59212 library versions: OpenSSL 1.1.1u 30 May 2023, LZO 2.10
4 2023-07-04 17:06:41 us=70961 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
5 2023-07-04 17:06:41 us=151122 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
6 2023-07-04 17:06:41 us=178377 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
7 2023-07-04 17:06:41 us=186146 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
8 2023-07-04 17:06:41 us=203959 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
9 2023-07-04 17:06:41 us=211714 TCP/UDP: Preserving recently used remote address: [AF_INET]102.129.143.23:443
10 2023-07-04 17:06:41 us=244633 Socket Buffers: R=[180224->180224] S=[180224->180224]
11 2023-07-04 17:06:41 us=251720 UDP link local: (not bound)
12 2023-07-04 17:06:41 us=259176 UDP link remote: [AF_INET]102.129.143.23:443
13 2023-07-04 17:06:43 us=570426 TLS: Initial packet from [AF_INET]102.129.143.23:443, sid=e7b410a6 2f78c79f
14 2023-07-04 17:06:43 us=629683 VERIFY OK: depth=1, C=RO, L=Bucharest, O=CyberGhost S.A., CN=CyberGhost Root CA, emailAddress=info@cyberghost.ro
15 2023-07-04 17:06:43 us=660594 VERIFY KU OK
16 2023-07-04 17:06:43 us=665247 Validating certificate extended key usage
17 2023-07-04 17:06:43 us=669978 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
18 2023-07-04 17:06:43 us=675242 VERIFY EKU OK
19 2023-07-04 17:06:43 us=679739 VERIFY OK: depth=0, CN=huenenberg-rack409.nodes.gen4.ninja
20 2023-07-04 17:06:45 us=210423 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1569', remote='link-mtu 1553'
21 2023-07-04 17:06:45 us=215679 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
22 2023-07-04 17:06:45 us=222072 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA256
23 2023-07-04 17:06:45 us=226797 [huenenberg-rack409.nodes.gen4.ninja] Peer Connection Initiated with [AF_INET]102.129.143.23:443
24 2023-07-04 17:06:45 us=247465 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route-ipv6 2000::/3,dhcp-option DNS 10.0.0.243,route-gateway 10.22.4.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.22.4.108 255.2>
25 2023-07-04 17:06:45 us=253080 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
26 2023-07-04 17:06:45 us=258641 OPTIONS IMPORT: timers and/or timeouts modified
27 2023-07-04 17:06:45 us=262720 OPTIONS IMPORT: --ifconfig/up options modified
28 2023-07-04 17:06:45 us=266881 OPTIONS IMPORT: route options modified
29 2023-07-04 17:06:45 us=270953 OPTIONS IMPORT: route-related options modified
30 2023-07-04 17:06:45 us=275150 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
31 2023-07-04 17:06:45 us=279288 OPTIONS IMPORT: peer-id set
32 2023-07-04 17:06:45 us=283745 OPTIONS IMPORT: adjusting link_mtu to 1624
33 2023-07-04 17:06:45 us=287817 OPTIONS IMPORT: data channel crypto options modified
34 2023-07-04 17:06:45 us=292252 Data Channel: using negotiated cipher 'AES-128-GCM'
35 2023-07-04 17:06:45 us=296733 Data Channel MTU parms [ L:1552 D:1450 EF:52 EB:406 ET:0 EL:3 ]
36 2023-07-04 17:06:45 us=303497 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
37 2023-07-04 17:06:45 us=308391 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
38 2023-07-04 17:06:45 us=336360 net_route_v4_best_gw query: dst 0.0.0.0
39 2023-07-04 17:06:45 us=340968 net_route_v4_best_gw result: via 192.168.178.1 dev br-lan
40 2023-07-04 17:06:45 us=345739 GDG6: remote_host_ipv6=n/a
41 2023-07-04 17:06:45 us=349776 net_route_v6_best_gw query: dst ::
42 2023-07-04 17:06:45 us=354194 sitnl_send: rtnl: generic error (-128): Network unreachable
43 2023-07-04 17:06:45 us=363172 TUN/TAP device tun0 opened
44 2023-07-04 17:06:45 us=369226 do_ifconfig, ipv4=1, ipv6=0
45 2023-07-04 17:06:45 us=376182 net_iface_mtu_set: mtu 1500 for tun0
46 2023-07-04 17:06:45 us=382916 net_iface_up: set tun0 up
47 2023-07-04 17:06:45 us=395715 net_addr_v4_add: 10.22.4.108/24 dev tun0
48 2023-07-04 17:06:45 us=405776 /usr/libexec/openvpn-hotplug up OPENVPN tun0 1500 1552 10.22.4.108 255.255.255.0 init
49 2023-07-04 17:06:50 us=290485 net_route_v4_add: 102.129.143.23/32 via 192.168.178.1 dev [NULL] table 0 metric -1
50 2023-07-04 17:06:50 us=295763 net_route_v4_add: 0.0.0.0/1 via 10.22.4.1 dev [NULL] table 0 metric -1
51 2023-07-04 17:06:50 us=300914 net_route_v4_add: 128.0.0.0/1 via 10.22.4.1 dev [NULL] table 0 metric -1
52 2023-07-04 17:06:50 us=306163 WARNING: OpenVPN was configured to add an IPv6 route. However, no IPv6 has been configured for tun0, therefore the route installation may fail or may not work as expected.
53 2023-07-04 17:06:50 us=310901 add_route_ipv6(2000::/3 -> :: metric -1) dev tun0
54 2023-07-04 17:06:50 us=315261 net_route_v6_add: 2000::/3 via :: dev tun0 table 0 metric -1
55 2023-07-04 17:06:50 us=320828 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
56 2023-07-04 17:06:50 us=325466 Initialization Sequence Completed

iplaywithtoys · July 4, 2023, 5:39pm

There you go.

lucca · July 4, 2023, 6:32pm

Sorry, what do I have to do?

iplaywithtoys · July 4, 2023, 6:54pm

This:

lucca · July 4, 2023, 7:03pm

I can't see any troubleshooting commands at the bottom of the page. Where do I need to look?

iplaywithtoys · July 4, 2023, 7:23pm

There's a big header which reads "Troubleshooting". The link took you directly there when you clicked on it.

lucca · July 5, 2023, 7:38am

sorry now i understand

root@OpenWrt:~# /etc/init.d/log restart; /etc/init.d/openvpn restart; sleep 10

root@OpenWrt:~# logread -e openvpn; netstat -l -n -p | grep -e openvpn

Wed Jul 5 07:23:56 2023 daemon.err openvpn(OPENVPN)[2065]: event_wait : Interru Wed Jul 5 07:23:56 2023 daemon.notice openvpn(OPENVPN)[2065]: SIGTERM received, Wed Jul 5 07:23:58 2023 daemon.notice openvpn(OPENVPN)[2065]: TCP/UDP: Closing Wed Jul 5 07:23:58 2023 daemon.notice openvpn(OPENVPN)[2065]: net_route_v4_del: Wed Jul 5 07:23:58 2023 daemon.notice openvpn(OPENVPN)[2065]: net_route_v4_del: Wed Jul 5 07:23:58 2023 daemon.notice openvpn(OPENVPN)[2065]: net_route_v4_del: Wed Jul 5 07:23:58 2023 daemon.notice openvpn(OPENVPN)[2065]: delete_route_ipv6 Wed Jul 5 07:23:58 2023 daemon.notice openvpn(OPENVPN)[2065]: net_route_v6_del: Wed Jul 5 07:23:58 2023 daemon.notice openvpn(OPENVPN)[2065]: Closing TUN/TAP i Wed Jul 5 07:23:58 2023 daemon.notice openvpn(OPENVPN)[2065]: net_addr_v4_del: Wed Jul 5 07:23:58 2023 daemon.notice openvpn(OPENVPN)[2065]: /usr/libexec/open Wed Jul 5 07:23:58 2023 daemon.notice openvpn(OPENVPN)[2065]: SIGTERM[soft,exit Wed Jul 5 07:23:58 2023 daemon.warn openvpn(OPENVPN)[3507]: DEPRECATED OPTION: Wed Jul 5 07:23:58 2023 daemon.notice openvpn(OPENVPN)[3507]: OpenVPN 2.5.7 mip Wed Jul 5 07:23:58 2023 daemon.notice openvpn(OPENVPN)[3507]: library versions: Wed Jul 5 07:23:58 2023 daemon.warn openvpn(OPENVPN)[3507]: NOTE: the current - Wed Jul 5 07:23:58 2023 daemon.notice openvpn(OPENVPN)[3507]: Control Channel M Wed Jul 5 07:23:59 2023 daemon.notice openvpn(OPENVPN)[3507]: Data Channel MTU Wed Jul 5 07:23:59 2023 daemon.notice openvpn(OPENVPN)[3507]: Local Options Str Wed Jul 5 07:23:59 2023 daemon.notice openvpn(OPENVPN)[3507]: Expected Remote O Wed Jul 5 07:23:59 2023 daemon.notice openvpn(OPENVPN)[3507]: TCP/UDP: Preservi Wed Jul 5 07:23:59 2023 daemon.notice openvpn(OPENVPN)[3507]: Socket Buffers: R Wed Jul 5 07:23:59 2023 daemon.notice openvpn(OPENVPN)[3507]: UDP link local: ( Wed Jul 5 07:23:59 2023 daemon.notice openvpn(OPENVPN)[3507]: UDP link remote: Wed Jul 5 07:23:59 2023 daemon.notice openvpn(OPENVPN)[3507]: TLS: Initial pack Wed Jul 5 07:23:59 2023 daemon.notice openvpn(OPENVPN)[3507]: VERIFY OK: depth= Wed Jul 5 07:23:59 2023 daemon.notice openvpn(OPENVPN)[3507]: VERIFY KU OK
Wed Jul 5 07:23:59 2023 daemon.notice openvpn(OPENVPN)[3507]: Validating certif Wed Jul 5 07:23:59 2023 daemon.notice openvpn(OPENVPN)[3507]: ++ Certificate ha Wed Jul 5 07:23:59 2023 daemon.notice openvpn(OPENVPN)[3507]: VERIFY EKU OK
Wed Jul 5 07:23:59 2023 daemon.notice openvpn(OPENVPN)[3507]: VERIFY OK: depth= Wed Jul 5 07:24:01 2023 daemon.warn openvpn(OPENVPN)[3507]: WARNING: 'link-mtu' Wed Jul 5 07:24:01 2023 daemon.warn openvpn(OPENVPN)[3507]: WARNING: 'keysize' Wed Jul 5 07:24:01 2023 daemon.notice openvpn(OPENVPN)[3507]: Control Channel: Wed Jul 5 07:24:01 2023 daemon.notice openvpn(OPENVPN)[3507]: [zurich-rack402.n Wed Jul 5 07:24:01 2023 daemon.notice openvpn(OPENVPN)[3507]: PUSH: Received co Wed Jul 5 07:24:01 2023 daemon.warn openvpn(OPENVPN)[3507]: WARNING: You have s Wed Jul 5 07:24:01 2023 daemon.notice openvpn(OPENVPN)[3507]: OPTIONS IMPORT: t Wed Jul 5 07:24:01 2023 daemon.notice openvpn(OPENVPN)[3507]: OPTIONS IMPORT: - Wed Jul 5 07:24:01 2023 daemon.notice openvpn(OPENVPN)[3507]: OPTIONS IMPORT: r Wed Jul 5 07:24:01 2023 daemon.notice openvpn(OPENVPN)[3507]: OPTIONS IMPORT: r Wed Jul 5 07:24:01 2023 daemon.notice openvpn(OPENVPN)[3507]: OPTIONS IMPORT: - Wed Jul 5 07:24:01 2023 daemon.notice openvpn(OPENVPN)[3507]: OPTIONS IMPORT: p Wed Jul 5 07:24:01 2023 daemon.notice openvpn(OPENVPN)[3507]: OPTIONS IMPORT: a Wed Jul 5 07:24:01 2023 daemon.notice openvpn(OPENVPN)[3507]: OPTIONS IMPORT: d Wed Jul 5 07:24:01 2023 daemon.notice openvpn(OPENVPN)[3507]: Data Channel: usi Wed Jul 5 07:24:01 2023 daemon.notice openvpn(OPENVPN)[3507]: Data Channel MTU Wed Jul 5 07:24:01 2023 daemon.notice openvpn(OPENVPN)[3507]: Outgoing Data Cha Wed Jul 5 07:24:01 2023 daemon.notice openvpn(OPENVPN)[3507]: Incoming Data Cha Wed Jul 5 07:24:01 2023 daemon.notice openvpn(OPENVPN)[3507]: net_route_v4_best Wed Jul 5 07:24:01 2023 daemon.notice openvpn(OPENVPN)[3507]: net_route_v4_best Wed Jul 5 07:24:01 2023 daemon.notice openvpn(OPENVPN)[3507]: GDG6: remote_host Wed Jul 5 07:24:01 2023 daemon.notice openvpn(OPENVPN)[3507]: net_route_v6_best Wed Jul 5 07:24:01 2023 daemon.warn openvpn(OPENVPN)[3507]: sitnl_send: rtnl: g Wed Jul 5 07:24:01 2023 daemon.notice openvpn(OPENVPN)[3507]: TUN/TAP device tu Wed Jul 5 07:24:01 2023 daemon.notice openvpn(OPENVPN)[3507]: do_ifconfig, ipv4 Wed Jul 5 07:24:01 2023 daemon.notice openvpn(OPENVPN)[3507]: net_iface_mtu_set Wed Jul 5 07:24:01 2023 daemon.notice openvpn(OPENVPN)[3507]: net_iface_up: set Wed Jul 5 07:24:01 2023 daemon.notice openvpn(OPENVPN)[3507]: net_addr_v4_add: Wed Jul 5 07:24:01 2023 daemon.notice openvpn(OPENVPN)[3507]: /usr/libexec/open Wed Jul 5 07:24:06 2023 daemon.notice openvpn(OPENVPN)[3507]: net_route_v4_add: Wed Jul 5 07:24:06 2023 daemon.notice openvpn(OPENVPN)[3507]: net_route_v4_add: Wed Jul 5 07:24:06 2023 daemon.notice openvpn(OPENVPN)[3507]: net_route_v4_add: Wed Jul 5 07:24:06 2023 daemon.notice openvpn(OPENVPN)[3507]: WARNING: OpenVPN Wed Jul 5 07:24:06 2023 daemon.notice openvpn(OPENVPN)[3507]: add_route_ipv6(20 Wed Jul 5 07:24:06 2023 daemon.notice openvpn(OPENVPN)[3507]: net_route_v6_add: Wed Jul 5 07:24:06 2023 daemon.warn openvpn(OPENVPN)[3507]: WARNING: this confi Wed Jul 5 07:24:06 2023 daemon.notice openvpn(OPENVPN)[3507]: Initialization Se udp 0 0 0.0.0.0:56964 0.0.0.0:* root@OpenWrt:~# ^C pted system call (code=4)
sending exit notification to peer
socket
102.129.143.20/32 via 192.168.178.1 dev [NULL] table 0 metric -1
0.0.0.0/1 via 10.19.4.1 dev [NULL] table 0 metric -1
128.0.0.0/1 via 10.19.4.1 dev [NULL] table 0 metric -1
(2000::/3)
2000::/3 via :: dev tun0 table 0 metric -1
nterface
10.19.4.31 dev tun0
vpn-hotplug down OPENVPN tun0 1500 1552 10.19.4.31 255.255.255.0 init
-with-notification] received, process exiting
--cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128 -GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphe rs-fallback 'AES-256-CBC' to silence this warning.
s-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
OpenSSL 1.1.1u 30 May 2023, LZO 2.10
-script-security setting may allow this configuration to call user-defined scrip ts
TU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
ing (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES -256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
ptions String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4, cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
ng recently used remote address: [AF_INET]84.17.52.49:443
=[180224->180224] S=[180224->180224]
not bound)
[AF_INET]84.17.52.49:443
et from [AF_INET]84.17.52.49:443, sid=8c2d5bf3 ade98a45
1, C=RO, L=Bucharest, O=CyberGhost S.A., CN=CyberGhost Root CA, emailAddress=inf o@cyberghost.ro
icate extended key usage
s EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
0, CN=zurich-rack402.nodes.gen4.ninja
is used inconsistently, local='link-mtu 1569', remote='link-mtu 1553'
is used inconsistently, local='keysize 256', remote='keysize 128'
TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA256
odes.gen4.ninja] Peer Connection Initiated with [AF_INET]84.17.52.49:443
ntrol message: 'PUSH_REPLY,redirect-gateway def1,route-ipv6 2000::/3,dhcp-option DNS 10.0.0.243,route-gateway 10.18.4.1,topology subnet,ping 10,ping-restart 60, ifconfig 10.18.4.154 255.255.255.0,peer-id 22,cipher AES-128-GCM'
pecified redirect-gateway and redirect-private at the same time (or the same opt ion multiple times). This is not well supported and may lead to unexpected resul ts
imers and/or timeouts modified
-ifconfig/up options modified
oute options modified
oute-related options modified
-ip-win32 and/or --dhcp-option options modified
eer-id set
djusting link_mtu to 1624
ata channel crypto options modified
ng negotiated cipher 'AES-128-GCM'
parms [ L:1552 D:1450 EF:52 EB:406 ET:0 EL:3 ]
nnel: Cipher 'AES-128-GCM' initialized with 128 bit key
nnel: Cipher 'AES-128-GCM' initialized with 128 bit key
_gw query: dst 0.0.0.0
_gw result: via 192.168.178.1 dev br-lan
_ipv6=n/a
_gw query: dst ::
eneric error (-128): Network unreachable
n0 opened
=1, ipv6=0
: mtu 1500 for tun0
tun0 up
10.18.4.154/24 dev tun0
vpn-hotplug up OPENVPN tun0 1500 1552 10.18.4.154 255.255.255.0 init
84.17.52.49/32 via 192.168.178.1 dev [NULL] table 0 metric -1
0.0.0.0/1 via 10.18.4.1 dev [NULL] table 0 metric -1
128.0.0.0/1 via 10.18.4.1 dev [NULL] table 0 metric -1
was configured to add an IPv6 route. However, no IPv6 has been configured for tu n0, therefore the route installation may fail or may not work as expected.
00::/3 -> :: metric -1) dev tun0
2000::/3 via :: dev tun0 table 0 metric -1
guration may cache passwords in memory -- use the auth-nocache option to prevent this
quence Completed
3507/openvpn

root@OpenWrt:~# pgrep -f -a openvpn

3507 /usr/sbin/openvpn --syslog openvpn(OPENVPN) --status /var/run/openvpn.OPENVPN.status --cd /etc/openvpn --config /etc/openvpn/OPENVPN.ovpn --up /usr/libexec/openvpn-hotplug up OPENVPN --down /usr/libexec/openvpn-hotplug down OPENVPN --script-security 2
root@OpenWrt:~# ip address show; ip route show table all
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1508 qdisc fq_codel state UNKNOWN qlen 1000
link/ether 9c:c7:a6:41:2b:0e brd ff:ff:ff:ff:ff:ff
inet6 fe80::9ec7:a6ff:fe41:2b0e/64 scope link
valid_lft forever preferred_lft forever
3: lan3@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
link/ether 9c:c7:a6:41:2b:0e brd ff:ff:ff:ff:ff:ff
4: lan4@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
link/ether 9c:c7:a6:41:2b:0e brd ff:ff:ff:ff:ff:ff
5: lan2@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
link/ether 9c:c7:a6:41:2b:0e brd ff:ff:ff:ff:ff:ff
6: lan1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
link/ether 9c:c7:a6:41:2b:0e brd ff:ff:ff:ff:ff:ff
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
link/ether 9c:c7:a6:41:2b:0e brd ff:ff:ff:ff:ff:ff
inet 192.168.178.2/24 brd 192.168.178.255 scope global br-lan
valid_lft forever preferred_lft forever
inet6 fd74:3dcd:880::1/60 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::9ec7:a6ff:fe41:2b0e/64 scope link
valid_lft forever preferred_lft forever
9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
link/ether 9c:c7:a6:41:2b:10 brd ff:ff:ff:ff:ff:ff
inet6 fe80::9ec7:a6ff:fe41:2b10/64 scope link
valid_lft forever preferred_lft forever
11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
link/[65534]
inet 10.18.4.154/24 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::9b2f:5f1e:3691:3941/64 scope link flags 800
valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.18.4.1 dev tun0
default via 192.168.178.1 dev br-lan
10.18.4.0/24 dev tun0 scope link src 10.18.4.154
84.17.52.49 via 192.168.178.1 dev br-lan
128.0.0.0/1 via 10.18.4.1 dev tun0
192.168.178.0/24 dev br-lan scope link src 192.168.178.2
broadcast 10.18.4.0 dev tun0 table local scope link src 10.18.4.154
local 10.18.4.154 dev tun0 table local scope host src 10.18.4.154
broadcast 10.18.4.255 dev tun0 table local scope link src 10.18.4.154
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 192.168.178.0 dev br-lan table local scope link src 192.168.178.2
local 192.168.178.2 dev br-lan table local scope host src 192.168.178.2
broadcast 192.168.178.255 dev br-lan table local scope link src 192.168.178.2
2000::/3 dev tun0 metric 1024
fd74:3dcd:880::/64 dev br-lan metric 1024
unreachable fd74:3dcd:880::/48 dev lo metric 2147483647
fe80::/64 dev eth0 metric 256
fe80::/64 dev br-lan metric 256
fe80::/64 dev wlan0 metric 256
fe80::/64 dev tun0 metric 256
local ::1 dev lo table local metric 0
anycast fd74:3dcd:880:: dev br-lan table local metric 0
local fd74:3dcd:880::1 dev br-lan table local metric 0
anycast fe80:: dev eth0 table local metric 0
anycast fe80:: dev br-lan table local metric 0
anycast fe80:: dev wlan0 table local metric 0
anycast fe80:: dev tun0 table local metric 0
local fe80::9b2f:5f1e:3691:3941 dev tun0 table local metric 0
local fe80::9ec7:a6ff:fe41:2b0e dev eth0 table local metric 0
local fe80::9ec7:a6ff:fe41:2b0e dev br-lan table local metric 0
local fe80::9ec7:a6ff:fe41:2b10 dev wlan0 table local metric 0
multicast ff00::/8 dev eth0 table local metric 256
multicast ff00::/8 dev br-lan table local metric 256
multicast ff00::/8 dev wlan0 table local metric 256
multicast ff00::/8 dev tun0 table local metric 256

lucca · July 5, 2023, 7:39am

root@OpenWrt:~# ip rule show; ip -6 rule show; nft list ruleset

0: from all lookup local
32766: from all lookup main
32767: from all lookup default
0: from all lookup local
32766: from all lookup main
table inet fw4 {
chain input {
type filter hook input priority filter; policy accept;
iifname "lo" accept comment "!fw4: Accept traffic from loopback"
ct state established,related accept comment "!fw4: Allow inbound established and related flows"
tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
iifname { "br-lan", "tun0" } jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
meta nfproto ipv4 iifname "dsl0" jump input_wan comment "!fw4: Handle wan IPv4 input traffic"
}

    chain forward {
            type filter hook forward priority filter; policy accept;
            ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
            iifname { "br-lan", "tun0" } jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
            meta nfproto ipv4 iifname "dsl0" jump forward_wan comment "!fw4: Handle wan IPv4 forward traffic"
    }

    chain output {
            type filter hook output priority filter; policy accept;
            oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
            ct state established,related accept comment "!fw4: Allow outbound established and related flows"
            oifname { "br-lan", "tun0" } jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
            meta nfproto ipv4 oifname "dsl0" jump output_wan comment "!fw4: Handle wan IPv4 output traffic"
    }

    chain prerouting {
            type filter hook prerouting priority filter; policy accept;
            iifname { "br-lan", "tun0" } jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
    }

    chain handle_reject {
            meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
            reject comment "!fw4: Reject any other traffic"
    }

    chain syn_flood {
            limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
            drop comment "!fw4: Drop excess packets"
    }

    chain input_lan {
            jump accept_from_lan
    }

    chain output_lan {
            jump accept_to_lan
    }

    chain forward_lan {
            jump accept_to_ovpn_fw comment "!fw4: Accept lan to ovpn_fw forwarding"
            jump accept_to_lan
    }

    chain helper_lan {
    }

    chain accept_from_lan {
            iifname { "br-lan", "tun0" } counter packets 321 bytes 71012 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
    }

    chain accept_to_lan {
            oifname { "br-lan", "tun0" } counter packets 18 bytes 1768 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
    }

    chain input_wan {
            meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
            icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
            meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP"
            jump reject_from_wan
    }

    chain output_wan {
            jump accept_to_wan
    }

    chain forward_wan {
            meta nfproto ipv4 meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
            meta nfproto ipv4 udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
            jump reject_to_wan
    }

    chain accept_to_wan {
            meta nfproto ipv4 oifname "dsl0" counter packets 0 bytes 0 accept comment "!fw4: accept wan IPv4 traffic"
    }

    chain reject_from_wan {
            meta nfproto ipv4 iifname "dsl0" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4 traffic"
    }

    chain reject_to_wan {
            meta nfproto ipv4 oifname "dsl0" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4 traffic"
    }

    chain input_ovpn_fw {
            jump reject_from_ovpn_fw
    }

    chain output_ovpn_fw {
            jump accept_to_ovpn_fw
    }

    chain forward_ovpn_fw {
            jump reject_to_ovpn_fw
    }

    chain accept_to_ovpn_fw {
    }

    chain reject_from_ovpn_fw {
    }

    chain reject_to_ovpn_fw {
    }

    chain dstnat {
            type nat hook prerouting priority dstnat; policy accept;
    }

    chain srcnat {
            type nat hook postrouting priority srcnat; policy accept;
            meta nfproto ipv4 oifname "dsl0" jump srcnat_wan comment "!fw4: Handle wan IPv4 srcnat traffic"
    }

    chain srcnat_wan {
            meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
    }

    chain srcnat_ovpn_fw {
            meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 ovpn_fw traffic"
    }

    chain raw_prerouting {
            type filter hook prerouting priority raw; policy accept;
    }

    chain raw_output {
            type filter hook output priority raw; policy accept;
    }

    chain mangle_prerouting {
            type filter hook prerouting priority mangle; policy accept;
    }

    chain mangle_postrouting {
            type filter hook postrouting priority mangle; policy accept;
    }

    chain mangle_input {
            type filter hook input priority mangle; policy accept;
    }

    chain mangle_output {
            type route hook output priority mangle; policy accept;
    }

    chain mangle_forward {
            type filter hook forward priority mangle; policy accept;
            meta nfproto ipv4 iifname "dsl0" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4 ingress MTU fixing"
            meta nfproto ipv4 oifname "dsl0" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4 egress MTU fixing"
    }

}

root@OpenWrt:~# uci show network; uci show firewall; uci show openvpn

network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd74:3dcd:0880::/48'
network.atm=atm-bridge
network.atm.vpi='1'
network.atm.vci='32'
network.atm.encaps='llc'
network.atm.payload='bridged'
network.atm.nameprefix='dsl'
network.dsl=dsl
network.dsl.annex='b'
network.dsl.tone='av'
network.dsl.ds_snr_offset='0'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='lan1' 'lan2' 'lan3' 'lan4'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.178.2'
network.lan.gateway='192.168.178.1'
network.lan.dns='192.168.178.1'
network.@device[1]=device
network.@device[1].name='dsl0'
network.@device[1].macaddr='9c:c7:a6:41:2b:11'
network.wan=interface
network.wan.device='dsl0'
network.wan.proto='pppoe'
network.wan.username='username'
network.wan.password='password'
network.wan.ipv6='1'
network.wan6=interface
network.wan6.device='@wan'
network.wan6.proto='dhcpv6'
network.OPENVPN=interface
network.OPENVPN.proto='none'
network.OPENVPN.device='tun0'
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].synflood_protect='1'
firewall.@defaults[0].forward='ACCEPT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan' 'OPENVPN'
firewall.@zone[0].device='tun0'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].family='ipv4'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@zone[2]=zone
firewall.@zone[2].name='ovpn_fw'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='ovpn_fw'
openvpn.OPENVPN=openvpn
openvpn.OPENVPN.config='/etc/openvpn/OPENVPN.ovpn'
openvpn.OPENVPN.enabled='1'

root@OpenWrt:~# head -v -n -0 /etc/openvpn/*.conf

iplaywithtoys · July 5, 2023, 8:12am

Replace .conf with .ovpn and run that command again. Make sure to redact any keys, certs, and passwords which may be exposed.

egc · July 5, 2023, 9:19am

Is this router not setup as a dumb AP i.e. connected LAN<>LAN on the same subnet?

The OVPN does make a connection but if this is a dumb AP then the LAN clients like your laptop will just bypass the VPN

If so point the gateway of your LAN clients like your laptop to the router e.g.: 192.168.178.2?
But easier is to just setup as a regular router (connected with its WAN on its own subnet) so all connected clients will always use the VPN.

lucca · July 5, 2023, 3:27pm

I have now started again from the beginning.
The Lan interface has IPv4: 192.168.15.2/24 DHCP is on.
At the Wan port comes the network cable from my first Fritzbox. The wan interface is configured as DHCP Client and
got the IP from the first fritzbox 192.168.178.122.

I am connected with my laptop via WLAN with the OpenWRT router, but still have no Internet. What do I have to configure now? I will deal with VPN later.

trendy · July 6, 2023, 7:08am

You need to repost again the configurations from above in preformatted text not in blockquote.
For what it's worth, there was no issue with the tunnel itself. The problem is that you had it configured in the lan zone, so no masquerade was applied and it is questionable whether the lan clients were using OpenWrt as the gateway.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

lucca · July 6, 2023, 7:36pm

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.10.176",
        "hostname": "OpenWrt",
        "system": "xRX200 rev 1.2",
        "model": "AVM FRITZ!Box 7360 SL",
        "board_name": "avm,fritz7360sl",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.5",
                "revision": "r20134-5f15225c1e",
                "target": "lantiq/xrx200",
                "description": "OpenWrt 22.03.5 r20134-5f15225c1e"
        }
}

root@OpenWrt:~# uci export network; uci export wireless;
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd74:3dcd:0880::/48'

config atm-bridge 'atm'
        option vpi '1'
        option vci '32'
        option encaps 'llc'
        option payload 'bridged'
        option nameprefix 'dsl'

config dsl 'dsl'
        option annex 'b'
        option tone 'av'
        option ds_snr_offset '0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.15.1'

config device
        option name 'dsl0'
        option macaddr '9c:c7:a6:41:2b:11'

config interface 'wan'
        option proto 'static'
        option device 'eth0'
        option ipaddr '192.168.178.2'
        option gateway '192.168.178.1'
        option broadcast '192.168.178.255'
        list dns '8.8.8.8'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'LucV'
        option encryption 'psk2'
        option key 'qwertzui'

root@OpenWrt:~# uci export dhcp; uci export firewall;
package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'ovpn_fw'
        option output 'ACCEPT'
        option input 'REJECT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'ovpn_fw'

root@OpenWrt:~# ip -4 addr ; ip -4 ro li tab all ; ip -4 ru;
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1508 qdisc fq_codel state UNKNOWN qlen 1000
    inet 192.168.178.2/32 brd 192.168.178.255 scope global eth0
       valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.15.1/24 brd 192.168.15.255 scope global br-lan
       valid_lft forever preferred_lft forever
192.168.15.0/24 dev br-lan scope link  src 192.168.15.1
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.15.0 dev br-lan table local scope link  src 192.168.15.1
local 192.168.15.1 dev br-lan table local scope host  src 192.168.15.1
broadcast 192.168.15.255 dev br-lan table local scope link  src 192.168.15.1
local 192.168.178.2 dev eth0 table local scope host  src 192.168.178.2
broadcast 192.168.178.255 dev eth0 table local scope link  src 192.168.178.2
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
root@OpenWrt:~#

root@OpenWrt:~# ip -4 addr ; ip -4 ro li tab all ; ip -4 ru;
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1508 qdisc fq_codel state UNKNOWN qlen 1000
    inet 192.168.178.2/32 brd 192.168.178.255 scope global eth0
       valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.15.1/24 brd 192.168.15.255 scope global br-lan
       valid_lft forever preferred_lft forever
192.168.15.0/24 dev br-lan scope link  src 192.168.15.1
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.15.0 dev br-lan table local scope link  src 192.168.15.1
local 192.168.15.1 dev br-lan table local scope host  src 192.168.15.1
broadcast 192.168.15.255 dev br-lan table local scope link  src 192.168.15.1
local 192.168.178.2 dev eth0 table local scope host  src 192.168.178.2
broadcast 192.168.178.255 dev eth0 table local scope link  src 192.168.178.2
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
root@OpenWrt:~# ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
lrwxrwxrwx    1 root     root            16 Apr 27 20:28 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Jul  3 18:40 /tmp/resolv.conf
-rw-r--r--    1 root     root            35 Jul  3 18:40 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root            35 Jul  3 18:40 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan
nameserver 8.8.8.8

lucca · July 6, 2023, 7:41pm

I would be happy if I could first
Internet from my network 192.168.178.1 over the new network
192.168.15.1 network.
VPN I can try later.

Thanks for the support.

trendy · July 6, 2023, 7:42pm

wan interface is missing the subnet mask.