OpenVPN no connection via Lan 2 to 4

Hello,

the Fritzbox 7490 is connected to the internet via LAN1. OpenVPN is connected to the server, but unfortunately the devices on LAN 2, 3 and 4 do not go out through the OpenVPN tunnel. I'm pretty new to OpenWrt, so I'm asking for your help. What am I doing wrong?

# ubus call system board
{
	"kernel": "6.6.58",
	"hostname": "OpenWrt",
	"system": "xRX200 rev 1.2",
	"model": "AVM FRITZ!Box 7490 (Micron NAND)",
	"board_name": "avm,fritz7490-micron",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"description": "OpenWrt SNAPSHOT",
		"revision": "r27998-591272d197",
		"target": "lantiq/xrx200",
		"builddate": "1730587054"
	}
}
# uci export network
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd51:49a6:3b3e::/48'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'

config dsl 'dsl'
	option annex 'b'
	option tone 'av'
	option ds_snr_offset '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config device
	option name 'lan1'
	option macaddr '08:96:D7:62:F7:6D'

config device
	option name 'lan2'
	option macaddr '08:96:D7:62:F7:6D'

config device
	option name 'lan3'
	option macaddr '08:96:D7:62:F7:6D'

config device
	option name 'lan4'
	option macaddr '08:96:D7:62:F7:6D'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.8.51'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.8.1'
	list dns '10.8.0.1'
	list dns '192.168.8.1'

config device
	option name 'dsl0'
	option macaddr '08:96:D7:62:F7:71'

config interface 'wan'
	option device 'dsl0'
	option proto 'pppoe'
	option username 'username'
	option password 'password'
	option ipv6 '1'
	option peerdns '0'

config interface 'wan6'
	option device '@wan'
	option proto 'dhcpv6'

config interface 'winnfedd_ip'
	option proto 'none'
	option device 'tun0'
# uci export dhcp
package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '6,10.8.0.1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
# uci export firewall
package firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'VPN_fedd'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'winnfedd_ip'

config forwarding
	option src 'lan'
	option dest 'VPN_fedd'
# ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.8.51/24 brd 192.168.8.255 scope global br-lan
       valid_lft forever preferred_lft forever
8: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
    inet 10.8.0.18/24 scope global tun0
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.8.0.1 dev tun0 
default via 192.168.8.1 dev br-lan 
10.8.0.0/24 dev tun0 scope link  src 10.8.0.18 
**.**.**.** via 192.168.8.1 dev br-lan 
128.0.0.0/1 via 10.8.0.1 dev tun0 
192.168.8.0/24 dev br-lan scope link  src 192.168.8.51 
local 10.8.0.18 dev tun0 table local scope host  src 10.8.0.18 
broadcast 10.8.0.255 dev tun0 table local scope link  src 10.8.0.18 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
local 192.168.8.51 dev br-lan table local scope host  src 192.168.8.51 
broadcast 192.168.8.255 dev br-lan table local scope link  src 192.168.8.51 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.1        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.8.1     0.0.0.0         UG    0      0        0 br-lan
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
**.**.**.**     192.168.8.1     255.255.255.255 UGH   0      0        0 br-lan
128.0.0.0       10.8.0.1        128.0.0.0       UG    0      0        0 tun0
192.168.8.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
 ip route
0.0.0.0/1 via 10.8.0.1 dev tun0 
default via 192.168.8.1 dev br-lan 
10.8.0.0/24 dev tun0 scope link  src 10.8.0.18 
**.**.**.** via 192.168.8.1 dev br-lan 
128.0.0.0/1 via 10.8.0.1 dev tun0 
192.168.8.0/24 dev br-lan scope link  src 192.168.8.51
Tue Nov  5 18:50:46 2024 kern.notice kernel: [    0.000000] Linux version 6.6.58 (builder@buildhost) (mips-openwrt-linux-musl-gcc (OpenWrt GCC 13.3.0 r27998-591272d197) 13.3.0, GNU ld (GNU Binutils) 2.42) #0 SMP Sat Nov  2 22:37:34 2024
Tue Nov  5 18:50:46 2024 kern.info kernel: [    0.000000] SoC: xRX200 rev 1.2
Tue Nov  5 18:50:46 2024 kern.info kernel: [    0.000000] printk: bootconsole [early0] enabled
Tue Nov  5 18:50:46 2024 kern.info kernel: [    0.000000] CPU0 revision is: 00019556 (MIPS 34Kc)
Tue Nov  5 18:50:46 2024 kern.info kernel: [    0.000000] MIPS: machine is AVM FRITZ!Box 7490 (Micron NAND)
...
Tue Nov  5 18:51:13 2024 daemon.notice openvpn(winfedd)[2298]: TCP/UDP: Preserving recently used remote address: [AF_INET]**.**.**.**:1194
Tue Nov  5 18:51:13 2024 daemon.notice openvpn(winfedd)[2298]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Tue Nov  5 18:51:13 2024 daemon.notice openvpn(winfedd)[2298]: UDPv4 link local: (not bound)
Tue Nov  5 18:51:13 2024 daemon.notice openvpn(winfedd)[2298]: UDPv4 link remote: [AF_INET]**.**.**.**:1194
Tue Nov  5 18:51:13 2024 daemon.notice openvpn(winfedd)[2298]: TLS: Initial packet from [AF_INET]**.**.**.**:1194, sid=ff3d84c7 ce3b7ae2
Tue Nov  5 18:51:13 2024 daemon.notice openvpn(winfedd)[2298]: VERIFY OK: depth=1, CN=ChangeMe
Tue Nov  5 18:51:13 2024 daemon.notice openvpn(winfedd)[2298]: VERIFY KU OK
Tue Nov  5 18:51:13 2024 daemon.notice openvpn(winfedd)[2298]: Validating certificate extended key usage
Tue Nov  5 18:51:13 2024 daemon.notice openvpn(winfedd)[2298]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Nov  5 18:51:13 2024 daemon.notice openvpn(winfedd)[2298]: VERIFY EKU OK
Tue Nov  5 18:51:13 2024 daemon.notice openvpn(winfedd)[2298]: VERIFY OK: depth=0, CN=server
Tue Nov  5 18:51:15 2024 daemon.notice openvpn(winfedd)[2298]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
Tue Nov  5 18:51:15 2024 daemon.notice openvpn(winfedd)[2298]: [server] Peer Connection Initiated with [AF_INET]**.**.**.**:1194
Tue Nov  5 18:51:15 2024 daemon.notice openvpn(winfedd)[2298]: TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Tue Nov  5 18:51:15 2024 daemon.notice openvpn(winfedd)[2298]: TLS: tls_multi_process: initial untrusted session promoted to trusted
Tue Nov  5 18:51:16 2024 daemon.notice openvpn(winfedd)[2298]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Nov  5 18:51:16 2024 daemon.notice openvpn(winfedd)[2298]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.18 255.255.255.0,peer-id 3,cipher AES-256-GCM'
Tue Nov  5 18:51:16 2024 daemon.notice openvpn(winfedd)[2298]: OPTIONS IMPORT: --ifconfig/up options modified
Tue Nov  5 18:51:16 2024 daemon.notice openvpn(winfedd)[2298]: OPTIONS IMPORT: route options modified
Tue Nov  5 18:51:16 2024 daemon.notice openvpn(winfedd)[2298]: OPTIONS IMPORT: route-related options modified
Tue Nov  5 18:51:16 2024 daemon.notice openvpn(winfedd)[2298]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Nov  5 18:51:16 2024 daemon.notice openvpn(winfedd)[2298]: net_route_v4_best_gw query: dst 0.0.0.0
Tue Nov  5 18:51:16 2024 daemon.notice openvpn(winfedd)[2298]: net_route_v4_best_gw result: via 192.168.8.1 dev br-lan
Tue Nov  5 18:51:16 2024 daemon.notice openvpn(winfedd)[2298]: TUN/TAP device tun0 opened
Tue Nov  5 18:51:16 2024 daemon.notice openvpn(winfedd)[2298]: net_iface_mtu_set: mtu 1500 for tun0
Tue Nov  5 18:51:16 2024 daemon.notice openvpn(winfedd)[2298]: net_iface_up: set tun0 up
Tue Nov  5 18:51:16 2024 daemon.notice netifd: Interface 'winnfedd_ip' is enabled
Tue Nov  5 18:51:16 2024 daemon.notice netifd: Network device 'tun0' link is up
Tue Nov  5 18:51:16 2024 daemon.notice netifd: Interface 'winnfedd_ip' has link connectivity
Tue Nov  5 18:51:16 2024 daemon.notice netifd: Interface 'winnfedd_ip' is setting up now
Tue Nov  5 18:51:16 2024 daemon.notice openvpn(winfedd)[2298]: net_addr_v4_add: 10.8.0.18/24 dev tun0
Tue Nov  5 18:51:16 2024 daemon.notice openvpn(winfedd)[2298]: /usr/libexec/openvpn-hotplug up winfedd tun0 1500 0 10.8.0.18 255.255.255.0 init
Tue Nov  5 18:51:16 2024 daemon.notice netifd: Interface 'winnfedd_ip' is now up
Tue Nov  5 18:51:17 2024 daemon.notice openvpn(winfedd)[2298]: net_route_v4_add: **.**.**.**/32 via 192.168.8.1 dev [NULL] table 0 metric -1
Tue Nov  5 18:51:17 2024 daemon.notice openvpn(winfedd)[2298]: net_route_v4_add: 0.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
Tue Nov  5 18:51:17 2024 daemon.notice openvpn(winfedd)[2298]: net_route_v4_add: 128.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
Tue Nov  5 18:51:17 2024 daemon.notice openvpn(winfedd)[2298]: Initialization Sequence Completed
Tue Nov  5 18:51:17 2024 daemon.notice openvpn(winfedd)[2298]: Data Channel: cipher 'AES-256-GCM', peer-id: 3
Tue Nov  5 18:51:17 2024 daemon.notice openvpn(winfedd)[2298]: Timers: ping 10, ping-restart 120
Tue Nov  5 18:51:17 2024 daemon.warn odhcpd[1408]: No default route present, overriding ra_lifetime to 0!
Tue Nov  5 18:51:18 2024 kern.err kernel: [   74.737809] xhci_hcd 0000:01:00.0: failed to load firmware renesas_usb_fw.mem: -145
Tue Nov  5 18:51:18 2024 kern.warn kernel: [   74.744129] xhci_hcd: probe of 0000:01:00.0 failed with error -145
Tue Nov  5 18:51:18 2024 user.info kernel: [   74.768102] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
Tue Nov  5 18:51:19 2024 user.notice firewall: Reloading firewall due to ifup of winnfedd_ip (tun0)
Tue Nov  5 18:51:20 2024 daemon.info procd: - init complete -
Tue Nov  5 18:56:01 2024 daemon.err uhttpd[1628]: [info] luci: accepted login on / for root from 192.168.8.105
Tue Nov  5 18:56:11 2024 daemon.warn odhcpd[1408]: No default route present, overriding ra_lifetime to 0!
Tue Nov  5 18:56:27 2024 daemon.warn odhcpd[1408]: No default route present, overriding ra_lifetime to 0!
Tue Nov  5 18:57:15 2024 daemon.info dnsmasq[1]: read /etc/hosts - 12 names
Tue Nov  5 18:57:15 2024 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 0 names
Tue Nov  5 18:57:15 2024 daemon.info dnsmasq[1]: read /tmp/hosts/odhcpd - 0 names
Tue Nov  5 19:03:39 2024 daemon.warn odhcpd[1408]: No default route present, overriding ra_lifetime to 0!
Tue Nov  5 19:12:00 2024 daemon.warn odhcpd[1408]: No default route present, overriding ra_lifetime to 0!
Tue Nov  5 19:16:29 2024 daemon.warn odhcpd[1408]: No default route present, overriding ra_lifetime to 0!
Tue Nov  5 19:19:27 2024 kern.info kernel: [ 1485.776023] gswip 1e108000.switch lan4: Link is Up - 1Gbps/Full - flow control off
Tue Nov  5 19:19:27 2024 kern.info kernel: [ 1485.782294] br-lan: port 4(lan4) entered blocking state
Tue Nov  5 19:19:27 2024 kern.info kernel: [ 1485.787505] br-lan: port 4(lan4) entered forwarding state
Tue Nov  5 19:19:27 2024 daemon.notice netifd: Network device 'lan4' link is up
Tue Nov  5 19:21:57 2024 kern.info kernel: [ 1636.574537] gswip 1e108000.switch lan4: Link is Down
Tue Nov  5 19:21:57 2024 kern.info kernel: [ 1636.578263] br-lan: port 4(lan4) entered disabled state
Tue Nov  5 19:21:57 2024 daemon.notice netifd: Network device 'lan4' link is down
Tue Nov  5 19:21:59 2024 kern.info kernel: [ 1638.644788] gswip 1e108000.switch lan4: Link is Up - 1Gbps/Full - flow control rx/tx
Tue Nov  5 19:21:59 2024 kern.info kernel: [ 1638.651240] br-lan: port 4(lan4) entered blocking state
Tue Nov  5 19:21:59 2024 kern.info kernel: [ 1638.656449] br-lan: port 4(lan4) entered forwarding state
Tue Nov  5 19:21:59 2024 daemon.notice netifd: Network device 'lan4' link is up
Tue Nov  5 19:22:05 2024 daemon.warn odhcpd[1408]: No default route present, overriding ra_lifetime to 0!
Tue Nov  5 19:23:24 2024 daemon.warn odhcpd[1408]: No default route present, overriding ra_lifetime to 0!
Tue Nov  5 19:25:11 2024 daemon.notice netifd: Network device 'lan4' link is down
Tue Nov  5 19:25:11 2024 kern.info kernel: [ 1830.012285] gswip 1e108000.switch lan4: Link is Down
Tue Nov  5 19:25:11 2024 kern.info kernel: [ 1830.016009] br-lan: port 4(lan4) entered disabled state
Tue Nov  5 19:27:17 2024 daemon.warn odhcpd[1408]: No default route present, overriding ra_lifetime to 0!
Tue Nov  5 19:32:27 2024 daemon.warn odhcpd[1408]: No default route present, overriding ra_lifetime to 0!
Tue Nov  5 19:32:56 2024 authpriv.info dropbear[4040]: Child connection from 192.168.8.105:63797
Tue Nov  5 19:33:03 2024 authpriv.notice dropbear[4040]: Password auth succeeded for 'root' from 192.168.8.105:63797
Tue Nov  5 19:40:30 2024 daemon.warn odhcpd[1408]: No default route present, overriding ra_lifetime to 0!
Tue Nov  5 19:46:58 2024 daemon.warn odhcpd[1408]: No default route present, overriding ra_lifetime to 0!
Tue Nov  5 19:51:15 2024 daemon.notice openvpn(winfedd)[2298]: TLS: soft reset sec=3600/3600 bytes=46812/-1 pkts=835/0
Tue Nov  5 19:51:15 2024 daemon.notice openvpn(winfedd)[2298]: VERIFY OK: depth=1, CN=ChangeMe
Tue Nov  5 19:51:15 2024 daemon.notice openvpn(winfedd)[2298]: VERIFY KU OK
Tue Nov  5 19:51:15 2024 daemon.notice openvpn(winfedd)[2298]: Validating certificate extended key usage
Tue Nov  5 19:51:15 2024 daemon.notice openvpn(winfedd)[2298]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Nov  5 19:51:15 2024 daemon.notice openvpn(winfedd)[2298]: VERIFY EKU OK
Tue Nov  5 19:51:15 2024 daemon.notice openvpn(winfedd)[2298]: VERIFY OK: depth=0, CN=server
Tue Nov  5 19:51:15 2024 daemon.notice openvpn(winfedd)[2298]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519

This doesn't appear to be your primary router, and based on the configuration you've shown, the devices on your network are very likely using the main router (192.168.8.1) as their gateway. They are not aware that 192.168.8.51 (the OpenWrt device) is a gateway with a VPN behind it, so their traffic never reaches the tunnel.

There are two ways to solve this:

  • instruct the devices to use the OpenWrt router as their gateway — either by setting their network configuration manually with 192.168.8.51 as the gateway, or by having the DHCP server hand out that gateway address via DHCP option 3.
  • configure the OpenWrt router so that its downstream (lan) network uses a subnet distinct from the upstream 192.168.8.0/24 network; it can then act as the gateway for that subnet and route it via the VPN.

I also see that the DHCP server is active on this device -- if there is another DHCP server on the same network (the main router, for example), one of them must be disabled.

