Openvpn only internet access no udp or tcp

moamo67 · July 17, 2020, 8:57pm

hello all !

i have some problem with new update of openvpen , i use this script for the route of vpn for my lan2

but i get only web connexion , on my sony playstation psn not working ( udp ) , on my smartphone with nordvpn and hot spot wifi its working

#!/bin/sh
echo "$dev : $ifconfig_local -> $ifconfig_remote gw: $route_vpn_gateway"
# Remove default routes pushed by VPN server (we don't want to route # all network traffic through the VPN gateway)
/sbin/ip route del 128.0.0.0/1 via ${route_vpn_gateway}
/sbin/ip route del 0.0.0.0/1 via ${route_vpn_gateway}
# Search route for traffic coming from 192.168.0.4/24 in table 'vpn' # (unicast: This rule type simple causes the kernel to refer to the # specified routing table in the search for a route.)
/sbin/ip rule add from 192.168.4.0/24 table vpn
# Search route for traffic going to 192.168.0.4/24 in table 'vpn'
/sbin/ip rule add to 192.168.4.0/24 table vpn
# Use 'vpn' table as default for tun0
/sbin/ip route add table vpn default dev ${dev}
# Route traffic from/to 192.168.4.0/24 on br-lan2 using the 'vpn'.  # table. (192.168.4.1 is the source address for outgoing packets)
/sbin/ip route add 192.168.4.0/24 dev br-LAN2 src 192.168.4.1 table vpn

moamo67 · July 17, 2020, 8:57pm

trendy · July 18, 2020, 7:53pm

FIrst of all I would recommend you to install VPN-PBR.
If you still insist on doing things manually, at least do them properly using rules, routes and ignore the default gateway.

moamo67 · July 19, 2020, 1:55am

hello thanks for you reply .
i installed vpn pbr and the playstation are connected without vlan to vpn .

but still same problem : Internet , okay , playstation network udp NOT OKAY

with my phone and vpn , wifi hotspot its good but not with openwrt why ?

trendy · July 19, 2020, 4:39am

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
uci export vpn-policy-routing; iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*

moamo67 · July 19, 2020, 12:45pm

**ubus call system board ;** 

"kernel": "5.4.52",
	"hostname": "OpenWrt",
	"model": "Raspberry Pi 4 Model B Rev 1.1",
	"board_name": "raspberrypi,4-model-b",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"revision": "r13880-b78a266888",
		"target": "bcm27xx/bcm2711",
		"description": "OpenWrt SNAPSHOT r13880-b78a266888"

**uci export network; uci export wireless; \**



package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd4b:2bea:030f:fcc8::/64'

config interface 'wan'
	option ifname 'eth0.836'
	option proto 'dhcpv6'
	option macaddr '34:**:**:**:fd:9c'

config interface 'lan'
	option ifname 'eth1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option type 'bridge'
	option ip6assign '64'

config interface 'vpn'
	option proto 'none'
	option ifname 'tun0'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
	option hwmode '11g'
	option channel 'auto'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
	option network 'lan'

**uci export dhcp; uci export firewall;**

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option start '2'
	option limit '50'
	option leasetime '60d'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config domain
	option name 'Sony_andoid'
	option ip '192.168.1.6'

config domain
	option name 'chauffage'
	option ip '192.168.1.243'

config domain
	option name 'ps3'
	option ip '192.168.1.12'

config dhcp 'wifi'
	option interface 'wifi'
	option start '2'
	option limit '100'
	option leasetime '30d'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 vpn'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config include 'bcp38'
	option type 'script'
	option path '/usr/lib/bcp38/run.sh'
	option family 'IPv4'
	option reload '1'

**head -n -0 /etc/firewall.user;** 

 iptables -I OUTPUT -p tcp --dport 80 --tcp-flags RST RST -j DROP
 iptables -I OUTPUT -p tcp --dport 80 --tcp-flags RST ACK -j DROP

moamo67 · July 19, 2020, 12:52pm

*uci export vpn-policy-routing; iptables-save -c; *

package vpn-policy-routing

config vpn-policy-routing 'config'
	option verbosity '2'
	option strict_enforcement '1'
	option dest_ipset 'dnsmasq.ipset'
	option ipv6_enabled '0'
	option boot_timeout '30'
	option iptables_rule_option 'append'
	option iprule_enabled '0'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	option webui_protocol_column '1'
	option webui_enable_column '1'
	option src_ipset '1'
	option webui_chain_column '1'
	option enabled '1'
	list supported_interface 'tun0'

config include
	option path '/etc/vpn-policy-routing.netflix.user'
	option enabled '0'

config include
	option path '/etc/vpn-policy-routing.aws.user'
	option enabled '0'

config policy
	option name 'ps3'
	option src_addr '192.168.1.12'
	option interface 'vpn'

config policy
	option name 'pc'
	option src_addr '192.168.1.40'
	option interface 'vpn'

# Generated by iptables-save v1.8.4 on Sun Jul 19 12:43:41 2020
*nat
:PREROUTING ACCEPT [325:21752]
:INPUT ACCEPT [169:12278]
:OUTPUT ACCEPT [96:7768]
:POSTROUTING ACCEPT [8:1080]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[325:21752] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[210:15534] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i eth0.836 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_wan_prerouting
[115:6218] -A PREROUTING -i map-wan_4 -m comment --comment "!fw3" -j zone_wan_prerouting
[227:14784] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o map-wan_4 -p icmp -m comment --comment "!fw3: ubus:wan_4[map] nat 0" -j SNAT --to-source 91.***.***.142:1-16383
[111:4612] -A POSTROUTING -o map-wan_4 -p tcp -m comment --comment "!fw3: ubus:wan_4[map] nat 1" -j SNAT --to-source 91.***.***.142:1-16383
[88:6688] -A POSTROUTING -o map-wan_4 -p udp -m comment --comment "!fw3: ubus:wan_4[map] nat 2" -j SNAT --to-source 91.***.***.142:1-16383
[2:468] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o eth0.836 -m comment --comment "!fw3" -j zone_wan_postrouting
[20:2404] -A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o map-wan_4 -m comment --comment "!fw3" -j zone_wan_postrouting
[2:468] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[210:15534] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[20:2404] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[20:2404] -A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
[20:2404] -A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
[20:2404] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[115:6218] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[115:6218] -A zone_wan_prerouting -j MINIUPNPD
[115:6218] -A zone_wan_prerouting -j MINIUPNPD
COMMIT
# Completed on Sun Jul 19 12:43:41 2020
# Generated by iptables-save v1.8.4 on Sun Jul 19 12:43:41 2020
*raw
:PREROUTING ACCEPT [2997:1000549]
:OUTPUT ACCEPT [2862:1609316]
:zone_lan_helper - [0:0]
[1783:321141] -A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
COMMIT
# Completed on Sun Jul 19 12:43:41 2020
# Generated by iptables-save v1.8.4 on Sun Jul 19 12:43:41 2020
*mangle
:PREROUTING ACCEPT [2995:999757]
:INPUT ACCEPT [2165:625157]
:FORWARD ACCEPT [810:373960]
:OUTPUT ACCEPT [2859:1609022]
:POSTROUTING ACCEPT [3673:1983062]
:VPR_FORWARD - [0:0]
:VPR_INPUT - [0:0]
:VPR_OUTPUT - [0:0]
:VPR_PREROUTING - [0:0]
[3000:1000705] -A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
[1022:484057] -A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
[0:0] -A FORWARD -o eth0.836 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[17:1020] -A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o map-wan_4 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[438:316711] -A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
[2861:1609186] -A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
[0:0] -A VPR_FORWARD -m set --match-set vpn dst -j MARK --set-xmark 0x20000/0xff0000
[0:0] -A VPR_FORWARD -m set --match-set wan dst -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPR_INPUT -m set --match-set vpn dst -j MARK --set-xmark 0x20000/0xff0000
[0:0] -A VPR_INPUT -m set --match-set wan dst -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPR_OUTPUT -m set --match-set vpn dst -j MARK --set-xmark 0x20000/0xff0000
[0:0] -A VPR_OUTPUT -m set --match-set wan dst -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPR_PREROUTING -m set --match-set vpn_mac src -j MARK --set-xmark 0x20000/0xff0000
[1540:199937] -A VPR_PREROUTING -m set --match-set vpn_ip src -j MARK --set-xmark 0x20000/0xff0000
[0:0] -A VPR_PREROUTING -m set --match-set vpn dst -j MARK --set-xmark 0x20000/0xff0000
[0:0] -A VPR_PREROUTING -m set --match-set wan_mac src -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPR_PREROUTING -m set --match-set wan_ip src -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPR_PREROUTING -m set --match-set wan dst -j MARK --set-xmark 0x10000/0xff0000
COMMIT
# Completed on Sun Jul 19 12:43:41 2020
# Generated by iptables-save v1.8.4 on Sun Jul 19 12:43:41 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[72:7121] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[2110:619460] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[1371:462688] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[573:148274] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i eth0.836 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_wan_input
[166:8498] -A INPUT -i map-wan_4 -m comment --comment "!fw3" -j zone_wan_input
[812:374212] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[791:371596] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[21:2616] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.836 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i map-wan_4 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -p tcp -m tcp --dport 80 --tcp-flags RST ACK -j DROP
[0:0] -A OUTPUT -p tcp -m tcp --dport 80 --tcp-flags RST RST -j DROP
[72:7121] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[2806:1606107] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[1558:1045075] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1154:554104] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o eth0.836 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_wan_output
[94:6928] -A OUTPUT -o map-wan_4 -m comment --comment "!fw3" -j zone_wan_output
[161:7200] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[5:1298] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[1154:554104] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[21:2616] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[21:2616] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[573:148274] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[573:148274] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[1154:554104] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[1154:554104] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[573:148274] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.836 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth0.836 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[20:2404] -A zone_wan_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
[6:240] -A zone_wan_dest_ACCEPT -o map-wan_4 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[89:6900] -A zone_wan_dest_ACCEPT -o map-wan_4 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.836 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o map-wan_4 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -j MINIUPNPD
[0:0] -A zone_wan_forward -j MINIUPNPD
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[166:8498] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[166:8498] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[94:6928] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[94:6928] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth0.836 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i tun0 -m comment --comment "!fw3" -j reject
[166:8498] -A zone_wan_src_REJECT -i map-wan_4 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sun Jul 19 12:43:41 2020
root@OpenWrt:~# uci export vpn-policy-routing; iptables-save -c;
package vpn-policy-routing

config vpn-policy-routing 'config'
	option verbosity '2'
	option strict_enforcement '1'
	option dest_ipset 'dnsmasq.ipset'
	option ipv6_enabled '0'
	option boot_timeout '30'
	option iptables_rule_option 'append'
	option iprule_enabled '0'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	option webui_protocol_column '1'
	option webui_enable_column '1'
	option src_ipset '1'
	option webui_chain_column '1'
	option enabled '1'
	list supported_interface 'tun0'

config include
	option path '/etc/vpn-policy-routing.netflix.user'
	option enabled '0'

config include
	option path '/etc/vpn-policy-routing.aws.user'
	option enabled '0'

config policy
	option name 'ps3'
	option src_addr '192.168.1.12'
	option interface 'vpn'

config policy
	option name 'pc'
	option src_addr '192.168.1.40'
	option interface 'vpn'

# Generated by iptables-save v1.8.4 on Sun Jul 19 12:46:27 2020
*nat
:PREROUTING ACCEPT [356:23517]
:INPUT ACCEPT [181:13303]
:OUTPUT ACCEPT [103:8342]
:POSTROUTING ACCEPT [9:1198]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[356:23517] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[226:16687] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i eth0.836 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_wan_prerouting
[130:6830] -A PREROUTING -i map-wan_4 -m comment --comment "!fw3" -j zone_wan_prerouting
[249:15958] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o map-wan_4 -p icmp -m comment --comment "!fw3: ubus:wan_4[map] nat 0" -j SNAT --to-source 91.***.***.142:1-16383
[126:5212] -A POSTROUTING -o map-wan_4 -p tcp -m comment --comment "!fw3: ubus:wan_4[map] nat 1" -j SNAT --to-source 91.***.***.142:1-16383
[94:7144] -A POSTROUTING -o map-wan_4 -p udp -m comment --comment "!fw3: ubus:wan_4[map] nat 2" -j SNAT --to-source 91.***.***.142:1-16383
[2:468] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o eth0.836 -m comment --comment "!fw3" -j zone_wan_postrouting
[20:2404] -A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o map-wan_4 -m comment --comment "!fw3" -j zone_wan_postrouting
[2:468] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[226:16687] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[20:2404] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[20:2404] -A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
[20:2404] -A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
[20:2404] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[130:6830] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[130:6830] -A zone_wan_prerouting -j MINIUPNPD
[130:6830] -A zone_wan_prerouting -j MINIUPNPD
COMMIT
# Completed on Sun Jul 19 12:46:27 2020
# Generated by iptables-save v1.8.4 on Sun Jul 19 12:46:27 2020
*raw
:PREROUTING ACCEPT [3180:1032023]
:OUTPUT ACCEPT [3123:1713424]
:zone_lan_helper - [0:0]
[1925:349733] -A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
COMMIT
# Completed on Sun Jul 19 12:46:27 2020
# Generated by iptables-save v1.8.4 on Sun Jul 19 12:46:27 2020
*mangle
:PREROUTING ACCEPT [3177:1031179]
:INPUT ACCEPT [2343:656451]
:FORWARD ACCEPT [810:373960]
:OUTPUT ACCEPT [3121:1713506]
:POSTROUTING ACCEPT [3936:2087234]
:VPR_FORWARD - [0:0]
:VPR_INPUT - [0:0]
:VPR_OUTPUT - [0:0]
:VPR_PREROUTING - [0:0]
[3182:1032127] -A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
[1097:502997] -A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
[0:0] -A FORWARD -o eth0.836 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[17:1020] -A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o map-wan_4 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[438:316711] -A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
[3123:1713670] -A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
[0:0] -A VPR_FORWARD -m set --match-set vpn dst -j MARK --set-xmark 0x20000/0xff0000
[0:0] -A VPR_FORWARD -m set --match-set wan dst -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPR_INPUT -m set --match-set vpn dst -j MARK --set-xmark 0x20000/0xff0000
[0:0] -A VPR_INPUT -m set --match-set wan dst -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPR_OUTPUT -m set --match-set vpn dst -j MARK --set-xmark 0x20000/0xff0000
[0:0] -A VPR_OUTPUT -m set --match-set wan dst -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPR_PREROUTING -m set --match-set vpn_mac src -j MARK --set-xmark 0x20000/0xff0000
[1647:212419] -A VPR_PREROUTING -m set --match-set vpn_ip src -j MARK --set-xmark 0x20000/0xff0000
[0:0] -A VPR_PREROUTING -m set --match-set vpn dst -j MARK --set-xmark 0x20000/0xff0000
[0:0] -A VPR_PREROUTING -m set --match-set wan_mac src -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPR_PREROUTING -m set --match-set wan_ip src -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPR_PREROUTING -m set --match-set wan dst -j MARK --set-xmark 0x10000/0xff0000
COMMIT
# Completed on Sun Jul 19 12:46:27 2020
# Generated by iptables-save v1.8.4 on Sun Jul 19 12:46:27 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[86:8644] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[2275:649283] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[1460:473552] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[630:166461] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i eth0.836 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_wan_input
[185:9270] -A INPUT -i map-wan_4 -m comment --comment "!fw3" -j zone_wan_input
[812:374212] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[791:371596] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[21:2616] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.836 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i map-wan_4 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -p tcp -m tcp --dport 80 --tcp-flags RST ACK -j DROP
[0:0] -A OUTPUT -p tcp -m tcp --dport 80 --tcp-flags RST RST -j DROP
[86:8644] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[3053:1708740] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[1667:1084258] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1286:617098] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o eth0.836 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_wan_output
[100:7384] -A OUTPUT -o map-wan_4 -m comment --comment "!fw3" -j zone_wan_output
[180:7972] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[5:1298] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[1286:617098] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[21:2616] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[21:2616] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[630:166461] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[630:166461] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[1286:617098] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[1286:617098] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[630:166461] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.836 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth0.836 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[20:2404] -A zone_wan_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
[6:240] -A zone_wan_dest_ACCEPT -o map-wan_4 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[95:7356] -A zone_wan_dest_ACCEPT -o map-wan_4 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.836 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o map-wan_4 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -j MINIUPNPD
[0:0] -A zone_wan_forward -j MINIUPNPD
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[185:9270] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[185:9270] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[100:7384] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[100:7384] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth0.836 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i tun0 -m comment --comment "!fw3" -j reject
[185:9270] -A zone_wan_src_REJECT -i map-wan_4 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sun Jul 19 12:46:27 2020
root@OpenWrt:~#

*ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; *

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
8: map-wan_4@eth0.836: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 91.***.***.142/32 brd 255.255.255.255 scope global map-wan_4
       valid_lft forever preferred_lft forever
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.8.3.4/24 brd 10.8.3.255 scope global tun0
       valid_lft forever preferred_lft forever
unreachable default table 201 
default via 10.8.3.4 dev tun0 table 202 
default dev map-wan_4 proto static scope link 
10.8.3.0/24 dev tun0 proto kernel scope link src 10.8.3.4 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
broadcast 10.8.3.0 dev tun0 table local proto kernel scope link src 10.8.3.4 
local 10.8.3.4 dev tun0 table local proto kernel scope host src 10.8.3.4 
broadcast 10.8.3.255 dev tun0 table local proto kernel scope link src 10.8.3.4 
local 91.***.***.142 dev map-wan_4 table local proto kernel scope host src 91.***.***.142 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1 
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1 
0:	from all lookup local
32762:	from all fwmark 0x20000/0xff0000 lookup 202
32763:	from all fwmark 0x10000/0xff0000 lookup 201
32766:	from all lookup main
32767:	from all lookup default
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
8: map-wan_4@eth0.836: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 91.***.***.142/32 brd 255.255.255.255 scope global map-wan_4
       valid_lft forever preferred_lft forever
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.8.3.4/24 brd 10.8.3.255 scope global tun0
       valid_lft forever preferred_lft forever
unreachable default table 201 
default via 10.8.3.4 dev tun0 table 202 
default dev map-wan_4 proto static scope link 
10.8.3.0/24 dev tun0 proto kernel scope link src 10.8.3.4 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
broadcast 10.8.3.0 dev tun0 table local proto kernel scope link src 10.8.3.4 
local 10.8.3.4 dev tun0 table local proto kernel scope host src 10.8.3.4 
broadcast 10.8.3.255 dev tun0 table local proto kernel scope link src 10.8.3.4 
local 91.***.***.142 dev map-wan_4 table local proto kernel scope host src 91.***.***.142 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1 
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1 
0:	from all lookup local
32762:	from all fwmark 0x20000/0xff0000 lookup 202
32763:	from all fwmark 0x10000/0xff0000 lookup 201
32766:	from all lookup main
32767:	from all lookup default

ls -l /etc/resolv. /tmp/resolv.; head -n -0 /etc/resolv. /tmp/resolv.**


lrwxrwxrwx    1 root     root            16 Jul 17 10:14 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Jul 19 12:20 /tmp/resolv.conf

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root            62 Jul 19 12:20 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

trendy · July 21, 2020, 7:46am

Here is one problem, why everything other than vpn is not working. For some reason the VPN-PBR is not able to detect the gateway of the wan interface. Since your wan interface is in fact an IPv6 interface, I suspect that you have some weird transition mechanism for IPv6 from your provider, like DS-lite.

moamo67 · July 22, 2020, 1:45am

hello im behind a ipv6 tun with ipv4 like ds-lite

YESS



Protocole: Client DHCPv6
Temps de service: 0h 14m 24s
MAC: 34:2xxxxx9:FD:9C
Reçu: 167.59 MB (43812 Pqts.)
Transmis: 6.82 MB (53241 Pqts.)
IPv6: xxxxxxxxxxx36:7cbd::39/128
IPv6-PD: 2axxxxxxxxx2380::/60

WAN6_4

Type: Interface du tunnel
Appareil: map-wan6_4
Connecté: Oui
Reçu: 42.07 MB (6094 Pqts.)
Transmis: 675.56 KB (10536 Pqts.)

map-wan6_4
Protocole: Interface dynamique virtuelle (MAP / LW4over6)
Temps de service: 0h 11m 47s
***IPv4: 91.xxxxxx.142/32***    

WAN6_4_

Type: VLAN logiciel
Appareil: eth1.836
Connecté: Oui
MAC: 34:xxxx:39:FD:9C
Reçu: 167.29 MB (43368 Pqts.)
Transmis: 6.67 MB (52799 Pqts.)

eth1.836
Protocole: Interface dynamique virtuelle (Adresse statique)
Temps de service: 0h 11m 47s
IPv6: 2xxxxxxxxxxxx80:0:5ba2:c88e:0/128

the public 91.1....... its my old ip from that isp :s .......... my new ip is on fullstack now 84.65...... but no 84.65.

trendy · July 22, 2020, 6:44am

I don't know how you can configure routes with DS-Lite, since there is no default gateway.
So I suggest that you ignore the default gateway from the vpn (explained in my first post) and only add rules and routes in a vpn table for the traffic which should go to the vpn.

moamo67 · July 22, 2020, 1:37pm

i perfomed u advise and is good now for some openvpn server of nordvpn . on some server nordvpn i cant get a connectivity on psn service of sony (internet ok xbox ok ), on same server with android hotspot its ok on psn sony all is good.
on openvpn openwrt its wroking only on 6/32 server of nordvpn what ?

with pbr its working but with time i get a disconnection of psn sony

trendy · July 22, 2020, 2:52pm

It sounds like problems connected to PSN and VPN provider. I am afraid OpenWrt cannot do much here.

vgaetera · July 22, 2020, 3:37pm

You may need to limit the server address and the protocol which the tunnel is built over with remote host port {tcp4|tcp6|udp4|udp6} in the VPN client configuration, as the servers may have different connectivity for IPv4 and IPv6 protocols.
If the VPN tunnel provides dual-stack connectivity, you may need to set up NAT6 to allow the LAN clients utilize IPv6 over the tunnel.
In addition, you probably need to make sure the LAN clients use DNS over VPN, otherwise this may lead to some unexpected results, e.g. DNS leak, geolocation leak, partial connectivity loss due to incorrect DNS replies, etc.

moamo67 · July 23, 2020, 3:46pm

im trying with udp4 connected but no connectiong to psn , with udp6 error of nam ip server .. , netxt im trying nat6 and nat4 .. thanks