Hey everybody.
Everything works fine, but when I start the OpenVPN client connection (OpenWrt is the client), a second default route is created and there is no internet connection any more.
Below is the .ovpn file which I imported into the OpenWrt router:
# OpenVPN client profile as imported on the OpenWrt router. Certificates, key
# and server address are placeholders/redacted in this post.
# NOTE(review): this profile defines no redirect-gateway and no 0.0.0.0/1 route,
# so the tun0 routes with genmask 128.0.0.0 in the active-VPN routing table
# presumably come from options pushed by the server - confirm in the client log.
client
dev tun
proto udp
# Notify the server when the client exits (UDP has no connection teardown).
explicit-exit-notify
# Accept the server only if its certificate subject matches this DN.
verify-x509-name "C=NA, ST=NA, L=NA, O=NA, OU=NA, CN=Appliance_Certificate_HbOvZ5Gd7YZMGW3, emailAddress=na@example.com"
# Host route to the VPN server through the pre-VPN gateway, so the encrypted
# packets themselves are not sent into the tunnel.
route remote_host 255.255.255.255 net_gateway
resolv-retry infinite
nobind
persist-key
persist-tun
# Inline CA certificate used to validate the server certificate.
<ca>
-----BEGIN CERTIFICATE-----
Mblalba
-----END CERTIFICATE-----
</ca>
# Inline client certificate.
<cert>
-----BEGIN CERTIFICATE-----
blabla
-----END CERTIFICATE-----
</cert>
# Inline client private key. It is replaced by a placeholder here; the real
# profile contains the key in clear, so keep the file readable by root only
# and keep it out of posts and backups.
<key>
-----BEGIN RSA PRIVATE KEY-----
blala
-----END RSA PRIVATE KEY-----
</key>
# No file argument: username and password are requested interactively.
# NOTE(review): on a router this usually ends up as a credentials file stored
# in clear text - restrict its permissions.
auth-user-pass
# CBC data-channel cipher.
# NOTE(review): OpenVPN 2.4 and later can negotiate an AEAD cipher (AES-GCM)
# when both ends support it; the cipher actually used depends on the server.
cipher AES-128-CBC
# HMAC digest for authenticating data-channel packets.
auth SHA256
# LZO compression. Compression inside the tunnel is deprecated in current
# OpenVPN releases because compress-then-encrypt can leak information about
# the plaintext (VORACLE-style attacks). The setting has to match the server,
# so it can only be changed on both ends together.
comp-lzo yes
# Lines starting with ';' are comments to OpenVPN; these look like hints for
# the vendor's own client - presumably ignored here.
;can_save no
;otp no
;run_logon_script no
;auto_connect
# Wait 4 seconds after the connection is up before adding routes.
route-delay 4
verb 3
# Disables this side's time-based renegotiation of the data-channel key; the
# server's own reneg-sec still applies.
# NOTE(review): presumably set so that credentials are not requested again
# mid-session - confirm; with both sides at 0 the key lives until reconnect.
reneg-sec 0
# Server address is redacted; UDP port 4443.
remote XXX.XXX.XXX 4443
Route printout WITHOUT active VPN
root@GL-MIFI:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.152.107.37 0.0.0.0 UG 40 0 0 wwan0
10.22.1.0 * 255.255.255.0 U 0 0 0 br-lan
10.152.107.36 * 255.255.255.252 U 40 0 0 wwan0
172.25.254.0 * 255.255.255.224 U 0 0 0 br-lan
Route printout with active VPN
root@GL-MIFI:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default * 128.0.0.0 U 0 0 0 tun0
default 10.152.107.37 0.0.0.0 UG 40 0 0 wwan0
10.22.1.0 * 255.255.255.0 U 0 0 0 br-lan
10.152.107.36 * 255.255.255.252 U 40 0 0 wwan0
10.244.90.25 172.25.22.10 255.255.255.255 UGH 0 0 0 tun0
128.0.0.0 * 128.0.0.0 U 0 0 0 tun0
153.92.30.205 10.152.107.37 255.255.255.255 UGH 40 0 0 wwan0
172.25.22.0 * 255.255.255.0 U 0 0 0 tun0
172.25.254.0 * 255.255.255.224 U 0 0 0 br-lan
google Ping
root@GL-MIFI:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
^C
google Ping with iface
root@GL-MIFI:~# ping -I wwan0 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=112 time=37.585 ms
64 bytes from 8.8.8.8: seq=1 ttl=112 time=44.937 ms
64 bytes from 8.8.8.8: seq=2 ttl=112 time=35.534 ms
64 bytes from 8.8.8.8: seq=3 ttl=112 time=35.517 ms
network config
root@GL-MIFI:~# cat /etc/config/network
# /etc/config/network as posted (indentation was lost in the paste).
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fddb:0bc4:69b1::/48'
# LAN bridge (br-lan) on eth1 with static address 10.22.1.4/24.
config interface 'lan'
option type 'bridge'
option ifname 'eth1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option hostname 'GL-MIFI-257'
option ipaddr '10.22.1.4'
# Wired WAN on eth0 via DHCP; no eth0 route appears in the posted routing tables.
config interface 'wan'
option ifname 'eth0'
option proto 'dhcp'
option hostname 'GL-MIFI-257'
config interface 'wan6'
option ifname 'eth0'
option proto 'dhcpv6'
option disabled '1'
# Guest bridge with its own /24.
config interface 'guest'
option ifname 'guest'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.9.1'
option netmask '255.255.255.0'
option ip6assign '60'
# LTE modem (QMI) on wwan0. metric '40' matches the metric of the wwan0
# default route in the routing tables above.
# NOTE(review): username/password look like the carrier's generic APN
# credentials rather than a personal secret - confirm before publishing.
config interface 'modem_1_1_2'
option ifname 'wwan0'
option service 'umts'
option apn 'internet.telekom'
option proto 'qmi'
option device '/dev/cdc-wdm0'
option node '1-1.2:1.4'
option username 't-mobile'
option password 'tm'
option auth 'PAP'
option metric '40'
option disabled '0'
# NOTE(review): empty section; 'redirect' is a firewall section type, so this
# looks like a stray entry in the network file - verify and remove if unused.
config redirect
# Second static address (172.25.254.2/27) on the existing br-lan device.
config interface 'LTE_Backup'
option ifname 'br-lan'
option proto 'static'
option ipaddr '172.25.254.2'
option netmask '255.255.255.224'
# Unmanaged interface for the OpenVPN tun device; the firewall zone 'ovpn'
# refers to it through "option network 'ovpn'".
config interface 'ovpn'
option ifname 'tun0'
option proto 'none'
firewall config
root@GL-MIFI:~# cat /etc/config/firewall
# Default policies for traffic that is not matched by any zone.
# input 'ACCEPT' here means an interface that is not assigned to a zone can
# reach services on the router itself; every interface that should be
# filtered has to be listed in a zone below.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# LAN zone: everything from the LAN is accepted.
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# WAN zone: covers wan, wan6 and the LTE modem interface. Inbound and
# forwarded traffic is rejected, outbound traffic is masqueraded.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6 modem_1_1_2'
# lan -> wan forwarding is switched off (enabled '0'). Together with the
# lan -> ovpn forwarding at the end of this file, LAN clients can only leave
# through the tunnel.
config forwarding
option src 'lan'
option dest 'wan'
option enabled '0'
# Exceptions to the wan zone's input/forward REJECT policy. Rules without
# 'dest' apply to traffic addressed to the router itself.
# DHCP replies to the router's own DHCP client.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# The router answers ICMP echo requests arriving from the wan zone, which
# includes the LTE interface.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# Multicast Listener Discovery from link-local sources.
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 to the router, rate-limited to 1000 packets per second.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 forwarded from wan to any zone, same rate limit.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# The next two rules forward inbound IPsec (ESP and UDP 500) from wan to lan.
# NOTE(review): if no IPsec endpoint sits behind this router they can be
# removed to reduce what the wan side can reach.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Extra scripts that are run when the firewall is (re)loaded. Their contents
# are not shown in this post, so the effective ruleset can contain rules that
# do not appear in this file; review the live ruleset as well.
config include
option path '/etc/firewall.user'
option reload '1'
config include 'gls2s'
option type 'script'
option path '/var/etc/gls2s.include'
option reload '1'
config include 'glfw'
option type 'script'
option path '/usr/bin/glfw.sh'
option reload '1'
config include 'glqos'
option type 'script'
option path '/usr/sbin/glqos.sh'
option reload '1'
# Guest zone: nothing from guests reaches the router except the DHCP and DNS
# exceptions below.
config zone 'guestzone'
option name 'guestzone'
option network 'guest'
option forward 'REJECT'
option output 'ACCEPT'
option input 'REJECT'
# guest -> wan forwarding is switched off (enabled '0'); a guestzone -> ovpn
# forwarding exists at the end of this file.
config forwarding 'guestzone_fwd'
option src 'guestzone'
option dest 'wan'
option enabled '0'
config rule 'guestzone_dhcp'
option name 'guestzone_DHCP'
option src 'guestzone'
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'
config rule 'guestzone_dns'
option name 'guestzone_DNS'
option src 'guestzone'
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
# SMB/NetBIOS ports on the router: dropped from wan, accepted from lan.
# NOTE(review): 'dest_proto' is not an option name I recognise from the
# OpenWrt firewall documentation (the documented option is 'proto') - verify
# that these rules match the intended protocols.
config rule 'sambasharewan'
option src 'wan'
option dest_port '137 138 139 445'
option dest_proto 'tcpudp'
option target 'DROP'
config rule 'sambasharelan'
option src 'lan'
option dest_port '137 138 139 445'
option dest_proto 'tcpudp'
option target 'ACCEPT'
# Port forwards (DNAT) from the VPN zone to hosts on the LAN. Going by their
# names these expose management interfaces to the VPN side.
# None of them sets 'src_ip', so any host that can reach the router through
# the tunnel can use them; restricting 'src_ip' to the expected admin hosts
# would narrow that.
# NOTE(review): proto 'tcp udp' also forwards UDP; presumably only TCP is
# needed for these web interfaces - confirm.
# NOTE(review): 'option gl' looks like a vendor-specific marker.
# Tunnel port 1443 -> XX.XX.XX.3:443
config redirect
option target 'DNAT'
option name 'ILO'
option src 'ovpn'
option dest 'lan'
option proto 'tcp udp'
option src_dport '1443'
option dest_ip 'XX.XX.XX.3'
option dest_port '443'
option enabled '1'
option gl '1'
# Tunnel port 443 -> XX.XX.XX.2:443
config redirect
option target 'DNAT'
option name 'ESX'
option src 'ovpn'
option dest 'lan'
option proto 'tcp udp'
option src_dport '443'
option dest_ip 'XX.XX.XX.2'
option dest_port '443'
option enabled '1'
option gl '1'
# Tunnel port 4444 -> XX.XX.XX.1:4444
config redirect
option target 'DNAT'
option name 'FIREWALL'
option src 'ovpn'
option dest 'lan'
option proto 'tcp udp'
option src_dport '4444'
option dest_ip 'XX.XX.XX.1'
option dest_port '4444'
option enabled '1'
option gl '1'
# Tunnel port 80 -> XX.XX.XX.4:80
# NOTE(review): port 80 is presumably unencrypted HTTP; inside the tunnel it
# is protected, but on the LAN side it is not - confirm.
config redirect
option target 'DNAT'
option name 'ROUTER'
option src 'ovpn'
option dest 'lan'
option proto 'tcp udp'
option src_dport '80'
option dest_ip 'XX.XX.XX.4'
option dest_port '80'
option enabled '1'
option gl '1'
# Source NAT to XX.XX.XX.4 for all protocols on the 'lan' zone.
# NOTE(review): no src_ip/dest_ip match is given, so this applies broadly -
# confirm that is intended.
config nat
option src 'lan'
option name 'SNAT'
option target 'SNAT'
option snat_ip 'XX.XX.XX.4'
list proto 'all'
# Zone for the OpenVPN tunnel (zone name 'ovpn', bound to the 'ovpn' network
# interface, i.e. tun0 in the network config).
# input 'DROP' / forward 'REJECT': hosts on the VPN side cannot open
# connections to the router or through it, except via the DNAT redirects with
# src 'ovpn' defined earlier in this file.
# masq '1': traffic leaving through the tunnel is masqueraded.
config zone 'vpn_zone'
option name 'ovpn'
option input 'DROP'
option forward 'REJECT'
option output 'ACCEPT'
option network 'ovpn'
option masq '1'
option mtu_fix '1'
option masq6 '1'
# LAN and guest clients are allowed out through the tunnel. Their forwardings
# to 'wan' are disabled earlier in this file, so the tunnel is their only
# way out.
config forwarding 'forwarding_vpn1'
option dest 'ovpn'
option src 'lan'
config forwarding 'forwarding_guest_ovpn'
option dest 'ovpn'
option src 'guestzone'
Adding route-noexec and route-nopull didn't work.
Please help me...
Thank you