UPDATE: I think I have mostly solved the issue. It was to do with the way I was assigning static IPs to my users on OpenVPN. I was using a script file to do:
ifconfig-push 192.168.4.10 192.168.0.9
which I got from a guide on the interwebs, but I changed it to:
ifconfig-push 192.168.4.10 255.255.255.0
and now my router can see the internet, my clients get internet, and I can still ping the router from home.
The only problem left is I can't get to my router from the LAN, nor can I SSH into it. Well, maybe I will fix that; let's see.
Backstory: I am a network novice; however, the internet does work when the OpenVPN client is connected, until I changed the IP address of the LAN.
Basically I had a setup where the router was on IP 192.168.0.2, connecting to the VPN server over LTE and getting the VPN IP of 192.168.4.20.
The VPN is hosted on my home router, which has the IP of 192.168.1. I didn't think this should be an issue having both routers on the same network, as both routers are remote.
However, I wondered why I couldn't ping 192.168.4.1 from home, so I then decided maybe it's not a good idea having both routers on the same network address, so I changed the router with the OpenVPN client to 192.168.3.1 and suddenly I could ping it from home, so I thought I was done!
Until I then discovered there was no internet when connected to the router, and the router can't see the internet either. Strange: I can still ping the router from my home LAN, but nothing else goes in or out of the router?
OK, so the internet worked when the LAN was 192.168.0.2 and the home router was 192.168.0.1, but change the router to 192.168.3.1 and it's broken, so surely my issue has to be something to do with static routing?
However, I am a noob and I have no idea how to sort that, so if you can, please help!
I want to also mention the same VPN works fine on my Android phone, no issues; I can see all devices and get internet. OpenVPN is running on an Asus RT-AX88U.
Also, one strange thing to mention is that even when it was working, when the IP was 192.168.0.2, the VPN interface always showed RX of 0 but TX is always >1 on both IPs.
Also, FWIW, my WAN setup is: Router -> E3372 USB dongle with LTE. No wired devices connected, only WLAN (intended).
Also, I googled the crap out of this and found a lot of guides to setting up a VPN; most are similar, some conflicting (some say create a VPN zone, others just say attach the VPN to the WAN zone; some say to forward LAN to VPN, or just add tun0 to the WAN zone's covered devices). In the end I found what worked when the IP was 192.168.0.2: just adding the VPN interface to the WAN zone worked (until I changed the IP).
Some guides also said to go to your WAN interface and put in custom DNS, and others had guides for creating rules and port forwards and setting masquerade on the LAN zone.
I don't think it's DNS related, since I can't even ping by IP address.
The guide I followed in the end that worked (before I changed the IP) is here: https://www.youtube.com/watch?v=WRWZmcKejhg&t=571s&ab_channel=VanTechCorner
Also, the IP address of the USB dongle is 192.168.8.177/24
The IP address of the LAN is 192.168.3.1/24
IPv6 is enabled; maybe I should disable that?
Here is all my config:
OpenVPN profile:
remote xxx 1194
float
nobind
proto udp
dev tun
sndbuf 0
rcvbuf 0
keepalive 10 30
# for OpenVPN 2.4 or older
comp-lzo yes
# for OpenVPN 2.4 or newer
#compress lzo
auth-user-pass /etc/openvpn/xxxx.auth
client
auth SHA1
cipher AES-128-CBC
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
blah
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
blah
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
blah
-----END PRIVATE KEY-----
</key>
network:
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd64:3473:1860::/48'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config device
	option name 'eth0'
	option macaddr 'c2:3f:0e:77:3a:2a'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.3.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'
	option blinkrate '2'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5'

config switch_port
	option device 'switch0'
	option port '1'
	option led '6'

config switch_port
	option device 'switch0'
	option port '2'
	option led '9'

config switch_port
	option device 'switch0'
	option port '5'
	option led '2'

config interface 'lte'
	option proto 'dhcp'
	option device 'eth2'

config interface 'vpn'
	option proto 'dhcp'
	option device 'tun0'
firewall:
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'lte'
	list network 'vpn'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'
Hope you can help me! Thanks!
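Added worked example (not part of the post above, and not OpenWrt's own code): a small Python dry-run of the fw3 zone logic over an excerpt of the firewall config posted above, to see what that router does with traffic arriving on tun0. The UCI text embedded in the script is a constructed, trimmed copy of the post's /etc/config/firewall (zones, the one forwarding, and the IPv4 input rule that can match VPN traffic); rule matching is limited to the proto, dest_port, icmp_type, family and enabled selectors, which is enough for the rules shown. Because the 'vpn' network is listed in the 'wan' zone, an echo-request from the VPN side hits Allow-Ping, while anything else addressed to the router, SSH on 22 included, falls through to the zone's input REJECT, and traffic from tun0 towards lan has no forwarding entry at all.

```python
import shlex

# Constructed excerpt of the /etc/config/firewall posted above: both zones,
# the only forwarding, and the IPv4 input rule that can match traffic arriving
# on tun0 (logical network 'vpn', which the post lists in zone 'wan').
FIREWALL_UCI = """
config defaults
    option input 'ACCEPT'
    option forward 'REJECT'
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'
config zone
    option name 'wan'
    option input 'REJECT'
    option forward 'REJECT'
    option masq '1'
    list network 'lte'
    list network 'vpn'
config forwarding
    option src 'lan'
    option dest 'wan'
config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'
"""


def parse_uci(text):
    """Parse UCI text into a list of section dicts; 'list' keys become lists."""
    sections, cur = [], None
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        kw, args = parts[0], parts[1:]
        if kw == "config":
            cur = {"type": args[0]}
            sections.append(cur)
        elif kw == "option" and cur is not None:
            cur[args[0]] = args[1] if len(args) > 1 else ""
        elif kw == "list" and cur is not None:
            cur.setdefault(args[0], []).append(args[1])
    return sections


def _zone(sections, network):
    """Zone whose 'network' list covers the logical interface, or None."""
    for s in sections:
        if s["type"] == "zone" and network in s.get("network", []):
            return s
    return None


def _rule_matches(rule, proto, dport, icmp_type):
    """Evaluate the proto / dest_port / icmp_type / family / enabled selectors (IPv4 only)."""
    if rule.get("enabled", "1") in ("0", "false", "no") or rule.get("family") == "ipv6":
        return False
    if "proto" in rule and proto not in rule["proto"].split():
        return False
    if "dest_port" in rule:  # single port '68' or a range '33434:33689'
        lo, _, hi = rule["dest_port"].partition(":")
        if dport is None or not int(lo) <= dport <= int(hi or lo):
            return False
    if "icmp_type" in rule:  # fw3 accepts one 'option' or several 'list' entries
        types = rule["icmp_type"]
        if icmp_type not in (types if isinstance(types, list) else types.split()):
            return False
    return True


def input_verdict(sections, network, proto, dport=None, icmp_type=None):
    """Verdict for a packet arriving on `network` and addressed to the router itself.
    fw3 checks zone rules (src set, no dest) before the zone's input policy. Returns (target, reason)."""
    defaults = next(s for s in sections if s["type"] == "defaults")
    zone = _zone(sections, network)
    if zone is None:  # interface in no zone at all: defaults policy applies
        return defaults.get("input", "DROP"), "interface in no zone: defaults"
    for r in sections:
        if r["type"] == "rule" and r.get("src") == zone["name"] and "dest" not in r:
            if _rule_matches(r, proto, dport, icmp_type):
                return r["target"], r.get("name", "unnamed rule")
    return zone.get("input", defaults.get("input", "DROP")), "zone %s input policy" % zone["name"]


def forward_verdict(sections, src_network, dst_network):
    """Verdict for traffic routed from one interface to another. Returns (target, reason)."""
    defaults = next(s for s in sections if s["type"] == "defaults")
    src, dst = _zone(sections, src_network), _zone(sections, dst_network)
    if src is None or dst is None:
        return defaults.get("forward", "DROP"), "interface in no zone: defaults"
    for f in sections:
        if f["type"] == "forwarding" and f.get("src") == src["name"] and f.get("dest") == dst["name"]:
            return "ACCEPT", "forwarding %s -> %s" % (src["name"], dst["name"])
    if src is dst:  # both interfaces in one zone: that zone's own forward policy applies
        return src.get("forward", defaults["forward"]), "intra-zone policy of %s" % src["name"]
    return defaults.get("forward", "DROP"), "no forwarding %s -> %s" % (src["name"], dst["name"])
```

Usage: `fw = parse_uci(FIREWALL_UCI)`, then `input_verdict(fw, "vpn", "icmp", icmp_type="echo-request")` returns `('ACCEPT', 'Allow-Ping')` and `input_verdict(fw, "vpn", "tcp", dport=22)` returns `('REJECT', 'zone wan input policy')`, which is the ping-works-but-no-SSH pattern from the VPN side; `forward_verdict(fw, "vpn", "lan")` is REJECT for want of a wan-to-lan forwarding, while `forward_verdict(fw, "lan", "vpn")` is ACCEPT via the lan-to-wan forwarding. From a least-privilege standpoint, leaving tun0 in a REJECT zone is the safer default; if SSH from VPN peers is wanted, add one rule with `src 'wan'`, `proto 'tcp'`, `dest_port '22'` and, ideally, `src_ip` limited to the VPN subnet rather than moving tun0 into the lan zone.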