Hi,
I need some help, as the issue I'm experiencing is driving me mad.
The router with OpenWRT 18.06.0 I have is in the LAN behind a VDSL modem connected to the WAN port. Historically the WAN network was bridged with WiFi and used as the actual home LAN, whereas the LAN ports were used as another network for some other purposes. I wanted to clean up my config a bit and reconfigured it to be as it normally is - WAN for WAN and LAN bridged with WiFi for local home access. All works fine apart from OpenVPN, which is not NAT'ed although the setting tells it to be (I checked with tcpdump - on eth0.1 the traffic goes out with the internal OpenVPN addressing).
I hate erasing the configuration and starting from scratch, as I need to understand the problem, at least for educational purposes.
IMHO the config looks OK, so either there is some obvious mistake which I can't spot or some rubbish leftovers in some file which I haven't found.
Please see it below (problem with vpn0):
root@owrt:~# cat /etc/config/network
# /etc/config/network as pasted in the post: interfaces, switch VLANs and one static route.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fde2:4964:533a::/48'
# lan: static 192.168.1.30/24 on a bridge of the LAN switch VLAN (eth0.1), the
# OpenVPN tap device (tap0) and WiFi (radio1); default gateway is 192.168.1.1
# (the VDSL modem, presumably), DNS points at the router itself.
config interface 'lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option gateway '192.168.1.1'
option broadcast '192.168.1.255'
option ipaddr '192.168.1.30'
option type 'bridge'
option ifname 'eth0.1 tap0 radio1'
option dns '192.168.1.30'
# wan: DHCP client on switch VLAN 2 (eth0.2).
config interface 'wan'
option proto 'dhcp'
option ifname 'eth0.2'
# switch0: VLAN 1 = CPU port 0 (tagged) + ports 2-5 -> eth0.1 (LAN),
#          VLAN 2 = CPU port 0 (tagged) + port 1   -> eth0.2 (WAN).
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '0t 2 3 4 5'
config switch_vlan
option device 'switch0'
option vlan '2'
option vid '2'
option ports '0t 1'
# vpn0: wrapper for the routed OpenVPN instance's tun device (presumably tun0,
# created by 'dev tun' in /etc/config/openvpn) so the firewall can place it in
# its own zone; proto none = netifd does no address management on it.
config interface 'vpn0'
option ifname 'tun0'
option proto 'none'
option auto '1'
# vpn1: wrapper for tap0; the device itself is already a member of the lan bridge above.
config interface 'vpn1'
option proto 'none'
option ifname 'tap0'
option auto '1'
# static route: 10.8.1.0/24 via 192.168.1.23 on lan.
# NOTE(review): 192.168.1.23 is not an address of this router — presumably another
# VPN endpoint on the LAN; confirm it is still needed after the re-layout.
config route
option interface 'lan'
option target '10.8.1.0'
option netmask '255.255.255.0'
option gateway '192.168.1.23'
root@owrt:~# cat /etc/config/firewall
# /etc/config/firewall as pasted in the post.
# The first rules (Allow-DHCP-Renew .. Allow-ICMPv6-Forward) look like the stock
# OpenWrt defaults; the zones and forwardings at the end are the interesting part.
config rule
option name 'Allow-DHCP-Renew'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
option src 'lan'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Two wan->lan forward rules (ESP, and udp/500 = IKE): both disabled via enabled '0',
# so they contribute nothing to the current ruleset — leftovers from an IPsec setup, presumably.
config rule
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
option enabled '0'
config rule
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option enabled '0'
# MQTT: accept tcp/1883 from the lan zone into the router (no dest = input rule).
# NOTE(review): the lan zone below already has input ACCEPT, so this rule is
# redundant unless the zone policy is tightened later.
config rule
option target 'ACCEPT'
option proto 'tcp'
option dest_port '1883'
option name 'MQTT'
option src 'lan'
# Global policy: input/output ACCEPT, forward REJECT.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# lan zone: covers the lan bridge and vpn1 (tap0). No masq here, so anything
# forwarded *into* this zone leaves eth0.1/tap0/radio1 with its original source address.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option network 'lan vpn1'
# wan zone: masquerade + MSS clamping for everything leaving via eth0.2.
# NOTE(review): input 'ACCEPT' here exposes every service the router listens on
# to the WAN side, not just the two OpenVPN listeners (443/tcp, 1194/udp) that
# need to be reachable; OpenWrt's shipped default is input REJECT with explicit
# allow rules — confirm this is intended.
config zone
option name 'wan'
option output 'ACCEPT'
option mtu_fix '1'
option masq '1'
option input 'ACCEPT'
option network 'wan'
option forward 'REJECT'
# /etc/firewall.user is executed on every firewall reload as well; it is not shown
# in the post, so leftover iptables rules living there cannot be ruled out.
config include
option path '/etc/firewall.user'
# vpn zone: tun0 only (vpn0). masq '1' is set here.
# NOTE(review): in fw3, masq on a zone applies to traffic *leaving* through that
# zone's interfaces (i.e. out of tun0 toward the VPN clients), not to traffic
# arriving from tun0. Packets from vpn0 forwarded into lan leave via the lan zone,
# which has no masq, so they keep their 10.8.0.x source — which matches the
# tcpdump observation on eth0.1. If NAT toward the LAN is wanted, the masq
# (optionally narrowed with masq_src) would belong on the lan zone — confirm.
# The vpn->wan direction is already covered by the wan zone's masq.
config zone
option name 'vpn'
option output 'ACCEPT'
option network 'vpn0'
option forward 'REJECT'
option input 'ACCEPT'
option masq '1'
# Forwardings: vpn<->lan in both directions, lan->wan, vpn->wan.
config forwarding
option dest 'lan'
option src 'vpn'
config forwarding
option dest 'vpn'
option src 'lan'
config forwarding
option dest 'wan'
option src 'lan'
config forwarding
option dest 'wan'
option src 'vpn'
root@owrt:~#
root@owrt:~# cat /etc/config/openvpn
# /etc/config/openvpn as pasted in the post: two server instances.
# Both share ca/cert/key/dh but use separate tls-auth keys.
#
# vpnNAT: routed server on a tun device (presumably tun0 -> netifd 'vpn0'),
# subnet topology 10.8.0.0/24, tcp/443. Clients get a full-tunnel default
# route (redirect-gateway def1) and the router itself (192.168.1.30) as DNS.
config openvpn 'vpnNAT'
option enabled '1'
option verb '3'
option dev 'tun'
option topology 'subnet'
option server '10.8.0.0 255.255.255.0'
# NOTE(review): 'server' already expands to ifconfig 10.8.0.1 255.255.255.0 on a
# subnet-topology tun, so this explicit ifconfig looks redundant — check the log.
option ifconfig '10.8.0.1 255.255.255.0'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/dom-owrt.crt'
option key '/etc/openvpn/dom-owrt.key'
option dh '/etc/openvpn/dh2048.pem'
# tls-auth with key_direction 0 (server side); clients must use direction 1.
option tls_auth '/etc/openvpn/tls-auth.key'
option tls_version_min '1.2'
option client_to_client '1'
option persist_key '1'
option persist_tun '1'
list push 'redirect-gateway def1'
list push 'dhcp-option DNS 192.168.1.30'
option cipher 'AES-256-CBC'
option port '443'
option tls_server '1'
option auth 'SHA512'
option key_direction '0'
# NOTE(review): compression on a TLS tunnel has a known attack history (VORACLE);
# consider dropping it unless the bandwidth saving is actually needed.
option compress 'lzo'
option proto 'tcp'
# vpnBridge: bridged server on tap0 (member of the lan bridge; 'vpn1' in netifd),
# udp/1194. 'mode server' + tls_server without 'server'/'server-bridge', so
# client addressing is left to 'route-gateway dhcp' — presumably the LAN's DHCP
# server reached through the bridge. Same compression note as above applies.
config openvpn 'vpnBridge'
option keepalive '10 60'
option compress 'lzo'
option mode 'server'
option tls_server '1'
list push 'route-gateway dhcp'
list push 'redirect-gateway def1'
option client_to_client '1'
option enabled '1'
option dev 'tap0'
option persist_tun '1'
option persist_key '1'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/dom-owrt.crt'
option key '/etc/openvpn/dom-owrt.key'
option dh '/etc/openvpn/dh2048.pem'
option cipher 'AES-256-CBC'
option port '1194'
option proto 'udp'
option auth 'SHA512'
option tls_version_min '1.2'
# separate tls-auth key from the routed instance, same server-side direction.
option tls_auth '/etc/openvpn/tls-auth-bridge.key'
option key_direction '0'
option verb '3'
root@owrt:~#
Any hints are welcome. Maybe I need to clean up some other files or so? The router was restarted (I actually started with 18.06rc1 and then upgraded to rc2 and 18.06.01, as I thought maybe this was the issue). Before the reconfiguration NAT was working well for the VPN, so I am pretty sure this is a configuration issue.