Redirect traffic to L2TP connection

I've installed and configured strongswan and it starts normally:

root@OpenWrt:~# ipsec up L2TP-PSK
establishing CHILD_SA L2TP-PSK{3}
generating CREATE_CHILD_SA request 3 [ N(USE_TRANSP) SA No KE TSi TSr ]
sending packet: from 192.168.100.118[4500] to 185.104.185.121[4500] (576 bytes)
received packet: from 185.104.185.121[4500] to 192.168.100.118[4500] (480 bytes)
parsed CREATE_CHILD_SA response 3 [ N(USE_TRANSP) SA No KE TSi TSr ]
selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ
CHILD_SA L2TP-PSK{3} established with SPIs c64ccbdd_i c738f4f5_o and TS 192.168.100.118/32[udp/l2f] === 185.104.185.121/32[udp/l2f]
connection 'L2TP-PSK' established successfully

but now I don't know how to redirect the traffic through the VPN.
I'm using https://villasyslog.net/openwrt-pptp-l2tp-ikev2-setup-strongswan-vpn-client/
but I have this on the interface:

Can someone help me?


We have already set up everything to make it work. Now we just need some routing details to run it properly.
Give the output of route, or ip route

output:
default via 192.168.100.1 dev eth0.2 proto static src 192.168.100.118 
185.104.185.121 via 192.168.1.1 dev br-lan 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.100.0/24 dev eth0.2 proto kernel scope link src 192.168.100.118 

I've changed my configuration.
I've created an L2TP interface directly from the UI:

But now I can access websites like google.fr but nothing else, and I can't access my LAN, so I don't know why:

ping:

PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=53 time=52.756 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=53 time=35.162 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=53 time=34.180 ms

--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 34.180/40.699/52.756/8.535 ms

traceroute:

Traceroute started…

traceroute to 1.1.1.1 (1.1.1.1), 64 hops max, 72 byte packets
 1  openwrt (192.168.1.1)  2.151 ms  1.026 ms  0.964 ms
 2  * * *
 3  185.104.185.193 (185.104.185.193)  86.453 ms  137.562 ms  65.243 ms
 4  vlan399.bb1.par1.fr.m247.com (185.206.226.40)  908.219 ms  909.313 ms  781.059 ms
 5  te-3-13-0.bb1.nyc1.us.m247.com (193.9.115.230)  57.702 ms  181.272 ms  272.641 ms
 6  89.44.212.140 (89.44.212.140)  65.011 ms  142.554 ms  144.809 ms
 7  * 37.120.128.128 (37.120.128.128)  181.926 ms  177.655 ms
 8  xe-11-0-1-0.ffm2nqp1.de.ip.tdc.net (62.243.245.9)  542.084 ms  73.004 ms  282.901 ms
 9  de-cix-frankfurt.as13335.net (80.81.194.180)  82.224 ms  65.474 ms  81.423 ms
10  one.one.one.one (1.1.1.1)  66.205 ms  54.337 ms  63.016 ms

ipsec status:

root@OpenWrt:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.2, Linux 4.14.180, mips):
  uptime: 17 minutes, since Sep 05 14:44:41 2020
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default connmark stroke updown xauth-generic
Listening IP addresses:
  192.168.1.1
  fd2b:b2e8:e48e::1
  192.168.100.118
  10.222.0.21
Connections:
    L2TP-PSK:  %any...185.104.185.121  IKEv2, dpddelay=40s
    L2TP-PSK:   local:  uses pre-shared key authentication
    L2TP-PSK:   remote: [185.104.185.121] uses pre-shared key authentication
    L2TP-PSK:   child:  dynamic[udp/l2f] === dynamic[udp/l2f] TRANSPORT, dpdaction=clear
Security Associations (1 up, 0 connecting):
    L2TP-PSK[1]: ESTABLISHED 17 minutes ago, 192.168.100.118[192.168.100.118]...185.104.185.121[185.104.185.121]
    L2TP-PSK[1]: IKEv2 SPIs: 01835e1cbf37ec6a_i* cbc97603a21289aa_r, pre-shared key reauthentication in 2 hours
    L2TP-PSK[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    L2TP-PSK{1}:  INSTALLED, TRANSPORT, reqid 1, ESP in UDP SPIs: ce4f6795_i c8026312_o
    L2TP-PSK{1}:  AES_CBC_256/HMAC_SHA2_256_128, 6895228 bytes_i (15017 pkts, 0s ago), 1868922 bytes_o (12259 pkts, 59s ago), rekeying in 38 minutes
    L2TP-PSK{1}:   192.168.100.118/32[udp/l2f] === 185.104.185.121/32[udp/l2f]

I don't see any modification, so I suppose you see the same output when the connection is not established?

I'm connected to the VPN, and I can access websites like google or netflix but nothing else, and with the other config I have:

Error: Network device is not present

for ppp0

Do you see a difference in this output between the cases when the connection is established and when it is not?

When it's not established it is:

default via 192.168.100.1 dev eth0.2 proto static src 192.168.100.118 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.100.0/24 dev eth0.2 proto kernel scope link src 192.168.100.118 

BTW I don't understand it.

You should change the default route. See:
leftsubnet = the scope of VPN. 0.0.0.0/0 is a full tunnel, meaning ALL traffic will go through the VPN.
https://openwrt.org/docs/guide-user/services/vpn/ipsec/strongswan/roadwarrior

That was with the other config. I'm not editing strongswan, I'm using Add new interface > L2TP:

so the route is:

root@OpenWrt:~# ip route
default via 10.222.0.1 dev l2tp-L2TP proto static 
10.222.0.1 dev l2tp-L2TP proto kernel scope link src 10.222.0.69 
185.104.185.118 via 192.168.100.1 dev eth0.2 proto static 
185.104.185.121 via 192.168.100.1 dev eth0.2 proto static 
185.104.185.124 via 192.168.100.1 dev eth0.2 proto static 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.100.0/24 dev eth0.2 proto kernel scope link src 192.168.100.118 

it's automatically configured like that when the interface starts

Seems correct, what is the issue you are having?
Also post the configurations so I can have a look; I have already spotted a few mistakes in the images.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*

I can ping, and I can access some websites like google or netflix but nothing else. forum.openwrt.org is not working, for example, and I don't know why.

You forgot to post the commands I mentioned before.

I have this:

root@OpenWrt:~# ubus call system board; \
> uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
{
	"kernel": "4.14.180",
	"hostname": "OpenWrt",
	"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
	"model": "TP-Link Archer C7 v5",
	"board_name": "tplink,archer-c7-v5",
	"release": {
		"distribution": "OpenWrt",
		"version": "19.07.3",
		"revision": "r11063-85e04e9f46",
		"target": "ath79/generic",
		"description": "OpenWrt 19.07.3 r11063-85e04e9f46"
	}
}
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd2b:b2e8:e48e::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr '74:da:88:de:02:1a'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

config interface 'L2TP'
	option delegate '0'
	option ifname 'ipsec1'
	option proto 'l2tp'
	option password 'PASSWORD'
	option ipv6 'auto'
	option username 'THEPASSWORD'
	option server 'fr1-ubuntu-l2tp.expressprovider.com'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0'
	option htmode 'VHT80'
	option channel 'auto'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option wpa_disable_eapol_key_retries '1'
	option ssid 'Romeo 5GHz'
	option encryption 'psk-mixed'
	option key 'PASSWORD'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/ahb/18100000.wmac'
	option htmode 'HT40'
	option channel 'auto'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option wpa_disable_eapol_key_retries '1'
	option ssid 'Romeo 2.4GHz'
	option key 'PASSWORD'
	option encryption 'psk-mixed'

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan wan wan6'

config include
	option path '/etc/firewall.user'

config rule
	option src '*'
	option target 'ACCEPT'
	option dest '*'

config zone
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option output 'ACCEPT'
	option network 'lan wan wan6'
	option name 'wan'

config zone
	option name 'IPSecVPNFW'
	option input 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option output 'ACCEPT'

config zone
	option name 'L2TPFW'
	option network 'L2TP'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option forward 'REJECT'

config forwarding
	option dest 'L2TPFW'
	option src 'lan'

config forwarding
	option dest 'L2TPFW'
	option src 'wan'

iptables -I INPUT 1 -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
iptables -I INPUT  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD  -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I OUTPUT   -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
iptables -t nat -I POSTROUTING -s 10.0.1.0/24 -o pppoe-wan -j MASQUERADE
# Generated by iptables-save v1.8.3 on Sat Sep  5 22:21:51 2020
*nat
:PREROUTING ACCEPT [2159:371566]
:INPUT ACCEPT [194:16514]
:OUTPUT ACCEPT [69:5264]
:POSTROUTING ACCEPT [0:0]
:postrouting_IPSecVPNFW_rule - [0:0]
:postrouting_L2TPFW_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_IPSecVPNFW_rule - [0:0]
:prerouting_L2TPFW_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_IPSecVPNFW_postrouting - [0:0]
:zone_IPSecVPNFW_prerouting - [0:0]
:zone_L2TPFW_postrouting - [0:0]
:zone_L2TPFW_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[2158:371312] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[2147:370557] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[7:356] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_lan_prerouting
[2147:370557] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_wan_prerouting
[7:356] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[4:399] -A PREROUTING -i l2tp-L2TP -m comment --comment "!fw3" -j zone_L2TPFW_prerouting
[0:0] -A POSTROUTING -s 10.0.1.0/24 -o pppoe-wan -j MASQUERADE
[0:0] -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
[541:39501] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[1:328] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[42:3155] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_lan_postrouting
[1:328] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_wan_postrouting
[42:3155] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[498:36018] -A POSTROUTING -o l2tp-L2TP -m comment --comment "!fw3" -j zone_L2TPFW_postrouting
[0:0] -A zone_IPSecVPNFW_postrouting -m comment --comment "!fw3: Custom IPSecVPNFW postrouting rule chain" -j postrouting_IPSecVPNFW_rule
[0:0] -A zone_IPSecVPNFW_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_IPSecVPNFW_prerouting -m comment --comment "!fw3: Custom IPSecVPNFW prerouting rule chain" -j prerouting_IPSecVPNFW_rule
[498:36018] -A zone_L2TPFW_postrouting -m comment --comment "!fw3: Custom L2TPFW postrouting rule chain" -j postrouting_L2TPFW_rule
[498:36018] -A zone_L2TPFW_postrouting -m comment --comment "!fw3" -j MASQUERADE
[4:399] -A zone_L2TPFW_prerouting -m comment --comment "!fw3: Custom L2TPFW prerouting rule chain" -j prerouting_L2TPFW_rule
[43:3483] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[2154:370913] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[43:3483] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[43:3483] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[2154:370913] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Sat Sep  5 22:21:51 2020
# Generated by iptables-save v1.8.3 on Sat Sep  5 22:21:51 2020
*raw
:PREROUTING ACCEPT [19519:7750030]
:OUTPUT ACCEPT [4939:737820]
:zone_lan_helper - [0:0]
[8507:1365904] -A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
[6452:3335424] -A PREROUTING -i eth0.2 -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
[0:0] -A zone_lan_helper -p udp -m comment --comment "!fw3: Amanda backup and archiving proto" -m udp --dport 10080 -j CT --helper amanda
[0:0] -A zone_lan_helper -p udp -m comment --comment "!fw3: RAS proto tracking" -m udp --dport 1719 -j CT --helper RAS
[0:0] -A zone_lan_helper -p tcp -m comment --comment "!fw3: Q.931 proto tracking" -m tcp --dport 1720 -j CT --helper Q.931
[0:0] -A zone_lan_helper -p tcp -m comment --comment "!fw3: IRC DCC connection tracking" -m tcp --dport 6667 -j CT --helper irc
[0:0] -A zone_lan_helper -p tcp -m comment --comment "!fw3: PPTP VPN connection tracking" -m tcp --dport 1723 -j CT --helper pptp
[0:0] -A zone_lan_helper -p tcp -m comment --comment "!fw3: SIP VoIP connection tracking" -m tcp --dport 5060 -j CT --helper sip
[0:0] -A zone_lan_helper -p udp -m comment --comment "!fw3: SIP VoIP connection tracking" -m udp --dport 5060 -j CT --helper sip
[0:0] -A zone_lan_helper -p udp -m comment --comment "!fw3: SNMP monitoring connection tracking" -m udp --dport 161 -j CT --helper snmp
[0:0] -A zone_lan_helper -p udp -m comment --comment "!fw3: TFTP connection tracking" -m udp --dport 69 -j CT --helper tftp
COMMIT
# Completed on Sat Sep  5 22:21:51 2020
# Generated by iptables-save v1.8.3 on Sat Sep  5 22:21:51 2020
*mangle
:PREROUTING ACCEPT [210351:88907847]
:INPUT ACCEPT [103886:43346210]
:FORWARD ACCEPT [91159:41996766]
:OUTPUT ACCEPT [51366:8527197]
:POSTROUTING ACCEPT [142231:50511635]
COMMIT
# Completed on Sat Sep  5 22:21:51 2020
# Generated by iptables-save v1.8.3 on Sat Sep  5 22:21:51 2020
*filter
:INPUT ACCEPT [4:160]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_IPSecVPNFW_rule - [0:0]
:forwarding_L2TPFW_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_IPSecVPNFW_rule - [0:0]
:input_L2TPFW_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_IPSecVPNFW_rule - [0:0]
:output_L2TPFW_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:zone_IPSecVPNFW_dest_ACCEPT - [0:0]
:zone_IPSecVPNFW_dest_REJECT - [0:0]
:zone_IPSecVPNFW_forward - [0:0]
:zone_IPSecVPNFW_input - [0:0]
:zone_IPSecVPNFW_output - [0:0]
:zone_IPSecVPNFW_src_ACCEPT - [0:0]
:zone_L2TPFW_dest_ACCEPT - [0:0]
:zone_L2TPFW_dest_REJECT - [0:0]
:zone_L2TPFW_forward - [0:0]
:zone_L2TPFW_input - [0:0]
:zone_L2TPFW_output - [0:0]
:zone_L2TPFW_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_ACCEPT - [0:0]
[0:0] -A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
[0:0] -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[9358:3866508] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[6715:3358564] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[2628:507029] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[7:356] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[8:559] -A INPUT -i l2tp-L2TP -m comment --comment "!fw3" -j zone_L2TPFW_input
[0:0] -A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
[0:0] -A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
[8669:3534828] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[8106:3483719] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[207:21018] -A FORWARD -p tcp -m comment --comment "!fw3: @rule[0]" -j ACCEPT
[260:22027] -A FORWARD -p udp -m comment --comment "!fw3: @rule[0]" -j ACCEPT
[96:8064] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i l2tp-L2TP -m comment --comment "!fw3" -j zone_L2TPFW_forward
[0:0] -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[4954:742659] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[4882:737229] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1:328] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[44:3281] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[27:1821] -A OUTPUT -o l2tp-L2TP -m comment --comment "!fw3" -j zone_L2TPFW_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[0:0] -A zone_IPSecVPNFW_forward -m comment --comment "!fw3: Custom IPSecVPNFW forwarding rule chain" -j forwarding_IPSecVPNFW_rule
[0:0] -A zone_IPSecVPNFW_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_IPSecVPNFW_forward -m comment --comment "!fw3" -j zone_IPSecVPNFW_dest_REJECT
[0:0] -A zone_IPSecVPNFW_input -m comment --comment "!fw3: Custom IPSecVPNFW input rule chain" -j input_IPSecVPNFW_rule
[0:0] -A zone_IPSecVPNFW_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_IPSecVPNFW_input -m comment --comment "!fw3" -j zone_IPSecVPNFW_src_ACCEPT
[0:0] -A zone_IPSecVPNFW_output -m comment --comment "!fw3: Custom IPSecVPNFW output rule chain" -j output_IPSecVPNFW_rule
[0:0] -A zone_IPSecVPNFW_output -m comment --comment "!fw3" -j zone_IPSecVPNFW_dest_ACCEPT
[1:40] -A zone_L2TPFW_dest_ACCEPT -o l2tp-L2TP -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[122:9845] -A zone_L2TPFW_dest_ACCEPT -o l2tp-L2TP -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_L2TPFW_dest_REJECT -o l2tp-L2TP -m comment --comment "!fw3" -j reject
[0:0] -A zone_L2TPFW_forward -m comment --comment "!fw3: Custom L2TPFW forwarding rule chain" -j forwarding_L2TPFW_rule
[0:0] -A zone_L2TPFW_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_L2TPFW_forward -m comment --comment "!fw3" -j zone_L2TPFW_dest_REJECT
[8:559] -A zone_L2TPFW_input -m comment --comment "!fw3: Custom L2TPFW input rule chain" -j input_L2TPFW_rule
[0:0] -A zone_L2TPFW_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[8:559] -A zone_L2TPFW_input -m comment --comment "!fw3" -j zone_L2TPFW_src_ACCEPT
[27:1821] -A zone_L2TPFW_output -m comment --comment "!fw3: Custom L2TPFW output rule chain" -j output_L2TPFW_rule
[27:1821] -A zone_L2TPFW_output -m comment --comment "!fw3" -j zone_L2TPFW_dest_ACCEPT
[4:399] -A zone_L2TPFW_src_ACCEPT -i l2tp-L2TP -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[1:328] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[44:3281] -A zone_lan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[96:8064] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[96:8064] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to L2TPFW forwarding policy" -j zone_L2TPFW_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[2635:507385] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[2635:507385] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[45:3609] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[45:3609] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[2628:507029] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[7:356] -A zone_lan_src_ACCEPT -i eth0.2 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o br-lan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Zone wan to L2TPFW forwarding policy" -j zone_L2TPFW_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_src_ACCEPT -i eth0.2 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
# Completed on Sat Sep  5 22:21:51 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
12: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
14: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.100.118/24 brd 192.168.100.255 scope global eth0.2
       valid_lft forever preferred_lft forever
28: l2tp-L2TP: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1200 qdisc fq_codel state UNKNOWN group default qlen 3
    inet 10.222.0.24 peer 10.222.0.1/32 scope global l2tp-L2TP
       valid_lft forever preferred_lft forever
default via 10.222.0.1 dev l2tp-L2TP proto static 
10.222.0.1 dev l2tp-L2TP proto kernel scope link src 10.222.0.24 
185.104.185.118 via 192.168.100.1 dev eth0.2 proto static 
185.104.185.121 via 192.168.100.1 dev eth0.2 proto static 
185.104.185.124 via 192.168.100.1 dev eth0.2 proto static 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.100.0/24 dev eth0.2 proto kernel scope link src 192.168.100.118 
local 10.222.0.24 dev l2tp-L2TP table local proto kernel scope host src 10.222.0.24 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1 
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1 
broadcast 192.168.100.0 dev eth0.2 table local proto kernel scope link src 192.168.100.118 
local 192.168.100.118 dev eth0.2 table local proto kernel scope host src 192.168.100.118 
broadcast 192.168.100.255 dev eth0.2 table local proto kernel scope link src 192.168.100.118 
0:	from all lookup local 
220:	from all lookup 220 
32766:	from all lookup main 
32767:	from all lookup default 
lrwxrwxrwx    1 root     root            16 May 16 20:32 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Sep  5 16:05 /tmp/resolv.conf
-rw-r--r--    1 root     root            91 Sep  5 21:48 /tmp/resolv.conf.auto
-rw-r--r--    1 root     root            44 Sep  5 21:48 /tmp/resolv.conf.ppp
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface L2TP
nameserver 10.222.0.1
# Interface wan
nameserver 192.168.100.1
search lan

==> /tmp/resolv.conf.ppp <==
nameserver 10.222.0.1
nameserver 10.222.0.1
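As an added check (not part of the thread and not OpenWrt code), the following Python script reads the `ip -4 route` and `/tmp/resolv.conf.auto` text from the dump above and reports anything that leaves the box outside the tunnel: a default route that does not point at the L2TP interface, /32 routes pinned to the WAN gateway that are not the VPN server's own addresses, and any nameserver whose longest-prefix-match route does not go through the tunnel. The sample input is copied from the post; the assumption that the three 185.104.185.x host routes are the resolved addresses of the configured server (netifd pins them to the WAN gateway so the tunnel endpoint is not routed into the tunnel itself) is mine. Interface and server names are the ones that appear in the dump.

```python
"""Route and resolver leak check for a full-tunnel L2TP client on OpenWrt.
Added example, not from the thread; reads pasted `ip -4 route` and
/tmp/resolv.conf.auto text and needs nothing but the standard library."""
import ipaddress

VPN_DEV = "l2tp-L2TP"
WAN_DEV = "eth0.2"
# Assumption: these three host routes are the resolved addresses of the
# configured L2TP server, which netifd pins to the WAN gateway so the tunnel
# endpoint is not routed into the tunnel itself.
VPN_SERVERS = {"185.104.185.118", "185.104.185.121", "185.104.185.124"}

# Copied from the posted output (main table only).
ROUTES = """\
default via 10.222.0.1 dev l2tp-L2TP proto static
10.222.0.1 dev l2tp-L2TP proto kernel scope link src 10.222.0.24
185.104.185.118 via 192.168.100.1 dev eth0.2 proto static
185.104.185.121 via 192.168.100.1 dev eth0.2 proto static
185.104.185.124 via 192.168.100.1 dev eth0.2 proto static
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.100.0/24 dev eth0.2 proto kernel scope link src 192.168.100.118
"""

# Copied from the posted /tmp/resolv.conf.auto.
RESOLV = """\
# Interface L2TP
nameserver 10.222.0.1
# Interface wan
nameserver 192.168.100.1
search lan
"""


def parse_routes(text):
    """One dict per line: the prefix as an ip_network plus `via`/`dev` if present."""
    routes = []
    for tok in (l.split() for l in text.splitlines()):
        if not tok:
            continue
        try:
            net = ipaddress.ip_network("0.0.0.0/0" if tok[0] == "default" else tok[0],
                                       strict=False)
        except ValueError:
            continue  # `local`/`broadcast` rows from `ip ro li tab all`
        r = {"net": net, "via": None, "dev": None}
        for i, t in enumerate(tok[:-1]):
            if t in ("via", "dev"):
                r[t] = tok[i + 1]
        routes.append(r)
    return routes


def route_for(routes, ip):
    """Longest-prefix match, i.e. the route the kernel would pick for `ip`."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if addr in r["net"]]
    return max(hits, key=lambda r: r["net"].prefixlen) if hits else None


def nameservers(text):
    return [l.split()[1] for l in text.splitlines() if l.startswith("nameserver")]


def audit_tunnel(route_text, resolv_text, vpn_dev=VPN_DEV, wan_dev=WAN_DEV,
                 vpn_servers=VPN_SERVERS):
    """Return findings as strings; [] means everything checked goes through the tunnel."""
    routes = parse_routes(route_text)
    out = []
    default = next((r for r in routes if r["net"].prefixlen == 0), None)
    if default is None:
        out.append("no default route, nothing is tunnelled")
    elif default["dev"] != vpn_dev:
        out.append(f"default route leaves via {default['dev']}, not {vpn_dev}")
    for r in routes:
        # A /32 pinned to the WAN gateway is only legitimate for the server itself.
        if r["dev"] == wan_dev and r["via"] and r["net"].prefixlen == 32:
            host = str(r["net"].network_address)
            if host not in vpn_servers:
                out.append(f"{host} bypasses the tunnel via {wan_dev}")
    for ns in nameservers(resolv_text):
        r = route_for(routes, ns)
        dev = r["dev"] if r else "no route"
        if dev != vpn_dev:
            out.append(f"nameserver {ns} is reached via {dev}, outside the tunnel")
    return out


if __name__ == "__main__":
    for f in audit_tunnel(ROUTES, RESOLV) or ["no leaks found"]:
        print(f)
```

On the posted data the only finding is the second resolver: dnsmasq was handed both 10.222.0.1 (from the L2TP interface) and 192.168.100.1 (from wan), and the second one is reached via eth0.2, so DNS queries can go around the tunnel. Setting `option peerdns '0'` on the wan interface keeps only the VPN-supplied nameserver in /tmp/resolv.conf.auto. To re-run on your own router, paste the output of `ip -4 route` and `cat /tmp/resolv.conf.auto` into ROUTES and RESOLV.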

Is there a good reason to have the wan and wan6 interfaces in the lan zone? If not, remove them.

What is this for?

Again all interfaces in one zone?
Also no mtu fix; INPUT and FORWARD should be REJECT.

Empty zone, delete it.

No mtu fix, you might as well have mtu issues, which could explain your issues.
Also INPUT should be REJECT, or your router is open to the internet.

That is wrong, delete it.

I am not sure what you are trying to accomplish with all these custom IPSEC rules. OpenWrt comes with a set of rules in the default firewall configuration to allow IPSEC.

There are a lot of wrong things in here, I'd strongly advise you to back up settings, reset the router to defaults and start from a clean slate.
Add the IPSEC configuration, create the interface and assign it to wan zone. That should be all.

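To make the points in that reply checkable, here is an added Python script (not from the thread, and not part of OpenWrt or fw3) that parses a `uci export firewall` dump and flags the patterns called out above: upstream networks inside a zone whose input is ACCEPT, one network assigned to several zones, a zone with no network at all, masquerading zones without `mtu_fix`, the catch-all `src '*' dest '*'` rule, and forwardings whose source zone includes an upstream network. `POSTED` is cut down from the dump above; `FIXED` is my reading of the suggested clean setup (VPN interface in the wan zone), with the interface name `ExpressVPN` taken from the later log and `mtu_fix` being my addition. Which networks count as "external" is passed in by the caller, since the VPN interface is an untrusted side too.

```python
"""Audit a `uci export firewall` dump for the mistakes pointed out above.
Added example; not code from the thread or from OpenWrt."""
import re

# Cut down from the posted `uci export firewall` output.
POSTED = """\
config zone
	option name 'lan'
	option input 'ACCEPT'
	option network 'lan wan wan6'
config rule
	option src '*'
	option target 'ACCEPT'
	option dest '*'
config zone
	option name 'wan'
	option input 'ACCEPT'
	option masq '1'
	option network 'lan wan wan6'
config zone
	option name 'IPSecVPNFW'
	option input 'ACCEPT'
	option masq '1'
config zone
	option name 'L2TPFW'
	option network 'L2TP'
	option input 'ACCEPT'
	option masq '1'
config forwarding
	option src 'lan'
	option dest 'L2TPFW'
config forwarding
	option src 'wan'
	option dest 'L2TPFW'
"""

# Assumed clean layout: the VPN interface (named ExpressVPN in the later log)
# sits in the wan zone, so one masq/mtu_fix/REJECT policy covers both uplinks.
FIXED = """\
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option forward 'ACCEPT'
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	list network 'ExpressVPN'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
config forwarding
	option src 'lan'
	option dest 'wan'
"""


def parse_uci(text):
    """Return one {'type', 'name', 'opts'} dict per config stanza."""
    secs = []
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"config\s+(\S+)(?:\s+'([^']*)')?$", line)
        if m:
            secs.append({"type": m.group(1), "name": m.group(2), "opts": {}})
        m = re.match(r"(option|list)\s+(\S+)\s+'(.*)'$", line)
        if m and secs:
            kind, key, val = m.groups()
            opts = secs[-1]["opts"]
            opts[key] = opts.get(key, []) + [val] if kind == "list" else val
    return secs


def nets_of(opts):
    """`option network 'a b'` and repeated `list network` both end up as a set."""
    v = opts.get("network", [])
    return set(v.split() if isinstance(v, str) else v)


def audit_firewall(text, external_nets=frozenset({"wan", "wan6"})):
    """Return findings as strings; [] means none of the checked patterns matched."""
    secs = parse_uci(text)
    zones = {z["opts"].get("name"): z["opts"] for z in secs if z["type"] == "zone"}
    owners, out = {}, []
    for name, o in zones.items():
        nets = nets_of(o)
        for n in nets:
            owners.setdefault(n, []).append(name)
        ext = sorted(nets & external_nets)
        if ext and o.get("input") == "ACCEPT":
            out.append(f"zone {name}: input ACCEPT with external networks {ext}, "
                       "router services reachable from outside")
        if not nets and "device" not in o and "subnet" not in o:
            out.append(f"zone {name}: no networks, matches nothing")
        if o.get("masq") == "1" and o.get("mtu_fix") != "1":
            out.append(f"zone {name}: masq without mtu_fix, TCP MSS not clamped to the tunnel MTU")
    for n, zs in owners.items():
        if len(zs) > 1:
            out.append(f"network {n}: assigned to several zones {zs}")
    for s in secs:
        o = s["opts"]
        if (s["type"] == "rule" and o.get("src") == "*" and o.get("dest") == "*"
                and o.get("target") == "ACCEPT" and "proto" not in o
                and not any(k in o for k in ("src_ip", "dest_ip", "dest_port"))):
            out.append("rule src '*' dest '*' ACCEPT: forwards TCP and UDP between all "
                       "zones (fw3 defaults proto to 'tcp udp')")
        if s["type"] == "forwarding":
            ext = sorted(nets_of(zones.get(o.get("src"), {})) & external_nets)
            if ext:
                out.append(f"forwarding {o.get('src')} -> {o.get('dest')}: "
                           f"source zone carries external networks {ext}")
    return out


if __name__ == "__main__":
    for f in audit_firewall(POSTED, {"wan", "wan6", "L2TP"}):
        print("posted:", f)
    print("fixed:", audit_firewall(FIXED, {"wan", "wan6", "ExpressVPN"}) or "clean")
```

Run against `POSTED` it reproduces the review above (lan zone with wan inside and input ACCEPT, every network in two zones, the empty IPSecVPNFW zone, three masquerading zones without MSS clamping, the catch-all rule, and the wan-to-L2TPFW forwarding); `FIXED` comes back clean. `mtu_fix` is the fw3 option that clamps TCP MSS on traffic leaving the zone, which matters here because the l2tp-L2TP interface shows an MTU of 1200 and a "some sites work, others hang" pattern is the usual sign of a path-MTU black hole. With the VPN interface in the wan zone and the default route through it, LAN clients reach the tunnel through the single lan-to-wan forwarding and are masqueraded to the 10.222.0.x address.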

OK,
so I will reset the software, but I need access to the router and the WANs from the other router on the LAN.
I think I just need this:

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan wan wan6'

config zone
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option output 'ACCEPT'
	option network 'lan wan wan6'
	option name 'wan'

Do I just need xl2tpd and ipsec-tools to add the ipsec interface?

The router is reset and the L2TP connection is established:

Sun Sep  6 10:30:11 2020 daemon.notice netifd: Interface 'ExpressVPN' is setting up now
Sun Sep  6 10:30:11 2020 daemon.notice xl2tpd[1543]: Connecting to host fr1-ubuntu-l2tp.expressprovider.com, port 1701
Sun Sep  6 10:30:12 2020 daemon.notice xl2tpd[1543]: Connection established to 185.104.185.124, 1701.  Local: 18810, Remote: 50845 (ref=0/0).
Sun Sep  6 10:30:12 2020 daemon.notice xl2tpd[1543]: Calling on tunnel 18810
Sun Sep  6 10:30:12 2020 daemon.notice xl2tpd[1543]: Call established with 185.104.185.124, Local: 60935, Remote: 6613, Serial: 1 (ref=0/0)
Sun Sep  6 10:30:12 2020 daemon.debug xl2tpd[1543]: start_pppd: I'm running:
Sun Sep  6 10:30:12 2020 daemon.debug xl2tpd[1543]: "/usr/sbin/pppd"
Sun Sep  6 10:30:12 2020 daemon.debug xl2tpd[1543]: "plugin"
Sun Sep  6 10:30:12 2020 daemon.debug xl2tpd[1543]: "pppol2tp.so"
Sun Sep  6 10:30:12 2020 daemon.debug xl2tpd[1543]: "pppol2tp"
Sun Sep  6 10:30:12 2020 daemon.debug xl2tpd[1543]: "8"
Sun Sep  6 10:30:12 2020 daemon.debug xl2tpd[1543]: "passive"
Sun Sep  6 10:30:12 2020 daemon.debug xl2tpd[1543]: "nodetach"
Sun Sep  6 10:30:12 2020 daemon.debug xl2tpd[1543]: ":"
Sun Sep  6 10:30:12 2020 daemon.debug xl2tpd[1543]: "file"
Sun Sep  6 10:30:12 2020 daemon.debug xl2tpd[1543]: "/tmp/l2tp/options.ExpressVPN"
Sun Sep  6 10:30:13 2020 daemon.info pppd[2309]: Plugin pppol2tp.so loaded.
Sun Sep  6 10:30:13 2020 daemon.notice pppd[2309]: pppd 2.4.7 started by root, uid 0
Sun Sep  6 10:30:13 2020 kern.info kernel: [  187.700923] l2tp-ExpressVPN: renamed from ppp0
Sun Sep  6 10:30:13 2020 daemon.info pppd[2309]: Renamed interface ppp0 to l2tp-ExpressVPN
Sun Sep  6 10:30:13 2020 daemon.info pppd[2309]: Using interface l2tp-ExpressVPN
Sun Sep  6 10:30:13 2020 daemon.notice pppd[2309]: Connect: l2tp-ExpressVPN <-->
Sun Sep  6 10:30:16 2020 daemon.notice pppd[2309]: CHAP authentication succeeded
Sun Sep  6 10:30:17 2020 daemon.notice pppd[2309]: local  IP address 10.222.0.18
Sun Sep  6 10:30:17 2020 daemon.notice pppd[2309]: remote IP address 10.222.0.1
Sun Sep  6 10:30:17 2020 daemon.notice pppd[2309]: primary   DNS address 10.222.0.1
Sun Sep  6 10:30:17 2020 daemon.notice pppd[2309]: secondary DNS address 10.222.0.1
Sun Sep  6 10:30:17 2020 daemon.notice netifd: Network device 'l2tp-ExpressVPN' link is up
Sun Sep  6 10:30:17 2020 daemon.notice netifd: Interface 'ExpressVPN' is now up
Sun Sep  6 10:30:17 2020 daemon.info dnsmasq[2079]: reading /tmp/resolv.conf.auto
Sun Sep  6 10:30:17 2020 daemon.info dnsmasq[2079]: using local addresses only for domain test
Sun Sep  6 10:30:17 2020 daemon.info dnsmasq[2079]: using local addresses only for domain onion
Sun Sep  6 10:30:17 2020 daemon.info dnsmasq[2079]: using local addresses only for domain localhost
Sun Sep  6 10:30:17 2020 daemon.info dnsmasq[2079]: using local addresses only for domain local
Sun Sep  6 10:30:17 2020 daemon.info dnsmasq[2079]: using local addresses only for domain invalid
Sun Sep  6 10:30:17 2020 daemon.info dnsmasq[2079]: using local addresses only for domain bind
Sun Sep  6 10:30:17 2020 daemon.info dnsmasq[2079]: using local addresses only for domain lan
Sun Sep  6 10:30:17 2020 daemon.info dnsmasq[2079]: using nameserver 10.222.0.1#53
Sun Sep  6 10:30:17 2020 daemon.info dnsmasq[2079]: using nameserver 192.168.100.1#53

I have access to some websites like Google and I can ping, but nothing else is working:

root@OpenWrt:~# ubus call system board; \
> uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
{
	"kernel": "4.14.180",
	"hostname": "OpenWrt",
	"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
	"model": "TP-Link Archer C7 v5",
	"board_name": "tplink,archer-c7-v5",
	"release": {
		"distribution": "OpenWrt",
		"version": "19.07.3",
		"revision": "r11063-85e04e9f46",
		"target": "ath79/generic",
		"description": "OpenWrt 19.07.3 r11063-85e04e9f46"
	}
}
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fda2:3321:30fc::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr '74:da:88:de:02:1a'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

config interface 'ExpressVPN'
	option proto 'l2tp'
	option username '3b6m7y'
	option ipv6 'auto'
	option password 'PASSWORD'
	option server 'fr1-ubuntu-l2tp.expressprovider.com'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0'
	option htmode 'VHT80'
	option channel 'auto'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option wpa_disable_eapol_key_retries '1'
	option key 'PASSWORD'
	option ssid 'Romeo 5GHz'
	option encryption 'psk-mixed'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/ahb/18100000.wmac'
	option htmode 'HT40'
	option channel 'auto'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option wpa_disable_eapol_key_retries '1'
	option key 'PASSWORD'
	option encryption 'psk-mixed'
	option ssid 'Romeo 2.4GHz'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'EVPNFW'
	option network 'ExpressVPN'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'
	option output 'ACCEPT'

config forwarding
	option dest 'EVPNFW'
	option src 'lan'

config forwarding
	option dest 'EVPNFW'
	option src 'wan'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.3 on Sun Sep  6 10:41:01 2020
*nat
:PREROUTING ACCEPT [9:642]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_EVPNFW_postrouting - [0:0]
:zone_EVPNFW_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[9:642] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[9:642] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i l2tp-ExpressVPN -m comment --comment "!fw3" -j zone_EVPNFW_prerouting
[9:642] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[9:642] -A POSTROUTING -o l2tp-ExpressVPN -m comment --comment "!fw3" -j zone_EVPNFW_postrouting
[9:642] -A zone_EVPNFW_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[9:642] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Sun Sep  6 10:41:01 2020
# Generated by iptables-save v1.8.3 on Sun Sep  6 10:41:01 2020
*mangle
:PREROUTING ACCEPT [153:15137]
:INPUT ACCEPT [109:9768]
:FORWARD ACCEPT [44:5369]
:OUTPUT ACCEPT [104:23949]
:POSTROUTING ACCEPT [148:29318]
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sun Sep  6 10:41:01 2020
# Generated by iptables-save v1.8.3 on Sun Sep  6 10:41:01 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_EVPNFW_dest_ACCEPT - [0:0]
:zone_EVPNFW_dest_REJECT - [0:0]
:zone_EVPNFW_forward - [0:0]
:zone_EVPNFW_input - [0:0]
:zone_EVPNFW_output - [0:0]
:zone_EVPNFW_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[111:9872] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[107:9063] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[4:809] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i l2tp-ExpressVPN -m comment --comment "!fw3" -j zone_EVPNFW_input
[44:5369] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[35:4727] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[9:642] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i l2tp-ExpressVPN -m comment --comment "!fw3" -j zone_EVPNFW_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[106:24645] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[106:24645] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o l2tp-ExpressVPN -m comment --comment "!fw3" -j zone_EVPNFW_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_EVPNFW_dest_ACCEPT -o l2tp-ExpressVPN -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[9:642] -A zone_EVPNFW_dest_ACCEPT -o l2tp-ExpressVPN -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_EVPNFW_dest_REJECT -o l2tp-ExpressVPN -m comment --comment "!fw3" -j reject
[0:0] -A zone_EVPNFW_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_EVPNFW_forward -m comment --comment "!fw3" -j zone_EVPNFW_dest_REJECT
[0:0] -A zone_EVPNFW_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_EVPNFW_input -m comment --comment "!fw3" -j zone_EVPNFW_src_REJECT
[0:0] -A zone_EVPNFW_output -m comment --comment "!fw3" -j zone_EVPNFW_dest_ACCEPT
[0:0] -A zone_EVPNFW_src_REJECT -i l2tp-ExpressVPN -m comment --comment "!fw3" -j reject
[0:0] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[9:642] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[9:642] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[9:642] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to EVPNFW forwarding policy" -j zone_EVPNFW_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[4:809] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[4:809] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[4:809] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Zone wan to EVPNFW forwarding policy" -j zone_EVPNFW_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sun Sep  6 10:41:01 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.100.118/24 brd 192.168.100.255 scope global eth0.2
       valid_lft forever preferred_lft forever
18: l2tp-ExpressVPN: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1200 qdisc fq_codel state UNKNOWN qlen 3
    inet 10.222.0.24 peer 10.222.0.1/32 scope global l2tp-ExpressVPN
       valid_lft forever preferred_lft forever
default via 10.222.0.1 dev l2tp-ExpressVPN 
10.222.0.1 dev l2tp-ExpressVPN scope link  src 10.222.0.24 
185.104.185.118 via 192.168.100.1 dev eth0.2 
185.104.185.121 via 192.168.100.1 dev eth0.2 
185.104.185.124 via 192.168.100.1 dev eth0.2 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 
192.168.100.0/24 dev eth0.2 scope link  src 192.168.100.118 
local 10.222.0.24 dev l2tp-ExpressVPN table local scope host  src 10.222.0.24 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local scope link  src 192.168.1.1 
local 192.168.1.1 dev br-lan table local scope host  src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.1 
broadcast 192.168.100.0 dev eth0.2 table local scope link  src 192.168.100.118 
local 192.168.100.118 dev eth0.2 table local scope host  src 192.168.100.118 
broadcast 192.168.100.255 dev eth0.2 table local scope link  src 192.168.100.118 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
lrwxrwxrwx    1 root     root            16 May 16 18:32 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Sep  6 10:28 /tmp/resolv.conf
-rw-r--r--    1 root     root            97 Sep  6 10:40 /tmp/resolv.conf.auto
-rw-r--r--    1 root     root            44 Sep  6 10:40 /tmp/resolv.conf.ppp
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface ExpressVPN
nameserver 10.222.0.1
# Interface wan
nameserver 192.168.100.1
search lan

==> /tmp/resolv.conf.ppp <==
nameserver 10.222.0.1
nameserver 10.222.0.1

And when I try with PPTP I get this:

Sun Sep  6 13:17:28 2020 daemon.info pppd[13673]: Plugin pptp.so loaded.
Sun Sep  6 13:17:28 2020 daemon.info pppd[13673]: PPTP plugin version 1.00
Sun Sep  6 13:17:28 2020 daemon.notice pppd[13673]: pppd 2.4.7 started by root, uid 0
Sun Sep  6 13:17:28 2020 daemon.debug pppd[13674]: pptp: call manager for 185.104.185.124
Sun Sep  6 13:17:28 2020 daemon.debug pppd[13674]: window size:	50
Sun Sep  6 13:17:28 2020 daemon.debug pppd[13674]: call id:	116
Sun Sep  6 13:17:28 2020 daemon.debug pppd[13674]: control connection
Sun Sep  6 13:17:28 2020 daemon.debug pppd[13674]: unix_sock
Sun Sep  6 13:17:28 2020 daemon.debug pppd[13675]: Sent control packet type is 1 'Start-Control-Connection-Request'
Sun Sep  6 13:17:28 2020 daemon.debug pppd[13675]: Received Start Control Connection Reply
Sun Sep  6 13:17:28 2020 daemon.debug pppd[13675]: Client connection established.
Sun Sep  6 13:17:29 2020 daemon.debug pppd[13675]: Sent control packet type is 7 'Outgoing-Call-Request'
Sun Sep  6 13:17:29 2020 daemon.debug pppd[13675]: Received Outgoing Call Reply.
Sun Sep  6 13:17:29 2020 daemon.debug pppd[13675]: Outgoing call established (call ID 116, peer's call ID 56448).
Sun Sep  6 13:17:29 2020 daemon.debug pppd[13673]: using channel 116
Sun Sep  6 13:17:29 2020 kern.info kernel: [ 3635.007787] pptp-ExpressVPN: renamed from ppp0
Sun Sep  6 13:17:29 2020 daemon.info pppd[13673]: Renamed interface ppp0 to pptp-ExpressVPN
Sun Sep  6 13:17:29 2020 daemon.info pppd[13673]: Using interface pptp-ExpressVPN
Sun Sep  6 13:17:29 2020 daemon.notice pppd[13673]: Connect: pptp-ExpressVPN <--> pptp (185.104.185.124)
Sun Sep  6 13:17:29 2020 daemon.debug pppd[13673]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xcfeb5fbf>]
Sun Sep  6 13:17:32 2020 daemon.debug pppd[13673]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xcfeb5fbf>]
Sun Sep  6 13:17:35 2020 daemon.debug pppd[13673]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xcfeb5fbf>]
Sun Sep  6 13:17:38 2020 daemon.debug pppd[13673]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xcfeb5fbf>]
Sun Sep  6 13:17:41 2020 daemon.debug pppd[13673]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xcfeb5fbf>]
Sun Sep  6 13:17:44 2020 daemon.debug pppd[13673]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xcfeb5fbf>]
Sun Sep  6 13:17:47 2020 daemon.debug pppd[13673]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xcfeb5fbf>]
Sun Sep  6 13:17:50 2020 daemon.debug pppd[13673]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xcfeb5fbf>]
Sun Sep  6 13:17:53 2020 daemon.debug pppd[13673]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xcfeb5fbf>]
Sun Sep  6 13:17:56 2020 daemon.debug pppd[13673]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xcfeb5fbf>]
Sun Sep  6 13:17:59 2020 daemon.warn pppd[13675]: read returned zero, peer has closed
Sun Sep  6 13:17:59 2020 daemon.debug pppd[13675]: Closing connection (shutdown)
Sun Sep  6 13:17:59 2020 daemon.debug pppd[13675]: Sent control packet type is 12 'Call-Clear-Request'
Sun Sep  6 13:17:59 2020 daemon.warn pppd[13675]: read returned zero, peer has closed
Sun Sep  6 13:17:59 2020 daemon.debug pppd[13675]: Closing connection (call state)
Sun Sep  6 13:17:59 2020 daemon.warn pppd[13673]: LCP: timeout sending Config-Requests
Sun Sep  6 13:17:59 2020 daemon.notice pppd[13673]: Connection terminated.
Sun Sep  6 13:17:59 2020 daemon.notice pppd[13673]: Modem hangup
Sun Sep  6 13:17:59 2020 daemon.info pppd[13673]: Exit.

and:

root@OpenWrt:~# tcpdump -i eth0.2  | grep 185.104.185.124
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0.2, link-type EN10MB (Ethernet), capture size 262144 bytes
13:36:03.502421 IP 192.168.100.118 > 185.104.185.124: GREv1, call 63616, seq 6, length 32: LCP, Conf-Request (0x01), id 1, length 18
13:36:06.505721 IP 192.168.100.118 > 185.104.185.124: GREv1, call 63616, seq 7, length 32: LCP, Conf-Request (0x01), id 1, length 18
13:36:09.509071 IP 192.168.100.118 > 185.104.185.124: GREv1, call 63616, seq 8, length 32: LCP, Conf-Request (0x01), id 1, length 18
13:36:12.512430 IP 192.168.100.118 > 185.104.185.124: GREv1, call 63616, seq 9, length 32: LCP, Conf-Request (0x01), id 1, length 18
13:36:15.515735 IP 192.168.100.118 > 185.104.185.124: GREv1, call 63616, seq 10, length 32: LCP, Conf-Request (0x01), id 1, length 18
13:36:18.431115 IP 185.104.185.124.1723 > 192.168.100.118.46748: Flags [F.], seq 2337381372, ack 3497410056, win 22, options [nop,nop,TS val 2844190802 ecr 3032302489], length 0
13:36:18.431544 IP 192.168.100.118.46748 > 185.104.185.124.1723: Flags [P.], seq 1:17, ack 1, win 1892, options [nop,nop,TS val 3032332474 ecr 2844190802], length 16: pptp CTRL_MSGTYPE=CCRQ CALL_ID(11)
13:36:18.431786 IP 185.104.185.124.1723 > 192.168.100.118.46748: Flags [R], seq 2337381373, win 0, length 0
13:36:18.871686 IP 192.168.100.118.46750 > 185.104.185.124.1723: Flags [S], seq 2759416534, win 29200, options [mss 1460,sackOK,TS val 3032332914 ecr 0,nop,wscale 4], length 0
13:36:18.872014 IP 185.104.185.124.1723 > 192.168.100.118.46750: Flags [S.], seq 1880316010, ack 2759416535, win 43440, options [mss 1460,sackOK,TS val 2844191243 ecr 3032332914,nop,wscale 11], length 0
13:36:18.872170 IP 192.168.100.118.46750 > 185.104.185.124.1723: Flags [.], ack 1, win 1825, options [nop,nop,TS val 3032332915 ecr 2844191243], length 0
13:36:18.874247 IP 192.168.100.118.46750 > 185.104.185.124.1723: Flags [P.], seq 1:157, ack 1, win 1825, options [nop,nop,TS val 3032332917 ecr 2844191243], length 156: pptp CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(AS) BEARER_CAP(DA) MAX_CHAN(65535) FIRM_REV(1) HOSTNAME(local) VENDOR(cananian)
13:36:18.874497 IP 185.104.185.124.1723 > 192.168.100.118.46750: Flags [.], ack 157, win 22, options [nop,nop,TS val 2844191245 ecr 3032332917], length 0
13:36:19.069159 IP 185.104.185.124.1723 > 192.168.100.118.46750: Flags [P.], seq 1:157, ack 157, win 22, options [nop,nop,TS val 2844191440 ecr 3032332917], length 156: pptp CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1) ERR_CODE(0) FRAME_CAP() BEARER_CAP() MAX_CHAN(1) FIRM_REV(1) HOSTNAME(local) VENDOR(linux)
13:36:19.069283 IP 192.168.100.118.46750 > 185.104.185.124.1723: Flags [.], ack 157, win 1892, options [nop,nop,TS val 3032333112 ecr 2844191440], length 0
13:36:19.874244 IP 192.168.100.118.46750 > 185.104.185.124.1723: Flags [P.], seq 157:325, ack 157, win 1892, options [nop,nop,TS val 3032333917 ecr 2844191440], length 168: pptp CTRL_MSGTYPE=OCRQ CALL_ID(12) CALL_SER_NUM(0) MIN_BPS(2400) MAX_BPS(1000000000) BEARER_TYPE(Any) FRAME_TYPE(E) RECV_WIN(50) PROC_DELAY(0) PHONE_NO_LEN(0) PHONE_NO() SUB_ADDR()
13:36:19.874531 IP 185.104.185.124.1723 > 192.168.100.118.46750: Flags [.], ack 325, win 22, options [nop,nop,TS val 2844192245 ecr 3032333917], length 0
13:36:19.955202 IP 185.104.185.124.1723 > 192.168.100.118.46750: Flags [P.], seq 157:189, ack 325, win 22, options [nop,nop,TS val 2844192326 ecr 3032333917], length 32: pptp CTRL_MSGTYPE=OCRP CALL_ID(63872) PEER_CALL_ID(12) RESULT_CODE(1) ERR_CODE(0) CAUSE_CODE(0) CONN_SPEED(1000000000) RECV_WIN(50) PROC_DELAY(0) PHY_CHAN_ID(0)
13:36:19.955357 IP 192.168.100.118.46750 > 185.104.185.124.1723: Flags [.], ack 189, win 1892, options [nop,nop,TS val 3032333998 ecr 2844192326], length 0

Now L2TP works, I don't know why, but I have this in the logs:

root@OpenWrt:~# logread -f 
Sun Sep  6 13:49:41 2020 daemon.debug xl2tpd[1668]: check_control: Received out of order control packet on tunnel 46824 (got 2, expected 3)
Sun Sep  6 13:49:41 2020 daemon.debug xl2tpd[1668]: handle_control: bad control packet!
Sun Sep  6 13:49:44 2020 daemon.debug xl2tpd[1668]: check_control: Received out of order control packet on tunnel 46824 (got 2, expected 3)
Sun Sep  6 13:49:44 2020 daemon.debug xl2tpd[1668]: handle_control: bad control packet!
Sun Sep  6 13:49:47 2020 daemon.debug xl2tpd[1668]: check_control: Received out of order control packet on tunnel 46824 (got 2, expected 3)
Sun Sep  6 13:49:47 2020 daemon.debug xl2tpd[1668]: handle_control: bad control packet!

If you want to configure the router from the wan, you can either temporarily switch wan INPUT to ACCEPT, or more permanently create a rule to accept ssh and http from the wan 192.168.100.0/24.

This is wrong, delete this forwarding.

The VPN interface has MTU 1200; is this correct according to your provider?

1 Like
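The reply above says the wan -> EVPNFW forwarding is wrong. As an added example (my code, not anything posted in this thread or shipped with OpenWrt), here is a small auditor for `uci export firewall` output that finds that kind of forwarding mechanically: a forwarding whose source zone is untrusted (input policy not ACCEPT) into a zone that masquerades. It also reports zones with more than one NAT exit (lan can forward to both wan and EVPNFW, so nothing pins clients to the tunnel if it drops), and prints the `uci` commands that would delete the flagged forwarding. The sample config is copied from the export above, trimmed to its zones and forwardings; the finding names are my own labels.

```python
"""Audit the zones/forwardings of an OpenWrt fw3 config (`uci export firewall`).
Added example, not from the thread; finding names are my own labels."""
import shlex

# Constructed input: zones and forwardings copied from the export above, trimmed.
SAMPLE_FIREWALL = """
package firewall

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option forward 'REJECT'
    option masq '1'

config forwarding
    option src 'lan'
    option dest 'wan'

config zone
    option name 'EVPNFW'
    option network 'ExpressVPN'
    option input 'REJECT'
    option forward 'REJECT'
    option masq '1'

config forwarding
    option dest 'EVPNFW'
    option src 'lan'

config forwarding
    option dest 'EVPNFW'
    option src 'wan'
"""


def parse_uci(text):
    """Parse UCI export text into [{'type', 'name', 'opts'}]; 'option' values are
    strings, 'list' values are lists (an option re-declared as list becomes a list)."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == "#" or line.startswith("package "):
            continue
        words = shlex.split(line)                 # strips the single quotes
        key, val = words[1], words[2] if len(words) > 2 else ""
        if words[0] == "config":
            cur = {"type": key, "name": val or None, "opts": {}}
            sections.append(cur)
        elif cur is None:
            continue
        elif words[0] == "option":
            cur["opts"][key] = val
        elif words[0] == "list":
            old = cur["opts"].get(key, [])
            cur["opts"][key] = (old if isinstance(old, list) else [old]) + [val]
    return sections


def audit_forwardings(sections):
    """Return findings as (kind, src_zone, dest_zone) tuples."""
    zones = {s["opts"]["name"]: s["opts"] for s in sections if s["type"] == "zone"}
    findings, nat_exits = [], {}
    for s in sections:
        if s["type"] != "forwarding":
            continue
        src, dst = s["opts"].get("src"), s["opts"].get("dest")
        if src not in zones or dst not in zones:
            findings.append(("unknown-zone", src, dst))
            continue
        # fw3 zone input policy defaults to DROP, so anything but ACCEPT is "outside"
        untrusted_src = zones[src].get("input", "DROP").upper() != "ACCEPT"
        if zones[dst].get("masq") == "1":
            nat_exits.setdefault(src, set()).add(dst)
            if untrusted_src:
                # hosts on the src side may open new flows through the router's NAT
                # on dst: here WAN-side hosts straight into the VPN tunnel
                findings.append(("untrusted-to-nat", src, dst))
    for src, exits in sorted(nat_exits.items()):
        if len(exits) > 1:
            # two NAT exits and nothing pinning clients to the tunnel: if it goes
            # down the default route can fall back to the other exit (no kill switch)
            findings.append(("multiple-nat-exits", src, ",".join(sorted(exits))))
    return findings


def remediation_commands(sections, findings):
    """uci CLI commands deleting every 'untrusted-to-nat' forwarding. Anonymous
    sections are addressed as firewall.@forwarding[N], N counted in file order
    among forwarding sections; highest index first so the rest stay valid."""
    bad = {(src, dst) for kind, src, dst in findings if kind == "untrusted-to-nat"}
    fwds = [s for s in sections if s["type"] == "forwarding"]
    idx = [i for i, s in enumerate(fwds) if (s["opts"].get("src"), s["opts"].get("dest")) in bad]
    cmds = [f"uci delete firewall.@forwarding[{i}]" for i in sorted(idx, reverse=True)]
    return cmds + ["uci commit firewall", "/etc/init.d/firewall restart"] if cmds else []


if __name__ == "__main__":
    secs = parse_uci(SAMPLE_FIREWALL)
    found = audit_forwardings(secs)
    print(*found, sep="\n")
    print(*remediation_commands(secs, found), sep="\n")
```

Run it against your own export with `parse_uci(open("firewall.export").read())`; the generated `uci delete` index is only valid for the file it was computed from, so regenerate after every change.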
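The reply also asks whether MTU 1200 on l2tp-ExpressVPN is right. As an added example (my code, not from the thread or from any OpenWrt package), here is the encapsulation arithmetic that answers that question from protocol constants: the largest PPP MTU that still fits a 1500-byte link frame, first for plain L2TP over UDP (what the `proto 'l2tp'` interface above uses) and then for L2TP carried inside an ESP transport-mode SA with NAT-T. The IPsec parameters are assumptions for a typical L2TP/IPsec proposal (AES-CBC, 16-byte IV and block, HMAC-SHA1-96 ICV, UDP 4500 encapsulation) and are parameters so they can be changed to whatever the provider actually negotiates; the L2TP data header (6 bytes, no optional fields) and PPP header (4 bytes, no ACFC/PFC) are the conservative choices.

```python
"""Largest PPP MTU that fits an L2TP packet in one link-layer frame.
Added example, not from the thread. Fixed sizes are protocol constants (IPv4, UDP,
ESP, RFC 2661 L2TP data header, PPP header); the rest are parameters."""

IPV4_HDR = 20        # no IP options
UDP_HDR = 8
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1), sits before the ICV
L2TP_DATA_HDR = 6    # flags/version, tunnel ID, session ID; +2 with L bit, +4 with S bit
PPP_HDR = 4          # address + control (0xff03) + 2-byte protocol, no ACFC/PFC


def l2tp_payload_overhead(l2tp_hdr=L2TP_DATA_HDR, ppp_hdr=PPP_HDR):
    """Bytes between the outer transport and the PPP payload: UDP + L2TP + PPP."""
    return UDP_HDR + l2tp_hdr + ppp_hdr


def max_ppp_mtu(link_mtu=1500, ipsec=False, nat_t=True,
                iv_len=16, block=16, icv_len=12,
                l2tp_hdr=L2TP_DATA_HDR, ppp_hdr=PPP_HDR):
    """Largest PPP-layer MTU whose L2TP packet still fits in `link_mtu` bytes.

    ipsec=False : IPv4 | UDP | L2TP | PPP | payload
    ipsec=True  : IPv4 | [UDP 4500 if nat_t] | ESP hdr | IV |
                  (UDP | L2TP | PPP | payload | pad | trailer) | ICV
                  ESP transport mode; the bracketed plaintext is padded up to a
                  multiple of the cipher block (defaults: AES-CBC + HMAC-SHA1-96).
    """
    inner = l2tp_payload_overhead(l2tp_hdr, ppp_hdr)
    if not ipsec:
        return link_mtu - IPV4_HDR - inner
    fixed = IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv_len + icv_len
    budget = link_mtu - fixed            # room left for the padded plaintext
    padded = budget - budget % block     # largest block multiple that fits
    return padded - ESP_TRAILER - inner


def mtu_verdict(configured, **kwargs):
    """(ok, headroom): ok if `configured` never forces the outer packet to be
    fragmented; headroom is how many bytes it could still be raised by."""
    limit = max_ppp_mtu(**kwargs)
    return configured <= limit, limit - configured


if __name__ == "__main__":
    for label, kw in (("plain L2TP/UDP", {}), ("L2TP over ESP + NAT-T", {"ipsec": True})):
        ok, room = mtu_verdict(1200, **kw)
        print(f"{label}: max PPP MTU {max_ppp_mtu(**kw)}, "
              f"1200 is {'safe' if ok else 'too big'} (headroom {room})")
```

1200 is therefore safe under both encapsulations but leaves a lot on the table; if the provider's path MTU really is 1500, the tunnel could run at roughly 1460 (plain L2TP) or 1400 (L2TP/IPsec with NAT-T). A setting is only "correct" if it is at or below the value for the encapsulation the provider actually uses, so confirm that with them before raising it.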