Routing stops on second openvpn tunnel coming up

I have a "dumb router" that has one network with WIFI (OpenWrt) connected to lan, and lan is a DHCP client with default routing to the DHCP-assigned GW. Works perfectly, no issues.

In addition, I have two more networks (netCR and netUS) with their dedicated WIFIs that are to be routed via VPN (tunCGcr and tunCGus).

That works as long as only one of the tunnels is up. Once the second tunnel comes up, routing stops for the clients in the other network. Neither openvpn configuration has "redirect-gateway def1".

I didn't want to spam my whole config here as I don't know which files would be of interest, but if someone's willing to look into it, I will provide whatever is required.

Without seeing your configs and logs, just a long shot:
Redirect gateway is often pushed by the server, so to be sure that it is not set, add to both openvpn configs:

pull-filter ignore "redirect-gateway"

Mind you, then the tunnels might be up but nothing is routed via the tunnels, as there is no default route via the tunnels. For routing you then have to use Policy Based Routing.
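Added example, not part of any post in this thread: a check for whether a tunnel has taken over the default route, and whether an OpenVPN config carries the pull-filter line suggested above. The function names, the sample routing table and its 10.36.4.1 gateway are constructed for illustration.

```shell
#!/bin/sh
# Print every route read from stdin (`ip route show` format) that would send
# all traffic into a tunnel: a plain default route, or the two half-routes
# (0.0.0.0/1 and 128.0.0.0/1) that "redirect-gateway def1" installs.
# $1 = device name prefix that identifies tunnel devices (default "tun").
tunnel_overrides() {
    awk -v pfx="${1:-tun}" '
        $1 == "default" || $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" {
            for (i = 2; i < NF; i++)
                if ($i == "dev" && index($(i + 1), pfx) == 1) { print; next }
        }'
}

# Return 0 if OpenVPN config file $1 ignores a server-pushed redirect-gateway.
has_pull_filter() {
    grep -Eq '^[[:space:]]*pull-filter[[:space:]]+ignore[[:space:]]+"?redirect-gateway' "$1"
}

# Constructed sample: the thread's main table as it could look if the server
# behind tunCGus pushed "redirect-gateway def1" (gateway 10.36.4.1 is made up).
sample_routes() {
cat <<'EOF'
0.0.0.0/1 via 10.36.4.1 dev tunCGus
default via 192.168.71.1 dev br-lan proto static src 192.168.71.38
10.2.4.0/24 dev tunCGcr proto kernel scope link src 10.2.4.58
10.36.4.0/24 dev tunCGus proto kernel scope link src 10.36.4.241
128.0.0.0/1 via 10.36.4.1 dev tunCGus
192.168.71.0/24 dev br-lan proto kernel scope link src 192.168.71.38
EOF
}

# Number of tunnel-override routes in the constructed sample.
count_overrides() {
    sample_routes | tunnel_overrides tun | wc -l | tr -d ' '
}

# Show the offending routes from the sample.
# On the router itself: ip -4 route show | tunnel_overrides tun
sample_routes | tunnel_overrides tun
```

An empty result on the main table means no tunnel has captured general traffic, so any routing into the tunnels has to come from policy routing tables instead.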

You were right, routes are no longer pushed with this. However, now I'm stuck with pbr. It complains that it cannot initialize my tun interfaces.

root@Netgear-OWRT:~# service pbr start
Using uplink interface (on_start): lan [✓]
Found uplink gateway (on_start): 192.168.71.1 [✓]
Setting up routing for 'tunCR/tunCGcr/10.2.4.58' [✗]
Setting up routing for 'tunUS/tunCGus/10.36.4.241' [✗]
pbr.cfg066ff5.name=Plex/Emby Local Server validates as string with true
pbr.cfg066ff5.enabled=0 validates as bool with true
pbr.cfg066ff5.interface=wan validates as or("ignore", "tor", regex("xray_.*"), uci("network", "@interface")) with false
pbr.cfg066ff5.proto is unset and defaults to or(string) (null)
pbr.cfg066ff5.chain is unset and defaults to or("", "forward", "input", "output", "prerouting", "postrouting") prerouting
pbr.cfg066ff5.src_addr is unset and defaults to list(neg(or(host,network,macaddr,string))) (null)
pbr.cfg066ff5.src_port=8096 8920 32400 validates as list(neg(or(portrange,string))) with true
pbr.cfg066ff5.dest_addr is unset and defaults to list(neg(or(host,network,string))) (null)
pbr.cfg066ff5.dest_port is unset and defaults to list(neg(or(portrange,string))) (null)
pbr.cfg076ff5.name=Plex/Emby Remote Servers validates as string with true
pbr.cfg076ff5.enabled=0 validates as bool with true
pbr.cfg076ff5.interface=wan validates as or("ignore", "tor", regex("xray_.*"), uci("network", "@interface")) with false
pbr.cfg076ff5.proto is unset and defaults to or(string) (null)
pbr.cfg076ff5.chain is unset and defaults to or("", "forward", "input", "output", "prerouting", "postrouting") prerouting
pbr.cfg076ff5.src_addr is unset and defaults to list(neg(or(host,network,macaddr,string))) (null)
pbr.cfg076ff5.src_port is unset and defaults to list(neg(or(portrange,string))) (null)
pbr.cfg076ff5.dest_addr=plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media validates as list(neg(or(host,network,string))) with true
pbr.cfg076ff5.dest_port is unset and defaults to list(neg(or(portrange,string))) (null)
Routing 'CR Routing' via tunCR [✓]
Routing 'US Routing' via tunUS [✓]
Installing fw4 nft file [✓]
Setting interface trigger for tunCR [✓]
Setting interface trigger for tunUS [✓]
pbr 1.1.8-r16 monitoring interfaces: tunCR tunUS
ERROR:
ip -4 route add default via 192.168.71.1 dev br-lan proto static src 192.168.71.38 table 256
ERROR: Failed to set up 'tunCR/tunCGcr/10.2.4.58'!
ERROR:
ip -4 route add default via 192.168.71.1 dev br-lan proto static src 192.168.71.38 table 257
ERROR: Failed to set up 'tunUS/tunCGus/10.36.4.241'!
ERROR: Failed to set up any gateway!
root@Netgear-OWRT:~#

Do you think you can help me with that?
Regards
Robert

PBR is not made with a DumbAP in mind, so no guarantee, but it might help if we see your configs.
Please connect to your OpenWRT device using ssh, copy the output of the following commands, and post it here using the "Preformatted text </> " button.

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
cat /etc/config/pbr
service pbr status
cat /var/run/pbr.nft
nft -c -f /var/run/pbr.nft

Here is the output of those commands.

ubus call system board

{
	"kernel": "6.6.73",
	"hostname": "Netgear-OWRT",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "Netgear WAC104",
	"board_name": "netgear,wac104",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.0",
		"revision": "r28427-6df0e3d02a",
		"target": "ramips/mt7621",
		"description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
		"builddate": "1738624177"
	}
}

cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ignore '1'
	option force '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'netUS'
	option interface 'netUS'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,10.0.0.243'

config dhcp 'netCR'
	option interface 'netCR'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,10.0.0.243'

cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'lan'

config rule
	option name 'Allow-netUS-DNS'
	option src 'netUS'
	option target 'ACCEPT'
	option dest_port '53'

config zone
	option name 'netUS'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'netUS'

config rule
	option name 'Allow-netUS-DHCP'
	list proto 'udp'
	option src 'netUS'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Block-netUS-from-LAN'
	list proto 'all'
	option src 'netUS'
	option dest 'lan'
	list dest_ip '192.168.71.0/24'
	option target 'REJECT'
	option enabled '0'

config zone
	option name 'vpnUS'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list device 'tunCGus'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'netUS'
	option dest 'vpnUS'

config rule
	option name 'Allow-netCR-DNS'
	option src 'netCR'
	option target 'ACCEPT'
	option dest_port '53'

config zone
	option name 'netCR'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'netCR'

config rule
	option name 'Allow-netCR-DHCP'
	list proto 'udp'
	option src 'netCR'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Block-netCR-from-LAN'
	list proto 'all'
	option src 'netCR'
	option dest 'lan'
	list dest_ip '192.168.71.0/24'
	option target 'REJECT'
	option enabled '0'

config zone
	option name 'vpnCR'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list device 'tunCGcr'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'netCR'
	option dest 'vpnCR'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

ip route show

default via 192.168.71.1 dev br-lan proto static src 192.168.71.38 
10.2.4.0/24 dev tunCGcr proto kernel scope link src 10.2.4.58 
10.36.4.0/24 dev tunCGus proto kernel scope link src 10.36.4.241 
192.168.43.0/24 dev br-netCR proto kernel scope link src 192.168.43.1 
192.168.55.0/24 dev br-netUS proto kernel scope link src 192.168.55.1 
192.168.71.0/24 dev br-lan proto kernel scope link src 192.168.71.38 

cat /etc/config/pbr

config pbr 'config'
	option enabled '1'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'none'
	list resolver_instance '*'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	option nft_rule_counter '0'
	option nft_set_auto_merge '1'
	option nft_set_counter '0'
	option nft_set_flags_interval '1'
	option nft_set_flags_timeout '0'
	option nft_set_policy 'performance'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list supported_interface 'tun*'
	option procd_wan_interface 'lan'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

config dns_policy
	option name 'Redirect Local IP DNS'
	option src_addr '192.168.1.5'
	option dest_dns '1.1.1.1'
	option enabled '0'

config policy
	option name 'Ignore Local Requests'
	option interface 'ignore'
	option dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'
	option enabled '0'

config policy
	option name 'Plex/Emby Local Server'
	option interface 'wan'
	option src_port '8096 8920 32400'
	option enabled '0'

config policy
	option name 'Plex/Emby Remote Servers'
	option interface 'wan'
	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
	option enabled '0'

config policy
	option name 'CR Routing'
	option src_addr '192.168.43.0/24'
	option dest_addr '0.0.0.0/32'
	option interface 'tunCR'

config policy
	option name 'US Routing'
	option src_addr '192.168.55.0/24'
	option dest_addr '0.0.0.0/32'
	option interface 'tunUS'

service pbr status

pbr - environment
pbr 1.1.8-r16 running on OpenWrt 24.10.0.

Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile

pbr fw4 nft file: /usr/share/nftables.d/ruleset-post/30-pbr.nft
add chain inet fw4 pbr_mark_0x010000
add rule inet fw4 pbr_mark_0x010000  mark set mark and 0xff00ffff xor 0x010000
add rule inet fw4 pbr_mark_0x010000 return
add chain inet fw4 pbr_mark_0x020000
add rule inet fw4 pbr_mark_0x020000  mark set mark and 0xff00ffff xor 0x020000
add rule inet fw4 pbr_mark_0x020000 return
add rule inet fw4 pbr_prerouting ip saddr { 192.168.43.0/24 } ip daddr { 0.0.0.0/32 }  goto pbr_mark_0x010000 comment "CR Routing"
add rule inet fw4 pbr_prerouting ip saddr { 192.168.55.0/24 } ip daddr { 0.0.0.0/32 }  goto pbr_mark_0x020000 comment "US Routing"

pbr chains - policies
	chain pbr_forward { # handle 52
	}
	chain pbr_input { # handle 53
	}
	chain pbr_output { # handle 54
	}
	chain pbr_postrouting { # handle 56
	}
	chain pbr_prerouting { # handle 55
		ip saddr 192.168.43.0/24 ip daddr 0.0.0.0 goto pbr_mark_0x010000 comment "CR Routing" # handle 617
		ip saddr 192.168.55.0/24 ip daddr 0.0.0.0 goto pbr_mark_0x020000 comment "US Routing" # handle 618
	}
	chain pbr_dstnat { # handle 51
	}

pbr chains - marking
	chain pbr_mark_0x010000 { # handle 611
		meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 612
		return # handle 613
	}
	chain pbr_mark_0x020000 { # handle 614
		meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 615
		return # handle 616
	}

pbr nft sets

pbr tables & routing
IPv4 table 256 pbr_tunCR route:
default via 10.2.4.58 dev tunCGcr 
IPv4 table 256 pbr_tunCR rule(s):
30000:	from all fwmark 0x10000/0xff0000 lookup pbr_tunCR

IPv4 table 257 pbr_tunUS route:
default via 10.36.4.241 dev tunCGus 
IPv4 table 257 pbr_tunUS rule(s):
29998:	from all fwmark 0x20000/0xff0000 lookup pbr_tunUS

cat /var/run/pbr.nft

#!/usr/sbin/nft -f

add chain inet fw4 pbr_mark_0x010000
add rule inet fw4 pbr_mark_0x010000  mark set mark and 0xff00ffff xor 0x010000
add rule inet fw4 pbr_mark_0x010000 return
add chain inet fw4 pbr_mark_0x020000
add rule inet fw4 pbr_mark_0x020000  mark set mark and 0xff00ffff xor 0x020000
add rule inet fw4 pbr_mark_0x020000 return
add rule inet fw4 pbr_prerouting ip saddr { 192.168.43.0/24 } ip daddr { 0.0.0.0/32 }  goto pbr_mark_0x010000 comment "CR Routing"
add rule inet fw4 pbr_prerouting ip saddr { 192.168.55.0/24 } ip daddr { 0.0.0.0/32 }  goto pbr_mark_0x020000 comment "US Routing"

nft -c -f /var/run/pbr.nft  <-- this command produces no output

Remove 0.0.0.0/32 from both policies.

Reboot and test again. Can you also show the output of:

cat /etc/config/network

Edit: it does not look that bad, but I am missing your wan interface. You have set procd_wan_interface as lan, but I think it has to be the device, so usually br-lan, but for that I have to see your cat /etc/config/network

Okay, I will remove the destination addresses from the two routing entries and I will change the device from lan to br-lan. Here is cat /etc/config/network:

root@Netgear-OWRT:~# cat /etc/config/network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
config globals 'globals'
        option ula_prefix 'fde4:d575:7ef0::/48'
        option packet_steering '1'
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'
config device
        option type 'bridge'
        option name 'br-netUS'
        option bridge_empty '1'
config interface 'netUS'
        option proto 'static'
        option device 'br-netUS'
        option ipaddr '192.168.55.1'
        option netmask '255.255.255.0'
config device
        option type 'bridge'
        option name 'br-netCR'
        option bridge_empty '1'
config interface 'netCR'
        option proto 'static'
        option device 'br-netCR'
        option ipaddr '192.168.43.1'
        option netmask '255.255.255.0'
config interface 'tunCR'
        option proto 'none'
        option device 'tunCGcr'
config interface 'tunUS'
        option proto 'none'
        option device 'tunCGus'
root@Netgear-OWRT:~#

With pbr.config.procd_wan_interface set to br-lan, I get this:

root@Netgear-OWRT:~# service pbr restart
Resetting chains and sets [✓]
Removing routing for 'tunCR/tunCGcr/10.7.4.169' [✓]
Removing routing for 'tunUS/tunCGus/10.27.4.233' [✓]
pbr 1.1.8-r16 (fw4 nft file mode) stopped [✓]
Using uplink interface (on_start): br-lan [✓]
Setting interface trigger for tunCR [✓]
Setting interface trigger for tunUS [✓]
ERROR: The br-lan interface not found, you need to set the 'pbr.config.procd_wan_interface' option!
ERROR: Refer to https://docs.openwrt.melmac.net/pbr/#procd_wan_interface.
root@Netgear-OWRT:~#

I'm giving up on this. I started a new config with Travelmate and that seems to allow a working version of this.
Please do not invest any more time into this.