Routing table and VPN

Hello!

I want to set up my router as a VPN client and route internet traffic via that VPN. This is what the routing table looks like before and after connecting to the VPN. Once connected to the VPN, I can't reach any remote destination anymore (e.g. ping 8.8.8.8). Is there anything wrong with that routing table?

root@LEDE:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.254   0.0.0.0         UG    0      0        0 eth1
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     10     0        0 br-lan

root@LEDE:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.252.200.177  128.0.0.0       UG    0      0        0 tun0
default         192.168.0.254   0.0.0.0         UG    0      0        0 eth1
10.252.200.1    10.252.200.177  255.255.255.255 UGH   0      0        0 tun0
10.252.200.177  *               255.255.255.255 UH    0      0        0 tun0
128.0.0.0       10.252.200.177  128.0.0.0       UG    0      0        0 tun0
185.93.180.52   192.168.0.254   255.255.255.255 UGH   0      0        0 eth1
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     10     0        0 br-lan
uci show network; uci show firewall  # dump the live UCI network and firewall sections for review

Please post here the output of the following command, all on one line:
cat /etc/config/network; cat /etc/config/firewall; cat /etc/config/wireless ; cat /etc/config/dhcp ; ip -4 addr ; ip -4 ro ; ip -4 ru  # NOTE: /etc/config/wireless includes the Wi-Fi PSK ('option key') -- redact it before posting publicly; 'ip -4 ro' / 'ip -4 ru' give the IPv4 routes and policy rules

root@LEDE:~# cat /etc/config/network; cat /etc/config/firewall; cat /etc/config/
wireless ; cat /etc/config/dhcp ; ip -4 addr ; ip -4 ro ; ip -4 ru

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdba:9fcf:fd6c::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ifname 'eth0'
	option metric '10'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth1'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0 1 2 3t 5'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6'
	option vid '2'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '3t 4t'
	option vid '100'

config interface 'VPNDEWAN'
	option ifname 'tun0'
	option proto 'dhcp'
	option auto '0'


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'
	option input 'REJECT'
	option forward 'REJECT'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option network 'VPNDEWAN'
	option output 'ACCEPT'
	option name 'vpndewan'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option dest 'vpndewan'
	option src 'lan'

config forwarding
	option dest 'wan'
	option src 'lan'


config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option htmode 'VHT80'
	option country 'DE'
	option txpower '20'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option macaddr '62:38:e0:d7:87:dd'
	option ssid 'Livebox-557c'
	option encryption 'psk2'
	option key '6130E238E4625E1FE9A605E481'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option htmode 'HT20'
	option country 'DE'
	option txpower '20'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option macaddr '62:38:e0:d7:87:dc'
	option ssid 'Livebox-557c'
	option encryption 'psk2'
	option key '6130E238E4625E1FE9A605E481'


config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'
	option serversfile '/tmp/adb_list.overall'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 532
    inet 192.168.0.10/24 brd 192.168.0.255 scope global eth1
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.250.202.66 peer 10.250.202.65/32 scope global tun0
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.250.202.65 dev tun0 
default via 192.168.0.254 dev eth1 proto static src 192.168.0.10 
10.250.200.1 via 10.250.202.65 dev tun0 
10.250.202.65 dev tun0 proto kernel scope link src 10.250.202.66 
128.0.0.0/1 via 10.250.202.65 dev tun0 
178.162.209.79 via 192.168.0.254 dev eth1 
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.10 
192.168.1.0/24 dev br-lan proto static scope link metric 10 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default
root@LEDE:~# uci show network; uci show firewall

network.loopback=interface

network.loopback.ifname='lo'

network.loopback.proto='static'

network.loopback.ipaddr='127.0.0.1'

network.loopback.netmask='255.0.0.0'

network.globals=globals

network.globals.ula_prefix='fdba:9fcf:fd6c::/48'

network.lan=interface

network.lan.type='bridge'

network.lan.proto='static'

network.lan.ipaddr='192.168.1.1'

network.lan.netmask='255.255.255.0'

network.lan.ip6assign='60'

network.lan.ifname='eth0'

network.lan.metric='10'

network.wan=interface

network.wan.ifname='eth1'

network.wan.proto='dhcp'

network.wan6=interface

network.wan6.ifname='eth1'

network.wan6.proto='dhcpv6'

network.@switch[0]=switch

network.@switch[0].name='switch0'

network.@switch[0].reset='1'

network.@switch_vlan[0]=switch_vlan

network.@switch_vlan[0].device='switch0'

network.@switch_vlan[0].vlan='1'

network.@switch_vlan[0].vid='1'

network.@switch_vlan[0].ports='0 1 2 3t 5'

network.@switch_vlan[1]=switch_vlan

network.@switch_vlan[1].device='switch0'

network.@switch_vlan[1].vlan='2'

network.@switch_vlan[1].ports='4 6'

network.@switch_vlan[1].vid='2'

network.@switch_vlan[2]=switch_vlan

network.@switch_vlan[2].device='switch0'

network.@switch_vlan[2].vlan='3'

network.@switch_vlan[2].ports='3t 4t'

network.@switch_vlan[2].vid='100'

network.VPNDEWAN=interface

network.VPNDEWAN.ifname='tun0'

network.VPNDEWAN.proto='dhcp'

network.VPNDEWAN.auto='0'

firewall.@defaults[0]=defaults

firewall.@defaults[0].syn_flood='1'

firewall.@defaults[0].input='ACCEPT'

firewall.@defaults[0].output='ACCEPT'

firewall.@defaults[0].forward='REJECT'

firewall.@zone[0]=zone

firewall.@zone[0].name='lan'

firewall.@zone[0].input='ACCEPT'

firewall.@zone[0].output='ACCEPT'

firewall.@zone[0].forward='ACCEPT'

firewall.@zone[0].network='lan'

firewall.@zone[1]=zone

firewall.@zone[1].name='wan'

firewall.@zone[1].output='ACCEPT'

firewall.@zone[1].masq='1'

firewall.@zone[1].mtu_fix='1'

firewall.@zone[1].network='wan wan6'

firewall.@zone[1].input='REJECT'

firewall.@zone[1].forward='REJECT'

firewall.@rule[0]=rule

firewall.@rule[0].name='Allow-DHCP-Renew'

firewall.@rule[0].src='wan'

firewall.@rule[0].proto='udp'

firewall.@rule[0].dest_port='68'

firewall.@rule[0].target='ACCEPT'

firewall.@rule[0].family='ipv4'

firewall.@rule[1]=rule

firewall.@rule[1].name='Allow-Ping'

firewall.@rule[1].src='wan'

firewall.@rule[1].proto='icmp'

firewall.@rule[1].icmp_type='echo-request'

firewall.@rule[1].family='ipv4'

firewall.@rule[1].target='ACCEPT'

firewall.@rule[2]=rule

firewall.@rule[2].name='Allow-IGMP'

firewall.@rule[2].src='wan'

firewall.@rule[2].proto='igmp'

firewall.@rule[2].family='ipv4'

firewall.@rule[2].target='ACCEPT'

firewall.@rule[3]=rule

firewall.@rule[3].name='Allow-DHCPv6'

firewall.@rule[3].src='wan'

firewall.@rule[3].proto='udp'

firewall.@rule[3].src_ip='fc00::/6'

firewall.@rule[3].dest_ip='fc00::/6'

firewall.@rule[3].dest_port='546'

firewall.@rule[3].family='ipv6'

firewall.@rule[3].target='ACCEPT'

firewall.@rule[4]=rule

firewall.@rule[4].name='Allow-MLD'

firewall.@rule[4].src='wan'

firewall.@rule[4].proto='icmp'

firewall.@rule[4].src_ip='fe80::/10'

firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'

firewall.@rule[4].family='ipv6'

firewall.@rule[4].target='ACCEPT'

firewall.@rule[5]=rule

firewall.@rule[5].name='Allow-ICMPv6-Input'

firewall.@rule[5].src='wan'

firewall.@rule[5].proto='icmp'

firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'

firewall.@rule[5].limit='1000/sec'

firewall.@rule[5].family='ipv6'

firewall.@rule[5].target='ACCEPT'

firewall.@rule[6]=rule

firewall.@rule[6].name='Allow-ICMPv6-Forward'

firewall.@rule[6].src='wan'

firewall.@rule[6].dest='*'

firewall.@rule[6].proto='icmp'

firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'

firewall.@rule[6].limit='1000/sec'

firewall.@rule[6].family='ipv6'

firewall.@rule[6].target='ACCEPT'

firewall.@rule[7]=rule

firewall.@rule[7].name='Allow-IPSec-ESP'

firewall.@rule[7].src='wan'

firewall.@rule[7].dest='lan'

firewall.@rule[7].proto='esp'

firewall.@rule[7].target='ACCEPT'

firewall.@rule[8]=rule

firewall.@rule[8].name='Allow-ISAKMP'

firewall.@rule[8].src='wan'

firewall.@rule[8].dest='lan'

firewall.@rule[8].dest_port='500'

firewall.@rule[8].proto='udp'

firewall.@rule[8].target='ACCEPT'

firewall.@include[0]=include

firewall.@include[0].path='/etc/firewall.user'

firewall.@zone[2]=zone

firewall.@zone[2].network='VPNDEWAN'

firewall.@zone[2].output='ACCEPT'

firewall.@zone[2].name='vpndewan'

firewall.@zone[2].input='REJECT'

firewall.@zone[2].forward='REJECT'

firewall.@forwarding[0]=forwarding

firewall.@forwarding[0].dest='vpndewan'

firewall.@forwarding[0].src='lan'

firewall.@forwarding[1]=forwarding

firewall.@forwarding[1].dest='wan'

firewall.@forwarding[1].src='lan'

Please use preformatted text (Ctrl+Shift+c or the 6th button from the left) to make it easier to read.


Add the VPN interface in the WAN firewall zone.
Or add MASQUERADE and MSS fix in the VPN zone.

# Drop the separate 'VPNDEWAN' interface/zone and attach tun0 directly to the
# existing 'wan' zone, which already carries masq '1' and mtu_fix '1' (the
# 'vpndewan' zone in the dump above has neither). Order matters: each UCI
# change is committed before the service restart that applies it.
uci -q delete network.VPNDEWAN           # -q: stay quiet if the section is already gone
uci commit network
service network restart
uci set firewall.@zone[1].device="tun0"  # @zone[1] is the 'wan' zone (name='wan', network='wan wan6' in the dump)
uci commit firewall
service firewall restart
service openvpn restart
# NOTE(review): the 'vpndewan' zone and the lan->vpndewan forwarding are left in
# /etc/config/firewall with a dangling network reference; no zone_vpndewan chains
# appear in the later iptables-save output, so they look stale and can be removed.
# NOTE(review): eth1 and tun0 now share one zone, so lan->wan traffic is still
# accepted and masqueraded out of eth1 whenever tun0 is down (the later traceroute
# leaves via 192.168.0.254). This setup has no kill switch.

I tried it; it seems somewhat better, but there is still no connection:

root@LEDE:~# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 38 byte packets
 1  192.168.0.254 (192.168.0.254)  0.827 ms  0.608 ms  0.598 ms
 2  ama63-1-88-188-201-254.fbx.proxad.net (88.188.201.254)  22.880 ms  19.472 ms  20.386 ms
 3  213.228.36.190 (213.228.36.190)  21.992 ms  21.464 ms  22.563 ms
 4  194.149.165.77 (194.149.165.77)  28.417 ms  26.914 ms  25.551 ms
 5  194.149.166.58 (194.149.166.58)  25.927 ms  26.954 ms  25.777 ms
 6  72.14.221.62 (72.14.221.62)  27.172 ms  26.396 ms  25.597 ms
 7  108.170.245.1 (108.170.245.1)  26.423 ms  108.170.244.225 (108.170.244.225)  27.551 ms  108.170.244.193 (108.170.244.193)  27.244 ms
 8  209.85.251.153 (209.85.251.153)  27.009 ms  *  *
 9  *  *  *
10  *  *  *
11  *  *  *
12  *  *  *
13^C

Looks like your VPN-connection is down.

service log restart; service openvpn restart  # restart the logger (presumably so logread below starts fresh), then the tunnel
sleep 10; logread -e openvpn; ip r            # give the handshake time, show only openvpn log lines, then the resulting routes

Moreover, you can reach the Internet, so this is not a problem.
Try some other destination, like 1.1.1.1


It does indeed look like the VPN was down, which is why there was a route at all; this is what it looks like after restarting the VPN:

root@LEDE:~# service log restart; service openvpn restart
root@LEDE:~# sleep 10; logread -e openvpn; ip r
Tue Apr  9 13:25:07 2019 daemon.err openvpn(cyberghost_de)[4022]: event_wait : Interrupted system call (code=4)
Tue Apr  9 13:25:07 2019 daemon.notice openvpn(cyberghost_de)[4022]: /sbin/ifconfig tun0 0.0.0.0
Tue Apr  9 13:25:07 2019 daemon.notice openvpn(cyberghost_de)[4022]: SIGTERM[hard,] received, process exiting
Tue Apr  9 13:25:07 2019 daemon.warn openvpn(cyberghost_de)[4259]: WARNING: Ignoring option 'dh' in tls-client mode, please only include this in your server configuration
Tue Apr  9 13:25:07 2019 daemon.notice openvpn(cyberghost_de)[4259]: OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Tue Apr  9 13:25:07 2019 daemon.notice openvpn(cyberghost_de)[4259]: library versions: OpenSSL 1.0.2q  20 Nov 2018, LZO 2.10
Tue Apr  9 13:25:07 2019 daemon.notice openvpn(cyberghost_de)[4259]: TCP/UDP: Preserving recently used remote address: [AF_INET]185.216.33.190:443
Tue Apr  9 13:25:07 2019 daemon.notice openvpn(cyberghost_de)[4259]: UDP link local: (not bound)
Tue Apr  9 13:25:07 2019 daemon.notice openvpn(cyberghost_de)[4259]: UDP link remote: [AF_INET]185.216.33.190:443
Tue Apr  9 13:25:07 2019 daemon.warn openvpn(cyberghost_de)[4259]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Apr  9 13:25:08 2019 daemon.warn openvpn(cyberghost_de)[4259]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1574'
Tue Apr  9 13:25:08 2019 daemon.warn openvpn(cyberghost_de)[4259]: WARNING: 'mtu-dynamic' is present in remote config but missing in local config, remote='mtu-dynamic'
Tue Apr  9 13:25:08 2019 daemon.notice openvpn(cyberghost_de)[4259]: [CyberGhost VPN Server Node frankfurt-s41] Peer Connection Initiated with [AF_INET]185.216.33.190:443
Tue Apr  9 13:25:09 2019 daemon.notice openvpn(cyberghost_de)[4259]: TUN/TAP device tun0 opened
Tue Apr  9 13:25:09 2019 daemon.notice openvpn(cyberghost_de)[4259]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Apr  9 13:25:09 2019 daemon.notice openvpn(cyberghost_de)[4259]: /sbin/ifconfig tun0 10.242.201.126 pointopoint 10.242.201.125 mtu 1500
Tue Apr  9 13:25:09 2019 daemon.notice openvpn(cyberghost_de)[4259]: Initialization Sequence Completed
0.0.0.0/1 via 10.242.201.125 dev tun0 
default via 192.168.0.254 dev eth1 proto static src 192.168.0.10 
10.242.200.1 via 10.242.201.125 dev tun0 
10.242.201.125 dev tun0 proto kernel scope link src 10.242.201.126 
128.0.0.0/1 via 10.242.201.125 dev tun0 
185.216.33.190 via 192.168.0.254 dev eth1 
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.10 
192.168.1.0/24 dev br-lan proto static scope link metric 10 
root@LEDE:~# traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 38 byte packets
 1  *  *^C
iptables-save  # dump the full nat/mangle/filter ruleset with fw3's "!fw3" comments, to verify which zone tun0 landed in
root@LEDE:~# iptables-save
# Generated by iptables-save v1.6.2 on Tue Apr  9 13:34:42 2019
*nat
:PREROUTING ACCEPT [2418:452870]
:INPUT ACCEPT [683:60379]
:OUTPUT ACCEPT [378:25160]
:POSTROUTING ACCEPT [22:2088]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Tue Apr  9 13:34:42 2019
# Generated by iptables-save v1.6.2 on Tue Apr  9 13:34:42 2019
*mangle
:PREROUTING ACCEPT [26916:8407774]
:INPUT ACCEPT [3996:434556]
:FORWARD ACCEPT [22571:7805740]
:OUTPUT ACCEPT [8385:1958940]
:POSTROUTING ACCEPT [30369:9736395]
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue Apr  9 13:34:42 2019
# Generated by iptables-save v1.6.2 on Tue Apr  9 13:34:42 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i tun0 -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Tue Apr  9 13:34:42 2019
root@LEDE:~# 

Routing and firewall seem fine now, but the OpenVPN log looks suspicious:

I'm still inclined to believe there's something wrong with the routing; shouldn't I be able to ping all defined destinations from the router?

root@LEDE:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.248.203.181  128.0.0.0       UG    0      0        0 tun0
default         192.168.0.254   0.0.0.0         UG    0      0        0 eth1
10.248.200.1    10.248.203.181  255.255.255.255 UGH   0      0        0 tun0
10.248.203.181  *               255.255.255.255 UH    0      0        0 tun0
10.252.203.117  192.168.0.254   255.255.255.255 UGH   0      0        0 eth1
89.249.64.179   192.168.0.254   255.255.255.255 UGH   0      0        0 eth1
128.0.0.0       10.248.203.181  128.0.0.0       UG    0      0        0 tun0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     10     0        0 br-lan
root@LEDE:~# ^C
root@LEDE:~# ping 10.248.200.1
PING 10.248.200.1 (10.248.200.1): 56 data bytes
^C
--- 10.248.200.1 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
root@LEDE:~# ping 10.248.203.181
PING 10.248.203.181 (10.248.203.181): 56 data bytes
^C
--- 10.248.203.181 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
root@LEDE:~# ping 10.252.203.117
PING 10.252.203.117 (10.252.203.117): 56 data bytes
^C
--- 10.252.203.117 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
root@LEDE:~# ping 89.249.64.179
PING 89.249.64.179 (89.249.64.179): 56 data bytes
64 bytes from 89.249.64.179: seq=0 ttl=52 time=44.686 ms
64 bytes from 89.249.64.179: seq=1 ttl=52 time=44.094 ms

Yes and no. If the VPN provider blocks pings, you won't see replies. You should try to ping something that is certain to reply, like 1.1.1.1 or 8.8.8.8.

This line looks weird to me:

It wasn't there in the original post, and I doubt you should be routing this private IP via your ISP.
Do a reboot on the router just to make sure there are no stale entries.


The OpenVPN log clearly states that your client's MTU-related options don't match the server side.
Show your client configuration except private keys and certificates.

I did a reboot; this is what the routing table and OpenVPN config look like:

root@LEDE:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.249.200.133  128.0.0.0       UG    0      0        0 tun0
default         192.168.0.254   0.0.0.0         UG    0      0        0 eth1
10.249.200.1    10.249.200.133  255.255.255.255 UGH   0      0        0 tun0
10.249.200.133  *               255.255.255.255 UH    0      0        0 tun0
83.97.23.119    192.168.0.254   255.255.255.255 UGH   0      0        0 eth1
128.0.0.0       10.249.200.133  128.0.0.0       UG    0      0        0 tun0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     10     0        0 br-lan
root@LEDE:~# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
^C
--- 1.1.1.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
root@LEDE:~# cat /etc/open
openvpn/         openwrt_release  openwrt_version
root@LEDE:~# cat /etc/config/openvpn
openvpn          openvpn-opkg     openvpn_recipes
root@LEDE:~# cat /etc/config/openvpn

config openvpn 'custom_config'
	option config '/etc/openvpn/my-vpn.conf'

config openvpn 'sample_server'
	option port '1194'
	option proto 'udp'
	option dev 'tun'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option dh '/etc/openvpn/dh1024.pem'
	option server '10.8.0.0 255.255.255.0'
	option ifconfig_pool_persist '/tmp/ipp.txt'
	option keepalive '10 120'
	option compress 'lzo'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option status '/tmp/openvpn-status.log'
	option verb '3'

config openvpn 'sample_client'
	option client '1'
	option dev 'tun'
	option proto 'udp'
	list remote 'my_server_1 1194'
	option resolv_retry 'infinite'
	option nobind '1'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/client.crt'
	option key '/etc/openvpn/client.key'
	option compress 'lzo'
	option verb '3'

config openvpn 'cyberghost_de'
	option dh 'dh1024.pem'
	option float '1'
	option client '1'
	option comp_lzo 'yes'
	option reneg_sec '0'
	option persist_key '1'
	option remote_cert_tls 'server'
	option key '/etc/openvpn/cbid.openvpn.cyberghost_de.key'
	list remote '1-de.cg-dialup.net'
	option ca '/etc/openvpn/cbid.openvpn.cyberghost_de.ca'
	option cert '/etc/openvpn/cbid.openvpn.cyberghost_de.cert'
	option port '443'
	option proto 'udp'
	option dev 'tun'
	option cipher 'AES-256-CBC'
	option auth_user_pass '/etc/openvpn/userpass.txt'
	option auth 'SHA256'
	option verb '1'
	option redirect_gateway 'def1'
	option pull '1'
	option auth_nocache '1'
	option tun_mtu '1500'
	option mtu_test '1'
	option enabled '1'

What do you think?

# Bring the client's MTU handling in line with the server: the log reported
# 'link-mtu' used inconsistently (local 1570 vs remote 1574) and 'mtu-dynamic'
# present remotely but missing locally. Also pin the device name, since the
# firewall zone was bound to 'tun0' by name while the config only says 'tun'.
uci delete openvpn.cyberghost_de.tun_mtu       # drop the forced tun_mtu '1500'
uci delete openvpn.cyberghost_de.mtu_test      # drop the mtu_test probe
uci set openvpn.cyberghost_de.mtu_dynamic="1"  # intended to match the remote 'mtu-dynamic' seen in the log
uci set openvpn.cyberghost_de.dev="tun0"       # explicit name instead of generic 'tun'; presumably keeps the zone device reference valid
uci commit openvpn
# NOTE(review): the log also says 'dh' is ignored in tls-client mode, so
# openvpn.cyberghost_de.dh could be removed; and although auth_nocache '1' is
# set, the earlier log still warned about password caching -- re-check the
# warnings after this restart.

service log restart; service openvpn restart   # restart the logger, then the tunnel
sleep 10; logread -e openvpn                   # give the handshake time, then show only this attempt's openvpn lines