Setting up a dedicated VPN VLAN

Hello,

I need help to configure a VPN on a dedicated VLAN.
I configured the following interfaces on my router:
- 'lan' : IP 192.168.1.1 (associated to eth0.1)
- 'LAN_VPN' : IP 192.168.2.1 (associated to eth0.3)
- 'WAN' and 'WAN6' : IP 192.168.0.97 (associated to eth0.2)
- 'tun3' associated with OpenVPN configuration.

I want devices on the 'lan' network to go out via 'WAN' and 'WAN6', and devices on 'LAN_VPN' to go out via 'tun3'.

I set up the following rule and route in /etc/config/network:

config rule
        option in 'LAN_VPN'
        option src '192.168.2.1/24'
        option lookup '100'

config route
        option interface ''tun3"
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option metric '200'
        option table '100'

But the routing is not working.
When OpenVPN is started, devices in "LAN_VPN" have internet access (with the VPN IP address) but devices in 'lan' have no internet access.
When OpenVPN is stopped, devices in 'lan' have internet access (with the WAN address) but devices in 'LAN_VPN' have no internet access.

Have I forgotten something, or made an error in the configuration?

Here are screenshots of the configuration:
VLAN configuration:

Interfaces configuration:

Firewall configuration:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; ip6tables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*

fix this too


Hello,

@anon50098793 : yes, that is a copy error from pasting into the forum; the configuration is correct on the router.

@trendy :
Here is the output of the commands (wireless is disabled, so I am not posting "uci export wireless"):

uci export network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'XXXXXXXXXXX'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.0.1'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr '40:31:XX:XX:XX:XX'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '6t 2 1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '6t 4'
        option vid '2'

config interface 'LAN_VPN'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option ifname 'eth0.3'
        option type 'bridge'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'

config interface 'tun3'
        option ifname 'tun3'
        option proto 'none'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '6t 3'
        option vid '3'

config rule
        option in 'LAN_VPN'
        option src '192.168.2.1/24'
        option lookup '100'

config route
        option interface 'tun3'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option metric '200'
        option table '100'

uci export dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'LAN_VPN'
        option interface 'LAN_VPN'
        option start '100'
        option leasetime '12h'
        option limit '150'

uci export firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option name 'lan_vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'LAN_VPN'

config zone
        option name 'wan_vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'tun3'

config forwarding
        option src 'lan_vpn'
        option dest 'wan_vpn'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

head -n -0 /etc/firewall.user;
iptables-save -c; ip6tables-save -c;
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru;
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru;
ls -l /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*

*nat
:PREROUTING ACCEPT [4187:899287]
:INPUT ACCEPT [463:29702]
:OUTPUT ACCEPT [617:42613]
:POSTROUTING ACCEPT [848:35476]
:postrouting_lan_rule - [0:0]
:postrouting_lan_vpn_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:postrouting_wan_vpn_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_lan_vpn_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:prerouting_wan_vpn_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_lan_vpn_postrouting - [0:0]
:zone_lan_vpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
:zone_wan_vpn_postrouting - [0:0]
:zone_wan_vpn_prerouting - [0:0]
[4187:899287] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[1400:358226] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[1777:350497] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[1010:190564] -A PREROUTING -i br-LAN_VPN -m comment --comment "!fw3" -j zone_lan_vpn_prerouting
[0:0] -A PREROUTING -i tun3 -m comment --comment "!fw3" -j zone_wan_vpn_prerouting
[2078:352865] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[814:32856] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[649:159431] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o br-LAN_VPN -m comment --comment "!fw3" -j zone_lan_vpn_postrouting
[581:157958] -A POSTROUTING -o tun3 -m comment --comment "!fw3" -j zone_wan_vpn_postrouting
[814:32856] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[1400:358226] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_vpn_postrouting -m comment --comment "!fw3: Custom lan_vpn postrouting rule chain" -j postrouting_lan_vpn_rule
[1010:190564] -A zone_lan_vpn_prerouting -m comment --comment "!fw3: Custom lan_vpn prerouting rule chain" -j prerouting_lan_vpn_rule
[649:159431] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[649:159431] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[1777:350497] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[581:157958] -A zone_wan_vpn_postrouting -m comment --comment "!fw3: Custom wan_vpn postrouting rule chain" -j postrouting_wan_vpn_rule
[581:157958] -A zone_wan_vpn_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wan_vpn_prerouting -m comment --comment "!fw3: Custom wan_vpn prerouting rule chain" -j prerouting_wan_vpn_rule
COMMIT
# Completed on Fri May  1 09:19:57 2020
# Generated by iptables-save v1.8.3 on Fri May  1 09:19:57 2020
*mangle
:PREROUTING ACCEPT [426803:457696774]
:INPUT ACCEPT [80988:103230661]
:FORWARD ACCEPT [343929:354088890]
:OUTPUT ACCEPT [35610:8192693]
:POSTROUTING ACCEPT [378565:362086529]
[52:2704] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[1255:65260] -A FORWARD -o tun3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan_vpn MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri May  1 09:19:57 2020
# Generated by iptables-save v1.8.3 on Fri May  1 09:19:57 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_lan_vpn_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:forwarding_wan_vpn_rule - [0:0]
:input_lan_rule - [0:0]
:input_lan_vpn_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:input_wan_vpn_rule - [0:0]
:output_lan_rule - [0:0]
:output_lan_vpn_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:output_wan_vpn_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_lan_vpn_dest_ACCEPT - [0:0]
:zone_lan_vpn_dest_REJECT - [0:0]
:zone_lan_vpn_forward - [0:0]
:zone_lan_vpn_input - [0:0]
:zone_lan_vpn_output - [0:0]
:zone_lan_vpn_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
:zone_wan_vpn_dest_ACCEPT - [0:0]
:zone_wan_vpn_dest_REJECT - [0:0]
:zone_wan_vpn_forward - [0:0]
:zone_wan_vpn_input - [0:0]
:zone_wan_vpn_output - [0:0]
:zone_wan_vpn_src_REJECT - [0:0]
[497:54335] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[80493:103176406] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[79376:103098135] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[94:4888] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[178:15597] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[274:20103] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[654:42019] -A INPUT -i br-LAN_VPN -m comment --comment "!fw3" -j zone_lan_vpn_input
[11:552] -A INPUT -i tun3 -m comment --comment "!fw3" -j zone_wan_vpn_input
[343929:354088890] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[342013:353438501] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1217:389605] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[699:260784] -A FORWARD -i br-LAN_VPN -m comment --comment "!fw3" -j zone_lan_vpn_forward
[0:0] -A FORWARD -i tun3 -m comment --comment "!fw3" -j zone_wan_vpn_forward
[967:195943] -A FORWARD -m comment --comment "!fw3" -j reject
[497:54335] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[35120:8139678] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[34326:8085454] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[5:1377] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[704:46783] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o br-LAN_VPN -m comment --comment "!fw3" -j zone_lan_vpn_output
[85:6064] -A OUTPUT -o tun3 -m comment --comment "!fw3" -j zone_wan_vpn_output
[823:42776] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[377:172366] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[94:4888] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[5:1377] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[1217:389605] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[1217:389605] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[967:195943] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[178:15597] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[178:15597] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[5:1377] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[5:1377] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[178:15597] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_vpn_dest_ACCEPT -o br-LAN_VPN -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_vpn_dest_REJECT -o br-LAN_VPN -m comment --comment "!fw3" -j reject
[699:260784] -A zone_lan_vpn_forward -m comment --comment "!fw3: Custom lan_vpn forwarding rule chain" -j forwarding_lan_vpn_rule
[699:260784] -A zone_lan_vpn_forward -m comment --comment "!fw3: Zone lan_vpn to wan_vpn forwarding policy" -j zone_wan_vpn_dest_ACCEPT
[0:0] -A zone_lan_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_vpn_forward -m comment --comment "!fw3" -j zone_lan_vpn_dest_REJECT
[654:42019] -A zone_lan_vpn_input -m comment --comment "!fw3: Custom lan_vpn input rule chain" -j input_lan_vpn_rule
[0:0] -A zone_lan_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[654:42019] -A zone_lan_vpn_input -m comment --comment "!fw3" -j zone_lan_vpn_src_ACCEPT
[0:0] -A zone_lan_vpn_output -m comment --comment "!fw3: Custom lan_vpn output rule chain" -j output_lan_vpn_rule
[0:0] -A zone_lan_vpn_output -m comment --comment "!fw3" -j zone_lan_vpn_dest_ACCEPT
[654:42019] -A zone_lan_vpn_src_ACCEPT -i br-LAN_VPN -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[954:240445] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[274:20103] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[52:1456] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[222:18647] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[704:46783] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[704:46783] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[222:18647] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
[11:440] -A zone_wan_vpn_dest_ACCEPT -o tun3 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[773:266408] -A zone_wan_vpn_dest_ACCEPT -o tun3 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_vpn_dest_REJECT -o tun3 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_vpn_forward -m comment --comment "!fw3: Custom wan_vpn forwarding rule chain" -j forwarding_wan_vpn_rule
[0:0] -A zone_wan_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_vpn_forward -m comment --comment "!fw3" -j zone_wan_vpn_dest_REJECT
[11:552] -A zone_wan_vpn_input -m comment --comment "!fw3: Custom wan_vpn input rule chain" -j input_wan_vpn_rule
[0:0] -A zone_wan_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[11:552] -A zone_wan_vpn_input -m comment --comment "!fw3" -j zone_wan_vpn_src_REJECT
[85:6064] -A zone_wan_vpn_output -m comment --comment "!fw3: Custom wan_vpn output rule chain" -j output_wan_vpn_rule
[85:6064] -A zone_wan_vpn_output -m comment --comment "!fw3" -j zone_wan_vpn_dest_ACCEPT
[11:552] -A zone_wan_vpn_src_REJECT -i tun3 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri May  1 09:19:57 2020
# Generated by ip6tables-save v1.8.3 on Fri May  1 09:19:57 2020
*mangle
:PREROUTING ACCEPT [11968:5342181]
:INPUT ACCEPT [717:80460]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [988:118567]
:POSTROUTING ACCEPT [988:118567]
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o tun3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan_vpn MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri May  1 09:19:57 2020
# Generated by ip6tables-save v1.8.3 on Fri May  1 09:19:57 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_lan_vpn_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:forwarding_wan_vpn_rule - [0:0]
:input_lan_rule - [0:0]
:input_lan_vpn_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:input_wan_vpn_rule - [0:0]
:output_lan_rule - [0:0]
:output_lan_vpn_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:output_wan_vpn_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_lan_vpn_dest_ACCEPT - [0:0]
:zone_lan_vpn_dest_REJECT - [0:0]
:zone_lan_vpn_forward - [0:0]
:zone_lan_vpn_input - [0:0]
:zone_lan_vpn_output - [0:0]
:zone_lan_vpn_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
:zone_wan_vpn_dest_ACCEPT - [0:0]
:zone_wan_vpn_dest_REJECT - [0:0]
:zone_wan_vpn_forward - [0:0]
:zone_wan_vpn_input - [0:0]
:zone_wan_vpn_output - [0:0]
:zone_wan_vpn_src_REJECT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[717:80460] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[274:46091] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[263:21273] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[180:13096] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i br-LAN_VPN -m comment --comment "!fw3" -j zone_lan_vpn_input
[0:0] -A INPUT -i tun3 -m comment --comment "!fw3" -j zone_wan_vpn_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i br-LAN_VPN -m comment --comment "!fw3" -j zone_lan_vpn_forward
[0:0] -A FORWARD -i tun3 -m comment --comment "!fw3" -j zone_wan_vpn_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[988:118567] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[371:67330] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[111:8782] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[506:42455] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o br-LAN_VPN -m comment --comment "!fw3" -j zone_lan_vpn_output
[0:0] -A OUTPUT -o tun3 -m comment --comment "!fw3" -j zone_wan_vpn_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[111:8782] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[263:21273] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[263:21273] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[111:8782] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[111:8782] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[263:21273] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_vpn_dest_ACCEPT -o br-LAN_VPN -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_vpn_dest_REJECT -o br-LAN_VPN -m comment --comment "!fw3" -j reject
[0:0] -A zone_lan_vpn_forward -m comment --comment "!fw3: Custom lan_vpn forwarding rule chain" -j forwarding_lan_vpn_rule
[0:0] -A zone_lan_vpn_forward -m comment --comment "!fw3: Zone lan_vpn to wan_vpn forwarding policy" -j zone_wan_vpn_dest_ACCEPT
[0:0] -A zone_lan_vpn_forward -m comment --comment "!fw3" -j zone_lan_vpn_dest_REJECT
[0:0] -A zone_lan_vpn_input -m comment --comment "!fw3: Custom lan_vpn input rule chain" -j input_lan_vpn_rule
[0:0] -A zone_lan_vpn_input -m comment --comment "!fw3" -j zone_lan_vpn_src_ACCEPT
[0:0] -A zone_lan_vpn_output -m comment --comment "!fw3: Custom lan_vpn output rule chain" -j output_lan_vpn_rule
[0:0] -A zone_lan_vpn_output -m comment --comment "!fw3" -j zone_lan_vpn_dest_ACCEPT
[0:0] -A zone_lan_vpn_src_ACCEPT -i br-LAN_VPN -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[506:42455] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[180:13096] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[5:256] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[75:5400] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[12:1728] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[88:5712] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[506:42455] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[506:42455] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_vpn_dest_ACCEPT -o tun3 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_vpn_dest_ACCEPT -o tun3 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_vpn_dest_REJECT -o tun3 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_vpn_forward -m comment --comment "!fw3: Custom wan_vpn forwarding rule chain" -j forwarding_wan_vpn_rule
[0:0] -A zone_wan_vpn_forward -m comment --comment "!fw3" -j zone_wan_vpn_dest_REJECT
[0:0] -A zone_wan_vpn_input -m comment --comment "!fw3: Custom wan_vpn input rule chain" -j input_wan_vpn_rule
[0:0] -A zone_wan_vpn_input -m comment --comment "!fw3" -j zone_wan_vpn_src_REJECT
[0:0] -A zone_wan_vpn_output -m comment --comment "!fw3: Custom wan_vpn output rule chain" -j output_wan_vpn_rule
[0:0] -A zone_wan_vpn_output -m comment --comment "!fw3" -j zone_wan_vpn_dest_ACCEPT
[0:0] -A zone_wan_vpn_src_REJECT -i tun3 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri May  1 09:19:57 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: br-LAN_VPN: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-LAN_VPN
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.0.97/24 brd 192.168.0.255 scope global eth0.2
       valid_lft forever preferred_lft forever
default via 192.168.0.1 dev eth0.2  src 192.168.0.97
192.168.0.0/24 dev eth0.2 scope link  src 192.168.0.97
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
192.168.2.0/24 dev br-LAN_VPN scope link  src 192.168.2.1
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.0.0 dev eth0.2 table local scope link  src 192.168.0.97
local 192.168.0.97 dev eth0.2 table local scope host  src 192.168.0.97
broadcast 192.168.0.255 dev eth0.2 table local scope link  src 192.168.0.97
broadcast 192.168.1.0 dev br-lan table local scope link  src 192.168.1.1
local 192.168.1.1 dev br-lan table local scope host  src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.1
broadcast 192.168.2.0 dev br-LAN_VPN table local scope link  src 192.168.2.1
local 192.168.2.1 dev br-LAN_VPN table local scope host  src 192.168.2.1
broadcast 192.168.2.255 dev br-LAN_VPN table local scope link  src 192.168.2.1
0:      from all lookup local
1:      from 192.168.2.1/24 iif br-LAN_VPN lookup 100
32766:  from all lookup main
32767:  from all lookup default
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 1000
    inet6 fe80::xxxx:xxxx:xxxx:xxxx/64 scope link
       valid_lft forever preferred_lft forever
5: br-LAN_VPN: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::xxxx:xxxx:xxxx:xxxx/64 scope link
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd1f:bd69:bd00::1/60 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::xxxx:xxxx:xxxx:xxxx/64 scope link
       valid_lft forever preferred_lft forever
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a00:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:65e3/64 scope global dynamic
       valid_lft 604628sec preferred_lft 604628sec
    inet6 fe80::4231:3cff:fe0b:xxxx/64 scope link
       valid_lft forever preferred_lft forever
default from 2a00:xxxx:xxxx:xxxxx::/64 via fe80::xxxx:xxxx:xxxx:xxxxx dev eth0.2  metric 384
2a00:xxxx:xxxx:xxxx::/64 dev eth0.2  metric 256
fd1f:xxxx:xxxx::/64 dev br-lan  metric 1024
unreachable fd1f:xxxx:xxxx::/48 dev lo  metric 2147483647  error -148
fe80::/64 dev eth0  metric 256
fe80::/64 dev br-lan  metric 256
fe80::/64 dev eth0.2  metric 256
fe80::/64 dev br-LAN_VPN  metric 256
local ::1 dev lo table local  metric 0
anycast 2a00:xxxx:xxxx:xxxx:: dev eth0.2 table local  metric 0
local 2a00:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx dev eth0.2 table local  metric 0
anycast fd1f:xxxx:xxxx:: dev br-lan table local  metric 0
local fd1f:xxxx:xxxx::1 dev br-lan table local  metric 0
anycast fe80:: dev br-lan table local  metric 0
anycast fe80:: dev eth0 table local  metric 0
anycast fe80:: dev eth0.2 table local  metric 0
anycast fe80:: dev br-LAN_VPN table local  metric 0
local fe80::4231:xxxx:xxxx:xxxx dev eth0 table local  metric 0
local fe80::4231:xxxx:xxxx:xxxx dev eth0.2 table local  metric 0
local fe80::4231:xxxx:xxxx:xxxx dev br-LAN_VPN table local  metric 0
local fe80::4231:xxxx:xxxx:xxxx dev br-lan table local  metric 0
ff00::/8 dev eth0 table local  metric 256
ff00::/8 dev br-lan table local  metric 256
ff00::/8 dev eth0.2 table local  metric 256
ff00::/8 dev br-LAN_VPN table local  metric 256
0:      from all lookup local
32766:  from all lookup main
4200000001:     from all iif lo lookup unspec 12
4200000005:     from all iif br-LAN_VPN lookup unspec 12
4200000007:     from all iif br-lan lookup unspec 12
4200000009:     from all iif eth0.2 lookup unspec 12
4200000009:     from all iif eth0.2 lookup unspec 12
lrwxrwxrwx    1 root     root            16 Feb 27 21:05 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 May  1 08:25 /tmp/resolv.conf
-rw-r--r--    1 root     root            90 May  1 08:26 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 192.168.0.1
# Interface wan6
nameserver 2a00:xxxx:xxxx:xxxx::1

Thank you in advance.

Remove this from lan and LAN_VPN interface:

Change this to 192.168.2.0/24

config rule
...
       option src '192.168.2.1/24'

Thanks for your response.
I changed what you told me, so my network config is now that :

# /etc/config/network as posted, after changing the rule source to 192.168.2.0/24.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd1f:bd69:bd00::/48'

# Bridge over VLAN 1 (eth0.1), 192.168.1.0/24; no policy rule, so it follows
# the main table and therefore the WAN default route.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr '40:31:3c:0b:65:e4'

# wan and wan6 share VLAN 2 (eth0.2); the DHCP default route lands in the main table.
config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1: CPU port 6 tagged, ports 2 and 1 untagged.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '6t 2 1'

# VLAN 2 (WAN): CPU port 6 tagged, port 4.
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '6t 4'
        option vid '2'

# Bridge over VLAN 3 (eth0.3), 192.168.2.0/24: the network that should only
# use the tunnel. Its Linux device is br-LAN_VPN (see `ip -4 addr`).
config interface 'LAN_VPN'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option ifname 'eth0.3'
        option type 'bridge'
        option netmask '255.255.255.0'

# Unmanaged wrapper around the OpenVPN device so it can be referenced by
# routes and by the firewall (zone wan_vpn uses tun3).
config interface 'tun3'
        option ifname 'tun3'
        option proto 'none'

# VLAN 3: CPU port 6 tagged, port 3.
config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '6t 3'
        option vid '3'

# Packets entering on LAN_VPN with a 192.168.2.0/24 source are looked up in
# table 100 (visible in `ip -4 ru` as "from ... iif br-LAN_VPN lookup 100").
config rule
        option in 'LAN_VPN'
        option src '192.168.2.0/24'
        option lookup '100'

# Default route of table 100 through tun3. It only exists while tun3 is up;
# when the tunnel is down table 100 is empty and the lookup continues with the
# main table (rule 32766), so at that point the firewall zone forwardings,
# not this route, decide whether LAN_VPN can reach the WAN.
config route
        option interface 'tun3'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option metric '200'
        option table '100'

I reboot the router but it doesn't work as I want.
Like on my first post :

  • When OpenVPN is stopped, it works :
    I have access to the internet with devices in 'lan' (with the WAN address) but no internet with devices in 'LAN_VPN'
  • When OpenVPN is started, it doesn't work :
    I have access to the internet with devices in "LAN_VPN" (with the VPN IP address) but no internet with devices in 'lan'.

I also noticed that, when I start OpenVPN, 4 routes for tun3 and 1 for wan are created in the IPv4 routing table. I don't know if this is normal or not.

OpenVPN disabled :

OpenVPN enabled :

The routes 0.0.0.0/1 and 128.0.0.0/1 are overriding your default route (0.0.0.0/0) for the 'main' table. You need to configure the openvpn client to not install these routes.

These routes can be configured locally or pushed from the server. If they are configured locally, it's fairly straightforward to remove them. If pushed from the server, there are several options for preventing the client from installing them, for example --route-noexec or --route-nopull. You can see a description for these options in the manual.

In your previous answer there was no tunnel active so I couldn't tell what else was the problem.
Disregard the default gateway as @Joshua mentioned above and it will be fine.

Thank you for your responses.

I put route-noexec in my ovpn file.
Since then, I no longer have the problem with the wan and vpn default routes.
But I don't have access to the VPN internet in LAN_VPN.

So I try two things :

  • I add to the ovpn file :
# With route-noexec set, OpenVPN installs no routes at all, so this 'route'
# line is never applied. Note that a client 'route' directive asks OpenVPN to
# send 192.168.2.0/24 *into* the tunnel; it does not select which local
# network uses the tunnel as its default path.
route-noexec
route 192.168.2.0 255.255.255.0

But it doesn't work.

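#!/bin/sh
# OpenVPN --route-up hook: send the LAN_VPN subnet (192.168.2.0/24) through the
# tunnel by way of a dedicated routing table instead of the main table.
#
# OpenVPN exports $dev, $ifconfig_local, $ifconfig_remote and
# $route_vpn_gateway into the environment. Everything except $dev is pushed
# by the VPN server, so it is validated before being spliced into a command.
#
# Needs in the .ovpn file:  script-security 2, route-noexec,
#                           route-up '/etc/openvpn/route-up.sh'
#
# Exit status: 0 on success, 1 when a required ip command fails (OpenVPN then
# logs "Failed running command (--route-up)"). iproute2 itself exits with 255
# when it is given an argument it cannot parse, e.g. a routing-table *name*
# that is not listed in /etc/iproute2/rt_tables; a bare "table vpn" with no
# rt_tables entry is the most likely source of the "error status: 255" seen
# in the log. Using a numeric table id avoids that dependency.

# Routing table id (numeric, or a name present in /etc/iproute2/rt_tables).
# 100 is the id the 'lookup 100' rule in /etc/config/network already uses.
TABLE=100
# Linux device behind the LAN_VPN interface (bridge, see `ip -4 addr`);
# the UCI interface name 'LAN_VPN' is not a device and `ip` rejects it.
VPN_BR="br-LAN_VPN"
VPN_NET="192.168.2.0/24"
VPN_ROUTER_IP="192.168.2.1"

echo "$dev : $ifconfig_local -> $ifconfig_remote gw: $route_vpn_gateway"

# Accept the pushed gateway only if it is a plain dotted-quad; anything else
# (empty, or containing characters outside [0-9.]) is treated as "no gateway".
case "$route_vpn_gateway" in
    "") GW="" ;;
    *[!0-9.]*) GW="" ;;
    *) GW="$route_vpn_gateway" ;;
esac

# With --route-noexec the server's redirect-gateway halves (0.0.0.0/1 and
# 128.0.0.0/1) are never installed, so these deletions normally find nothing.
# They stay as a safety net in case route-noexec is removed; their errors are
# silenced so a "No such process" cannot become the script's exit status.
if [ -n "$GW" ]; then
    /sbin/ip route del 128.0.0.0/1 via "$GW" 2>/dev/null
    /sbin/ip route del 0.0.0.0/1 via "$GW" 2>/dev/null
fi

# route-up runs on every (re)connect; drop earlier copies of the policy rules
# so they do not accumulate, then add each exactly once.
while /sbin/ip rule del from "$VPN_NET" table "$TABLE" 2>/dev/null; do :; done
while /sbin/ip rule del to "$VPN_NET" table "$TABLE" 2>/dev/null; do :; done
# Lookups for traffic sourced from, or destined to, LAN_VPN use $TABLE.
/sbin/ip rule add from "$VPN_NET" table "$TABLE" || exit 1
/sbin/ip rule add to "$VPN_NET" table "$TABLE" || exit 1

# Default route of the table through the tunnel device; 'replace' is
# idempotent, so a reconnect does not fail with "File exists".
if [ -n "$GW" ]; then
    /sbin/ip route replace default via "$GW" dev "$dev" table "$TABLE" || exit 1
else
    /sbin/ip route replace default dev "$dev" table "$TABLE" || exit 1
fi

# Connected route for the VLAN itself, so replies and router-originated
# traffic towards LAN_VPN hosts resolve inside the same table.
# (192.168.2.1 is the router's source address on that bridge.)
/sbin/ip route replace "$VPN_NET" dev "$VPN_BR" src "$VPN_ROUTER_IP" table "$TABLE" || exit 1

# Fallback with a worse metric than the tunnel route: if the tun device (and
# its default route) goes away, the lookup must stop here instead of falling
# through to the main table and sending LAN_VPN traffic out of the WAN.
/sbin/ip route replace unreachable default table "$TABLE" metric 1000 || exit 1

exit 0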

and I add to the ovpn file :

# route-noexec: do not install any routes (local or pushed by the server).
# script-security 2: allow OpenVPN to execute external scripts.
# route-up: run the script once the tunnel device is up, with $dev and the
# server-pushed $route_vpn_gateway in its environment; it still runs even
# though route-noexec suppresses the routes themselves.
route-noexec
script-security 2
route-up '/etc/openvpn/route-up.sh'

But when I reboot the router and I check System Logs, I have the following warning :

Fri May  1 23:59:08 2020 daemon.warn openvpn(VPN)[3177]: WARNING: Failed running command (--route-up): external program exited with error status: 255

Do you have any idea how I can solve this?

Add `via $route_vpn_gateway` at the end of `/sbin/ip route add table vpn default dev ${dev}`

@trendy : I added `via $route_vpn_gateway` in the route-up.sh file.

But I still have a problem running the --route-up command; System Logs show: WARNING: Failed running command (--route-up): external program exited with error status: 255

I don't understand why ...

I made the file route-up.sh executable:

chmod +x /etc/openvpn/route-up.sh

My Ovpn file is :

# Client profile for the tun3 tunnel (credentials and certificates redacted).
client
dev tun3

proto udp
remote xxxxxxxxxx.protonvpn.com 80

resolv-retry infinite
nobind
# Fallback data-channel cipher only: the log shows the server negotiating
# AES-256-GCM over this ("Data Channel: using negotiated cipher 'AES-256-GCM'").
cipher AES-256-CBC
auth SHA512
comp-lzo no
verb 3

tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun

reneg-sec 0

# Refuse a peer whose certificate lacks the server EKU ("VERIFY EKU OK" in the log).
remote-cert-tls server
# The log warns that credentials read from this file may stay cached in
# memory; adding 'auth-nocache' is the option the warning itself points to.
auth-user-pass '/etc/openvpn/ProtonVPN.auth'

# Required for route-up to execute an external script; that script runs with
# the daemon's privileges and receives server-pushed values in its environment.
script-security 2
route-noexec
route-up '/etc/openvpn/route-up.sh'

fast-io


<ca>
-----BEGIN CERTIFICATE-----
xxxxx
-----END CERTIFICATE-----
</ca>

# Pre-shared control-channel HMAC key; key-direction 1 is the client side.
key-direction 1
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
xxxxx
-----END OpenVPN Static key V1-----
</tls-auth>

And in system logs, I have :

daemon.notice openvpn(VPN)[2378]: OpenVPN 2.4.7 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
daemon.notice openvpn(VPN)[2378]: library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.10
daemon.warn openvpn(VPN)[2378]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
daemon.notice openvpn(VPN)[2378]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
daemon.notice openvpn(VPN)[2378]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
daemon.notice openvpn(VPN)[2378]: TCP/UDP: Preserving recently used remote address: [AF_INET]103.125.234.202:80
daemon.notice openvpn(VPN)[2378]: Socket Buffers: R=[163840->163840] S=[163840->163840]
daemon.notice openvpn(VPN)[2378]: UDP link local: (not bound)
daemon.notice openvpn(VPN)[2378]: UDP link remote: [AF_INET]103.125.234.202:80
daemon.notice openvpn(VPN)[2378]: TLS: Initial packet from [AF_INET]103.125.234.202:80, sid=45d8dffe 5fd15c9b
daemon.warn openvpn(VPN)[2378]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
daemon.notice openvpn(VPN)[2378]: VERIFY OK: depth=2, C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA
daemon.notice openvpn(VPN)[2378]: VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
daemon.notice openvpn(VPN)[2378]: VERIFY KU OK
daemon.notice openvpn(VPN)[2378]: Validating certificate extended key usage
daemon.notice openvpn(VPN)[2378]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
daemon.notice openvpn(VPN)[2378]: VERIFY EKU OK
daemon.notice openvpn(VPN)[2378]: VERIFY OK: depth=0, CN=jp-105.protonvpn.com
daemon.notice openvpn(VPN)[2378]: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
daemon.notice openvpn(VPN)[2378]: [jp-105.protonvpn.com] Peer Connection Initiated with [AF_INET]103.125.234.202:80
daemon.notice openvpn(VPN)[2378]: SENT CONTROL [jp-105.protonvpn.com]: 'PUSH_REQUEST' (status=1)
daemon.notice openvpn(VPN)[2378]: SENT CONTROL [jp-105.protonvpn.com]: 'PUSH_REQUEST' (status=1)
daemon.notice openvpn(VPN)[2378]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.8.1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.8.0.28 255.255.255.0,peer-id 31,cipher AES-256-GCM'
daemon.notice openvpn(VPN)[2378]: OPTIONS IMPORT: timers and/or timeouts modified
daemon.notice openvpn(VPN)[2378]: OPTIONS IMPORT: explicit notify parm(s) modified
daemon.notice openvpn(VPN)[2378]: OPTIONS IMPORT: compression parms modified
daemon.notice openvpn(VPN)[2378]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
daemon.notice openvpn(VPN)[2378]: Socket Buffers: R=[163840->327680] S=[163840->327680]
daemon.notice openvpn(VPN)[2378]: OPTIONS IMPORT: --ifconfig/up options modified
daemon.notice openvpn(VPN)[2378]: OPTIONS IMPORT: route options modified
daemon.notice openvpn(VPN)[2378]: OPTIONS IMPORT: route-related options modified
daemon.notice openvpn(VPN)[2378]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
daemon.notice openvpn(VPN)[2378]: OPTIONS IMPORT: peer-id set
daemon.notice openvpn(VPN)[2378]: OPTIONS IMPORT: adjusting link_mtu to 1657
daemon.notice openvpn(VPN)[2378]: OPTIONS IMPORT: data channel crypto options modified
daemon.notice openvpn(VPN)[2378]: Data Channel: using negotiated cipher 'AES-256-GCM'
daemon.notice openvpn(VPN)[2378]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
daemon.notice openvpn(VPN)[2378]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
daemon.notice openvpn(VPN)[2378]: TUN/TAP device tun3 opened
daemon.notice openvpn(VPN)[2378]: TUN/TAP TX queue length set to 100
daemon.notice openvpn(VPN)[2378]: /sbin/ifconfig tun3 10.8.0.28 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
daemon.notice netifd: Interface 'tun3' is enabled
daemon.notice netifd: Network device 'tun3' link is up
daemon.notice netifd: Interface 'tun3' has link connectivity
daemon.notice netifd: Interface 'tun3' is setting up now
daemon.notice netifd: Interface 'tun3' is now up
user.notice firewall: Reloading firewall due to ifup of tun3 (tun3)
daemon.warn odhcpd[1131]: A default route is present but there is no public prefix on lan thus we don't announce a default route!
daemon.warn openvpn(VPN)[2378]: WARNING: Failed running command (--route-up): external program exited with error status: 255
daemon.notice openvpn(VPN)[2378]: Initialization Sequence Completed

What am I doing wrong?
Thank you in advance.

I am not sure what is wrong here.
May I suggest a different approach that I have tried and that is working?
Let OpenVPN install the routes. Don't run any script on tunnel up.

# Inverse approach: let OpenVPN's pushed 0.0.0.0/1 + 128.0.0.0/1 routes win in
# the main table (so the router and LAN_VPN default to the tunnel) and instead
# pin traffic entering on 'lan' to the WAN gateway through table 100.
config rule
        option in 'lan'
        option lookup '100'

# Default route of table 100: directly to the upstream router on the WAN
# interface. 'gateway' is what creates the next hop; without it table 100
# stays empty (check with `ip -4 ro li tab 100`).
config route
        option interface 'wan'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option gateway '192.168.0.1'
        option table '100'

Hello, I tried your rule and route with lan and wan, but it's not working either.

So now, my Ovpn file is :

# Same client profile as before, with the script-security / route-noexec /
# route-up lines removed so that OpenVPN installs the pushed routes itself.
client
dev tun3

proto udp
remote xxxxxxxxxx.protonvpn.com 80

resolv-retry infinite
nobind
# Only a fallback; the server negotiates AES-256-GCM (see the earlier log).
cipher AES-256-CBC
auth SHA512
comp-lzo no
verb 3

tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun

reneg-sec 0

# Peer certificate must carry the server EKU.
remote-cert-tls server
# See the "may cache passwords in memory" warning in the log; 'auth-nocache' addresses it.
auth-user-pass '/etc/openvpn/ProtonVPN.auth'

fast-io


<ca>
-----BEGIN CERTIFICATE-----
xxxxx
-----END CERTIFICATE-----
</ca>

# Control-channel HMAC key; direction 1 = client side.
key-direction 1
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
xxxxx
-----END OpenVPN Static key V1-----
</tls-auth>

and /etc/config/network is :

# /etc/config/network with the 'lan' -> table 100 -> WAN approach applied.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd1f:bd69:bd00::/48'

# VLAN 1 bridge, 192.168.1.0/24: the network that should keep using the WAN.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr '40:31:3c:0b:65:e4'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '6t 2 1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '6t 4'
        option vid '2'

# VLAN 3 bridge (br-LAN_VPN), 192.168.2.0/24: with this approach it is not
# given its own table and simply follows the main table, i.e. the tunnel
# once OpenVPN has installed its routes.
config interface 'LAN_VPN'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option ifname 'eth0.3'
        option type 'bridge'
        option netmask '255.255.255.0'

config interface 'tun3'
        option ifname 'tun3'
        option proto 'none'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '6t 3'
        option vid '3'

# Traffic entering on 'lan' is looked up in table 100 first.
config rule
        option in 'lan'
        option lookup '100'

# Intended as the default route of table 100 towards the WAN router.
# NOTE: 'source' only sets the preferred source address of the route; it does
# not define a next hop. Without 'gateway' no route is created and table 100
# stays empty (`ip -4 ro li tab 100` shows nothing), which is why the pushed
# VPN routes in the main table still win for 'lan'.
config route
        option interface 'wan'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option source '192.168.0.1'
        option table '100'

and after reboot, I have the previous problem again with the VPN overriding my default route:

Routing table 100 has not been created. Your route stanza is wrong: you have 'source' where I wrote 'gateway'.

Hello,

I created the routing table 100, the file /etc/iproute2/rt_tables is :

# /etc/iproute2/rt_tables: id-to-name aliases used only when `ip` parses a
# table *name* on its command line. Adding a line here does not create a
# table; a table exists as soon as a route is added to it (`ip -4 ro li tab 100`).
128 prelocal
255 local
254 main
253 default
0 unspec
#1 inr.ruhep
# Alias so that "table tablewan" and "table 100" mean the same thing to `ip`.
100 tablewan

but it doesn't work.

There is something I don't understand: when I look at the static IPv4 routes in LuCI, table 100 doesn't appear. The wan interface is routed in the main table (254) and I don't see table 100.


This is just an alias.

To verify the routing table 100 is there give the command ip -4 ro li tab 100

There is no output when I run the command ip -4 ro li tab 100,
so there is no routing table 100 ...

Then paste the lines correctly in network without mistakes this time and restart network service:

# Default route of table 100 via the upstream router on 'wan'. 'gateway'
# (not 'source') supplies the next hop, which is what actually populates
# table 100; verify afterwards with `ip -4 ro li tab 100`.
config route
        option interface 'wan'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option gateway '192.168.0.1'
        option table '100'

Ok, it seems to work.

To make sure I understand the routing: my main network is now routed in table "tablewan" (100) whereas my VPN network uses the main table? Is this right?