[SOLVED] Can't access to devices, wrong firewall rule or missing route?

Hi, I'm experimenting difficulty to connect to my devices when I'm not at home.

I've configured one openvpn server (maybe I miss some firewall rules?) And then I connect to it when I'm not at home, then from here I reach all my lan, but I miss some!

I added the route rule to my nas and seems to be ok, maybe I set in a bad way the openvpn server or I do mistake with the firewall?

Here the route on my router:

root@OpenWrt:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface         UG    0      0        0 eth0.2   U     0      0        0 br-lan   U     0      0        0 tun0 UGH   0      0        0 tun1 UH    0      0        0 tun1   U     0      0        0 eth0.2 UH    0      0        0 tun1

tun0 -> the openvpn server
tun1 -> the openvpn client (PIA)

This's the route from my nas:

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface         UG    0      0        0 bond0   U     0      0        0 bond0   UG    0      0        0 bond0

I also have installed the PBR script and I put

pull-filter ignore "redirect-gateway"
To client configuration so in this way the pbr rule works inside-out

Here the vpn-policy-routing config:

config vpn-policy-routing 'config'
	option enabled '1'
	option verbosity '2'
	option ipv6_enabled '0'
	option ipset_enabled '1'
	option dnsmasq_enabled '0'
	option strict_enforcement '1'
	option boot_timeout '30'
	list supported_interface 'PIA_VPN'
	list ignored_interface 'lan'

config include
	option path '/etc/vpn-policy-routing.netflix.user'
	option enabled '0'

config include
	option path '/etc/vpn-policy-routing.aws.user'
	option enabled '0'

config policy
	option chain 'PREROUTING'
	option name 'Nas'
	option local_address ''
	option proto 'tcp udp'
	option interface 'PIA_VPN'

This's the support:

root@OpenWrt:~# /etc/init.d/vpn-policy-routing support
vpn-policy-routing 0.0.7-7 running on OpenWrt 18.06.4.
Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify dumpfile
Routes/IP Rules
default         UG    0      0        0 eth0.2
IPv4 Table 201: default via dev eth0.2
IPv4 Table 201 Rules:
32727:  from all fwmark 0x10000 lookup 201
IPv4 Table 202: default via dev tun1
IPv4 Table 202 Rules:
32726:  from all fwmark 0x20000 lookup 202
-A VPR_PREROUTING -s -p udp -m comment --comment Nas -c 3283 479683 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -s -p tcp -m comment --comment Nas -c 5561 472261 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set PIA_VPN dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create PIA_VPN hash:net family inet hashsize 1024 maxelem 65536 comment
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]

My modem is
Router with dhch to
All my devices are under 10.0.0.X

What I miss?


What exact you miss? I don't get the point, what is not working...

Only one device can not be reached from external over your openvpn server, I am right?
The OpenVPN Server is on your Router (Default GW) or your NAS?

From your routing table your posted, the server is running on your OpenWRT-Router.
The NAS is the device you can't reach???
The is the internal ip of your openwrt-router ? (as you have written) is your VPN network (from your routing table - yes)? when yes, you don't need to define it on your NAS, because your default gw will handle the route.

for what your use vpn-policy-routing??

You need to configure OpenVPN server over TCP if you want to run server and client with gateway redirection.

Maybe was not clear, but yes, my nas.

Now I can reach all my lan and the nas too, I've another problem (from the very last update) but for this I think I've to open a new post

@vgaetera, @ThomasCr

I resolved this, following the documentation and with a lot of search, because I'm noob on firewall etc!!!!
Openvpn server is under udp and working, till today but is a different problem.

So for me the solution is:

  1. add this rule to client configuration
    pull-filter ignore "redirect-gateway"
    In this way the rule that I put inside Policies are vice-versa style
  2. Then only one policies that use the vpn interface
  3. Then from advanced configuration -> Append local IP Tables rules
    ! -d

In this way I can reach my nas when I connect from outside home.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.