[Solved] OpenVPN accesses LAN but not WAN

Hello.

I set up an OpenVPN server on my router and can connect to it from the internet and reach my internal LAN network (in my case, from the VPN to LAN_Port_4, 192.168.4.0/24).

  1. I'm unable to access the internet while on the VPN (I can't even ping 8.8.8.8). All other LAN networks on the router reach the internet fine. I believe I correctly followed the posted how-to for setting up the server on OpenWrt.

  2. From the VPN, the only internal address I can't reach is 192.168.4.2 (another router). I can reach that device (and the devices behind it) from the LAN_Port_4 network itself, just not from the VPN.

Thanks for any insight you might have.

Here are some outputs from the router that may help in finding where I went wrong (addresses and MACs have been redacted as X.X.X.X / XX:XX:XX:XX:XX:XX).

#ubus call system board

{
        "kernel": "5.4.154",
        "hostname": "ABCD",
        "system": "ARMv7 Processor rev 1 (v7l)",
        "model": "Linksys WRT3200ACM",
        "board_name": "linksys,wrt3200acm",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02.1",
                "revision": "r16325-88151b8303",
                "target": "mvebu/cortexa9",
                "description": "OpenWrt 21.02.1 r16325-88151b8303"
        }

#server.conf

# OpenVPN server configuration as pasted in the thread.
# NOTE(review): no ca/cert/key/dh (or ecdh) directives and no tls-crypt/tls-auth
# line appear in this paste. If they are genuinely absent from the running config,
# confirm how clients are authenticated; adding `tls-crypt` is recommended so that
# unauthenticated UDP packets on 1194 are discarded before the TLS handshake.

# Drop root privileges once the tunnel is up. persist-tun/persist-key below keep
# the tun device open and the keys in memory so restarts work without root.
user nobody
group nogroup
# Routed (layer-3) tunnel listening on UDP/1194.
dev tun
port 1194
proto udp
# Client address pool. It must not overlap any subnet reachable through the
# tunnel -- later in the thread the LAN behind 192.168.4.2 turned out to also use
# 192.168.8.0/24, which broke reachability until that router was renumbered.
server 192.168.8.0 255.255.255.0
topology subnet
# Lets VPN clients talk to each other; this traffic is switched inside the
# OpenVPN process and is not seen by the router's firewall zones.
client-to-client
keepalive 10 60
persist-tun
persist-key
# Clients resolve via Google DNS rather than the router's dnsmasq; use 192.168.8.1
# instead if local (.lan) name resolution over the VPN is wanted.
push "dhcp-option DNS 8.8.8.8"
# Full tunnel: all client traffic goes through the VPN. Internet access then
# depends on the router forwarding VPN -> WAN and masquerading on the WAN zone.
push "redirect-gateway"
push "persist-tun"
push "persist-key"
# Redundant under redirect-gateway (the pushed default route already covers it); harmless.
push "route 192.168.0.0 255.255.255.0"

#uci export network

package network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
config globals 'globals'
        option ula_prefix 'xxxx:xxxx:xxxx::/48'
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.1'
config device
        option name 'wan'
        option macaddr 'XX:XX:XX:XX:XX:XX
config interface 'wan'
        option device 'wan'
        option proto 'static'
        option ipaddr 'X.X.X.X'
        option netmask '255.255.255.0'
        option gateway 'X.X.X.Y'
        option broadcast 'X.X.X.Z'
        list dns '8.8.8.8'
config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
config interface 'LAN_Port_4'
        option proto 'static'
        option device 'lan4'
        option netmask '255.255.255.0'
        option ipaddr '192.168.4.1'
config interface 'LAN_Port_3'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.3.1'
        option device 'lan3'
config interface 'Wireless'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        list dns '8.8.8.8'
        option device 'radio1.network1'
config route
        option target '192.168.11.204'
        option gateway '192.168.3.215'
        option interface 'LAN_Port_3'
config interface 'VPN'
        option proto 'none'
        option device 'tun0'

#uci export dhcp

package dhcp
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'
config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
config dhcp 'LAN_Port_4'
        option interface 'LAN_Port_4'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'
config dhcp 'LAN_Port_3'
        option interface 'LAN_Port_3'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'
config dhcp 'Wireless'
        option interface 'Wireless'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'

#uci export firewall

package firewall
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
config zone 'lan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option name 'WAN'
        option input 'DROP'
        option forward 'DROP'
        list device 'tun+'
        list network 'wan'
        list network 'wan6'
config zone 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'LAN'
        list network 'lan'
config forwarding
        option dest 'WAN'
        option src 'LAN'
config rule
        option name 'Allow-DHCP-Renew'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
        option src 'WAN'
config rule
        option name 'Allow-Ping'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option src 'WAN'
config rule
        option name 'Allow-IGMP'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option src 'WAN'
config rule
        option name 'Allow-DHCPv6'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'WAN'
config rule
        option name 'Allow-MLD'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'WAN'
config rule
        option name 'Allow-ICMPv6-Input'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'WAN'
config rule
        option name 'Allow-ICMPv6-Forward'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'WAN'
config rule
        option name 'Allow-IPSec-ESP'
        option proto 'esp'
        option target 'ACCEPT'
        option src 'WAN'
        option dest 'LAN'
config rule
        option name 'Allow-ISAKMP'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option src 'WAN'
        option dest 'LAN'
config rule
        option name 'Support-UDP-Traceroute'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option src 'WAN'
        option enabled '0'
config include
        option path '/etc/firewall.user'  (note that this file is effectively empty)
config zone
        option name 'LAN_Port_3'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        list network 'LAN_Port_3'
config zone
        option name 'LAN_Port_4'
        option output 'ACCEPT'
        option input 'REJECT'
        option forward 'REJECT'
        list network 'LAN_Port_4'
config forwarding
        option src 'LAN_Port_4'
        option dest 'WAN'
config forwarding
        option src 'LAN'
        option dest 'LAN_Port_4'
config zone
        option name 'Wireless'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        list network 'Wireless'
config forwarding
        option src 'Wireless'
        option dest 'WAN'
config rule
        option name 'LAN Port 3 DHCP'
        option src 'LAN_Port_3'
        option dest_port '67-68'
        option target 'ACCEPT'
config rule
        option name 'LAN Port 3 DNS'
        option src 'LAN_Port_3'
        option dest_port '53'
        option target 'ACCEPT'
config rule
        option target 'ACCEPT'
        option src 'LAN_Port_4'
        option name 'LAN Port 4 DHCP'
        option dest_port '67-68'
config rule
        option target 'ACCEPT'
        option src 'LAN_Port_4'
        option name 'LAN Port 4 DNS'
        option dest_port '53'
config rule
        option target 'ACCEPT'
        option src 'Wireless'
        option name 'Wireless DHCP'
        option dest_port '67-68'
config rule
        option target 'ACCEPT'
        option src 'Wireless'
        option name 'Wireless DNS'
        option dest_port '53'
config forwarding
        option src 'LAN_Port_3'
        option dest 'WAN'
config forwarding
        option src 'LAN'
        option dest 'LAN_Port_3'
config rule
        option name 'OpenVPN'
        list proto 'udp'
        option src 'WAN'
        option dest_port '1194'
        option target 'ACCEPT'
        option enabled '0'
config zone
        option name 'VPN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'VPN'
        option forward 'ACCEPT'
        option mtu_fix '1'
config forwarding
        option src 'VPN'
        option dest 'WAN'
config forwarding
        option src 'VPN'
        option dest 'LAN_Port_4'
config forwarding
        option src 'LAN'

#ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: lan4@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.4.1/24 brd 192.168.4.255 scope global lan4
       valid_lft forever preferred_lft forever
4: lan3@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.3.1/24 brd 192.168.3.255 scope global lan3
       valid_lft forever preferred_lft forever
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet X.X.X.X/24 brd X.X.X.Y scope global wan
       valid_lft forever preferred_lft forever
13: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.0.1/24 brd 192.168.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
17: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    inet 10.0.0.1/24 brd 10.0.0.255 scope global wlan1
       valid_lft forever preferred_lft forever
29: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
    inet 192.168.8.1/24 scope global tun0
       valid_lft forever preferred_lft forever
default via X.X.X.Y dev wan
10.0.0.0/24 dev wlan1 scope link  src 10.0.0.1
192.168.0.0/24 dev br-lan scope link  src 192.168.0.1
192.168.3.0/24 dev lan3 scope link  src 192.168.3.1
192.168.4.0/24 dev lan4 scope link  src 192.168.4.1
192.168.8.0/24 dev tun0 scope link  src 192.168.8.1
192.168.11.204 via 192.168.3.215 dev lan3
X.X.X.0/24 dev wan scope link  src X.X.X.X
broadcast 10.0.0.0 dev wlan1 table local scope link  src 10.0.0.1
local 10.0.0.1 dev wlan1 table local scope host  src 10.0.0.1
broadcast 10.0.0.255 dev wlan1 table local scope link  src 10.0.0.1
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.0.0 dev br-lan table local scope link  src 192.168.0.1
local 192.168.0.1 dev br-lan table local scope host  src 192.168.0.1
broadcast 192.168.0.255 dev br-lan table local scope link  src 192.168.0.1
broadcast 192.168.3.0 dev lan3 table local scope link  src 192.168.3.1
local 192.168.3.1 dev lan3 table local scope host  src 192.168.3.1
broadcast 192.168.3.255 dev lan3 table local scope link  src 192.168.3.1
broadcast 192.168.4.0 dev lan4 table local scope link  src 192.168.4.1
local 192.168.4.1 dev lan4 table local scope host  src 192.168.4.1
broadcast 192.168.4.255 dev lan4 table local scope link  src 192.168.4.1
broadcast 192.168.8.0 dev tun0 table local scope link  src 192.168.8.1
local 192.168.8.1 dev tun0 table local scope host  src 192.168.8.1
broadcast 192.168.8.255 dev tun0 table local scope link  src 192.168.8.1
broadcast X.X.X.0 dev wan table local scope link  src X.X.X.X
local X.X.X.X dev wan table local scope host  src X.X.X.X
broadcast X.X.X.Z dev wan table local scope link  src X.X.X.X
broadcast X.X.X.255 dev wan table local scope link  src X.X.X.X
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

#route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         X.X.X.Y         0.0.0.0         UG    0      0        0 wan
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 wlan1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 lan3
192.168.4.0     0.0.0.0         255.255.255.0   U     0      0        0 lan4
192.168.8.0     0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.11.204  192.168.3.215   255.255.255.255 UGH   0      0        0 lan3
X.X.X.0         0.0.0.0         255.255.255.0   U     0      0        0 wan

#ip route

default via 216.17.235.78 dev wan
10.0.0.0/24 dev wlan1 scope link  src 10.0.0.1
192.168.0.0/24 dev br-lan scope link  src 192.168.0.1
192.168.3.0/24 dev lan3 scope link  src 192.168.3.1
192.168.4.0/24 dev lan4 scope link  src 192.168.4.1
192.168.8.0/24 dev tun0 scope link  src 192.168.8.1
192.168.11.204 via 192.168.3.215 dev lan3
X.X.X.0/24 dev wan scope link  src X.X.X.X

#iptables-save -t nat

#Generated by iptables-save v1.8.7 on Sat Jan 22 22:22:12 2022
*nat
:PREROUTING ACCEPT [3605:590057]
:INPUT ACCEPT [92:9433]
:OUTPUT ACCEPT [60:4110]
:POSTROUTING ACCEPT [1008:52480]
:FWKNOP_MASQUERADE - [0:0]
:FWKNOP_POSTROUTING - [0:0]
:FWKNOP_PREROUTING - [0:0]
:postrouting_LAN_Port_3_rule - [0:0]
:postrouting_LAN_Port_4_rule - [0:0]
:postrouting_LAN_rule - [0:0]
:postrouting_VPN_rule - [0:0]
:postrouting_WAN_rule - [0:0]
:postrouting_Wireless_rule - [0:0]
:postrouting_rule - [0:0]
:prerouting_LAN_Port_3_rule - [0:0]
:prerouting_LAN_Port_4_rule - [0:0]
:prerouting_LAN_rule - [0:0]
:prerouting_VPN_rule - [0:0]
:prerouting_WAN_rule - [0:0]
:prerouting_Wireless_rule - [0:0]
:prerouting_rule - [0:0]
:zone_LAN_Port_3_postrouting - [0:0]
:zone_LAN_Port_3_prerouting - [0:0]
:zone_LAN_Port_4_postrouting - [0:0]
:zone_LAN_Port_4_prerouting - [0:0]
:zone_LAN_postrouting - [0:0]
:zone_LAN_prerouting - [0:0]
:zone_VPN_postrouting - [0:0]
:zone_VPN_prerouting - [0:0]
:zone_WAN_postrouting - [0:0]
:zone_WAN_prerouting - [0:0]
:zone_Wireless_postrouting - [0:0]
:zone_Wireless_prerouting - [0:0]
-A PREROUTING -j FWKNOP_PREROUTING
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i tun+ -m comment --comment "!fw3" -j zone_WAN_prerouting
-A PREROUTING -i wan -m comment --comment "!fw3" -j zone_WAN_prerouting
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_LAN_prerouting
-A PREROUTING -i lan3 -m comment --comment "!fw3" -j zone_LAN_Port_3_prerouting
-A PREROUTING -i lan4 -m comment --comment "!fw3" -j zone_LAN_Port_4_prerouting
-A PREROUTING -i wlan1 -m comment --comment "!fw3" -j zone_Wireless_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_VPN_prerouting
-A POSTROUTING -j FWKNOP_MASQUERADE
-A POSTROUTING -j FWKNOP_POSTROUTING
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o tun+ -m comment --comment "!fw3" -j zone_WAN_postrouting
-A POSTROUTING -o wan -m comment --comment "!fw3" -j zone_WAN_postrouting
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_LAN_postrouting
-A POSTROUTING -o lan3 -m comment --comment "!fw3" -j zone_LAN_Port_3_postrouting
-A POSTROUTING -o lan4 -m comment --comment "!fw3" -j zone_LAN_Port_4_postrouting
-A POSTROUTING -o wlan1 -m comment --comment "!fw3" -j zone_Wireless_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_VPN_postrouting
-A zone_LAN_Port_3_postrouting -m comment --comment "!fw3: Custom LAN_Port_3 postrouting rule chain" -j postrouting_LAN_Port_3_rule
-A zone_LAN_Port_3_prerouting -m comment --comment "!fw3: Custom LAN_Port_3 prerouting rule chain" -j prerouting_LAN_Port_3_rule
-A zone_LAN_Port_4_postrouting -m comment --comment "!fw3: Custom LAN_Port_4 postrouting rule chain" -j postrouting_LAN_Port_4_rule
-A zone_LAN_Port_4_prerouting -m comment --comment "!fw3: Custom LAN_Port_4 prerouting rule chain" -j prerouting_LAN_Port_4_rule
-A zone_LAN_postrouting -m comment --comment "!fw3: Custom LAN postrouting rule chain" -j postrouting_LAN_rule
-A zone_LAN_prerouting -m comment --comment "!fw3: Custom LAN prerouting rule chain" -j prerouting_LAN_rule
-A zone_VPN_postrouting -m comment --comment "!fw3: Custom VPN postrouting rule chain" -j postrouting_VPN_rule
-A zone_VPN_prerouting -m comment --comment "!fw3: Custom VPN prerouting rule chain" -j prerouting_VPN_rule
-A zone_WAN_postrouting -m comment --comment "!fw3: Custom WAN postrouting rule chain" -j postrouting_WAN_rule
-A zone_WAN_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_WAN_prerouting -m comment --comment "!fw3: Custom WAN prerouting rule chain" -j prerouting_WAN_rule
-A zone_Wireless_postrouting -m comment --comment "!fw3: Custom Wireless postrouting rule chain" -j postrouting_Wireless_rule
-A zone_Wireless_prerouting -m comment --comment "!fw3: Custom Wireless prerouting rule chain" -j prerouting_Wireless_rule
COMMIT
# Completed on Sat Jan 22 22:22:12 2022

Do not use `option device 'radio1.network1'` in the `Wireless` interface definition. Instead, select the network interface that the SSID will be attached to from the wireless configuration (the `network` option of the SSID's wifi-iface section).

The firewall configuration is pretty messed up. The zone section named `lan` carries `option name 'WAN'` and covers the `wan`/`wan6` networks plus, via `list device 'tun+'`, every tun interface; the section named `wan` carries `option name 'LAN'` and covers the `lan` network. Because of that `tun+` entry, `tun0` belongs to both the WAN zone (input and forward DROP, masquerading) and the VPN zone, and the firewall classifies tunnel traffic by whichever zone's interface match comes first -- in the nat output the `-i tun+` jump to `zone_WAN_prerouting` precedes the `-i tun0` jump to `zone_VPN_prerouting`, so the WAN zone's DROP policies most likely hit VPN traffic before the VPN zone's forwardings are ever consulted (the filter table is not shown, so treat this as probable, not confirmed). Also note that the `OpenVPN` accept rule for udp/1194 has `option enabled '0'`, yet you connect from the internet; presumably fwknop (whose chains appear in the nat table) is opening the port on demand -- if not, check how 1194 is actually being admitted. Beyond removing `tun+` from the WAN zone I cannot suggest point fixes; the safer route is to rebuild the firewall config from scratch. The factory default is in /rom/etc/config/firewall.

Hi trendy.

I will take a closer look at the firewall config to see where it went wrong. Thanks for pointing those things out. I was hoping for an easier fix than rebuilding it, but if that's what it takes, that's what I'll do.

Thanks for catching the wireless config issue. I fixed that.

I was also able to fix the inability to reach 192.168.4.2 (the other router) from the VPN. That router's internal subnet was the same as the VPN pool (192.168.8.0/24), so its replies to VPN clients were routed into its own LAN instead of back through the tunnel. I changed its internal subnet to a non-overlapping range and can now reach it.

Well I'll be darned. I just solved it. I can now reach both my LAN and the WAN (internet) from the VPN.

I was just about to wipe the whole configuration and start anew, and was in LuCI checking one last time for anything amiss. Under Network -> Firewall -> WAN -> Advanced Settings I noticed that the VPN device (tun0) was selected under "Covered devices" -- that is the `list device 'tun+'` line in the WAN zone above. I deselected it and now everything works, presumably because tun0 is now only in the VPN zone, so the VPN -> WAN forwarding applies instead of the WAN zone's DROP policy. One thing to be aware of: the VPN zone still has `option input 'ACCEPT'`, so any authenticated VPN client can reach the router's own services (LuCI, SSH, DNS) -- fine for an admin VPN, but tighten it if that is not intended.

Hopefully that helps anyone else coming through here with a similar problem.

Again, thanks for your help.


If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

