Thank you mk24 the VPN works again !
Now i try to disable the gateway redirect
https://openwrt.org/docs/guide-user/services/vpn/openvpn/extra#disable_gateway_redirect
The command it's in one line ?
sed -i -e "/^redirect-gateway/s/^/#/\$a pull-filter ignore redirect-gateway" /etc/openvpn/vpnclient.conf
because i have this error :
sed: bad option in substitution expression
Copy-paste it exactly as you see it:
root@RoadWarrior:~# sed -i -e "
> /^push.*redirect-gateway/s/^/#/
> " /etc/openvpn/vpnserver.conf
root@RoadWarrior:~#
The greater -than sign is added automatically.
Sorry but i thing i have not any file.conf :
root@OpenWrt:~# sed -i -e "
/^push.*redirect-gateway/s/^/#/
" /etc/openvpn/vpnserver.conf
sed: /etc/openvpn/vpnserver.conf: No such file or directory
root@OpenWrt:~# head -n -0 /etc/openvpn/.conf
head: /etc/openvpn/.conf: No such file or directory
root@OpenWrt:~# head -n -0 /etc/openvpn/vpnserver.conf
head: /etc/openvpn/vpnserver.conf: No such file or directory
root@OpenWrt:~#
you have told us already, many times the name of your config file....
@cd38 Please use "Preformatted text </>" for logs, scripts, configs and general console output.
Please edit your posting accordingly.
Hello thank's for your help.
i do
sed -i -e "
> /^push.*redirect-gateway/s/^/#/
> " /etc/openvpn/zoogvpn_us4.ovpn
service openvpn restart
there are no error but i'm ever connected on the vpn ...
Post once again here the contents of the config.
If you have two routers, I think it is possible.
I think i will never finish ... Now i can't install more the vpn package after resset ...
troot@OpenWrt:~# opkg update
Downloading http://downloads.openwrt.org/releases/18.06.2/targets/ramips/mt7621/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_core
Downloading http://downloads.openwrt.org/releases/18.06.2/targets/ramips/mt7621/packages/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/releases/18.06.2/packages/mipsel_24kc/base/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_base
Downloading http://downloads.openwrt.org/releases/18.06.2/packages/mipsel_24kc/base/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/releases/18.06.2/packages/mipsel_24kc/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_luci
Downloading http://downloads.openwrt.org/releases/18.06.2/packages/mipsel_24kc/luci/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/releases/18.06.2/packages/mipsel_24kc/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_packages
Downloading http://downloads.openwrt.org/releases/18.06.2/packages/mipsel_24kc/packages/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/releases/18.06.2/packages/mipsel_24kc/routing/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_routing
Downloading http://downloads.openwrt.org/releases/18.06.2/packages/mipsel_24kc/routing/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/releases/18.06.2/packages/mipsel_24kc/telephony/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_telephony
Downloading http://downloads.openwrt.org/releases/18.06.2/packages/mipsel_24kc/telephony/Packages.sig
Signature check passed.
root@OpenWrt:~# opkg install openvpn-openssl luci-app-openvpn
Unknown package 'openvpn-openssl'.
Installing luci-app-openvpn (git-19.170.32094-4d6d8bc-1) to root...
Downloading http://downloads.openwrt.org/releases/18.06.2/packages/mipsel_24kc/luci/luci-app-openvpn_git-19.170.32094-4d6d8bc-1_all.ipk
Configuring luci-app-openvpn.
Collected errors:
* opkg_install_cmd: Cannot install package openvpn-openssl.
root@OpenWrt:~# opkg install libustream-openssl ca-bundle ca-certificates
Unknown package 'libustream-openssl'.
Unknown package 'ca-bundle'.
Unknown package 'ca-certificates'.
Collected errors:
* opkg_install_cmd: Cannot install package libustream-openssl.
* opkg_install_cmd: Cannot install package ca-bundle.
* opkg_install_cmd: Cannot install package ca-certificates.
root@OpenWrt:~#
Hello,
Finaly i arrive to create the VPN session but i do not do this for not activated it to all interface
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='vpn'
The pb it's when the vpn it's started i don't have internet acces (Lan of wifi) ...
I created a SSID: VPN in interface Configuration Network -> zoogvpn_vpn
but how can i create with IP/MASK and DHCP server ?
Regards
You need to post once again the commands I asked you in the second post as well as the OpenVPN configuration (when the vpn is up) to see what can be wrong.
Hello,
I'm sorry here the config 
Thanks again for youre help !
cat /etc/config/network; cat /etc/config/firewall; cat /etc/config/wireless ; cat /etc/config/dhcp ; ip -4 addr ; ip -4 ro ; ip -4 ru
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdc8:a9e4:272a::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device 'lan_dev'
option name 'eth0.1'
option macaddr '50:64:2b:b2:71:cc'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 6t'
config interface 'zoogvpn_vpn'
option proto 'none'
option ifname 'tun0'
option metric '10'
option type 'bridge'
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option name 'vpn'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config wifi-device 'radio0'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
option htmode 'HT20'
option country '00'
option legacy_rates '1'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'Wifi'
option encryption 'psk2'
option key '0102030405'
config wifi-device 'radio1'
option type 'mac80211'
option channel '36'
option hwmode '11a'
option path 'pci0000:00/0000:00:01.0/0000:02:00.0'
option htmode 'VHT80'
option disabled '1'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'none'
config wifi-iface
option device 'radio0'
option mode 'ap'
option ssid 'VPN'
option network 'zoogvpn_vpn'
option encryption 'psk2'
option key '0102030405'
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option serversfile '/tmp/adb_list.overall'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config host
option name 'Jeedom'
option dns '1'
option mac 'B8:27:EB:0F:88:E9'
option ip '192.168.1.254'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.0.253/24 brd 192.168.0.255 scope global eth0.2
valid_lft forever preferred_lft forever
default via 192.168.0.254 dev eth0.2 src 192.168.0.253
192.168.0.0/24 dev eth0.2 scope link src 192.168.0.253
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
For a start remove the bridge from the VPN interface. I don't see the VPN interface up as requested so I am not sure what is the problem.
Create a new interface for the WiFi VPN. Add IP address, network mask, and DHCP server will be enabled by default if I am not mistaken.
In firewall allow traffic from WiFi VPN interface to VPN tunnel.
Create a rule to classify all traffic coming from WiFi VPN interface to table 100.
Add a route for table 100 to use the VPN tunnel gateway.
For a start remove the bridge from the VPN interface
on uci interface i was on Network -> Interface -> Edit ZOOGVPN_VPN -> Physical Settings and i désactivated Bridge Interface.
For information on interface i hane Tun0(zoogvpn_vpn)
Create a new interface for the WiFi VPN his name is VPN on network zoogvpn_vpn
I created à new interface INTERFACE_VPN with statick adresse 192.168.2.1 and netmask 255.255.255.0 with no gateway, i activated on the dhcp server
In firewall allow traffic from WiFi VPN interface to VPN tunnel.
? in Network -> firewall -> i do this :
Create a rule to classify all traffic coming from WiFi VPN interface to table 100
How can do this ?
Add a route for table 100 to use the VPN tunnel gateway.
How can do this ?
Best regards
In VPN firewall zone change the forward from reject to accept.
For the rule and route check the links in this post:
Hello,
1°)
I do to dosable gateway redirect on vpn server:
sed -i -e "
/^push.*redirect-gateway/s/^/#/
" /etc/openvpn/zoogvpn_us4.ovpn
service openvpn restart
and
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='wan'
service openvpn restart
But if the vpn it's start my wifi doesn't work
2°) I have an interface zoogvpn_vpn with ip 192.168.2.1 (Lan interface has ip 192.168.1.1) (Bridge interfaces not activated)
i created a wifi for the VPN named VPN on network zoogvpn_vpn
The DHCP it's enable (not ignore ) but it's don't attrubute any IP when i'm connected on wifi vpn
I have do this and click on restart Firewall but i'm not shure it's do somethings
For the static route i have to do ?
config 'route' 'MyVPN'
option 'interface' 'lan'
option 'target' '192.168.2.0'
option 'netmask' '255.255.255.0'
option 'gateway' '192.168.1.1'
Regards
Nope this is wrong.
In the previous post you had the wifi VPN interface and the ZOOGVPN_VPN in the same firewall zone, but the Forward rule was reject, so I told you to make it accept.
Then the rules and the routes are configured inside /etc/config/network not in firewall.
Firstly, thanks for your patience ...
I'm too bad ...I resset again my config.
I will try step by step ...
I config the vpn ans is working.
To beguining i would like to stop the VPN from the network, it will be only on 1 wifi specific vpn .
I do this
sed -i -e "
/^push.*redirect-gateway/s/^/#/
" /etc/openvpn/zoogvpn_us4.ovpn
service openvpn restart
But when the vpn it's start i'm automaticly on the vpn ..
My conf :
cat /etc/config/network; cat /etc/config/firewall; cat /etc/config/wireless ; cat /etc/config/dhcp ; ip -4 addr ; ip -4 ro ; ip -4 ru
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdb9:99da:a865::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device 'lan_dev'
option name 'eth0.1'
option macaddr '50:64:2b:b2:71:cc'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
option peerdns '0'
list dns '208.67.222.222'
list dns '208.67.220.220'
list dns '8.8.8.8'
list dns '8.8.4.4'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 6t'
config interface 'zoogvpn_vpn'
option proto 'none'
option ifname 'tun0'
option metric '10'
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option name 'vpn'
option input 'REJECT'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
list network 'zoogvpn_vpn'
option forward 'ACCEPT'
config forwarding
option dest 'vpn'
option src 'lan'
config wifi-device 'radio0'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
option htmode 'HT20'
option disabled '1'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'none'
config wifi-device 'radio1'
option type 'mac80211'
option channel '36'
option hwmode '11a'
option path 'pci0000:00/0000:00:01.0/0000:02:00.0'
option htmode 'VHT80'
option disabled '1'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'none'
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
list dhcp_option '6,208.67.222.222,208.67.220.220'
list dhcp_option '6,8.8.8.8,8.8.4.4'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.0.253/24 brd 192.168.0.255 scope global eth0.2
valid_lft forever preferred_lft forever
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
inet 10.8.11.14 peer 10.8.11.13/32 scope global tun0
valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.8.11.13 dev tun0
default via 192.168.0.254 dev eth0.2 src 192.168.0.253
10.8.11.1 via 10.8.11.13 dev tun0
10.8.11.13 dev tun0 scope link src 10.8.11.14
23.229.0.242 via 192.168.0.254 dev eth0.2
128.0.0.0/1 via 10.8.11.13 dev tun0
192.168.0.0/24 dev eth0.2 scope link src 192.168.0.253
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
It's this the pb ?
config forwarding
option dest 'vpn'
option src 'lan'
The problem to start with is that you still install the default route:
Post again the ovpn configuration.
redirect-gateway def1 should not be there and just in case route-nopull would make sure the server is not pushing anything to you.