Trying to get the VPN working

Trying to get the VPN working properly.

I configured OpenVPN up and set the firewall and all up to have one NIC pass to the VPN and everything else go to the WAN...

Still can't figure out why this isn't working...

Once I activate it, the DNS requests reach my internal DNS server, but the machine just can't get to that domain name for web browsing.

I did get it functioning at one point but since then still isn't working...

Why is turning the VPN on destroying all network connections to the internet?

How can I find the problem and resolve it in your system please?

I have read other topics, but they don't answer my questions..

Hope someone here can help.

There's a lot we don't know about your config including what VPN protocol you are using. However, it does sound like you might be trying to achieve a split tunnel config. That is to say that some of the traffic should go through the VPN tunnel and the rest through the regular wan. Is that your goal?

If you want a split tunnel, the easiest way to do this is via Policy Based Routing. This will allow you to setup specific policies with respect to what traffic should use each upstream connection (tunnel vs wan).

If you need additional help, please start by posting your config.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

.sneppah tahw tsuj si taht ,noitarugifnoc krowten eht rettam t'nseod ,eussi eht si ereht woN
.ti trats dna elbanE :2
.NPVnepO eht pu tes :1
...od uoy tahw si ereH

Here is the details WITHOUT an active VPN...
I'll upload the config when the VPN is active later tonight when I don't need the internet for a few minutes.

BusyBox v1.36.1 (2025-12-17 21:08:22 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 24.10.5, r29087-d9c5716d1d
 -----------------------------------------------------

[REDACTED]:~# ubus call system board
{
	"kernel": "6.6.119",
	"hostname": "[REDACTED]",
	"system": "[REDACTED]",
	"model": "[REDACTED]",
	"board_name": "[REDACTED]",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.5",
		"revision": "r29087-d9c5716d1d",
		"target": "x86/64",
		"description": "OpenWrt 24.10.5 r29087-d9c5716d1d",
		"builddate": "1766005702"
	}
}


================================================================
                               NETWORK
================================================================
[REDACTED]:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '[REDACTED]'
	option packet_steering '1'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'
	option hostname '*'

config device
	option name 'eth1'
	option promisc '0'
	option acceptlocal '1'
	option sendredirects '0'
	option arp_accept '0'
	option drop_gratuitous_arp '1'
	option multicast '0'
	option ipv6 '0'

config device
	option name 'eth0'
	option promisc '0'
	option acceptlocal '0'
	option sendredirects '0'
	option arp_accept '0'
	option drop_gratuitous_arp '0'
	option ipv6 '0'
	option multicast '0'
	option learning '1'
	option unicast_flood '0'
	option isolate '1'

config interface 'LAN'
	option proto 'static'
	option device 'eth1'
	option ipaddr '[LAN1.1]'
	option netmask '255.255.255.0'
	list ip6class 'local'
	option ip4table 'local'
	option broadcast '[LAN1.255]'

config interface 'lan2'
	option proto 'static'
	option device 'eth2'
	option ipaddr '[LAN2.1]'
	option netmask '255.255.255.0'
	option delegate '0'
	list ip6class 'local'

config interface 'lan4'
	option proto 'static'
	option device 'eth4'
	option ipaddr '[LAN4.1]'
	option netmask '255.255.255.0'
	option delegate '0'
	option broadcast '[LAN4.255]'

config device
	option name 'eth4'
	option sendredirects '0'
	option ipv6 '0'
	option multicast '0'

config device
	option name 'eth2'
	option sendredirects '0'
	option ipv6 '0'
	option multicast '0'

config device
	option name 'eth3'
	option acceptlocal '1'
	option sendredirects '0'
	option arp_accept '0'
	option drop_gratuitous_arp '1'
	option ipv6 '0'
	option multicast '0'
	option promisc '0'

config interface 'VPN'
	option proto 'dhcp'
	option device 'tun0'
	option hostname 'VPNCONNECT'
	option peerdns '0'
	option delegate '0'
	option force_link '1'
	list dns '[LAN2.5]'

config device
	option name 'tun0'
	option promisc '0'
	option acceptlocal '0'
	option sendredirects '0'
	option arp_accept '0'
	option drop_gratuitous_arp '1'
	option ipv6 '0'
	option multicast '0'

config interface 'LAN3'
	option proto 'static'
	option device 'eth3'
	option ipaddr '[LAN3.1]'
	option netmask '255.255.255.0'
	option broadcast '[LAN3.255]'
	list dns '[LAN2.11]'

================================================================
                               FIREWALL
================================================================
[REDACTED]:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'zone_wan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	option family 'ipv4'
	list network 'wan'

config rule
	option src 'zone_wan'
	option name 'BLOCK ALL'
	option direction 'in'
	option device 'eth0'
	option target 'DROP'

config zone
	option name 'zone_lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'LAN'

config zone
	option name 'zone_lan4'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan4'
	option family 'ipv4'

config zone
	option name 'zone_lan2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan2'

config zone
	option name 'zone_vpn_external'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	list network 'VPN'

config redirect
	option dest 'zone_lan2'
	option target 'DNAT'
	option name 'INNXT-443'
	option src 'zone_wan'
	option src_dport '80'
	option dest_ip '[LAN2.26]'
	option dest_port '80'
	list proto 'tcp'

config redirect
	option dest 'zone_lan2'
	option target 'DNAT'
	option name 'INNXT-443'
	option src 'zone_wan'
	option src_dport '443'
	option dest_ip '[LAN2.26]'
	option dest_port '443'
	list proto 'tcp'

config redirect
	option dest 'zone_lan2'
	option target 'DNAT'
	option name 'fwd_lan_lan2'
	option src 'zone_lan'
	option src_dport '53'
	option dest_ip '[LAN2.11]'
	option dest_port '53'
	option reflection '0'

config redirect
	option dest 'zone_lan2'
	option target 'DNAT'
	option name 'fwd_lan4_lan2'
	option src 'zone_lan4'
	option src_dport '53'
	option dest_ip '[LAN2.5]'
	option dest_port '53'
	option reflection '0'

config forwarding
	option src 'zone_lan2'
	option dest 'zone_wan'

config forwarding
	option src 'zone_lan4'
	option dest 'zone_wan'

config forwarding
	option src 'zone_lan'
	option dest 'zone_lan2'

config forwarding
	option src 'zone_lan4'
	option dest 'zone_lan2'

config zone
	option name 'zone_lan3'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'LAN3'

config forwarding
	option src 'zone_lan3'
	option dest 'zone_lan'

config forwarding
	option src 'zone_lan3'
	option dest 'zone_lan4'

config forwarding
	option src 'zone_lan3'
	option dest 'zone_lan2'

config forwarding
	option src 'zone_lan'
	option dest 'zone_lan4'

config redirect
	option dest 'zone_lan2'
	option target 'DNAT'
	option name 'localinternal80'
	option src 'zone_lan'
	option src_dip '[LAN2.26'
	option src_dport '80'
	option dest_ip '[LAN2.26]'
	option dest_port '80'
	option reflection '0'
	option enabled '0'

config redirect
	option dest 'zone_lan2'
	option target 'DNAT'
	option name 'localinternal80'
	option src 'zone_lan'
	option src_dip '[LAN2.26]'
	option src_dport '443'
	option dest_ip '[LAN2.26]'
	option dest_port '443'
	option reflection '0'
	option enabled '0'

config ipset
	option name 'Blacklist'
	option family 'ipv4'
	list match 'ip'
	option counters '1'
	list entry '[REDACTED]'
	list entry '[REDACTED]'

config rule
	option src '*'
	option dest '*'
	option name 'BLACKSTING'
	option ipset 'Blacklist'
	option target 'REJECT'

config forwarding
	option src 'zone_lan'
	option dest 'zone_wan'

config rule
	option src 'zone_lan'
	option dest 'zone_wan'
	option name 'DeviceBlock'
	list src_ip '[LAN1.191]'
	option target 'DROP'
	option enabled '0'

We await the requested information.

Also, is there a reason you created a post with the characters reversed in the sentences?

Eveything is almost the same with the VPN active. The only difference is...

config forwarding
	option src 'zone_lan4'
	option dest 'zone_wan'

becomes

config forwarding
	option src 'zone_lan4'
	option dest 'zone_vpn_external'

I don't know why that happenned...
I did a reply to the message, and deleted the text that was in there, and then I typed and sent.
I think some char went through maybe corrupted at the start and reversed everything...

And in addition to the firewall, did you route the traffic to the VPN interface?

I only set that one interface to go through the VPN TUNNEL, the other 3 interfaces use the WAN

With the VPN active at the moment, the communication gets to the external servers and does HTTP access using domain names when the domain name is set locally on my internal server.

The real problem is that when I have the VPN active, I can't use the internet from any of the other parts of the network either.. not from LAN1 or LAN2 or LAN3.

@DRWhite Did you wrote in Hebrew? If so take care of Left-to-Right vs. Right-to-Left... (shot in the dark / gut feeling)

I did not write it in Hebrew.
The message is right to left and bottom to top... What character causes that to happen when submitting? I actually don't know, so that's why I ask.
It is literally my text COMPLETELY reversed...

Don't know. Is your native language Right-to-Left? If not, I dunno what went wrong with your text input...

Australian English.
Left to Right Top to bottom...

I don't know either.. something in transmission...

I'll try asking in another way:

Can you show us the routing configurations you created to send traffic thru the active VPN?

You showed us the firewall configuration, but not the routing config.

I showed you what you asked me to show you.
You asked for those 3 entities, and that is what I provided.

Traffic goes through the VPN when it is active, as I said.

The issue is that when the VPN is active, it also kills off traffic on the rest of the interfaces.

What else do you want to know?

No, I asked about routing configurations, you showed the firewall (i.e., forwarding rules).

Yes, I understand the issue, and you've only showed us firewall rules.

So are you saying that you've made no routing configurations to have the the network you desire use VPN, while the remaining networks use the connection you desire (I assume WAN as you stated in the first post)?

If so, that could be the issue.

The configs on this device look very strange. They're also over-redacted.

How did you arrive at the settings that exist on this device?

They are not over redacted actually.
They are still giving the required information without giving all the information away.

The settings are how the network needs to be set up for separation and segregation.

The forwarding on the firewall settings allow for the required locations to talk to each other in the correct way.
There is only one thing that I haven't managed to get fixed up that will take a while due to the way things work, and that is the HTTPS DNS requests, there is no easy way in the system to filter those for redirection to the DNS server.

Information that is redacted:
hostname: [REDACTED],
system: [REDACTED],
model: [REDACTED],
board_name: [REDACTED],
The username and hostname
the ipv6 prefix that shouldn't be there since ipv6 is disabled.

No other information is redacted... So it isn't over redacted.... No important information has been redacted...

Edit: Oh, forgot that the 2 blacklisted IPs have been redacted as well. As they are of no consequence either to this whole issue.

They are absolutely over-redacted.

For example:

RFC1918 addresses ( option ipaddr '[LAN1.1]') do not reveal anything private or sensitive about your network. However, without seeing them, we don't know if you've got any errors/overlaps.

Likewise, why have you redacted the system/model/board name information? Sure, I understand redacting the hostname... but the other things just tell us about the hardware so there's nothing revealing there, either.

Meanwhile, the key question I was asking was this:

It looks as if you basically ripped everything out of the default config and re-wrote everything yourself. For example, in the firewall, there are a whole bunch of rules that would normally be there and are missing.

The device definitions are also rather unusual...

What were the goals in adding all of these options? It's quite unusual and it would be good to know why you've included all those things that are not in a default config.

This also looks very strange... what VPN protocol are you using that would have a DHCP server on the tunnel? For example, openvpn tunnels, when defined in the network config file, would be a simple unmanaged interface like this:

config interface 'VPN'
	option proto 'none'
	option device 'tun0'

Anything more than that would be invalid for OpenVPN.

No, they aren't overly redacted at all..

LAN1 is LAN1. There are no overlaps or errors as the networks internally work perfectly.
LAN2 is LAN2...

They could be referred to as 192.168.1.* and 192.168.2.*
Whatever you want to referr to them as like that is up to you..

What rules are missing that you would believe should be there?

What is wrong with the eth0 WAN port?

tun0 VPN interface is like that because that's the way it needs to be..
protocol needs to be DHCP to get the IP from the VPN service for reference. I don't have it manually set.
the HOSTNAME is there to send that as the hostname instead of sending the internal machine identifier.
I use internal DNS, not the peer DNS, so it is set to inactive.
force link means it's always there in the options so it doesn't destroy the configuration and can be activated and deactivated whenever I want.
the list dns is telling anything that tries to ues the VPN connection that the DNS server to use is the internal DNS server dedicated to the VPN, for protection.
I dont' know what delegate is in the options there.

But then again this is all very obvious if you know the system and actually know the options and read them.