VPN client on a separate wifi network, no VPN on the other

Hello
I'm trying to set up OpenWrt to have one wifi network that uses the VPN and another wifi network that just goes straight to the internet.
I've followed lots of different guides but just can't seem to get it to work right.
I think I have the interfaces set up correctly: I have added a second lan2 interface and a VPN interface, and created firewall zones for each; the lan interfaces are on their own subnets.
The VPN establishes a connection, but I am unable to use it, and I have no internet on the lan2 interface when the VPN is connected.
Could anyone just point me to where I may be going wrong?
I'm running OpenWrt 19.07.5, r11257-5090152ae3

/etc/config/network

# Loopback interface (stock OpenWrt entry).
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# Router-wide IPv6 ULA prefix; the lan interface below carves its /60 out of it (ip6assign).
config globals 'globals'
        option ula_prefix 'fd60:5ad2:1d49::/48'

# Primary LAN: bridge over switch VLAN 1 (eth0.1), 192.168.0.1/24.
# This is the network that is meant to go straight to the internet (see the lan -> wan forwarding in /etc/config/firewall).
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.1'

# WAN: DHCP client on switch VLAN 2 (eth0.2).
config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        # ISP-specific DHCP client identifier (hex string); presumably required by the ISP — leave as-is.
        option clientid '31323334353637383930313240736b7964736c7c31323334353637383930313233343536'

# Overrides the MAC address presented on the WAN port.
config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr '84:d8:1b:f9:c7:58'

# IPv6 WAN (DHCPv6) on the same VLAN.
config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

# Switch: VLAN 1 = LAN ports, VLAN 2 = WAN port, both tagged to the CPU (port 0).
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

# VPN tunnel: tun0 is created and addressed by OpenVPN, so netifd only tracks it here (proto 'none').
# The interface only exists while OpenVPN is connected.
config interface 'VPN'
        option ifname 'tun0'
        option proto 'none'

# Second LAN for VPN-only clients, 192.168.1.1/24. No 'ifname' is listed, so the bridge
# members must be attached from elsewhere (the ip output further down shows wlan1-1 on br-lan2).
config interface 'lan2'
        option proto 'static'
        option type 'bridge'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.1'

# Hand-written policy routing: traffic that arrives on lan2 is looked up in routing table 100,
# which holds only a default route over the VPN interface. Because tun0 appears only after
# OpenVPN connects, netifd may try to install that route before the interface exists (the
# "race condition" the replies refer to). A later reply says to remove this rule and route
# once vpn-policy-routing is used instead.
config rule
        option in 'lan2'
        option lookup '100'

config route 'vpn'
        option interface 'VPN'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option table '100'

/etc/config/firewall

# Global policy: the router accepts/sends freely, but forwarding between zones is denied
# unless a zone or 'forwarding' section below allows it. synflood_protect enables SYN-flood limiting.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# Trusted primary LAN: hosts here may reach router services (input ACCEPT) and each other.
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# Internet side: no unsolicited inbound traffic to the router (input REJECT), NAT for outbound
# traffic (masq) and MSS clamping (mtu_fix).
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

# The Allow-* rules below are the stock OpenWrt exceptions to the wan input/forward REJECT:
# DHCP renewals, ping, IGMP, and the IPv6 control traffic (DHCPv6, MLD, ICMPv6) the WAN needs.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# Rate-limited ICMPv6 to the router itself.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Rate-limited ICMPv6 forwarded from wan into any zone (dest '*'); needed for path-MTU discovery.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Stock rules that let inbound IPsec (ESP and IKE on UDP/500) from the WAN be forwarded into lan.
# They only matter if something on lan terminates IPsec; otherwise nothing listens and they are inert.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Extra iptables rules, if any, live in /etc/firewall.user.
config include
        option path '/etc/firewall.user'

# VPN tunnel zone (tun0). Nothing arriving from the tunnel may reach the router (input REJECT)
# or be forwarded on its own (forward REJECT); traffic sent into the tunnel is NATed to the
# tunnel address (masq) and MSS-clamped (mtu_fix).
config zone
        option network 'VPN'
        option forward 'REJECT'
        option name 'vpn'
        option output 'ACCEPT'
        option input 'REJECT'
        option masq '1'
        option mtu_fix '1'

# Second LAN zone for the VPN-only wifi; like lan it may reach router services.
config zone
        option network 'lan2'
        option input 'ACCEPT'
        option name 'lan2'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# lan2 may only be forwarded into the vpn zone. There is deliberately no lan2 -> wan
# forwarding, so lan2 clients have no path to the internet except through the tunnel.
# There is also no lan <-> lan2 forwarding here; that is added later in the thread.
config forwarding
        option dest 'vpn'
        option src 'lan2'

# The primary LAN goes straight out the WAN.
config forwarding
        option dest 'wan'
        option src 'lan'

/etc/config/dhcp

# dnsmasq (DHCP + DNS forwarder) settings. rebind_protection drops upstream answers that point
# at private addresses (DNS-rebinding defence); localservice restricts DNS service to the
# router's local subnets. Upstream resolvers come from resolvfile, i.e. the list learned on
# the WAN. Queries dnsmasq itself sends originate from the router, not from 192.168.1.0/24,
# so they are not covered by a per-subnet VPN policy — verify where lan2 name resolution exits.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'

# DHCP/DHCPv6/RA for the primary LAN.
config dhcp 'lan'
        option interface 'lan'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        # NOTE(review): 'start' is normally an offset within the subnet (compare '100' for lan2
        # below); a full address here may not yield the intended pool — confirm the leases handed out.
        option start '192.168.0.2'

# No DHCP server on the WAN side.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Static leases on the primary LAN; dns '1' also publishes the host name in local DNS.
config host
        option ip '192.168.0.3'
        option mac '20:47:ED:DC:4F:02'
        option dns '1'
        option name 'SkyHDLiv'

config host
        option mac 'B8:27:EB:A7:13:6A'
        option name 'Rpi'
        option dns '1'
        option ip '192.168.0.16'

config host
        option mac '1C:5A:3E:E3:56:B5'
        option name 'TVLiv'
        option dns '1'
        option ip '192.168.0.101'

# DHCP pool for the VPN-only LAN: 150 leases starting at offset 100 (192.168.1.100).
# No DNS option is set, so clients presumably get the router as resolver (dnsmasq default) — verify.
config dhcp 'lan2'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'lan2'

Output from the commands `ip -4 addr; ip -4 ro; ip -4 ru`:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.0.1/24 brd 192.168.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 94.13.25.139/22 brd 94.13.27.255 scope global eth0.2
       valid_lft forever preferred_lft forever
9: br-lan2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan2
       valid_lft forever preferred_lft forever
16: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.8.3.2/24 brd 10.8.3.255 scope global tun0
       valid_lft forever preferred_lft forever
default via 94.13.24.1 dev eth0.2 proto static src 94.13.25.139
10.8.3.0/24 dev tun0 proto kernel scope link src 10.8.3.2
94.13.24.0/22 dev eth0.2 proto kernel scope link src 94.13.25.139
192.168.0.0/24 dev br-lan proto kernel scope link src 192.168.0.1
192.168.1.0/24 dev br-lan2 proto kernel scope link src 192.168.1.1
0:      from all lookup local
1:      from all iif br-lan2 lookup vpn
32766:  from all lookup main
32767:  from all lookup default

This is part of my .ovpn config from my VPN provider:

# OpenVPN client profile (provider-supplied, partially redacted by the poster).
client
dev tun
proto udp
# Server address removed by the poster before publishing.
remote (removed for post)
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
# Keepalive: ping every 15 s; ping-restart 0 disables the restart-on-timeout.
ping 15
ping-restart 0
ping-timer-rem
# Disables periodic key renegotiation.
reneg-sec 0
# Compression off.
comp-lzo no

# Requires the server certificate to carry the server extended-key-usage, so a stolen
# client certificate cannot be used to impersonate the server.
remote-cert-tls server

# Username/password are read from this file; keep it readable by root only.
auth-user-pass /etc/openvpn/Nordvpn.auth
# Level 2 permits OpenVPN to run user-defined scripts (up/down hooks, if any are configured).
script-security 2
# Do not install routes pushed by the server. This is why the main table has no default
# route via tun0 in the ip output above; routing into the tunnel must be done on the router.
route-nopull
verb 3
fast-io
cipher AES-256-CBC
auth SHA512

It's simpler to configure with VPN-PBR, otherwise you should handle the race condition between the openvpn and netifd services.

Could you elaborate on what you mean by "otherwise you should handle the race condition between the openvpn and netifd services"?

The network service likely fails to configure the route due to missing VPN interface.


So it's not how I've configured it, then?

# Install and enable vpn-policy-routing; it replaces the hand-written rule/route in /etc/config/network.
opkg update
opkg install vpn-policy-routing
uci set vpn-policy-routing.config.enabled="1"
# Drop the dnsmasq ipset integration; it is only needed for domain-based policies.
# (The later 'uci show' output still lists dest_ipset='dnsmasq.ipset', which is what
# produces the "DNSMASQ ipset support" error further down — re-run this and commit if needed.)
uci -q delete vpn-policy-routing.config.dest_ipset
# Recreate the policy from scratch so the snippet can be re-run safely.
uci -q delete vpn-policy-routing.lan_vpn
uci set vpn-policy-routing.lan_vpn="policy"
# Everything from the lan2 subnet that is not destined to lan2 itself leaves via the VPN interface.
uci set vpn-policy-routing.lan_vpn.src_addr="192.168.1.0/24"
uci set vpn-policy-routing.lan_vpn.dest_addr="!192.168.1.0/24"
uci set vpn-policy-routing.lan_vpn.interface="VPN"
uci commit vpn-policy-routing
/etc/init.d/vpn-policy-routing restart

VPN Policy-Based Routing + Web UI -- Discussion


Do I need to remove these from /etc/config/network before I set up vpn-policy-routing?

config rule
        option in 'lan2'
        option lookup '100'

config route 'vpn'
        option interface 'VPN'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option table '100'


Yep, remove that rule and route.


This is the output I get after entering the commands from above

ERROR: DNSMASQ ipset support is enabled in vpn-policy-routing, but DNSMASQ is either not installed or installed DNSMASQ does not support ipsets!
Creating table 'wan/eth0.2/94.13.24.1' [✓]
Creating table 'VPN/tun0/10.8.3.2' [✓]
Routing 'blank' via VPN [✓]
vpn-policy-routing 0.2.1-13 started with gateways:
wan/eth0.2/94.13.24.1 [✓]
VPN/tun0/10.8.3.2
ERROR: DNSMASQ ipset support is enabled in vpn-policy-routing, but DNSMASQ is either not installed or installed DNSMASQ does not support ipsets!
vpn-policy-routing 0.2.1-13 monitoring interfaces: wan VPN .

I do have DNSMASQ installed

This matters only when you need IP set support, otherwise it is safe to ignore.


I think it's working now, but could you tell me where I put the DNS servers? Is it in the custom DNS servers of my lan2 interface?
Thanks for the help


The easiest way is to provide DNS with DHCP.


Thanks, it's all working now. The only thing I cannot do is connect to my Synology DiskStation when I'm connected to the 192.168.1.1 subnet, as my DiskStation is on my 192.168.0.1 subnet. Do I have to add a static route to be able to do this?
If so could you give me an idea how to set this up.

# Allow forwarding between the two LAN zones in both directions (delete first so re-running is safe).
# Note: lan2 -> lan opens the whole primary LAN to the VPN-side clients; if lan2 is meant to stay
# isolated, a firewall rule limited to the DiskStation's address would be the narrower choice.
uci -q delete firewall.lan_lan2
uci set firewall.lan_lan2="forwarding"
uci set firewall.lan_lan2.src="lan"
uci set firewall.lan_lan2.dest="lan2"
uci -q delete firewall.lan2_lan
uci set firewall.lan2_lan="forwarding"
uci set firewall.lan2_lan.src="lan2"
uci set firewall.lan2_lan.dest="lan"
uci commit firewall
/etc/init.d/firewall restart
# Exclude both LANs from the VPN policy: 192.168.0.0/23 covers 192.168.0.0/24 and 192.168.1.0/24,
# so lan <-> lan2 traffic falls through to the main routing table instead of the tunnel.
# The policy section is named 'vpn' here (the earlier snippet used 'lan_vpn'); the 'uci show'
# output below confirms 'vpn' is the name actually in use.
uci set vpn-policy-routing.vpn.dest_addr="!192.168.0.0/23"
uci commit vpn-policy-routing
/etc/init.d/vpn-policy-routing restart

Thanks for that, but I still cannot reach the DiskStation from the 192.168.1.0 subnet.

Post the output:

# Diagnostic dump: full UCI config of network/firewall/vpn-policy-routing plus live addresses,
# every routing table and the policy rules. The output contains the public WAN address, MAC
# addresses and the DHCP client id — worth redacting before posting publicly.
uci show network; uci show firewall; uci show vpn-policy-routing; \
ip address show; ip route show table all; ip rule show
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd60:5ad2:1d49::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.0.1'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='dhcp'
network.wan.clientid='31323334353637383930313240736b7964736c7c31323334353637383930313233343536'
network.wan_eth0_2_dev=device
network.wan_eth0_2_dev.name='eth0.2'
network.wan_eth0_2_dev.macaddr='84:d8:1b:f9:c7:58'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.wan6.reqprefix='auto'
network.wan6.reqaddress='try'
network.wan6.peerdns='0'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='2 3 4 5 0t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='1 0t'
network.VPN=interface
network.VPN.ifname='tun0'
network.VPN.proto='none'
network.lan2=interface
network.lan2.proto='static'
network.lan2.type='bridge'
network.lan2.netmask='255.255.255.0'
network.lan2.ipaddr='192.168.1.1'
network.lan2.dns='103.86.96.100' '103.86.99.100'
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].network='VPN'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].name='vpn'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@zone[3]=zone
firewall.@zone[3].network='lan2'
firewall.@zone[3].input='ACCEPT'
firewall.@zone[3].name='lan2'
firewall.@zone[3].output='ACCEPT'
firewall.@zone[3].forward='ACCEPT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='vpn'
firewall.@forwarding[0].src='lan2'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[1].src='lan'
firewall.lan_lan2=forwarding
firewall.lan_lan2.src='lan'
firewall.lan_lan2.dest='lan2'
firewall.lan2_lan=forwarding
firewall.lan2_lan.src='lan2'
firewall.lan2_lan.dest='lan'
vpn-policy-routing.config=vpn-policy-routing
vpn-policy-routing.config.verbosity='2'
vpn-policy-routing.config.strict_enforcement='1'
vpn-policy-routing.config.src_ipset='0'
vpn-policy-routing.config.dest_ipset='dnsmasq.ipset'
vpn-policy-routing.config.ipv6_enabled='0'
vpn-policy-routing.config.supported_interface=''
vpn-policy-routing.config.ignored_interface='vpnserver wgserver'
vpn-policy-routing.config.boot_timeout='30'
vpn-policy-routing.config.iptables_rule_option='append'
vpn-policy-routing.config.iprule_enabled='0'
vpn-policy-routing.config.webui_enable_column='0'
vpn-policy-routing.config.webui_protocol_column='0'
vpn-policy-routing.config.webui_chain_column='0'
vpn-policy-routing.config.webui_sorting='1'
vpn-policy-routing.config.webui_supported_protocol='tcp' 'udp' 'tcp udp' 'icmp' 'all'
vpn-policy-routing.config.enabled='1'
vpn-policy-routing.@include[0]=include
vpn-policy-routing.@include[0].path='/etc/vpn-policy-routing.netflix.user'
vpn-policy-routing.@include[0].enabled='0'
vpn-policy-routing.@include[1]=include
vpn-policy-routing.@include[1].path='/etc/vpn-policy-routing.aws.user'
vpn-policy-routing.@include[1].enabled='0'
vpn-policy-routing.vpn=policy
vpn-policy-routing.vpn.src_addr='192.168.1.0/24'
vpn-policy-routing.vpn.interface='VPN'
vpn-policy-routing.vpn.dest_addr='!192.168.0.0/23'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 84:d8:1b:f9:c7:57 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::86d8:1bff:fef9:c757/64 scope link
       valid_lft forever preferred_lft forever
4: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 84:d8:1b:f9:c7:56 brd ff:ff:ff:ff:ff:ff
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 84:d8:1b:f9:c7:57 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 2a02:c7f:6466:eb00::1/60 scope global dynamic noprefixroute
       valid_lft 1848sec preferred_lft 1848sec
    inet6 fd60:5ad2:1d49::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::86d8:1bff:fef9:c757/64 scope link
       valid_lft forever preferred_lft forever
7: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 84:d8:1b:f9:c7:57 brd ff:ff:ff:ff:ff:ff
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 84:d8:1b:f9:c7:58 brd ff:ff:ff:ff:ff:ff
    inet 94.13.25.139/22 brd 94.13.27.255 scope global eth0.2
       valid_lft forever preferred_lft forever
    inet6 fe80::86d8:1bff:fef9:c758/64 scope link
       valid_lft forever preferred_lft forever
9: br-lan2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 86:d8:1b:f9:c7:57 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan2
       valid_lft forever preferred_lft forever
    inet6 fe80::84d8:1bff:fef9:c757/64 scope link
       valid_lft forever preferred_lft forever
10: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 84:d8:1b:f9:c7:57 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::86d8:1bff:fef9:c757/64 scope link
       valid_lft forever preferred_lft forever
11: wlan1-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan2 state UP group default qlen 1000
    link/ether 86:d8:1b:f9:c7:57 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::84d8:1bff:fef9:c757/64 scope link
       valid_lft forever preferred_lft forever
13: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.8.3.2/24 brd 10.8.3.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::fb8d:1df8:f5fe:99f7/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
default via 94.13.24.1 dev eth0.2 table 201
default via 10.8.3.2 dev tun0 table 202
default via 94.13.24.1 dev eth0.2 proto static src 94.13.25.139
10.8.3.0/24 dev tun0 proto kernel scope link src 10.8.3.2
94.13.24.0/22 dev eth0.2 proto kernel scope link src 94.13.25.139
192.168.0.0/24 dev br-lan proto kernel scope link src 192.168.0.1
192.168.1.0/24 dev br-lan2 proto kernel scope link src 192.168.1.1
broadcast 10.8.3.0 dev tun0 table local proto kernel scope link src 10.8.3.2
local 10.8.3.2 dev tun0 table local proto kernel scope host src 10.8.3.2
broadcast 10.8.3.255 dev tun0 table local proto kernel scope link src 10.8.3.2
broadcast 94.13.24.0 dev eth0.2 table local proto kernel scope link src 94.13.25.139
local 94.13.25.139 dev eth0.2 table local proto kernel scope host src 94.13.25.139
broadcast 94.13.27.255 dev eth0.2 table local proto kernel scope link src 94.13.25.139
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.0.0 dev br-lan table local proto kernel scope link src 192.168.0.1
local 192.168.0.1 dev br-lan table local proto kernel scope host src 192.168.0.1
broadcast 192.168.0.255 dev br-lan table local proto kernel scope link src 192.168.0.1
broadcast 192.168.1.0 dev br-lan2 table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan2 table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan2 table local proto kernel scope link src 192.168.1.1
default from 2a02:c7f:6466:eb00::/56 via fe80::a2f3:e4ff:fe5d:9230 dev eth0.2 proto static metric 512 pref medium
2a02:c7f:6466:eb00::/64 dev br-lan proto static metric 1024 pref medium
unreachable 2a02:c7f:6466:eb00::/56 dev lo proto static metric 2147483647 error 4294967148 pref medium
fd60:5ad2:1d49::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd60:5ad2:1d49::/48 dev lo proto static metric 2147483647 error 4294967148 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wlan1 proto kernel metric 256 pref medium
fe80::/64 dev br-lan2 proto kernel metric 256 pref medium
fe80::/64 dev wlan1-1 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast 2a02:c7f:6466:eb00:: dev br-lan table local proto kernel metric 0 pref medium
local 2a02:c7f:6466:eb00::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fd60:5ad2:1d49:: dev br-lan table local proto kernel metric 0 pref medium
local fd60:5ad2:1d49::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0.2 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan2 table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan1 table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan1-1 table local proto kernel metric 0 pref medium
anycast fe80:: dev tun0 table local proto kernel metric 0 pref medium
local fe80::84d8:1bff:fef9:c757 dev br-lan2 table local proto kernel metric 0 pref medium
local fe80::84d8:1bff:fef9:c757 dev wlan1-1 table local proto kernel metric 0 pref medium
local fe80::86d8:1bff:fef9:c757 dev eth0 table local proto kernel metric 0 pref medium
local fe80::86d8:1bff:fef9:c757 dev br-lan table local proto kernel metric 0 pref medium
local fe80::86d8:1bff:fef9:c757 dev wlan1 table local proto kernel metric 0 pref medium
local fe80::86d8:1bff:fef9:c758 dev eth0.2 table local proto kernel metric 0 pref medium
local fe80::fb8d:1df8:f5fe:99f7 dev tun0 table local proto kernel metric 0 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium
ff00::/8 dev br-lan table local metric 256 pref medium
ff00::/8 dev eth0.2 table local metric 256 pref medium
ff00::/8 dev wlan1 table local metric 256 pref medium
ff00::/8 dev br-lan2 table local metric 256 pref medium
ff00::/8 dev wlan1-1 table local metric 256 pref medium
ff00::/8 dev tun0 table local metric 256 pref medium
0:      from all lookup local
32758:  from all fwmark 0x20000/0xff0000 lookup 202
32759:  from all fwmark 0x10000/0xff0000 lookup 201
32766:  from all lookup main
32767:  from all lookup default


I think the problem I'm having is not with the configuration you gave me to allow access to my diskstation.
The issue I have is that if my DiskStation is connected to a VPN server (not using the one on my router, but the device itself connected to a VPN), I can't access it; if I disconnect the DiskStation from the VPN, I can then access it.


Yep, in this case OpenWrt should be fine, but you need to configure routes on the client.

I created a static route on the diskstation and all seems to be working fine now, thanks again for all your help.
