VPN & VLAN working - LAN no internet access

Dear all,

Using Youhua 1200 (mt7621at) with OpenWrt 19.07.3.
Problem: As soon as I turn on a VPN client connection (on the VLAN) the LAN has no internet access, independent of whether it's Wireguard or OpenVPN. The VLAN has internet access via VPN as expected.
Working: When VPN is off, LAN and VLAN have internet access.

It's very strange, as on my main router I have an identical setup with OpenVPN client on a VLAN (the only difference being that there I use route no pull and the VPN kicks in at specific internet destination IPs).

So the setup is pretty simple (client router):

  • Ports 1 and 2 on LAN
  • Ports 3 and 4 on VLAN -> linked to VPN client

FYI, on the home router the wireguard port is not used by any other instance, nor is any IP used by another instance.

My network config on the client router, which causes the problems (example with wireguard):


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'blabla'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.100.1'
	option netmask '255.255.255.0'
	option delegate '0'
	list dns '1.1.1.1'

config device 'lan_eth0_1_dev'
	option name 'eth0.1'
	option macaddr 'blabla'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '9.9.9.9'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr 'blabla'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config interface 'wwan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '9.9.9.9'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '1 2 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'
	option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '3 4 6t'
        option vid '4'

config interface 'VLAN4'
        option ifname 'eth0.4'
        option proto 'static'
        option netmask '255.255.255.0'
        option type 'bridge'
        option ipaddr '192.168.140.1'
        list dns '1.1.1.1'
        list dns '9.9.9.9'

config interface 'wg1'
	option proto 'wireguard'
	list addresses '10.8.8.2/32'
	option private_key 'blabla'

config wireguard_wg1
	option persistent_keepalive '25'
	option public_key 'blabla'
	option description 'blabla'
	option endpoint_port '1194'
	option endpoint_host 'blabla'
	option preshared_key 'blabla'
	option route_allowed_ips '1'
	list allowed_ips '0.0.0.0/1'
	list allowed_ips '128.0.0.0/1'
	list allowed_ips '::/0'

My firewall on the client router:


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'vlan4_fw'
	option output 'ACCEPT'
	option network 'VLAN4'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option dest 'wan'
	option src 'vlan4_fw'

config zone
        option network 'wg1'
        option name 'wg1fw'
        option mtu_fix '1'
        option input 'REJECT'
        option forward 'REJECT'
        option masq '1'
        option output 'ACCEPT'

config forwarding
        option dest 'wg1fw'
        option src 'vlan4_fw'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option name 'v4DNS'
	option src 'vlan4_fw'
	option dest_port '53 853 1053 5453'

config rule
	option target 'ACCEPT'
	option dest_port '67-68'
	option name 'v4DHCP'
	option src 'vlan4_fw'
	option proto 'udp'

Do I have an issue with my firewall rules, and how can I track down the problem?

Cheers blinton

You need to turn this off and then set up the appropriate routing rules yourself. Either by manually adding them to the routing table(s) or using something like the VPN policy based routing package.

By "linked to" are you referring to the configuration of the firewall? You need to use policy routing to solve your problem, since you want to select the route depending on the source interface (or address).


Hi krazeh and mikma,

thanks a lot for your quick answers.
I'll try with openvpn, because I'm more familiar with it and I have identical firewall rules at the moment.
And I'll report if I was successful.

Cheers blinton

The problem is that the wireguard (or openvpn) interface leads to a routing table where the wan 0.0.0.0 route gets overruled (pushed to second place), leading to lan having no access to wan.
As a workaround I added a static route from lan to wan (0.0.0.0) with a static IP (gateway) for wan.
Preferably the wan IP would be recognized automatically (instead of adding a static IP, which could work in my case, but is not elegant). Do you know a way to make this happen?

I'm not familiar with the VPN policy based routing package; I tried it ~2 years ago, but it was much slower than my routing via openvpn config file (different scenario than here).

Many thanks in advance!

cheers blinton

Hi krazeh,

I managed to find the more correct solution by removing option route_allowed_ips '1' as you suggested and adding a static route manually for the wireguard 'vpn' (or openvpn; I guess it will work, but I won't use it, as wireguard is preferred due to performance) and a lookup rule for the VLAN into the 'vpn' table, as suggested in this post:

Everything works perfectly now.

So my next step is now to create a wireguard "server" on the LAN and connect it to the home router as wireguard client for specific destination networks.
Is there a limitation on the number of listed networks for wireguard? (I haven't found one on the web.)

Many thanks again! and

cheers blinton
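To make the two mechanisms in this thread concrete (the /1 routes installed by route_allowed_ips '1' beating the WAN default route, and the per-source lookup rule used in the final fix), here is a small routing-table and firewall-zone simulator. It is an added example, not code from the thread or from OpenWrt: it implements longest-prefix matching and ip-rule style table selection in plain Python, with a zone check modelled on the posted firewall config. The subnets and zone names come from the posted config; the bridge interface names br-lan and br-VLAN4, the table number 100 and the idea of copying the connected subnets into that table are assumptions.

```python
"""Policy-routing simulator for the VLAN-over-VPN setup in this thread.

Added example, not from the original post or from OpenWrt. It models why
allowed_ips 0.0.0.0/1 + 128.0.0.0/1 (installed into the main table by
route_allowed_ips '1') win against the WAN default route for every
destination, and how a separate table plus a source-based rule sends only
the VLAN through the tunnel. Table number 100 and interface names are assumed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str


@dataclass
class PolicyRouter:
    # table name -> routes; 'main' always exists, like the Linux main table
    tables: dict = field(default_factory=lambda: {"main": []})
    # (source network, table) rules, tried in order before the main table
    rules: list = field(default_factory=list)
    # (src_zone, dst_zone) pairs with a 'config forwarding' entry
    forwardings: set = field(default_factory=set)
    # interface -> firewall zone name
    zones: dict = field(default_factory=dict)

    def add_route(self, prefix, dev, table="main"):
        self.tables.setdefault(table, []).append(
            Route(ipaddress.ip_network(prefix), dev))

    def add_rule(self, src, table):
        self.rules.append((ipaddress.ip_network(src), table))

    def lookup(self, table, dst):
        """Longest-prefix match inside one table; None if nothing matches."""
        dst = ipaddress.ip_address(dst)
        hits = [r for r in self.tables.get(table, []) if dst in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None

    def egress(self, src, dst):
        """Interface a packet src->dst leaves on: rules first, then main."""
        src = ipaddress.ip_address(src)
        for net, table in self.rules:
            if src in net:
                route = self.lookup(table, dst)
                if route:
                    return route.dev
        route = self.lookup("main", dst)
        return route.dev if route else None

    def forward(self, in_dev, src, dst):
        """Routing decision plus zone forwarding check, as the forward chain does."""
        out = self.egress(src, dst)
        if out is None:
            return "no route"
        verdict = "ACCEPT" if (self.zones[in_dev], self.zones[out]) in self.forwardings else "REJECT"
        return f"{out} ({verdict})"


def _base_router():
    r = PolicyRouter()
    r.zones = {"br-lan": "lan", "br-VLAN4": "vlan4_fw", "eth0.2": "wan", "wg1": "wg1fw"}
    # the three 'config forwarding' entries in the posted firewall
    r.forwardings = {("lan", "wan"), ("vlan4_fw", "wan"), ("vlan4_fw", "wg1fw")}
    r.add_route("192.168.100.0/24", "br-lan")     # lan
    r.add_route("192.168.140.0/24", "br-VLAN4")   # VLAN4
    r.add_route("0.0.0.0/0", "eth0.2")            # wan default route
    return r


def broken_router():
    """route_allowed_ips '1': the two /1 allowed_ips land in the main table."""
    r = _base_router()
    r.add_route("0.0.0.0/1", "wg1")
    r.add_route("128.0.0.0/1", "wg1")
    return r


def fixed_router():
    """route_allowed_ips '0' plus a tunnel-only table and a source rule."""
    r = _base_router()
    r.add_route("0.0.0.0/0", "wg1", table="100")
    # connected subnets copied into table 100 so VLAN-to-LAN traffic is not
    # pulled into the tunnel (the firewall still decides whether to allow it)
    r.add_route("192.168.100.0/24", "br-lan", table="100")
    r.add_route("192.168.140.0/24", "br-VLAN4", table="100")
    r.add_rule("192.168.140.0/24", "100")
    return r


if __name__ == "__main__":
    for label, router in (("broken", broken_router()), ("fixed", fixed_router())):
        print(label, "lan  ->", router.forward("br-lan", "192.168.100.50", "1.1.1.1"))
        print(label, "vlan ->", router.forward("br-VLAN4", "192.168.140.20", "1.1.1.1"))
```

In the broken variant every internet destination matches one of the /1 routes (prefix length 1 beats the default route's 0), so LAN traffic is steered to wg1, where no lan to wg1fw forwarding exists and the forward policy REJECTs it. In the fixed variant the main table keeps wan as default, and only sources in 192.168.140.0/24 are diverted into table 100 by the rule.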