Weird VPN losing connection issue

Hi all,

I searched high and low for a solution before posting here.
I've set up a VPN client on my OpenWrt router (TL-WR1043ND v2) and have the weirdest issue.
The router in question is connected in client mode to my main router (Speedport w724v) and all is fine in regards to regular networking.
Now when I establish a VPN connection it works fine for a while and then I lose all connectivity to the VPN server.
Well, technically that's not true, I'm still connected to it but I can't ping it.
As anyone with at least half a brain would do, I try reconnecting, which succeeds, but I still can't ping the server.
Resetting the router also doesn't help, I can connect but can't ping.
VPN is completely dead until I reset my main router.
Everything points to my main router causing the issue, but here's the kicker.
I've reset the main router, connected to VPN, transferred the data I needed, disconnected from VPN and a couple of hours later I've reconnected to it and guess what?
It connects but I can't ping the server.
I am clueless on how to proceed so any help is appreciated.

Cheers


ambiguous

please confirm;

  1. your sanitized client vpn config ( change any ip's / mac's / passwords etc )
  2. provide some

logread | grep openvpn | tail -n 25

     as early as possible after the issue begins...
  3. your "main router model / os version"
  4. that the vpn-client-openwrt router is or is not on dhcp ( are you using its "wan" interface... "lan"? firewall? )
  5. if you have a way to interrogate or check NAT tables on the main router...

how exactly are you coming to this conclusion...;

( note: please use code tags ^ < / > if pasting command output )

Hi wulfy23,

I'm pretty sure the config is fine.
It's the same config I used on my RPi and it was running flawlessly for months.

Log:

Mon Nov 25 09:58:06 2019 daemon.notice openvpn(dad)[6153]: [server] Peer Connection Initiated with [AF_INET]---.---.---.75:1194
Mon Nov 25 09:58:07 2019 daemon.notice openvpn(dad)[6153]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Nov 25 09:58:07 2019 daemon.notice openvpn(dad)[6153]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9,peer-id 0,cipher AES-256-GCM'
Mon Nov 25 09:58:07 2019 daemon.err openvpn(dad)[6153]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Mon Nov 25 09:58:07 2019 daemon.err openvpn(dad)[6153]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Mon Nov 25 09:58:07 2019 daemon.err openvpn(dad)[6153]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Mon Nov 25 09:58:07 2019 daemon.notice openvpn(dad)[6153]: Pushed option removed by filter: 'route 10.8.0.1'
Mon Nov 25 09:58:07 2019 daemon.notice openvpn(dad)[6153]: OPTIONS IMPORT: timers and/or timeouts modified
Mon Nov 25 09:58:07 2019 daemon.notice openvpn(dad)[6153]: OPTIONS IMPORT: --ifconfig/up options modified
Mon Nov 25 09:58:07 2019 daemon.notice openvpn(dad)[6153]: OPTIONS IMPORT: peer-id set
Mon Nov 25 09:58:07 2019 daemon.notice openvpn(dad)[6153]: OPTIONS IMPORT: adjusting link_mtu to 1584
Mon Nov 25 09:58:07 2019 daemon.notice openvpn(dad)[6153]: OPTIONS IMPORT: data channel crypto options modified
Mon Nov 25 09:58:07 2019 daemon.notice openvpn(dad)[6153]: Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Nov 25 09:58:07 2019 daemon.notice openvpn(dad)[6153]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Nov 25 09:58:07 2019 daemon.notice openvpn(dad)[6153]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Nov 25 09:58:07 2019 daemon.notice openvpn(dad)[6153]: TUN/TAP device tun0 opened
Mon Nov 25 09:58:07 2019 daemon.notice openvpn(dad)[6153]: TUN/TAP TX queue length set to 100
Mon Nov 25 09:58:07 2019 daemon.notice openvpn(dad)[6153]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Nov 25 09:58:07 2019 daemon.notice openvpn(dad)[6153]: /sbin/ifconfig tun0 10.8.0.10 pointopoint 10.8.0.9 mtu 1460
Mon Nov 25 09:58:07 2019 daemon.notice openvpn(dad)[6153]: /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 metric 50 gw 10.8.0.9
Mon Nov 25 09:58:07 2019 daemon.notice openvpn(dad)[6153]: /sbin/route add -net 192.168.0.0 netmask 255.255.255.0 metric 50 gw 10.8.0.9
Mon Nov 25 09:58:07 2019 daemon.notice openvpn(dad)[6153]: GID set to nogroup
Mon Nov 25 09:58:07 2019 daemon.notice openvpn(dad)[6153]: UID set to nobody
Mon Nov 25 09:58:07 2019 daemon.warn openvpn(dad)[6153]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Nov 25 09:58:07 2019 daemon.notice openvpn(dad)[6153]: Initialization Sequence Completed

Note: the errors are probably caused by the route-nopull option in my config, so the whole traffic doesn't get routed through the VPN.

Main router is Speedport W 724V - ver. B - 01011603.07.001
DHCP is off on the OpenWrt router and it is connecting to the main router over wireless (bridge mode using this guide).
As for NAT on the main router, I can't do anything other than what its web config allows; it's locked tighter than a king's daughter.
The way I know I'm still connected is that I connect to the VPN server from my PC and reboot it, and on the OpenWrt router I get a message in the log that the VPN server has disconnected.
Another note: when the VPN connection goes stale there is no error of any sort in the log, it's like all is fine but it is not. The only error I can get is if it goes stale in the middle of a file transfer and I get a timeout error.

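An added example (not part of the thread, not OpenVPN's or OpenWrt's own code): a small Python parser for logread lines of the shape shown above that separates what the server pushed from what a route-nopull client actually imported, and reads the keepalive timers out of the imported options. The sample lines are constructed from the excerpt above; 203.0.113.75 stands in for the anonymised server address.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Line shapes taken from the thread's logread excerpt.
PUSH_RE = re.compile(r"PUSH: Received control message: '(?P<msg>[^']*)'")
OPT_ERR_RE = re.compile(r"Options error: option '(?P<opt>[^']+)' cannot be used in this context")
FILTERED_RE = re.compile(r"Pushed option removed by filter: '(?P<opt>[^']+)'")
RESTART_RE = re.compile(r"SIGUSR1\[(?P<reason>[^\]]+)\] received, process restarting")


@dataclass
class PushSummary:
    pushed: List[str] = field(default_factory=list)    # every PUSH_REPLY option, in order
    rejected: List[str] = field(default_factory=list)  # "cannot be used in this context"
    filtered: List[str] = field(default_factory=list)  # "Pushed option removed by filter"
    applied: List[str] = field(default_factory=list)   # what the client actually imported
    ping: Optional[int] = None                         # seconds between keepalive pings
    ping_restart: Optional[int] = None                 # seconds of silence before a SIGUSR1 restart
    initialized: bool = False                          # saw "Initialization Sequence Completed"
    restarts: List[str] = field(default_factory=list)  # reasons from SIGUSR1[...] lines


def parse_openvpn_log(lines):
    """Summarise one OpenVPN client session from logread lines."""
    s = PushSummary()
    rejected_by_name = Counter()
    for line in lines:
        if m := PUSH_RE.search(line):
            opts = m.group("msg").split(",")
            if opts and opts[0] == "PUSH_REPLY":
                opts = opts[1:]
            s.pushed.extend(opts)
        elif m := OPT_ERR_RE.search(line):
            rejected_by_name[m.group("opt")] += 1
        elif m := FILTERED_RE.search(line):
            s.filtered.append(m.group("opt"))
        elif m := RESTART_RE.search(line):
            s.restarts.append(m.group("reason"))
        elif "Initialization Sequence Completed" in line:
            s.initialized = True

    # OpenVPN logs one "Options error" per rejected pushed option, naming only its
    # first word, so walk the pushed list in order and pair them up; this keeps the
    # two "dhcp-option DNS ..." entries distinct.
    for opt in s.pushed:
        name = opt.split()[0]
        if rejected_by_name[name] > 0:
            rejected_by_name[name] -= 1
            s.rejected.append(opt)
        elif opt not in s.filtered:
            s.applied.append(opt)

    for opt in s.applied:
        words = opt.split()
        if len(words) == 2 and words[0] == "ping":
            s.ping = int(words[1])
        elif len(words) == 2 and words[0] == "ping-restart":
            s.ping_restart = int(words[1])
    return s


def liveness_verdict(s):
    """What a silent log means, given the keepalive timers the client imported."""
    if s.ping_restart is None:
        return "no ping-restart timer imported: OpenVPN would not notice a dead peer"
    if any("ping-restart" in r for r in s.restarts):
        return "peer stopped answering keepalives: OpenVPN restarted after %d s of silence" % s.ping_restart
    return ("keepalives answered (ping every %s s, restart after %d s of silence) and no "
            "ping-restart seen: the tunnel endpoints are up, so look beyond them at routing/NAT"
            % (s.ping, s.ping_restart))


# Constructed sample adapted from the thread's excerpt; 203.0.113.75 is a placeholder.
SAMPLE_LOG = """\
daemon.notice openvpn(dad)[6153]: [server] Peer Connection Initiated with [AF_INET]203.0.113.75:1194
daemon.notice openvpn(dad)[6153]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9,peer-id 0,cipher AES-256-GCM'
daemon.err openvpn(dad)[6153]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
daemon.err openvpn(dad)[6153]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
daemon.err openvpn(dad)[6153]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
daemon.notice openvpn(dad)[6153]: Pushed option removed by filter: 'route 10.8.0.1'
daemon.notice openvpn(dad)[6153]: OPTIONS IMPORT: timers and/or timeouts modified
daemon.notice openvpn(dad)[6153]: Initialization Sequence Completed
"""

if __name__ == "__main__":
    summary = parse_openvpn_log(SAMPLE_LOG.splitlines())
    print("applied :", summary.applied)
    print("rejected:", summary.rejected)
    print("filtered:", summary.filtered)
    print(liveness_verdict(summary))
```

When the imported ping-restart timer fires, logread shows SIGUSR1[soft,ping-restart]; a tunnel that sits "stale" for days without that line is still exchanging keepalives with the server, which points the search at the path beyond the two OpenVPN endpoints rather than at the tunnel itself.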

well just a random observation...

OPTIONS IMPORT: timers and/or timeouts modified

this is interesting... but I'd expect to see some log messages... can you increase the debugging level in the config file....

it's still unclear to me exactly what the "flow" is when problems arise...

in the stale state... what can a (not the openvpn-client) client do? can you get any server logs?

Well, I suck at explaining things ... :smiley:
I connect to the VPN server and, let's say, initiate a file transfer using ssh @ "tar", and it runs fine.
Some time down the line, it's not certain when it will occur, I get a transfer timeout.
This is the point I referred to as going stale.
After that I can't ping the server but the VPN connection is still active.
No error in the log about being disconnected or any other error for that matter.
I could leave it like this for days and no error would pop up.
Reconnecting to the VPN server yields a normal connection (Initialization Sequence Completed in the log) but I still can't ping the server.
The VPN disconnection message is shown only when I connect to the VPN using my PC and reboot the server, indicating the connection (on the OpenWrt router) was active the whole time even though I can't ping the server.
Maybe I should note that by pinging the server I refer to its local address when connected to it (in my case 192.168.0.12) and not its internet address.
As for server logs, well, it's set up so it doesn't keep them (don't ask why) but I'll change it and see if there is anything unusual.


Here's the exact log message when I reboot the server, just to be clear:

Connection reset command was pushed by server ('')
daemon.notice openvpn(dad)[1872]: TCP/UDP: Closing socket
daemon.notice openvpn(dad)[1872]: SIGUSR1[soft,server-pushed-connection-reset] received, process restarting

Edit: the log is exactly the same even with verbosity set to 4

is this a separate direct connection to the external VPN server?
is the PC going via openwrt or direct through your edge router?
does anything connect to the VPN at all apart from your openwrt box?
when you "cannot ping" you can make other tcp/udp connections right ( "through the vpn" aka to the remote-local-ip~192.168.0.12 from a real pc/non router client )?
are you running firewall rules on the openwrt box... what are they?

if you are running the vpn via openwrt's "wan" or have any fancy wan like firewall rules... the first thing you should try is just having one interface only ( lan )... ( assuming your edge router is natting )... this is the easiest way to know if it's config or something openwrt/network specific....

The PC is going through the main router.
Other than the occasional connection from my PC, nothing else but OpenWrt is connected to my VPN server.
From the PC everything always works fine, regardless of the state my OpenWrt box's VPN connection is in.
As for the firewall, I've got nothing set up (other than what was shown in the tutorial); I doubt that matters because its effect would be instant/constant, right?
Now when you pointed me to the server log, and after enabling it, I noticed one of the IPs in the client list having some weird address and a message in the log stating something like "previous connection for ´client´ will be dropped yada yada...".
That made me think I might have messed up the certs/config for OpenWrt and used the ones generated for my PC.
Even though I think that's not the case (I think it would have different effects than what I'm facing), I retrieved the OpenWrt config/certs and reinserted them in the router.
I've let a relatively big transfer run and I'll see if anything changes.
So as not to waste your time anymore, I'll let you know if it has any effect on my problem.
Thank you for trying to help me so far


Well, reinserting the certificates didn't solve anything.
I was able to transfer all I needed but when I checked this morning the connection was stale again.
On the VPN server side there were no errors, I could still see the OpenWrt box in the client list.
Tried reconnecting, same result as always.
What do you suggest as the next course of action?

@anon50098793? anyone?

use tcp... or

uci show network
uci show firewall

difficult to help properly with your real settings

( and for ease of debugging... cease using the vpn>direct! from any other client )

Here you go

uci show network:

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdb1:1403:07a7::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth1.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.1.1'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='dhcp'
network.wan.auto='0'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.wan6.auto='0'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='1 2 3 4 0t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='5 6t'
network.wwan=interface
network.wwan.proto='static'
network.wwan.netmask='255.255.255.0'
network.wwan.ipaddr='192.168.2.2'
network.wwan.gateway='192.168.2.1'
network.wwan.dns='208.67.222.222 208.67.220.220'
network.stabridge=interface
network.stabridge.proto='relay'
network.stabridge.network='lan' 'wwan'
network.stabridge.ipaddr='192.168.2.2'

uci show firewall:

firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].drop_invalid='1'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.lan.mtu_fix='1'
firewall.lan.network='lan stabridge wwan'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.input='REJECT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.wan.network='wan wan6'
firewall.wan.device='tun0'
firewall.lan_wan=forwarding
firewall.lan_wan.src='lan'
firewall.lan_wan.dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'

well, that is insightful... maybe @trendy or @jeff might be able to shed some light on your network config...

Actually more configurations are needed to see what can be wrong here:

uci show network; uci show firewall; head -n -0 /etc/firewall.user; uci show dhcp; \
ip -4 addr ; ip -4 ro ; ip -4 ru; iptables-save -c; \
ip -6 addr ; ip -6 ro ; ip -6 ru; ip6tables-save -c; \
ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.* ; \
uci show openvpn

Make sure the actual client config is in the last command. If not paste it along with the server config.
Also if you could explain what is going on with your wan, wan6, wwan, and stabridge interfaces.
Please use "Preformatted text </>" for logs, scripts, configs and general console output.


Here you go:

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdb1:1403:07a7::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth1.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.1.1'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='dhcp'
network.wan.auto='0'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.wan6.auto='0'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='1 2 3 4 0t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='5 6t'
network.wwan=interface
network.wwan.proto='static'
network.wwan.netmask='255.255.255.0'
network.wwan.ipaddr='192.168.2.2'
network.wwan.gateway='192.168.2.1'
network.wwan.dns='208.67.222.222 208.67.220.220'
network.stabridge=interface
network.stabridge.proto='relay'
network.stabridge.network='lan' 'wwan'
network.stabridge.ipaddr='192.168.2.2'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].drop_invalid='1'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.lan.mtu_fix='1'
firewall.lan.network='lan stabridge wwan'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.input='REJECT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.wan.network='wan wan6'
firewall.wan.device='tun0'
firewall.lan_wan=forwarding
firewall.lan_wan.src='lan'
firewall.lan_wan.dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].nonegcache='0'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ignore='1'
dhcp.lan.ra_management='1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
7: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.2/24 brd 192.168.2.255 scope global wlan0
       valid_lft forever preferred_lft forever
10: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    inet 10.8.0.10 peer 10.8.0.9/32 scope global tun0
       valid_lft forever preferred_lft forever
default via 192.168.2.1 dev wlan0 
10.8.0.0/24 via 10.8.0.9 dev tun0  metric 50 
10.8.0.9 dev tun0 scope link  src 10.8.0.10 
192.168.0.0/24 via 10.8.0.9 dev tun0  metric 50 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 
192.168.2.0/24 dev wlan0 scope link  src 192.168.2.2 
0:	from all lookup local 
2:	from all iif lo lookup 16800 
2:	from all iif wlan0 lookup 16801 
2:	from all iif br-lan lookup 16802 
32766:	from all lookup main 
32767:	from all lookup default 
# Generated by iptables-save v1.6.2 on Thu Nov 28 08:22:58 2019
*nat
:PREROUTING ACCEPT [118557:40814866]
:INPUT ACCEPT [363:290403]
:OUTPUT ACCEPT [3097:436692]
:POSTROUTING ACCEPT [10310:3603017]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[118557:40814866] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[105273:37169313] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[13284:3645553] -A PREROUTING -i wlan0 -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[10310:3603017] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[1535:212580] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[8721:3387141] -A POSTROUTING -o wlan0 -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[10256:3599721] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[118557:40814866] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Thu Nov 28 08:22:58 2019
# Generated by iptables-save v1.6.2 on Thu Nov 28 08:22:58 2019
*mangle
:PREROUTING ACCEPT [297487:107603680]
:INPUT ACCEPT [51843:6110638]
:FORWARD ACCEPT [134663:64134904]
:OUTPUT ACCEPT [49437:6396540]
:POSTROUTING ACCEPT [190115:71230995]
[1958:110104] -A FORWARD -o br-lan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone lan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[1850:110440] -A FORWARD -o wlan0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone lan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Nov 28 08:22:58 2019
# Generated by iptables-save v1.6.2 on Thu Nov 28 08:22:58 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[386:26729] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[51457:6083909] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[39679:4847272] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1:68] -A INPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
[38:2280] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[3067:353234] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[8710:883335] -A INPUT -i wlan0 -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[134663:64134904] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[124690:60222870] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[108:4788] -A FORWARD -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
[9493:3886334] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[372:20912] -A FORWARD -i wlan0 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[386:26729] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[49049:6369659] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[42376:5623437] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
[3063:351922] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[3610:394300] -A OUTPUT -o wlan0 -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[38:2280] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[3433:372738] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[13105:4280730] -A zone_lan_dest_ACCEPT -o wlan0 -m comment --comment "!fw3" -j ACCEPT
[9865:3907246] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[9865:3907246] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[9865:3907246] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[11777:1236569] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[11777:1236569] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[6673:746222] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[6673:746222] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[3067:353234] -A zone_lan_src_ACCEPT -i br-lan -m comment --comment "!fw3" -j ACCEPT
[8710:883335] -A zone_lan_src_ACCEPT -i wlan0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i tun0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Thu Nov 28 08:22:58 2019
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::32b5:c2ff:feb0:54ee/64 scope link 
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fdb1:1403:7a7::1/60 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::32b5:c2ff:feb0:54ee/64 scope link 
       valid_lft forever preferred_lft forever
7: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::32b5:c2ff:feb0:54ee/64 scope link 
       valid_lft forever preferred_lft forever
10: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 100
    inet6 fe80::c7e5:e0ac:9d36:8cc1/64 scope link 
       valid_lft forever preferred_lft forever
fdb1:1403:7a7::/64 dev br-lan  metric 1024 
unreachable fdb1:1403:7a7::/48 dev lo  metric 2147483647  error -148
fe80::/64 dev eth1  metric 256 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev wlan0  metric 256 
fe80::/64 dev tun0  metric 256 
unreachable default dev lo  metric -1  error -128
ff00::/8 dev br-lan  metric 256 
ff00::/8 dev eth1  metric 256 
ff00::/8 dev wlan0  metric 256 
ff00::/8 dev tun0  metric 256 
unreachable default dev lo  metric -1  error -128
0:	from all lookup local 
32766:	from all lookup main 
4200000001:	from all iif lo lookup unspec 12
4200000005:	from all iif br-lan lookup unspec 12
4200000007:	from all iif wlan0 lookup unspec 12
# Generated by ip6tables-save v1.6.2 on Thu Nov 28 08:22:58 2019
*mangle
:PREROUTING ACCEPT [31620:2746394]
:INPUT ACCEPT [26467:2143056]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [448:70064]
:POSTROUTING ACCEPT [448:70064]
[0:0] -A FORWARD -o br-lan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone lan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o wlan0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone lan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Nov 28 08:22:58 2019
# Generated by ip6tables-save v1.6.2 on Thu Nov 28 08:22:58 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[26467:2143056] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[0:0] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[26467:2143056] -A INPUT -i wlan0 -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i wlan0 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[448:70064] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[0:0] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
[429:68512] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[7:640] -A OUTPUT -o wlan0 -m comment --comment "!fw3" -j zone_lan_output
[12:912] -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[429:68512] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[7:640] -A zone_lan_dest_ACCEPT -o wlan0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[26467:2143056] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[26467:2143056] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[436:69152] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[436:69152] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i br-lan -m comment --comment "!fw3" -j ACCEPT
[26467:2143056] -A zone_lan_src_ACCEPT -i wlan0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[12:912] -A zone_wan_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[12:912] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[12:912] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i tun0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Thu Nov 28 08:22:58 2019
lrwxrwxrwx    1 root     root            16 Nov 19 12:58 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Nov 25 11:07 /tmp/resolv.conf
-rw-r--r--    1 root     root            69 Nov 25 11:07 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wwan
nameserver 208.67.222.222
nameserver 208.67.220.220
openvpn.dad=openvpn
openvpn.dad.config='/etc/openvpn/dad.conf'
openvpn.dad.enabled='1'
openvpn.sample_server=openvpn
openvpn.sample_server.port='1194'
openvpn.sample_server.proto='udp'
openvpn.sample_server.dev='tun'
openvpn.sample_server.ca='/etc/openvpn/ca.crt'
openvpn.sample_server.cert='/etc/openvpn/server.crt'
openvpn.sample_server.key='/etc/openvpn/server.key'
openvpn.sample_server.dh='/etc/openvpn/dh1024.pem'
openvpn.sample_server.server='10.8.0.0 255.255.255.0'
openvpn.sample_server.ifconfig_pool_persist='/tmp/ipp.txt'
openvpn.sample_server.keepalive='10 120'
openvpn.sample_server.compress='lzo'
openvpn.sample_server.persist_key='1'
openvpn.sample_server.persist_tun='1'
openvpn.sample_server.user='nobody'
openvpn.sample_server.status='/tmp/openvpn-status.log'
openvpn.sample_server.verb='3'
openvpn.sample_client=openvpn
openvpn.sample_client.client='1'
openvpn.sample_client.dev='tun'
openvpn.sample_client.proto='udp'
openvpn.sample_client.remote='my_server_1 1194'
openvpn.sample_client.resolv_retry='infinite'
openvpn.sample_client.nobind='1'
openvpn.sample_client.persist_key='1'
openvpn.sample_client.persist_tun='1'
openvpn.sample_client.user='nobody'
openvpn.sample_client.ca='/etc/openvpn/ca.crt'
openvpn.sample_client.cert='/etc/openvpn/client.crt'
openvpn.sample_client.key='/etc/openvpn/client.key'
openvpn.sample_client.compress='lzo'
openvpn.sample_client.verb='3'

VPN config:

client
dev tun
proto udp
remote ----.----.--- 1194
resolv-retry infinite
nobind
# drop root privileges once the tunnel is up
user nobody
group nogroup
# keep the key material and the tun device across restarts, required after dropping privileges
persist-key
persist-tun
ca dad-ca.crt
cert dad-client.crt
key dad-client.key
# require the server certificate to carry a server key usage / extended key usage
remote-cert-tls server
# HMAC on the control channel; key direction 1 on the client (the server uses 0)
tls-auth dad-ta.key 1
cipher AES-256-CBC
verb 3
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
# ignore any routes pushed by the server and add explicit ones instead;
# route-nopull already discards pushed routes, so the pull-filter line is redundant but harmless
pull-filter ignore "route "
route-metric 50
route-nopull
route 10.8.0.0 255.255.255.0
route 192.168.0.0 255.255.255.0
# note: no ping / keepalive directive is set locally in this config

wan and wan6 are unused; the first one is the WAN port, the second one I have no idea about :smiley: it was there when I installed OpenWrt.
wwan is the wireless connection to my main router and stabridge is a bridge between wwan and lan.

Try to add "keepalive 10 60" in both configs

--keepalive n m
A helper directive designed to simplify the expression of --ping and --ping-restart in server mode configurations

In the server config add ping-timer-rem

Run the --ping-exit / --ping-restart timer only if we have a remote address. Use this option if you are starting the daemon in listen mode (i.e. without an explicit --remote peer), and you don't want to start clocking timeouts until a remote peer connects.

You could also push the keepalive from the server to the client.

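An added example of where the three pieces of advice above go (this is my illustration, not config posted by anyone in this thread): a server config carrying keepalive and ping-timer-rem, and a client config with a local keepalive as a fallback. The server name vpn.example.org, the server-side certificate file names and the 10.8.0.0/24 pool are assumptions; the pool simply mirrors the sample_server defaults in the uci output earlier. The reason keepalive matters is that an idle UDP tunnel generates no packets at all, so nothing refreshes state on devices in the path (for instance a UDP NAT mapping on an upstream router) and neither end ever learns that the peer has gone quiet. ping covers the first problem, ping-restart the second.

```conf
# Added example, not from the original thread. Names, addresses and file
# names below are assumptions; replace them with your own.

##### /etc/openvpn/server.conf (on the VPN server) #####
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0      # assumption: same pool as sample_server
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0                  # key direction 0 here, 1 on the client

# In server mode "keepalive 10 60" expands to:
#   ping 10            server sends a ping after 10 s without traffic
#   ping-restart 120   server drops the client session after 120 s of silence
#   push "ping 10"
#   push "ping-restart 60"
# The pushed values override any local ping/ping-restart on the client, so
# this one line is enough; the client-side timeout is deliberately the
# shorter one so the client notices first and reconnects on its own.
keepalive 10 60

# Start the ping-restart timer only once a remote peer has connected, as the
# man page recommends for a daemon started in listen mode without --remote.
ping-timer-rem

persist-key
persist-tun
verb 3

##### /etc/openvpn/dad.conf (on the OpenWrt client) #####
client
dev tun
proto udp
remote vpn.example.org 1194        # assumption: the server's public address
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-auth dad-ta.key 1
ca dad-ca.crt
cert dad-client.crt
key dad-client.key

# Local fallback in case the server does not push a keepalive. In client mode
# this is simply "ping 10" plus "ping-restart 60"; if the server does push
# values, they win.
keepalive 10 60

# route-nopull discards only pushed routes, DNS and DHCP options. Pushed
# ping / ping-restart values still take effect, so the server's keepalive
# reaches this client even with route-nopull set.
route-nopull
route 10.8.0.0 255.255.255.0
verb 3
```

Because the uci output above starts the client with `option config '/etc/openvpn/dad.conf'`, the client-side directives belong in that file rather than in UCI options. After editing, restart OpenVPN on both ends and check logread on the client: the PUSH_REPLY line it logs on connect lists the ping and ping-restart values the server pushed, which confirms the server-side keepalive actually reached the client.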

Incredible
The connection hasn't gone stale for almost 24 hours
If it doesn't go stale till tonight I'll mark this as solved

Hopefully it was as easy as that.

All hail @trendy our lord and savior :grin:
And let's not forget @anon50098793 too.
Connection is running strong for over 24 hours.
Thanks guys!
Or girls, I really have no idea :rofl:
