Topic: OpenVPN: Traffic does not route through tunnel

Hi guys,

I just set up an OpenVPN Server (TAP) on my Archer C7 following this guide: vpn.openvpn

The connection works and I can access devices on my network through the tunnel. My problem is that the WAN traffic is not sent this way (the public IP does not change).

The guide says that this should remedy the problem: uci add_list openvpn.myvpn.push='redirect-gateway def1'

Still it does not work as it should. I also tried manually adding 'redirect-gateway def1' to my client configuration, but that didn't change anything either.

Can anybody help me?

/etc/config/network

# Loopback; nothing VPN-related here.
config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd55:cf98:2089::/48'

# LAN bridge (br-lan). tap0 is a bridge port here, so OpenVPN TAP clients sit
# directly on 192.168.1.0/24 and, from the firewall's point of view, their
# traffic arrives on the 'lan' network rather than on 'vpn0' (bottom of file).
config interface 'lan'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    # NOTE(review): tap0 is also claimed by interface 'vpn0' below; one device
    # should belong to one interface. For a bridged (TAP) setup keep it here
    # and drop 'vpn0' together with the 'vpn' firewall zone that references it.
    option ifname 'eth1 tap0'

# WAN via DHCP. peerdns '0' ignores the ISP's resolvers in favour of the two
# Google resolvers listed; upstream DNS is plain UDP/53, i.e. unencrypted.
config interface 'wan'
    option ifname 'eth0'
    option proto 'dhcp'
    option peerdns '0'
    option dns '8.8.8.8 8.8.4.4'

config interface 'wan6'
    option ifname 'eth0'
    option proto 'dhcpv6'

# Switch: VLAN 1 (ports 0 2 3 4 5) and VLAN 2 (ports 1 6). Which port numbers
# are the CPU ports depends on the board -- check the Archer C7 switch layout.
config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0 2 3 4 5'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '1 6'

# Guest network on its own subnet. The '_orig_*' options look like LuCI
# bookkeeping rather than live configuration; the actual wlan1-1 assignment
# presumably lives in /etc/config/wireless -- confirm there.
config interface 'guest'
    option _orig_ifname 'wlan1-1'
    option _orig_bridge 'false'
    option proto 'static'
    option ipaddr '192.168.3.1'
    option netmask '255.255.255.0'

# Unmanaged interface over the same tap0 that is already a br-lan port above.
# NOTE(review): because tap0 is enslaved to br-lan, this interface is unlikely
# to see the VPN clients' traffic on its own; see the 'lan' comment.
config interface 'vpn0'
    option ifname 'tap0'
    option proto 'none'
    option auto '1'

/etc/config/firewall

# Defaults apply only where a zone does not set its own policy; every zone in
# this file sets input/output/forward explicitly, so these rarely matter.
config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

# LAN zone: fully open towards the router. Since tap0 is a br-lan port in
# /etc/config/network, bridged VPN clients fall into this zone too.
config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'

# WAN zone: reject inbound by default, NAT (masq) outbound, clamp MSS.
config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'wan wan6'

# This lan -> wan forwarding is the path that redirected VPN client traffic
# takes once it reaches the router via br-lan.
config forwarding
    option src 'lan'
    option dest 'wan'

# Stock OpenWrt allow rules for DHCP, ping, IGMP, DHCPv6, MLD and ICMPv6.
config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fe80::/10'
    option src_port '547'
    option dest_ip 'fe80::/10'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

# Custom iptables rules, if any, live here and are not shown on this page.
config include
    option path '/etc/firewall.user'

# NOTE(review): the next two rules forward IPsec (ESP, and IKE on UDP/500)
# from WAN into the LAN zone. Nothing else on this page uses IPsec. They only
# take effect if a LAN host is reachable from WAN (e.g. via a redirect or a
# public IPv6 address), but if they are left over from an earlier setup there
# is no reason to keep the allowance -- remove them.
config rule
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

# Guest zone: isolated from the router and from LAN, Internet only.
config zone
    option name 'guest'
    option forward 'REJECT'
    option output 'ACCEPT'
    option network 'guest'
    option input 'REJECT'

config forwarding
    option dest 'wan'
    option src 'guest'

# Guest clients may still reach the router's DNS and DHCP.
config rule
    option target 'ACCEPT'
    option proto 'tcp udp'
    option dest_port '53'
    option name 'Guest DNS'
    option src 'guest'

config rule
    option enabled '1'
    option target 'ACCEPT'
    option proto 'udp'
    option dest_port '67-68'
    option name 'Guest DHCP'
    option src 'guest'

# NOTE(review): src '*' matches every zone, so UDP/1194 is reachable from the
# guest network as well as from WAN (the guest zone otherwise rejects input).
# LAN already has input ACCEPT, so `option src 'wan'` is sufficient here.
config rule 'Allow_OpenVPN_Inbound'
    option target 'ACCEPT'
    option src '*'
    option proto 'udp'
    option dest_port '1194'

# Zone for the standalone 'vpn0' interface. Because tap0 is a port of br-lan
# in /etc/config/network, VPN clients are seen by the firewall as 'lan'
# traffic, so this zone and its three forwardings are most likely never hit;
# with clients bridged onto 192.168.1.0/24, masq '1' (NAT between VPN and LAN)
# is also unnecessary. Presumably safe to delete -- check the packet counters
# (e.g. `iptables -vnL`) with a client connected before doing so.
config zone 'vpn'
    option name 'vpn'
    option network 'vpn0'
    option input 'ACCEPT'
    option forward 'REJECT'
    option output 'ACCEPT'
    option masq '1'

config forwarding 'vpn_forwarding_lan_in'
    option src 'vpn'
    option dest 'lan'

config forwarding 'vpn_forwarding_lan_out'
    option src 'lan'
    option dest 'vpn'

# The redirected Internet traffic the question is about is handled by the
# lan -> wan forwarding near the top of this file, not by this one.
config forwarding 'vpn_forwarding_wan'
    option src 'vpn'
    option dest 'wan'

/etc/config/openvpn

# OpenVPN server, bridged (TAP) onto br-lan; listens on UDP/1194.
config openvpn 'myvpn'
    option enabled '1'
    option verb '3'
    option proto 'udp'
    option port '1194'
    # TAP + bridge: clients get addresses on 192.168.1.0/24 directly.
    option dev 'tap'
    option mode 'server'
    option tls_server '1'
    # Tells clients to learn their gateway from a DHCP lease on the tap
    # adapter. 'redirect-gateway def1' can only install its default routes
    # once a gateway is known, so if the client never obtains a lease on the
    # tap adapter the redirect silently does nothing. That is presumably why
    # adding server_bridge (which pushes a concrete 'route-gateway
    # 192.168.1.1' and hands out a fixed pool) fixed the routing in the reply
    # below; once server_bridge is in place this 'dhcp' push is probably
    # redundant.
    list push 'route-gateway dhcp'
    list push 'redirect-gateway def1'
    option keepalive '10 120'
    option ca '/etc/openvpn/ca.crt'
    option cert '/etc/openvpn/wob-server.crt'
    option key '/etc/openvpn/wob-server.key'
    option dh '/etc/openvpn/dh2048.pem'
    # NOTE(review): hardening worth adding -- no tls_crypt/tls_auth key is
    # configured, so the UDP port will start a TLS handshake with anyone who
    # finds it (a pre-shared HMAC key lets unauthenticated packets be dropped
    # cheaply); no explicit cipher/auth, so whatever this build defaults to is
    # used (confirm it is not the legacy BF-CBC/SHA1); and the daemon keeps
    # root after start-up (consider `option user 'nobody'` and
    # `option group 'nogroup'`).

Re: OpenVPN: Traffic does not route through tunnel

Managed to solve the problem by adding this line to /etc/config/openvpn

# server_bridge = gateway, netmask, pool start, pool end. It makes OpenVPN push
# 'route-gateway 192.168.1.1' to clients and assign them 192.168.1.128-254.
# NOTE(review): that pool must not overlap the dnsmasq range for the LAN in
# /etc/config/dhcp (OpenWrt's default of start 100 / limit 150 would cover
# 192.168.1.100-249 and collide with it) -- verify and shrink one of them.
option server_bridge "192.168.1.1 255.255.255.0 192.168.1.128 192.168.1.254"

I'm happy that it works, but I would still love it if somebody could explain this to me. I thought the bridge to my LAN was defined in /etc/config/network.