OpenWrt Forum Archive

Topic: configuring router so that some devices completely bypass vpn [SOLVED]

The content of this topic has been archived between 13 Apr 2018 and 23 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I have openvpn running in my OpenWRT router so that all devices in my home network connect to internet through vpn.

The only other thing I need is to have two devices connected to the router NOT be behind the vpn: My Roku stick and a laptop that I'd like to ssh to from work. Both of these devices have a static local ip address.

I've tried the vpnbypass package and it works great for the Roku, but ssh'ing to laptop just doesn't work while vpn is on, no matter what I try. I think the issue is that the vpnbypass package was designed with outgoing traffic in mind, but in the case of ssh the "vpnbypass" needs to be bidirectional.

I've asked for help at the vpnbypass thread (at the LEDE forum), but I've gotten nowhere and get the feeling that the thread just doesn't get a lot of eyeballs. I'm frustrated enough that I'm ready to ditch vpnbypass and try something else such as a boot script or manual firewall configuration. Problem is that I don't know enough about firewalls and routing to come up with the solution myself.

By the way, with vpn off and port forwarding configured I can ssh to the laptop from work just fine.

Please, I'm willing to learn and experiment for hours if need be, but I've run out of ideas and am just going around in circles at this point. Can anyone point me in the right direction?

(Last edited by GNUser on 23 Sep 2017, 21:34)

You can ssh into your devices using TOR. You don't need to bypass the VPN. The devices are then simply available anonymously over xxxxxxxxxxxxx.onion .
You can use a router in front of devices that you don't own (don't have the full code for those). In the case of your laptop you probably can directly turn on the ssh daemon and tor on the laptop itself.

(Last edited by kelhgvrb on 21 Sep 2017, 01:29)

Wow, thanks for suggesting that. I never knew it was an option. I will try it out. (BTW, sshd is already running on the laptop, of course--it would just be a matter of figuring out the tor component.)

Nevertheless, I would still like to learn how to make the router allow ssh traffic to/from the laptop to travel outside the vpn tunnel--after struggling with this for so many days, finding a more traditional solution would be quite satisfying.

(Last edited by GNUser on 21 Sep 2017, 02:06)

vpnbypass is a wrapper for ipset and iptables. Please post the iptables rules both when port forwarding to the internal IP doesn't work, and when it works without vpnbypass. It should work; we'll compare them.

Thank you, ulmwind. I will post both. Before I do so, which command will output exactly what you want to see? Is it one (or more) of these, or something else?

iptables -vL -t filter
iptables -vL -t nat
iptables -vL -t mangle
iptables -vL -t raw
iptables -vL -t security
iptables -S

I don't know if it was clear before, but the laptop I want to connect to is at home, on the vpnbypass subnet, has a static local IP, and port 22 is forwarded to it in the router.

EDIT:
I discovered something new: While I cannot connect to the laptop from any machine on my home network (regardless of whether the machine is bypassing vpn or not), I *am* able to connect from *outside* my network. I hadn't tried connecting remotely because I usually test things out at home first.

I hope examining the iptables rules with and without openvpn+vpnbypass will explain this unexpected behavior.

(Last edited by GNUser on 21 Sep 2017, 19:56)

Let's start with

iptables -nvL
iptables -S

It is strange, because both IPs are in the same LAN.

(Last edited by ulmwind on 21 Sep 2017, 20:37)

I tried pasting the output in pastebin, but this forum is not allowing me to post links. So here they go:

When openvpn and vpnbypass are *disabled*, I can ssh to 192.168.10.61 *both* from lan and wan.
This is the output of iptables -nvL:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            ID:66773300
  471 47834 input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for input */
  348 35381 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate RELATED,ESTABLISHED
   26  2232 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate INVALID
    3   144 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 tcp flags:0x17/0x02
   80  8168 zone_lan_input  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ID:66773300
   17  2053 zone_wan_input  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1823 1267K forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for forwarding */
 1737 1259K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate RELATED,ESTABLISHED
    8  1400 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate INVALID
   77  5696 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ID:66773300
    1    60 zone_wan_forward  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            ID:66773300
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            ID:66773300
  317 48925 output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for output */
  245 42484 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate RELATED,ESTABLISHED
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate INVALID
    7  2039 zone_lan_output  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            ID:66773300
   65  4402 zone_wan_output  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain reject (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    5   537 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 reject-with tcp-reset
   12  1516 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    3   144 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 tcp flags:0x17/0x02 limit: avg 25/sec burst 50
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_lan_dest_ACCEPT (4 references)
 pkts bytes target     prot opt in     out     source               destination         
    7  2039 ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   77  5696 forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for forwarding */
   77  5696 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* forwarding lan -> wan */
    1    60 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate DNAT /* Accept port forwards */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   80  8168 input_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for input */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate DNAT /* Accept port redirections */
   80  8168 zone_lan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    7  2039 output_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for output */
    7  2039 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   80  8168 ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  141 10038 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1    60 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for forwarding */
    0     0 zone_lan_dest_ACCEPT  esp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* @rule[7] */
    0     0 zone_lan_dest_ACCEPT  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 udp dpt:500 /* @rule[8] */
    1    60 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate DNAT /* Accept port forwards */
    0     0 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   17  2053 input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for input */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 udp dpt:68 /* Allow-DHCP-Renew */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 icmptype 8 /* Allow-Ping */
    0     0 ACCEPT     2    --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* Allow-IGMP */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate DNAT /* Accept port redirections */
   17  2053 zone_wan_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   65  4402 output_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for output */
   65  4402 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   17  2053 reject     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            ID:66773300

And this is the output of iptables -S:

-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N forwarding_lan_rule
-N forwarding_rule
-N forwarding_wan_rule
-N input_lan_rule
-N input_rule
-N input_wan_rule
-N output_lan_rule
-N output_rule
-N output_wan_rule
-N reject
-N syn_flood
-N zone_lan_dest_ACCEPT
-N zone_lan_forward
-N zone_lan_input
-N zone_lan_output
-N zone_lan_src_ACCEPT
-N zone_wan_dest_ACCEPT
-N zone_wan_dest_REJECT
-N zone_wan_forward
-N zone_wan_input
-N zone_wan_output
-N zone_wan_src_REJECT
-A INPUT -i lo -m id --id 0x66773300 -j ACCEPT
-A INPUT -m id --id 0x66773300 -m comment --comment "user chain for input" -j input_rule
-A INPUT -m id --id 0x66773300 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m id --id 0x66773300 -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m id --id 0x66773300 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A INPUT -i br-lan -m id --id 0x66773300 -j zone_lan_input
-A INPUT -i eth1 -m id --id 0x66773300 -j zone_wan_input
-A FORWARD -m id --id 0x66773300 -m comment --comment "user chain for forwarding" -j forwarding_rule
-A FORWARD -m id --id 0x66773300 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m id --id 0x66773300 -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i br-lan -m id --id 0x66773300 -j zone_lan_forward
-A FORWARD -i eth1 -m id --id 0x66773300 -j zone_wan_forward
-A FORWARD -m id --id 0x66773300 -j reject
-A OUTPUT -o lo -m id --id 0x66773300 -j ACCEPT
-A OUTPUT -m id --id 0x66773300 -m comment --comment "user chain for output" -j output_rule
-A OUTPUT -m id --id 0x66773300 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m id --id 0x66773300 -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -o br-lan -m id --id 0x66773300 -j zone_lan_output
-A OUTPUT -o eth1 -m id --id 0x66773300 -j zone_wan_output
-A reject -p tcp -m id --id 0x66773300 -j REJECT --reject-with tcp-reset
-A reject -m id --id 0x66773300 -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m id --id 0x66773300 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
-A syn_flood -m id --id 0x66773300 -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m id --id 0x66773300 -j ACCEPT
-A zone_lan_forward -m id --id 0x66773300 -m comment --comment "user chain for forwarding" -j forwarding_lan_rule
-A zone_lan_forward -m id --id 0x66773300 -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m id --id 0x66773300 -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_lan_forward -m id --id 0x66773300 -j zone_lan_dest_ACCEPT
-A zone_lan_input -m id --id 0x66773300 -m comment --comment "user chain for input" -j input_lan_rule
-A zone_lan_input -m id --id 0x66773300 -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_lan_input -m id --id 0x66773300 -j zone_lan_src_ACCEPT
-A zone_lan_output -m id --id 0x66773300 -m comment --comment "user chain for output" -j output_lan_rule
-A zone_lan_output -m id --id 0x66773300 -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m id --id 0x66773300 -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth1 -m id --id 0x66773300 -j ACCEPT
-A zone_wan_dest_REJECT -o eth1 -m id --id 0x66773300 -j reject
-A zone_wan_forward -m id --id 0x66773300 -m comment --comment "user chain for forwarding" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m id --id 0x66773300 -m comment --comment "@rule[7]" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m id --id 0x66773300 -m udp --dport 500 -m comment --comment "@rule[8]" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m id --id 0x66773300 -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_wan_forward -m id --id 0x66773300 -j zone_wan_dest_REJECT
-A zone_wan_input -m id --id 0x66773300 -m comment --comment "user chain for input" -j input_wan_rule
-A zone_wan_input -p udp -m id --id 0x66773300 -m udp --dport 68 -m comment --comment Allow-DHCP-Renew -j ACCEPT
-A zone_wan_input -p icmp -m id --id 0x66773300 -m icmp --icmp-type 8 -m comment --comment Allow-Ping -j ACCEPT
-A zone_wan_input -p igmp -m id --id 0x66773300 -m comment --comment Allow-IGMP -j ACCEPT
-A zone_wan_input -m id --id 0x66773300 -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_wan_input -m id --id 0x66773300 -j zone_wan_src_REJECT
-A zone_wan_output -m id --id 0x66773300 -m comment --comment "user chain for output" -j output_wan_rule
-A zone_wan_output -m id --id 0x66773300 -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth1 -m id --id 0x66773300 -j reject

(Last edited by GNUser on 21 Sep 2017, 22:12)
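Comparing the dumps GNUser posts with openvpn+vpnbypass disabled and enabled, the way ulmwind suggests, as an added example that is not part of the thread: a small POSIX shell script that strips the per-rule fw3 id marker, lists the rules that exist only in the enabled dump, and prints the zone chain that FORWARD hands a packet from a given ingress interface to, followed by that chain's rules in order. The two embedded dumps are short excerpts constructed from the rules posted in this thread; normalize, added_rules and forward_path are names chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): compare two `iptables -S` dumps as
# ulmwind proposes, and walk the FORWARD chain for a given ingress interface.
# The two sample dumps are short excerpts constructed from the rules posted above.

DISABLED=$(mktemp)   # openvpn + vpnbypass disabled
ENABLED=$(mktemp)    # openvpn + vpnbypass enabled
trap 'rm -f "$DISABLED" "$ENABLED"' EXIT

cat > "$DISABLED" <<'EOF'
-P FORWARD DROP
-A FORWARD -i br-lan -m id --id 0x66773300 -j zone_lan_forward
-A FORWARD -i eth1 -m id --id 0x66773300 -j zone_wan_forward
-A FORWARD -m id --id 0x66773300 -j reject
-A zone_lan_forward -m id --id 0x66773300 -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m id --id 0x66773300 -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_lan_forward -m id --id 0x66773300 -j zone_lan_dest_ACCEPT
EOF

cat > "$ENABLED" <<'EOF'
-P FORWARD DROP
-A FORWARD -i br-lan -m id --id 0x66773300 -j zone_lan_forward
-A FORWARD -i eth1 -m id --id 0x66773300 -j zone_wan_forward
-A FORWARD -i tun0 -m id --id 0x66773300 -j zone_VPN_forward
-A FORWARD -m id --id 0x66773300 -j reject
-A zone_VPN_dest_ACCEPT -o tun0 -m id --id 0x66773300 -j ACCEPT
-A zone_VPN_forward -m id --id 0x66773300 -j zone_VPN_dest_REJECT
-A zone_lan_forward -m id --id 0x66773300 -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m id --id 0x66773300 -m comment --comment "forwarding lan -> VPN" -j zone_VPN_dest_ACCEPT
-A zone_lan_forward -m id --id 0x66773300 -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_lan_forward -m id --id 0x66773300 -j zone_lan_dest_ACCEPT
EOF

# Strip the "-m id --id 0x..." marker that fw3 stamps on every rule, so dumps
# taken across a firewall reload are compared on their actual match/target
# content. Rule order is preserved: inside a chain the first match wins.
normalize() {
    sed -e 's/ -m id --id 0x[0-9a-fA-F]*//' "$1"
}

# Rules present in the second dump ($2) but not in the first ($1).
added_rules() {
    base=$(mktemp)
    normalize "$1" > "$base"
    normalize "$2" | grep -vxF -f "$base" || :
    rm -f "$base"
}

# For packets arriving on interface $1, print the zone chain FORWARD dispatches
# them to, then that chain's rules in order. A chain that falls through returns
# to FORWARD, whose final rule is the catch-all reject.
forward_path() {
    chain=$(normalize "$2" | sed -n "s/^-A FORWARD -i $1 -j \([A-Za-z_]*\)\$/\1/p" | head -n 1)
    if [ -z "$chain" ]; then
        echo "FORWARD has no dispatch rule for interface $1" >&2
        return 1
    fi
    echo "$chain"
    normalize "$2" | grep "^-A $chain "
}

echo "== rules present only when openvpn + vpnbypass are enabled =="
added_rules "$DISABLED" "$ENABLED"
echo
echo "== path of a packet entering FORWARD from br-lan (enabled) =="
forward_path br-lan "$ENABLED"
```

Run it against real dumps by replacing the two heredocs with `iptables -S > file` captures taken in each state; the FORWARD walk shows that a LAN-to-LAN packet only reaches the router's FORWARD chain at all if the two hosts sit on different subnets or bridges.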

When openvpn and vpnbypass are *enabled*, I can ssh to 192.168.10.61 *only* from wan, not from lan.
This is the output of iptables -nvL:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            ID:66773300
  520 67548 input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for input */
  427 58234 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate RELATED,ESTABLISHED
    9   444 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate INVALID
    4   180 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 tcp flags:0x17/0x02
   53  4390 zone_lan_input  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ID:66773300
   31  4480 zone_wan_input  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            ID:66773300
    0     0 zone_VPN_input  all  --  tun0   *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  376 59590 forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for forwarding */
  329 55537 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate RELATED,ESTABLISHED
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate INVALID
   46  3993 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ID:66773300
    1    60 zone_wan_forward  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            ID:66773300
    0     0 zone_VPN_forward  all  --  tun0   *       0.0.0.0/0            0.0.0.0/0            ID:66773300
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            ID:66773300
  455 92458 output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for output */
  402 88562 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate RELATED,ESTABLISHED
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate INVALID
    1   335 zone_lan_output  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            ID:66773300
    0     0 zone_wan_output  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            ID:66773300
   52  3561 zone_VPN_output  all  --  *      tun0    0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain forwarding_VPN_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_VPN_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_VPN_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain reject (5 references)
 pkts bytes target     prot opt in     out     source               destination         
   13  2390 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 reject-with tcp-reset
   18  2090 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    4   180 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 tcp flags:0x17/0x02 limit: avg 25/sec burst 50
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_VPN_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
   70  5626 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_VPN_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_VPN_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 forwarding_VPN_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for forwarding */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate DNAT /* Accept port forwards */
    0     0 zone_VPN_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_VPN_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 input_VPN_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for input */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate DNAT /* Accept port redirections */
    0     0 zone_VPN_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_VPN_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   52  3561 output_VPN_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for output */
   52  3561 zone_VPN_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_VPN_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_lan_dest_ACCEPT (4 references)
 pkts bytes target     prot opt in     out     source               destination         
    1   335 ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   46  3993 forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for forwarding */
   46  3993 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* forwarding lan -> wan */
   18  2065 zone_VPN_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* forwarding lan -> VPN */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate DNAT /* Accept port forwards */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   53  4390 input_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for input */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate DNAT /* Accept port redirections */
   53  4390 zone_lan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1   335 output_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for output */
    1   335 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   53  4390 ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
   28  1928 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1    60 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for forwarding */
    0     0 zone_lan_dest_ACCEPT  esp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* @rule[7] */
    0     0 zone_lan_dest_ACCEPT  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 udp dpt:500 /* @rule[8] */
    1    60 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate DNAT /* Accept port forwards */
    0     0 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   31  4480 input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for input */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 udp dpt:68 /* Allow-DHCP-Renew */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 icmptype 8 /* Allow-Ping */
    0     0 ACCEPT     2    --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* Allow-IGMP */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate DNAT /* Accept port redirections */
   31  4480 zone_wan_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 output_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for output */
    0     0 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   31  4480 reject     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            ID:66773300

And this is the output of iptables -S:

-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N forwarding_VPN_rule
-N forwarding_lan_rule
-N forwarding_rule
-N forwarding_wan_rule
-N input_VPN_rule
-N input_lan_rule
-N input_rule
-N input_wan_rule
-N output_VPN_rule
-N output_lan_rule
-N output_rule
-N output_wan_rule
-N reject
-N syn_flood
-N zone_VPN_dest_ACCEPT
-N zone_VPN_dest_REJECT
-N zone_VPN_forward
-N zone_VPN_input
-N zone_VPN_output
-N zone_VPN_src_REJECT
-N zone_lan_dest_ACCEPT
-N zone_lan_forward
-N zone_lan_input
-N zone_lan_output
-N zone_lan_src_ACCEPT
-N zone_wan_dest_ACCEPT
-N zone_wan_dest_REJECT
-N zone_wan_forward
-N zone_wan_input
-N zone_wan_output
-N zone_wan_src_REJECT
-A INPUT -i lo -m id --id 0x66773300 -j ACCEPT
-A INPUT -m id --id 0x66773300 -m comment --comment "user chain for input" -j input_rule
-A INPUT -m id --id 0x66773300 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m id --id 0x66773300 -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m id --id 0x66773300 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A INPUT -i br-lan -m id --id 0x66773300 -j zone_lan_input
-A INPUT -i eth1 -m id --id 0x66773300 -j zone_wan_input
-A INPUT -i tun0 -m id --id 0x66773300 -j zone_VPN_input
-A FORWARD -m id --id 0x66773300 -m comment --comment "user chain for forwarding" -j forwarding_rule
-A FORWARD -m id --id 0x66773300 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m id --id 0x66773300 -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i br-lan -m id --id 0x66773300 -j zone_lan_forward
-A FORWARD -i eth1 -m id --id 0x66773300 -j zone_wan_forward
-A FORWARD -i tun0 -m id --id 0x66773300 -j zone_VPN_forward
-A FORWARD -m id --id 0x66773300 -j reject
-A OUTPUT -o lo -m id --id 0x66773300 -j ACCEPT
-A OUTPUT -m id --id 0x66773300 -m comment --comment "user chain for output" -j output_rule
-A OUTPUT -m id --id 0x66773300 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m id --id 0x66773300 -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -o br-lan -m id --id 0x66773300 -j zone_lan_output
-A OUTPUT -o eth1 -m id --id 0x66773300 -j zone_wan_output
-A OUTPUT -o tun0 -m id --id 0x66773300 -j zone_VPN_output
-A reject -p tcp -m id --id 0x66773300 -j REJECT --reject-with tcp-reset
-A reject -m id --id 0x66773300 -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m id --id 0x66773300 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
-A syn_flood -m id --id 0x66773300 -j DROP
-A zone_VPN_dest_ACCEPT -o tun0 -m id --id 0x66773300 -j ACCEPT
-A zone_VPN_dest_REJECT -o tun0 -m id --id 0x66773300 -j reject
-A zone_VPN_forward -m id --id 0x66773300 -m comment --comment "user chain for forwarding" -j forwarding_VPN_rule
-A zone_VPN_forward -m id --id 0x66773300 -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_VPN_forward -m id --id 0x66773300 -j zone_VPN_dest_REJECT
-A zone_VPN_input -m id --id 0x66773300 -m comment --comment "user chain for input" -j input_VPN_rule
-A zone_VPN_input -m id --id 0x66773300 -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_VPN_input -m id --id 0x66773300 -j zone_VPN_src_REJECT
-A zone_VPN_output -m id --id 0x66773300 -m comment --comment "user chain for output" -j output_VPN_rule
-A zone_VPN_output -m id --id 0x66773300 -j zone_VPN_dest_ACCEPT
-A zone_VPN_src_REJECT -i tun0 -m id --id 0x66773300 -j reject
-A zone_lan_dest_ACCEPT -o br-lan -m id --id 0x66773300 -j ACCEPT
-A zone_lan_forward -m id --id 0x66773300 -m comment --comment "user chain for forwarding" -j forwarding_lan_rule
-A zone_lan_forward -m id --id 0x66773300 -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m id --id 0x66773300 -m comment --comment "forwarding lan -> VPN" -j zone_VPN_dest_ACCEPT
-A zone_lan_forward -m id --id 0x66773300 -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_lan_forward -m id --id 0x66773300 -j zone_lan_dest_ACCEPT
-A zone_lan_input -m id --id 0x66773300 -m comment --comment "user chain for input" -j input_lan_rule
-A zone_lan_input -m id --id 0x66773300 -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_lan_input -m id --id 0x66773300 -j zone_lan_src_ACCEPT
-A zone_lan_output -m id --id 0x66773300 -m comment --comment "user chain for output" -j output_lan_rule
-A zone_lan_output -m id --id 0x66773300 -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m id --id 0x66773300 -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth1 -m id --id 0x66773300 -j ACCEPT
-A zone_wan_dest_REJECT -o eth1 -m id --id 0x66773300 -j reject
-A zone_wan_forward -m id --id 0x66773300 -m comment --comment "user chain for forwarding" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m id --id 0x66773300 -m comment --comment "@rule[7]" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m id --id 0x66773300 -m udp --dport 500 -m comment --comment "@rule[8]" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m id --id 0x66773300 -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_wan_forward -m id --id 0x66773300 -j zone_wan_dest_REJECT
-A zone_wan_input -m id --id 0x66773300 -m comment --comment "user chain for input" -j input_wan_rule
-A zone_wan_input -p udp -m id --id 0x66773300 -m udp --dport 68 -m comment --comment Allow-DHCP-Renew -j ACCEPT
-A zone_wan_input -p icmp -m id --id 0x66773300 -m icmp --icmp-type 8 -m comment --comment Allow-Ping -j ACCEPT
-A zone_wan_input -p igmp -m id --id 0x66773300 -m comment --comment Allow-IGMP -j ACCEPT
-A zone_wan_input -m id --id 0x66773300 -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_wan_input -m id --id 0x66773300 -j zone_wan_src_REJECT
-A zone_wan_output -m id --id 0x66773300 -m comment --comment "user chain for output" -j output_wan_rule
-A zone_wan_output -m id --id 0x66773300 -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth1 -m id --id 0x66773300 -j reject

(Last edited by GNUser on 21 Sep 2017, 22:13)

Ok, I can't see ipset in the rules. I can see new chains for the VPN zone, but neither ipsets nor redirections. No ip. It is interesting. Let's continue. Post the output of:

ipset list
iptables -nvL -t mangle
iptables -nvL -t nat

(Last edited by ulmwind on 22 Sep 2017, 08:59)

Thank you for your help so far, ulmwind. This seems pretty intense.

Ok, so first the outputs when openvpn/vpnbypass are disabled and everything works as expected.

ipset list produces no output

# iptables -nvL -t mangle
Chain PREROUTING (policy ACCEPT 730 packets, 105K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 491 packets, 38223 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 228 packets, 55870 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    9   540 TCPMSS     tcp  --  *      eth1    0.0.0.0/0            0.0.0.0/0            ID:66773300 tcp flags:0x06/0x02 /* wan (mtu_fix) */ TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT 255 packets, 33689 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 481 packets, 89383 bytes)
 pkts bytes target     prot opt in     out     source               destination         
# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 60 packets, 16296 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   61 16356 prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for prerouting */
   35 13138 zone_lan_prerouting  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ID:66773300
   26  3218 zone_wan_prerouting  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain INPUT (policy ACCEPT 3 packets, 317 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 28 packets, 2078 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   49  3714 postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for postrouting */
    1    60 zone_lan_postrouting  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            ID:66773300
   48  3654 zone_wan_postrouting  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain postrouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_lan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1    60 postrouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for postrouting */
    0     0 SNAT       tcp  --  *      *       192.168.10.0/24      192.168.10.61        ID:66773300 tcp dpt:5500 /* bruno port forwarding (reflection) */ to:192.168.10.1
    1    60 SNAT       tcp  --  *      *       192.168.10.0/24      192.168.10.61        ID:66773300 tcp dpt:22 /* bruno port forwarding 2 (reflection) */ to:192.168.10.1

Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   35 13138 prerouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for prerouting */
    0     0 DNAT       tcp  --  *      *       192.168.10.0/24      73.226.70.41         ID:66773300 tcp dpt:5500 /* bruno port forwarding (reflection) */ to:192.168.10.61:5500
    1    60 DNAT       tcp  --  *      *       192.168.10.0/24      73.226.70.41         ID:66773300 tcp dpt:22 /* bruno port forwarding 2 (reflection) */ to:192.168.10.61:22

Chain zone_wan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   48  3654 postrouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for postrouting */
   48  3654 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   26  3218 prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for prerouting */
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 tcp dpt:5500 /* bruno port forwarding */ to:192.168.10.61:5500
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 tcp dpt:22 /* bruno port forwarding 2 */ to:192.168.10.61:22

And here are the outputs when openvpn/vpnbypass are on, when I can't ssh to 192.168.10.61 from lan:

# ipset list
Name: vpnbypass
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 8248
References: 0
Members:
# iptables -nvL -t mangle
Chain PREROUTING (policy ACCEPT 539 packets, 76579 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  730  130K VPNBYPASS  all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  mark match 0x0/0xff0000

Chain INPUT (policy ACCEPT 400 packets, 44108 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 131 packets, 21735 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   11   660 TCPMSS     tcp  --  *      eth1    0.0.0.0/0            0.0.0.0/0            ID:66773300 tcp flags:0x06/0x02 /* wan (mtu_fix) */ TCPMSS clamp to PMTU
    1    60 TCPMSS     tcp  --  *      tun0    0.0.0.0/0            0.0.0.0/0            ID:66773300 tcp flags:0x06/0x02 /* VPN (mtu_fix) */ TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT 288 packets, 39333 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 417 packets, 60892 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain VPNBYPASS (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  309 32250 MARK       all  --  *      *       192.168.10.56/29     0.0.0.0/0            MARK xset 0x10000/0xff0000
# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 95 packets, 21962 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   97 22082 prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for prerouting */
   39 13399 zone_lan_prerouting  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ID:66773300
   58  8683 zone_wan_prerouting  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            ID:66773300
    0     0 zone_VPN_prerouting  all  --  tun0   *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain INPUT (policy ACCEPT 6 packets, 814 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 37 packets, 2894 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 3 packets, 436 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   68  5294 postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for postrouting */
    4   496 zone_lan_postrouting  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            ID:66773300
   14  1038 zone_wan_postrouting  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            ID:66773300
   50  3760 zone_VPN_postrouting  all  --  *      tun0    0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain postrouting_VPN_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_VPN_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_VPN_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   50  3760 postrouting_VPN_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for postrouting */
   50  3760 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_VPN_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 prerouting_VPN_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for prerouting */

Chain zone_lan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    4   496 postrouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for postrouting */
    0     0 SNAT       tcp  --  *      *       192.168.10.0/24      192.168.10.61        ID:66773300 tcp dpt:5500 /* bruno port forwarding (reflection) */ to:192.168.10.1
    1    60 SNAT       tcp  --  *      *       192.168.10.0/24      192.168.10.61        ID:66773300 tcp dpt:22 /* bruno port forwarding 2 (reflection) */ to:192.168.10.1

Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   39 13399 prerouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for prerouting */
    0     0 DNAT       tcp  --  *      *       192.168.10.0/24      73.226.70.41         ID:66773300 tcp dpt:5500 /* bruno port forwarding (reflection) */ to:192.168.10.61:5500
    1    60 DNAT       tcp  --  *      *       192.168.10.0/24      73.226.70.41         ID:66773300 tcp dpt:22 /* bruno port forwarding 2 (reflection) */ to:192.168.10.61:22

Chain zone_wan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   14  1038 postrouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for postrouting */
   14  1038 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   58  8683 prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for prerouting */
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 tcp dpt:5500 /* bruno port forwarding */ to:192.168.10.61:5500
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 tcp dpt:22 /* bruno port forwarding 2 */ to:192.168.10.61:22

What is IP 192.168.10.56?

No device on my network has that IP address, nor did I enter it into any config file.

This is what my home network looks like:
- Router at 192.168.10.1
- Printer at 192.168.10.7
- I manually set 192.168.10.60/29 to be the vpnbypass range (via the vpnbypass LuCI GUI), and have two devices in that range:
   - Roku stick at 192.168.10.60
   - Laptop at 192.168.10.61
- All other devices on my home network get their ip via DHCP, which starts at 192.168.10.100

Not that I understand much of the outputs I've gotten for you, but this makes no sense to me either:

Chain VPNBYPASS (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  309 32250 MARK       all  --  *      *       192.168.10.56/29     0.0.0.0/0  

(Last edited by GNUser on 22 Sep 2017, 14:01)
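The "(reflection)" DNAT/SNAT pairs in the nat output above are what let a LAN host reach the laptop through the router's public address. As an added example (not code from the thread or from OpenWrt's fw3), here is a small Python model of those rules, transcribed from the posted `iptables -nvL -t nat` with the VPN down. The client addresses fed to it are constructed for illustration; it shows what each side of the connection sees after translation, and in particular that a reflected connection makes 192.168.10.1 the laptop's peer, so the laptop's replies have to pass through the router on the way back.

```python
"""Added example: a model of the NAT reflection (hairpin) rules from the posted
`iptables -nvL -t nat`, to show what each side of the SSH connection sees.
Client addresses used below are constructed for illustration."""
import ipaddress

ROUTER_LAN = "192.168.10.1"
ROUTER_WAN = "73.226.70.41"          # public address used in the posted rules
LAN_NET = ipaddress.ip_network("192.168.10.0/24")
LAPTOP = "192.168.10.61"

# Prerouting DNAT rules, transcribed from zone_lan_prerouting and zone_wan_prerouting:
# (in_iface, src_net, match_dst, match_dport, new_dst, new_dport); None = any
PREROUTING_DNAT = [
    ("br-lan", LAN_NET, ROUTER_WAN, 22, LAPTOP, 22),       # "bruno port forwarding 2 (reflection)"
    ("br-lan", LAN_NET, ROUTER_WAN, 5500, LAPTOP, 5500),   # "bruno port forwarding (reflection)"
    ("eth1", None, None, 22, LAPTOP, 22),                  # "bruno port forwarding 2"
    ("eth1", None, None, 5500, LAPTOP, 5500),              # "bruno port forwarding"
]
# Postrouting SNAT rules, transcribed from zone_lan_postrouting and zone_wan_postrouting:
# (out_iface, src_net, match_dst, match_dport, new_src); "MASQUERADE" = out-iface address
POSTROUTING_SNAT = [
    ("br-lan", LAN_NET, LAPTOP, 22, ROUTER_LAN),
    ("br-lan", LAN_NET, LAPTOP, 5500, ROUTER_LAN),
    ("eth1", None, None, None, "MASQUERADE"),
]


def out_iface(dst):
    """Routing decision reduced to what this example needs (VPN down):
    LAN destinations leave on br-lan, everything else on eth1."""
    return "br-lan" if ipaddress.ip_address(dst) in LAN_NET else "eth1"


def nat_forward(in_iface, src, dst, dport):
    """Walk one forwarded packet through prerouting DNAT, the routing decision
    and postrouting SNAT. Returns (src, dst, dport, out_iface) as the next hop sees it."""
    src_addr = ipaddress.ip_address(src)
    for iface, src_net, m_dst, m_port, new_dst, new_port in PREROUTING_DNAT:
        if (iface == in_iface and (src_net is None or src_addr in src_net)
                and (m_dst is None or m_dst == dst) and m_port == dport):
            dst, dport = new_dst, new_port
            break
    oif = out_iface(dst)
    for iface, src_net, m_dst, m_port, new_src in POSTROUTING_SNAT:
        if (iface == oif and (src_net is None or src_addr in src_net)
                and (m_dst is None or m_dst == dst) and (m_port is None or m_port == dport)):
            src = ROUTER_WAN if new_src == "MASQUERADE" else new_src
            break
    return src, dst, dport, oif


def reply_transits_router(in_iface, src, dst, dport):
    """True when the server's replies must go to the router rather than straight
    back to the client, i.e. when the router rewrote the source address. For a
    reflected connection the laptop sees 192.168.10.1 as its peer, so every reply
    passes the router's mangle and routing stages on the way back."""
    new_src, _, _, _ = nat_forward(in_iface, src, dst, dport)
    return new_src != src


if __name__ == "__main__":
    # LAN host (the .229 machine from the thread) to the public IP: reflected
    print(nat_forward("br-lan", "192.168.10.229", ROUTER_WAN, 22))         # ('192.168.10.1', '192.168.10.61', 22, 'br-lan')
    print(reply_transits_router("br-lan", "192.168.10.229", ROUTER_WAN, 22))  # True
    # WAN client (constructed address from the documentation range) to the public IP
    print(nat_forward("eth1", "198.51.100.7", ROUTER_WAN, 22))             # ('198.51.100.7', '192.168.10.61', 22, 'br-lan')
    # Ordinary LAN to internet traffic is only masqueraded
    print(nat_forward("br-lan", "192.168.10.229", "198.51.100.7", 443))    # ('73.226.70.41', '198.51.100.7', 443, 'eth1')
```

The case the model deliberately leaves out is a LAN host connecting to 192.168.10.61 directly: that traffic is switched inside the LAN and never enters the router's nat tables at all, which is why it keeps working whatever the router does with marks and routing tables.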

Aha! It seems that 192.168.10.60/29 and 192.168.10.56/29 are equivalent. Something must be automatically converting my manually-entered 192.168.10.60/29 into 192.168.10.56/29, which in itself shouldn't hurt anything.

I think vpnbypass is the source of my problem, but something else that it's doing must be to blame.

(Last edited by GNUser on 22 Sep 2017, 14:09)

Ok, 192.168.10.56/29 = 57-62; it is a subnet containing your set of IPs. It is used in the mangle table. Please write the whole string, because without the end it is senseless:

  309 32250 MARK       all  --  *      *       192.168.10.56/29     0.0.0.0/0            MARK xset 0x10000/0xff0000

It marks specific packets, and after that they follow specific routes.
Now we'll analyze the routing table.
Post the output of:

/etc/iproute2/rt_tables
ip route
ip rule list

Oops, sorry for cutting off the end of the string. I didn't know there was more. I'm educating myself about this stuff as we work through this issue, so hopefully I won't be such a noobie forever :)

I'll post the output of those as soon as I get home from work this evening. Again, thank you so much for your help.

(Last edited by GNUser on 22 Sep 2017, 21:51)

Here's with openvpn/vpnbypass off, when everything works normally:

# /etc/iproute2/rt_tables
-ash: /etc/iproute2/rt_tables: Permission denied

# cat /etc/iproute2/rt_tables
#
# reserved values
#
128    prelocal
255    local
254    main
253    default
0    unspec
#
# local
#
#1    inr.ruhep

# ip route
default via 73.226.68.1 dev eth1  src 73.226.70.41 
73.226.68.0/22 dev eth1  src 73.226.70.41 
73.226.68.1 dev eth1  src 73.226.70.41 
192.168.10.0/24 dev br-lan  src 192.168.10.1 

# ip rule list
0:    from all lookup local 
32766:    from all lookup main 
32767:    from all lookup default 

And here's with openvpn/vpnbypass on, which causes aforementioned squirrely behavior:

# /etc/iproute2/rt_tables
-ash: /etc/iproute2/rt_tables: Permission denied

# cat /etc/iproute2/rt_tables
#
# reserved values
#
128    prelocal
255    local
254    main
253    default
0    unspec
#
# local
#
#1    inr.ruhep

# ip route
0.0.0.0/1 via 10.31.10.5 dev tun0 
default via 73.226.68.1 dev eth1  src 73.226.70.41 
10.31.10.1 via 10.31.10.5 dev tun0 
10.31.10.5 dev tun0  src 10.31.10.6 
73.226.68.0/22 dev eth1  src 73.226.70.41 
73.226.68.1 dev eth1  src 73.226.70.41 
107.191.33.9 via 73.226.68.1 dev eth1 
128.0.0.0/1 via 10.31.10.5 dev tun0 
192.168.10.0/24 dev br-lan  src 192.168.10.1 

# ip rule list
0:    from all lookup local 
32765:    from all fwmark 0x10000 lookup 200 
32766:    from all lookup main 
32767:    from all lookup default 

OK, routing for fwmark is defined in separate table 200.
Please, post output for

ip route show all

Also, for the second case (vpnbypass+openvpn), try to ping a "vpn-lan" IP from "vpnbypass-lan", and vice versa. Try to run the command traceroute 192.168.X.X or tracert 192.168.X.X, depending on the OS.

(Last edited by ulmwind on 23 Sep 2017, 13:52)
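To make the pieces posted so far fit together, here is an added example (not code from the thread or from the vpnbypass package): a Python model of the policy routing shown above, built from the VPNBYPASS mark rule, the `ip rule list` output and the main routing table with OpenVPN up. It also includes the /29 normalisation that puzzled GNUser earlier (192.168.10.60/29 has host bits set, so the network address is 192.168.10.56). Table 200 was never posted, so its contents here are an assumption: a bypass table usually carries only a copy of the WAN default route. The last two calls show what that assumption would mean for a reply packet the router has to forward back into the LAN (the hairpin case from the reflection rules): marked by source, it would be looked up in table 200 and leave on eth1 unless that table also holds the LAN route. `ip route show table 200` on the router is the check that settles it either way.

```python
"""Added example: a model of the policy routing posted in this thread, i.e. the
VPNBYPASS mangle mark, `ip rule list` and the main table with OpenVPN up.
Table 200 was never posted; its contents below are an ASSUMPTION."""
import ipaddress

BYPASS_MARK = 0x10000
# mangle PREROUTING -> VPNBYPASS: "MARK xset 0x10000/0xff0000" for this source subnet
BYPASS_SOURCES = [ipaddress.ip_network("192.168.10.56/29")]

# `ip rule list` with openvpn/vpnbypass on: (priority, required fwmark or None, table)
RULES = [
    (0, None, "local"),
    (32765, BYPASS_MARK, "200"),
    (32766, None, "main"),
    (32767, None, "default"),
]

# `ip route` (main table) with the VPN up: (prefix, outgoing device)
MAIN_TABLE = [
    ("0.0.0.0/1", "tun0"),          # OpenVPN's two /1 routes win over the /0 default
    ("0.0.0.0/0", "eth1"),
    ("10.31.10.1/32", "tun0"),
    ("10.31.10.5/32", "tun0"),
    ("73.226.68.0/22", "eth1"),
    ("73.226.68.1/32", "eth1"),
    ("107.191.33.9/32", "eth1"),    # host route pinned to the WAN gateway
    ("128.0.0.0/1", "tun0"),
    ("192.168.10.0/24", "br-lan"),
]
# ASSUMED: a bypass table usually holds just a copy of the WAN default route.
TABLE_200 = [("0.0.0.0/0", "eth1")]
# The local table only needs the router's own addresses for this example.
LOCAL_TABLE = [("192.168.10.1/32", "lo"), ("73.226.70.41/32", "lo"), ("10.31.10.6/32", "lo")]

TABLES = {"local": LOCAL_TABLE, "200": TABLE_200, "main": MAIN_TABLE, "default": []}


def fwmark_for(src):
    """Mark a packet the way the VPNBYPASS chain does: by source subnet only."""
    addr = ipaddress.ip_address(src)
    return BYPASS_MARK if any(addr in net for net in BYPASS_SOURCES) else 0


def lookup(table, dst):
    """Longest-prefix match inside one routing table; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def route(src, dst, tables=TABLES):
    """Walk `ip rule` in priority order. A table with no matching route falls
    through to the next rule, as the kernel does. Returns (table, device)."""
    mark = fwmark_for(src)
    for _prio, needed_mark, table in sorted(RULES, key=lambda r: r[0]):
        if needed_mark is not None and needed_mark != mark:
            continue
        dev = lookup(tables.get(table, []), dst)
        if dev is not None:
            return table, dev
    return None, None


def normalize_cidr(cidr):
    """What turned the entered 192.168.10.60/29 into 192.168.10.56/29: the host
    bits are cleared. Returns (network, first usable host, last usable host)."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return str(net), str(hosts[0]), str(hosts[-1])


if __name__ == "__main__":
    print(normalize_cidr("192.168.10.60/29"))      # ('192.168.10.56/29', '192.168.10.57', '192.168.10.62')
    # constructed destination: any public address outside the posted prefixes
    print(route("192.168.10.229", "8.8.8.8"))       # ('main', 'tun0')  unmarked host uses the tunnel
    print(route("192.168.10.61", "8.8.8.8"))        # ('200', 'eth1')   marked host uses the WAN
    # Hairpin reply from the laptop to a LAN host: it reaches the router because the
    # reflection SNAT made 192.168.10.1 the peer, and the router marks it by source.
    print(route("192.168.10.61", "192.168.10.229"))                     # ('200', 'eth1')
    fixed = {**TABLES, "200": TABLE_200 + [("192.168.10.0/24", "br-lan")]}
    print(route("192.168.10.61", "192.168.10.229", fixed))              # ('200', 'br-lan')
```

The routing detail worth noticing is the pair of /1 routes: OpenVPN does not replace the default route, it adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which win on prefix length for every destination while the real default via eth1 stays in place for the bypass table to copy.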

No problem. Here you go:

With openvpn/vpnbypass off:

# ip route show all
default via 73.226.68.1 dev eth1  src 73.226.70.41 
73.226.68.0/22 dev eth1  src 73.226.70.41 
73.226.68.1 dev eth1  src 73.226.70.41 
192.168.10.0/24 dev br-lan  src 192.168.10.1 

With openvpn/vpnbypass on:

# ip route show all
0.0.0.0/1 via 10.20.10.5 dev tun0 
default via 73.226.68.1 dev eth1  src 73.226.70.41 
10.20.10.1 via 10.20.10.5 dev tun0 
10.20.10.5 dev tun0  src 10.20.10.6 
73.226.68.0/22 dev eth1  src 73.226.70.41 
73.226.68.1 dev eth1  src 73.226.70.41 
107.191.33.9 via 73.226.68.1 dev eth1 
128.0.0.0/1 via 10.20.10.5 dev tun0 
192.168.10.0/24 dev br-lan  src 192.168.10.1

For second case, here's me doing a ping and traceroute from my laptop on vpnbypass-lan to my wife's computer on vpn-lan:

bruno@thinkpad:~$ ping -c 2 192.168.10.229
PING 192.168.10.229 (192.168.10.229) 56(84) bytes of data.
64 bytes from 192.168.10.229: icmp_seq=1 ttl=64 time=130 ms
64 bytes from 192.168.10.229: icmp_seq=2 ttl=64 time=2.13 ms

--- 192.168.10.229 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 2.132/66.232/130.333/64.101 ms

bruno@thinkpad:~$ traceroute 192.168.10.229
traceroute to 192.168.10.229 (192.168.10.229), 30 hops max, 60 byte packets
 1  vaio.lan (192.168.10.229)  5.753 ms  8.052 ms  8.488 ms

And here is from my wife's computer on vpn-lan to my laptop on vpnbypass-lan:

eileen@vaio:~$ ping -c 2 192.168.10.61
PING 192.168.10.61 (192.168.10.61) 56(84) bytes of data.
64 bytes from 192.168.10.61: icmp_seq=1 ttl=64 time=2.09 ms
64 bytes from 192.168.10.61: icmp_seq=2 ttl=64 time=2.10 ms

--- 192.168.10.61 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 2.090/2.097/2.105/0.046 ms

eileen@vaio:~$ traceroute 192.168.10.61
traceroute to 192.168.10.61 (192.168.10.61), 30 hops max, 60 byte packets
 1  192.168.10.61 (192.168.10.61)  3.605 ms  3.566 ms  5.477 ms

(Last edited by GNUser on 23 Sep 2017, 14:40)

Sorry, I wrote a command with the same effect as the previous one.
The correct command:

ip route show table all

So you can ping computers between "vpn-lan" and "vpnbypass-lan". We should reproduce the behavior you mentioned, that you can't log in to your local device. Could you ping the device, and what error message do you get when trying to log in to it while vpnbypass is active?

(Last edited by ulmwind on 23 Sep 2017, 16:26)

In trying to reproduce the "problem", I think I had a breakthrough. I hope this is not expected behavior...

I had been trying to ssh using the ISP's public IP, like this:

eileen@vaio:~$ ssh bruno@73.226.70.41

Doing it the above way only works when openvpn and vpnbypass are both off. With those things on, the cursor just blinks and eventually the connection attempt times out--even though vpnbypass is definitely working and my laptop's public IP is 73.226.70.41.

Using the local IP address like this, though, always works:

eileen@vaio:~$ ssh bruno@192.168.10.61

Is this expected behavior? If so, my profuse apologies and why is it that using the ISP's public IP only works when openvpn/vpnbypass are off?

(Last edited by GNUser on 23 Sep 2017, 18:04)

Yes, it is expected behavior (as I expected). With the local address it should always work.

I don't understand: did you try to log in from a computer in the lan to different IPs? Have you tried to log in from the wan side?

eileen@vaio:~$ ssh bruno@73.226.70.41

(Last edited by ulmwind on 23 Sep 2017, 19:18)

From wan it works fine. And from lan it works fine if I use local IP.

I thought connecting from lan using ISP public IP should work with vpnbypass (it does work when openvpn/vpnbypass are off), but I guess I was wrong.

Gosh, I feel terrible for all the trouble. I've been using GNU/Linux for a long time and have gotten support from peers before, but never anything like this. If I can buy you a few beers for the effort, please let me know how at routernoob AT dantas DOT airpost DOT net.

(Last edited by GNUser on 23 Sep 2017, 21:33)

You are welcome! I have experience in teaching and explaining applied mathematics, physics and other subjects :-) So if you or your friends need help, let me know and I'll write you a message.
OK, let's explore the issue. We'll solve it and after that modify your script, because it is a similar task. Try to log in via ssh from the lan side to the wan IP of your router, which redirects you to your device, as you did, and write the result.
1) openvpn is down, vpnbypass is down - you wrote, OK.
2) openvpn is up, vpnbypass is down - ?
3) openvpn is up, vpnbypass is up - ?
4) openvpn is down, vpnbypass is up - ?
The last item is strange, if it doesn't work, ignore it.

I think the answer will be as follows:
2) OK
3) BAD

Let's check my assumption.

(Last edited by ulmwind on 23 Sep 2017, 22:29)

1) Works. This one is straightforward both locally and remotely, and makes sense to me.

2) Not expected to work because I don't have port forwarding configured with my vpn provider.

3) This is the strange one. I can connect from lan to laptop on vpnbypass using laptop's local IP address, and can connect to it from wan using its public IP address. I just can't connect to it from lan using its public IP address. I don't understand it at all but am happy to let it be. Hopefully it will make sense to me when I know a bit more.

4) This situation would never happen. No need to run vpnbypass if openvpn is off.

I'm happy with how this stands. I have learned a ton and will learn even more from revisiting this thread as I learn more.

(Last edited by GNUser on 23 Sep 2017, 22:35)