GL-E750. Problem after connecting vpn

box4pda · March 11, 2023, 3:16pm

Hi.
I’m having an issue with pinging resources through a channel and a second point in the channel after an OpenVPN client connects to ExpressVPN.

System. Default Configuration

root@GL-E750:~# ubus call system board
{
        "kernel": "4.14.241",
        "hostname": "GL-E750",
        "system": "Qualcomm Atheros QCA9533 ver 2 rev 0",
        "model": "GL.iNet GL-E750 (NOR/NAND)",
        "board_name": "glinet,gl-e750-nor-nand",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.8",
                "revision": "r11364-ef56c85848",
                "target": "ath79/nand",
                "description": "OpenWrt 19.07.8 r11364-ef56c85848"
        }
}

#Log and status

root@GL-E750:~$ logread -e openvpn
Sat Mar 11 16:03:36 2023 daemon.notice procd: /etc/rc.d/S90vpn-service: cat: can't open '/etc/openvpn/ovpn/server.ovpn': No such file or directory
Sat Mar 11 16:05:06 2023 daemon.notice openvpn[5446]: OpenVPN 2.5.2 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Mar 11 16:05:06 2023 daemon.notice openvpn[5446]: library versions: OpenSSL 1.1.1n  15 Mar 2022
Sat Mar 11 16:05:06 2023 daemon.warn openvpn[5587]: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Sat Mar 11 16:05:06 2023 daemon.warn openvpn[5587]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Mar 11 16:05:06 2023 daemon.notice openvpn[5587]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Mar 11 16:05:06 2023 daemon.notice openvpn[5587]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Mar 11 16:05:06 2023 daemon.notice openvpn[5587]: Control Channel MTU parms [ L:1626 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Sat Mar 11 16:05:06 2023 daemon.notice openvpn[5587]: Data Channel MTU parms [ L:1626 D:1200 EF:126 EB:407 ET:0 EL:3 ]
Sat Mar 11 16:05:06 2023 daemon.notice openvpn[5587]: Fragmentation MTU parms [ L:1626 D:1300 EF:125 EB:407 ET:1 EL:3 ]
Sat Mar 11 16:05:06 2023 daemon.notice openvpn[5587]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1606,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 1,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Sat Mar 11 16:05:06 2023 daemon.notice openvpn[5587]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1606,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 0,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Sat Mar 11 16:05:06 2023 daemon.notice openvpn[5587]: TCP/UDP: Preserving recently used remote address: [AF_INET]45.91.21.131:1195
Sat Mar 11 16:05:06 2023 daemon.notice openvpn[5587]: Socket Buffers: R=[163840->327680] S=[163840->327680]
Sat Mar 11 16:05:06 2023 daemon.notice openvpn[5587]: UDP link local: (not bound)
Sat Mar 11 16:05:06 2023 daemon.notice openvpn[5587]: UDP link remote: [AF_INET]45.91.21.131:1195
Sat Mar 11 16:05:06 2023 daemon.notice openvpn[5587]: TLS: Initial packet from [AF_INET]45.91.21.131:1195, sid=b80a29fc 7b4ee9df
Sat Mar 11 16:05:06 2023 daemon.notice openvpn[5587]: VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Sat Mar 11 16:05:07 2023 daemon.notice openvpn[5587]: VERIFY OK: nsCertType=SERVER
Sat Mar 11 16:05:07 2023 daemon.notice openvpn[5587]: VERIFY KU OK
Sat Mar 11 16:05:07 2023 daemon.notice openvpn[5587]: Validating certificate extended key usage
Sat Mar 11 16:05:07 2023 daemon.notice openvpn[5587]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Mar 11 16:05:07 2023 daemon.notice openvpn[5587]: VERIFY EKU OK
Sat Mar 11 16:05:07 2023 daemon.notice openvpn[5587]: VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-8812-0a, emailAddress=support@expressvpn.com
Sat Mar 11 16:05:07 2023 daemon.notice openvpn[5587]: VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-8812-0a, emailAddress=support@expressvpn.com
Sat Mar 11 16:05:08 2023 daemon.notice openvpn[5587]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Sat Mar 11 16:05:08 2023 daemon.notice openvpn[5587]: [Server-8812-0a] Peer Connection Initiated with [AF_INET]45.91.21.131:1195
Sat Mar 11 16:05:09 2023 daemon.notice openvpn[5587]: SENT CONTROL [Server-8812-0a]: 'PUSH_REQUEST' (status=1)
Sat Mar 11 16:05:09 2023 daemon.notice openvpn[5587]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.99.0.1,comp-lzo no,route 10.99.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.99.0.78 10.99.0.77,peer-id 12,cipher AES-256-GCM'
Sat Mar 11 16:05:09 2023 daemon.notice openvpn[5587]: Pushed option removed by filter: 'ping-restart 60'
Sat Mar 11 16:05:09 2023 daemon.notice openvpn[5587]: OPTIONS IMPORT: timers and/or timeouts modified
Sat Mar 11 16:05:09 2023 daemon.notice openvpn[5587]: OPTIONS IMPORT: compression parms modified
Sat Mar 11 16:05:09 2023 daemon.notice openvpn[5587]: OPTIONS IMPORT: --ifconfig/up options modified
Sat Mar 11 16:05:09 2023 daemon.notice openvpn[5587]: OPTIONS IMPORT: route options modified
Sat Mar 11 16:05:09 2023 daemon.notice openvpn[5587]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Mar 11 16:05:09 2023 daemon.notice openvpn[5587]: OPTIONS IMPORT: peer-id set
Sat Mar 11 16:05:09 2023 daemon.notice openvpn[5587]: OPTIONS IMPORT: adjusting link_mtu to 1629
Sat Mar 11 16:05:09 2023 daemon.notice openvpn[5587]: OPTIONS IMPORT: data channel crypto options modified
Sat Mar 11 16:05:09 2023 daemon.notice openvpn[5587]: Data Channel: using negotiated cipher 'AES-256-GCM'
Sat Mar 11 16:05:09 2023 daemon.notice openvpn[5587]: Data Channel MTU parms [ L:1557 D:1200 EF:57 EB:407 ET:0 EL:3 ]
Sat Mar 11 16:05:09 2023 daemon.notice openvpn[5587]: Fragmentation MTU parms [ L:1626 D:1300 EF:53 EB:407 ET:1 EL:3 ]
Sat Mar 11 16:05:09 2023 daemon.notice openvpn[5587]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Mar 11 16:05:09 2023 daemon.notice openvpn[5587]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Mar 11 16:05:09 2023 daemon.notice openvpn[5587]: TUN/TAP device tun0 opened
Sat Mar 11 16:05:09 2023 daemon.notice openvpn[5587]: do_ifconfig, ipv4=1, ipv6=0
Sat Mar 11 16:05:09 2023 daemon.notice openvpn[5587]: /sbin/ip link set dev tun0 up mtu 1500
Sat Mar 11 16:05:09 2023 daemon.notice openvpn[5587]: /sbin/ip link set dev tun0 up
Sat Mar 11 16:05:09 2023 daemon.notice openvpn[5587]: /sbin/ip addr add dev tun0 local 10.99.0.78 peer 10.99.0.77
Sat Mar 11 16:05:09 2023 daemon.notice openvpn[5587]: /etc/openvpn/update-resolv-conf tun0 1500 1557 10.99.0.78 10.99.0.77 init
Sat Mar 11 16:05:11 2023 daemon.notice openvpn[5587]: /sbin/ip route add 45.91.21.131/32 via 192.168.1.254
Sat Mar 11 16:05:11 2023 daemon.notice openvpn[5587]: /sbin/ip route add 0.0.0.0/1 via 10.99.0.77
Sat Mar 11 16:05:11 2023 daemon.notice openvpn[5587]: /sbin/ip route add 128.0.0.0/1 via 10.99.0.77
Sat Mar 11 16:05:11 2023 daemon.notice openvpn[5587]: /sbin/ip route add 10.99.0.1/32 via 10.99.0.77
Sat Mar 11 16:05:23 2023 daemon.notice openvpn[5587]: Initialization Sequence Completed 
root@GL-E750:~$ netstat -l -n -p | grep -e openvpn
udp        0      0 0.0.0.0:34180           0.0.0.0:*                           5587/openvpn

root@GL-E750:~$ pgrep -f -a openvpn

5587 /usr/sbin/openvpn --config /etc/openvpn/ovpn0/my_expressvpn_sweden_-_2_udp.ovpn --script-security 2 --dev tun0 --route-delay 2 --route-up /usr/bin/ovpn_check_route --remap-usr1 SIGHUP --writepid /var/run/ovpn_client.pid --pull-filter ignore ifconfig-ipv6 --pull-filter ignore route-ipv6

/etc/openvpn/ovpn0/my_expressvpn_sweden_-_2_udp.ovpn. Keys removed for brevity

dev tun
fast-io
persist-key
persist-tun
nobind
remote sweden2-ca-version-2.expressnetw.com 1195
remote-random
pull
pull-filter ignore ping-restart
comp-lzo no
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
#remote-cert-tls server
remote-cert-tls server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
verb 3
#cipher AES-256-CBC
data-ciphers-fallback AES-256-CBC
#keysize 256
auth SHA512
sndbuf 524288
rcvbuf 524288
auth-user-pass /etc/openvpn/ovpn0/auth/usrpwd.txt
auth-nocache
<cert>
...
</cert>
<key>
...
</key>
<tls-auth>
...
</tls-auth>
<ca>
...
</ca>
proto udp
client
daemon

up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
script-security 2

root@GL-E750:~$ ip address show; ip route show table all

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 94:83:c4:27:56:31 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.85/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
3: teql0: <NOARP> mtu 1500 qdisc noop state DOWN group default qlen 100
    link/void
4: wwan0: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 12:68:7a:99:33:fe brd ff:ff:ff:ff:ff:ff
    inet 10.247.178.175/27 brd 10.247.178.191 scope global wwan0
       valid_lft forever preferred_lft forever
    inet6 fe80::1068:7aff:fe99:33fe/64 scope link
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 94:83:c4:27:56:32 brd ff:ff:ff:ff:ff:ff
    inet 192.168.8.1/24 brd 192.168.8.255 scope global br-lan
       valid_lft forever preferred_lft forever
8: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 94:83:c4:27:56:32 brd ff:ff:ff:ff:ff:ff
9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 94:83:c4:27:56:33 brd ff:ff:ff:ff:ff:ff
10: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 10.99.0.78 peer 10.99.0.77/32 scope global tun0
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.99.0.77 dev tun0 table 1
default via 192.168.1.254 dev eth0 table 1 metric 10
10.99.0.1 via 10.99.0.77 dev tun0 table 1
10.99.0.77 dev tun0 table 1 proto kernel scope link src 10.99.0.78
10.247.178.160/27 dev wwan0 table 1 proto static scope link metric 40
45.91.21.131 via 192.168.1.254 dev eth0 table 1
128.0.0.0/1 via 10.99.0.77 dev tun0 table 1
185.247.71.155 via 192.168.1.254 dev eth0 table 1
192.168.1.0/24 dev eth0 table 1 proto static scope link metric 10
192.168.8.0/24 dev br-lan table 1 proto kernel scope link src 192.168.8.1
0.0.0.0/1 via 10.99.0.77 dev tun0 table 5
default via 10.247.178.176 dev wwan0 table 5 metric 40
10.99.0.1 via 10.99.0.77 dev tun0 table 5
10.99.0.77 dev tun0 table 5 proto kernel scope link src 10.99.0.78
10.247.178.160/27 dev wwan0 table 5 proto static scope link metric 40
45.91.21.131 via 192.168.1.254 dev eth0 table 5
128.0.0.0/1 via 10.99.0.77 dev tun0 table 5
185.247.71.155 via 192.168.1.254 dev eth0 table 5
192.168.1.0/24 dev eth0 table 5 proto static scope link metric 10
192.168.8.0/24 dev br-lan table 5 proto kernel scope link src 192.168.8.1
0.0.0.0/1 via 10.99.0.77 dev tun0
default via 192.168.1.254 dev eth0 proto static src 192.168.1.85 metric 10
default via 10.247.178.176 dev wwan0 proto static src 10.247.178.175 metric 40
10.99.0.1 via 10.99.0.77 dev tun0
10.99.0.77 dev tun0 proto kernel scope link src 10.99.0.78
10.247.178.160/27 dev wwan0 proto static scope link metric 40
45.91.21.131 via 192.168.1.254 dev eth0
128.0.0.0/1 via 10.99.0.77 dev tun0
185.247.71.155 via 192.168.1.254 dev eth0
192.168.1.0/24 dev eth0 proto static scope link metric 10
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1
local 10.99.0.78 dev tun0 table local proto kernel scope host src 10.99.0.78
broadcast 10.247.178.160 dev wwan0 table local proto kernel scope link src 10.247.178.175
local 10.247.178.175 dev wwan0 table local proto kernel scope host src 10.247.178.175
broadcast 10.247.178.191 dev wwan0 table local proto kernel scope link src 10.247.178.175
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev eth0 table local proto kernel scope link src 192.168.1.85
local 192.168.1.85 dev eth0 table local proto kernel scope host src 192.168.1.85
broadcast 192.168.1.255 dev eth0 table local proto kernel scope link src 192.168.1.85
broadcast 192.168.8.0 dev br-lan table local proto kernel scope link src 192.168.8.1
local 192.168.8.1 dev br-lan table local proto kernel scope host src 192.168.8.1
broadcast 192.168.8.255 dev br-lan table local proto kernel scope link src 192.168.8.1
unreachable fdaf:f50c:fcc1::/48 dev lo proto static metric 2147483647 error 4294967148 pref medium
fe80::/64 dev wwan0 proto kernel metric 256 pref medium
default dev tun0 metric 1 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fe80:: dev wwan0 table local proto kernel metric 0 pref medium
local fe80::1068:7aff:fe99:33fe dev wwan0 table local proto kernel metric 0 pref medium
ff00::/8 dev wwan0 table local proto kernel metric 256 pref medium

root@GL-E750:~$ uci show network; uci show firewall; uci show openvpn

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdaf:f50c:fcc1::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.multicast_to_unicast='0'
network.lan.hostname='GL-E750-631'
network.lan.ipaddr='192.168.8.1'
network.wan6=interface
network.wan6.proto='dhcpv6'
network.wan6.disabled='1'
network.guest=interface
network.guest.ifname='guest'
network.guest.type='bridge'
network.guest.proto='static'
network.guest.ipaddr='192.168.9.1'
network.guest.netmask='255.255.255.0'
network.guest.ip6assign='60'
network.wan=interface
network.wan.proto='dhcp'
network.wan.ipv6='0'
network.wan.ifname='eth0'
network.wan.metric='10'
network.modem_1_1_2=interface
network.modem_1_1_2.ifname='wwan0'
network.modem_1_1_2.service='fdd_lte'
network.modem_1_1_2.apn='internet'
network.modem_1_1_2.proto='qmi'
network.modem_1_1_2.device='/dev/cdc-wdm0'
network.modem_1_1_2.node='1-1.2:1.4'
network.modem_1_1_2.metric='40'
network.modem_1_1_2.disabled='0'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].input='DROP'
firewall.@zone[1].network='wan wan6 modem_1_1_2'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[0].enabled='0'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@include[0].reload='1'
firewall.gls2s=include
firewall.gls2s.type='script'
firewall.gls2s.path='/var/etc/gls2s.include'
firewall.gls2s.reload='1'
firewall.glfw=include
firewall.glfw.type='script'
firewall.glfw.path='/usr/bin/glfw.sh'
firewall.glfw.reload='1'
firewall.glqos=include
firewall.glqos.type='script'
firewall.glqos.path='/usr/sbin/glqos.sh'
firewall.glqos.reload='1'
firewall.guestzone=zone
firewall.guestzone.name='guestzone'
firewall.guestzone.network='guest'
firewall.guestzone.forward='REJECT'
firewall.guestzone.output='ACCEPT'
firewall.guestzone.input='REJECT'
firewall.guestzone_fwd=forwarding
firewall.guestzone_fwd.src='guestzone'
firewall.guestzone_fwd.dest='wan'
firewall.guestzone_fwd.enabled='0'
firewall.guestzone_dhcp=rule
firewall.guestzone_dhcp.name='guestzone_DHCP'
firewall.guestzone_dhcp.src='guestzone'
firewall.guestzone_dhcp.target='ACCEPT'
firewall.guestzone_dhcp.proto='udp'
firewall.guestzone_dhcp.dest_port='67-68'
firewall.guestzone_dns=rule
firewall.guestzone_dns.name='guestzone_DNS'
firewall.guestzone_dns.src='guestzone'
firewall.guestzone_dns.target='ACCEPT'
firewall.guestzone_dns.proto='tcp udp'
firewall.guestzone_dns.dest_port='53'
firewall.sambasharewan=rule
firewall.sambasharewan.src='wan'
firewall.sambasharewan.dest_port='137 138 139 445'
firewall.sambasharewan.dest_proto='tcpudp'
firewall.sambasharewan.target='DROP'
firewall.sambasharelan=rule
firewall.sambasharelan.src='lan'
firewall.sambasharelan.dest_port='137 138 139 445'
firewall.sambasharelan.dest_proto='tcpudp'
firewall.sambasharelan.target='ACCEPT'
firewall.vpn_zone=zone
firewall.vpn_zone.name='ovpn'
firewall.vpn_zone.input='DROP'
firewall.vpn_zone.forward='DROP'
firewall.vpn_zone.output='ACCEPT'
firewall.vpn_zone.network='ovpn'
firewall.vpn_zone.masq='1'
firewall.vpn_zone.mtu_fix='1'
firewall.vpn_zone.masq6='1'
firewall.vpn_zone.device='tun0'
firewall.forwarding_vpn1=forwarding
firewall.forwarding_vpn1.dest='ovpn'
firewall.forwarding_vpn1.src='lan'
firewall.forwarding_guest_ovpn=forwarding
firewall.forwarding_guest_ovpn.dest='ovpn'
firewall.forwarding_guest_ovpn.src='guestzone'
firewall.forwarding_lan_ovpn=forwarding
firewall.forwarding_lan_ovpn.src='ovpn'
firewall.forwarding_lan_ovpn.dest='lan'
firewall.forwarding_lan_ovpn.enabled='0'
openvpn.custom_config=openvpn
openvpn.custom_config.enabled='0'
openvpn.custom_config.config='/etc/openvpn/my-vpn.conf'
openvpn.sample_server=openvpn
openvpn.sample_server.enabled='0'
openvpn.sample_server.port='1194'
openvpn.sample_server.proto='udp'
openvpn.sample_server.dev='tun'
openvpn.sample_server.ca='/etc/openvpn/ca.crt'
openvpn.sample_server.cert='/etc/openvpn/server.crt'
openvpn.sample_server.key='/etc/openvpn/server.key'
openvpn.sample_server.dh='/etc/openvpn/dh2048.pem'
openvpn.sample_server.server='10.8.0.0 255.255.255.0'
openvpn.sample_server.ifconfig_pool_persist='/tmp/ipp.txt'
openvpn.sample_server.keepalive='10 120'
openvpn.sample_server.persist_key='1'
openvpn.sample_server.persist_tun='1'
openvpn.sample_server.user='nobody'
openvpn.sample_server.status='/tmp/openvpn-status.log'
openvpn.sample_server.verb='3'
openvpn.sample_client=openvpn
openvpn.sample_client.enabled='0'
openvpn.sample_client.client='1'
openvpn.sample_client.dev='tun'
openvpn.sample_client.proto='udp'
openvpn.sample_client.remote='my_server_1 1194'
openvpn.sample_client.resolv_retry='infinite'
openvpn.sample_client.nobind='1'
openvpn.sample_client.persist_key='1'
openvpn.sample_client.persist_tun='1'
openvpn.sample_client.user='nobody'
openvpn.sample_client.ca='/etc/openvpn/ca.crt'
openvpn.sample_client.cert='/etc/openvpn/client.crt'
openvpn.sample_client.key='/etc/openvpn/client.key'
openvpn.sample_client.verb='3'

root@GL-E750:~$ ip rule show; ip -6 rule show

0:      from all lookup local
1001:   from all iif eth0 lookup 1
1005:   from all iif wwan0 lookup 5
2001:   from all fwmark 0x100/0x3f00 lookup 1
2005:   from all fwmark 0x500/0x3f00 lookup 5
2061:   from all fwmark 0x3d00/0x3f00 blackhole
2062:   from all fwmark 0x3e00/0x3f00 unreachable
32766:  from all lookup main
32767:  from all lookup default
0:      from all lookup local
2061:   from all fwmark 0x3d00/0x3f00 blackhole
2062:   from all fwmark 0x3e00/0x3f00 unreachable
32766:  from all lookup main
4200000001:     from all iif lo failed_policy
4200000002:     from all iif eth0 failed_policy
4200000004:     from all iif wwan0 failed_policy
4200000004:     from all iif wwan0 failed_policy
4200000007:     from all iif br-lan failed_policy

External resources are not available. The second point of the channel 10.99.0.77 and 8.8.8.8 is not pinged. Traceroute goes to waste

Thanks in advance for your reply

luochongjun · March 13, 2023, 3:05am

You can comment the two lines and try again.

box4pda · March 13, 2023, 4:47am

Commented out the lines. There is no response through the channel.

root@GL-E750:~# tcpdump -i tun0 -s0 -n icmp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
04:53:04.518900 IP 10.99.0.146 > 8.8.4.4: ICMP echo request, id 21586, seq 0, length 64
04:53:06.549322 IP 10.99.0.146 > 8.8.8.8: ICMP echo request, id 21771, seq 0, length 64
04:53:08.594828 IP 10.99.0.146 > 208.67.222.222: ICMP echo request, id 21938, seq 0, length 64
04:53:10.610719 IP 10.99.0.146 > 208.67.220.220: ICMP echo request, id 22079, seq 0, length 64

box4pda · March 13, 2023, 5:25am

Rows are automatically added by the system.

Added to the beginning of the update-resolv-conf file

exit 0

Ping passes

root@GL-E750:/etc/openvpn/ovpn0$ tcpdump -i tun0 -s0 -n icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
08:09:42.022379 IP 10.107.0.122 > 8.8.8.8: ICMP echo request, id 1, seq 51, length 40
08:09:42.101675 IP 8.8.8.8 > 10.107.0.122: ICMP echo reply, id 1, seq 51, length 40
08:09:43.029245 IP 10.107.0.122 > 8.8.8.8: ICMP echo request, id 1, seq 52, length 40
08:09:43.093692 IP 8.8.8.8 > 10.107.0.122: ICMP echo reply, id 1, seq 52, length 40
08:09:44.036746 IP 10.107.0.122 > 8.8.8.8: ICMP echo request, id 1, seq 53, length 40

Thank @luochongjun