OpenVPN server, no Internet at Connect

[Kenji]

#Update2

Problem:
Outside and inside I can connect to the clients on the OpenVPN server running on the Asus router. But I can't get a usable internet connection.

This will only change if I deactivate the internal firewall of the Asus router. Now the internet works on all devices without problems. But I would still like to have the firewall enabled and a usable OpenVPN server.

A short description: Depending on the routing, the LAN devices are either pushed onto the wall or the VPN client (north VPN). From outside you should be able to log in to the VPN server and surf. I think it should be possible.

What I have already done, unfortunately only moderate success:

- Router reset and tried again.
- WAN - Port Trigger "Activated": Trigger Port 1194 UDP, Incomming 1194 UDP
- WAN - Virtual Server / Port Forwarding "Enabled": 192.168.168.33 UDP on port 1194#
Important! Only when I configured these two options I could see the connected devices with IP under VPN Status. So I already blocked something here
- Various other port forwaring rules added
- VPN Client (North VPN) deleted and tried again. Force Internet traffic through "Policy Rules/ or Strict"
- With and without DNS settings
- Pixel server deactivated
- Adding IPtables Rules to /jffs/sripts/firewall-start
iptables -I INPUT -p udp --dport 1149 -j ACCEPT
iptables -I OUTPUT -p udp --dport 1149 -j ACCEPT




Short setting up:

RT-AC86U:

- Operating Mode:Wireless Router Firmware Version:384.17

- Internet > (ISP) Fritzbox > LAN cable to the WAN port of the Asus router > Asus Router integrated OpenVPN server and configured OpenVpn Cliebt (North VPN).

Fritzbox:
- IP address: 77.182.38.14 (Changes daily)
- Gateway 62.52.201.195
- DNS servers 37,235,1,174; 37,235,1,177
- DynDNS activated, axxxxx7.ddnss.de
- Port release for 192.167.178.33 Port 1194
- IPv4 routing table: Network Subnet Mask Gateway 10.8.0.0; 255.255.0.0; 192.168.178.33
- Asus router always assigned to the same IP.

Asus router:
- Wireless router mode / AiMesh Router mode (default)
- WAN IP: 192.168.178.33
- subnet mask 255.255.255.0
- Lan IP: 192.168.1.1
- IP pool start address : 192.168.1.3
- Pixel server : 192.168.1.2
- IP pool end address : 192.168.1.254
- VPN Subnet / Netmask 10.8.0.0 255.255.255.0
- DNS server: 37.235.1.174 and 37.235.1.177
- LAN - DHCP Server "On". Manual Assignment "On"
- LAN Static routes "Disabled"
- Default gateway "None"
- VPN Client (NordVPN) active; 10.8.3.8 Here certain clients are assigned to the VPN via rules.

 

[Kenji]

~

 

[Kenji]

OpenVPN Server Log:

May 2 13:56:57 ovpn-server1[2268]: /sbin/ifconfig tun0 10.8.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
May 2 13:56:57 ovpn-server1[2268]: updown.sh tun0 1500 1621 10.8.0.1 255.255.255.0 init
May 2 13:56:57 ovpn-server1[2268]: Socket Buffers: R=[524288->524288] S=[524288->524288]
May 2 13:56:57 ovpn-server1[2268]: UDPv4 link local (bound): [AF_INET][undef]:1194
May 2 13:56:57 ovpn-server1[2268]: UDPv4 link remote: [AF_UNSPEC]
May 2 13:56:57 ovpn-server1[2268]: GID set to nobody
May 2 13:56:57 ovpn-server1[2268]: UID set to nobody
May 2 13:56:57 ovpn-server1[2268]: MULTI: multi_init called, r=256 v=256
May 2 13:56:57 ovpn-server1[2268]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
May 2 13:56:57 ovpn-server1[2268]: Initialization Sequence Completed

OpenVPN Client (Nordvpn) Log:

May 2 13:57:07 lul ovpn-client1[3802]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
May 2 13:57:07 lul ovpn-client1[3802]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
May 2 13:57:07 lul ovpn-client1[3802]: TUN/TAP device tun11 opened
May 2 13:57:07 lul ovpn-client1[3802]: TUN/TAP TX queue length set to 1000
May 2 13:57:07 lul ovpn-client1[3802]: /sbin/ifconfig tun11 10.8.2.30 netmask 255.255.255.0 mtu 1500 broadcast 10.8.2.255
May 2 13:57:07 lul ovpn-client1[3802]: updown.sh tun11 1500 1585 10.8.2.30 255.255.255.0 init
May 2 13:57:13 lul ovpn-client1[3802]: /sbin/route add -net 85.208.72.242 netmask 255.255.255.255 gw 192.168.178.1
May 2 13:57:13 lul ovpn-client1[3802]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.2.1
May 2 13:57:13 lul ovpn-client1[3802]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.2.1
May 2 13:57:13 lul openvpn-routing: Configuring policy rules for client 1
May 2 13:57:13 lul ovpn-client1[3802]: Initialization Sequence Completed


VPN Server Settings:

1. Automatically generated configuration

daemon ovpn-server1
topology subnet
server 10.8.0.0 255.255.255.0
proto udp
port 1194
dev tun21
txqueuelen 1000
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
cipher AES-256-CBC
keepalive 15 60
verb 3
duplicate-cn
push "dhcp-option DNS 37.235.1.174"
push "dhcp-option DNS 37.235.1.177"
push "dhcp-option DNS 192.168.1.1"
push "redirect-gateway def1"
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn
ca ca.crt
dh dh.pem
cert server.crt
key server.key
script-security 2
up updown.sh
down updown.sh
status-version 2
status status 5

1. Custom Configuration

dev tun
proto udp4
port 1194
cipher AES-256-CBC
auth SHA256
user nobody
group nobody
server 10.8.0.0 255.255.255.0
topology subnet
push "topology subnet"
persist-key
persist-tun
keepalive 10 120
explicit-exit-notify 1
tun-mtu 1500

Nat_rules

*nat
REROUTING ACCEPT [0:0]
OSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:VSERVER - [0:0]
:LOCALSRV - [0:0]
UPNP - [0:0]
:VUPNP - [0:0]
NSFILTER - [0:0]
CREDIRECT - [0:0]
-A PREROUTING -d 192.168.178.33 -j VSERVER
-A PREROUTING -s 192.168.1.0/24 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 53 -j DNSFILTER
-A DNSFILTER -j DNAT --to-destination 37.235.1.174
-A VSERVER -p udp -m udp --dport 1194:1496 -j DNAT --to-destination 192.168.178.33:1194
-A VSERVER -p udp -m udp --dport 1194:1195 -j DNAT --to-destination 192.168.1.1:1194
-A VSERVER -p udp -m udp --dport 1194 -j DNAT --to-destination 10.8.2.0:1194
-A VSERVER -p udp -m udp --dport 1194:1197 -j DNAT --to-destination 192.168.1.0:1194
-A VSERVER -j VUPNP
-A POSTROUTING -o eth0 -j PUPNP
-A VSERVER -j TRIGGER --trigger-type dnat
-A POSTROUTING -o eth0 ! -s 192.168.178.33 -j MASQUERADE --mode symmetric
-A POSTROUTING -o br0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j MASQUERADE
COMMIT

nat_rules_eth0_eth0

*nat
REROUTING ACCEPT [0:0]
OSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:VSERVER - [0:0]
:LOCALSRV - [0:0]
UPNP - [0:0]
:VUPNP - [0:0]
NSFILTER - [0:0]
CREDIRECT - [0:0]
-A PREROUTING -d 192.168.178.33 -j VSERVER
-A PREROUTING -s 192.168.1.0/24 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 53 -j DNSFILTER
-A DNSFILTER -j DNAT --to-destination 37.235.1.174
-A VSERVER -p udp -m udp --dport 1194:1496 -j DNAT --to-destination 192.168.178.33:1194
-A VSERVER -p udp -m udp --dport 1194:1195 -j DNAT --to-destination 192.168.1.1:1194
-A VSERVER -p udp -m udp --dport 1194 -j DNAT --to-destination 10.8.2.0:1194
-A VSERVER -p udp -m udp --dport 1194:1197 -j DNAT --to-destination 192.168.1.0:1194
-A VSERVER -j VUPNP
-A POSTROUTING -o eth0 -j PUPNP
-A VSERVER -j TRIGGER --trigger-type dnat
-A POSTROUTING -o eth0 ! -s 192.168.178.33 -j MASQUERADE --mode symmetric
-A POSTROUTING -o br0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j MASQUERADE
COMMIT

redirect_rules

*nat
REROUTING ACCEPT [0:0]
OSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:VSERVER - [0:0]
:LOCALSRV - [0:0]
UPNP - [0:0]
:VUPNP - [0:0]
NSFILTER - [0:0]
CREDIRECT - [0:0]
-A PREROUTING -d 192.168.178.33 -j VSERVER
-A PREROUTING -s 192.168.1.0/24 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 53 -j DNSFILTER
-A DNSFILTER -j DNAT --to-destination 37.235.1.174
-A VSERVER -p udp -m udp --dport 1194:1496 -j DNAT --to-destination 192.168.178.33:1194
-A VSERVER -p udp -m udp --dport 1194:1195 -j DNAT --to-destination 192.168.1.1:1194
-A VSERVER -p udp -m udp --dport 1194 -j DNAT --to-destination 10.8.2.0:1194
-A VSERVER -p udp -m udp --dport 1194:1197 -j DNAT --to-destination 192.168.1.0:1194
-A VSERVER -j VUPNP
-A POSTROUTING -o eth0 -j PUPNP
-A VSERVER -j TRIGGER --trigger-type dnat
-A POSTROUTING -o eth0 ! -s 192.168.178.33 -j MASQUERADE --mode symmetric
-A POSTROUTING -o br0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j MASQUERADE
-A PREROUTING ! -d 192.168.1.0/24 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:18017
-A PREROUTING -p udp --dport 53 -j DNAT --to-destination 192.168.1.1:18018
COMMIT

filter_rules

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:INPUT_PING - [0:0]
:INPUT_ICMP - [0:0]
:FUPNP - [0:0]
:SECURITY - [0:0]
:ACCESS_RESTRICTION - [0:0]
ther2wan - [0:0]
:OVPN - [0:0]
NSFILTER_DOT - [0:0]
:NSFW - [0:0]
Controls - [0:0]
:default_block - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
TCSRVWAN - [0:0]
TCSRVLAN - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j logaccept
-A INPUT -m state --state INVALID -j logdrop
-A INPUT ! -i br0 -j PTCSRVWAN
-A INPUT -i br0 -j PTCSRVLAN
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -m state --state NEW -j OVPN
-A INPUT -p udp --sport 67 --dport 68 -j logaccept
-A INPUT -p icmp -j logaccept
-A INPUT -j logdrop
-A FORWARD -m state --state ESTABLISHED,RELATED -j logaccept
-A FORWARD -o eth0 ! -i br0 -j other2wan
-A other2wan -i tun+ -j RETURN
-A other2wan -j logdrop
-A FORWARD -i br0 -o br0 -j logaccept
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -i eth0 -j SECURITY
-A FORWARD -j NSFW
-A PControls -j logaccept
:triggers_eth0 - [0:0]
-A FORWARD -o eth0 -j triggers_eth0
-A FORWARD -i eth0 -j TRIGGER --trigger-type in
-A triggers_eth0 -p udp -m udp --dport 1194 -j TRIGGER --trigger-type out --trigger-proto udp --trigger-match 1194 --trigger-relate 1194
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j logaccept
-A FORWARD -m state --state NEW -j OVPN
-A SECURITY -p tcp --syn -m limit --limit 1/s -j RETURN
-A SECURITY -p tcp --syn -j logdrop
-A SECURITY -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
-A SECURITY -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j logdrop
-A SECURITY -p icmp --icmp-type 8 -m limit --limit 1/s -j RETURN
-A SECURITY -p icmp --icmp-type 8 -j logdrop
-A SECURITY -j RETURN
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
-A FORWARD -i br0 -m tcp -p tcp --dport 853 -j DNSFILTER_DOT
-A DNSFILTER_DOT ! -d 37.235.1.174 -j REJECT
-A FORWARD -j logdrop
COMMIT

lg.

 

[GSpock]

do you have a custom nat-start script ? if yes, can you pls attach it ?

 

[Kenji]

I don't use a custom nat script.

Lg.

 

[Kenji]

can a mod please move the thread to Security >VPN

Lg.

 

[RMerlin]

can a mod please move the thread to Security >VPN

Lg.

This is currently the proper location, as it's specific to Asuswrt-Merlin.

 

[Kenji]

do you have a custom nat-start script ? if yes, can you pls attach it ?

I think I have provided the information you need above. Or?