WNDR3700v4 DD-WRT v24-sp2 (12/22/14) & OpenVPN

castletonroad
DD-WRT Novice


Joined: 23 Oct 2018
Posts: 27

PostPosted: Sat Apr 13, 2019 21:08    Post subject: WNDR3700v4 DD-WRT v24-sp2 (12/22/14) & OpenVPN
Hi,

I have configured my Netgear WNDR3700v4 running DD-WRT v24-sp2 (12/22/14) with OpenVPN.

WAN-side clients can connect to the router and access LAN-side clients; however, they cannot then access the internet.

I believe this to be an issue with my firewall rules, but I have tried many different solutions and don't seem able to resolve this.

/tmp/openvpn/openvpn.conf:
Code:
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 3
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port 1194
proto udp
cipher aes-256-cbc
auth sha1
client-connect /tmp/openvpn/clcon.sh
client-disconnect /tmp/openvpn/cldiscon.sh
client-config-dir /tmp/openvpn/ccd
comp-lzo yes
tls-server
ifconfig-pool-persist /tmp/openvpn/ip-pool 86400
client-to-client
push "redirect-gateway def1"
fast-io
tun-mtu 1500
mtu-disc yes
server 10.8.0.0 255.255.255.0
dev tun2
tun-ipv6
passtos
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.200.0 255.255.255.0"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
persist-key
persist-tun
verb 3
sndbuf 0
rcvbuf 0
txqueuelen 1000


My firewall rules:
Code:
# Accepts incoming traffic via port 1194 UDP
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT

# Allows connection from local VPN to the internet
iptables -I FORWARD 1 --source 10.8.0.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -o tun2 -j MASQUERADE
##iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
##iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o tun2 -j MASQUERADE

# Allows connections from local network to VPN network and
# other way around (br0 is LAN and WIFI)
iptables -I FORWARD -i br0 -o tun2 -j ACCEPT
iptables -I FORWARD -i tun2 -o br0 -j ACCEPT


I have OpenVPN working nicely on a LAN-side machine, but I really want this service to be provided by the router.

Any help to resolve my issue would be very greatly appreciated.

Thanks very much - Steven.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Sat Apr 13, 2019 23:19
The OpenVPN server automatically generates all the firewall rules it needs, save one. It won't, by default, NAT the OpenVPN's tunnel network over the WAN. YOU have to do that yourself.

IOW, dump all your firewall rules and only specify the following.

Code:
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $WAN_IF -j MASQUERADE


Now you should have internet access through the OpenVPN server.
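The two lines above are the whole fix, but typed into a firewall script they have two weak spots: `$NF` on the default route breaks as soon as `ip route` prints a trailing attribute (for example a metric), and re-running the script stacks duplicate MASQUERADE rules. The script below is an added example written for this thread, not eibgrad's code and not part of DD-WRT; it assumes a busybox/ash shell and an iptables that understands `-C`, and the `ip route` sample it checks itself against is constructed from the interface and network names seen in this thread.

```sh
#!/bin/sh
# Added example, not a script from this thread or from DD-WRT: detect the WAN
# interface from `ip route` and add the one NAT rule the OpenVPN server does
# not create for itself. Assumes a busybox/ash shell and an iptables that
# understands -C (rule check); the tunnel network and the sample route text
# below are constructed from the values seen in the thread.

TUN_NET="10.8.0.0/24"   # from `server 10.8.0.0 255.255.255.0` in openvpn.conf

# Read `ip route` output on stdin and print the device of the default route.
# Takes the word after "dev" instead of the last field, so a trailing
# "metric 100" or "proto static" cannot be mistaken for the interface name.
wan_if_from_route() {
    awk '$1 == "default" {
            for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
         }'
}

# Insert the MASQUERADE rule only if it is not already there, so the script can
# be re-run (or live in the firewall script) without stacking duplicate rules.
# With DRY_RUN=1 it prints the command instead of calling iptables.
ensure_tun_masquerade() {
    wan_if="$1"
    if [ -z "$wan_if" ]; then
        echo "no default route found; refusing to NAT $TUN_NET" >&2
        return 1
    fi
    rule="POSTROUTING -s $TUN_NET -o $wan_if -j MASQUERADE"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables -t nat -I $rule"
        return 0
    fi
    iptables -t nat -C $rule 2>/dev/null || iptables -t nat -I $rule
}

# Constructed `ip route` sample in the shape of the router in this thread
# (203.0.113.1 is a documentation-range placeholder for the ISP gateway).
SAMPLE_ROUTE='default via 203.0.113.1 dev vlan2
10.8.0.0/24 dev tun2  proto kernel  scope link  src 10.8.0.1
192.168.200.0/24 dev br0  proto kernel  scope link  src 192.168.200.2'

if [ "${APPLY:-0}" = 1 ]; then
    # On the router: APPLY=1 sh tun-nat.sh
    ensure_tun_masquerade "$(ip route | wan_if_from_route)"
else
    # Off the router: show what would be run against the constructed sample.
    DRY_RUN=1 ensure_tun_masquerade "$(printf '%s\n' "$SAMPLE_ROUTE" | wan_if_from_route)"
fi
```

Run without arguments it only prints the rule it would add for the sample route; `APPLY=1` makes it read the live routing table and insert the rule. Refusing to act when no default route is found matters on the AP-style setups mentioned later in this thread, where the router hosting OpenVPN is not the default gateway and a MASQUERADE rule on the wrong box fixes nothing.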
castletonroad
DD-WRT Novice


Joined: 23 Oct 2018
Posts: 27

PostPosted: Sun Apr 14, 2019 3:35    Post subject: [SOLVED] WNDR3700v4 DD-WRT v24-sp2 (12/22/14) & OpenVPN
Thanks very much, indeed - that works!!

castletonroad
DD-WRT Novice


Joined: 23 Oct 2018
Posts: 27

PostPosted: Sat May 18, 2019 22:06    Post subject: WNDR3700v4 DD-WRT v24-sp2 (12/22/14) & OpenVPN
@eibgrad

This still does not seem to work.

My client (iPhone) connects to my router no problem, and can access LAN addresses.

But when I try to access internet addresses, my client cannot connect, and times out.

I have always been able to get OpenVPN working fully on my Raspberry Pi, but I have not yet succeeded in getting DD WRT to function.

What files should I post here to provide a full view of my configuration?

Thanks for your help :)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4345
Location: Netherlands

PostPosted: Sun May 19, 2019 7:31
In my signature (bottom of this posting) is a link to an OVPN server setup guide.

Mind you this is for modern DDWRT builds, your build is 5 years old so it might not work for your build.

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Sun May 19, 2019 17:27    Post subject: Re: WNDR3700v4 DD-WRT v24-sp2 (12/22/14) & OpenVPN
castletonroad wrote:
@eibgrad

This still does not seem to work.

My client (iPhone) connects to my router no problem, and can access LAN addresses.

But when I try to access internet addresses, my client cannot connect, and times out.

I have always been able to get OpenVPN working fully on my Raspberry Pi, but I have not yet succeeded in getting DD WRT to function.

What files should I post here to provide a full view of my configuration?

Thanks for your help :)


I'm confused. Back on April 13, over a month ago, you reported it working. Now it's not working? What changed? That's a long time to now come back and say it's not working.

_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
NEW SCRIPT!: ddwrt-mount-usb-drives.sh
NEW SCRIPT!: ddwrt-blacklist-domains.sh
NEW SCRIPT!: ddwrt-ovpn-remote-access.sh
NEW SCRIPT!: ddwrt-pptp-policy-based-routing.sh
castletonroad
DD-WRT Novice


Joined: 23 Oct 2018
Posts: 27

PostPosted: Sun May 19, 2019 21:33
I tried it from my Android phone at the time, once, and it seemed to work. Maybe the web pages I checked were cached...

Using my iPhone now, on cellular, away from the house, I confirm that I can access the router and the LAN, but then cannot access the internet.

I hadn't had any use for the VPN connection until now.

Apologies for the confusion.

I really am desperate to get this working. (And FYI, I have now upgraded the DD WRT firmware to the latest available for the Netgear WNDR3700v4.)

Thanks again.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Sun May 19, 2019 21:44
As I stated in one of my prior posts, the most common problem is failing to NAT the tunnel's private IP network over the WAN on the server side. Just like the local network on that side, you can't route private IP addresses over the public internet unless you NAT those packets before they're dropped over the WAN.

Code:
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $WAN_IF -j MASQUERADE


Now it's always possible there's more going on over there than we suspected. For example, sometimes ppl place the OpenVPN server on a router that is NOT also hosting the default gateway on the server side (e.g., an AP configuration). So the default gateway (on some other router) doesn't know how to route packets from the tunnel's IP network back to that router/AP. Not without static routes.

Anyway, perhaps it's time to dump some things on the server side and see what's happening, get some context here.

Code:
route
iptables -vnL
iptables -t nat -vnL

_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
NEW SCRIPT!: ddwrt-mount-usb-drives.sh
NEW SCRIPT!: ddwrt-blacklist-domains.sh
NEW SCRIPT!: ddwrt-ovpn-remote-access.sh
NEW SCRIPT!: ddwrt-pptp-policy-based-routing.sh
castletonroad
DD-WRT Novice


Joined: 23 Oct 2018
Posts: 27

PostPosted: Mon May 20, 2019 7:55
Hi,

Thanks very much for your patience and continued support :)

192.168.200.2 is the router

192.168.200.23 is my LAMP/email server.

Code:
root@WNDR3700v4:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         my.stat.isp.0   0.0.0.0         UG    0      0        0 vlan2
10.8.0.0        *               255.255.255.0   U     0      0        0 tun2
my.stat.isp.0    *              255.255.248.0   U     0      0        0 vlan2
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
169.254.0.0     *               255.255.0.0     U     0      0        0 br0
192.168.200.0   *               255.255.255.0   U     0      0        0 br0
root@WNDR3700v4:~#


Code:

root@WNDR3700v4:~# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2438  600K ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
    1    42 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194
    0     0 ACCEPT     0    --  tun2   *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
    0     0 DROP       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
   14   698 DROP       icmp --  vlan2  *       0.0.0.0/0            0.0.0.0/0
    1    32 DROP       2    --  *      *       0.0.0.0/0            0.0.0.0/0
   29  1781 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW
10922 1108K ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
 2299  132K DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
3774K 3511M ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     47   --  *      vlan2   192.168.200.0/24     0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      vlan2   192.168.200.0/24     0.0.0.0/0           tcp dpt:1723
    0     0 ACCEPT     0    --  tun2   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  *      tun2    0.0.0.0/0            0.0.0.0/0
33079 6055K lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0
  761 41109 ACCEPT     0    --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.200.23      udp dpt:4444
  110  5744 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.200.23      tcp dpt:25
   50  2984 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.200.23      tcp dpt:465
    1    44 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.200.23      tcp dpt:587
    2   104 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.200.23      tcp dpt:143
  139  9104 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.200.23      tcp dpt:993
    2   104 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.200.23      tcp dpt:110
    1    44 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.200.23      tcp dpt:995
   73  3768 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.200.23      tcp dpt:80
  593 35196 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.200.23      tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.200.23      tcp dpt:4190
    0     0 TRIGGER    0    --  vlan2  br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
31347 5957K trigger_out  0    --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 TRIGGER    0    --  vlan2  eth0    0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  0    --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  eth0   *       0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 TRIGGER    0    --  vlan2  vlan1   0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  0    --  vlan1  *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  vlan1  *       0.0.0.0/0            0.0.0.0/0           state NEW
31149 5946K ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
  198 10248 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 13647 packets, 1368K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_1 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_10 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_11 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_12 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_13 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_14 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_15 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_16 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_17 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_18 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_19 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_2 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_20 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_3 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_4 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_5 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_6 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_7 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_8 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_9 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_1 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_10 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_11 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_12 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_13 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_14 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_15 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_16 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_17 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_18 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_19 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_2 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_20 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_3 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_4 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_5 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_6 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_7 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_8 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_9 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain lan2wan (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain logaccept (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logreject (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset

Chain trigger_out (3 references)
 pkts bytes target     prot opt in     out     source               destination
root@WNDR3700v4:~#


Code:
root@WNDR3700v4:~# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 43777 packets, 7338K bytes)
 pkts bytes target     prot opt in     out     source               destination
    7   290 DNAT       icmp --  *      *       0.0.0.0/0            my.static.isp.addr      to:192.168.200.2
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            my.static.isp.addr      udp dpt:4444 to:192.168.200.23:4444
  110  5736 DNAT       tcp  --  *      *       0.0.0.0/0            my.static.isp.addr      tcp dpt:25 to:192.168.200.23:25
   54  3196 DNAT       tcp  --  *      *       0.0.0.0/0            my.static.isp.addr      tcp dpt:465 to:192.168.200.23:465
    1    40 DNAT       tcp  --  *      *       0.0.0.0/0            my.static.isp.addr      tcp dpt:587 to:192.168.200.23:587
    2   100 DNAT       tcp  --  *      *       0.0.0.0/0            my.static.isp.addr      tcp dpt:143 to:192.168.200.23:143
  185 11724 DNAT       tcp  --  *      *       0.0.0.0/0            my.static.isp.addr      tcp dpt:993 to:192.168.200.23:993
    2   100 DNAT       tcp  --  *      *       0.0.0.0/0            my.static.isp.addr      tcp dpt:110 to:192.168.200.23:110
    1    40 DNAT       tcp  --  *      *       0.0.0.0/0            my.static.isp.addr      tcp dpt:995 to:192.168.200.23:995
   73  3712 DNAT       tcp  --  *      *       0.0.0.0/0            my.static.isp.addr      tcp dpt:80 to:192.168.200.23:80
 1300 72913 DNAT       tcp  --  *      *       0.0.0.0/0            my.static.isp.addr      tcp dpt:443 to:192.168.200.23:443
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            my.static.isp.addr      tcp dpt:4190 to:192.168.200.23:4190
 2235  128K TRIGGER    0    --  *      *       0.0.0.0/0            my.static.isp.addr      TRIGGER type:dnat match:0 relate:0

Chain INPUT (policy ACCEPT 10021 packets, 821K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 104 packets, 17953 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1064 packets, 74169 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  0    --  *      vlan2   10.8.0.0/24          0.0.0.0/0
27308 5064K SNAT       0    --  *      vlan2   192.168.200.0/24     0.0.0.0/0           to:my.stat.isp.addr
  768 41473 MASQUERADE  0    --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x80000000/0x80000000
root@WNDR3700v4:~#


How does this all look...?

Thanks again, so much.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Mon May 20, 2019 14:35
On the face of it, I don't see any problems.

I can see that all traffic is allowed to be forwarded both inbound and outbound on the tunnel (tun2).

Code:
    0     0 ACCEPT     0    --  tun2   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  *      tun2    0.0.0.0/0            0.0.0.0/0


And I can see the WAN is NAT'd w/ the tunnel's IP network.

Code:
  0     0 MASQUERADE  0    --  *      vlan2   10.8.0.0/24          0.0.0.0/0


OTOH, all the traffic counters are zero (0). Looks like you perhaps rebooted that server and never tried to actually access a public IP through the VPN before dumping these tables. Is that correct? Because that's what interests me too.

_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
NEW SCRIPT!: ddwrt-mount-usb-drives.sh
NEW SCRIPT!: ddwrt-blacklist-domains.sh
NEW SCRIPT!: ddwrt-ovpn-remote-access.sh
NEW SCRIPT!: ddwrt-pptp-policy-based-routing.sh
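Reading the three dumps eibgrad asked for comes down to two checks he performs by eye above: are packets allowed through FORWARD in both directions on tun2, and does the tunnel network's MASQUERADE rule exist on the WAN interface and, crucially, has its packet counter moved at all (an all-zero counter means no client traffic ever reached the rule, whatever the rest of the table says). The script below is an added example for this thread, not eibgrad's or DD-WRT's code; it is plain awk over saved `iptables -vnL` / `iptables -t nat -vnL` text, and the dumps it tests itself against are constructed by trimming the output shape posted in this thread, with 203.0.113.10 standing in for the ISP address.

```sh
#!/bin/sh
# Added example, not from this thread: read `iptables -vnL` and
# `iptables -t nat -vnL` dumps and answer the questions eibgrad puts to them:
# are tun2 packets allowed through FORWARD, is the tunnel network NATed out
# the WAN, and has that NAT rule actually seen any packets?
# Plain awk over text, so it runs on saved dumps away from the router.
# The dumps below are constructed (trimmed from the shape of the thread's
# output); 203.0.113.10 is a placeholder for the ISP address.

# Print one of: missing | present-unused | present-active
# $1 = tunnel network (10.8.0.0/24), $2 = WAN interface; nat dump on stdin.
# Columns of a -vnL line: pkts bytes target prot opt in out source destination
nat_masq_status() {
    awk -v net="$1" -v wan="$2" '
        /^Chain / { post = ($2 == "POSTROUTING") }
        post && $3 == "MASQUERADE" && $7 == wan && $8 == net {
            status = ($1 == "0") ? "present-unused" : "present-active"
            exit
        }
        END { print (status == "" ? "missing" : status) }'
}

# Count FORWARD rules that ACCEPT traffic entering or leaving the tunnel
# interface ($1); filter-table dump on stdin. Two means both directions.
forward_tun_rules() {
    awk -v tun="$1" '
        /^Chain / { fwd = ($2 == "FORWARD") }
        fwd && $3 == "ACCEPT" && ($6 == tun || $7 == tun) { n++ }
        END { print n + 0 }'
}

FILTER_DUMP='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  205 13682 ACCEPT     0    --  tun2   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
5611K 5388M ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     0    --  tun2   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  *      tun2    0.0.0.0/0            0.0.0.0/0
  293 21215 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0'

NAT_DUMP_IDLE='Chain POSTROUTING (policy ACCEPT 1064 packets, 74169 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  0    --  *      vlan2   10.8.0.0/24          0.0.0.0/0
27308 5064K SNAT       0    --  *      vlan2   192.168.200.0/24     0.0.0.0/0           to:203.0.113.10'

NAT_DUMP_ACTIVE='Chain POSTROUTING (policy ACCEPT 1064 packets, 74169 bytes)
 pkts bytes target     prot opt in     out     source               destination
  412 31280 MASQUERADE  0    --  *      vlan2   10.8.0.0/24          0.0.0.0/0'

# Report on the samples. On the router, feed the live commands instead:
#   iptables -vnL | forward_tun_rules tun2
#   iptables -t nat -vnL | nat_masq_status 10.8.0.0/24 vlan2
echo "FORWARD rules for tun2: $(printf '%s\n' "$FILTER_DUMP" | forward_tun_rules tun2)"
echo "NAT before any client traffic: $(printf '%s\n' "$NAT_DUMP_IDLE" | nat_masq_status 10.8.0.0/24 vlan2)"
echo "NAT after client traffic:      $(printf '%s\n' "$NAT_DUMP_ACTIVE" | nat_masq_status 10.8.0.0/24 vlan2)"
```

The useful procedure is the one eibgrad hints at: take a dump, push a few packets to a public address from the connected client, take a second dump, and compare. `present-unused` after that test means the client's packets never reached POSTROUTING on the WAN side, which points at routing (the AP-without-default-gateway case) or at the client's pushed routes rather than at the NAT rule itself; `present-active` with no reply traffic points at the return path instead.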
castletonroad
DD-WRT Novice


Joined: 23 Oct 2018
Posts: 27

PostPosted: Tue May 21, 2019 9:48
Hi,

Thanks again for helping me out.

After restarting my router this morning, I have now connected my iPhone via OpenVPN. I am able to connect to the router, but not then an external IP.

Here're the outputs:

Code:
root@WNDR3700v4:~# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 4209 1392K ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
    7   297 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194
  205 13682 ACCEPT     0    --  tun2   *       0.0.0.0/0            0.0.0.0/0
    1    52 DROP       udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
    0     0 DROP       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
   17   666 DROP       icmp --  vlan2  *       0.0.0.0/0            0.0.0.0/0
    4   128 DROP       2    --  *      *       0.0.0.0/0            0.0.0.0/0
   34  2098 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW
12492 1318K ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
57799 2366K DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
5611K 5388M ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     47   --  *      vlan2   192.168.200.0/24     0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      vlan2   192.168.200.0/24     0.0.0.0/0           tcp dpt:1723
    0     0 ACCEPT     0    --  tun2   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  *      tun2    0.0.0.0/0            0.0.0.0/0
39904 7238K lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0
 1408 77056 ACCEPT     0    --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.200.23      udp dpt:4444
   49  2532 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.200.23      tcp dpt:25
   58  3448 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.200.23      tcp dpt:465
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.200.23      tcp dpt:587
    2   104 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.200.23      tcp dpt:143
   86  5472 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.200.23      tcp dpt:993
    8   416 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.200.23      tcp dpt:110
    2   104 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.200.23      tcp dpt:995
   94  4864 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.200.23      tcp dpt:80
  481 28280 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.200.23      tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.200.23      tcp dpt:4190
    0     0 TRIGGER    0    --  vlan2  br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
37716 7116K trigger_out  0    --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 TRIGGER    0    --  vlan2  eth0    0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  0    --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  eth0   *       0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 TRIGGER    0    --  vlan2  vlan1   0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  0    --  vlan1  *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  vlan1  *       0.0.0.0/0            0.0.0.0/0           state NEW
37423 7094K ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
  293 21215 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 15631 packets, 2123K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_1 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_10 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_11 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_12 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_13 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_14 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_15 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_16 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_17 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_18 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_19 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_2 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_20 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_3 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_4 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_5 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_6 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_7 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_8 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_9 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_1 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_10 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_11 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_12 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_13 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_14 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_15 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_16 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_17 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_18 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_19 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_2 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_20 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_3 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_4 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_5 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_6 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_7 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_8 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_9 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain lan2wan (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain logaccept (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logreject (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset

Chain trigger_out (3 references)
 pkts bytes target     prot opt in     out     source               destination
root@WNDR3700v4:~# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 110K packets, 11M bytes)
 pkts bytes target     prot opt in     out     source               destination
   17   666 DNAT       icmp --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      to:192.168.200.2
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      udp dpt:4444 to:192.168.200.23:4444
   49  2528 DNAT       tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:25 to:192.168.200.23:25
   59  3492 DNAT       tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:465 to:192.168.200.23:465
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:587 to:192.168.200.23:587
    2   100 DNAT       tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:143 to:192.168.200.23:143
  235 14876 DNAT       tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:993 to:192.168.200.23:993
    8   408 DNAT       tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:110 to:192.168.200.23:110
    2   100 DNAT       tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:995 to:192.168.200.23:995
   94  4788 DNAT       tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:80 to:192.168.200.23:80
 1748 96328 DNAT       tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:443 to:192.168.200.23:443
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      tcp dpt:4190 to:192.168.200.23:4190
57653 2345K TRIGGER    0    --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx      TRIGGER type:dnat match:0 relate:0

Chain INPUT (policy ACCEPT 11145 packets, 918K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 126 packets, 23342 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 909 packets, 68754 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  0    --  *      vlan2   10.8.0.0/24          0.0.0.0/0
33205 6023K SNAT       0    --  *      vlan2   192.168.200.0/24     0.0.0.0/0           to:xxx.xxx.xxx.xxx
 1414 77356 MASQUERADE  0    --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x80000000/0x80000000
root@WNDR3700v4:~#


Here's the OpenVPN log for the session from my iPhone:

Code:
2019-05-21 19:12:55 ----- OpenVPN Start -----
OpenVPN core 3.2 ios arm64 64-bit PT_PROXY built on Oct  3 2018 06:35:04

2019-05-21 19:12:55 Frame=512/2048/512 mssfix-ctrl=1250

2019-05-21 19:12:55 UNUSED OPTIONS
5 [resolv-retry] [infinite]
6 [nobind]
7 [persist-key]
8 [persist-tun]
9 [sndbuf] [0]
10 [rcvbuf] [0]
12 [verb] [3]
14 [auth-nocache]

2019-05-21 19:12:55 EVENT: RESOLVE

2019-05-21 19:12:55 Contacting [xxx.xxx.xxx.xxx]:1194/UDP via UDP

2019-05-21 19:12:55 EVENT: WAIT

2019-05-21 19:12:55 Connecting to [mysite.org]:1194 (xxx.xxx.xxx.xxx) via UDPv4

2019-05-21 19:12:55 EVENT: CONNECTING

2019-05-21 19:12:55 Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client

2019-05-21 19:12:55 Creds: UsernameEmpty/PasswordEmpty

2019-05-21 19:12:55 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 3.0.2-894
IV_VER=3.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_AUTO_SESS=1


2019-05-21 19:12:56 VERIFY OK : depth=1
cert. version    : 3
serial number    : B9:4C:94:93:89:03:BB:F7
issuer name      : C=xxx, ST=xxx, L=xxx, O=xxx, OU=xxx, CN=OpenVPN-CA, ??=xxx, emailAddress=xxx
subject name      : C=xxx, ST=xxx, L=xxx, O=xxx, OU=xxx, CN=OpenVPN-CA, ??=xxx, emailAddress=xxx
issued  on        : 2018-10-20 11:36:19
expires on        : 2028-10-17 11:36:19
signed using      : RSA with SHA-256
RSA key size      : 4096 bits
basic constraints : CA=true


2019-05-21 19:12:56 VERIFY OK : depth=0
cert. version    : 3
serial number    : 01
issuer name      : C=xxx, ST=xxx, L=xxx, O=xxx, OU=xxx, CN=OpenVPN-CA, ??=xxx, emailAddress=xxx
subject name      : C=xxx, ST=xxx, L=xxx, O=xxx, OU=xxx, CN=OpenVPN-CA, ??=xxx, emailAddress=xxx
issued  on        : 2018-10-20 11:38:48
expires on        : 2028-10-17 11:38:48
signed using      : RSA with SHA-256
RSA key size      : 4096 bits
basic constraints : CA=false
cert. type        : SSL Server
key usage        : Digital Signature, Key Encipherment
ext key usage    : TLS Web Server Authentication


2019-05-21 19:12:57 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

2019-05-21 19:12:57 Session is ACTIVE

2019-05-21 19:12:57 EVENT: GET_CONFIG

2019-05-21 19:12:57 Sending PUSH_REQUEST to server...

2019-05-21 19:12:57 OPTIONS:
0 [redirect-gateway] [def1]
1 [route] [10.8.0.1] [255.255.255.255]
2 [route] [10.8.0.0] [255.255.255.0]
3 [route] [192.168.200.0] [255.255.255.0]
4 [dhcp-option] [DNS] [10.8.0.1]
5 [route-gateway] [10.8.0.1]
6 [topology] [subnet]
7 [ping] [10]
8 [ping-restart] [120]
9 [ifconfig] [10.8.0.2] [255.255.255.0]
10 [peer-id] [0]
11 [cipher] [AES-256-GCM]


2019-05-21 19:12:57 PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: SHA1
  compress: LZO_STUB
  peer ID: 0

2019-05-21 19:12:57 EVENT: ASSIGN_IP

2019-05-21 19:12:57 NIP: preparing TUN network settings

2019-05-21 19:12:57 NIP: init TUN network settings with endpoint: xxx.xxx.xxx.xxx

2019-05-21 19:12:57 NIP: adding IPv4 address to network settings 10.8.0.2/255.255.255.0

2019-05-21 19:12:57 NIP: adding (included) IPv4 route 10.8.0.0/24

2019-05-21 19:12:57 NIP: adding (included) IPv4 route 10.8.0.1/32

2019-05-21 19:12:57 NIP: adding (included) IPv4 route 10.8.0.0/24

2019-05-21 19:12:57 NIP: adding (included) IPv4 route 192.168.200.0/24

2019-05-21 19:12:57 NIP: redirecting all IPv4 traffic to TUN interface

2019-05-21 19:12:57 NIP: adding DNS 10.8.0.1

2019-05-21 19:12:57 Connected via NetworkExtensionTUN

2019-05-21 19:12:57 LZO-ASYM init swap=0 asym=1

2019-05-21 19:12:57 Comp-stub init swap=0

2019-05-21 19:12:57 EVENT: CONNECTED mysite.org:1194 (xxx.xxx.xxx.xxx) via /UDPv4 on NetworkExtensionTUN/10.8.0.2/ gw=[/]

2019-05-21 19:17:59 OS Event: SLEEP

2019-05-21 19:17:59 EVENT: PAUSE

2019-05-21 19:18:00 OS Event: WAKEUP

2019-05-21 19:18:03 RESUME TEST: Internet:ReachableViaWWAN/WR t------

2019-05-21 19:18:03 STANDARD RESUME

2019-05-21 19:18:03 EVENT: RESUME

2019-05-21 19:18:03 EVENT: RECONNECTING

2019-05-21 19:18:03 EVENT: RESOLVE

2019-05-21 19:18:03 Contacting [xxx.xxx.xxx.xxx]:1194/UDP via UDP

2019-05-21 19:18:03 EVENT: WAIT

2019-05-21 19:18:03 Connecting to [mysite.org]:1194 (xxx.xxx.xxx.xxx) via UDPv4

2019-05-21 19:18:03 EVENT: CONNECTING

2019-05-21 19:18:03 Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client

2019-05-21 19:18:03 Creds: UsernameEmpty/PasswordEmpty

2019-05-21 19:18:03 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 3.0.2-894
IV_VER=3.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_AUTO_SESS=1


2019-05-21 19:18:04 VERIFY OK : depth=1
cert. version    : 3
serial number    : B9:4C:94:93:89:03:BB:F7
issuer name      : C=xxx, ST=xxx, L=xxx, O=xxx, OU=xxx, CN=OpenVPN-CA, ??=xxx, emailAddress=xxx
subject name      : C=xxx, ST=xxx, L=xxx, O=xxx, OU=xxx, CN=OpenVPN-CA, ??=xxx, emailAddress=xxx
issued  on        : 2018-10-20 11:36:19
expires on        : 2028-10-17 11:36:19
signed using      : RSA with SHA-256
RSA key size      : 4096 bits
basic constraints : CA=true


2019-05-21 19:18:04 VERIFY OK : depth=0
cert. version    : 3
serial number    : 01
issuer name      : C=xxx, ST=xxx, L=xxx, O=xxx, OU=xxx, CN=OpenVPN-CA, ??=xxx, emailAddress=xxx
subject name      : C=xxx, ST=xxx, L=xxx, O=xxx, OU=xxx, CN=OpenVPN-CA, ??=xxx, emailAddress=xxx
issued  on        : 2018-10-20 11:38:48
expires on        : 2028-10-17 11:38:48
signed using      : RSA with SHA-256
RSA key size      : 4096 bits
basic constraints : CA=false
cert. type        : SSL Server
key usage        : Digital Signature, Key Encipherment
ext key usage    : TLS Web Server Authentication


2019-05-21 19:18:05 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

2019-05-21 19:18:05 Session is ACTIVE

2019-05-21 19:18:05 EVENT: GET_CONFIG

2019-05-21 19:18:05 Sending PUSH_REQUEST to server...

2019-05-21 19:18:05 OPTIONS:
0 [redirect-gateway] [def1]
1 [route] [10.8.0.1] [255.255.255.255]
2 [route] [10.8.0.0] [255.255.255.0]
3 [route] [192.168.200.0] [255.255.255.0]
4 [dhcp-option] [DNS] [10.8.0.1]
5 [route-gateway] [10.8.0.1]
6 [topology] [subnet]
7 [ping] [10]
8 [ping-restart] [120]
9 [ifconfig] [10.8.0.2] [255.255.255.0]
10 [peer-id] [0]
11 [cipher] [AES-256-GCM]


2019-05-21 19:18:05 PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: SHA1
  compress: LZO_STUB
  peer ID: 0

2019-05-21 19:18:05 EVENT: ASSIGN_IP

2019-05-21 19:18:05 NIP: preparing TUN network settings

2019-05-21 19:18:05 NIP: init TUN network settings with endpoint: xxx.xxx.xxx.xxx

2019-05-21 19:18:05 NIP: adding IPv4 address to network settings 10.8.0.2/255.255.255.0

2019-05-21 19:18:05 NIP: adding (included) IPv4 route 10.8.0.0/24

2019-05-21 19:18:05 NIP: adding (included) IPv4 route 10.8.0.1/32

2019-05-21 19:18:05 NIP: adding (included) IPv4 route 10.8.0.0/24

2019-05-21 19:18:05 NIP: adding (included) IPv4 route 192.168.200.0/24

2019-05-21 19:18:05 NIP: redirecting all IPv4 traffic to TUN interface

2019-05-21 19:18:05 NIP: adding DNS 10.8.0.1

2019-05-21 19:18:05 Connected via NetworkExtensionTUN

2019-05-21 19:18:05 LZO-ASYM init swap=0 asym=1

2019-05-21 19:18:05 Comp-stub init swap=0

2019-05-21 19:18:05 EVENT: CONNECTED mysite.org:1194 (xxx.xxx.xxx.xxx) via /UDPv4 on NetworkExtensionTUN/10.8.0.2/ gw=[/]

2019-05-21 19:18:41 OS Event: SLEEP

2019-05-21 19:18:41 EVENT: PAUSE

2019-05-21 19:18:44 OS Event: WAKEUP

2019-05-21 19:18:47 RESUME TEST: Internet:ReachableViaWWAN/WR t------

2019-05-21 19:18:47 STANDARD RESUME

2019-05-21 19:18:47 EVENT: RESUME

2019-05-21 19:18:47 EVENT: RECONNECTING

2019-05-21 19:18:47 EVENT: RESOLVE

2019-05-21 19:18:47 OS Event: SLEEP

2019-05-21 19:18:47 EVENT: PAUSE

2019-05-21 19:18:49 OS Event: WAKEUP

2019-05-21 19:18:52 RESUME TEST: Internet:ReachableViaWWAN/WR t------

2019-05-21 19:18:52 STANDARD RESUME

2019-05-21 19:18:52 EVENT: RESUME

2019-05-21 19:18:52 EVENT: RECONNECTING

2019-05-21 19:18:52 EVENT: RESOLVE

2019-05-21 19:18:52 OS Event: SLEEP

2019-05-21 19:18:52 EVENT: PAUSE

2019-05-21 19:18:54 OS Event: WAKEUP

2019-05-21 19:18:57 RESUME TEST: Internet:ReachableViaWWAN/WR t------

2019-05-21 19:18:57 STANDARD RESUME

2019-05-21 19:18:57 EVENT: RESUME

2019-05-21 19:18:57 EVENT: RECONNECTING

2019-05-21 19:18:57 EVENT: RESOLVE

2019-05-21 19:19:07 OS Event: SLEEP

2019-05-21 19:19:07 EVENT: PAUSE

2019-05-21 19:19:50 OS Event: WAKEUP

2019-05-21 19:19:53 RESUME TEST: Internet:ReachableViaWWAN/WR t------

2019-05-21 19:19:53 STANDARD RESUME

2019-05-21 19:19:53 EVENT: RESUME

2019-05-21 19:19:53 EVENT: RECONNECTING

2019-05-21 19:19:53 EVENT: RESOLVE

2019-05-21 19:19:58 OS Event: SLEEP

2019-05-21 19:19:58 EVENT: PAUSE

2019-05-21 19:21:22 OS Event: WAKEUP

2019-05-21 19:21:25 RESUME TEST: Internet:ReachableViaWWAN/WR t------

2019-05-21 19:21:25 STANDARD RESUME

2019-05-21 19:21:25 EVENT: RESUME

2019-05-21 19:21:25 EVENT: RECONNECTING

2019-05-21 19:21:25 EVENT: RESOLVE

2019-05-21 19:21:25 Contacting [xxx.xxx.xxx.xxx]:1194/UDP via UDP

2019-05-21 19:21:25 EVENT: WAIT

2019-05-21 19:21:25 Connecting to [mysite.org]:1194 (xxx.xxx.xxx.xxx) via UDPv4

2019-05-21 19:21:25 EVENT: CONNECTING

2019-05-21 19:21:25 Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client

2019-05-21 19:21:25 Creds: UsernameEmpty/PasswordEmpty

2019-05-21 19:21:25 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 3.0.2-894
IV_VER=3.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_AUTO_SESS=1


2019-05-21 19:21:26 VERIFY OK : depth=1
cert. version    : 3
serial number    : B9:4C:94:93:89:03:BB:F7
issuer name      : C=xxx, ST=xxx, L=xxx, O=xxx, OU=xxx, CN=OpenVPN-CA, ??=xxx, emailAddress=xxx
subject name      : C=xxx, ST=xxx, L=xxx, O=xxx, OU=xxx, CN=OpenVPN-CA, ??=xxx, emailAddress=xxx
issued  on        : 2018-10-20 11:36:19
expires on        : 2028-10-17 11:36:19
signed using      : RSA with SHA-256
RSA key size      : 4096 bits
basic constraints : CA=true


2019-05-21 19:21:26 VERIFY OK : depth=0
cert. version    : 3
serial number    : 01
issuer name      : C=xxx, ST=xxx, L=xxx, O=xxx, OU=xxx, CN=OpenVPN-CA, ??=xxx, emailAddress=xxx
subject name      : C=xxx, ST=xxx, L=xxx, O=xxx, OU=xxx, CN=OpenVPN-CA, ??=xxx, emailAddress=xxx
issued  on        : 2018-10-20 11:38:48
expires on        : 2028-10-17 11:38:48
signed using      : RSA with SHA-256
RSA key size      : 4096 bits
basic constraints : CA=false
cert. type        : SSL Server
key usage        : Digital Signature, Key Encipherment
ext key usage    : TLS Web Server Authentication


2019-05-21 19:21:26 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

2019-05-21 19:21:26 Session is ACTIVE

2019-05-21 19:21:26 EVENT: GET_CONFIG

2019-05-21 19:21:26 Sending PUSH_REQUEST to server...

2019-05-21 19:21:26 OPTIONS:
0 [redirect-gateway] [def1]
1 [route] [10.8.0.1] [255.255.255.255]
2 [route] [10.8.0.0] [255.255.255.0]
3 [route] [192.168.200.0] [255.255.255.0]
4 [dhcp-option] [DNS] [10.8.0.1]
5 [route-gateway] [10.8.0.1]
6 [topology] [subnet]
7 [ping] [10]
8 [ping-restart] [120]
9 [ifconfig] [10.8.0.2] [255.255.255.0]
10 [peer-id] [0]
11 [cipher] [AES-256-GCM]


2019-05-21 19:21:26 PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: SHA1
  compress: LZO_STUB
  peer ID: 0

2019-05-21 19:21:26 EVENT: ASSIGN_IP

2019-05-21 19:21:26 NIP: preparing TUN network settings

2019-05-21 19:21:26 NIP: init TUN network settings with endpoint: xxx.xxx.xxx.xxx

2019-05-21 19:21:26 NIP: adding IPv4 address to network settings 10.8.0.2/255.255.255.0

2019-05-21 19:21:26 NIP: adding (included) IPv4 route 10.8.0.0/24

2019-05-21 19:21:26 NIP: adding (included) IPv4 route 10.8.0.1/32

2019-05-21 19:21:26 NIP: adding (included) IPv4 route 10.8.0.0/24

2019-05-21 19:21:26 NIP: adding (included) IPv4 route 192.168.200.0/24

2019-05-21 19:21:26 NIP: redirecting all IPv4 traffic to TUN interface

2019-05-21 19:21:26 NIP: adding DNS 10.8.0.1

2019-05-21 19:21:26 Connected via NetworkExtensionTUN

2019-05-21 19:21:26 LZO-ASYM init swap=0 asym=1

2019-05-21 19:21:26 Comp-stub init swap=0

2019-05-21 19:21:26 EVENT: CONNECTED mysite.org:1194 (xxx.xxx.xxx.xxx) via /UDPv4 on NetworkExtensionTUN/10.8.0.2/ gw=[/]

2019-05-21 19:25:21 OS Event: SLEEP

2019-05-21 19:25:21 EVENT: PAUSE

2019-05-21 19:28:19 OS Event: WAKEUP

2019-05-21 19:28:22 RESUME TEST: Internet:ReachableViaWWAN/WR t------

2019-05-21 19:28:22 STANDARD RESUME

2019-05-21 19:28:22 EVENT: RESUME

2019-05-21 19:28:22 EVENT: RECONNECTING

2019-05-21 19:28:22 EVENT: RESOLVE

2019-05-21 19:28:22 Contacting [xxx.xxx.xxx.xxx]:1194/UDP via UDP

2019-05-21 19:28:22 EVENT: WAIT

2019-05-21 19:28:22 Connecting to [mysite.org]:1194 (xxx.xxx.xxx.xxx) via UDPv4

2019-05-21 19:28:22 EVENT: CONNECTING

2019-05-21 19:28:22 Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client

2019-05-21 19:28:22 Creds: UsernameEmpty/PasswordEmpty

2019-05-21 19:28:22 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 3.0.2-894
IV_VER=3.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_AUTO_SESS=1


2019-05-21 19:28:23 VERIFY OK : depth=1
cert. version    : 3
serial number    : B9:4C:94:93:89:03:BB:F7
issuer name      : C=xxx, ST=xxx, L=xxx, O=xxx, OU=xxx, CN=OpenVPN-CA, ??=xxx, emailAddress=xxx
subject name      : C=xxx, ST=xxx, L=xxx, O=xxx, OU=xxx, CN=OpenVPN-CA, ??=xxx, emailAddress=xxx
issued  on        : 2018-10-20 11:36:19
expires on        : 2028-10-17 11:36:19
signed using      : RSA with SHA-256
RSA key size      : 4096 bits
basic constraints : CA=true


2019-05-21 19:28:23 VERIFY OK : depth=0
cert. version    : 3
serial number    : 01
issuer name      : C=xxx, ST=xxx, L=xxx, O=xxx, OU=xxx, CN=OpenVPN-CA, ??=xxx, emailAddress=xxx
subject name      : C=xxx, ST=xxx, L=xxx, O=xxx, OU=xxx, CN=OpenVPN-CA, ??=xxx, emailAddress=xxx
issued  on        : 2018-10-20 11:38:48
expires on        : 2028-10-17 11:38:48
signed using      : RSA with SHA-256
RSA key size      : 4096 bits
basic constraints : CA=false
cert. type        : SSL Server
key usage        : Digital Signature, Key Encipherment
ext key usage    : TLS Web Server Authentication


2019-05-21 19:28:24 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

2019-05-21 19:28:24 Session is ACTIVE

2019-05-21 19:28:24 EVENT: GET_CONFIG

2019-05-21 19:28:24 Sending PUSH_REQUEST to server...

2019-05-21 19:28:24 OPTIONS:
0 [redirect-gateway] [def1]
1 [route] [10.8.0.1] [255.255.255.255]
2 [route] [10.8.0.0] [255.255.255.0]
3 [route] [192.168.200.0] [255.255.255.0]
4 [dhcp-option] [DNS] [10.8.0.1]
5 [route-gateway] [10.8.0.1]
6 [topology] [subnet]
7 [ping] [10]
8 [ping-restart] [120]
9 [ifconfig] [10.8.0.2] [255.255.255.0]
10 [peer-id] [0]
11 [cipher] [AES-256-GCM]


2019-05-21 19:28:24 PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: SHA1
  compress: LZO_STUB
  peer ID: 0

2019-05-21 19:28:24 EVENT: ASSIGN_IP

2019-05-21 19:28:24 NIP: preparing TUN network settings

2019-05-21 19:28:24 NIP: init TUN network settings with endpoint: xxx.xxx.xxx.xxx

2019-05-21 19:28:24 NIP: adding IPv4 address to network settings 10.8.0.2/255.255.255.0

2019-05-21 19:28:24 NIP: adding (included) IPv4 route 10.8.0.0/24

2019-05-21 19:28:24 NIP: adding (included) IPv4 route 10.8.0.1/32

2019-05-21 19:28:24 NIP: adding (included) IPv4 route 10.8.0.0/24

2019-05-21 19:28:24 NIP: adding (included) IPv4 route 192.168.200.0/24

2019-05-21 19:28:24 NIP: redirecting all IPv4 traffic to TUN interface

2019-05-21 19:28:24 NIP: adding DNS 10.8.0.1

2019-05-21 19:28:24 Connected via NetworkExtensionTUN

2019-05-21 19:28:24 LZO-ASYM init swap=0 asym=1

2019-05-21 19:28:24 Comp-stub init swap=0

2019-05-21 19:28:24 EVENT: CONNECTED mysite.org:1194 (xxx.xxx.xxx.xxx) via /UDPv4 on NetworkExtensionTUN/10.8.0.2/ gw=[/]


Here's the OpenVPN log for the session from my DD-WRT router:

Code:
Serverlog:
20190521 19:12:57 my_iPhone:2973 SENT CONTROL [surface]: 'PUSH_REPLY redirect-gateway def1 route 10.8.0.1 255.255.255.255 route 10.8.0.0 255.255.255.0 route 192.168.200.0 255.255.255.0 dhcp-option DNS 10.8.0.1 route-gateway 10.8.0.1 topology subnet ping 10 ping-restart 120 ifconfig 10.8.0.2 255.255.255.0 peer-id 0 cipher AES-256-GCM' (status=1)
20190521 19:12:57 my_iPhone:2973 Data Channel: using negotiated cipher 'AES-256-GCM'
20190521 19:12:57 my_iPhone:2973 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20190521 19:12:57 my_iPhone:2973 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20190521 19:18:00 my_iPhone:2973 SIGTERM[soft remote-exit] received client-instance exiting
20190521 19:18:03 my_iPhone:3030 TLS: Initial packet from [AF_INET]my_iPhone:3030 sid=88e81e4d 2f0a69ed
20190521 19:18:05 my_iPhone:3030 VERIFY OK: depth=1 C=xxx ST=xxx L=xxx O=xxx OU=xxx CN=OpenVPN-CA name=xxx emailAddress=xxx
20190521 19:18:05 my_iPhone:3030 VERIFY OK: depth=0 C=xxx ST=xxx L=xxx O=xxx OU=xxx CN=OpenVPN-CA name=xxx emailAddress=xxx
20190521 19:18:05 I my_iPhone:3030 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.0.2-894
20190521 19:18:05 I my_iPhone:3030 peer info: IV_VER=3.2
20190521 19:18:05 I my_iPhone:3030 peer info: IV_PLAT=ios
20190521 19:18:05 I my_iPhone:3030 peer info: IV_NCP=2
20190521 19:18:05 I my_iPhone:3030 peer info: IV_TCPNL=1
20190521 19:18:05 I my_iPhone:3030 peer info: IV_PROTO=2
20190521 19:18:05 I my_iPhone:3030 peer info: IV_LZO_STUB=1
20190521 19:18:05 I my_iPhone:3030 peer info: IV_COMP_STUB=1
20190521 19:18:05 I my_iPhone:3030 peer info: IV_COMP_STUBv2=1
20190521 19:18:05 I my_iPhone:3030 peer info: IV_AUTO_SESS=1
20190521 19:18:05 my_iPhone:3030 Control Channel: TLSv1.2 cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 4096 bit RSA
20190521 19:18:05 I my_iPhone:3030 [surface] Peer Connection Initiated with [AF_INET]my_iPhone:3030
20190521 19:18:05 I my_iPhone:3030 MULTI_sva: pool returned IPv4=10.8.0.2 IPv6=(Not enabled)
20190521 19:18:05 my_iPhone:3030 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_41cda33c4f7b92fc.tmp
20190521 19:18:05 my_iPhone:3030 MULTI: Learn: 10.8.0.2 -> my_iPhone:3030
20190521 19:18:05 my_iPhone:3030 MULTI: primary virtual IP for my_iPhone:3030: 10.8.0.2
20190521 19:18:05 my_iPhone:3030 PUSH: Received control message: 'PUSH_REQUEST'
20190521 19:18:05 my_iPhone:3030 SENT CONTROL [surface]: 'PUSH_REPLY redirect-gateway def1 route 10.8.0.1 255.255.255.255 route 10.8.0.0 255.255.255.0 route 192.168.200.0 255.255.255.0 dhcp-option DNS 10.8.0.1 route-gateway 10.8.0.1 topology subnet ping 10 ping-restart 120 ifconfig 10.8.0.2 255.255.255.0 peer-id 0 cipher AES-256-GCM' (status=1)
20190521 19:18:05 my_iPhone:3030 Data Channel: using negotiated cipher 'AES-256-GCM'
20190521 19:18:05 my_iPhone:3030 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20190521 19:18:05 my_iPhone:3030 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20190521 19:18:41 my_iPhone:3030 SIGTERM[soft remote-exit] received client-instance exiting
20190521 19:21:25 my_iPhone:2877 TLS: Initial packet from [AF_INET]my_iPhone:2877 sid=86462e58 a4bdd011
20190521 19:21:26 my_iPhone:2877 VERIFY OK: depth=1 C=xxx ST=xxx L=xxx O=xxx OU=xxx CN=OpenVPN-CA name=xxx emailAddress=xxx
20190521 19:21:26 my_iPhone:2877 VERIFY OK: depth=0 C=xxx ST=xxx L=xxx O=xxx OU=xxx CN=OpenVPN-CA name=xxx emailAddress=xxx
20190521 19:21:26 I my_iPhone:2877 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.0.2-894
20190521 19:21:26 I my_iPhone:2877 peer info: IV_VER=3.2
20190521 19:21:26 I my_iPhone:2877 peer info: IV_PLAT=ios
20190521 19:21:26 I my_iPhone:2877 peer info: IV_NCP=2
20190521 19:21:26 I my_iPhone:2877 peer info: IV_TCPNL=1
20190521 19:21:26 I my_iPhone:2877 peer info: IV_PROTO=2
20190521 19:21:26 I my_iPhone:2877 peer info: IV_LZO_STUB=1
20190521 19:21:26 I my_iPhone:2877 peer info: IV_COMP_STUB=1
20190521 19:21:26 I my_iPhone:2877 peer info: IV_COMP_STUBv2=1
20190521 19:21:26 I my_iPhone:2877 peer info: IV_AUTO_SESS=1
20190521 19:21:26 my_iPhone:2877 Control Channel: TLSv1.2 cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 4096 bit RSA
20190521 19:21:26 I my_iPhone:2877 [surface] Peer Connection Initiated with [AF_INET]my_iPhone:2877
20190521 19:21:26 I my_iPhone:2877 MULTI_sva: pool returned IPv4=10.8.0.2 IPv6=(Not enabled)
20190521 19:21:26 my_iPhone:2877 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_6ecedc6a66726a9a.tmp
20190521 19:21:26 my_iPhone:2877 MULTI: Learn: 10.8.0.2 -> my_iPhone:2877
20190521 19:21:26 my_iPhone:2877 MULTI: primary virtual IP for my_iPhone:2877: 10.8.0.2
20190521 19:21:26 my_iPhone:2877 PUSH: Received control message: 'PUSH_REQUEST'
20190521 19:21:26 my_iPhone:2877 SENT CONTROL [surface]: 'PUSH_REPLY redirect-gateway def1 route 10.8.0.1 255.255.255.255 route 10.8.0.0 255.255.255.0 route 192.168.200.0 255.255.255.0 dhcp-option DNS 10.8.0.1 route-gateway 10.8.0.1 topology subnet ping 10 ping-restart 120 ifconfig 10.8.0.2 255.255.255.0 peer-id 0 cipher AES-256-GCM' (status=1)
20190521 19:21:26 my_iPhone:2877 Data Channel: using negotiated cipher 'AES-256-GCM'
20190521 19:21:26 my_iPhone:2877 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20190521 19:21:26 my_iPhone:2877 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20190521 19:28:20 my_iPhone:2877 SIGTERM[soft remote-exit] received client-instance exiting
20190521 19:28:22 my_iPhone:3048 TLS: Initial packet from [AF_INET]my_iPhone:3048 sid=9a232db5 04462177
20190521 19:28:23 my_iPhone:3048 VERIFY OK: depth=1 C=xxx ST=xxx L=xxx O=xxx OU=xxx CN=OpenVPN-CA name=xxx emailAddress=xxx
20190521 19:28:23 my_iPhone:3048 VERIFY OK: depth=0 C=xxx ST=xxx L=xxx O=xxx OU=xxx CN=OpenVPN-CA name=xxx emailAddress=xxx
20190521 19:28:24 I my_iPhone:3048 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.0.2-894
20190521 19:28:24 I my_iPhone:3048 peer info: IV_VER=3.2
20190521 19:28:24 I my_iPhone:3048 peer info: IV_PLAT=ios
20190521 19:28:24 I my_iPhone:3048 peer info: IV_NCP=2
20190521 19:28:24 I my_iPhone:3048 peer info: IV_TCPNL=1
20190521 19:28:24 I my_iPhone:3048 peer info: IV_PROTO=2
20190521 19:28:24 I my_iPhone:3048 peer info: IV_LZO_STUB=1
20190521 19:28:24 I my_iPhone:3048 peer info: IV_COMP_STUB=1
20190521 19:28:24 I my_iPhone:3048 peer info: IV_COMP_STUBv2=1
20190521 19:28:24 I my_iPhone:3048 peer info: IV_AUTO_SESS=1
20190521 19:28:24 my_iPhone:3048 Control Channel: TLSv1.2 cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 4096 bit RSA
20190521 19:28:24 I my_iPhone:3048 [surface] Peer Connection Initiated with [AF_INET]my_iPhone:3048
20190521 19:28:24 I my_iPhone:3048 MULTI_sva: pool returned IPv4=10.8.0.2 IPv6=(Not enabled)
20190521 19:28:24 my_iPhone:3048 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_0010c3e63163acbb.tmp
20190521 19:28:24 my_iPhone:3048 MULTI: Learn: 10.8.0.2 -> my_iPhone:3048
20190521 19:28:24 my_iPhone:3048 MULTI: primary virtual IP for my_iPhone:3048: 10.8.0.2
20190521 19:28:24 my_iPhone:3048 PUSH: Received control message: 'PUSH_REQUEST'
20190521 19:28:24 my_iPhone:3048 SENT CONTROL [surface]: 'PUSH_REPLY redirect-gateway def1 route 10.8.0.1 255.255.255.255 route 10.8.0.0 255.255.255.0 route 192.168.200.0 255.255.255.0 dhcp-option DNS 10.8.0.1 route-gateway 10.8.0.1 topology subnet ping 10 ping-restart 120 ifconfig 10.8.0.2 255.255.255.0 peer-id 0 cipher AES-256-GCM' (status=1)
20190521 19:28:24 my_iPhone:3048 Data Channel: using negotiated cipher 'AES-256-GCM'
20190521 19:28:24 my_iPhone:3048 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20190521 19:28:24 my_iPhone:3048 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20190521 19:29:57 my_iPhone:3048 SIGTERM[soft remote-exit] received client-instance exiting
20190521 19:41:01 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190521 19:41:01 D MANAGEMENT: CMD 'state'
20190521 19:41:01 MANAGEMENT: Client disconnected
20190521 19:41:01 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190521 19:41:01 D MANAGEMENT: CMD 'state'
20190521 19:41:01 MANAGEMENT: Client disconnected
20190521 19:41:01 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190521 19:41:01 D MANAGEMENT: CMD 'state'
20190521 19:41:01 MANAGEMENT: Client disconnected
20190521 19:41:01 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190521 19:41:01 MANAGEMENT: Client disconnected
20190521 19:41:01 NOTE: --mute triggered...
20190521 19:41:01 1 variation(s) on previous 3 message(s) suppressed by --mute
20190521 19:41:01 D MANAGEMENT: CMD 'status 2'
20190521 19:41:01 MANAGEMENT: Client disconnected
20190521 19:41:01 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190521 19:41:01 D MANAGEMENT: CMD 'status 2'
20190521 19:41:01 MANAGEMENT: Client disconnected
20190521 19:41:01 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190521 19:41:01 D MANAGEMENT: CMD 'log 500'
19700101 11:00:00


(xxx, my_iPhone, my_site.org etc. replace my real values/data)


Does this provide any more information as to why I can't get an outbound connection?

Cheers - Steven.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Tue May 21, 2019 11:56    Post subject: Reply with quote
Once again, I don't see any attempt by the OpenVPN client to access a public IP. Neither the FORWARD nor the PREROUTING chain shows any activity (packets).

Code:
# FORWARD CHAIN:
    0     0 ACCEPT     0    --  tun2   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  *      tun2    0.0.0.0/0            0.0.0.0/0


Code:
# POSTROUTING CHAIN:
    0     0 MASQUERADE  0    --  *      vlan2   10.8.0.0/24          0.0.0.0/0


I do see a small amount of activity on the INPUT chain, indicating the OpenVPN client is trying to access some service(s) on the OpenVPN server itself.

Code:
# INPUT CHAIN:
205 13682 ACCEPT     0    --  tun2   *       0.0.0.0/0            0.0.0.0/0


So it appears to be working in the sense that the OpenVPN client can access the OpenVPN server itself. But I see no attempt to access a public IP over the tunnel, which would be indicated by having traffic on the FORWARD and POSTROUTING chains. IOW, the system is configured properly to handle public IP requests provided they are actually made across the tunnel.

All I can assume at this point is that perhaps this is a DNS problem. IOW, if you used a ping utility on the smartphone, and made a ping to 8.8.8.8, it would work. But any attempt to ping based on a domain name (e.g., cnn.com) would fail.

What I suspect is the problem is the following in the OpenVPN server config:

Code:
push "dhcp-option DNS 10.8.0.1"


IIRC, by default, DNSMasq (the router's DNS server) does NOT listen to any network interfaces but the primary network (br0). And what this specific directive is doing is telling the OpenVPN client to access the remote DNS server on the OpenVPN tunnel's network interface, so it's ignoring those requests. That's why the only activity we see is over the INPUT chain. That's likely the OpenVPN client attempting to access the DNS server @ 10.8.0.1, but without success.

You either have to add the tunnel's network interface to DNSMasq, by adding the following to the Additional DNSMasq Options field on the services page:

Code:
interface=tun2


OR

change the DNS push to the DNS server's local IP (which is probably the better option):

Code:
push "dhcp-option DNS 192.168.200.2"

_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
NEW SCRIPT!: ddwrt-mount-usb-drives.sh
NEW SCRIPT!: ddwrt-blacklist-domains.sh
NEW SCRIPT!: ddwrt-ovpn-remote-access.sh
NEW SCRIPT!: ddwrt-pptp-policy-based-routing.sh
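Added triage helper (my code, not the thread's or DD-WRT's): it reads the `iptables -vnL` counters the way this reply does and then checks whether the address in `push "dhcp-option DNS ..."` is one dnsmasq will actually answer on. It assumes, as the reply states, that DD-WRT's dnsmasq listens only on br0 plus any `interface=` line; the counter samples are copied from the thread, while the router's own addresses (br0 192.168.200.1, tun2 10.8.0.1) are assumed.

```python
import ipaddress
import re

# Part 1: iptables -vnL counters.  Columns: pkts bytes target prot opt in out source destination
CHAIN_RE = re.compile(r"^Chain (\S+) ")
RULE_RE = re.compile(r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+--\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
SUFFIX = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}

def count_field(field):
    """iptables abbreviates large counters (2345K, 6023K, 11M)."""
    return int(field[:-1]) * SUFFIX[field[-1]] if field[-1] in SUFFIX else int(field)

def parse_counters(output):
    """Return {chain: [(pkts, target, in_if, out_if, src, dst), ...]}."""
    chains, current = {}, None
    for line in output.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains.setdefault(current, [])
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            pkts, _bytes, target, _proto, in_if, out_if, src, dst = m.groups()
            chains[current].append((count_field(pkts), target, in_if, out_if, src, dst))
    return chains

def tunnel_activity(filter_chains, nat_chains, tun="tun2", wan="vlan2", vpn_net="10.8.0.0/24"):
    """Packet counts on the rules the reply reads: INPUT, FORWARD and POSTROUTING for the tunnel."""
    def hits(chains, name, pred):
        return sum(r[0] for r in chains.get(name, []) if pred(*r[1:]))
    return {
        "input_from_tun": hits(filter_chains, "INPUT", lambda t, i, o, s, d: i == tun),
        "forward_from_tun": hits(filter_chains, "FORWARD", lambda t, i, o, s, d: i == tun),
        "masq_to_wan": hits(nat_chains, "POSTROUTING",
                            lambda t, i, o, s, d: t == "MASQUERADE" and o == wan and s == vpn_net),
    }

def diagnose(activity):
    """Turn the counters into the conclusion the reply draws."""
    if activity["input_from_tun"] == 0:
        return "no traffic from the tunnel at all: check the tunnel itself"
    if activity["forward_from_tun"] == 0 and activity["masq_to_wan"] == 0:
        return "clients reach the router but nothing is forwarded: suspect the pushed DNS"
    return "tunnel traffic is forwarded and NATed; the firewall is not the problem"

# Part 2: will dnsmasq answer on the address pushed with dhcp-option DNS?
def parse_dnsmasq_interfaces(dnsmasq_opts, default=("br0",)):
    """Interfaces dnsmasq listens on: br0 by default (as the reply states) plus interface= lines."""
    listen = set(default)
    for line in dnsmasq_opts.splitlines():
        if line.strip().startswith("interface="):
            listen.add(line.strip().split("=", 1)[1])
    return listen

def pushed_dns(server_conf):
    m = re.search(r'push\s+"dhcp-option\s+DNS\s+(\S+)"', server_conf)
    return m.group(1) if m else None

def pushed_routes(server_conf):
    return [ipaddress.ip_network(f"{net}/{mask}", strict=False)
            for net, mask in re.findall(r'push\s+"route\s+(\S+)\s+(\S+)"', server_conf)]

def dns_push_reachable(server_conf, dnsmasq_opts, router_addrs):
    """True when the pushed resolver can answer a VPN client.  router_addrs maps interface ->
    the router's own 'ip/prefix'; a router address needs dnsmasq listening on that interface,
    any other host is taken to be a LAN resolver that only needs a route from the client."""
    dns = pushed_dns(server_conf)
    if dns is None:
        return False
    dns_ip = ipaddress.ip_address(dns)
    owner = next((i for i, c in router_addrs.items()
                  if ipaddress.ip_interface(c).ip == dns_ip), None)
    if owner is not None:
        return owner in parse_dnsmasq_interfaces(dnsmasq_opts)
    if "redirect-gateway" in server_conf:  # default route already goes through the tunnel
        return True
    return any(dns_ip in net for net in pushed_routes(server_conf))

# Constructed samples: counters copied from the thread; router addresses are assumed.
SAMPLE_FILTER = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  205 13682 ACCEPT     0    --  tun2   *       0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     0    --  tun2   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  *      tun2    0.0.0.0/0            0.0.0.0/0
"""
SAMPLE_NAT = """\
Chain POSTROUTING (policy ACCEPT 909 packets, 68754 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  0    --  *      vlan2   10.8.0.0/24          0.0.0.0/0
33205 6023K SNAT       0    --  *      vlan2   192.168.200.0/24     0.0.0.0/0           to:203.0.113.10
"""
ROUTER_ADDRS = {"br0": "192.168.200.1/24", "tun2": "10.8.0.1/24"}
CONF_BEFORE = ('push "redirect-gateway def1"\npush "route 192.168.200.0 255.255.255.0"\n'
               'push "dhcp-option DNS 10.8.0.1"\n')
CONF_AFTER = CONF_BEFORE.replace("DNS 10.8.0.1", "DNS 192.168.200.2")
```

On a real router, feed `parse_counters` the text of `iptables -vnL` and `iptables -t nat -vnL`, and `dns_push_reachable` the server config together with the Additional DNSMasq Options text.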
castletonroad
DD-WRT Novice


Joined: 23 Oct 2018
Posts: 27

PostPosted: Wed May 22, 2019 9:59    Post subject: Reply with quote
@eibgrad

You are an absolute genius!

Code:
change the DNS push to the DNS server's local IP (which is probably the better option):

Code:   
push "dhcp-option DNS 192.168.200.2"


This nailed it!

I've confirmed this is now working by using both apps and Firefox on my iPhone.

Thank you so much - this seems such a simple/obvious tweak, now, but this issue has been dogging me for months!

Thank you. Very much!