If WireGuard is replaced with another type of VPN, this issue is still the same. The WireGuard interface wg0 is added to the lan zone by the OpenWrt configuration /etc/config/firewall. Then I can access my home network by WireGuard, and even access the internet through my home network; so far so good.

But many sites are blocked in this country by the GFW. So I add these sites' domain names to dnsmasq's ipset list, and redirect the IP addresses in that ipset to a Linux PC which runs OpenVPN to get through the GFW. Now every device in my home network can access the sites blocked by the GFW. But when I use WireGuard or another VPN to connect to my home network, I can't visit the blocked sites.

The [syn syn+ack ack] packets get through well, but not the first data packets. If I use netcat to connect to one blocked site, the connection is established; then if I WAIT A SECOND and type some random data, I get "HTTP/1.0 400 Bad Request" as expected. If I send data IMMEDIATELY after it is established, I do not get any response. If I connect to a blocked SMTP server like "nc -vv smtp.gmail.com 25", it works well, maybe because the server sends data first? If I turn off OFFLOAD, everything works well.

I set up the ipset routing with these commands:

    ip route add default via <IP of PC run openvpn> table 100
    ip rule add fwmark 1 lookup 100
    iptables -t mangle -D OUTPUT -j fwmark
    iptables -t mangle -A PREROUTING -j fwmark
    iptables -t mangle -A fwmark -m set --match-set <ipset name set by dnsmasq> dst -j MARK --set-mark 1

Thanks.

_______________________________________________
openwrt-devel mailing list
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
