
I have an Ubuntu router that I've recently made connect to a VPN service to get around internet filtering. The idea is to use the VPN for everything, but the machine also hosts some stuff, so the normal IP still needs to work. When the VPN is connected I am not able to ping the external interface from outside the network; it also hosts a webserver that can only be reached when the VPN is not connected.

The router sees the incoming packets but does not seem to send a reply.

The incoming packets don't hit the INPUT iptables chain. I see this:

    Capturing on 'p5p1'
      1 0.000000000 91.121.133.139 → 86.13.39.252 TCP 74 46830→443 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=43316855 TSecr=0 WS=128
      2 0.998501403 91.121.133.139 → 86.13.39.252 TCP 74 [TCP Retransmission] 46830→443 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=43317105 TSecr=0 WS=128
      3 3.002695195 91.121.133.139 → 86.13.39.252 TCP 74 [TCP Retransmission] 46830→443 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=43317606 TSecr=0 WS=128

but this number does not go up:

    1    44 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443

Looking around, it sounds like something to do with routing or connection tracking, but I didn't find anyone with the exact problem.

Some other info that might be meaningful:

Routing table

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         10.34.10.5      128.0.0.0       UG    0      0        0 tun0
    0.0.0.0         86.13.39.1      0.0.0.0         UG    0      0        0 p5p1
    10.34.10.1      10.34.10.5      255.255.255.255 UGH   0      0        0 tun0
    10.34.10.5      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
    81.187.30.110   86.13.39.1      255.255.255.255 UGH   0      0        0 p5p1
    81.187.30.111   86.13.39.1      255.255.255.255 UGH   0      0        0 p5p1
    81.187.30.112   86.13.39.1      255.255.255.255 UGH   0      0        0 p5p1
    81.187.30.113   86.13.39.1      255.255.255.255 UGH   0      0        0 p5p1
    81.187.30.114   86.13.39.1      255.255.255.255 UGH   0      0        0 p5p1
    81.187.30.115   86.13.39.1      255.255.255.255 UGH   0      0        0 p5p1
    81.187.30.116   86.13.39.1      255.255.255.255 UGH   0      0        0 p5p1
    81.187.30.117   86.13.39.1      255.255.255.255 UGH   0      0        0 p5p1
    81.187.30.118   86.13.39.1      255.255.255.255 UGH   0      0        0 p5p1
    81.187.30.119   86.13.39.1      255.255.255.255 UGH   0      0        0 p5p1
    86.13.39.0      0.0.0.0         255.255.255.0   U     0      0        0 p5p1
    90.155.3.0      86.13.39.1      255.255.255.0   UG    0      0        0 p5p1
    90.155.103.0    86.13.39.1      255.255.255.0   UG    0      0        0 p5p1
    104.238.169.126 86.13.39.1      255.255.255.255 UGH   0      0        0 p5p1
    128.0.0.0       10.34.10.5      128.0.0.0       UG    0      0        0 tun0
    185.150.144.0   86.13.39.1      255.255.252.0   UG    0      0        0 p5p1
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 p4p1

Routing rules

    jacek@saturn: ~ $ ip rule list
    0:  from all lookup local 
    32766:  from all lookup main 
    32767:  from all lookup default

ifconfig

    jacek@saturn: ~ $ ifconfig 
    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
            loop  txqueuelen 1  (Local Loopback)
            RX packets 163286  bytes 151310144 (151.3 MB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 163286  bytes 151310144 (151.3 MB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    p4p1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.1.10  netmask 255.255.255.0  broadcast 192.168.1.255
            inet6 fe80::96de:80ff:feac:6b53  prefixlen 64  scopeid 0x20<link>
            ether 94:de:80:ac:6b:53  txqueuelen 1000  (Ethernet)
            RX packets 64227222  bytes 90185530723 (90.1 GB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 4077370  bytes 5387966885 (5.3 GB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    p5p1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 86.13.39.252  netmask 255.255.255.0  broadcast 255.255.255.255
            inet6 fe80::96de:80ff:feac:6b51  prefixlen 64  scopeid 0x20<link>
            ether 94:de:80:ac:6b:51  txqueuelen 1000  (Ethernet)
            RX packets 15457848  bytes 5153012970 (5.1 GB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 1002737  bytes 205402684 (205.4 MB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
            inet 10.34.10.6  netmask 255.255.255.255  destination 10.34.10.5
            inet6 fe80::35ba:653d:44a:1dc3  prefixlen 64  scopeid 0x20<link>
            unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
            RX packets 54434  bytes 63968785 (63.9 MB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 17087  bytes 1622925 (1.6 MB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Any advice would be much appreciated :)

1 Answer


Your default route is through the VPN, so the pings come in on the normal interface but go out via the VPN (and are subsequently lost).

If your router itself does not need to connect to anything, I would simply not have a default route via the VPN, but use a source NAT rule to map client traffic to have 10.34.10.6 as source address, making that traffic go out via the VPN.

Dennis Kaarsemaker
Thanks for the reply, that is exactly what the problem was. The router does need to make connections though, so I had to go with a more complicated fix using iptables (based on the link above). – Jacek Kuzemczak Dec 24 '16 at 16:35
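The following is an added example, not code from the question or the answer, that models the route lookup behind this thread. The two `128.0.0.0`-masked routes in the routing table above (`0.0.0.0/1` and `128.0.0.0/1` via `tun0`) are the pair an OpenVPN client installs for `redirect-gateway def1`: together they cover every IPv4 destination and, being one bit more specific than `0.0.0.0/0`, they win longest-prefix matching without deleting the ISP default route. The model shows that a reply from `86.13.39.252` to `91.121.133.139` would leave via `tun0`, and that a source-based policy rule sending traffic from `86.13.39.252` to a table that only knows the ISP gateway restores the `p5p1` path for replies of the router itself, which is the situation the comment describes (the router needs its own connections, so the answer's pure-SNAT variant does not fit). It also models strict reverse-path filtering (`net.ipv4.conf.all.rp_filter=1`), which drops a packet whose reverse route does not point back out its ingress interface; that happens before the INPUT chain, which is consistent with the `multiport dports 80,443` counter staying at 44 while tshark sees the SYNs. The table number `100` and the `ip rule` / `ip route` commands in the comments are assumptions, not something the thread specifies.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    gateway: Optional[str]   # None for a directly connected network
    iface: str


def route(cidr: str, gateway: Optional[str], iface: str) -> Route:
    return Route(ipaddress.ip_network(cidr), gateway, iface)


# Entries copied from the question's "Kernel IP routing table" (the main table),
# reduced to those that matter for the reply path. The two /1 routes via tun0 are
# the "redirect-gateway def1" pair: they out-prefix 0.0.0.0/0 without removing it.
MAIN_TABLE: List[Route] = [
    route("0.0.0.0/1", "10.34.10.5", "tun0"),
    route("128.0.0.0/1", "10.34.10.5", "tun0"),
    route("0.0.0.0/0", "86.13.39.1", "p5p1"),
    route("10.34.10.5/32", None, "tun0"),
    route("86.13.39.0/24", None, "p5p1"),
    route("192.168.1.0/24", None, "p4p1"),
]

# Assumed fix (not from the thread): a second table, arbitrarily numbered 100,
# that only knows the ISP gateway plus the connected networks, selected by a
# source-address rule. The equivalent commands would be:
#   ip route add default via 86.13.39.1 dev p5p1 table 100
#   ip route add 86.13.39.0/24 dev p5p1 table 100
#   ip route add 192.168.1.0/24 dev p4p1 table 100
#   ip rule add from 86.13.39.252 lookup 100
ISP_TABLE: List[Route] = [
    route("0.0.0.0/0", "86.13.39.1", "p5p1"),
    route("86.13.39.0/24", None, "p5p1"),
    route("192.168.1.0/24", None, "p4p1"),
]

# A policy rule: (priority, "from" selector, table). Lower priority runs first.
Rule = Tuple[int, ipaddress.IPv4Network, List[Route]]
RULES_BEFORE: List[Rule] = [(32766, ipaddress.ip_network("0.0.0.0/0"), MAIN_TABLE)]
RULES_AFTER: List[Rule] = [(100, ipaddress.ip_network("86.13.39.252/32"), ISP_TABLE)] + RULES_BEFORE


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match within a single routing table, as the kernel does."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for r in table:
        if addr in r.dest and (best is None or r.dest.prefixlen > best.dest.prefixlen):
            best = r
    return best


def policy_lookup(rules: List[Rule], src: str, dst: str) -> Optional[Route]:
    """Walk the rules in priority order; the first table holding a match wins."""
    saddr = ipaddress.ip_address(src)
    for _prio, selector, table in sorted(rules, key=lambda r: r[0]):
        if saddr in selector:
            hit = lookup(table, dst)
            if hit is not None:
                return hit
    return None


def egress_iface(rules: List[Rule], src: str, dst: str) -> Optional[str]:
    """Interface a locally generated packet (src, dst) would leave through."""
    hit = policy_lookup(rules, src, dst)
    return hit.iface if hit else None


def passes_strict_rp_filter(rules: List[Rule], pkt_src: str, pkt_dst: str, ingress: str) -> bool:
    """Strict rp_filter accepts a packet only if the route back to its source,
    looked up with the packet's own destination as source address, leaves via
    the interface the packet arrived on. The rule selector therefore sees
    the router's address, which is why a 'from <router ip>' rule also fixes it."""
    return egress_iface(rules, pkt_dst, pkt_src) == ingress


if __name__ == "__main__":
    # The SYN captured in the question, arriving on p5p1 from 91.121.133.139.
    client, router, ingress = "91.121.133.139", "86.13.39.252", "p5p1"
    for label, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        print(f"{label}: reply leaves via {egress_iface(rules, router, client)}, "
              f"rp_filter accepts SYN: {passes_strict_rp_filter(rules, client, router, ingress)}")
```

Run as a script it prints the before/after egress interface for the reply and the rp_filter verdict on the incoming SYN. On a real box, `sysctl net.ipv4.conf.all.rp_filter` tells you whether strict filtering is in effect, and `ip route get 91.121.133.139 from 86.13.39.252` performs the same lookup the model does, so it is the quickest check that a policy rule has taken effect.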