OpenWrt Forum Archive

Topic: Failing to connect to remote VPN server

The content of this topic has been archived on 10 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I want to replace an old Trendnet router with my OpenWrt RC5-driven WL-500GD.

But I can't get VPN pass-through to work. Seeing that the old Trendnet thing has a 'VPN pass-through' feature, I looked for something similar on OpenWrt, but found only OpenVPN, which seems to be a server thing, and my need is different. I need to connect a VPN client machine (Win2K) on my LAN to a remote VPN server.

Tried to search for 'VPN pass through' on this forum as well as on macsat.com, but this just made me more confused.

Could someone please tell me:
What *IS* 'VPN pass through'?
Does OpenWrt have this feature? And if not, is there a package available that implements it?

Thanks in advance

You must edit iptables/firewall rules to enable VPN passthrough.

If you have to do IPsec NAT-T passthrough, I think you have to forward UDP port 500 to your VPN client.

Hi mafiltenborg,

What kind of IPsec implementation (both sides) are you using?
How is authentication done (PSK, certificates, ...)?

Kind regards,
giftclown

Sonic:
Nice. If all it takes is to edit iptables rules, I'll be perfectly happy. Now for the tricky part: which ports do I need to forward?

Pinguina:
Haven't got a clue as to whether or not I'll have to do IPsec NAT passthrough. With regards to VPN, I'm a complete newbie, as my initial question should hopefully reveal to you all. Do I figure out if IPsec NAT passthrough is needed by simple trial and error?

giftclown:
Again; haven't got a clue... Does your question regarding IPsec implementation refer to what I've read about Cisco vs. Microsoft VPN? If so, I'll try to figure it out by examining my girlfriend's machine setup. It's she who uses VPN, and she uses plain Windows, plus some odd client software that's supposedly needed.
But something tells me it's nonetheless mickeysoft IPsec which is used. What the 3rd-party app does is unknown.
Authentication? Most likely *not* certificates. By entering an IP address and a username/password combo, access is granted, so I believe it's PSK.

Summing up so far:
IPsec implementation is mickeysoft, auth is PSK.
iptables rules are to be modified:
- VPN passthrough is made by doing <unknown modification> to iptables
- IPsec NAT passthrough is made by forwarding UDP port 500 to the VPN client PC

I'd like to know about the so-far-unknown mod to iptables, and then I'll go experiment :)

IMHO, to be sure about what kind of traffic / port you have to forward, you should try installing tcpdump on your WRT (ipkg install tcpdump) and see what happens when you try to connect with your VPN client.

Probably, if IPsec-over-UDP is used, you should add something like this in /etc/firewall.user:

# DNAT inbound IKE (UDP 500) arriving on the WAN to the VPN client on the LAN
iptables -t nat -A prerouting_rule -i $WAN -p udp --dport 500 -j DNAT --to-destination your.client.ip

# let inbound UDP 500 on the WAN through the INPUT filter
iptables        -A input_rule      -i $WAN -p udp --dport 500 -j ACCEPT

Maybe the first rule is not necessary, I'm not so sure.

If you tell me what kind of VPN client and server you are using, perhaps I can give you some more help.

mafiltenborg wrote:

...By entering an IP address and a username/password combo, access is granted, so I believe it's PSK.

From what you described, you might be using PPTP. First and foremost, find out what kind of VPN server you are trying to connect to; that is going to make all the difference.

Yes, you must know your VPN server. I think you use the standard Microsoft PPTP server with MS-CHAP authentication.
I have these in iptables, but it's for a server only (and the PPTP VPN server is on the OpenWrt itself).

### Tunnel PPTP, VPN
# PPTP control channel (TCP 1723) arriving on the WAN: no NAT, accept it on the router itself
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 1723 -j ACCEPT
iptables        -A input_rule      -i $WAN -p tcp --dport 1723 -j ACCEPT
# GRE (IP protocol 47) carries the tunnelled PPP frames, in both directions
iptables        -A output_rule             -p 47               -j ACCEPT
iptables        -A input_rule              -p 47               -j ACCEPT
# tunnelled clients (ppp+ interfaces) may talk to the LAN and the router, and back
iptables        -A forwarding_rule         -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
iptables        -A output_rule     -o ppp+ -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
iptables        -A input_rule      -i ppp+ -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
# and tunnelled clients may reach the Internet through the WAN
iptables        -A forwarding_rule -i ppp+ -o $WAN -j ACCEPT

I will search how to just allow passthrough; I'm a n00b to iptables :(
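An added example, not posted by anyone in this thread, that puts the two halves of the discussion together: the UDP 500 forward suggested for IPsec and the PPTP ports shown for the server-on-router case, rewritten for the case the original poster actually has, a VPN client on the LAN. It uses the White Russian-era custom chains (prerouting_rule, forwarding_rule) that the /etc/firewall.user rules above hook into; the interface name eth0.1 and the client address 192.168.1.50 are sample values, not from the thread. Two points the thread leaves implicit: passthrough traffic is never addressed to the router, so it belongs in forwarding_rule rather than input_rule; and PPTP's GRE (IP protocol 47) and IPsec's ESP (IP protocol 50) have no port numbers, so inbound packets of those protocols can only be sent to one LAN host by a static DNAT. IPsec also needs UDP 4500 when NAT-T is negotiated, which it normally is behind NAT.

```shell
#!/bin/sh
# Added example (not from the thread): VPN passthrough for ONE LAN client behind an
# OpenWrt box, using the White Russian-era custom chains (prerouting_rule,
# forwarding_rule) that /etc/firewall.user hooks into. The interface eth0.1 and the
# client address 192.168.1.50 below are assumptions, not values from the thread.
#
#   IPTABLES=echo ./vpn_passthrough.sh eth0.1 192.168.1.50 pptp    # dry run: print rules
#                 ./vpn_passthrough.sh eth0.1 192.168.1.50 ipsec   # apply rules

IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo to preview instead of apply

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
# The address is checked before it reaches the iptables command line, so a typo
# fails loudly instead of quietly DNATing the VPN traffic to the wrong host.
valid_ipv4() {
    _ip=$1
    case "$_ip" in *[!0-9.]*|'') return 1 ;; esac
    _old_ifs=$IFS; IFS=.
    set -- $_ip
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ -n "$_octet" ] && [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Install passthrough rules: $1 = WAN interface, $2 = LAN IP of the VPN client,
# $3 = pptp | ipsec. The traffic is not addressed to the router itself, so the
# filter rules go in forwarding_rule (plus a DNAT in prerouting_rule), not in
# input_rule as a server-on-the-router setup would need.
vpn_passthrough() {
    _wan=$1; _client=$2; _kind=$3
    valid_ipv4 "$_client" || { echo "vpn_passthrough: bad client IP '$_client'" >&2; return 1; }
    case "$_kind" in
    pptp)
        # PPTP = control channel on TCP/1723 plus a GRE tunnel (IP protocol 47).
        # GRE carries no port numbers, so inbound GRE is DNATed to the client
        # wholesale: exactly one LAN host can use PPTP this way. Several clients
        # need the kernel's PPTP conntrack/NAT helper modules instead of static rules.
        $IPTABLES -t nat -A prerouting_rule -i "$_wan" -p 47 -j DNAT --to-destination "$_client"
        $IPTABLES -A forwarding_rule -i "$_wan" -p 47 -d "$_client" -j ACCEPT
        $IPTABLES -A forwarding_rule -o "$_wan" -p 47 -s "$_client" -j ACCEPT
        # The client opens TCP/1723 itself; conntrack lets the replies back in.
        $IPTABLES -A forwarding_rule -o "$_wan" -p tcp --dport 1723 -s "$_client" -j ACCEPT
        ;;
    ipsec)
        # IKE on UDP/500, NAT-T (ESP wrapped in UDP) on UDP/4500, and raw ESP
        # (IP protocol 50) when NAT-T is not negotiated. Protocol 50 has the same
        # single-client limitation as GRE above.
        for _spec in "-p udp --dport 500" "-p udp --dport 4500" "-p 50"; do
            $IPTABLES -t nat -A prerouting_rule -i "$_wan" $_spec -j DNAT --to-destination "$_client"
            $IPTABLES -A forwarding_rule -i "$_wan" $_spec -d "$_client" -j ACCEPT
            $IPTABLES -A forwarding_rule -o "$_wan" $_spec -s "$_client" -j ACCEPT
        done
        ;;
    *)
        echo "vpn_passthrough: unknown kind '$_kind' (use pptp or ipsec)" >&2
        return 1
        ;;
    esac
}

# Run as a script: apply (or, with IPTABLES=echo, print) the rules.
# Sourced from /etc/firewall.user instead: call vpn_passthrough "$WAN" <client> <kind>.
if [ $# -eq 3 ]; then
    vpn_passthrough "$@"
fi
```

Run it once with IPTABLES=echo and compare the printed rules against what tcpdump shows during a connection attempt, as suggested above; a filter such as 'udp port 500 or udp port 4500 or proto 50 or proto 47 or tcp port 1723' on the WAN interface catches all five kinds of traffic, and whichever appears tells you which branch (pptp or ipsec) applies. Inside /etc/firewall.user the WAN interface name comes from the existing $WAN variable rather than being typed by hand.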

Same problem over here with a client trying to connect to his VPN using the Cisco VPN Client ... :(

The discussion might have continued from here.