Access across Interfaces when connected OpenVPN

Hello,

I have my system set up with multiple interfaces (in this case they are VLANs), i.e. Guest, IoT, lan etc. The firewall has appropriate rules defined and everything is working fine. However, I have installed OpenVPN to connect to the router from external locations, but when I connect to the router and reach the LAN subnet, I cannot connect to the IoT and other subnets (I can see only devices in lan) although a firewall rule is defined for that. Is there something more to be done in order to communicate among interfaces when connected via VPN?

/etc/config/network

# /etc/config/network as posted (OpenWrt UCI). Review comments added; no settings changed.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	# A ULA prefix is defined, yet every device below sets ipv6 '0', so it is
	# unclear whether IPv6 is used anywhere — confirm this is intended.
	option ula_prefix 'fddd:5142:0b4b::/48'

# One bridge over all four switch ports. VLAN membership per port is declared in
# the bridge-vlan sections below; each VLAN then gets its own br-lan.<vid> device.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option ipv6 '0'

# Main LAN on VLAN 10 (192.168.10.0/24). Per the OpenVPN server config posted in
# this thread, this is the only subnet pushed to VPN clients as a route.
config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	# ip6assign is set although ipv6 is disabled on br-lan.10 below — looks
	# contradictory; verify which one is wanted.
	option ip6assign '60'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config device
	option name 'wan'
	option macaddr '26:f5:a2:2d:03:e8'
	option ipv6 '0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

# Guest network on VLAN 20; DNS is pointed at the router's lan address.
config interface 'Guest'
	option proto 'static'
	option ipaddr '172.24.20.1'
	option netmask '255.255.255.0'
	option device 'br-lan.20'
	list dns '192.168.10.1'

# IoT network on VLAN 30 (10.10.30.0/24); DNS is pointed at the router's lan address.
config interface 'IoT'
	option proto 'static'
	option ipaddr '10.10.30.1'
	option netmask '255.255.255.0'
	option device 'br-lan.30'
	list dns '192.168.10.1'

# VLAN 10: lan1 and lan4 untagged (access ports), lan2 and lan3 tagged (trunks).
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1'
	list ports 'lan2:t'
	list ports 'lan3:t'
	list ports 'lan4'

# VLAN 20 is carried only on the trunk ports.
config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan2:t'
	list ports 'lan3:t'

# VLAN 30 is carried only on the trunk ports.
config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan2:t'
	list ports 'lan3:t'

# VLAN 99: lan2/lan3 untagged, but no br-lan.99 device or interface exists, so
# untagged frames arriving on the trunk ports appear to land in a VLAN with no
# IP presence (effectively parked). Confirm this is intentional.
config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'lan2'
	list ports 'lan3'

config device
	option name 'br-lan.10'
	option type '8021q'
	option ifname 'br-lan'
	option vid '10'
	option ipv6 '0'

config device
	option name 'br-lan.20'
	option type '8021q'
	option ifname 'br-lan'
	option vid '20'
	option ipv6 '0'

config device
	option name 'br-lan.30'
	option type '8021q'
	option ifname 'br-lan'
	option vid '30'
	option ipv6 '0'

# Makes tun0 known to netifd without configuring it (OpenVPN creates and
# addresses it). The firewall zone in this thread binds tun0 with 'list device',
# not through this interface; as a later post notes, this section is only needed
# by packages such as PBR that require a named interface.
config interface 'TUN0'
	option proto 'none'
	option device 'tun0'

/etc/config/firewall

# /etc/config/firewall as posted (OpenWrt UCI). Review comments added; no settings changed.

# Default-deny for router input and inter-zone forwarding.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	# forward ACCEPT also covers traffic between members of this zone.
	option forward 'ACCEPT'
	list network 'lan'
	# tun0 (the OpenVPN tunnel) is a member of the lan zone, so VPN clients
	# inherit lan's policies: unrestricted input to the router and the
	# lan->wan / lan->IoTZone forwardings below. The firewall therefore already
	# permits VPN-to-IoT traffic; a separate vpn zone (as suggested later in the
	# thread) is what makes it possible to grant VPN clients less than LAN hosts.
	list device 'tun0'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

# The rules from here to 'Allow-ISAKMP' are OpenWrt's stock defaults.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# The two IPsec rules admit ESP and IKE (udp/500) from wan into the lan zone.
# They are inert unless an IPsec responder exists on the LAN, but they widen the
# wan->lan surface and can be dropped if IPsec is not used.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Guest: no access to the router except what the explicit DHCP/DNS rule below
# allows, and forwarding only to wan.
config zone
	option name 'GuestZone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'Guest'

config zone
	option name 'IoTZone'
	# input ACCEPT lets every IoT device reach all services on the router itself
	# (SSH/web UI included), not just DHCP and DNS. GuestZone uses REJECT plus an
	# explicit DHCP/DNS rule; the same pattern is the least-privilege choice here.
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'IoT'

# lan (and, via 'list device', VPN clients on tun0) may initiate traffic to IoT.
config forwarding
	option src 'lan'
	option dest 'IoTZone'

config forwarding
	option src 'GuestZone'
	option dest 'wan'

config rule
	option name 'Allow Guest DHCP and DNS '
	option src 'GuestZone'
	# No 'proto' given, so OpenWrt's default for port-based rules (tcp and udp)
	# applies; stating it explicitly would make the intent clearer.
	option dest_port '53 67 68'
	option target 'ACCEPT'

# Port-forwards udp/1194 from wan to a separate OpenVPN host on the LAN
# ('srv-openvpn', 192.168.10.15). DNAT happens before router input, so udp/1194
# from wan never reaches a listener on the router itself; the router-side server
# is presumably the one admitted by 'Allow-VPN' (udp/1193) below. The posted
# server config shows no 'port' line, so confirm which port it actually uses.
config redirect
	option target 'DNAT'
	option name 'WAN to srv-openvpn'
	list proto 'udp'
	option src 'wan'
	option src_dport '1194'
	option dest_ip '192.168.10.15'
	option dest_port '1194'

# Disabled rule (enabled '0'); kept for reference only.
config rule
	option name 'Allow TIG to WAN'
	option dest 'wan'
	option target 'ACCEPT'
	option src 'IoTZone'
	list src_ip '10.10.30.166'
	list src_ip '10.10.30.60'
	option enabled '0'

# Single IoT host allowed out to the internet.
config rule
	option name 'Allow NAS to WAN'
	option src 'IoTZone'
	list src_ip '10.10.30.50'
	option dest 'wan'
	option target 'ACCEPT'

# Two IoT hosts may reach only the LAN OpenVPN host.
config rule
	option name 'Allow IoT to srv-openvpn'
	option src 'IoTZone'
	option dest 'lan'
	list dest_ip '192.168.10.15'
	option target 'ACCEPT'
	list src_ip '10.10.30.21'
	list src_ip '10.10.30.22'

# Router-side OpenVPN listener exposed to wan on udp/1193.
config rule
	option name 'Allow-VPN'
	option src 'wan'
	option dest_port '1193'
	option target 'ACCEPT'
	list proto 'udp'
OpenVPN server config
# OpenVPN server config as posted (router-side instance). Review comments added; no directives changed.
# No 'port' line appears here, so OpenVPN's default (1194) applies unless set elsewhere; the
# firewall in this thread accepts udp/1193 for the router and DNATs udp/1194 to 192.168.10.15 — confirm.
proto udp
# Only the lan subnet is pushed. Clients therefore have no route for 10.10.30.0/24 (IoT)
# or 172.24.20.0/24 (Guest) and never send that traffic into the tunnel, whatever the
# firewall allows — the last post in the thread fixed the IoT case by pushing a second route.
push "route 192.168.10.0 255.255.255.0"
# Tunnel address pool; must not overlap any local subnet or any LAN at the client's site.
server 192.168.66.0 255.255.255.0

persist-key
persist-tun

ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
dh /etc/openvpn/dh.pem
# CRL checking is disabled: a client certificate that has been revoked is still
# accepted until this is enabled and a CRL is maintained.
;crl-verify /etc/openvpn/crl.pem
key /etc/openvpn/server.key

# Username/password verification is disabled, so authentication is certificate-only.
;script-security 2
;auth-user-pass-verify /etc/openvpn/ovpnauth.sh via-file

# NOTE(review): no tls-auth/tls-crypt, cipher/data-ciphers, auth or remote-cert-tls
# lines appear in this excerpt. Without tls-auth/tls-crypt the server answers the
# TLS handshake for any UDP sender; confirm whether these are set elsewhere.
# /tmp is RAM-backed on OpenWrt, so the client address assignments kept here are lost on reboot.
ifconfig-pool-persist /tmp/ipp.txt

# Both logs live in volatile /tmp; combined with verb 7 below the log can grow quickly.
status /tmp/openvpn-status.log
log-append /tmp/openvpn.log

# Disables periodic TLS key renegotiation entirely (OpenVPN's default is every 3600 s).
reneg-sec 0 

# Debug-level verbosity; useful while troubleshooting, 3 is the usual operational setting.
verb 7

Thank you.

You have the VPN tunnel in the lan zone, which prevents treating VPN and lan differently. Move the VPN into a new zone called vpn, then make forwarding rules vpn->iot, vpn->lan etc.


I have now set the tun0 device on the lan zone as a covered device. Should I create a new firewall VPN zone with the tun0 interface as a covered network and then set appropriate rules for that VPN zone?

Yes. Take tun0 out of the lan zone and make a new separate zone which includes only tun0 so you have finer control of VPN traffic.

Also, for proper routing it is important that none of the IP subnets overlap: your own LANs of course, but also the subnet for the VPN tunnel endpoints and the subnets of any LAN(s) at the remote location (overlaps cause attempts to reach your home LAN to be routed into the LAN at the remote site instead).


Thank you, I will give it a try tomorrow.

You don’t need a new zone to handle the OpenVPN server, but it may help in some cases: tun0 (or more precisely the server's IP address range) is treated like an interface in whichever zone tun0 is mounted.
So just set the zone's forward policy to reject and create specific forwarding rules in the firewall.

Thanks for your response. Could you explain to me in detail what you mean by this? I am sometimes confused here, as tun0 is actually a device in OpenWrt and also an interface (identically named, based on the manual). So it is a bit confusing what I should actually create in the firewall in order to control the traffic.

The documentation is pretty much non-existent about this. I found out by trial and error when I started having multi-interface zones.
And tun0 showed up as a CIDR IP address in the OpenVPN log and in the output of `ip address`.

You define the tun0 interface, or more precisely the server in your case, in firewall rules with CIDR rules such as 192.168.66.0/24. All data to and from the server is matched by this IP range in the firewall rules.

But you shouldn’t need any tun0 interface in the network config. You only include the tun0 device in the firewall zone you want it in. The firewall zone will see it as another interface in the zone.

I concur with this.

However, you do need to have an interface defined, like you have now, if you want to use the PBR package, which needs an interface to work with :slight_smile:


Well, I played around a bit, but all my attempts to do that within the firewall failed. I tried to create a new zone, called VPN, with covered device tun0 only. Then I set appropriate forwarding rules, but in the end that did not work. I tried without a CIDR IP defined in the fw zone and it also failed. Eventually, I added another line in the VPN server config:

# Pushing the IoT subnet gives clients a route for 10.10.30.0/24 through the tunnel;
# without it that traffic never leaves the client via tun0, regardless of the firewall rules.
push "route 192.168.10.0 255.255.255.0"
push "route 10.10.30.0 255.255.255.0"

With this setup and all the created fw zones deleted it worked, i.e. I only had the lan zone with the covered device set to tun0. But I am not experienced enough with networking to say whether this setup is actually the correct one...