Access router from external IP address (WAN) using a VPN

Hey, guys!
I know there are a lot of topics similar to this but I didn't find the solution to my problem in them.
I have a router running openwrt inside my LAN and I would like to set up a VPN server on it. I have configured port forwarding on my router/modem (ISP) to forward all connections to port 1194 to openwrt. Unfortunately it didn't work. I can see the incoming connection attempt using tcpdump, but the connection fails to establish. It looks like openwrt refuses all external IPs coming from the ISP router, even after setting a "firewall traffic rule" to allow this port. Can someone help me please!!!

  • Does your main router have a public IP address on its wan?
  • How are the devices connected together (lan - lan, or lan - wan)?

Please share your configuration from OpenWrt:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
cat /etc/config/openvpn

Side note: I'd recommend Wireguard instead of OpenVPN, unless you have a specific reason to use OpenVPN on your router.

  • Does your main router have a public IP address on its wan?
    yes and I'm using a DDNS

  • How are the devices connected together (lan - lan, or lan - wan)?
    lan-lan

I just migrated to wireguard. I still don't know if it's working because I can't see a listening endpoint on port 51820 using the netstat -an command.

{
        "kernel": "5.10.161",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Raspberry Pi 3 Model B Rev 1.2",
        "board_name": "raspberrypi,3-model-b",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.3",
                "revision": "r20028-43d71ad93e",
                "target": "bcm27xx/bcm2710",
                "description": "OpenWrt 22.03.3 r20028-43d71ad93e"
        }
}
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda8:ff39:689c::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '8.8.8.8'
        option gateway '192.168.16.1'
        option ipaddr '192.168.16.8'

config interface 'vpn'
        option proto 'wireguard'
        option private_key 'XXXXXXXXXXXXXX'
        list addresses '192.168.9.2/24'
        list addresses 'fd00:9::2/64'
        option force_link '1'

config wireguard_vpn 'wgserver'
        option public_key 'XXXXXXXXXXXXXX'
        option preshared_key 'XXXXXXXXXXXXXX'
        option endpoint_host '192.168.16.8'
        option endpoint_port '51820'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'

config interface 'wan'
        option proto 'static'
        option device 'br-lan'
        option ipaddr '192.168.17.8'
        option netmask '255.255.255.0'

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wan'
        list network 'vpn'

I just saw that I set up a wireguard client instead of a server. Disregard it. But anyway, I am not able to establish any connection with openwrt through an external IP coming from a redirection by my ISP router.

DDNS is good, but doesn't guarantee a public IP on your actual wan. Have you verified this by looking at the main router's wan IP (not the ddns result; if in doubt, post the first two octets in bold aaa.bbb.ccc.ddd)?

This should be deleted.

Am I correct in assuming that the actual upstream router's address is 192.168.16.1?

Is the wireguard interface active? If so, that will cause a conflict.

I don't see your OpenVPN config, nor do I see any evidence of it in your firewall.

Thanks @psherman !!!

I actually have a public IP. I use it for other purposes.
The upstream router address is 192.168.16.1

I migrated to wireguard and now it's working. I can see the established connection and I can ping the router IP address (openwrt).

The problem now is I can't access/ping any device on my LAN with the exception of openwrt. I think it's something related to the firewall configuration. Can you help me?

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.10.161",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Raspberry Pi 3 Model B Rev 1.2",
        "board_name": "raspberrypi,3-model-b",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.3",
                "revision": "r20028-43d71ad93e",
                "target": "bcm27xx/bcm2710",
                "description": "OpenWrt 22.03.3 r20028-43d71ad93e"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda8:ff39:689c::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '8.8.8.8'
        option ipaddr '192.168.16.8'
        option gateway '192.168.16.1'

config interface 'wg_lan'
        option proto 'wireguard'
        option private_key 'xxxxxxxxxxxxxxxxx'
        option listen_port '51820'
        option mtu '1420'
        list addresses '192.168.16.8/24'

config wireguard_wg_lan
        option public_key 'xxxxxxxxxxxxxxxxxx'
        option preshared_key 'xxxxxxxxxxxxxxxxxx'
        option description '1_lan_Alpha'
        list allowed_ips '192.168.16.11/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config wireguard_wg_lan
        option public_key 'xxxxxxxxxxxxxxxxxx'
        option preshared_key 'xxxxxxxxxxxxxxxxxx'
        option description '2_lan_Bravo'
        list allowed_ips '192.168.16.12/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config wireguard_wg_lan
        option public_key 'xxxxxxxxxxxxxxxxxx'
        option preshared_key 'xxxxxxxxxxxxxxxxxx'
        option description '3_lan_Charlie'
        list allowed_ips '192.168.16.13/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config wireguard_wg_lan
        option public_key 'xxxxxxxxxxxxxxxxxx'
        option preshared_key 'xxxxxxxxxxxxxxxxxx'
        option description '4_lan_Delta'
        list allowed_ips '192.168.16.14/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg_lan'

config rule 'wg'
        option name 'Allow-WireGuard-lan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'
        option src 'lan'

root@OpenWrt:~# cat /etc/config/openvpn

Your wg subnet overlaps your main network's subnet. This won't work. Change it to something else. Maybe 10.0.5.0/24 as an example (interface 10.0.5.1/24, peers 10.0.5.2/32, etc.).

Does your main router allow you to create static routes (if it's OpenWrt, it certainly does; other firmware features vary, depending on the source)? If so, you'll create a route for the WG subnet such as:

10.0.5.0/24 via 192.168.16.8

If not, you'll need to put the WG network into a separate firewall zone, allow forwarding from that new WG zone > lan zone, and enable masquerading on the lan zone.
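As an added illustration of the second option above (not the thread's own config): the tunnel moved to its own subnet, a dedicated wg zone with forwarding only into lan, and masquerading on the lan zone restricted to tunnel sources. The 192.168.200.0/24 subnet and the REDACTED_* key placeholders are constructed; adapt them to your own setup.

```uci
# /etc/config/network  (added example; keys and the 192.168.200.0/24 subnet are constructed)
config interface 'wg_lan'
        option proto 'wireguard'
        option private_key 'REDACTED_SERVER_PRIVATE_KEY'
        option listen_port '51820'
        option mtu '1420'
        list addresses '192.168.200.1/24'

# one section per peer; allowed_ips is the peer's tunnel address, never a LAN address
config wireguard_wg_lan
        option public_key 'REDACTED_PEER_PUBLIC_KEY'
        option preshared_key 'REDACTED_PEER_PSK'
        option description '1_lan_Alpha'
        list allowed_ips '192.168.200.11/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

# /etc/config/firewall
# lan zone: masq_src limits the masquerade to tunnel sources, so LAN hosts see
# 192.168.16.8 as the source and reply without needing a static route on the ISP router
config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option masq '1'
        list masq_src '192.168.200.0/24'

# dedicated zone for the tunnel: peers are key-authenticated and may reach the router
# itself, but forwarding is denied except for the explicit wg -> lan forwarding below
config zone 'wg'
        option name 'wg'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wg_lan'

config forwarding 'wg_to_lan'
        option src 'wg'
        option dest 'lan'

# the handshake arrives on br-lan (port forward from the ISP router), so src stays 'lan'
config rule 'wg'
        option name 'Allow-WireGuard-lan'
        option src 'lan'
        option proto 'udp'
        option dest_port '51820'
        option target 'ACCEPT'
```

After editing, apply with `/etc/init.d/network restart` and `/etc/init.d/firewall restart`, then confirm the handshake with `wg show` before testing a ping to a LAN host.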

Given that many mobile ISPs abuse the 10.0.0.0/8 subnet, I would suggest avoiding that.


I chose the second option, creating a specific zone for wg and everything worked perfectly. Thanks! :pray:
