Access services behind VPN (or not!)

Hello everyone,

I have been running OpenWRT on an RPi3b to act as an AP for the other devices. OpenWRT is also set up so that all traffic goes through a Surfshark WireGuard VPN. Note that the OpenWRT device works as a router (my ISP modem is set as DMZ to the OpenWRT internal IP). I have also set up netdata and docker as additional services, and I would love to have access to those from outside my local network. My understanding is that I cannot access any server behind a VPN, as the VPN would just reject any incoming connection, and for safety reasons I'd prefer not to expose the LuCI interface to the internet. Here is my question: is there a way to selectively forward the incoming traffic (to specific ports) so that it goes through or around the VPN, thus making those services accessible from outside the local network? The config files follow.

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix ''

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.1'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config interface 'Surfshark_Milan'
        option proto 'wireguard'
        list addresses 'my_ip'
        option private_key 'my_key'
        option mtu ''
        option peerdns '0'
        option metric '10'
        list dns 'my_dns'
        list dns 'my_dns'

config wireguard_Surfshark_Milan
        list allowed_ips ''
        option route_allowed_ips '1'
        option persistent_keepalive '30'
        option endpoint_host ''
        option endpoint_port ''
        option public_key 'my_key'

config wireguard_Surfshark_Milan
        option public_key 
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option endpoint_host ''
        option persistent_keepalive '25'
        option endpoint_port ''

config interface 'WAN'
        option proto 'dhcp'
        option peerdns '0'
        option metric '20'
        option device 'eth1'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config device
        option name 'eth0'
        option ipv6 '0'

config device
        option name 'Surfshark_Milan'
        option ipv6 '0'

config device
        option name 'wlan0'
        option ipv6 '0'

config device
        option name 'eth1'
        option ipv6 '0'

config interface 'Surfshark_BE'
        option proto 'wireguard'
        option auto '0'
        option private_key ''
        list addresses ''
        option mtu ''
        option peerdns '0'
        list dns ''
        list dns ''

config wireguard_Surfshark_BE
        option public_key ''
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option endpoint_host ''
        option persistent_keepalive '25'

config interface 'Surfshark_US'
        option proto 'wireguard'
        option auto '0'
        option private_key ''
        list addresses ''
        option mtu ''
        option peerdns '0'
        list dns ''
        list dns ''

config wireguard_Surfshark_US
        option public_key ''
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option endpoint_host ''
        option persistent_keepalive '25'

config interface 'docker'
        option device 'docker0'
        option proto 'none'
        option auto '0'

config device
        option type 'bridge'
        option name 'docker0'
root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        list network 'WAN'
        option masq '1'
        option mtu_fix '1'
        option output 'ACCEPT'
        option input 'REJECT'
        option forward 'REJECT'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config zone
        option name 'vpn'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'Surfshark_Milan'
        list network 'Surfshark_BE'
        list network 'Surfshark_US'
        option input 'REJECT'
        option forward 'REJECT'

config rule
        option name 'wan-local-wg'
        option src 'wan'
        option dest_port '51820'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'vpn'

config redirect
        option target 'DNAT'
        option dest_port '19999'
        option name 'Netdata'
        option src_dport '19999'
        option dest_ip '192.168.2.1'
        option enabled '0'
        option src 'lan'
        option dest 'wan'

config redirect
        option dest 'wan'
        option target 'DNAT'
        option name 'RPi'
        option src 'lan'
        option src_dport '443'
        option dest_ip '192.168.2.1'
        option dest_port '443'
        option enabled '0'

config zone 'docker'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'docker'
        list network 'docker'

config redirect
        option target 'DNAT'
        option name 'HA'
        option src_dport '8123'
        option src 'lan'
        option dest 'wan'
        option dest_ip '192.168.2.1'
        option dest_port '8123'
        option enabled '0'

I do hope this info can be of some help!
Thanks in advance

Matteo

Yes, you can use policy-based routing to exclude some types of traffic from the VPN. For example, set up another VPN server on it and specify that whatever has the VPN server's port as its source port will use routing table 100, which routes via the ISP router.

Hi trendy,

Are you able to help me out with the configuration itself? I also feel that my config is somewhat redundant, which makes it more difficult to troubleshoot the issue.

I think the easiest way is to create a firewall rule to mark the interesting traffic based on source port. Then make an IP rule so that traffic marked by the previous firewall rule is looked up in another routing table. Finally, create that routing table to route this traffic via the ISP router as gateway.

Alright, a divide-and-conquer approach here.
I set up a firewall rule for netdata for all the traffic coming from wan (which is the ISP router network) to the device (see attached screenshot). I have no clue about the IP rule though — where can I find it?

Thanks again!
Matteo

This is not relevant to what I described earlier; however, you do need it to be allowed.
The rule should match the source port and the egress zone wan, and have firewall mark as its action.

I am afraid I will need more details to get it done, as I really don't know what this means. I am quite a newbie with these network configurations :frowning:

Thanks in advance for your help!

Make another rule in the firewall. Instead of selecting allow as the action, select the firewall mark. Use the same mark value in the IP rule you'll create to look up a new routing table. Finally, create the new routing table to send that traffic over the WAN interface via the designated gateway.