Allow open-vpn connections on custom port

mrAndersen · October 30, 2020, 8:30pm

I am trying to connect from local PC (in 192.168 network) to my external open-vpn server which is not on the router. It worked perfectly with default asus firmware.

trendy · October 30, 2020, 8:39pm

Lan to wan traffic is not blocked by default. And from what I can see you have not messed with the firewall, so it is not blocked there.
Install tcpdump first opkg update; opkg install tcpdump
Then run on one ssh window tcpdump -i eth0.2 -evn udp port 51194
On another ssh window run logread -f
Fire up the Openvpn connection from the PC and paste her the output from the 2 windows.

mrAndersen · October 30, 2020, 9:29pm

This is indeed very strange thing. In tcpdump window there are packets like this

21:21:01.117576 <mac1> > <mac2>, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 56, id 31765, offset 0, flags [DF], proto UDP (17), length 68)
    <my_openvpn_server_ip>.51194 > <my_local_ip>.32849: UDP, length 40
21:21:11.143149 <mac1> > <mac2>, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 56, id 32600, offset 0, flags [DF], proto UDP (17), length 68)
    <my_openvpn_server_ip>.51194 > <my_local_ip>.32849: UDP, length 40
21:21:21.272845 <mac1> > <mac2>, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 56, id 33889, offset 0, flags [DF], proto UDP (17), length 68)
    <my_openvpn_server_ip>.51194 > <my_local_ip>.32849: UDP, length 40
21:21:31.405310 <mac1> > <mac2>, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 56, id 34130, offset 0, flags [DF], proto UDP (17), length 68)
    <my_openvpn_server_ip>.51194 > <my_local_ip>.32849: UDP, length 40
21:21:41.758317 <mac1> > <mac2>, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 56, id 35700, offset 0, flags [DF], proto UDP (17), length 68)
    <my_openvpn_server_ip>.51194 > <my_local_ip>.32849: UDP, length 40

In logread -f window there were nothing (was running it from another ssh session from the router). I even checked my open-vpn server logs, seems like i was connected, and in addition to that my network manager icon showed me that i am connected (small lock icon, i am using arch-linux). The most bad part that after i disconnect from that broken vpn connection (because i have not internet) i can't access any 80 or 443 port via router (just freezing on connection), BUT i can use ssh 22 port from my local PC in 192 network

vgaetera · October 30, 2020, 9:57pm

Looks like you have some problem with client and/or server configuration.
Your issue doesn't seem to be related to OpenWrt.

mrAndersen · October 30, 2020, 10:05pm

But it was working perfectly fine, before i started using openwrt firmware + that port blocking after disconnecting from "broken" vpn connection is clearly router issue, i had nothing near that previously

vgaetera · October 30, 2020, 10:08pm

Activate the VPN connection and collect the diagnostics from your PC:

PAGER= nmcli connection show id VPN_CON; \
ip address show; ip route show; ip rule show; \
ip route get 1; ip route get 1::; \
grep -e ^hosts /etc/nsswitch.conf; \
grep -v -e ^# -e ^$ /etc/resolv.conf; \
resolvectl query openwrt.org; \
resolvectl dns; resolvectl domain; \
ping -w 3 8.8.8.8; ping -w 3 openwrt.org; \
nslookup openwrt.org 8.8.8.8; nslookup openwrt.org

You can post it to pastebin.com.

mrAndersen · October 30, 2020, 10:48pm

So i solved first issue, which was loss of dns after i was disconnecting from VPN, by enabling systemd-resolved service, it wasn't somehow disabled, but anyway when VPN is connected, nothing of below works resulting in 100% packet loss or timeout

resolvectl query openwrt.org
ping -w 3 openwrt.org
ping -w 3 8.8.8.8
nslookup openwrt.org 8.8.8.8
nslookup openwrt.org

resolvectl domain; resolvectl dns
Global:
Link 2 (enp30s0):
Link 3 (br-1469495459e8):
Link 4 (br-35c745066029):
Link 5 (docker0):
Link 6 (br-baeb43c59b81):
Link 25 (tun0): ~.
Global: 8.8.8.8 8.8.4.4
Link 2 (enp30s0):
Link 3 (br-1469495459e8):
Link 4 (br-35c745066029):
Link 5 (docker0):
Link 6 (br-baeb43c59b81):
Link 25 (tun0): 8.8.8.8 8.8.4.4

ip route get 1; ip route get 1::;
1.0.0.0 via 192.168.255.5 dev tun0 src 192.168.255.6 uid 1000 
    cache 
RTNETLINK answers: Network is unreachable

vgaetera · October 30, 2020, 11:23pm

This might be MTU-related issues, see:
Route into a Open-VPN-Client Subnet

mrAndersen · October 30, 2020, 11:28pm

I will check that out, in addition to that, i am getting timeout doing nslookup openwrt.org on normal connection state, without VPN connected

vgaetera · October 30, 2020, 11:31pm

grep -e ^hosts /etc/nsswitch.conf; \
ls -l /etc/resolv.conf; \
grep -v -e ^# -e ^$ /etc/resolv.conf; \
resolvectl dns; resolvectl domain

mrAndersen · October 30, 2020, 11:32pm

grep -e ^hosts /etc/nsswitch.conf; \
> ls -l /etc/resolv.conf; \
> grep -v -e ^# -e ^$ /etc/resolv.conf; \
> resolvectl dns; resolvectl domain
hosts: files mymachines myhostname resolve [!UNAVAIL=return] dns
-rw-r--r-- 1 root root 30 окт 31 02:17 /etc/resolv.conf
Global:
Link 2 (enp30s0):
Link 3 (br-1469495459e8):
Link 4 (br-35c745066029):
Link 5 (docker0):
Link 6 (br-baeb43c59b81):
Global:
Link 2 (enp30s0):
Link 3 (br-1469495459e8):
Link 4 (br-35c745066029):
Link 5 (docker0):
Link 6 (br-baeb43c59b81):

vgaetera · October 30, 2020, 11:38pm

Post your main connection config:

PAGER= nmcli connection show id MAIN_CONNECTION

And fix resolver:

sudo ln -f -r -s /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

mrAndersen · October 30, 2020, 11:42pm

Ye, resolver is ok now from wired connection, but not from vpn. Config here https://pastebin.com/F95uc3kX

vgaetera · October 31, 2020, 1:10am

Check both the VPN server and client logs for clues.

mrAndersen · October 31, 2020, 9:29am

I have no idea at all. Journalctl is clean, i am 90% sure the problem is in router\openwrt firewall, because everything was working okay yesterday on this pc with all this settings (and even switched off resolvectl service) with default asus firmware. OpenVPN server logs are clean too, it is allowing me to connect + networkmanager icon is showing that i am connected. And after that connection nothing is working, unable to nslookup, ping, e.t.c, like something is blocking all the traffic.

Is this okay that tun interface are getting 192.168.255.* local address the same that router LAN network is in? Is this okay that iptables -S on the router showing rejection of all tcp traffic by default?

-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable

How can i completely disable firewall and allow everything to everything ?

vgaetera · October 31, 2020, 2:06pm

Your LAN is:

mrAndersen · October 31, 2020, 3:10pm

Ye, i was meaning same network in terms of another prive subnet e.g. (172. , 10.)
Anyway i tried to change LAN to 192.168.0.1 - and it did not worked

trendy · October 31, 2020, 6:46pm

It doesn't affect it, they are in different subnets.
Post here the client and server configurations and logs.

mrAndersen · October 31, 2020, 8:40pm

Ok, this is getting worse, i flushed back the original Asus firmware, and vpn is not working either But it clearly was working a day ago, so openwrt was not the case, i'll try find the problem, thx a lot.

UP. Vpn IS working on open-wrt from another device in the network PLUS it is working from target pc using raw cmd openvpn ~/my-config.ovpn, so this is clearly network-manager issue

vgaetera · October 31, 2020, 9:03pm