Allow OpenVPN connections on custom port

I am trying to connect from a local PC (in the 192.168 network) to my external OpenVPN server, which is not on the router. It worked perfectly with the default Asus firmware.


LAN to WAN traffic is not blocked by default, and from what I can see you have not messed with the firewall, so it is not blocked there.
Install tcpdump first: opkg update; opkg install tcpdump
Then run in one ssh window: tcpdump -i eth0.2 -evn udp port 51194
In another ssh window run: logread -f
Fire up the OpenVPN connection from the PC and paste here the output from the two windows.


This is indeed a very strange thing. In the tcpdump window there are packets like this:

21:21:01.117576 <mac1> > <mac2>, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 56, id 31765, offset 0, flags [DF], proto UDP (17), length 68)
    <my_openvpn_server_ip>.51194 > <my_local_ip>.32849: UDP, length 40
21:21:11.143149 <mac1> > <mac2>, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 56, id 32600, offset 0, flags [DF], proto UDP (17), length 68)
    <my_openvpn_server_ip>.51194 > <my_local_ip>.32849: UDP, length 40
21:21:21.272845 <mac1> > <mac2>, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 56, id 33889, offset 0, flags [DF], proto UDP (17), length 68)
    <my_openvpn_server_ip>.51194 > <my_local_ip>.32849: UDP, length 40
21:21:31.405310 <mac1> > <mac2>, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 56, id 34130, offset 0, flags [DF], proto UDP (17), length 68)
    <my_openvpn_server_ip>.51194 > <my_local_ip>.32849: UDP, length 40
21:21:41.758317 <mac1> > <mac2>, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 56, id 35700, offset 0, flags [DF], proto UDP (17), length 68)
    <my_openvpn_server_ip>.51194 > <my_local_ip>.32849: UDP, length 40

In the logread -f window there was nothing (I was running it from another ssh session on the router). I even checked my OpenVPN server logs; it seems like I was connected, and in addition to that my network manager icon showed me that I am connected (small lock icon, I am using Arch Linux). The worst part is that after I disconnect from that broken VPN connection (because I have no internet) I can't access any port 80 or 443 via the router (it just freezes on connection), BUT I can use ssh on port 22 from my local PC in the 192 network.
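An added example, not part of the thread, that reads the `tcpdump -evn` format posted above and tallies UDP packets per direction for each client/server pair. The capture above only ever shows the server side talking (short datagrams every ten seconds from port 51194 to the client's ephemeral port), and with nothing from the client going out on eth0.2 that is worth flagging explicitly. The sample below is constructed: placeholder addresses and MACs stand in for the redacted ones, and a second, two-way flow from another LAN host is added for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `tcpdump -i eth0.2 -evn udp port 51194`.
# 192.168.1.20 is the PC from the thread (only server->client traffic seen);
# 192.168.1.21 is a hypothetical second host whose flow works in both directions.
SAMPLE_CAPTURE = """\
21:21:01.117576 aa:bb:cc:00:00:01 > aa:bb:cc:00:00:02, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 56, id 31765, offset 0, flags [DF], proto UDP (17), length 68)
    203.0.113.10.51194 > 192.168.1.20.32849: UDP, length 40
21:21:03.500000 aa:bb:cc:00:00:02 > aa:bb:cc:00:00:01, ethertype IPv4 (0x0800), length 144: (tos 0x0, ttl 64, id 1001, offset 0, flags [DF], proto UDP (17), length 130)
    192.168.1.21.40000 > 203.0.113.10.51194: UDP, length 102
21:21:03.560000 aa:bb:cc:00:00:01 > aa:bb:cc:00:00:02, ethertype IPv4 (0x0800), length 144: (tos 0x0, ttl 56, id 1002, offset 0, flags [DF], proto UDP (17), length 130)
    203.0.113.10.51194 > 192.168.1.21.40000: UDP, length 102
21:21:11.143149 aa:bb:cc:00:00:01 > aa:bb:cc:00:00:02, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 56, id 32600, offset 0, flags [DF], proto UDP (17), length 68)
    203.0.113.10.51194 > 192.168.1.20.32849: UDP, length 40
21:21:21.272845 aa:bb:cc:00:00:01 > aa:bb:cc:00:00:02, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 56, id 33889, offset 0, flags [DF], proto UDP (17), length 68)
    203.0.113.10.51194 > 192.168.1.20.32849: UDP, length 40
"""

# First line of each record: timestamp, then the IP header summary with the TTL.
HEADER_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) .*?ttl (\d+),.*?proto UDP")
# Indented second line: src.port > dst.port: UDP, length <payload>.
FLOW_RE = re.compile(
    r"^\s+(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP, length (\d+)"
)


def parse_udp_records(text):
    """Yield (timestamp, ttl, src_ip, src_port, dst_ip, dst_port, payload_len)."""
    header = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = (m.group(1), int(m.group(2)))
            continue
        m = FLOW_RE.match(line)
        if m and header:
            ts, ttl = header
            header = None
            yield (ts, ttl, m.group(1), int(m.group(2)),
                   m.group(3), int(m.group(4)), int(m.group(5)))


def summarize_flows(text, vpn_port):
    """Per (client_ip, client_port, server_ip, server_port): packet and byte counts
    in each direction, keyed on which side holds the VPN port."""
    flows = defaultdict(lambda: {"to_server": 0, "from_server": 0,
                                 "bytes_to_server": 0, "bytes_from_server": 0,
                                 "server_ttl": None})
    for _ts, ttl, sip, sport, dip, dport, plen in parse_udp_records(text):
        if dport == vpn_port:                      # client -> server
            f = flows[(sip, sport, dip, dport)]
            f["to_server"] += 1
            f["bytes_to_server"] += plen
        elif sport == vpn_port:                    # server -> client
            f = flows[(dip, dport, sip, sport)]
            f["from_server"] += 1
            f["bytes_from_server"] += plen
            f["server_ttl"] = ttl
    return dict(flows)


def one_way_flows(flows):
    """Flows where the capture point saw traffic in only one direction."""
    return {k: v for k, v in flows.items()
            if v["to_server"] == 0 or v["from_server"] == 0}


if __name__ == "__main__":
    flows = summarize_flows(SAMPLE_CAPTURE, 51194)
    for (cip, cport, sip, sport), f in flows.items():
        tag = "ONE-WAY" if (cip, cport, sip, sport) in one_way_flows(flows) else "ok"
        print(f"{cip}:{cport} <-> {sip}:{sport} "
              f"out={f['to_server']} in={f['from_server']} {tag}")
```

Run it against a real capture by replacing SAMPLE_CAPTURE with the file contents; a flow that shows up as ONE-WAY with packets only inbound means the client's outbound datagrams never reached eth0.2, which points at the client or at the router's LAN side rather than at the far end.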

Looks like you have some problem with client and/or server configuration.
Your issue doesn't seem to be related to OpenWrt.


But it was working perfectly fine before I started using the OpenWrt firmware, plus that port blocking after disconnecting from the "broken" VPN connection is clearly a router issue; I had nothing like that previously.

Activate the VPN connection and collect the diagnostics from your PC:

PAGER= nmcli connection show id VPN_CON; \
ip address show; ip route show; ip rule show; \
ip route get 1; ip route get 1::; \
grep -e ^hosts /etc/nsswitch.conf; \
grep -v -e ^# -e ^$ /etc/resolv.conf; \
resolvectl query openwrt.org; \
resolvectl dns; resolvectl domain; \
ping -w 3 8.8.8.8; ping -w 3 openwrt.org; \
nslookup openwrt.org 8.8.8.8; nslookup openwrt.org

You can post it to pastebin.com.

So I solved the first issue, which was loss of DNS after disconnecting from the VPN, by enabling the systemd-resolved service (it wasn't somehow disabled, but anyway). When the VPN is connected, none of the below works, resulting in 100% packet loss or timeouts:

resolvectl query openwrt.org
ping -w 3 openwrt.org
ping -w 3 8.8.8.8
nslookup openwrt.org 8.8.8.8
nslookup openwrt.org
resolvectl domain; resolvectl dns
Global:
Link 2 (enp30s0):
Link 3 (br-1469495459e8):
Link 4 (br-35c745066029):
Link 5 (docker0):
Link 6 (br-baeb43c59b81):
Link 25 (tun0): ~.
Global: 8.8.8.8 8.8.4.4
Link 2 (enp30s0):
Link 3 (br-1469495459e8):
Link 4 (br-35c745066029):
Link 5 (docker0):
Link 6 (br-baeb43c59b81):
Link 25 (tun0): 8.8.8.8 8.8.4.4
ip route get 1; ip route get 1::;
1.0.0.0 via 192.168.255.5 dev tun0 src 192.168.255.6 uid 1000 
    cache 
RTNETLINK answers: Network is unreachable
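An added example, not from the thread, that parses the `resolvectl dns` and `resolvectl domain` output above and applies a simplified model of how systemd-resolved picks a link for a query: a link whose routing domain covers the name wins (`~.` covers every name), and only when no link matches do the Global servers get the query. In the output above tun0 carries `~.` together with its own servers, so every lookup is sent through the tunnel, and a tunnel that passes no traffic takes DNS down with it. The model is my simplification (a link must have servers to be selected; DNSSEC, LLMNR, mDNS and per-link default-route flags are ignored), and the sample output is constructed from the thread's with fewer links.

```python
import re

# Constructed from the thread's output, trimmed to three links.
DNS_WITH_VPN = """\
Global: 8.8.8.8 8.8.4.4
Link 2 (enp30s0):
Link 5 (docker0):
Link 25 (tun0): 8.8.8.8 8.8.4.4
"""
DOMAIN_WITH_VPN = """\
Global:
Link 2 (enp30s0):
Link 5 (docker0):
Link 25 (tun0): ~.
"""
# Same host with the tunnel down: the tun0 lines are gone.
DNS_NO_VPN = "".join(l + "\n" for l in DNS_WITH_VPN.splitlines() if "tun0" not in l)
DOMAIN_NO_VPN = "".join(l + "\n" for l in DOMAIN_WITH_VPN.splitlines() if "tun0" not in l)

LINE_RE = re.compile(r"^(?:Global|Link \d+ \(([^)]+)\)):\s*(.*)$")


def parse_resolvectl(text):
    """Map 'Global' or the interface name to the list of values on its line."""
    scopes = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            scopes[m.group(1) or "Global"] = m.group(2).split()
    return scopes


def matching_routing_domain(name, domains):
    """Longest domain on a link that covers `name` (None if none does).
    '~.' strips to '' and covers everything; search domains without '~'
    also act as routing domains in resolved, so both forms count."""
    best = None
    qname = name.rstrip(".").lower()
    for d in domains:
        d = d.lstrip("~").rstrip(".").lower()
        if d == "" or qname == d or qname.endswith("." + d):
            if best is None or len(d) > len(best):
                best = d
    return best


def route_query(name, dns_scopes, domain_scopes):
    """Simplified resolved routing: {link: servers} that would get the query.
    1. links with the longest matching routing domain (and servers);
    2. otherwise links that have servers but no routing domains;
    3. otherwise the Global servers."""
    candidates = []
    for link, domains in domain_scopes.items():
        if link == "Global":
            continue
        d = matching_routing_domain(name, domains)
        if d is not None and dns_scopes.get(link):
            candidates.append((len(d), link))
    if candidates:
        best_len = max(n for n, _ in candidates)
        return {l: dns_scopes[l] for n, l in candidates if n == best_len}
    default = {l: s for l, s in dns_scopes.items()
               if l != "Global" and s and not domain_scopes.get(l)}
    if default:
        return default
    return {"Global": dns_scopes.get("Global", [])}


if __name__ == "__main__":
    for label, dns, dom in (("VPN up", DNS_WITH_VPN, DOMAIN_WITH_VPN),
                            ("VPN down", DNS_NO_VPN, DOMAIN_NO_VPN)):
        print(label, "->", route_query("openwrt.org",
                                       parse_resolvectl(dns), parse_resolvectl(dom)))
```

Feed it the real output of the two commands to see which link a given name is sent to; when the answer is `tun0` and the tunnel carries nothing, the timeouts on `resolvectl query` and `nslookup` above follow directly, independent of the router.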

This might be an MTU-related issue, see:
Route into a Open-VPN-Client Subnet
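An added example, not from the linked post, of the check that suggestion calls for: find the largest packet that crosses a path unfragmented by binary-searching ping sizes with the don't-fragment bit set (Linux iputils `ping -M do -s`). The `probe` parameter is my own hook so the search can be exercised with a fake probe offline; `ICMP_OVERHEAD` is the 28 bytes of IPv4 and ICMP headers that `ping -s` does not count.

```python
import subprocess

ICMP_OVERHEAD = 28  # IPv4 header (20) + ICMP echo header (8); `ping -s` sets the payload only


def ping_df_probe(host, payload):
    """One ICMP echo with DF set (iputils `-M do`); True if it was answered.
    A 'message too long' or silent drop returns non-zero, i.e. False."""
    r = subprocess.run(
        ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), host],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


def find_path_mtu(host, probe=ping_df_probe, lo=576, hi=1500):
    """Largest IP packet size (headers included) that reaches `host` unfragmented,
    or None if even `lo` fails (host unreachable, or ICMP blocked)."""
    if not probe(host, lo - ICMP_OVERHEAD):
        return None
    if probe(host, hi - ICMP_OVERHEAD):
        return hi
    # Invariant: lo passes, hi fails; narrow until they are adjacent.
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(host, mid - ICMP_OVERHEAD):
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "openwrt.org"
    print(target, "path MTU:", find_path_mtu(target))
```

Run it once against the VPN server's public address and once against something on the far side of the tunnel while it is up; if the second number is smaller than the tunnel interface's MTU, large packets (TLS handshakes, HTTP responses) are being dropped inside the tunnel while small ones (ssh keepalives, pings) get through, which matches the symptoms reported above.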

I will check that out. In addition to that, I am getting a timeout doing nslookup openwrt.org in the normal connection state, without the VPN connected:

grep -e ^hosts /etc/nsswitch.conf; \
ls -l /etc/resolv.conf; \
grep -v -e ^# -e ^$ /etc/resolv.conf; \
resolvectl dns; resolvectl domain
hosts: files mymachines myhostname resolve [!UNAVAIL=return] dns
-rw-r--r-- 1 root root 30 Oct 31 02:17 /etc/resolv.conf
Global:
Link 2 (enp30s0):
Link 3 (br-1469495459e8):
Link 4 (br-35c745066029):
Link 5 (docker0):
Link 6 (br-baeb43c59b81):
Global:
Link 2 (enp30s0):
Link 3 (br-1469495459e8):
Link 4 (br-35c745066029):
Link 5 (docker0):
Link 6 (br-baeb43c59b81):

Post your main connection config:

PAGER= nmcli connection show id MAIN_CONNECTION

And fix the resolver:

sudo ln -f -r -s /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

Yeah, the resolver is OK now from the wired connection, but not from the VPN. Config here: https://pastebin.com/F95uc3kX


Check both the VPN server and client logs for clues.

I have no idea at all. journalctl is clean. I am 90% sure the problem is in the router/OpenWrt firewall, because everything was working OK yesterday on this PC with all these settings (and even with the resolvectl service switched off) on the default Asus firmware. The OpenVPN server logs are clean too; it is allowing me to connect, and the NetworkManager icon shows that I am connected. And after that connection nothing is working: unable to nslookup, ping, etc., like something is blocking all the traffic.

Is it okay that the tun interface is getting a 192.168.255.* local address, the same that the router's LAN network is in? Is it okay that iptables -S on the router shows rejection of all TCP traffic by default?

-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable

How can I completely disable the firewall and allow everything to everything?

Your LAN is:

Yeah, I meant the same network in terms of another private subnet, e.g. (172., 10.).
Anyway, I tried to change the LAN to 192.168.0.1 and it did not work.

It doesn't affect it, they are in different subnets.
Post here the client and server configurations and logs.


OK, this is getting worse: I flashed back the original Asus firmware, and the VPN is not working either :slight_smile: But it clearly was working a day ago, so OpenWrt was not the cause. I'll try to find the problem, thanks a lot.

UP. The VPN IS working on OpenWrt from another device in the network, PLUS it is working from the target PC using the raw command openvpn ~/my-config.ovpn, so this is clearly a NetworkManager issue.
