Cannot access my own sites which run on a port behind the domain name

Hey everyone,

I have been struggling for days now. I run a router (partly) successfully with an OpenVPN connection. As soon as the VPN connection is made with the main router at home, I cannot reach my own sites behind a port like https://www.mydomain.com:5001, while http://www.mydomain.com is working fine. I set up an OpenVPN connection, and this works almost perfectly. I can reach the whole internet except my own web pages running on the server in my own domain behind the router with the active VPN connection.

I can reach the server on a direct IP address.

Can you give me a hint?

Additional info:

The firewall of the Asus router at home is switched off. NAT loopback on the router is on.

The host is trying to connect from anywhere but home :wink:

/etc/config/network


# /etc/config/network as posted: the travel router (apparently GL.iNet-style
# firmware, judging by the gl* includes in the firewall config) with
# LAN 192.168.8.0/24, guest 192.168.9.0/24, a DHCP uplink on eth0, a
# lower-priority 'wwan' uplink and an unmanaged 'ovpn' interface wrapping the
# OpenVPN client's tun0.

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# IPv6 ULA prefix that the ip6assign options on lan/guest carve sub-prefixes from.
config globals 'globals'
	option ula_prefix 'fd8a:6518:2e52::/48'

# Bridged LAN, 192.168.8.1/24, on VLAN 1 of the switch (eth1.1).
config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option hostname 'Travelrouter'
	option ipaddr '192.168.8.1'
	option ifname 'eth1.1'
	# MAC address masked by the poster.
	option default_macaddr 'xx:xx:xx:xx:xx:xx'

# Wired uplink via DHCP. metric 10 is lower than wwan's 20, so this default
# route wins when both uplinks are up.
# NOTE(review): the firewall config posted below lists only 'wan6 wwan' as
# members of its wan zone, so this IPv4 'wan' interface is not in any
# firewall zone and is governed by the firewall 'defaults' stanza only
# (input ACCEPT there). Confirm whether that is intended.
config interface 'wan'
	option ifname 'eth0'
	option proto 'dhcp'
	option hostname 'Travelrouter'
	option metric '10'
	option type 'bridge'

# IPv6 side of the same uplink.
config interface 'wan6'
	option ifname 'eth0'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1: ports 1 and 2 untagged, port 0 tagged (presumably the CPU port,
# which is where eth1.1 comes from).
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 0t'

# Fallback uplink (metric 20). No ifname here; presumably a wireless
# client-mode interface attached from /etc/config/wireless, which is not posted.
config interface 'wwan'
	option proto 'dhcp'
	option metric '20'

# Guest network, 192.168.9.1/24, isolated by the 'guestzone' firewall zone.
config interface 'guest'
	option ifname 'guest'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.9.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

# Unmanaged wrapper around the OpenVPN client's tun0 so the firewall can
# reference it as the 'ovpn' zone; addresses and routes come from OpenVPN
# itself (the client .ovpn is not posted).
config interface 'ovpn'
	option ifname 'tun0'
	option proto 'none'


/etc/config/firewall


# /etc/config/firewall as posted. Zones: lan (trusted), wan (uplinks),
# guestzone (isolated guest Wi-Fi), ovpn (OpenVPN client tunnel, masqueraded).
# NOTE(review): several policies in this file are more permissive than the
# OpenWrt defaults; see the per-stanza notes below.

# Chain policies for traffic not covered by a zone. input/output ACCEPT means
# the router's own services are reachable from any interface that is not a
# member of a zone; forward REJECT means routing between zones only happens
# where a 'config forwarding' stanza allows it.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Trusted LAN: full access to the router and unrestricted intra-zone forwarding.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

# Uplink zone.
# NOTE(review): input and forward are ACCEPT here (the OpenWrt default for
# the wan zone is REJECT for both), so every service listening on the router
# is reachable from the uplink side of the travel router (hotel / public
# networks). Also note the membership: only 'wan6 wwan' are listed - the
# IPv4 'wan' interface (eth0, dhcp) from /etc/config/network is not in this
# or any other zone and therefore falls back to the 'defaults' stanza above.
# Confirm whether that is intended; normally 'wan' would be listed too.
config zone
	option name 'wan'
	option output 'ACCEPT'
	# masq: SNAT outgoing traffic to the uplink address. mtu_fix: clamp TCP MSS.
	option masq '1'
	option mtu_fix '1'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option network 'wan6 wwan'

# Stock OpenWrt rules admitting DHCP renewals, ping, IGMP and the IPv6
# housekeeping protocols (DHCPv6, MLD, ICMPv6) from the wan zone. They only
# add anything when the zone's input policy is REJECT; with input ACCEPT
# above they are redundant as posted.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Forwarded ICMPv6 (dest '*' = any zone), rate limited.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# IPsec passthrough: unsolicited ESP and IKE (udp/500) arriving from wan may
# be forwarded into lan. Redundant while the unconditional wan -> lan
# forwarding further down is in place; they would matter if that were removed.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Script includes: their rules are installed on every firewall reload but are
# not visible in this file, so the effective rule set is larger than what is
# posted. /etc/firewall.user is the custom-rule hook; miniupnpd (UPnP IGD)
# lets LAN clients request inbound port mappings on the wan side; the
# shadowsocks/glfw/glqos/mwan3 includes appear to belong to the vendor firmware.
config include
	option path '/etc/firewall.user'
	option reload '1'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config include 'shadowsocks'
	option type 'script'
	option path '/var/etc/shadowsocks.include'
	option reload '1'

# Vendor service on tcp/udp 83 reachable from wan; disabled as posted
# (enabled '0'), so it adds no exposure in this state.
config rule 'glservice_rule'
	option name 'glservice'
	option dest_port '83'
	option proto 'tcp udp'
	option src 'wan'
	option target 'ACCEPT'
	option enabled '0'

config include 'glfw'
	option type 'script'
	option path '/usr/bin/glfw.sh'
	option reload '1'

# lan -> wan forwarding is DISABLED: LAN clients cannot reach the uplink
# directly, only via the ovpn zone (see the tunnel forwardings below). This
# is effectively a VPN kill switch - LAN traffic has no path out while the
# tunnel is down.
config forwarding
	option dest 'wan'
	option src 'lan'
	option enabled '0'

# NOTE(review): unconditional wan -> lan forwarding. Any host on the uplink
# network that can route to 192.168.8.0/24 may open new connections to LAN
# clients; stock OpenWrt has no such forwarding (inbound access is normally
# granted per service via 'config redirect' / 'config rule'). Recommend
# removing this stanza unless a specific need is known.
config forwarding
	option dest 'lan'
	option src 'wan'

# Guest zone: no access to the router (input REJECT) except the DHCP and DNS
# rules below, no intra-zone forwarding, and the only forwarding is guest -> wan.
# NOTE(review): there is no guestzone -> ovpn forwarding, so guest traffic is
# not sent through the VPN; and since the wan zone does not contain eth0
# (see the wan zone), guest clients only get an uplink via wan6/wwan. Confirm
# that this matches expectations.
config zone 'guestzone'
	option name 'guestzone'
	option network 'guest'
	option output 'ACCEPT'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding 'guestzone_fwd'
	option src 'guestzone'
	option dest 'wan'

config rule 'guestzone_dhcp'
	option name 'guestzone_DHCP'
	option src 'guestzone'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

config rule 'guestzone_dns'
	option name 'guestzone_DNS'
	option src 'guestzone'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'

config include 'glqos'
	option type 'script'
	option path '/usr/sbin/glqos.sh'
	option reload '1'

config include 'mwan3'
	option type 'script'
	option path '/var/etc/mwan3.include'
	option reload '1'

# Tunnel forwardings.
# lan -> ovpn is what sends LAN traffic into the VPN. It is declared twice in
# this file (here and as 'forwarding_vpn1' at the end); harmless, but one copy
# can be dropped.
config forwarding
	option dest 'ovpn'
	option src 'lan'

# wan -> ovpn: traffic arriving on the uplink side may be forwarded into the
# tunnel. Unusual for a client-side travel router; combined with the open wan
# zone this lets hosts on the uplink network use the tunnel if they can route
# to it. Confirm it is needed.
config forwarding
	option dest 'ovpn'
	option src 'wan'

# ovpn -> lan: connections initiated from the VPN side (the home network and
# anything else reachable through the server) may reach LAN clients behind
# this router. Replies to LAN-initiated connections should not need it (the
# firewall tracks established flows), so keep it only if inbound access from
# home is wanted. The poster's closing message suggests this is the stanza
# that was added at the end of the thread.
config forwarding
	option dest 'lan'
	option src 'ovpn'

# ovpn -> wan: traffic from the tunnel may be forwarded out of the uplink.
config forwarding
	option dest 'wan'
	option src 'ovpn'

# Zone for the OpenVPN client tunnel (tun0). masq '1' SNATs LAN traffic to
# the tunnel address so replies from the home side return through the tunnel
# (the return-path/NAT point raised in the thread); mtu_fix clamps TCP MSS to
# the tunnel MTU. input ACCEPT exposes the router's own services to the
# remote end of the tunnel; forward REJECT blocks intra-zone forwarding.
config zone 'vpn_zone'
	option name 'ovpn'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'ovpn'
	option masq '1'
	option mtu_fix '1'

# Duplicate of the lan -> ovpn forwarding above.
config forwarding 'forwarding_vpn1'
	option dest 'ovpn'
	option src 'lan'


/etc/config/vpn_service

# /etc/config/vpn_service: the vendor firmware's built-in OpenVPN *server*
# profile. It is disabled (enable '0') and is not the client tunnel discussed
# in this thread (that client's .ovpn file is not posted).
config general 'global'
	option enable '0'

config service 'vpn'
	# HMAC algorithm for the OpenVPN channel. SHA1 is still accepted by
	# OpenVPN, but SHA256 is the usual recommendation for new setups.
	option auth 'SHA1'
	option proto 'udp'
	option port '1194'
	option dev 'tun-SERVER'
	option dev_type 'tun'
	# NOTE(review): BF-CBC (Blowfish) is a 64-bit block cipher, affected by
	# SWEET32 and deprecated/removed in current OpenVPN releases. If this
	# server is ever enabled, switch to AES-256-GCM (or at least AES-256-CBC).
	option cipher 'BF-CBC'
	# NOTE(review): compression on a VPN link is discouraged (VORACLE-style
	# attacks); modern OpenVPN guidance is to leave it off.
	option comp 'adaptive'
	# Address pool handed to server clients: 10.8.0.0/24.
	option subnet '10.8.0.0'
	option mask '255.255.255.0'
	# Meaning of 'host' is not visible here - presumably a bind/listen
	# address consumed by the vendor init script; confirm before relying on it.
	option host '127.0.0.1'

Trying to reach the main config page of the home OpenVPN router results in it being shown.

Trying to reach all the other IPs running behind the OpenVPN connection results in:

Even putting the IP of one of the clients in the DMZ is not working.

Hope this is all the info you need to solve the issue :slight_smile:

André

Could you explain the situation a bit better? Maybe draw a diagram of the flows?
Maybe it is just a matter of NAT Loopback, or something else.
Where is the host trying to access the server located? At home or in the internet?
Which devices are running Openwrt? Only router at home or the openvpn server as well?
Also post here the /etc/config/network and /etc/config/firewall as well as the vpn configuration.


Just added the requested info to the post as well as possible; thanks a lot for trying.

I am a bit confused here, as the IP addresses in the configuration don't match the ones in the diagram.
However the error that you get in the browser doesn't mean that you cannot access the web server, but the certificate on the web server is not acceptable. It makes sense though, because you have used a self-signed server certificate. If you click on advanced and examine the certificate you'll see that it was issued by the server itself and you can accept it.


Yeah, I was a bit too lazy; I only changed the IPs on the server side, which I can connect to and which I can't. I know I can accept them, and I did; that's not the problem, but it is not working when I try to reach https://www.mydomain.com

To which IP address does that domain resolve?
nslookup www.mydomain.com

Oh sorry, this is the travel router, not the OpenVPN server.

Could you update the diagram with IPs that match the configuration that you have posted?
Verify that the nameserver resolves the correct IP address and that it is reachable over the vpn tunnel.
If the name resolves to a public IP address, make sure that you are doing proper NAT so that the return traffic goes back to the VPN tunnel and not to the internet.


fluefiske@RT-AC5300:/tmp/home/root# nslookup www.vstijn.nl
Server:    85.113.233.93
Address 1: 85.113.233.93

Name:      www.mydomainname.nl
Address 1: xx.xx.xx.xx.xx 4dae5b47.ftth.telfortglasvezel.nl

Those IP addresses are completely unknown to me
Server: 85.113.233.93
Address 1: 85.113.233.93

Maybe because the connection is built through RDP

Sorry for being a noob :blush:

These are the nameservers used to resolve the names into IP addresses and most likely belong to your ISP.

The IP address that was resolved (you may want to mask that) is the public one that you have on the Asus router?


Traveling at the moment; I need to update this at the weekend, thanks anyhow.

Yes, the IP address is the public IP address that my ISP gave me; I use a free DNS server from Asus. What I found out is that on the travel router it is not working, but using the same .ovpn file on the laptop everything works fine???

OK guys, thanks for helping me out. I found it myself. There was no rule for letting the OVPN connect to the LAN. I don't understand why it could connect to the router's main IP but not every other IP in the LAN.

Thanks anyway,

André


Most likely there was no route advertised from the vpn server to the travel router so the latter didn't know where to send the packets destined to your LAN and they were ending up at the default gateway of the ISP, where they were dropped.

If your problem is solved, feel free to mark the relevant post as the solution; and edit the title to add "[SOLVED]" to the beginning (click the pencil behind the topic).


