weasel
May 28, 2020, 12:45pm
22
This is my firewall conf.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan VPN'
list device 'tun0'
config zone 'wan'
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
option masq '1'
config forwarding 'lan_wan'
option src 'lan'
option dest 'wan'
This is my network conf.
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.2.1'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 0t'
config interface 'VPN'
option ifname 'tun0'
option proto 'none'
Could you please tell me there is a problem?
OK, example is not good, to my mind.
Please, remove string containing device from /etc/config/firewall
Can you access router itself by ssh, LuCI from VPN-client?
trendy
May 28, 2020, 2:45pm
24
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
uci export openvpn; head -n -0 /etc/openvpn/*.conf; head -n -0 /etc/openvpn/*.ovpn; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
Also post the configuration for OpenVPN client.
mk24
May 28, 2020, 5:46pm
25
Yes, in /etc/config/network, make a "dummy" network to associate an OpenWrt network name with the VPN tunnel:
config interface 'vpn'
option ifname 'tun0'
option proto noneThen add network 'vpn' to the firewall lan zone, since everyone in the vpn is trusted and allowed to reach LAN devices.
weasel
May 31, 2020, 7:39pm
26
package openvpn
config openvpn 'custom_config'
option config '/etc/openvpn/my-vpn.conf'
config openvpn 'sample_server'
option port '1194'
option dev 'tun'
option ca '/etc/openvpn/ca.crt'
option server '192.168.7.0 255.255.255.0'
option ifconfig_pool_persist '/tmp/ipp.txt'
option keepalive '10 120'
option compress 'lzo'
option persist_key '1'
option persist_tun '1'
option user 'nobody'
option status '/tmp/openvpn-status.log'
option verb '3'
option dh '/etc/openvpn/dh.pem'
option client_to_client '1'
option enabled '1'
option client_config_dir '/etc/openvpn/ccd'
option tls_server '1'
option cert '/etc/openvpn/antakalnis.crt'
option key '/etc/openvpn/antakalnis.key'
option tls_crypt '/etc/openvpn/ta.key'
list route '192.168.8.0 255.255.255.0'
list push 'route 192.168.2.0 255.255.255.0'
config openvpn 'sample_client'
option client '1'
option dev 'tun'
option proto 'udp'
list remote 'my_server_1 1194'
option resolv_retry 'infinite'
option nobind '1'
option persist_key '1'
option persist_tun '1'
option user 'nobody'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/client.crt'
option key '/etc/openvpn/client.key'
option compress 'lzo'
option verb '3'
*************
# Generated by iptables-save v1.8.3 on Sun May 31 22:32:40 2020
*nat
:PREROUTING ACCEPT [136424:15421189]
:INPUT ACCEPT [10416:1082377]
:OUTPUT ACCEPT [11311:1156757]
:POSTROUTING ACCEPT [1180:315581]
:postrouting_VPN_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_VPN_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_VPN_postrouting - [0:0]
:zone_VPN_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[136424:15421189] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[78214:13020915] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[104:6696] -A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_lan_prerouting
[58106:2393578] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[67288:4793509] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[1067:306936] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[109:8361] -A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_lan_postrouting
[66108:4477928] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A zone_VPN_postrouting -m comment --comment "!fw3: Custom VPN postrouting rule chain" -j postrouting_VPN_rule
[0:0] -A zone_VPN_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_VPN_prerouting -m comment --comment "!fw3: Custom VPN prerouting rule chain" -j prerouting_VPN_rule
[1176:315297] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[78318:13027611] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[66108:4477928] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[66108:4477928] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[58106:2393578] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Sun May 31 22:32:40 2020
# Generated by iptables-save v1.8.3 on Sun May 31 22:32:40 2020
*mangle
:PREROUTING ACCEPT [2572228:1954324256]
:INPUT ACCEPT [355723:268585511]
:FORWARD ACCEPT [2186880:1676721119]
:OUTPUT ACCEPT [253030:25823440]
:POSTROUTING ACCEPT [2437409:1702388281]
[13151:805300] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sun May 31 22:32:40 2020
# Generated by iptables-save v1.8.3 on Sun May 31 22:32:41 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_VPN_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_VPN_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_VPN_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_VPN_dest_ACCEPT - [0:0]
:zone_VPN_forward - [0:0]
:zone_VPN_input - [0:0]
:zone_VPN_output - [0:0]
:zone_VPN_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[347:46096] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[355380:268539623] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[244862:261483708] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[17481:738436] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[43067:4280121] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_lan_input
[67451:2775794] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[2186880:1676721119] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[2139132:1672985907] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[47557:3722948] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[191:12264] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[347:46096] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[252687:25778256] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[238929:23957207] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[3121:952960] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_lan_output
[10637:868089] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[26738:1113864] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[40476:1651306] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[17481:738436] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_VPN_forward -m comment --comment "!fw3: Custom VPN forwarding rule chain" -j forwarding_VPN_rule
[0:0] -A zone_VPN_forward -m comment --comment "!fw3: Zone VPN to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_VPN_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_VPN_forward -m comment --comment "!fw3" -j zone_VPN_dest_ACCEPT
[0:0] -A zone_VPN_input -m comment --comment "!fw3: Custom VPN input rule chain" -j input_VPN_rule
[0:0] -A zone_VPN_input -p tcp -m tcp --sport 80 --dport 80 -m comment --comment "!fw3: allow luci" -j ACCEPT
[0:0] -A zone_VPN_input -p udp -m udp --sport 80 --dport 80 -m comment --comment "!fw3: allow luci" -j ACCEPT
[0:0] -A zone_VPN_input -p tcp -m tcp --sport 22 --dport 22 -m comment --comment "!fw3: allow ssh" -j ACCEPT
[0:0] -A zone_VPN_input -p udp -m udp --sport 22 --dport 22 -m comment --comment "!fw3: allow ssh" -j ACCEPT
[0:0] -A zone_VPN_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_VPN_input -m comment --comment "!fw3" -j zone_VPN_src_ACCEPT
[0:0] -A zone_VPN_output -m comment --comment "!fw3: Custom VPN output rule chain" -j output_VPN_rule
[0:0] -A zone_VPN_output -m comment --comment "!fw3" -j zone_VPN_dest_ACCEPT
[3312:965224] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[263:25415] -A zone_lan_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
[47748:3735212] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[47748:3735212] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[454:37679] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to VPN forwarding policy" -j zone_VPN_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[454:37679] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[43067:4280121] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[43067:4280121] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[3121:952960] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[3121:952960] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[43067:4280121] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[2501:156278] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[55430:4409344] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[67451:2775794] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[189:6946] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[48:3678] -A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[67214:2765170] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[10637:868089] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[10637:868089] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[67214:2765170] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sun May 31 22:32:41 2020
****************
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
valid_lft forever preferred_lft forever
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet xxxxxx/18 brd xxxxxxx scope global eth0.2
valid_lft forever preferred_lft forever
11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
inet 192.168.7.1 peer 192.168.7.2/32 scope global tun0
valid_lft forever preferred_lft forever
*******************
ip -4 ro li tab all
default via xxxxx dev eth0.2 src xxxxxx
xxxx/18 dev eth0.2 scope link src xxxxxxx
192.168.2.0/24 dev br-lan scope link src 192.168.2.1
192.168.7.0/24 via 192.168.7.2 dev tun0
192.168.7.2 dev tun0 scope link src 192.168.7.1
192.168.8.0/24 via 192.168.7.2 dev tun0
broadcast xxxxx dev eth0.2 table local scope link src xxxxx
local xxxx dev eth0.2 table local scope host src xxxx
broadcast xxxxx dev eth0.2 table local scope link src xxxx
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 192.168.2.0 dev br-lan table local scope link src 192.168.2.1
local 192.168.2.1 dev br-lan table local scope host src 192.168.2.1
broadcast 192.168.2.255 dev br-lan table local scope link src 192.168.2.1
local 192.168.7.1 dev tun0 table local scope host src 192.168.7.1
# ip -4 ru
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
root@AntakalnisRTR:~#
weasel
May 31, 2020, 8:18pm
27
I did as you told me, but its not working. Now routing between routers is not possible at all.
uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fddd:5b84:13da::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.2.1'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='2 3 4 5 0t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='1 0t'
network.vpn=interface
network.vpn.ifname='tun0'
network.vpn.proto='none'
root@AntakalnisRTR:~#
root@AntakalnisRTR:~#
root@AntakalnisRTR:~#
root@AntakalnisRTR:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.lan.network='lan VPN vpn'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.network='wan' 'wan6'
firewall.wan.input='REJECT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.mtu_fix='1'
firewall.wan.masq='1'
firewall.lan_wan=forwarding
firewall.lan_wan.src='lan'
firewall.lan_wan.dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.ovpn=rule
firewall.ovpn.name='Allow-OpenVPN'
firewall.ovpn.src='wan'
firewall.ovpn.dest_port='1194'
firewall.ovpn.proto='udp'
firewall.ovpn.target='ACCEPT'
firewall.@rule[10]=rule
firewall.@rule[10].dest_port='80'
firewall.@rule[10].src='VPN'
firewall.@rule[10].name='allow luci'
firewall.@rule[10].target='ACCEPT'
firewall.@rule[10].src_port='80'
firewall.@rule[11]=rule
firewall.@rule[11].dest_port='22'
firewall.@rule[11].src='VPN'
firewall.@rule[11].name='allow ssh'
firewall.@rule[11].target='ACCEPT'
firewall.@rule[11].src_port='22'
krazeh
May 31, 2020, 8:24pm
28
Have you considered giving up with OpenVPN and trying Wireguard (if it's supported by both ends)?
weasel
May 31, 2020, 8:29pm
29
i am quite sure, i'm missing only some detail to make it work. However if i could get step-by-step manual and it is possible to use same security level site-to-site vpn with mobile clients... it would be worth to try...
krazeh
May 31, 2020, 8:40pm
30
Assuming you're using OpenWRT on both routers you'll need to install wireguard and luci-app-wireguard (if you're using luci). You can then create public and private keys by running wg genkey | tee privkey | wg pubkey > pubkey in the terminal. That'll give you two files 'privkey' and 'pubkey' containing the relevant keys.
If both routers are connected directly to the internet, i.e. they have a public IP, then do the following -
Using the subnets you posted earlier:
On OpenWRT router in 192.168.2.0/24 subnet (Site A) add the following to /etc/config/network (or you can use luci to create a new wireguard interface. If you do then "interface 'vpn'" goes into the interface details, 'wireguard_vpn' goes into peers)
config interface 'vpn'
option proto 'wireguard'
option private_key '###Private key for site A###'
option listen_port '51820'
config wireguard_vpn
option public_key '###Public key for site B###'
option description 'Site B'
list allowed_ips '192.168.8.0/24'
option route_allowed_ips '1'
option persistent_keepalive '25'
option endpoint_host 'IP or hostname for other site'
option endpoint_port '51820'
On router in 192.168.8.0/24 subnet (Site B).
config interface 'vpn'
option proto 'wireguard'
option private_key '###Private key for site B###'
option listen_port '51820'
config wireguard_vpn
option public_key '###Public key for site A###'
option description 'Site A'
list allowed_ips '192.168.2.0/24'
option route_allowed_ips '1'
option persistent_keepalive '25'
option endpoint_host 'IP or hostname for other site'
option endpoint_port '51820'
Add appropriate keys to the relevant configs.
On the OpenWRT routers add the VPN interfaces to the lan zone in the firewall and create a port forward to allow 51820 to the router.
That should get your site to site VPN up. Test to see if that works, if there's no issues then we can easily add mobile clients.
The topic is not about wireguard.
Please, paste contents of /etc/config/network, and /etc/config/firewall I can't read it, unlike @trendy
weasel
May 31, 2020, 8:47pm
33
Here it is:
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fddd:5b84:13da::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.2.1'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 0t'
config interface 'vpn'
option ifname 'tun0'
option proto 'none'
================= Firewall config ============
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan VPN vpn'
config zone 'wan'
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
option masq '1'
config forwarding 'lan_wan'
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config rule 'ovpn'
option name 'Allow-OpenVPN'
option src 'wan'
option dest_port '1194'
option proto 'udp'
option target 'ACCEPT'
config rule
option dest_port '80'
option src 'VPN'
option name 'allow luci'
option target 'ACCEPT'
option src_port '80'
config rule
option dest_port '22'
option src 'VPN'
option name 'allow ssh'
option target 'ACCEPT'
option src_port '22'
Create additional zone for vpn. I've written already.
trendy
May 31, 2020, 9:00pm
35
No wonder, it takes some brain to do that.
Sorry, I prefer not to use my brain where I can.
weasel
May 31, 2020, 9:07pm
37
Here it is:
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone 'wan'
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
option masq '1'
config forwarding 'lan_wan'
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config rule
option dest_port '80'
option src 'VPN'
option name 'allow luci'
option target 'ACCEPT'
option src_port '80'
config rule
option dest_port '22'
option src 'VPN'
option name 'allow ssh'
option target 'ACCEPT'
option src_port '22'
config zone
option name 'vpn'
option input 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
option output 'ACCEPT'
trendy
May 31, 2020, 9:10pm
38
Are you sure that both routes are pushed and installed to the client?
Remove string containing masq, and add forwarding from vpn to lan.
After that initially try to connect to router itself by SSH, LuCI from PC running OpenVPN-client.
weasel
May 31, 2020, 9:38pm
41
Now i can ping from server router 192.168.2.1 router => client 192.168.8.1 router and LAN behind it. But i cannot ssh it. I still cannot ping client LAN from server LAN or from mobile client.
config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config forwarding
option dest 'lan'
option src 'vpn'
