Checkpoint VPN client to connect to company site

Hi Community,
The following strange thing happens... I am not sure if this is reasonable in OpenWrt or not, but it smells a bit like it :slight_smile:

On the client (Windows) I am using the Checkpoint VPN client. I create a site with the public DNS name of the company's VPN server and connect. Works. But! The next day, or on every reconnect, it doesn't work because the software changes the IP of the VPN server, which was correct the first time, to the one of my gateway router with OpenWrt on it.
Then the company IT says "enable VPN Passthrough", but I cannot find any matching article which describes it.

My Hardware: MikroTik RouterBOARD 750Gr3
Software: OpenWrt 22.03.5 r20134-5f15225c1e / LuCI openwrt-22.03 branch git-23.093.57104-ce20b4a

Maybe you have an Idea?
Thanks in advance

Can you try?

opkg update
opkg install kmod-nf-nathelper-extra

Also, you should plan to upgrade to OpenWrt 23.05, as 22.03 is almost EOL; this is the last month of support.

OK, installed and tested. No change.

OK, thanks. About upgrading I am, let's say, a bit unsure. Which way would you prefer?

That really doesn't sound OpenWrt related. Also, VPN passthrough is now included by default.
Does the VPN client work if you use a different internet source, like a mobile phone hotspot?
EDIT: Also, do you happen to have any ad-blocking software installed in your network (especially on the OpenWrt gateway)?

I just used my mobile with tethering to connect to the internet. Connect and reconnect was successful every time.
So, of course I have an ad-blocker on my local net :slight_smile: I will disable that now and try again.


Disabled the ad-blocker on the local network and using the OpenWrt as the internet gateway. Same problem as before.

So it seems something on the router needs to be configured.

Do you have some log traces that indicate that?

Couldn't fetch logs right now, but I can see that the first time when connecting, the public IP of the VPN is showing in the configuration of the Checkpoint client. After disconnect and reconnect it shows me the IP of the default gateway.

Sounds to me like something with NAT or similar. Maybe a setting on the VPN server itself.

Checked the log files of the VPN client. But it only shows that at some point the correct IP changes to the router's local IP:
:gw-ipaddr (192.168.1.1)
:vpnd_ipaddr (192.168.1.1)

Maybe the VPN subnet is 192.168.1.1, which collides with your OpenWrt subnet?

I assume this is a routed VPN which needs to be on a different subnet.

I have no experience with Checkpoint's VPN, so just a long shot, but maybe change the router's IP address to something different, e.g. 192.168.27.1?

Make a backup before doing this so that you can go back.

But I would upgrade first as already stated by @maurer
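A quick way to test the subnet-collision theory from the post above, as an added example (not the poster's own code): a POSIX shell check whether two IPv4 prefixes overlap. The LAN side uses the router address 192.168.1.1/24 from the thread; the VPN-side prefix is a constructed assumption since the thread never states it.

```shell
#!/bin/sh
# Added example: detect whether two IPv4 subnets overlap (e.g. LAN vs. VPN range).
# Inputs are "a.b.c.d/prefix"; a bare address is treated as /32.

ip_to_int() {
    # Convert a dotted quad to a 32-bit integer.
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

prefix_of() {
    # Return the prefix length, or 32 when none is given.
    case $1 in */*) echo "${1#*/}" ;; *) echo 32 ;; esac
}

net_of() {
    # Network number of addr/prefix as an integer.
    addr=${1%/*}
    prefix=$(prefix_of "$1")
    mask=$(( prefix == 0 ? 0 : (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    echo $(( $(ip_to_int "$addr") & mask ))
}

overlaps() {
    # Two prefixes overlap iff they agree on the shorter of the two prefix lengths.
    p1=$(prefix_of "$1"); p2=$(prefix_of "$2")
    if [ "$p1" -lt "$p2" ]; then p=$p1; else p=$p2; fi
    n1=$(net_of "${1%/*}/$p"); n2=$(net_of "${2%/*}/$p")
    [ "$n1" -eq "$n2" ]
}

# Constructed scenario: router LAN from the thread vs. an assumed VPN range.
LAN="192.168.1.1/24"
VPN_ASSUMED="192.168.1.0/24"     # assumption, not from the thread
if overlaps "$LAN" "$VPN_ASSUMED"; then
    echo "collision: $LAN overlaps $VPN_ASSUMED - consider moving the LAN"
else
    echo "no overlap between $LAN and $VPN_ASSUMED"
fi
```

Run it with the real VPN range once it is known from the client's logs; a non-overlapping LAN such as 192.168.27.0/24 makes the check report no overlap.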

Yes, make a backup of OpenWrt, then upgrade to the latest 23.05.3.

OK, will do the upgrade. Will checking "keep settings" be OK in this case?

It should work, but make sure you also have the external backup, just in case...


I just need to wait till my wife finishes work.... :wink:


Just did the upgrade. Reinstalled the kmod-nf-nat.....
Unfortunately the same behaviour.
Is there anything else to do for enabling the VPN passthrough?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

What I can deduce from your settings:
You have a zyxel modem in bridge mode, so presumably you have a public IP.
You have PPPoE VLAN7
You have set a one-to-one NAT for managing the Zyxel on 192.168.100.1 from 192.168.1.51
You are hosting a WireGuard server on a Pi

That is all fine and dandy

But you also seem to have OpenVPN in bridge (tap) mode, which could interfere.


Thanks. I fixed the entry. Unfortunately the internet has been down for a couple of days, so the test must wait.

Br
Jens


Unfortunately still no solution.