Firewall routing/VPN (rpi)

Hey everyone,

I spent the whole day yesterday trying to figure this one out via Google and YouTube, but I just can't get there.

I'm starting out with OpenWrt on a Raspberry Pi 3+. I've installed OpenWrt, installed OpenVPN and connected to the server successfully (curl via SSH confirms that). I've set up my wireless network and can connect to it fine.

As this is an rpi, I'm starting out with a LAN interface only. It is br-lan, DHCP, with eth0 and wlan0, in the firewall zone lan.

As Google tells me, I have created a new unmanaged interface using tun0 and called it VPN.
I assigned it a newly created firewall zone vpnfw, with covered network VPN and forwarding allowed from source lan.

Connecting to the wireless network, it shows my real IP, as if the firewall zone is not functioning. I really don't know what I'm doing wrong here, as I can see the VPN is working fine on the Pi itself. I've tried solving this one on my own but I can't get it done... I appreciate any help; please let me know if posting any configuration files will help.

Note that I'm mostly trying to stick to LuCI for this, but I can deal with SSH as well.

Thanks!

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*

Sure, here's the output :slight_smile:

package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd36:c15a:8fbf::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'dhcp'

config interface 'VPN'
	option ifname 'tun0'
	option proto 'none'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'platform/soc/3f300000.mmc/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
	option htmode 'VHT80'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'OpenWrt'
	option network 'lan'
	option key 'XXXXXXXXXXX'
	option encryption 'psk2'

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'
	list server '1.1.1.1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option input 'ACCEPT'
	option name 'vpnfw'
	option output 'ACCEPT'
	option masq '1'
	option forward 'ACCEPT'
	list device 'tun0'
	option mtu_fix '1'
	option network 'VPN'

config forwarding
	option dest 'vpnfw'
	option src 'lan'

config forwarding
	option dest 'wan'
	option src 'lan'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.3 on Sat Jun  6 16:59:43 2020
*nat
:PREROUTING ACCEPT [1253:410725]
:INPUT ACCEPT [138:9242]
:OUTPUT ACCEPT [56:3865]
:POSTROUTING ACCEPT [25:1602]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpnfw_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpnfw_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpnfw_postrouting - [0:0]
:zone_vpnfw_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[1253:410725] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[1253:410725] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpnfw_prerouting
[56:3865] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[20:1252] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[31:2263] -A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpnfw_postrouting
[20:1252] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[1253:410725] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[31:2263] -A zone_vpnfw_postrouting -m comment --comment "!fw3: Custom vpnfw postrouting rule chain" -j postrouting_vpnfw_rule
[31:2263] -A zone_vpnfw_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_vpnfw_prerouting -m comment --comment "!fw3: Custom vpnfw prerouting rule chain" -j prerouting_vpnfw_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Sat Jun  6 16:59:43 2020
# Generated by iptables-save v1.8.3 on Sat Jun  6 16:59:43 2020
*mangle
:PREROUTING ACCEPT [2513:638096]
:INPUT ACCEPT [1398:236613]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [747:266187]
:POSTROUTING ACCEPT [747:266187]
[0:0] -A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone vpnfw MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sat Jun  6 16:59:43 2020
# Generated by iptables-save v1.8.3 on Sat Jun  6 16:59:43 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpnfw_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpnfw_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpnfw_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpnfw_dest_ACCEPT - [0:0]
:zone_vpnfw_forward - [0:0]
:zone_vpnfw_input - [0:0]
:zone_vpnfw_output - [0:0]
:zone_vpnfw_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[80:7560] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[1318:229053] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[598:80262] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[53:3360] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[720:148791] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpnfw_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpnfw_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[80:7560] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[671:259603] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[620:256088] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[20:1252] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[31:2263] -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpnfw_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[53:3360] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[20:1252] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to vpnfw forwarding policy" -j zone_vpnfw_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[720:148791] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[720:148791] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[20:1252] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[20:1252] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[720:148791] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpnfw_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[31:2263] -A zone_vpnfw_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpnfw_forward -m comment --comment "!fw3: Custom vpnfw forwarding rule chain" -j forwarding_vpnfw_rule
[0:0] -A zone_vpnfw_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_vpnfw_forward -m comment --comment "!fw3" -j zone_vpnfw_dest_ACCEPT
[0:0] -A zone_vpnfw_input -m comment --comment "!fw3: Custom vpnfw input rule chain" -j input_vpnfw_rule
[0:0] -A zone_vpnfw_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_vpnfw_input -m comment --comment "!fw3" -j zone_vpnfw_src_ACCEPT
[31:2263] -A zone_vpnfw_output -m comment --comment "!fw3: Custom vpnfw output rule chain" -j output_vpnfw_rule
[31:2263] -A zone_vpnfw_output -m comment --comment "!fw3" -j zone_vpnfw_dest_ACCEPT
[0:0] -A zone_vpnfw_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
COMMIT
# Completed on Sat Jun  6 16:59:43 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.204/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    inet 10.74.10.6 peer 10.74.10.5/32 scope global tun0
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.74.10.5 dev tun0 
default via 192.168.1.1 dev br-lan  src 192.168.1.204 
10.74.10.1 via 10.74.10.5 dev tun0 
10.74.10.5 dev tun0 scope link  src 10.74.10.6 
128.0.0.0/1 via 10.74.10.5 dev tun0 
185.220.70.147 via 192.168.1.1 dev br-lan 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.204 
local 10.74.10.6 dev tun0 table local scope host  src 10.74.10.6 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local scope link  src 192.168.1.204 
local 192.168.1.204 dev br-lan table local scope host  src 192.168.1.204 
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.204 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
lrwxrwxrwx    1 root     root            16 May 16 18:32 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Jun  6 16:55 /tmp/resolv.conf
-rw-r--r--    1 root     root            50 Jun  6 16:55 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface lan
nameserver 192.168.1.2
search lan

The problem here is that when your wifi clients connect they get their DHCP settings from the ISP router, not from OpenWrt, because the wifi is bridged with the LAN (and your lan interface is itself a DHCP client of the ISP router, see `option proto 'dhcp'`). So they use the ISP router as their gateway rather than OpenWrt, which is what would route them via the VPN.
I think the easiest solution is to:

  1. Assign static IP/mask on the OpenWrt
  2. Disable DHCP server on ISP router.
    Then all clients will use the VPN as their gateway. If you don't want all of them to use it, you can use DHCP tags.

That makes sense now, thank you :smiley:

Disabling DHCP on the ISP router won't be an option, so I'll need to go through option 1.
So I'd need to unbridge the wifi from the bridged lan interface, then create a new interface for the wifi and give it a static IP?

These are not options, they are steps.
If you cannot or don't want to disable DHCP on the ISP router, then you have to remove the bridge, create a new wifi interface with its own zone in the firewall, and allow forwarding from the wifi zone to the vpnfw zone.
You may also want to clean up the OpenWrt configuration by removing any references to the wan interface and zone.


I'll give that a go tonight, thank you so far! :slight_smile:


Thank you mate, I got a working VPN connection over both wifi and the USB Ethernet adapter :slight_smile:

