I have just set up a VPN tunnel which looks as follows:
- VPS: pfSense with OpenVPN server
- OpenWrt (Archer C7 v4) with OpenVPN client
Now I am trying to forward some ports through the VPN tunnel, RDP for instance. I tried it before with the OpenVPN client installed directly on a Windows VM, and I was able to forward RDP directly to the VPN IP of the Windows VM. Trying the same with the port forwarded to the OpenVPN client on OpenWrt, in order to forward the port further from that device, fails.
What is interesting is that I have full communication working between the VPN server and the VPN client: ping etc. I can also telnet to the ports I have opened on the VPN client IP from the VPN server, but port forwarding doesn't work.
I figured out where the issue is, but still don't know how to solve it.
I should probably add what I am trying to do:
rdp on public IP to VPS (pfsense) -> forwarding to 192.168.15.2 (VPN client IP, OpenWRT box at home) -> forwarding to some windows VM in my LAN
When you connect to the VPN server, it pushes the routes below to the client. Basically it routes all IPv4 addresses through the VPN server's private IP:
0.0.0.0 192.168.15.1 128.0.0.0 UG 0 0 0 tun0
128.0.0.0 192.168.15.1 128.0.0.0 UG 0 0 0 tun0
Then forwarding works.
When you remove the above routes, forwarding doesn't work.
I figured out, by narrowing the subnets and playing with the masks, that what it needs is a route over the VPN server's private IP back to the public IP I am trying to connect from.
VPN Client working routing table (not acceptable for me)
Destination    Gateway       Genmask          Flags Metric Ref Use Iface
default        192.168.15.1  128.0.0.0        UG    0      0   0   tun0
default        192.168.0.1   0.0.0.0          UG    0      0   0   eth0.2
VPN PUBLIC IP  192.168.0.1   255.255.255.255  UGH   0      0   0   eth0.2
128.0.0.0      192.168.15.1  128.0.0.0        UG    0      0   0   tun0
192.168.0.0    *             255.255.255.0    U     0      0   0   eth0.2
192.168.1.0    *             255.255.255.0    U     0      0   0   br-lan
192.168.15.0   *             255.255.255.248  U     0      0   0   tun0
VPN client working routing table with an added route to the public IP I am connecting from (PUBLIC SRC IP)
Destination    Gateway       Genmask          Flags Metric Ref Use Iface
default        192.168.0.1   0.0.0.0          UG    0      0   0   eth0.2
PUBLIC SRC IP  192.168.15.1  255.255.255.255  UGH   0      0   0   tun0
VPN PUBLIC IP  192.168.0.1   255.255.255.255  UGH   0      0   0   eth0.2
192.168.0.0    *             255.255.255.0    U     0      0   0   eth0.2
192.168.1.0    *             255.255.255.0    U     0      0   0   br-lan
192.168.15.0   *             255.255.255.248  U     0      0   0   tun0
Not working config when I enable "route_nopull"
Destination    Gateway       Genmask          Flags Metric Ref Use Iface
default        192.168.0.1   0.0.0.0          UG    0      0   0   eth0.2
VPN PUBLIC IP  192.168.0.1   255.255.255.255  UGH   0      0   0   eth0.2
192.168.0.0    *             255.255.255.0    U     0      0   0   eth0.2
192.168.1.0    *             255.255.255.0    U     0      0   0   br-lan
192.168.15.0   *             255.255.255.248  U     0      0   0   tun0
This is not a suitable solution for me, because it means that every time I want to connect over the VPN server to my LAN, I need to add a route for the specific IP I am connecting from in order for it to work.
Any tricks or advice on how to work around it, please?
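The routing tables above show what is going wrong: the RDP packet enters the OpenWrt box on tun0 with the remote user's public address as its source, but the reply is routed with the main table, so it follows the WAN default route on eth0.2 instead of going back into the tunnel. The usual way to fix that without a per-client host route is policy routing: tag connections that arrive through the tunnel with a connection mark and send marked reply packets through a second routing table whose default route points at the OpenVPN server. The mark is needed (rather than a plain "from 192.168.15.2" rule) because the reverse DNAT on a forwarded reply rewrites the source address after the routing decision has been made, so the reply still carries the LAN VM's address when it is routed. The script below is an added example, not something posted in this thread or shipped with OpenWrt; it assumes the addresses and interface names from the thread (tun0, br-lan, 192.168.15.1), a spare routing table number 100, mark bit 0x1, ip-full for `ip rule`, and an iptables with the CONNMARK target (on OpenWrt that is the iptables-mod-conntrack-extra package). Setting `IP=echo IPT=echo SYSCTL=echo` prints the commands instead of running them, which is how to review the result before applying it on the router.

```shell
#!/bin/sh
# Added example, not from the thread: route replies to tunnel-originated
# connections back through the OpenVPN tunnel on the OpenWrt client.
# All values below are assumptions taken from the thread; adjust as needed.
TUN_IF=${TUN_IF:-tun0}           # OpenVPN client interface
VPN_GW=${VPN_GW:-192.168.15.1}   # OpenVPN server's tunnel address
LAN_IF=${LAN_IF:-br-lan}         # LAN bridge where the forwarded VM lives
TABLE=${TABLE:-100}              # spare routing table (assumed free)
MARK=${MARK:-0x1}                # connmark bit reserved for tunnel traffic
IP=${IP:-ip}                     # set IP=echo to dry-run
IPT=${IPT:-iptables}             # set IPT=echo to dry-run
SYSCTL=${SYSCTL:-sysctl}         # set SYSCTL=echo to dry-run

# 1. Tag every new connection that enters through the tunnel, and copy that
#    tag back onto packets coming from the LAN (the replies). Restoring only
#    on LAN_IF keeps the inbound tunnel packets themselves unmarked, so they
#    still use the main table to reach the LAN after DNAT.
mark_tunnel_connections() {
    $IPT -t mangle -A PREROUTING -i "$TUN_IF" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$MARK/$MARK"
    $IPT -t mangle -A PREROUTING -i "$LAN_IF" \
        -j CONNMARK --restore-mark --nfmask "$MARK" --ctmask "$MARK"
}

# 2. Marked packets consult TABLE, whose only route leads into the tunnel.
#    Priority 100 places the rule ahead of the main-table lookup (32766),
#    so unmarked traffic is unaffected and keeps using the WAN default route.
route_marked_via_tunnel() {
    $IP route replace default via "$VPN_GW" dev "$TUN_IF" table "$TABLE"
    $IP rule add fwmark "$MARK/$MARK" lookup "$TABLE" priority 100
}

# 3. With strict reverse-path filtering the inbound packet on tun0 would be
#    dropped, because the main table says its source lives behind the WAN.
#    Loose mode (2) still requires some route to the source but accepts any
#    interface, which is the right trade-off for an asymmetric tunnel path.
relax_rp_filter() {
    $SYSCTL -w "net.ipv4.conf.$TUN_IF.rp_filter=2"
}

# 4. Undo everything, in reverse order, for testing or when the tunnel drops.
teardown_tunnel_reply_routing() {
    $IP rule del fwmark "$MARK/$MARK" lookup "$TABLE" priority 100
    $IP route flush table "$TABLE"
    $IPT -t mangle -D PREROUTING -i "$LAN_IF" \
        -j CONNMARK --restore-mark --nfmask "$MARK" --ctmask "$MARK"
    $IPT -t mangle -D PREROUTING -i "$TUN_IF" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$MARK/$MARK"
}

# Only act when explicitly asked, so sourcing the file is side-effect free.
case "${1:-}" in
    apply)    mark_tunnel_connections; route_marked_via_tunnel; relax_rp_filter ;;
    teardown) teardown_tunnel_reply_routing ;;
esac
```

Run it as `sh vpn-reply-routing.sh apply` after the tunnel is up (for example from the OpenVPN client's `up` script, or a hotplug.d iface hook) and `teardown` when it goes down; the rules do not survive a reboot by themselves. The CONNMARK approach is also what the policy-routing packages mentioned later in the thread build on, which is why they pull in ipset, iptables-mod-ipopt and ip-full as dependencies.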
I cannot install the vpn-policy-routing package. Nor can I find in the repo the dependencies of the package that I am probably missing. Can anyone help find the link?
According to this I should be able to:
root@OpenWrt:~# opkg install libc ipset iptables resolveip kmod-ipt-ipset iptables-mod-ipopt ip-full
Package libc (1.1.19-1) installed in root is up to date.
Package ipset (6.38-1) installed in root is up to date.
Package iptables (1.6.2-1) installed in root is up to date.
Package resolveip (2) installed in root is up to date.
Package kmod-ipt-ipset (4.9.184-1) installed in root is up to date.
Package iptables-mod-ipopt (1.6.2-1) installed in root is up to date.
Package ip-full (4.16.0-8) installed in root is up to date.
root@OpenWrt:~# opkg install vpn-policy-routing
Unknown package 'vpn-policy-routing'.
Collected errors:
* opkg_install_cmd: Cannot install package vpn-policy-routing.
root@OpenWrt:~#
Have you configured RoutedLans according to the manual above? Why do you need the vpn-policy-routing package? Btw, I can't find it either; the vpnbypass package has been suggested, and freifunk-policyrouting.