I've set up a pptp-based VPN with a paid PureVPN account that allows me to get a static IP address with all ports "open" (on their side anyway). I can control which ports are open, or whether all are open, on their side from my account settings; I chose to open all for this testing session.
pptp is not secure but its job is just to connect the router to the PureVPN server that provides me this static IP address, not to provide any security.
I installed kmod-ipt-raw kmod-pptp kmod-mppe ppp-mod-pptp luci-proto-ppp kmod-nf-nathelper kmod-nf-nathelper-extra and I added this to the network config:

config interface 'pptp'
	option proto 'pptp'
	option username 'username'
	option password 'password'
	option server 'de-ddos-1.pointtoserver.com'
	option keepalive '1'
This is the firewall wan zone config, with the "pptp" interface in the list, plus other interfaces that are not used at the moment:

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option network 'wan wan6 tetheringwan LTE_MODEM pptp'
	option masq '1'
	option input 'REJECT'
This testing router is reaching the Internet by connecting its WAN ethernet port to my main router's LAN ports (also running OpenWrt, but with none of these changes). This is just a testing setup; I plan to move this config to the main router that is currently connected to the Internet through a Sierra Wireless LTE modem in QMI mode.

I think that the pptp VPN is working, because if I disable the firewall in the testing router (Network -> Firewall -> Zones -> wan "input" set to "accept", then save & apply), I can connect to its ssh and luci interface by using the public IP assigned to my PureVPN account. I don't think the double (triple?) NAT matters much here as it's going through a VPN, but I'm no expert.
The problem here is that I'm not able to create a more secure setup by deciding what open ports I want in the OpenWrt firewall of the testing router.
I tried creating a new rule from Luci that allows anything from anything on port 22:

config rule
	option dest_port '22'
	option src '*'
	option name 'allow ssh'
	option dest '*'
	option target 'ACCEPT'
	option proto 'tcp udp'
I also tried running commands directly:
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
But the firewall is still blocking access.
Currently the only custom rule I'm enforcing with the firewall is required for pptp to work at all and actually connect to the PureVPN server, and I've added it to /etc/firewall.user:
iptables -t raw -A OUTPUT -p tcp --dport 1723 -j CT --helper pptp
Am I missing something?
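For comparison, here is the shape of an input-only SSH rule in OpenWrt's UCI firewall syntax. This is an added example from the editor, not config from the original post. In fw3, a rule that carries an option dest (even '*') is applied to forwarded traffic, while a rule with only a src zone is applied to traffic addressed to the router itself, which is what reaching ssh and luci requires. The zone name wan, port 22 and tcp come from the post; the rule name is arbitrary, and the src_ip address is a placeholder from the documentation range.

```uci
# Added example (not from the original post): an input rule for SSH on the wan zone,
# which in this setup also covers traffic arriving over the pptp interface.
# Leaving out "option dest" makes fw3 treat this as an INPUT rule (traffic to the
# router itself); a rule with dest set, even '*', goes to the FORWARD chain instead.
config rule
	option name 'allow ssh from wan'
	option src 'wan'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'
	# Optional tightening (placeholder address): only accept from one known client.
	# option src_ip '203.0.113.10'
```

After editing /etc/config/firewall, apply it with /etc/init.d/firewall reload. Note that fw3 also rebuilds its rule set when an interface comes up or goes down, which discards rules inserted by hand with iptables -I; rules that must survive a reload belong in /etc/firewall.user, as the pptp helper rule above already does.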