Help with firewall rules for external ssh access with pptp endpoint

I've set up a pptp-based VPN with a paid PureVPN account that allows me to get a static IP address with all ports "open" (on their side anyway). I can control what ports are open or if all are open on their side, from my account settings, I chose to open all for this testing session.

pptp is not secure but its job is just to connect the router to the PureVPN server that provides me this static IP address, not to provide any security.

I installed kmod-ipt-raw kmod-pptp kmod-mppe ppp-mod-pptp luci-proto-ppp kmod-nf-nathelper kmod-nf-nathelper-extra and I added this to network config

config interface 'pptp'
        option proto 'pptp'
        option username 'username'
        option password 'password'
        option server 'de-ddos-1.pointtoserver.com'
        option keepalive '1'

This is the firewall wan zone config, with "pptp" interface in the list, plus other interfaces too that are not used at the moment.

config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option network 'wan wan6 tetheringwan LTE_MODEM pptp'
        option masq '1'
        option input 'REJECT'

This testing router is reaching the Internet by connecting its WAN ethernet port to my main router LAN ports (also running OpenWrt, but with none of these changes). This is just a testing setup, I plan to move this config to the main router that is currently connected to the Internet through a Sierra Wireless LTE modem in QMI mode.

I think that the pptp VPN is working, because if I go and disable the firewall in the testing router, (Network -> Firewall -> Zones -> wan "input" set to "accept", "then save & apply") I can connect to its ssh and luci interface by using the public IP assigned to my PureVPN account. I don't think the double (triple?) NAT matters much here as it's going through with a VPN, but I'm no expert.

The problem here is that I'm not able to create a more secure setup by deciding what open ports I want in the OpenWrt firewall of the testing router.
I tried creating a new rule from Luci that allows anything from anything on port 22

config rule
        option dest_port '22'
        option src '*'
        option name 'allow ssh'
        option dest '*'
        option target 'ACCEPT'
        option proto 'tcp udp'

I also tried running commands directly

iptables -I INPUT -p tcp --dport 22 -j ACCEPT

But the firewall is still blocking access.

Currently the only custom rule I'm enforcing with the firewall is required for pptp to work at all and actually connect to the PureVPN server, and I've added it to the /etc/firewall.user

iptables -t raw -A OUTPUT -p tcp --dport 1723 -j CT --helper pptp

Am I missing something?

Your UCI config contains a FORWARD rule while the command is for an INPUT one.
You can temporarily stop the firewall service to localize the issue, adding only the MASQUERADE rule if required.

From your description it could be a routing issue, so test it with traceroute in both directions.
Also use tcpdump or wireshark for troubleshooting.

If you still can't resolve the issue, collect the diagnostic data from the source and destination hosts:

ip a; ip r; ip ru; iptables-save
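The point made in the reply, that a UCI rule carrying a `dest` option is a forward rule and not an input rule, can be checked mechanically before the config is applied. The script below is an added example, not code from this thread or from the OpenWrt project: it parses a UCI firewall fragment (constructed here from the posted zone and `allow ssh` rule), reports which fw3 chain each `config rule` section ends up in, finds which zone the `pptp` interface belongs to, and rewrites the posted rule as an input rule. The rewrite assumes that dropping `dest`, pinning `src` to the zone that contains `pptp` and limiting `proto` to tcp is the intended fix for reaching the router's own ssh port; the chain rules follow fw3's documented behaviour (src and dest set: forward; src only: input; dest only or neither: output).

```python
import re

# Constructed sample (assumption): the posted wan zone and 'allow ssh' rule,
# plus a second rule written the way an input rule has to be written.
SAMPLE_UCI = """\
config zone
        option name 'wan'
        option input 'REJECT'
        option forward 'REJECT'
        option network 'wan wan6 tetheringwan LTE_MODEM pptp'

config rule
        option dest_port '22'
        option src '*'
        option name 'allow ssh'
        option dest '*'
        option target 'ACCEPT'
        option proto 'tcp udp'

config rule
        option name 'allow ssh from wan'
        option src 'wan'
        option proto 'tcp'
        option dest_port '22'
        option target 'ACCEPT'
"""

_SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'?([^']*)'?)?$")
_OPTION_RE = re.compile(r"^(option|list)\s+(\S+)\s+'(.*)'$")


def parse_uci(text):
    """Parse UCI text into a list of sections: {'type', 'name', 'options'}.
    'list' entries accumulate into Python lists; 'option' values are strings."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = {"type": m.group(1), "name": m.group(2), "options": {}}
            sections.append(current)
            continue
        m = _OPTION_RE.match(line)
        if m and current is not None:
            kind, key, value = m.groups()
            if kind == "list":
                current["options"].setdefault(key, []).append(value)
            else:
                current["options"][key] = value
    return sections


def rule_chain(opts):
    """Chain an fw3 'rule' section lands in, decided by which zones it names:
    src+dest -> FORWARD, src only -> INPUT, dest only -> OUTPUT.
    fw3 warns and assumes an output rule when neither zone is given."""
    has_src, has_dest = "src" in opts, "dest" in opts
    if has_src and has_dest:
        return "FORWARD"
    if has_src:
        return "INPUT"
    return "OUTPUT"


def classify_rules(text):
    """Map each rule's 'name' to the chain it really configures."""
    return {s["options"].get("name", "<unnamed>"): rule_chain(s["options"])
            for s in parse_uci(text) if s["type"] == "rule"}


def zone_for_interface(text, iface):
    """Name of the zone whose 'network' list contains iface, or None.
    Handles both 'option network "a b"' and repeated 'list network' lines."""
    for s in parse_uci(text):
        if s["type"] != "zone":
            continue
        nets = s["options"].get("network", [])
        if isinstance(nets, str):
            nets = nets.split()
        if iface in nets:
            return s["options"].get("name")
    return None


def to_input_rule(opts, zone):
    """Rewrite a rule so it matches traffic *to the router* arriving from `zone`:
    drop 'dest' (which made it a forward rule), pin 'src' to the zone, and keep
    only tcp since ssh does not use udp. Returns a new options dict."""
    fixed = {k: v for k, v in opts.items() if k != "dest"}
    fixed["src"] = zone
    fixed["proto"] = "tcp"
    return fixed


def render_rule(opts):
    """Emit a UCI 'config rule' block for the given options."""
    lines = ["config rule"] + [f"\toption {k} '{v}'" for k, v in opts.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    for name, chain in classify_rules(SAMPLE_UCI).items():
        print(f"{name!r}: {chain}")
    zone = zone_for_interface(SAMPLE_UCI, "pptp")
    posted = next(s["options"] for s in parse_uci(SAMPLE_UCI)
                  if s["options"].get("name") == "allow ssh")
    print(render_rule(to_input_rule(posted, zone)))
```

Running it on the posted fragment reports `'allow ssh': FORWARD`, which is why the rule never opened port 22 on the router itself even though the zone's `input` policy is `REJECT`; the rewritten rule lands in INPUT for the wan zone, which is the zone the `pptp` interface is a member of.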

I can't figure this out, but it's not important enough to go through with that.

I can set port forwards to my home server and they work fine, I can access the server's SSH or webserver ports from outside.

If needed I'll have to access the router from there, but it's not something that I'll have to do often if ever.
