My OpenWRT configuration creates a separate Server-LAN (192.168.1.0/24) which I want to FULLY EXPOSE to the internet. I want all servers, all ports and everything opened up to the internet.
Currently I have following zones in my firewall configuration:
I still don't really grasp the functionality of OpenWRT and how to apply my desired changes. In addition, all information and examples that seem relevant to my desired change seem to be done in the terminal rather than through the LuCI interface. Can anybody help me to get my changes done through LuCI? Or maybe somebody knows of a good go-to source of information for my desired change?
You are running only IPv4 there with private IPs, so there is not much you can expose anyway.
You can only add port forwards so that hosts from the internet can reach your servers.
I think the simplest way of achieving this would be to create a VLAN on the port that's connected to that switch, create a firewall zone for it (let's call it exp here), then create two rules to accept everything from exp to wan and from WAN to exp.
Edit: of course this doesn't handle the IPs issue that @trendy mentioned.
Hi, as I understand from these first replies, I realize I might have been too hasty in my description in my initial post.. I intend to proxy incoming internet traffic from my VPN-server through the VPN-client gateway to any server in my Server-LAN and I want to make sure there is nothing in between which could be blocking the traffic.
In the end, I will be facing to learn how to load-balance traffic for which I intend to use HAProxy and since I am still very new to networking, I will be in for a steep learning curve during which I want to reduce as many points-of-failure as I can. I hope to make OpenWRT 'invisible' to any of my other actions on that LAN. I will have no important servers there and I expect to be tearing down and building anew veeeery often, learning as I go. Once I feel confident enough to start closing that network down with firewall rules and such, I will start seeking your advice again, but until then I don't want to bother this forum with too many novice questions..
Searching for "openwrt allow access from internet" produces lots of pages to explain how to access the OpenWRT console/GUI from the internet
"openwrt open lan from internet": same thing + how to set up a wireless guest network
"openwrt create vlan": lots of information there, but most pages assume a typical router with a built-in switch whereas I have an x64 configuration with 2 network cards and I don't even HAVE a "switch" option in my network-menu
"openwrt self hosting webserver lan access": results mainly in pages showing again how to access my router from the internet
And maaaanymanymany more search criteria on forum and google did not help.
I just can't find what to do. Spent most of the day to try and get something to route my internet traffic to my Server-LAN.
Is my use case soooo unusual? Do I need an alternative for this OpenWRT-thing?
I don't get it, will try youtube searches now, maybe find something there....
VPN server is on a cloud server, I set up OpenVPN Access Server myself with client configuration where the client acts as a gateway to my network
VPN client is configured on my OpenWrt box using the OpenWrt client
I want to (reverse-)proxy incoming webserver requests that are incoming on the VPN server through the VPN tunnel to my Server-LAN.
The VPN Server has a static IP address 217.160.xx.yyy
The network is a home-network. My home gateway is available at: 192.168.0.1
I have my OpenWrt box connected to this home gateway with eth1 with IP address: 192.168.0.2 and gateway set to 192.168.0.1
I have my OpenWrt box configured to create a LAN (I call it Server-LAN in the diagram) on the second network card eth0 with IP network 192.168.1.0/24
I confirm that I am able to connect with my client (windows 10 laptop) to my Server-LAN, ipconfig shows my client gets 192.168.1.194
From my client I can browse the internet, so far all outgoing connections seem to work as I expect.
When checking from my client 'what is my IP address' returns my public IP address same as my VPN server IP 217.160.xx.yyy which is also as I expect
For my use case, I have an A-record Domain "testmyopenwrt.myfirewall.org" with IP address 217.160.xx.yyy which I want to (reverse-)proxy from 217.160.xx.yyy to my Server-LAN, for testing say to my laptop at 192.168.1.194. I want to do this without restrictions, no matter if TCP or UDP (I will need UDP in a later stage) and no matter what port, also ICMP protocol should not be blocked and I want to open this for all IP-addresses in that LAN, just fully open my Server-LAN in OpenWrt.
As a first test, when I open a console to my VPN server at 217.160.xx.yyy, although the tunnel is there, I cannot ping my laptop at 192.168.1.194 and get the message 'Destination Port Unreachable'.
I hope this provides sufficient detail, will be glad to add more if needed?
Thanks, cheers, Igor
-edit- PS: For the reverse proxy on my VPN Server I am still undecided, I'm leaning towards HAProxy but may choose to go NGINX instead.
What you want cannot be done with what you have.
You have only one public IP (the 217.160.X.Y) and many private IPs in the LAN.
You can either do 1:1 NAT (or DMZ) where everything from the public IP will be forwarded to only one private IP, or individual DNATs where you can select which protocol/port will be forwarded to which private IP.
If you had IPv6 you could have public IPs all the way and you would do what you want.
Thank you @trendy, this is a clear answer and it explains why I cannot find any how-to for this. I will brace for lots of NAT rules then!
If I understand correctly, DNAT rules allow multiple ports in a single line, would you know if this can contain port ranges or do DNAT rules require each individual port defined?
Thanks again, sorry for my somewhat frustrated communication yesterday; meanwhile I have slept well and today I'm in a much more constructive mindset again..
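As an added example (not a post in this thread and not OpenWrt documentation text), the two shapes trendy describes, a 1:1 DMZ-style redirect and individual DNAT sections, written as /etc/config/firewall sections, with a port range in src_dport since that is what the question above asks about. The zone names wan and lan and the hosts 192.168.1.100 and 192.168.1.201 are assumptions taken from this thread.

```uci
# Added example, not from any post in this thread.
# Assumes the upstream-facing zone is named 'wan' and the Server-LAN zone 'lan'.

# Option A: 1:1 NAT / DMZ. Every inbound connection arriving on the wan address
# that no other redirect claims is sent to one host. 'tcpudp' is the default
# protocol for a redirect, so ICMP (ping) is not covered by this section.
config redirect
	option name 'dmz-server-lan'
	option src 'wan'
	option dest 'lan'
	option dest_ip '192.168.1.100'
	option proto 'tcpudp'
	option target 'DNAT'

# Option B: individual DNAT. src_dport takes a single port or a range written
# as first-last, so a block of ports needs one section, not one per port.
# dest_port is omitted, so the destination port is left unchanged.
config redirect
	option name 'tcp-8000-8100-to-201'
	option src 'wan'
	option src_dport '8000-8100'
	option dest 'lan'
	option dest_ip '192.168.1.201'
	option proto 'tcp'
	option target 'DNAT'

# A UDP service gets its own section with proto 'udp' (or 'tcpudp' for both).
config redirect
	option name 'udp-10000-to-201'
	option src 'wan'
	option src_dport '10000'
	option dest 'lan'
	option dest_ip '192.168.1.201'
	option dest_port '10000'
	option proto 'udp'
	option target 'DNAT'
```

A DMZ section forwards every port to that one host, so any service listening there becomes reachable from whatever can reach the wan address; individual sections limit that to the ports you actually intend to publish.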
yeah, I sensed I should cAsE it correct, OpenWrt. I have not given up on my concept with OpenWrt and made some progress! I removed my OpenVPN client from OpenWrt, so this box is basically just a plain router now, taking care of my Server-LAN (192.168.1.0/24). I fired up a client in this LAN, assigned IPv4 address 192.168.1.2 and configured this as the new OpenVPN client and now this dedicated OpenVPN client acts as the gateway for my whole Server-LAN. My Home-LAN 192.168.0.0/24 is still virtually untouched, unaffected and working just as usual which is most important..
With this setup and without any further ado, I can now (reverse-)proxy ANY incoming requests that are coming in to the OpenVPN Server at 217.160.X.Y to ANY server in my LAN at will and without adding or changing rules in OpenWrt. Basically I'm piercing my VPN tunnel THROUGH the OpenWrt router instead of FROM the router and this works as I intended!
The drawback: I bought my OpenWrt box carefully to support AES-encryption for my VPN traffic and this is now basically bypassed. Also it costs added resources for the VPN client machine which I had not anticipated. I will now pursue a trial to see if I can manage to set up a virtual machine on the OpenWrt box and see if I can get that to work instead of a dedicated machine in the network.
This is all very heavy lifting for me though as I am really novice to networking, VPN and Linux in general. I might be back in a separate new post asking for some help and support, or -if I get this solved- I will post the solution that works for me..
I am still intrigued about the OpenWrt-thing, but I have to thing-it and will see how to wing it!
I have removed all traces from my initial OpenVPN client configuration (removed tun0 interface and zone 'VPN_zone'), now the OpenWrt box serves my Server-LAN (192.168.1.0/24) directly through the wan interface 192.168.0.2.
Proof of Concept: (working as desired)
In Server-LAN, I have an OpenVPN box 192.168.1.100 which connects to the OpenVPN Access Server 217.160.xx.yyy (fixed IPv4 on the internet). The client is configured as a VPN client-gateway for network 192.168.1.0/24. I have a webserver in the same Server-LAN on 192.168.1.201 serving the default webserver testpage.
On the OpenVPN AS 217.160.xx.yyy I have NGINX running with:
I can fire up any amount of new webservers and access those with a corresponding NGINX serverblock on the OpenVPN AS without the need to add any NAT rules or such on OpenWrt.
I will explore and learn how to set up a load-balanced and scalable videoconferencing solution using the open-source solution Jitsi Meet..
Consider it a test-bed. I'm using my home-connection and some private infrastructure with the VPN tunnel as a necessary 'evil' since I'm double-NATted behind a Carrier Grade Network (this is how my ISP hooks me up to the internet). Over time and with more knowledge (and sufficient budget), I may consider alternative service provider options.
This is something you could do with your previous setup. You can move the OpenVPN endpoint to the OpenWrt and nothing will change in the way you can communicate from the internet.
But anyway it is not the same as your initial demand:
Here in the best case you can have multiple web servers, but for almost everything else you can have one port DNAT to an internal server/port.
I thought that I really know how important good communication is, especially about being clear and specific when asking technical questions. I was not clear, or at least not specific indeed!
As to my previous setup: are you sure I would be able to reverse-proxy same as with my shown NGINX example to my webservers in the Server-LAN? In my current 'proof-of-concept' setup I can ping my servers in the Server-LAN from my OpenVPN AS and -if I remember correctly- I tried that also in my previous setup but it failed. Is that such an example where I would need DNAT rules for ICMP?
As an example, I just tried in an ssh-session (ssh as root to my OpenVPN AS) to ssh into 192.168.1.201 which works. So currently I can ping and I can also ssh into my Server-LAN from my VPN server, would I also be able to do this in my previous setup?