How can I open-up VLAN to internet fully - Using LUCI GUI

I think the simplest way of achieving this would be to create a VLAN on the port that's connected to that switch, create a firewall zone for it (let's call it exp here), then create two rules to accept everything from exp to wan and from wan to exp.

Edit: of course this doesn't handle the IPs issue that @trendy mentioned.

2 Likes

Hi, as I understand from these first replies, I realize I might have been too hasty in my description in my initial post. I intend to proxy incoming internet traffic from my VPN server through the VPN client gateway to any server in my Server-LAN and I want to make sure there is nothing in between which could be blocking the traffic.

In the end, I will be facing to learn how to load-balance traffic, for which I intend to use HAProxy, and since I am still very new to networking, I will be in for a steep learning curve during which I want to reduce as many points of failure as I can. I hope to make OpenWRT 'invisible' to any of my other actions on that LAN. I will have no important servers there and I expect to be tearing down and building anew veeeery often, learning as I go. Once I feel confident enough to start closing that network down with firewall rules and such, I will start seeking your advice again, but until then I don't want to bother this forum with too many novice questions. :wink:

Searching for "openwrt allow access from internet" produces lots of pages explaining how to access the OpenWRT console/GUI from the internet.
"openwrt open lan from internet": same thing, plus how to set up a wireless guest network.
"openwrt create vlan": lots of information there, but most pages assume a typical router with a built-in switch, whereas I have an x64 configuration with 2 network cards and I don't even HAVE a "switch" option in my network menu.
"openwrt self hosting webserver lan access" results mainly in pages showing again how to access my router from the internet.

And maaaanymanymany more search criteria on forum and google did not help.

I just can't find what to do. I spent most of the day trying to get something to route my internet traffic to my Server-LAN.

Is my usecase soooo unusual? Do I need an alternative for this OpenWRT-thing?

I don't get it, will try youtube searches now, maybe find something there....

You're not being clear:

  • Where is the VPN server?
  • Where is the VPN client?
  • Do you mean proxy, or route traffic to/from your VPN client?
1 Like

Hi,

  • The VPN server is on a cloud server; I set up OpenVPN Access Server myself with a client configuration where the client acts as a gateway to my network.
  • The VPN client is configured on my OpenWrt box using the OpenWrt client.
  • I want to (reverse-)proxy webserver requests that arrive on the VPN server through the VPN tunnel to my Server-LAN.

The VPN server has a static IP address 217.160.xx.yyy.
The network is a home network. My home gateway is available at 192.168.0.1.
I have my OpenWrt box connected to this home gateway with eth1 with IP address 192.168.0.2 and gateway set to 192.168.0.1.
I have my OpenWrt box configured to create a LAN (I call it Server-LAN in the diagram) on the second network card eth0 with IP network 192.168.1.0/24.

I confirm that I am able to connect with my client (Windows 10 laptop) to my Server-LAN; ipconfig shows my client gets 192.168.1.194.
From my client I can browse the internet, so far all outgoing connections seem to work as I expect.
When checking from my client, 'what is my IP address' returns my public IP address, the same as my VPN server IP 217.160.xx.yyy, which is also as I expect.

For my use case, I have an A-record domain "testmyopenwrt.myfirewall.org" with IP address 217.160.xx.yyy which I want to (reverse-)proxy from 217.160.xx.yyy to my Server-LAN, for testing say to my laptop at 192.168.1.194. I want to do this without restrictions, no matter if TCP or UDP (I will need UDP in a later stage) and no matter what port; also the ICMP protocol should not be blocked, and I want to open this for all IP addresses in that LAN, just fully open my Server-LAN in OpenWrt.

As a first test, I open a console to my VPN server at 217.160.xx.yyy; although the tunnel is there, I cannot ping my laptop at 192.168.1.194, with the message 'Destination Port Unreachable'.

I hope this provides sufficient detail, will be glad to add more if needed?

Thanks, cheers, Igor

-edit- PS: For the reverse proxy on my VPN server I am still undecided; I'm leaning towards HAProxy but may choose to go NGINX instead.

What you want cannot be done with what you have.
You have only one public IP (the 217.160.X.Y) and many private IPs in the LAN.
You can either do 1:1 NAT (or DMZ) where everything from the public IP will be forwarded to only one private IP, or individual DNATs where you can select which protocol/port will be forwarded to which private IP.
If you had IPv6 you could have public IPs all the way and you would do what you want.

1 Like

Thank you @trendy, this is a clear answer and it explains why I cannot find any how-to for this. :smile: I will brace for lots of NAT rules then!

If I understand correctly, DNAT rules allow multiple ports in a single line; would you know if this can contain port ranges, or do DNAT rules require each individual port to be defined?

Thanks again, sorry for my somewhat frustrated communication yesterday; meanwhile I have slept well and today I'm in a much more constructive mindset again.. :smirk:

Cheers, Igor

Port ranges only, not multiple ports.

3 Likes
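The two answers above (one public IP means one DNAT per protocol/port to a private host, and src_dport takes a single port or one range, not a list) as an added example that is not from this thread or from OpenWrt itself: a small Python helper that renders /etc/config/firewall 'config redirect' stanzas, validates the port range syntax, and flags rules that would shadow each other. The zone names 'wan'/'lan', the rule names and the 192.168.1.x targets are assumed or constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Dnat:
    name: str
    proto: str             # 'tcp', 'udp' or 'tcp udp'
    src_dport: str         # external port '80' or one range '5000-5100'
    dest_ip: str           # private host in Server-LAN (constructed values)
    dest_port: str = ""    # empty keeps the external port number
    src_zone: str = "wan"  # zone the traffic arrives from (assumed name)
    dest_zone: str = "lan" # zone holding the Server-LAN (assumed name)

def port_range(spec: str) -> tuple[int, int]:
    """Parse '80' or '5000-5100' into (lo, hi); reject anything else."""
    lo, _, hi = spec.partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 1 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port range: {spec}")
    return lo_i, hi_i

def to_uci(rule: Dnat) -> str:
    """Render one rule in /etc/config/firewall syntax."""
    port_range(rule.src_dport)  # validate before emitting anything
    lines = [
        "config redirect",
        f"\toption name '{rule.name}'",
        "\toption target 'DNAT'",
        f"\toption src '{rule.src_zone}'",
        f"\toption dest '{rule.dest_zone}'",
        f"\toption proto '{rule.proto}'",
        f"\toption src_dport '{rule.src_dport}'",
        f"\toption dest_ip '{rule.dest_ip}'",
    ]
    if rule.dest_port:
        lines.append(f"\toption dest_port '{rule.dest_port}'")
    return "\n".join(lines) + "\n"

def overlaps(rules: list[Dnat]) -> list[tuple[str, str]]:
    """Pairs sharing a protocol whose external ranges collide (first match wins)."""
    found = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if set(a.proto.split()) & set(b.proto.split()):
                (al, ah), (bl, bh) = port_range(a.src_dport), port_range(b.src_dport)
                if al <= bh and bl <= ah:
                    found.append((a.name, b.name))
    return found

RULES = [Dnat("web", "tcp", "80", "192.168.1.201"),  # constructed sample
         Dnat("media", "udp", "5000-5100", "192.168.1.202")]
```

Paste the output of to_uci() for each rule into /etc/config/firewall (or compare it with what LuCI's Port Forwards page writes) and run overlaps() before reloading, so a new forward does not silently sit behind an existing one.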

I will mark this a solution to close the thread, thanks for the effort, much appreciated!

1 Like

Well, if you must thing it, then you must thing it right. It's OpenWrt-thing, and it's case sensitive... Very sensitive!

:smile:

yeah, I sensed I should cAsE it correct, OpenWrt. I have not given up on my concept with OpenWrt and made some progress! I removed my OpenVPN client from OpenWrt, so this box is basically just a plain router now, taking care of my Server-LAN (192.168.1.0/24). I fired up a client in this LAN, assigned IPv4 address 192.168.1.2 and configured this as the new OpenVPN client, and now this dedicated OpenVPN client acts as the gateway for my whole Server-LAN. My Home-LAN 192.168.0.0/24 is still virtually untouched, unaffected and working just as usual, which is most important.

With this setup and without any further ado, I can now (reverse-)proxy ANY incoming requests that are coming in to the OpenVPN Server at 217.160.X.Y to ANY server in my LAN at will and without adding or changing rules in OpenWrt. Basically I'm piercing my VPN tunnel THROUGH the OpenWrt router instead of FROM the router and this works as I intended!

The drawback: I bought my OpenWrt box carefully to support AES encryption for my VPN traffic and this is now basically bypassed. Also it costs added resources for the VPN client machine which I had not anticipated. I will now pursue a trial to see if I can manage to set up a virtual machine on the OpenWrt box and see if I can get that to work instead of a dedicated machine in the network.

This is all very heavy lifting for me though, as I am really a novice to networking, VPN and Linux in general. I might be back in a separate new post asking for some help and support, or, if I get this solved, I will post the solution that works for me.

I am still intrigued about the OpenWrt-thing, but I have to thing-it and will see how to wing it! :wink: :smirk: :smile:

Thanks and cheers, Igor

If you explain in more detail what you have done there, we can help you migrate it to OpenWrt and take advantage of the hardware crypto machine.

1 Like

Ok, here goes..

I will first add a diagram of my working Proof of Concept:

I have removed all traces from my initial OpenVPN client configuration (removed tun0 interface and zone 'VPN_zone'), now the OpenWrt box serves my Server-LAN (192.168.1.0/24) directly through the wan interface 192.168.0.2.

Proof of Concept: (working as desired)
In Server-LAN, I have an OpenVPN box 192.168.1.100 which connects to the OpenVPN Access Server 217.160.xx.yyy (fixed IPv4 on the internet). The client is configured as a VPN client-gateway for network 192.168.1.0/24. I have a webserver in the same Server-LAN on 192.168.1.201 serving the default webserver test page.

On the OpenVPN AS 217.160.xx.yyy I have NGINX running with:

server {
    listen 80;
    listen [::]:80;
    server_name testmyopenwrt.myfirewall.org;

    location / {
        # Hand the original Host and client address to the backend
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Forward every request through the tunnel to the webserver in Server-LAN
        proxy_pass http://192.168.1.201:80;
        # The original 'root', 'index' and 'try_files ... =404' lines were removed:
        # try_files answers from the local /var/www/html (or returns 404) before
        # proxy_pass runs, so requests would never reach 192.168.1.201
    }
}

The domain testmyopenwrt.myfirewall.org has an A-Record with 217.160.xx.yyy.

http://testmyopenwrt.myfirewall.org opens:

I can fire up any amount of new webservers and access those with a corresponding NGINX serverblock on the OpenVPN AS without the need to add any NAT rules or such on OpenWrt.

What is your eventual end product? i.e. what are you intending to use this setup for when it's complete?

I will explore and learn how to set up a load-balanced and scalable videoconferencing solution using the open-source solution Jitsi Meet.

Consider it a test bed. I'm using my home connection and some private infrastructure with the VPN tunnel as a necessary 'evil', since I'm double-NATed behind a Carrier Grade Network (this is how my ISP hooks me up to the internet). Over time and with more knowledge (and sufficient budget), I may consider alternative service provider options. :wink:

This is something you could do with your previous setup. You can move the OpenVPN endpoint to the OpenWrt and nothing will change in the way you can communicate from the internet.
But it is anyway not the same as your initial demand:

Here in the best case you can have multiple web servers, but for almost everything else you can have one port DNAT to an internal server/port.

Hello Trendy, thank you for not giving up on me!

I thought that I really know how important good communication is, especially about being clear and specific when asking technical questions. I was not clear, or at least not specific indeed!

As to my previous setup: are you sure I would be able to reverse-proxy, the same as with my shown NGINX example, to my webservers in the Server-LAN? In my current 'proof-of-concept' setup I can ping my servers in the Server-LAN from my OpenVPN AS and, if I remember correctly, I tried that also in my previous setup but it failed. Is that such an example where I would need DNAT rules for ICMP?

As an example, I just tried in an SSH session (SSH as root to my OpenVPN AS) to SSH into 192.168.1.201, which works. So currently I can ping and I can also SSH into my Server-LAN from my VPN server; would I also be able to do this in my previous setup?

1 Like

Don't get me wrong: I WILL try to go back to the previous setup, I just want to better understand the system before I let myself get into this.

You haven't really done anything with your 'proof of concept' other than bypass the firewall, which isn't really a great idea. You'd be far better off learning how to use the firewall properly, i.e. open/forward ports that need to be opened.

Yes, I am very much aware of that! I thought I'd be able to do that as I progressed, but it is much harder (for me) than I thought, and especially I find it difficult to use the right search terms for what I try to accomplish. I'm not giving up on it. I want to be much better aware, when I implement my webserver related configs and something doesn't work, whether I can focus troubleshooting on the server part or if the issue at hand is network related. It's all so much new material to me that I have a difficult time continuing with good motivation if I cannot find a resolution in a reasonable time. :wink:

So I'm really grateful for the support I got so far! :+1: