Enig123
February 14, 2020, 3:05am
#1
What I am trying to do is access my local VPN (ocserv) while connected through WiFi. On the client side the VPN server address is set to my WAN IP; is there a way to reach the VPN from inside the network without changing the server address on the client?
My WiFi is at 172.10.3.0/24 (2.4 GHz) and 172.10.4.0/24 (5 GHz), and the VPN is at 10.100.3.0/24. Currently, when I come home from outside and want to join the WiFi, the VPN has to be disconnected first before I can get onto the home WiFi.
The ideal situation would be that, when I get home, the WiFi connects automatically while I am still connected to the VPN.
trendy
February 14, 2020, 10:40am
#2
Could you post here the network, dhcp, wireless, firewall, and VPN server and client configs?
uci export network; uci export dhcp; uci export wireless; uci export firewall
Enig123
February 14, 2020, 7:43pm
#3
Here are the configs I am currently using:
dhcp
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option nonwildcard '1'
option localservice '1'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
config dhcp 'lan'
option interface 'lan'
option start '100'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option limit '100'
option ra_management '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'guest0'
option start '100'
option limit '150'
option interface 'guest0'
option leasetime '1h'
config dhcp 'guest1'
option start '100'
option limit '150'
option interface 'guest1'
option leasetime '1h'
network:
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd10:f8f4:959b::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device 'lan_eth0_1_dev'
option name 'eth0.1'
option macaddr 'xx:xx:xx:xx:xx:xx'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
config device 'wan_eth0_2_dev'
option name 'eth0.2'
option macaddr 'xx:xx:xx:xx:xx:xx'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0 6t'
config interface 'guest0'
option proto 'static'
option ipaddr '172.10.3.1'
option netmask '255.255.255.0'
config interface 'guest1'
option proto 'static'
option ipaddr '172.10.4.1'
option netmask '255.255.255.0'
config interface 'vpn'
option ifname 'vpns+'
option proto 'static'
wireless
root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option hwmode '11a'
option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
option htmode 'VHT80'
option country 'US'
option channel '157'
config wifi-iface 'default_radio0'
option device 'radio0'
option mode 'ap'
option network 'guest0'
option key 'xxx'
option ssid 'xxxx'
option encryption 'psk2+ccmp'
config wifi-device 'radio1'
option type 'mac80211'
option hwmode '11g'
option path 'pci0000:00/0000:00:01.0/0000:02:00.0'
option country 'US'
option channel '6'
config wifi-iface 'default_radio1'
option device 'radio1'
option mode 'ap'
option network 'guest1'
option key 'xxx'
option ssid 'xxxxx'
option encryption 'psk2+ccmp'
firewall
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option network 'guest0'
option forward 'REJECT'
option name 'guest0'
option output 'ACCEPT'
option input 'REJECT'
list device 'wlan0'
config zone
option network 'guest1'
option name 'guest1'
option output 'ACCEPT'
option input 'REJECT'
list device 'wlan1'
option forward 'REJECT'
config forwarding
option dest 'wan'
option src 'guest0'
config forwarding
option dest 'wan'
option src 'guest1'
config redirect
option dest_port '13761'
option src 'wan'
option name 'eMule TCP Incoming'
option src_dport '13761'
option target 'DNAT'
option dest_ip '192.168.1.224'
option dest 'lan'
option proto 'tcp'
config redirect
option dest_port '25624'
option src 'wan'
option name 'eMule UDP Incoming'
option src_dport '25624'
option target 'DNAT'
option dest_ip '192.168.1.224'
option dest 'lan'
option proto 'udp'
config rule
option dest_port '53'
option src 'guest0'
option name 'Allow Guest0 DNS'
option target 'ACCEPT'
option proto 'tcp udp'
config rule
option dest_port '53'
option src 'guest1'
option name 'Allow Guest1 DNS'
option target 'ACCEPT'
option proto 'tcp udp'
config rule
option src_port '67-68'
option src 'guest0'
option name 'Allow Guest0 DHCP'
option target 'ACCEPT'
option dest_port '67-68'
option proto 'udp'
config rule
option src_port '67-68'
option src 'guest1'
option name 'Allow Guest1 DHCP'
option target 'ACCEPT'
option dest_port '67-68'
option proto 'udp'
config zone
option network 'vpn'
option name 'vpn'
option output 'ACCEPT'
list device 'vpns+'
option input 'REJECT'
option forward 'REJECT'
option family 'ipv4'
config forwarding
option dest 'wan'
option src 'vpn'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'vpn'
option src_dport '443'
option name 'VPN Forward'
option dest_port '4443'
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'tcp'
option dest_port '443'
option name 'vpn'
option family 'ipv4'
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'udp'
option dest_port '443'
option name 'vpn'
option family 'ipv4'
config rule
option dest_port '53'
option src 'vpn'
option name 'Allow VPN DNS'
option target 'ACCEPT'
option family 'ipv4'
trendy
February 14, 2020, 11:17pm
#4
And the VPN configuration?
Enig123
February 14, 2020, 11:58pm
#5
Right, here they are:
root@OpenWrt:~# cat /etc/config/ocserv
config ocserv 'config'
option dpd '120'
option max_clients '8'
option max_same '2'
option enable '1'
option zone 'lan'
option auth 'plain'
option ipaddr '10.100.3.0'
option netmask '255.255.255.0'
option compression '1'
option default_domain 'lan'
option split_dns '1'
option _ca '-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
'
option port '4443'
config ocservusers
option name 'xxx'
option password 'xxxxxxx'
config dns
option ip '10.100.3.1'
config dns
option ip '8.8.8.8'
trendy
February 15, 2020, 6:20pm
#6
The client config is missing.
A few remarks.
The vpn rule for tcp/443 is never used, because you are doing DNAT on 443 towards the vpn zone. Since the VPN server itself listens on port 4443, you should open that port on the firewall for tcp and udp and remove the DNAT.
You also don't have tcp and udp 4443 allowed from the guest networks.
The IP address and the netmask used in the VPN are wrong. For 8 clients you can use:
option ipaddr '192.168.1.248'
option netmask '255.255.255.248'
Make sure you have added in /etc/sysctl.conf
the following line:
net.ipv4.conf.all.proxy_arp=1
and reloaded with sysctl -p
Enig123
February 15, 2020, 8:09pm
#7
Now I have deleted the port forwarding rule, changed the server port to 443, and added allow rules for the guest networks.
I still cannot access the VPN while I am on WiFi, since the client is then using the same WAN IP.
Assume my WAN IP is aa.bb.cc.dd; the VPN client on my iPhone reaches the service at aa.bb.cc.dd:443. How can I connect to the VPN service while the iPhone is on WiFi (and therefore behind the same WAN IP aa.bb.cc.dd)?
trendy
February 15, 2020, 10:39pm
#8
I believe it would be easier to use a domain name that resolves to the internal IP when the client is connected inside your network (and to the public IP when it is outside), so the client configuration never has to change. You are using some name to connect to the server, right?
Enig123
February 16, 2020, 2:34am
#9
How would this help with the vpn exactly?
Look, I am relatively new to Linux, I just started learning, and I haven't read similar advice anywhere else. I guess that's why I am asking.
trendy
February 16, 2020, 4:27am
#10
It's proxy ARP for the pseudo-bridge setup.
Enig123:
Look, I am relatively new to Linux, I just started learning, and I haven't read similar advice anywhere else. I guess that's why I am asking.
Why are you looking in other places and not in the official documentation?
Enig123
February 16, 2020, 4:46am
#11
I was following the Forwarding Approach described here, and apparently completely missed the official documentation you referred to.
trendy
February 16, 2020, 5:09am
#12
You are using option zone 'lan', so I was under the impression that you wanted the proxy-ARP approach.
In any case, the documentation on GitHub is 4 years old, so it would be better to follow something more recent, or switch to something more commonly used, like OpenVPN or WireGuard.