b.bo
March 25, 2020, 4:38pm
1
Hi,
With the huge help of @ulmwind I was able to connect to the router 19;07, on a Archer C7 from WAN using OpenVPN Connect.
But I don't know where to go from there. How to see the LAN network from my Windows 10 computer ?
I tried to find the answers on my own but couln't find anything that make this all clear to me.
Would you guys help ?
Thanks a lot.
trendy
March 25, 2020, 6:14pm
2
Post here the output of the following commands.
uci export network; uci export firewall; uci export openvpn; \
head -n -0 /etc/firewall.user; \
head -n -0 /etc/openvpn/*.ovpn /etc/openvpn/*.conf; \
ip -4 addr ; ip -4 ro ls tab all ; ip -4 ru; \
ls -l /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
Please use "Preformatted text </>" for logs, scripts, configs and general console output.
b.bo
March 25, 2020, 6:32pm
3
Thank you very much @trendy for your reply.
Here are the output of the commands you reqested :
root@OpenWrt:~# clear
root@OpenWrt:~# uci export network; uci export firewall; uci export openvpn; \
> head -n -0 /etc/firewall.user; \
> head -n -0 /etc/openvpn/*.ovpn /etc/openvpn/*.conf; \
> ip -4 addr ; ip -4 ro ls tab all ; ip -4 ru; \
> ls -l /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd35:b866:29b0::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth1.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
option delegate '0'
option broadcast '1'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 6t'
config interface 'nordvpntun'
option proto 'none'
option ifname 'tun0'
config interface 'VPNServertun'
option proto 'none'
option ifname 'tun1'
package firewall
config defaults
option syn_flood '1'
option output 'ACCEPT'
option forward 'REJECT'
option input 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Allow-SSH'
option target 'ACCEPT'
option src 'wan'
option dest_port '22'
option proto 'tcp'
option family 'ipv4'
config include
option path '/etc/firewall.user'
config zone
option name 'vpnfirewall'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'nordvpntun'
config zone
option name 'VPNServerfirewall'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
list network 'VPNServertun'
config forwarding
option src 'lan'
option dest 'vpnfirewall'
config rule
option src 'wan'
option name 'OpenVPN-Remote'
option target 'ACCEPT'
option dest_port '11940'
list proto 'tcp'
config forwarding
option src 'VPNServertun'
option dest 'lan'
package openvpn
config openvpn 'custom_config'
option enabled '0'
option config '/etc/openvpn/my-vpn.conf'
config openvpn 'sample_server'
option enabled '0'
option port '1194'
option proto 'udp'
option dev 'tun'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/server.crt'
option key '/etc/openvpn/server.key'
option dh '/etc/openvpn/dh1024.pem'
option server '10.8.0.0 255.255.255.0'
option ifconfig_pool_persist '/tmp/ipp.txt'
option keepalive '10 120'
option compress 'lzo'
option persist_key '1'
option persist_tun '1'
option user 'nobody'
option status '/tmp/openvpn-status.log'
option verb '3'
config openvpn 'sample_client'
option enabled '0'
option client '1'
option dev 'tun'
option proto 'udp'
list remote 'my_server_1 1194'
option resolv_retry 'infinite'
option nobind '1'
option persist_key '1'
option persist_tun '1'
option user 'nobody'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/client.crt'
option key '/etc/openvpn/client.key'
option compress 'lzo'
option verb '3'
config openvpn 'nordvpn'
option enabled '1'
option config '/etc/openvpn/fr218.nordvpn.com.udp.conf'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
==> /etc/openvpn/fr379.nordvpn.com.udp.ovpn <==
client
dev tun0
proto udp
remote 62.210.28.221 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no
remote-cert-tls server
auth-user-pass /etc/openvpn/NordVPN.auth
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
==> /etc/openvpn/fr407.nordvpn.com.udp.ovpn <==
client
dev tun0
proto udp
remote 37.120.204.163 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no
remote-cert-tls server
auth-user-pass /etc/openvpn/NordVPN.auth
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
==> /etc/openvpn/fr218.nordvpn.com.udp.conf <==
client
dev tun0
proto udp
remote 51.158.24.52 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no
log /etc/openvpn/vpn.log
remote-cert-tls server
auth-user-pass /etc/openvpn/NordVPN.auth
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
==> /etc/openvpn/server.conf <==
verb 3
user nobody
group nogroup
dev tun1
port 11940
proto tcp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 120
persist-tun
persist-key
duplicate-cn
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
-----BEGIN DH PARAMETERS-----
-----END DH PARAMETERS-----
</dh>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-crypt>
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group defaul t qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP gro up default qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state U P group default qlen 1000
inet 192.168.2.20/24 brd 192.168.2.255 scope global eth0.2
valid_lft forever preferred_lft forever
12: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel stat e UNKNOWN group default qlen 100
inet 192.168.8.1/24 brd 192.168.8.255 scope global tun1
valid_lft forever preferred_lft forever
13: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel stat e UNKNOWN group default qlen 100
inet 10.8.8.28/24 brd 10.8.8.255 scope global tun0
valid_lft forever preferred_lft forever
default via 192.168.2.254 dev eth0.2 table 201
default via 10.8.8.28 dev tun0 table 202
default via 192.168.8.1 dev tun1 table 203
0.0.0.0/1 via 10.8.8.1 dev tun0
default via 192.168.2.254 dev eth0.2 proto static src 192.168.2.20
10.8.8.0/24 dev tun0 proto kernel scope link src 10.8.8.28
51.158.24.52 via 192.168.2.254 dev eth0.2
128.0.0.0/1 via 10.8.8.1 dev tun0
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev eth0.2 proto kernel scope link src 192.168.2.20
192.168.8.0/24 dev tun1 proto kernel scope link src 192.168.8.1
broadcast 10.8.8.0 dev tun0 table local proto kernel scope link src 10.8.8.28
local 10.8.8.28 dev tun0 table local proto kernel scope host src 10.8.8.28
broadcast 10.8.8.255 dev tun0 table local proto kernel scope link src 10.8.8.28
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0 .1
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168 .1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.1 68.1.1
broadcast 192.168.2.0 dev eth0.2 table local proto kernel scope link src 192.168 .2.20
local 192.168.2.20 dev eth0.2 table local proto kernel scope host src 192.168.2. 20
broadcast 192.168.2.255 dev eth0.2 table local proto kernel scope link src 192.1 68.2.20
broadcast 192.168.8.0 dev tun1 table local proto kernel scope link src 192.168.8 .1
local 192.168.8.1 dev tun1 table local proto kernel scope host src 192.168.8.1
broadcast 192.168.8.255 dev tun1 table local proto kernel scope link src 192.168 .8.1
0: from all lookup local
32760: from all fwmark 0x30000 lookup 203
32761: from all fwmark 0x20000 lookup 202
32762: from all fwmark 0x10000 lookup 201
32766: from all lookup main
32767: from all lookup default
lrwxrwxrwx 1 root root 16 Jan 29 16:05 /etc/resolv.conf -> /tm p/resolv.conf
lrwxrwxrwx 1 root root 21 Mar 24 22:15 /tmp/resolv.conf -> /tm p/resolv.conf.auto
-rw-r--r-- 1 root root 124 Mar 25 09:42 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
# Interface wan
nameserver 192.168.2.254
search lan
# Interface wan6
nameserver fe80::ae84:c9ff:fe4f:41cc%eth0.2
search lan
==> /tmp/resolv.conf <==
# Interface wan
nameserver 192.168.2.254
search lan
# Interface wan6
nameserver fe80::ae84:c9ff:fe4f:41cc%eth0.2
search lan
==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 192.168.2.254
search lan
# Interface wan6
nameserver fe80::ae84:c9ff:fe4f:41cc%eth0.2
search lan
root@OpenWrt:~#
trendy
March 26, 2020, 1:23am
4
First of all you are pushing to the vpn client the default gateway
but there is no forwarding rule from VPNServertun to wan or vpnfirewall.
b.bo
March 26, 2020, 11:19am
5
Yes I do have VPN Policy Routing installed, here is the output of the config file's content :
config vpn-policy-routing 'config'
option enabled '1'
option verbosity '2'
option strict_enforcement '1'
option src_ipset '0'
option ipv6_enabled '0'
list supported_interface ''
option boot_timeout '30'
option iptables_rule_option 'append'
option iprule_enabled '0'
option webui_enable_column '0'
option webui_protocol_column '0'
option webui_sorting '1'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list webui_supported_protocol 'all'
option webui_chain_column '1'
option append_src_rules '! -d 192.168.1.0/24'
option append_dest_rules '! -d 192.168.1.0/24'
list ignored_interface 'vpnserver wgserver'
list ignored_interface 'lan'
config include
option path '/etc/vpn-policy-routing.netflix.user'
option enabled '0'
config include
option path '/etc/vpn-policy-routing.aws.user'
option enabled '0'
config policy
option interface 'wan'
option name ' OpenVPN-server'
option src_port '11940'
option chain 'OUTPUT'
root@OpenWrt:~#
trendy
March 26, 2020, 11:57am
6
You'll also need to add the VPNServertun in the list of ignored interfaces.
b.bo
March 26, 2020, 1:50pm
7
So in that VPN PBR config file I need to add :
list ignored_interface 'VPNServertun'
and in the /etc/confg/firewall file :
config forwarding
option src 'VPNServertun'
option dest 'wan'
?
Thanks a lot
trendy
March 26, 2020, 2:06pm
8
One correction, the zone is named VPNServerfirewall not VPNServertun
b.bo
March 26, 2020, 2:36pm
9
Ok thanks @trendy . So I have modified the files as this :
list ignored_interface 'VPNServertun'
and in the /etc/confg/firewall file :
config forwarding
option src 'VPNServerfirewall'
option dest 'wan'
Rebooted the router.
The OpenVPN Connect still connects to the router :
But not internet when I'm connected.
The questions in the first post remain the same.
trendy
March 26, 2020, 2:58pm
10
You default gateway is via tun0 so fix the previous forwarding to
config forwarding
option src 'VPNServerfirewall'
option dest 'vpnfirewall'
trendy
March 26, 2020, 3:38pm
12
Okay, please post once again the following to see how it looks now.
uci export network; uci export firewall; uci export policy-based-routing; \
head -n -0 /etc/openvpn/*.ovpn /etc/openvpn/*.conf; \
ip -4 addr ; ip -4 ro ls tab all ; ip -4 ru; \
iptables-save -c
b.bo
March 26, 2020, 4:16pm
13
Ok here it si :
root@OpenWrt:~# clear
root@OpenWrt:~# uci export network; uci export firewall; uci export policy-based-routing; \
> head -n -0 /etc/openvpn/*.ovpn /etc/openvpn/*.conf; \
> ip -4 addr ; ip -4 ro ls tab all ; ip -4 ru; \
> iptables-save -c
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd35:b866:29b0::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth1.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
option delegate '0'
option broadcast '1'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 6t'
config interface 'nordvpntun'
option proto 'none'
option ifname 'tun0'
config interface 'VPNServertun'
option proto 'none'
option ifname 'tun1'
package firewall
config defaults
option syn_flood '1'
option output 'ACCEPT'
option forward 'REJECT'
option input 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Allow-SSH'
option target 'ACCEPT'
option src 'wan'
option dest_port '22'
option proto 'tcp'
option family 'ipv4'
config include
option path '/etc/firewall.user'
config zone
option name 'vpnfirewall'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'nordvpntun'
config zone
option name 'VPNServerfirewall'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
list network 'VPNServertun'
config forwarding
option src 'lan'
option dest 'vpnfirewall'
config rule
option src 'wan'
option name 'OpenVPN-Remote'
option target 'ACCEPT'
option dest_port '11940'
list proto 'tcp'
config forwarding
option src 'VPNServertun'
option dest 'lan'
config forwarding
option src 'VPNServerfirewall'
option dest 'vpnfirewall'
uci: Entry not found
==> /etc/openvpn/fr379.nordvpn.com.udp.ovpn <==
client
dev tun0
proto udp
remote 62.210.28.221 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no
remote-cert-tls server
auth-user-pass /etc/openvpn/NordVPN.auth
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
==> /etc/openvpn/fr407.nordvpn.com.udp.ovpn <==
client
dev tun0
proto udp
remote 37.120.204.163 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no
remote-cert-tls server
auth-user-pass /etc/openvpn/NordVPN.auth
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
==> /etc/openvpn/fr218.nordvpn.com.udp.conf <==
client
dev tun0
proto udp
remote 51.158.24.52 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no
log /etc/openvpn/vpn.log
remote-cert-tls server
auth-user-pass /etc/openvpn/NordVPN.auth
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
==> /etc/openvpn/server.conf <==
verb 3
user nobody
group nogroup
dev tun1
port 11940
proto tcp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 120
persist-tun
persist-key
duplicate-cn
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
-----BEGIN DH PARAMETERS-----
-----END DH PARAMETERS-----
</dh>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-crypt>
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.2.20/24 brd 192.168.2.255 scope global eth0.2
valid_lft forever preferred_lft forever
12: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
inet 192.168.8.1/24 brd 192.168.8.255 scope global tun1
valid_lft forever preferred_lft forever
13: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
inet 10.8.8.36/24 brd 10.8.8.255 scope global tun0
valid_lft forever preferred_lft forever
default via 192.168.2.254 dev eth0.2 table 201
192.168.8.0/24 dev tun1 table 201 proto kernel scope link src 192.168.8.1
default via 10.8.8.36 dev tun0 table 202
192.168.8.0/24 dev tun1 table 202 proto kernel scope link src 192.168.8.1
0.0.0.0/1 via 10.8.8.1 dev tun0
default via 192.168.2.254 dev eth0.2 proto static src 192.168.2.20
10.8.8.0/24 dev tun0 proto kernel scope link src 10.8.8.36
51.158.24.52 via 192.168.2.254 dev eth0.2
128.0.0.0/1 via 10.8.8.1 dev tun0
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev eth0.2 proto kernel scope link src 192.168.2.20
192.168.8.0/24 dev tun1 proto kernel scope link src 192.168.8.1
broadcast 10.8.8.0 dev tun0 table local proto kernel scope link src 10.8.8.36
local 10.8.8.36 dev tun0 table local proto kernel scope host src 10.8.8.36
broadcast 10.8.8.255 dev tun0 table local proto kernel scope link src 10.8.8.36
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
broadcast 192.168.2.0 dev eth0.2 table local proto kernel scope link src 192.168.2.20
local 192.168.2.20 dev eth0.2 table local proto kernel scope host src 192.168.2.20
broadcast 192.168.2.255 dev eth0.2 table local proto kernel scope link src 192.168.2.20
broadcast 192.168.8.0 dev tun1 table local proto kernel scope link src 192.168.8.1
local 192.168.8.1 dev tun1 table local proto kernel scope host src 192.168.8.1
broadcast 192.168.8.255 dev tun1 table local proto kernel scope link src 192.168.8.1
0: from all lookup local
32764: from all fwmark 0x20000 lookup 202
32765: from all fwmark 0x10000 lookup 201
32766: from all lookup main
32767: from all lookup default
# Generated by iptables-save v1.8.3 on Thu Mar 26 16:12:42 2020
*nat
:PREROUTING ACCEPT [15401:1857230]
:INPUT ACCEPT [622:53095]
:OUTPUT ACCEPT [1407:97429]
:POSTROUTING ACCEPT [156:7785]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpnfirewall_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpnfirewall_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpnfirewall_postrouting - [0:0]
:zone_vpnfirewall_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[15401:1857230] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[12748:1401294] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[2095:419820] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[3:2806] -A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpnfirewall_prerouting
[10815:868384] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[5:1745] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[67:3984] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[10592:856615] -A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpnfirewall_postrouting
[5:1745] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[12748:1401294] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[10592:856615] -A zone_vpnfirewall_postrouting -m comment --comment "!fw3: Custom vpnfirewall postrouting rule chain" -j postrouting_vpnfirewall_rule
[10592:856615] -A zone_vpnfirewall_postrouting -m comment --comment "!fw3" -j MASQUERADE
[3:2806] -A zone_vpnfirewall_prerouting -m comment --comment "!fw3: Custom vpnfirewall prerouting rule chain" -j prerouting_vpnfirewall_rule
[67:3984] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[67:3984] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[2095:419820] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Thu Mar 26 16:12:42 2020
# Generated by iptables-save v1.8.3 on Thu Mar 26 16:12:42 2020
*mangle
:PREROUTING ACCEPT [4250288:4041300336]
:INPUT ACCEPT [1618392:1955433632]
:FORWARD ACCEPT [2626972:2084866804]
:OUTPUT ACCEPT [1020387:270840249]
:POSTROUTING ACCEPT [3646648:2355653175]
:VPR_FORWARD - [0:0]
:VPR_INPUT - [0:0]
:VPR_OUTPUT - [0:0]
:VPR_PREROUTING - [0:0]
[4250408:4041329454] -A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
[1618451:1955446514] -A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
[2627026:2084881912] -A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
[49:2940] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[5460:320632] -A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone vpnfirewall MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[1020450:270850288] -A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
[0:0] -A VPR_OUTPUT -p udp -m multiport --sports 11940 -m comment --comment _OpenVPN-server -j MARK --set-xmark 0x10000/0xff0000
[578:46161] -A VPR_OUTPUT -p tcp -m multiport --sports 11940 -m comment --comment _OpenVPN-server -j MARK --set-xmark 0x10000/0xff0000
COMMIT
# Completed on Thu Mar 26 16:12:42 2020
# Generated by iptables-save v1.8.3 on Thu Mar 26 16:12:42 2020
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpnfirewall_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpnfirewall_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpnfirewall_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpnfirewall_dest_ACCEPT - [0:0]
:zone_vpnfirewall_dest_REJECT - [0:0]
:zone_vpnfirewall_forward - [0:0]
:zone_vpnfirewall_input - [0:0]
:zone_vpnfirewall_output - [0:0]
:zone_vpnfirewall_src_REJECT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[1618415:1955453179] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[1615357:1955234700] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[6:320] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[2884:206367] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[84:4769] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[75:6380] -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpnfirewall_input
[15:963] -A INPUT -m comment --comment "!fw3" -j reject
[2626993:2084884771] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[2612588:2083577171] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[13865:1275253] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpnfirewall_forward
[540:32347] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[1020401:270842953] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[1018607:270720803] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[5:1745] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[1789:120405] -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpnfirewall_output
[236:14682] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[447:28737] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[6:320] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[5:1745] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[13865:1275253] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[13865:1275253] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[13738:1267789] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to vpnfirewall forwarding policy" -j zone_vpnfirewall_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[2884:206367] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[2884:206367] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[5:1745] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[5:1745] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[2884:206367] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[176:23276] -A zone_vpnfirewall_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[15351:1364918] -A zone_vpnfirewall_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpnfirewall_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_vpnfirewall_forward -m comment --comment "!fw3: Custom vpnfirewall forwarding rule chain" -j forwarding_vpnfirewall_rule
[0:0] -A zone_vpnfirewall_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_vpnfirewall_forward -m comment --comment "!fw3" -j zone_vpnfirewall_dest_REJECT
[75:6380] -A zone_vpnfirewall_input -m comment --comment "!fw3: Custom vpnfirewall input rule chain" -j input_vpnfirewall_rule
[0:0] -A zone_vpnfirewall_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[75:6380] -A zone_vpnfirewall_input -m comment --comment "!fw3" -j zone_vpnfirewall_src_REJECT
[1789:120405] -A zone_vpnfirewall_output -m comment --comment "!fw3: Custom vpnfirewall output rule chain" -j output_vpnfirewall_rule
[1789:120405] -A zone_vpnfirewall_output -m comment --comment "!fw3" -j zone_vpnfirewall_dest_ACCEPT
[75:6380] -A zone_vpnfirewall_src_REJECT -i tun0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[127:7464] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[84:4769] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[29:928] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[1:60] -A zone_wan_input -p tcp -m tcp --dport 22 -m comment --comment "!fw3: Allow-SSH" -j ACCEPT
[1:52] -A zone_wan_input -p tcp -m tcp --dport 11940 -m comment --comment "!fw3: OpenVPN-Remote" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[53:3729] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[53:3729] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Thu Mar 26 16:12:42 2020
trendy
March 26, 2020, 10:36pm
14
The zone name in the forwarding is wrong. You use the interface name and not the zone name.
config forwarding
option src 'VPNServertun'
option dest 'lan'
The policy based routing config was not printed, so if you could paste it here.
Finally in the iptables output there is no reference to tun1, which is the vpn server interface. Do a /etc/init.d/firewall restart and paste here the output, most likely there is some error at the beginning.
1 Like
b.bo
March 27, 2020, 11:49am
15
Hi @trendy ,
Thanks again for your help. Yes I should keep names clearer and shorter but I thought it was better to have explicit names to know what it is referring to.
I modified the firewall as requested. Here are the outputs
config vpn-policy-routing 'config'
option enabled '1'
option verbosity '2'
option strict_enforcement '1'
option src_ipset '0'
option ipv6_enabled '0'
list supported_interface ''
option boot_timeout '30'
option iptables_rule_option 'append'
option iprule_enabled '0'
option webui_enable_column '0'
option webui_protocol_column '0'
option webui_sorting '1'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list webui_supported_protocol 'all'
option webui_chain_column '1'
option append_src_rules '! -d 192.168.1.0/24'
option append_dest_rules '! -d 192.168.1.0/24'
list ignored_interface 'vpnserver wgserver'
list ignored_interface 'lan'
list ignored_interface 'VPNServertun'
config include
option path '/etc/vpn-policy-routing.netflix.user'
option enabled '0'
config include
option path '/etc/vpn-policy-routing.aws.user'
option enabled '0'
config policy
option interface 'wan'
option name ' OpenVPN-server'
option src_port '11940'
option chain 'OUTPUT'
Firewall:
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option syn_flood '1'
option output 'ACCEPT'
option forward 'REJECT'
option input 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Allow-SSH'
option target 'ACCEPT'
option src 'wan'
option dest_port '22'
option proto 'tcp'
option family 'ipv4'
config include
option path '/etc/firewall.user'
config zone
option name 'vpnfirewall'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'nordvpntun'
config zone
option name 'VPNServerfirewall'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
list network 'VPNServertun'
config forwarding
option src 'lan'
option dest 'vpnfirewall'
config rule
option src 'wan'
option name 'OpenVPN-Remote'
option target 'ACCEPT'
option dest_port '11940'
list proto 'tcp'
config forwarding
option src 'lan'
option dest 'vpnfirewall'
config forwarding
option src 'VPNServerfirewall'
option dest 'lan'
config forwarding
option src 'VPNServerfirewall'
option dest 'vpnfirewall'
root@OpenWrt:~#
Finaly here is the output of /etc/init.d/firewall restart :
root@OpenWrt:~# /etc/init.d/firewall restart
Warning: Section @zone[3] (VPNServerfirewall) must not have a name longer than 14 characters
Warning: Section @forwarding[3] refers to not existing zone 'VPNServerfirewall'
Warning: Section @forwarding[4] refers to not existing zone 'VPNServerfirewall'
* Flushing IPv4 filter table
* Flushing IPv4 nat table
* Flushing IPv4 mangle table
* Flushing IPv6 filter table
* Flushing IPv6 mangle table
* Flushing conntrack table ...
* Populating IPv4 filter table
* Rule 'Allow-DHCP-Renew'
* Rule 'Allow-Ping'
* Rule 'Allow-IGMP'
* Rule 'Allow-IPSec-ESP'
* Rule 'Allow-ISAKMP'
* Rule 'Allow-SSH'
* Rule 'OpenVPN-Remote'
* Forward 'lan' -> 'wan'
* Forward 'lan' -> 'vpnfirewall'
* Forward 'lan' -> 'vpnfirewall'
* Zone 'lan'
* Zone 'wan'
* Zone 'vpnfirewall'
* Populating IPv4 nat table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpnfirewall'
* Populating IPv4 mangle table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpnfirewall'
* Populating IPv6 filter table
* Rule 'Allow-DHCPv6'
* Rule 'Allow-MLD'
* Rule 'Allow-ICMPv6-Input'
* Rule 'Allow-ICMPv6-Forward'
* Rule 'Allow-IPSec-ESP'
* Rule 'Allow-ISAKMP'
* Rule 'OpenVPN-Remote'
* Forward 'lan' -> 'wan'
* Forward 'lan' -> 'vpnfirewall'
* Forward 'lan' -> 'vpnfirewall'
* Zone 'lan'
* Zone 'wan'
* Zone 'vpnfirewall'
* Populating IPv6 mangle table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpnfirewall'
* Set tcp_ecn to off
* Set tcp_syncookies to on
* Set tcp_window_scaling to on
* Running script '/etc/firewall.user'
root@OpenWrt:~#
trendy
March 27, 2020, 11:52am
16
Here is your problem:
Also according to documentation this should not be used if the vpn client is providing the default gateway.
1 Like
b.bo
March 27, 2020, 12:08pm
17
Yeah well done!
So :
root@OpenWrt:~# cat /etc/config/vpn-policy-routing
config vpn-policy-routing 'config'
option enabled '1'
option verbosity '2'
option strict_enforcement '1'
option src_ipset '0'
option ipv6_enabled '0'
list supported_interface ''
option boot_timeout '30'
option iptables_rule_option 'append'
option iprule_enabled '0'
option webui_enable_column '0'
option webui_protocol_column '0'
option webui_sorting '1'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list webui_supported_protocol 'all'
option webui_chain_column '1'
list ignored_interface 'vpnserver wgserver'
list ignored_interface 'lan'
list ignored_interface 'VPNServertun'
config include
option path '/etc/vpn-policy-routing.netflix.user'
option enabled '0'
config include
option path '/etc/vpn-policy-routing.aws.user'
option enabled '0'
config policy
option interface 'wan'
option name ' OpenVPN-server'
option src_port '11940'
option chain 'OUTPUT'
root@OpenWrt:~#
root@OpenWrt:~# /etc/init.d/firewall restart
* Flushing IPv4 filter table
* Flushing IPv4 nat table
* Flushing IPv4 mangle table
* Flushing IPv6 filter table
* Flushing IPv6 mangle table
* Flushing conntrack table ...
* Populating IPv4 filter table
* Rule 'Allow-DHCP-Renew'
* Rule 'Allow-Ping'
* Rule 'Allow-IGMP'
* Rule 'Allow-IPSec-ESP'
* Rule 'Allow-ISAKMP'
* Rule 'Allow-SSH'
* Rule 'OpenVPN-Remote'
* Forward 'lan' -> 'wan'
* Forward 'lan' -> 'vpnfirewall'
* Forward 'lan' -> 'vpnfirewall'
* Forward 'vpnservfw' -> 'lan'
* Forward 'vpnservfw' -> 'vpnfirewall'
* Zone 'lan'
* Zone 'wan'
* Zone 'vpnfirewall'
* Zone 'vpnservfw'
* Populating IPv4 nat table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpnfirewall'
* Zone 'vpnservfw'
* Populating IPv4 mangle table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpnfirewall'
* Zone 'vpnservfw'
* Populating IPv6 filter table
* Rule 'Allow-DHCPv6'
* Rule 'Allow-MLD'
* Rule 'Allow-ICMPv6-Input'
* Rule 'Allow-ICMPv6-Forward'
* Rule 'Allow-IPSec-ESP'
* Rule 'Allow-ISAKMP'
* Rule 'OpenVPN-Remote'
* Forward 'lan' -> 'wan'
* Forward 'lan' -> 'vpnfirewall'
* Forward 'lan' -> 'vpnfirewall'
* Forward 'vpnservfw' -> 'lan'
* Forward 'vpnservfw' -> 'vpnfirewall'
* Zone 'lan'
* Zone 'wan'
* Zone 'vpnfirewall'
* Zone 'vpnservfw'
* Populating IPv6 mangle table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpnfirewall'
* Zone 'vpnservfw'
* Set tcp_ecn to off
* Set tcp_syncookies to on
* Set tcp_window_scaling to on
* Running script '/etc/firewall.user'
root@OpenWrt:~#
Now it works ! I can connect through OpenVPN Connect and have access to the internet at the same time.
1 Like
b.bo
March 27, 2020, 12:23pm
18
So now I understand that we are connected to the router through the VPN.
I can now SSH the router as if it was done localy, same thing for the FreeNAS server.
The last thing I'd love to do is see the SMB shares. Can I do that through OpenVPN Connect ?
trendy
March 27, 2020, 12:24pm
19
Only if you access directly with the IP. Don't expect the broadcasts to work over the routed tunnel.
b.bo
March 27, 2020, 12:35pm
20
What IP are you talking about? Wan IP ?
