HTTPS forwarding

Hi,
I have an old TP-Link router on which I once installed OpenWrt; I don't even know which model and version. Everything used to work fine until ...

See, I have an externally hosted server (a vServer) which I have set up as an OpenVPN server with my domain mapped to it. This vServer was recently erased and moved to a new IP address by the provider, and I had to set up OpenVPN and the iptables rules all anew.

My OpenWrt router is connected to this VPN; it's got a tun interface with a VPN IP address.
Behind the OpenWrt I have a Raspberry Pi which I use as an HTTPS server. It is not directly connected to the VPN but can be reached from the vServer, meaning I have this route on the vServer:

192.168.111.0/24 via 10.8.0.12 dev tun0 

With 192.168.111.0/24 being my local LAN and 10.8.0.12 being the IP address of my openwrt inside the vpn.

I am able to ping my Raspberry Pi (192.168.111.242) from the vServer.

I have set up these iptables rules on my vServer to forward incoming HTTPS connections to my Raspberry Pi:

root@vpn:~# more /etc/iptables/rules.v4 | grep 443
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.111.242:443
root@vpn:~# more /etc/iptables/rules.v4 | grep ESTABLISHED
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

I also added these logging rules:

iptables -A INPUT -p tcp -m tcp --dport 443 -j LOG
iptables -D INPUT -p tcp -m tcp --dport 443 -j LOG
iptables -I INPUT -p tcp -m tcp --dport 443 -j LOG
iptables -I INPUT -p tcp -m tcp --sport 443 -j LOG
iptables -I FORWARD -p tcp -m tcp --dport 443 -j LOG
iptables -I FORWARD -p tcp -m tcp --sport 443 -j LOG
iptables -I OUTPUT -p tcp -m tcp --dport 443 -j LOG
iptables -I OUTPUT -p tcp -m tcp --sport 443 -j LOG
iptables -t nat -I PREROUTING -p tcp -m tcp --dport 443 -j LOG
iptables -t nat -I PREROUTING -p tcp -m tcp --sport 443 -j LOG
iptables -t nat -I POSTROUTING -p tcp -m tcp --dport 443 -j LOG
iptables -t nat -I POSTROUTING -p tcp -m tcp --sport 443 -j LOG
iptables -t nat -I OUTPUT -p tcp -m tcp --dport 443 -j LOG
iptables -t nat -I OUTPUT -p tcp -m tcp --sport 443 -j LOG

and did

echo 1 > /proc/sys/net/ipv4/ip_forward

When I try to connect via HTTPS to my vServer's IP address, I get:

Aug 10 22:24:18 vpn kernel: [ 2240.284524] IN=ens32 OUT= MAC=fa:b5:4e:71:12:5b:d4:04:ff:f8:98:00:08:00 SRC=89.246.96.128 DST=<MY_IP> LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=52544 DF PROTO=TCP SPT=31796 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 
Aug 10 22:24:18 vpn kernel: [ 2240.284539] IN=ens32 OUT=tun0 MAC=fa:b5:4e:71:12:5b:d4:04:ff:f8:98:00:08:00 SRC=89.246.96.128 DST=192.168.111.242 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=52544 DF PROTO=TCP SPT=31796 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 
Aug 10 22:24:18 vpn kernel: [ 2240.284542] IN= OUT=tun0 SRC=89.246.96.128 DST=192.168.111.242 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=52544 DF PROTO=TCP SPT=31796 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0

So it looks to me like forwarding is working as expected on the vServer. But in the browser I only get connection timeouts.

I tried to debug iptables on OpenWrt, but iptables doesn't seem to log to /var/log/kern.log on OpenWrt. I don't understand what part I am missing, given that it was working fine before my vServer was erased and moved to a new IP address (as mentioned before). No changes were made to my local OpenWrt router or the Raspberry Pi.

Please advise how to troubleshoot this.

Many thanks,
Martin

Run a tcpdump on OpenWrt or the server and verify where the packets are lost. Although, since nothing is logged in OpenWrt about return traffic, I'd say it is dropped by the HTTPS server.

Was there a masquerading or SNATing rule in the previous vServer firewall configuration when everything was working?

Something like

iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE
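As an added example that is not part of the thread, here is a small shell audit for exactly this gap: it reads an iptables-save style rules file (the format of /etc/iptables/rules.v4) and reports a DNAT into the VPN that has no SNAT/MASQUERADE on the tunnel interface. The interface name tun0, the temporary files and the sample rule sets are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example (not the thread's own file). With DNAT alone, the Pi sees the
# client's real address as source and replies via its default gateway (the
# OpenWrt WAN side), not through tun0, so the client never gets the SYN-ACK and
# the browser times out. MASQUERADE on tun0 rewrites the source to the server's
# tunnel address, so the Pi's reply goes back through the tunnel.

# check_vpn_dnat FILE IFACE
#   returns 0: DNAT found and a SNAT/MASQUERADE out of IFACE found
#   returns 1: DNAT found but no SNAT/MASQUERADE out of IFACE (asymmetric return)
#   returns 2: no DNAT rule at all
check_vpn_dnat() {
    file=$1
    iface=$2
    grep -q -- '-A PREROUTING .*-j DNAT' "$file" || return 2
    grep -qE -- "-A POSTROUTING .*-o $iface .*-j (MASQUERADE|SNAT)" "$file" && return 0
    return 1
}

# Constructed sample: the nat table as the poster described it (DNAT only).
BROKEN_RULES=$(mktemp)
cat > "$BROKEN_RULES" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.111.242:443
COMMIT
*filter
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF

# Constructed sample: same file with the MASQUERADE rule from the reply added
# to the nat table (inserted before the first COMMIT, which closes *nat).
FIXED_RULES=$(mktemp)
awk '/^COMMIT$/ && !done { print "-A POSTROUTING -o tun0 -j MASQUERADE"; done=1 } { print }' \
    "$BROKEN_RULES" > "$FIXED_RULES"

for f in "$BROKEN_RULES" "$FIXED_RULES"; do
    rc=0
    check_vpn_dnat "$f" tun0 || rc=$?
    case $rc in
        0) echo "$f: DNAT has a matching MASQUERADE/SNAT on tun0" ;;
        1) echo "$f: DNAT without SNAT on tun0: replies will bypass the tunnel" ;;
        2) echo "$f: no DNAT rule found" ;;
    esac
done
```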

Thanks, that did it!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

