Hi,
I have an old TP-Link router on which I once installed OpenWrt; I don't even know which model and version. Everything used to work fine until ...
See, I have an externally hosted vServer which I have set up as an OpenVPN server, with my domain mapped to it. This vServer was recently erased and moved to a new IP address by the provider, and I had to set up OpenVPN and the iptables rules all anew.
My OpenWrt router is connected to this VPN; it has a tun interface with a VPN IP address.
Behind the OpenWrt I have a Raspberry Pi which I use as an HTTPS server. It is not directly connected to the VPN but can be reached from the vServer, meaning I have this route on the vServer:
192.168.111.0/24 via 10.8.0.12 dev tun0
With 192.168.111.0/24 being my local LAN and 10.8.0.12 being the IP address of my openwrt inside the vpn.
I am able to ping my raspberry (192.168.111.242) from the vServer.
I have set up these iptables rules on my vServer to forward incoming HTTPS connections to my Raspberry Pi:
root@vpn:~# more /etc/iptables/rules.v4 | grep 443
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.111.242:443
root@vpn:~# more /etc/iptables/rules.v4 | grep ESTABLISHED
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
I also added these logging rules:
iptables -A INPUT -p tcp -m tcp --dport 443 -j LOG
iptables -D INPUT -p tcp -m tcp --dport 443 -j LOG
iptables -I INPUT -p tcp -m tcp --dport 443 -j LOG
iptables -I INPUT -p tcp -m tcp --sport 443 -j LOG
iptables -I FORWARD -p tcp -m tcp --dport 443 -j LOG
iptables -I FORWARD -p tcp -m tcp --sport 443 -j LOG
iptables -I OUTPUT -p tcp -m tcp --dport 443 -j LOG
iptables -I OUTPUT -p tcp -m tcp --sport 443 -j LOG
iptables -t nat -I PREROUTING -p tcp -m tcp --dport 443 -j LOG
iptables -t nat -I PREROUTING -p tcp -m tcp --sport 443 -j LOG
iptables -t nat -I POSTROUTING -p tcp -m tcp --dport 443 -j LOG
iptables -t nat -I POSTROUTING -p tcp -m tcp --sport 443 -j LOG
iptables -t nat -I OUTPUT -p tcp -m tcp --dport 443 -j LOG
iptables -t nat -I OUTPUT -p tcp -m tcp --sport 443 -j LOG
and did
echo 1 > /proc/sys/net/ipv4/ip_forward
When I try to connect via https to my vServer's IP address, I get:
Aug 10 22:24:18 vpn kernel: [ 2240.284524] IN=ens32 OUT= MAC=fa:b5:4e:71:12:5b:d4:04:ff:f8:98:00:08:00 SRC=89.246.96.128 DST=<MY_IP> LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=52544 DF PROTO=TCP SPT=31796 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 10 22:24:18 vpn kernel: [ 2240.284539] IN=ens32 OUT=tun0 MAC=fa:b5:4e:71:12:5b:d4:04:ff:f8:98:00:08:00 SRC=89.246.96.128 DST=192.168.111.242 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=52544 DF PROTO=TCP SPT=31796 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 10 22:24:18 vpn kernel: [ 2240.284542] IN= OUT=tun0 SRC=89.246.96.128 DST=192.168.111.242 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=52544 DF PROTO=TCP SPT=31796 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
So it looks to me like forwarding is working as expected on the vServer. But in the browser I only get connection timeouts.
I tried to debug iptables on OpenWrt, but iptables doesn't seem to log to /var/log/kern.log on OpenWrt. I don't understand what part I am missing, given that it was working fine before my vServer was erased and moved to a new IP address (as mentioned before). No changes were made to my local OpenWrt router or the Raspberry Pi.
Please advise how to troubleshoot this.
Many thanks,
Martin
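Added example, not part of Martin's post: a small Python script that parses netfilter LOG lines like the three quoted above, groups them per client connection, classifies each hop from the IN/OUT fields (IN only = nat PREROUTING or local INPUT, IN+OUT = FORWARD, OUT only = POSTROUTING) and reports whether any reply with source port 443 ever passed back through the host. The three lines from the post are included verbatim (with the <MY_IP> placeholder kept); the second flow, from the documentation address 203.0.113.7, is constructed to show what a complete exchange looks like. Run over the post's own lines it points at the missing piece a practitioner would check first: the SYN leaves via tun0 correctly DNATed, but no packet with SPT=443 ever comes back, so the Raspberry Pi's SYN-ACK to 89.246.96.128 is not being routed back through the OpenWrt into tun0 (and, because the vServer does not SNAT the forwarded traffic, it can only be un-DNATed if it returns through the vServer).

```python
"""Post-mortem for a DNAT-through-VPN setup: parse netfilter LOG lines and,
per client connection, report which hops the inbound SYN passed and whether
any reply (source port 443) ever came back through the box.

Added example; not code from the original post.  SAMPLE_LINES[0:3] are the
lines quoted in the post, the rest are constructed to show a healthy flow.
"""
import re
from collections import defaultdict

KV_RE = re.compile(r"(\w+)=(\S*)")          # KEY=VALUE pairs; VALUE may be empty (IN= / OUT=)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
SERVICE_PORT = "443"

_HDR = "Aug 10 22:24:18 vpn kernel: "
_MAC = "MAC=fa:b5:4e:71:12:5b:d4:04:ff:f8:98:00:08:00 "
SAMPLE_LINES = [
    # --- the three lines from the post (prerouting, forward, postrouting of one SYN) ---
    _HDR + "[ 2240.284524] IN=ens32 OUT= " + _MAC + "SRC=89.246.96.128 DST=<MY_IP> LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=52544 DF PROTO=TCP SPT=31796 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0",
    _HDR + "[ 2240.284539] IN=ens32 OUT=tun0 " + _MAC + "SRC=89.246.96.128 DST=192.168.111.242 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=52544 DF PROTO=TCP SPT=31796 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0",
    _HDR + "[ 2240.284542] IN= OUT=tun0 SRC=89.246.96.128 DST=192.168.111.242 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=52544 DF PROTO=TCP SPT=31796 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0",
    # --- constructed: a second client whose SYN-ACK does come back through tun0 ---
    _HDR + "[ 2583.100001] IN=ens32 OUT= " + _MAC + "SRC=203.0.113.7 DST=<MY_IP> LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0",
    _HDR + "[ 2583.100010] IN=ens32 OUT=tun0 " + _MAC + "SRC=203.0.113.7 DST=192.168.111.242 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0",
    _HDR + "[ 2583.150000] IN=tun0 OUT=ens32 SRC=192.168.111.242 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=443 DPT=40000 WINDOW=65160 RES=0x00 ACK SYN URGP=0",
]


def parse_log_line(line):
    """Split a kernel LOG line into its KEY=VALUE fields; bare TCP flag tokens go into 'FLAGS'."""
    if "PROTO=" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    fields["FLAGS"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields


def classify_hop(fields):
    """Infer the hook from which interfaces are present: IN only = before the routing
    decision (nat PREROUTING, or INPUT for local delivery), IN+OUT = FORWARD,
    OUT only = POSTROUTING (the kernel passes no input device there)."""
    has_in, has_out = bool(fields.get("IN")), bool(fields.get("OUT"))
    if has_in and has_out:
        return "forward"
    if has_in:
        return "prerouting"
    if has_out:
        return "postrouting"
    return "unknown"


def analyze(lines):
    """Group lines into flows keyed by (client ip, client port) and summarise each one."""
    flows = defaultdict(lambda: {"hops": [], "dnat_to": None, "egress": None, "reply_seen": False})
    for line in lines:
        f = parse_log_line(line)
        if f is None or f.get("PROTO") != "TCP":
            continue
        if f.get("DPT") == SERVICE_PORT:            # client -> service direction
            flow = flows[(f["SRC"], f["SPT"])]
            hop = classify_hop(f)
            flow["hops"].append(hop)
            if hop != "prerouting":                 # after nat PREROUTING, DST is the DNAT target
                flow["dnat_to"] = f"{f['DST']}:{f['DPT']}"
            if f.get("OUT"):
                flow["egress"] = f["OUT"]
        elif f.get("SPT") == SERVICE_PORT:          # service -> client direction: any reply at all
            flows[(f["DST"], f["DPT"])]["reply_seen"] = True
    return dict(flows)


def verdict(flow):
    """One-line diagnosis for a flow summary produced by analyze()."""
    if flow["reply_seen"]:
        return "OK: reply from the backend passed through this host"
    if "postrouting" in flow["hops"]:
        return (f"no reply: SYN was DNATed to {flow['dnat_to']} and left via {flow['egress']}, "
                "but nothing with source port 443 came back; check the backend's return route "
                "into the tunnel (or SNAT/MASQUERADE the forwarded traffic on the VPN interface)")
    return "SYN never left this host; check ip_forward and the nat PREROUTING / FORWARD rules"


if __name__ == "__main__":
    for (client, port), flow in analyze(SAMPLE_LINES).items():
        print(f"{client}:{port} hops={flow['hops']} -> {verdict(flow)}")
```

Feed it the real log with `analyze(open("/var/log/kern.log").read().splitlines())`; any flow whose hops end at "postrouting" with `reply_seen` False has left the vServer and died somewhere on the far side of the tunnel, which narrows the search to the OpenWrt's routing and firewall for traffic arriving on tun0.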