Incoming Connection to VPN-Router over Main-Router

Hello @vgaetera:

First of all, thanks for the help, but I have to leave really soon, so sorry if I don't get every bit of info together.
My OpenWrt settings are default, nothing changed so far. Only the OpenVPN config for the connection to the VPN provider was added.
VPN client is the GLI-Net router

Source (any from Internet): data packet over port 40980, destination: Laptop
Source (any from Internet): data packet over port 55018, destination: RASPI

Clients of the GLI-NET router:

RAS: Debian Buster, with DHCP running via the networkd service

ifconfig (edited, updated):

enxb827eb5e914a: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.8.215  netmask 255.255.255.0  broadcast 192.168.8.255
        inet6 fe80::ba27:ebff:fe5e:914a  prefixlen 64  scopeid 0x20<link>
        ether b8:27:eb:5e:91:4a  txqueuelen 1000  (Ethernet)
        RX packets 162  bytes 52154 (50.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 200  bytes 25909 (25.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 80  bytes 6480 (6.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 80  bytes 6480 (6.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Gateway is: 192.168.8.1 --- GLI-NET router

Win10:

ipconfig:

DNS suffix: lan
  IPv6: fe80::4943:6c32:8fe1:158a%41
  IPv4: 192.168.8.197
  Subnet mask: 255.255.255.0
  Default gateway: 192.168.8.1 -- GLI-NET router.

Server:

Win10:
Listening on port 40980, tested with a direct connection (with the VPN client on localhost (Win10)) to the main router -- everything works.

RAS:
Listening on port 55018, tested with a direct connection (without VPN connection) to the main router -- everything works.

best regards

This should be possible, although you may need to set up VPN-PBR.

Does this also work with maybe some traffic rules with port forwarding?

I have no experience with PBR.

best regards

But I think it's not a big deal, is it?

Just 4-5 rules with port forwarding I think, or am I wrong?

best regards

Okay, I've installed the PBR package, so now some configs from my Gli-net router:

Note: my Raspi is at the moment connected through the main router because I have to provide the server endpoint for some clients now. But if I can reproduce the setup with my Win10 server, I can transfer it then.

iptables-save:

# Generated by iptables-save v1.6.2 on Sat Aug  8 14:27:56 2020
*nat
:PREROUTING ACCEPT [2365:430484]
:INPUT ACCEPT [233:15199]
:OUTPUT ACCEPT [873:72236]
:POSTROUTING ACCEPT [638:27311]
:GL_SPEC_DMZ - [0:0]
:GL_SPEC_FORWARDING - [0:0]
:postrouting_guestzone_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_ovpn_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_guestzone_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_ovpn_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_guestzone_postrouting - [0:0]
:zone_guestzone_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_ovpn_postrouting - [0:0]
:zone_ovpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -j GL_SPEC_DMZ
-A PREROUTING -j GL_SPEC_FORWARDING
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i br-guest -m comment --comment "!fw3" -j zone_guestzone_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_ovpn_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o br-guest -m comment --comment "!fw3" -j zone_guestzone_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_ovpn_postrouting
-A zone_guestzone_postrouting -m comment --comment "!fw3: Custom guestzone postrouting rule chain" -j postrouting_guestzone_rule
-A zone_guestzone_prerouting -m comment --comment "!fw3: Custom guestzone prerouting rule chain" -j prerouting_guestzone_rule
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_ovpn_postrouting -m comment --comment "!fw3: Custom ovpn postrouting rule chain" -j postrouting_ovpn_rule
-A zone_ovpn_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_ovpn_prerouting -m comment --comment "!fw3: Custom ovpn prerouting rule chain" -j prerouting_ovpn_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Sat Aug  8 14:27:56 2020
# Generated by iptables-save v1.6.2 on Sat Aug  8 14:27:56 2020
*mangle
:PREROUTING ACCEPT [703180:779961135]
:INPUT ACCEPT [279824:395703143]
:FORWARD ACCEPT [422294:383952931]
:OUTPUT ACCEPT [146868:16515344]
:POSTROUTING ACCEPT [568290:400398953]
:mwan3_connected - [0:0]
:mwan3_hook - [0:0]
:mwan3_iface_in_wan - [0:0]
:mwan3_iface_out_wan - [0:0]
:mwan3_ifaces_in - [0:0]
:mwan3_ifaces_out - [0:0]
:mwan3_policy_default_poli - [0:0]
:mwan3_rules - [0:0]
-A PREROUTING -j mwan3_hook
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone ovpn MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j mwan3_hook
-A mwan3_connected -m set --match-set mwan3_connected dst -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_hook -j CONNMARK --restore-mark --nfmask 0x3f00 --ctmask 0x3f00
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_in
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_connected
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_out
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_rules
-A mwan3_hook -j CONNMARK --save-mark --nfmask 0x3f00 --ctmask 0x3f00
-A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_connected
-A mwan3_iface_in_wan -i eth0.2 -m set --match-set mwan3_connected src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_iface_in_wan -i eth0.2 -m mark --mark 0x0/0x3f00 -m comment --comment wan -j MARK --set-xmark 0x100/0x3f00
-A mwan3_iface_out_wan -o eth0.2 -m mark --mark 0x0/0x3f00 -m comment --comment wan -j MARK --set-xmark 0x100/0x3f00
-A mwan3_ifaces_in -m mark --mark 0x0/0x3f00 -j mwan3_iface_in_wan
-A mwan3_ifaces_out -m mark --mark 0x0/0x3f00 -j mwan3_iface_out_wan
-A mwan3_policy_default_poli -m mark --mark 0x0/0x3f00 -m comment --comment "wan 3 3" -j MARK --set-xmark 0x100/0x3f00
-A mwan3_rules -m mark --mark 0x0/0x3f00 -m comment --comment default_rule -j mwan3_policy_default_poli
COMMIT
# Completed on Sat Aug  8 14:27:56 2020
# Generated by iptables-save v1.6.2 on Sat Aug  8 14:27:56 2020
*filter
:INPUT ACCEPT [12:630]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:GL_SPEC_OPENING - [0:0]
:forwarding_guestzone_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_ovpn_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_guestzone_rule - [0:0]
:input_lan_rule - [0:0]
:input_ovpn_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_guestzone_rule - [0:0]
:output_lan_rule - [0:0]
:output_ovpn_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guestzone_dest_ACCEPT - [0:0]
:zone_guestzone_dest_REJECT - [0:0]
:zone_guestzone_forward - [0:0]
:zone_guestzone_input - [0:0]
:zone_guestzone_output - [0:0]
:zone_guestzone_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_ovpn_dest_ACCEPT - [0:0]
:zone_ovpn_dest_REJECT - [0:0]
:zone_ovpn_forward - [0:0]
:zone_ovpn_input - [0:0]
:zone_ovpn_output - [0:0]
:zone_ovpn_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -j GL_SPEC_OPENING
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i br-guest -m comment --comment "!fw3" -j zone_guestzone_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_ovpn_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i br-guest -m comment --comment "!fw3" -j zone_guestzone_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_ovpn_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o br-guest -m comment --comment "!fw3" -j zone_guestzone_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_ovpn_output
-A GL_SPEC_OPENING -p tcp -m tcp --dport 44180 -j ACCEPT
-A GL_SPEC_OPENING -p udp -m udp --dport 44180 -j ACCEPT
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_guestzone_dest_ACCEPT -o br-guest -m comment --comment "!fw3" -j ACCEPT
-A zone_guestzone_dest_REJECT -o br-guest -m comment --comment "!fw3" -j reject
-A zone_guestzone_forward -m comment --comment "!fw3: Custom guestzone forwarding rule chain" -j forwarding_guestzone_rule
-A zone_guestzone_forward -m comment --comment "!fw3: Zone guestzone to ovpn forwarding policy" -j zone_ovpn_dest_ACCEPT
-A zone_guestzone_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_guestzone_forward -m comment --comment "!fw3" -j zone_guestzone_dest_REJECT
-A zone_guestzone_input -m comment --comment "!fw3: Custom guestzone input rule chain" -j input_guestzone_rule
-A zone_guestzone_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: guestzone_DHCP" -j ACCEPT
-A zone_guestzone_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: guestzone_DNS" -j ACCEPT
-A zone_guestzone_input -p udp -m udp --dport 53 -m comment --comment "!fw3: guestzone_DNS" -j ACCEPT
-A zone_guestzone_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_guestzone_input -m comment --comment "!fw3" -j zone_guestzone_src_REJECT
-A zone_guestzone_output -m comment --comment "!fw3: Custom guestzone output rule chain" -j output_guestzone_rule
-A zone_guestzone_output -m comment --comment "!fw3" -j zone_guestzone_dest_ACCEPT
-A zone_guestzone_src_REJECT -i br-guest -m comment --comment "!fw3" -j reject
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to ovpn forwarding policy" -j zone_ovpn_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_ovpn_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_ovpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_ovpn_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
-A zone_ovpn_forward -m comment --comment "!fw3: Custom ovpn forwarding rule chain" -j forwarding_ovpn_rule
-A zone_ovpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_ovpn_forward -m comment --comment "!fw3" -j zone_ovpn_dest_REJECT
-A zone_ovpn_input -m comment --comment "!fw3: Custom ovpn input rule chain" -j input_ovpn_rule
-A zone_ovpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_ovpn_input -m comment --comment "!fw3" -j zone_ovpn_src_ACCEPT
-A zone_ovpn_output -m comment --comment "!fw3: Custom ovpn output rule chain" -j output_ovpn_rule
-A zone_ovpn_output -m comment --comment "!fw3" -j zone_ovpn_dest_ACCEPT
-A zone_ovpn_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sat Aug  8 14:27:56 2020

uci network:

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd62:0a80:c91b::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.hostname='GL-MT300N-V2-45f'
network.lan.ipaddr='192.168.8.1'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='dhcp'
network.wan.hostname='GL-MT300N-V2-45f'
network.wan.metric='10'
network.wan_dev=device
network.wan_dev.name='eth0.2'
network.wan_dev.macaddr='e4:95:6e:46:64:5f'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.wan6.disabled='1'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='1 6t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='0 6t'
network.@route[0]=route
network.@route[0].interface='lan'
network.@route[0].target='192.168.2.0/24'
network.@route[0].gateway='192.168.2.1'
network.@route[0].type='local'
network.guest=interface
network.guest.ifname='guest'
network.guest.type='bridge'
network.guest.proto='static'
network.guest.ipaddr='192.168.9.1'
network.guest.netmask='255.255.255.0'
network.guest.ip6assign='60'
network.ovpn=interface
network.ovpn.ifname='tun0'
network.ovpn.proto='none'

best regards

I believe, you should create policies for the outgoing traffic related to the forwarded ports.
In addition, upgrade to the latest stable OpenWrt release if possible, as older versions may have interoperability issues for mwan3 and vpn-policy-routing.

I want to stick with the stable versions which are supplied by the GLI-Net company,
because for some configs their GUI is helpful.
Maybe I would do so if some issues came up.

So thanks so far, I have to read and dig in a little bit, or at least I'll try.

Update:
One more note: I've also configured remote ports on the related VPN server itself; maybe this plays a role, sorry I forgot.

best regards


OK, now after a little bit of research, I'm coming to a point where I ask myself: do I need vpn-policy-routing?

I only need a rule for an incoming port, so I'm not sure what I need it for; maybe I'm overlooking something.

If so, I have to know 3 things:

1. I understand what the app does: create tables, mark packets, assign the rules to the created tables, but what I don't get is what mwan3 does.

2. Furthermore, I'm not quite sure if I understand how the app handles the rules from local to remote.
I think local is always the local source here in my network and remote is always what is outside my LAN. Is that correct, or do I have to think the other way round in some cases?

3. What happens if I leave the IP addresses field blank in the GUI? Is this like a wildcard?
For example, I only fill out the remote port field.

Here is the section from iptables:

-A PREROUTING -j mwan3_hook
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone ovpn MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j mwan3_hook
-A VPR_PREROUTING -p udp -m multiport --dports 23450 -m comment --comment test-air -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -p tcp -m multiport --dports 23450 -m comment --comment test-air -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set ovpn dst -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -j MARK --set-xmark 0x10000/0xff0000
-A mwan3_connected -m set --match-set mwan3_connected dst -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_hook -j CONNMARK --restore-mark --nfmask 0x3f00 --ctmask 0x3f00
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_in
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_connected
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_out
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_rules
-A mwan3_hook -j CONNMARK --save-mark --nfmask 0x3f00 --ctmask 0x3f00
-A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_connected
-A mwan3_iface_in_wan -i eth0.2 -m set --match-set mwan3_connected src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_iface_in_wan -i eth0.2 -m mark --mark 0x0/0x3f00 -m comment --comment wan -j MARK --set-xmark 0x100/0x3f00
-A mwan3_iface_out_wan -o eth0.2 -m mark --mark 0x0/0x3f00 -m comment --comment wan -j MARK --set-xmark 0x100/0x3f00
-A mwan3_ifaces_in -m mark --mark 0x0/0x3f00 -j mwan3_iface_in_wan
-A mwan3_ifaces_out -m mark --mark 0x0/0x3f00 -j mwan3_iface_out_wan
-A mwan3_policy_default_poli -m mark --mark 0x0/0x3f00 -m comment --comment "wan 3 3" -j MARK --set-xmark 0x100/0x3f00
-A mwan3_rules -m mark --mark 0x0/0x3f00 -m comment --comment default_rule -j mwan3_policy_default_poli
COMMIT

best regards

Mwan3 is not installed by default in the official OpenWrt, so decide for yourself whether you need it or not.

Here, I created a test policy:

# uci show vpn-policy-routing
...
vpn-policy-routing.@policy[0]=policy
vpn-policy-routing.@policy[0].interface='wan'
vpn-policy-routing.@policy[0].name='test'
vpn-policy-routing.@policy[0].src_addr='local'
vpn-policy-routing.@policy[0].src_port='123'
vpn-policy-routing.@policy[0].dest_addr='remote'
vpn-policy-routing.@policy[0].dest_port='456'

It makes clear that local is src and remote is dest.

I believe, all you need is this:

interface='wan'
src_port='list of ports to forward to wan'

So, it should use the WAN interface when sending replies from the forwarded ports back to the internet.

OK, I've made some more tests (connected over a mobile phone LTE connection to test the webserver site):
1.
Connection with Gli-Net through T-Router:
Start a small webserver on port 40980 on the Win10 laptop
OpenVPN client (Gli-net): disabled
PBR: disabled
T-Router: forward to Glinet (port 40980)
GLI-Net: forward to Win10 client laptop (port 40980)
Works!!!

2.
Connection with Gli-Net through T-Router:
Start a small webserver on port 40980 (Win10 laptop)
OpenVPN client (Gl-net): enabled
PBR: enabled

config vpn-policy-routing 'config'
	option verbosity '2'
	option strict_enforcement '1'
	option src_ipset '0'
	option ipv6_enabled '0'
	list supported_interface ''
	list ignored_interface 'vpnserver wgserver'
	option boot_timeout '30'
	option iptables_rule_option 'append'
	option iprule_enabled '0'
	option webui_enable_column '0'
	option webui_protocol_column '0'
	option webui_chain_column '0'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	option dest_ipset 'ipset'
	option enabled '1'

config include
	option path '/etc/vpn-policy-routing.netflix.user'
	option enabled '0'

config include
	option path '/etc/vpn-policy-routing.aws.user'
	option enabled '0'

config policy
	option name 'test-air'
	option src_addr '192.168.8.197'
	option src_port '40980'
	option interface 'wan'
	option dest_addr '178.162.212.214'
	option dest_port '40980'

T-Router: forward to Glinet (port 40980)
GLI-Net: forward to Win10 client laptop (port 40980)
Doesn't work

Here is a picture of my remote port configured on the VPN service panel:

[image: airvpn-unc]

So I think something blocks if the OpenVPN client is turned on.

best regards

Remove the destination options.
You need to reply on the request from the internet.
It typically uses a dynamic port and has no fixed IP address.
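As an added example (not from the thread), the two replies above expressed as uci commands: a fw3 redirect for the server port into the LAN host, and a vpn-policy-routing policy carrying only `interface` and `src_port` with no destination fields, because the Internet client's address and ephemeral port are not known in advance. Port, host and policy name are the ones from this thread; the source zone is a parameter so the same function covers a forward from the `ovpn` zone when the VPN provider forwards the port through the tunnel. The script only prints the commands unless `APPLY=1` is set, so it can be reviewed before it touches a router.

```shell
#!/bin/sh
# Added example (not from the thread): the uci equivalent of the advice in the
# replies above. 1) a fw3 redirect (DNAT) for the server port into the LAN host;
# 2) a vpn-policy-routing policy that carries only interface + src_port, so the
# server's replies *from* that port leave via wan instead of tun0, whatever
# address and ephemeral port the Internet client used (hence no dest_* options).
# Values follow the thread: port 40980, LAN host 192.168.8.197, policy name
# test-air. Dry run by default: commands are only printed; set APPLY=1 to run.

run() { if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi; }

# add_forward SRC_ZONE PORT DEST_IP
# One redirect from SRC_ZONE (wan, or ovpn when the VPN provider forwards the
# port through the tunnel) to DEST_IP:PORT for tcp and udp.
add_forward() {
    zone=$1; port=$2; dest=$3
    run uci add firewall redirect
    run uci set "firewall.@redirect[-1].name=fwd_${zone}_${port}"
    run uci set "firewall.@redirect[-1].src=${zone}"
    run uci set "firewall.@redirect[-1].src_dport=${port}"
    run uci set "firewall.@redirect[-1].dest=lan"
    run uci set "firewall.@redirect[-1].dest_ip=${dest}"
    run uci set "firewall.@redirect[-1].dest_port=${port}"
    run uci set "firewall.@redirect[-1].proto=tcp udp"
    run uci set "firewall.@redirect[-1].target=DNAT"
}

# add_reply_policy NAME PORT
# Only interface and src_port: local is src, remote is dest, and the remote
# side is unknown in advance, so it is left unset. A redirect from the ovpn
# zone does not need this policy, since its replies already belong on tun0.
add_reply_policy() {
    name=$1; port=$2
    run uci add vpn-policy-routing policy
    run uci set "vpn-policy-routing.@policy[-1].name=${name}"
    run uci set "vpn-policy-routing.@policy[-1].interface=wan"
    run uci set "vpn-policy-routing.@policy[-1].src_port=${port}"
}

commit_all() {
    run uci commit firewall
    run uci commit vpn-policy-routing
    run /etc/init.d/firewall restart
    run /etc/init.d/vpn-policy-routing restart
}

add_forward wan 40980 192.168.8.197
add_reply_policy test-air 40980
commit_all
```

After applying, `iptables -t mangle -S VPR_PREROUTING` should show the policy as a `--sport 40980` match that sets the wan mark (`0x10000/0xff0000` in the dump above), and `iptables -t nat -S zone_wan_prerouting` the DNAT to 192.168.8.197.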


OK, it's really weird, sometimes it works, sometimes not; then I looked at the system log and I got an error from PBR:

ERROR: Failed to set up 'wan/eth0.2/192.168.2.1' ERROR: iptables -t mangle -I VPR_PREROUTING -j MARK --set-xmark 0x010000/0xff0000 -p tcp -s 192.168.8.197 -m multiport --sport 40980 -m comm

Maybe a clean OpenWrt is the only option for a properly working system.

best regards


The error seems critical for the task, though I'm not sure why this is happening.
It looks like a race condition, perhaps related to the state of the WAN interface.

Update: I've downgraded to a stable version of the Glinet OS based on OpenWrt; now the error is gone and I have a setup which seems to work with my small demo webserver.
And the PBR daemon is stopped.

Snippet from iptables-save (only the added rules):

-A PREROUTING -i tun0 -p udp -m udp --dport 40980 -j DNAT --to-destination 192.168.8.197
-A PREROUTING -i tun0 -p tcp -m tcp --dport 40980 -j DNAT --to-destination 192.168.8.197
-A FORWARD -d 192.168.8.197/32 -i tun0 -p tcp -m tcp --dport 40980 -j ACCEPT
-A FORWARD -d 192.168.8.197/32 -i tun0 -p udp -m udp --dport 40980 -j ACCEPT

This is the part from the Glinet GUI:

-A GL_SPEC_OPENING -p tcp -m tcp --dport 40981 -j ACCEPT
-A GL_SPEC_OPENING -p udp -m udp --dport 40981 -j ACCEPT
-A GL_SPEC_OPENING -p tcp -m tcp --dport 40980 -j ACCEPT
-A GL_SPEC_OPENING -p udp -m udp --dport 40980 -j ACCEPT

Maybe I'm able to leave out some of these, but as I said, at the moment it seems to work.

Edit:
Update:
OK, DynDNS seems to work as well; now I have to deploy this on my RAS server daemon.

best regards


Update:

I've started my server service on my RAS successfully, everything seems pretty good so far.

So, up to here, thanks to @vgaetera for the guidance, you're great.

best regards


Update:

OK, maybe I have to split my connections, because the ping is too bad for the incoming connections for the server part.

So maybe I need to separate the incoming connections from the VPN part.
But I'm not sure if this is possible with the constellation above, because the incoming connections come to the T-Com router first, and on that one there is no possibility to modify it at the OpenWrt level.
Or is it also possible to set this up on the second one (Glinet router)?

I tried to search for some solutions and I think I need something like this:

iptables -t nat -I PREROUTING -p tcp -d "T-Com-Router-Internet-Adress" or "Dyn-Host Entry" --dport 'Port' -j DNAT --to-destination "T-Com Router"

But maybe the combination isn't possible (because the T-Com router is the first one in the chain and not modifiable) and makes no sense, I don't know.

best regards
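One standard way to do what the post above asks for on the second (OpenWrt) router, as an added example that is not from the thread and does not rely on the vpn-policy-routing package: connections that arrive on the physical WAN interface get a connmark, the mark is restored onto their reply packets, and an `ip rule` sends marked packets through a routing table whose only default route is the WAN gateway, while everything unmarked keeps following the VPN default route. It assumes the interface names from the thread (`eth0.2` for WAN, `tun0` for the tunnel) and the WAN gateway `192.168.2.1` that appears in the PBR error line; table number 100 and mark bit `0x80` are chosen here. Commands are printed unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not from the thread: let a LAN server answer connections that
# came in on the physical WAN via the WAN again, while the VPN tunnel stays the
# default route for everything else. No vpn-policy-routing package needed.
#
# Mechanism: 1) new connections entering on WAN_IF to the forwarded ports get a
# connmark; 2) the connmark is copied back onto every later packet of those
# connections (the server's replies arrive from br-lan and hit PREROUTING);
# 3) an ip rule sends packets carrying the mark to a table whose default route
# is the WAN gateway; unmarked packets keep the tun0 default route.
#
# Assumptions: WAN is eth0.2 and its gateway is 192.168.2.1 (both visible in the
# thread's dump/log); table 100 and mark bit 0x80 are chosen here and do not
# overlap the mwan3 (0x3f00) or PBR (0xff0000) mark bits seen in the dump.
# Dry run by default: commands are only printed; set APPLY=1 to execute them.

WAN_IF=${WAN_IF:-eth0.2}
WAN_GW=${WAN_GW:-192.168.2.1}
TABLE=${TABLE:-100}
MARK=0x80/0x80

run() { if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi; }

# wan_ingress_marks PORT... : connmark new tcp+udp connections to PORT on WAN_IF.
# Mangle PREROUTING runs before the nat DNAT, so --dport is the original port.
wan_ingress_marks() {
    for port in "$@"; do
        for proto in tcp udp; do
            run iptables -t mangle -A PREROUTING -i "$WAN_IF" -p "$proto" \
                --dport "$port" -m conntrack --ctstate NEW \
                -j CONNMARK --set-xmark "$MARK"
        done
    done
}

# restore_marks : copy the connmark onto packets of marked connections so the
# routing decision (taken right after PREROUTING) can see it.
restore_marks() {
    run iptables -t mangle -A PREROUTING -m connmark --mark "$MARK" \
        -j CONNMARK --restore-mark --nfmask 0x80 --ctmask 0x80
}

# wan_reply_route : marked packets use TABLE, whose only default is WAN_GW.
wan_reply_route() {
    run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$TABLE"
    run ip rule add fwmark "$MARK" lookup "$TABLE" priority 1000
    # Strict reverse-path filtering on WAN_IF would drop the inbound packets,
    # because the main-table route back to their source points at tun0; loose
    # mode (2) only requires that the source is reachable via some interface.
    # Written to /proc directly, since sysctl keys with dotted interface names
    # such as eth0.2 are ambiguous.
    if [ "${APPLY:-0}" = "1" ]; then
        echo 2 > "/proc/sys/net/ipv4/conf/$WAN_IF/rp_filter"
    else
        printf 'echo 2 > /proc/sys/net/ipv4/conf/%s/rp_filter\n' "$WAN_IF"
    fi
}

# Order matters: mark first, restore second, then the routing rule.
wan_ingress_marks 40980 55018
restore_marks
wan_reply_route
```

The DNAT port forwards themselves stay as fw3 redirects from the wan zone. With fw3, the iptables lines belong in `/etc/firewall.user` so they survive a firewall restart, and the `ip route`/`ip rule` lines in a hotplug script for the wan interface so they are re-added after a WAN reconnect. `ip rule add` is not idempotent; running the script twice leaves a duplicate rule, which is harmless but worth an `ip rule del` first when reworking it.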

There's a workaround method:

@vgaetera

So I have to think vice versa? How and why? *confused*

Do I need an "ignored interface" flag?

best regards

@vgaetera

So... what can I do to separate my outgoing and incoming connections for the VPN?

I think I don't really get it.

best regards

@bumped up