Incoming connections while using OpenVPN

Hello,

I'm wondering how to allow incoming connections while using an openvpn client on my router. I'm using the openvpn configuration provided by ProtonVPN, and it seems to be pulling several routes from the server which override the default route so that all traffic is forced over the VPN.

After reading about it, it seems I would have to avoid pulling the default routes from the server, and set up a second routing table with policy based routing to route traffic from my LAN to the correct gateway on the VPN interface. What I'm wondering is how to enable incoming connections with that setup?

If traffic from my LAN is being routed to the gateway on the VPN interface, how can I allow connections from the normal WAN interface to be forwarded to a LAN device and allow it to respond? As far as I can tell, if I set up a routing table to send LAN traffic over the VPN interface, when a LAN device receives a connection from WAN, the reply will be routed to the VPN interface rather than the WAN, and the reply will reach the connecting device from the wrong IP.

Apologies if I haven't explained this very well, and apologies that I haven't listed any configurations here, I haven't actually set any of this up yet, just a basic configuration (which works, aside from no incoming connections from WAN).

Any advice would be greatly appreciated.

Thanks

You need to do Policy Based Routing and you have 3 options:

  1. mwan3 package
  2. pbr package
  3. a set of rules/routes for each internet connection.

Better go for #2, more friendly and appropriate.


Would that allow incoming connections from the regular WAN interface though? I would need LAN devices to use the VPN by default, but when they receive an incoming connection from the WAN, the reply from the LAN device would need to be sent back over the WAN rather than the VPN. Is that dealt with by the pbr package?

I've just recently started using a VPN for all of my outgoing traffic, but so far I haven't found a way to allow incoming connections to things like my web server without the replies to connections being sent over the wrong interface (the VPN).

Another option I'm considering is setting up a separate network with VLANs and WiFi SSIDs, but I'd like to make sure it's not possible to have the router track the connection and send replies over the right interface first, especially since I would need to set up VLANs on my server as well.

Thanks for your advice so far btw, I appreciate it. And apologies for the delay in replying.

PBR is not blocking incoming connections. It is directing outgoing packets to the desired interface. But this needs to be preconfigured, so if you have an HTTP server running on a host in the LAN, then you need to make a rule for outgoing packets from that host with source port tcp/80 to use the WAN connection.
I do not know if there is an option to track the connections. You can ask in the support thread though.


I am no expert here, but this "all connections over VPN, but a server directly accessible" setup looks like a risk of leaks.

I would try to open the ports on the VPN server, if that is feasible. Or put the server on a separate network, not connected to the VPN.

Hello,

I agree there are security implications. I do have all server processes running in containers though so I was hoping there would be some way that I could configure certain incoming connections.

I'm starting to think setting up a separate network would be the best approach, but that would involve configuring VLANs on my server as well as the router, and since the server has an unmanaged switch between it and the router, I don't even know if the VLAN tags would reach it. I was hoping it would be possible to maintain the ability to forward ports on my router while using OpenVPN for most outbound traffic.

And unfortunately the VPN provider I am using does not allow incoming connections, only outgoing.

Some do, some don't. It's trial and error.

Also I'm afraid that the pbr (vpn-policy-routing) package won't install on my router, no matter what I try I get "wget returned 8" when trying to download the vpn-policy-routing package from the custom repo.

I'm coming to the conclusion I'm just going to have to give up port forwards unless mwan3 can solve this

Stangri's repository is https, which means that you need a few more packages to enable the secure function of wget.


I installed all of the packages specified on the GitHub pages for vpn-policy-routing and the repo itself, yet still received that error, I'm unsure why.

I think I'll call this a lost cause for now, even using the VLAN approach this is probably going to require setting my router up from scratch to get mwan3 or vpn-policy-routing to work, and I still haven't worked out how I can manually configure routing when the VPN server's gateway IP differs between VPN servers (there are several servers in the OpenVPN configuration, they're chosen at random, all have different gateways).

Thanks anyway

Nevermind, seems like opkg was trying to fetch the wrong package file from the repo, I've downloaded it manually and got them installed, so hopefully vpn-policy-routing will do the trick after all.

Thanks for the suggestion! I'll work on setting this up tomorrow and see how it goes.

Sorry for the delay, vpn-policy-routing, along with a route-up script seems to have been the solution.

ProtonVPN seems to be overriding all default routes using two routes (0.0.0.0/1 and 128.0.0.0/1) rather than a single 0.0.0.0/0 (default) route. So I wrote a simple openvpn route-up script that finds the two routes, changes the 0.0.0.0/1 route to a normal default route with metric 10, and deletes the other (128.0.0.0/1) route. So the two routes become "default via dev tun1 metric 10". I then set my regular WAN interface to metric 20 so that the VPN takes priority.

After enabling vpn-policy-routing (which started up with no issues), I can now configure which interface is used depending on IP and/or port, so I should be able to set up incoming connections from the WAN by setting the server's LAN IP to use the WAN rather than the VPN using a policy.

Thank you very much for your help, much appreciated!

Also the route-up script turned out to be unnecessary. Using the following in the OpenVPN config had the same effect:

pull-filter ignore "redirect-gateway"
route 0.0.0.0 0.0.0.0 default 10

Edit: Actually no that didn't work, the redirect-gateway def1 from the server was needed, so I'm still using a route-up script to replace the /1 routes with a /0 (default) route.
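A route-up script of the kind described above, written here as an added example (it is not the poster's script and not part of OpenVPN's or ProtonVPN's configuration). It reads the main table, deletes the two def1 halves and installs a single default route via the tunnel at the requested metric; with DRY_RUN=1 it prints the commands instead of running them, which lets it be checked against a saved `ip route show` dump before it touches a live router. It assumes OpenVPN is started with `script-security 2` and `route-up /path/to/script`, and relies on the environment variables OpenVPN documents for scripts (`dev`, `route_vpn_gateway`, `script_type`); the metric 10 is the value used in the thread, and the device and gateway names in the comments are placeholders. One caveat worth keeping in mind when reading the later replies about metrics: the longest-prefix argument applies to the pushed /1 routes, which beat any /0 default regardless of metric. Once they have been collapsed into a /0 default, as this script does, the VPN and WAN defaults differ only in metric, so for this particular setup the metric does decide which one wins.

```shell
#!/bin/sh
# OpenVPN route-up hook (added example, not the thread author's script).
# "redirect-gateway def1" installs 0.0.0.0/1 and 128.0.0.0/1 via the tunnel;
# this turns them into one ordinary default route with a metric so that
# policy routing can still hand selected traffic to the WAN default.
# Assumptions: OpenVPN exports $dev, $route_vpn_gateway and $script_type to
# route-up scripts; "ip" is iproute2 or busybox ip; VPN_METRIC defaults to 10.
# DRY_RUN=1 prints the commands instead of executing them.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Given "ip route show" output on stdin, print the gateway of the 0.0.0.0/1
# route pushed by def1, or nothing if that route is not present.
def1_gateway() {
    awk '$1 == "0.0.0.0/1" { for (i = 2; i <= NF; i++) if ($i == "via") { print $(i + 1); exit } }'
}

# collapse_def1 DEV GW [METRIC]: read the current routes on stdin, delete the
# two /1 halves and install a single default route via the tunnel.
# Returns 0 when both halves were found and replaced, 1 otherwise.
collapse_def1() {
    dev=$1; gw=$2; metric=${3:-10}
    routes=$(cat)
    found=0
    for half in 0.0.0.0/1 128.0.0.0/1; do
        if printf '%s\n' "$routes" | grep -q "^$half via $gw dev $dev"; then
            run ip route del "$half" via "$gw" dev "$dev"
            found=$((found + 1))
        fi
    done
    [ "$found" -eq 2 ] || return 1
    # "replace" rather than "add": a reconnect to another server (different
    # gateway) re-runs this hook and must not fail on an existing default.
    run ip route replace default via "$gw" dev "$dev" metric "$metric"
}

# When invoked by OpenVPN as a route-up script, act on the live routing table.
# The gateway normally comes from OpenVPN; fall back to reading it from the
# pushed 0.0.0.0/1 route if the variable is missing.
if [ "${script_type:-}" = "route-up" ]; then
    routes=$(ip route show)
    gw=${route_vpn_gateway:-$(printf '%s\n' "$routes" | def1_gateway)}
    printf '%s\n' "$routes" | collapse_def1 "$dev" "$gw" "${VPN_METRIC:-10}"
fi
```

To preview what the hook would do on a router, save the current table with `ip route show > /tmp/routes` and run `DRY_RUN=1 sh -c '. ./route-up.sh; collapse_def1 tun1 10.8.0.1 10' < /tmp/routes` (device and gateway are placeholders here). The script deliberately does nothing unless both halves are present, so a server that pushes a plain default route, or no redirect at all, is left untouched.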

That was not necessary. VPN has precedence anyway due to longer match on the routes.

I'm not sure what you mean. If I hadn't specified metrics, both WAN and VPN interfaces would've had metric 0, wouldn't they? How would one take priority over the other?

When metrics match, the route that is more specific (longer mask) is chosen.


Oh, I didn't know that, thanks. The setup instructions for vpn-policy-routing said to set up metrics for the interfaces so I assumed it was necessary.

Another problem I'm now having is that I can't configure incoming connections to the router itself. Port forwards are working fine, I set up a routing policy so that packets from my web server's LAN IP on ports 80 and 443 are routed out of the WAN interface, and I'm able to access my web server as expected:

But when I configured a routing policy to allow an OpenVPN server running on the router itself to be accessed from the WAN, it doesn't seem to work. I even tried stopping the OpenVPN server, setting the policy to both TCP and UDP, running netcat to listen on the same port number, and tried connecting to it from my phone's mobile internet, and still I received no response. Here's the routing policy I tried:

The VPN server and netcat were running on that port, 47508, and I was able to connect to it before setting up an OpenVPN client. I assumed that with the routing policy above, packets from that port on the router would be directed to the WAN, so clients would receive the reply correctly, but even with something as simple as netcat, the router doesn't respond, the connection request times out, and netcat running on the router doesn't show any messages, even when running with verbose/debugging output.

I've checked the vpn-policy-routing documentation and the fields left blank are apparently just showing examples, they're not default values, so it isn't that. I've tried setting different values for the policy's source address like 0.0.0.0/0 and the router's WAN IP, none seem to make a difference. Am I misunderstanding the purpose of the OUTPUT chain? Does it not refer to packets going out from the router itself?

Any advice is greatly appreciated. Thanks.
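The earlier question of whether the router can track a connection and send the replies out of the interface it arrived on has a standard answer that does not need a per-port policy: let conntrack remember that a connection entered on the WAN, restore that mark on every reply packet, and send marked packets to a routing table whose only default is the WAN gateway. The script below is an added example (not the poster's configuration and not what the vpn-policy-routing package installs) showing that set-up with iptables and ip rule, covering both the DNAT'd LAN web server (replies pass mangle PREROUTING on the LAN interface) and daemons on the router itself such as the OpenVPN server (replies pass mangle OUTPUT, and the kernel re-routes a locally generated packet whose mark changed there). It assumes an iptables-based OpenWrt (fw3, as in 2020), IPv4 only, and that routing table 100 and fwmark bit 0x1 are unused; eth0.2, br-lan and 203.0.113.1 are placeholders. Because mwan3 and pbr also use fwmarks, check `ip rule show` and `iptables -t mangle -S` for conflicts before choosing the mark and table. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Conntrack-based return path for services reached via the WAN while the
# default route is the VPN. Added example, not code from the thread or from
# the vpn-policy-routing package. Placeholders: eth0.2 (WAN), br-lan (LAN),
# 203.0.113.1 (WAN gateway), table 100, mark bit 0x1.
# DRY_RUN=1 prints the commands instead of executing them.

WAN_TABLE=100
WAN_MARK=0x1
MARK_MASK=0x1   # touch only bit 0 so other fwmark users (mwan3, pbr) keep their bits

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# setup_wan_return_path WAN_DEV WAN_GW LAN_DEV
setup_wan_return_path() {
    wan_dev=$1; wan_gw=$2; lan_dev=$3

    # 1. A routing table that knows only the WAN default gateway.
    run ip route replace default via "$wan_gw" dev "$wan_dev" table "$WAN_TABLE"

    # 2. Marked packets are looked up in that table before "main" (where the
    #    VPN default lives). Delete first so re-running does not stack rules.
    run ip rule del fwmark "$WAN_MARK/$MARK_MASK" lookup "$WAN_TABLE" 2>/dev/null || true
    run ip rule add fwmark "$WAN_MARK/$MARK_MASK" lookup "$WAN_TABLE" priority 1000

    # 3. Every NEW connection that arrives on the WAN gets the mark stored in
    #    its conntrack entry (mangle PREROUTING runs before nat/DNAT).
    run iptables -t mangle -A PREROUTING -i "$wan_dev" -m conntrack --ctstate NEW \
        -j CONNMARK --set-xmark "$WAN_MARK/$MARK_MASK"

    # 4a. Replies from a port-forwarded LAN server: restore the mark before the
    #     routing decision so the fwmark rule sends them out of the WAN; the
    #     reverse DNAT in POSTROUTING then rewrites the source to the WAN IP.
    run iptables -t mangle -A PREROUTING -i "$lan_dev" -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNMARK --restore-mark --nfmask "$MARK_MASK" --ctmask "$MARK_MASK"

    # 4b. Replies from the router's own daemons (OpenVPN server, netcat, ...):
    #     locally generated packets are re-routed after mangle OUTPUT if their
    #     mark changed, so restoring it here is enough. Reply packets count as
    #     ESTABLISHED from the first packet in the reply direction, for UDP too.
    run iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNMARK --restore-mark --nfmask "$MARK_MASK" --ctmask "$MARK_MASK"

    # 5. Strict reverse-path filtering on the WAN would drop packets whose
    #    source is reachable only via the tunnel's default route; use loose mode.
    #    Written via /proc because a device name such as eth0.2 contains a dot,
    #    which sysctl(8) would read as a key separator.
    run sh -c "echo 2 > /proc/sys/net/ipv4/conf/$wan_dev/rp_filter"
    run ip route flush cache
}

# Runs only when called explicitly: ./wan-return-path.sh apply
if [ "${1:-}" = "apply" ]; then
    setup_wan_return_path "${WAN_DEV:-eth0.2}" "${WAN_GW:-203.0.113.1}" "${LAN_DEV:-br-lan}"
fi
```

Outbound traffic from LAN clients is never marked (it starts on br-lan, not on the WAN), so it keeps following the VPN default in the main table, and OpenVPN's own host route to the VPN server is untouched. Run the rules after the firewall has loaded, for example from `/etc/firewall.user`, or they are flushed on the next firewall reload; the rp_filter setting belongs in `/etc/sysctl.conf` to survive a reboot. For router-local services alone a simpler `ip rule add from <WAN IP> lookup 100` would also work, but it must be updated whenever a DHCP WAN address changes and does nothing for the LAN server case, which is why the mark-based version is shown.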

Have you tried FORWARD chain instead of OUTPUT, and TCP protocol?

I didn't try that, as from what I've read, OUTPUT seemed to be the correct chain to use, as it refers to packets leaving the router itself, not being forwarded from elsewhere.

Anyway I've somehow managed to get the connection itself working, I'm able to connect to netcat running on the router, but it seems it's the openvpn server itself that won't accept the connection. Here's the relevant part of the openvpn server log:

Mon May 25 21:06:24 2020 us=347212 x.x.x.x:8597 TLS: Initial packet from [AF_INET]x.x.x.x:8597, sid=7ec6db98 740c7b27
Mon May 25 21:06:25 2020 us=346571 x.x.x.x:8597 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1590437184) Mon May 25 21:06:24 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Mon May 25 21:06:25 2020 us=346621 x.x.x.x:8597 tls-crypt unwrap error: packet replay
Mon May 25 21:06:25 2020 us=346675 x.x.x.x:8597 TLS Error: tls-crypt unwrapping failed from [AF_INET]x.x.x.x:8597

Any idea why this is? I'm not entirely sure what it means by bad packet ID, something to do with vpn-policy-routing? I haven't had this issue before. I've tried adding no-replay but apparently that isn't supported with the AES-256-GCM cipher (I assume that's the problem anyway):

Mon May 25 21:03:34 2020 us=355074 --no-replay or --no-iv cannot be used with a CFB, OFB or AEAD mode cipher

Thanks.

Yes, but how do you understand mixing the LAN subnetwork and OUTPUT from the WAN?