Iptables/openvpn/linode/routing issues

HAVE: Ubuntu 16.04 Linode OpenVPN server, a BT Infinity VDSL cable modem/router, and a Linksys WRT3200ACM OpenVPN client router running the most recent LEDE. The LAN behind LEDE is NAT'd, but I will eventually want other OpenVPN clients to be able to route through to LAN resources.

ISSUE: The Lede router has internet access through tun0, the wireless is functioning, it is assigning DHCP, but traceroutes from Lede client devices stop at the router.

BACKGROUND: I used dubyadubyadubya.linode.com/docs/networking/vpn/set-up-a-hardened-openvpn-server to set up the VPN and routing. I assumed it might have been something wrong in the LEDE/client interaction, but some hints also led me to think there might be server issues, such as whois and 'ping' failing to any address other than the tunnel addresses. Looking at the kernel log, I can see iptables_INPUT_denied and iptables_OUTPUT_denied, so there has to be something in the routing tables. Also, the fact that luci-app-openvpn didn't establish a VPN zone or tun interface makes me wonder if that's an issue. So lost. This is my first Linode, OpenWrt router, OpenVPN config, SSH experience... so I was super stoked to see everything working right up until the last little bit failing. Here goes what I have:

SERVER
# Generated by iptables-save v1.6.0 on Fri Apr 14 13:11:07 2017
*security
:INPUT ACCEPT [5139:418185]
:FORWARD ACCEPT [71:4493]
:OUTPUT ACCEPT [3438:399353]
COMMIT
# Completed on Fri Apr 14 13:11:07 2017
# Generated by iptables-save v1.6.0 on Fri Apr 14 13:11:07 2017
*raw
:PREROUTING ACCEPT [5212:422758]
:OUTPUT ACCEPT [3438:399353]
COMMIT
# Completed on Fri Apr 14 13:11:07 2017
# Generated by iptables-save v1.6.0 on Fri Apr 14 13:11:07 2017
*nat
:PREROUTING ACCEPT [2:80]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Apr 14 13:11:07 2017
# Generated by iptables-save v1.6.0 on Fri Apr 14 13:11:07 2017
*mangle
:PREROUTING ACCEPT [5212:422758]
:INPUT ACCEPT [5141:418265]
:FORWARD ACCEPT [71:4493]
:OUTPUT ACCEPT [3438:399353]
:POSTROUTING ACCEPT [3524:405676]
COMMIT
# Completed on Fri Apr 14 13:11:07 2017
# Generated by iptables-save v1.6.0 on Fri Apr 14 13:11:07 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 2222 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state ESTABLISHED -m udp --sport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 443 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_INPUT_denied: "
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -i tun0 -o eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "iptables_FORWARD_denied: "
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 2222 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state ESTABLISHED -m udp --sport 1194 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 443 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_OUTPUT_denied: "
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Apr 14 13:11:07 2017

LEDE NETWORK
config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix '<ipv6_address>'

config interface 'lan'
    option type 'bridge'
    option ifname 'eth0'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option ipaddr '192.168.10.1'

config interface 'wan'
    option proto 'dhcp'
    option _orig_ifname 'eth1'
    option _orig_bridge 'false'
    option ifname 'eth1'

config interface 'wan6'
    option ifname 'eth1'
    option proto 'dhcpv6'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0 1 2 3 5'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '4 6'

LEDE FIREWALL CONFIG

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'

config zone
    option name 'wan'
    option output 'ACCEPT'
    option masq '1'
    option mtu_fix '1'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option network 'wan wan6'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

config forwarding
    option dest 'wan'
    option src 'lan'

config zone 'vpn'
    option network 'derpserver'
    option name 'vpn'
    option input 'ACCEPT'
    option forward 'REJECT'
    option output 'ACCEPT'
    option masq '1'

config forwarding 'vpn_forwarding_lan_in'
    option src 'vpn'
    option dest 'lan'

config forwarding 'vpn_forwarding_lan_out'
    option src 'lan'
    option dest 'vpn'

root@LEDE:~# cat /etc/openvpn/client.conf | grep "^[^#;]"
pull
client
dev tun
proto udp
remote <ip_address> 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
auth SHA256
comp-lzo
verb 3
key-direction 1
<keys>

server@linode:~$ sudo cat /etc/openvpn/server.conf | grep "^[^#;]"
port 1194
proto udp
dev tun
ca ca.crt
cert node.crt
key node.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 96.90.175.167"
push "dhcp-option DNS 45.56.117.118"
keepalive 10 120
tls-auth ta.key 0  # This file is secret
key-direction 0
cipher AES-128-CBC  # AES
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

Is more info needed?

ISSUE: The Lede router has internet access through tun0, the wireless is functioning, it is assigning DHCP, but traceroutes from Lede client devices stop at the router.

Since your OpenVPN server is pushing redirect-gateway, your router's WAN should really be based on tun0 here, not eth1.

I assume that you want the router's clients to be accessing the internet over VPN as well, through the router's VPN connection. Is that correct?

Yes, I would like all traffic to/from the home LAN (obviously through the Lede client router) to be routed through the tunnel. The only traffic I would want out of the tunnel would be on the LAN-side either intra-local net traffic or other client access through the tunnel to access LAN files.

OK, so you're after some discrete goals here:

  1. Private (ish - from your upstream ISP anyway) internet access in general
     • From all hosts on the LAN
     • From other OpenVPN clients in whatever ISP/access point they might be
  2. Secure access from other OpenVPN clients (road warrior laptop use case for example) to the LAN

You can do both with a single OpenVPN server, but it might complicate things a bit. That's because #1 requires the server pushing that redirect-gateway option to the client:

--redirect-gateway flags...
Automatically execute routing commands to cause all outgoing IP traffic to be redirected over the VPN. This is a client-side option.

which means that your LEDE box will now route everything - including access to the Linode web console, for example - through the OpenVPN tunnel. This can get annoying if you need to reboot that box etc. Basically it's a single point of failure on your Internet access.

You should be able to work around that with static routes and weights on the LEDE box, but that's something I haven't done before so can't advise.

So I'd start with just #2:

  • Remove redirect-gateway and the DNS options - in fact, all the push options, from the server config.
  • Add a LEDE network that includes just tun0.
  • Add a LEDE firewall zone for that tun0 network.
    • In this zone, add rules to forward the ports you need exposed from the LAN hosts, so that they're available on that 10.8.0.0/24 VPN.

You should be able to test this from a second OpenVPN client, e.g. a laptop. Use another ISP, like tether a mobile phone, to do this. You should be able to access these resources when connected over OpenVPN, on their 10.8.0.0/24 addresses.

Edit: Fixed the "test case". Testing from a host on the LAN, even if that host is itself an OpenVPN client, may not work: LEDE may be routing you to 10.8.0.0/24.
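The LEDE side of the steps above (a network for tun0, a zone for it, masquerade so LAN hosts leave the tunnel as the router's 10.8.0.x address, and one explicit port forward for a LAN service), as an added example that is not from the original thread. It also covers the earlier comment that the router's upstream should be tun0 rather than eth1: in the posted /etc/config/firewall the 'vpn' zone points at a network called 'derpserver' that does not exist in the posted /etc/config/network, so tun0 is in no zone and nothing masquerades it, and the server's only POSTROUTING rule masquerades sources in 10.8.0.0/24, so traffic arriving there from 192.168.10.0/24 would be forwarded (FORWARD -i tun0 -j ACCEPT) but never NATed. The LAN host 192.168.10.20, port 445, the section names vpn_ping and vpn_svc, and the script name vpn-zone.sh are assumptions; the zone and forwarding section names match the posted config.

```shell
#!/bin/sh
# Added example for LEDE/OpenWrt (netifd + fw3); not from the original post.
# Defines a 'vpn' network on tun0, binds the existing 'vpn' firewall zone to
# it, masquerades traffic entering the tunnel, and DNATs one LAN service so
# other OpenVPN clients can reach it on the router's 10.8.0.x address.
# Hypothetical values: LAN_HOST, LAN_PORT, and the section names vpn_ping and
# vpn_svc. Everything else mirrors the posted /etc/config/firewall.

LAN_HOST="${LAN_HOST:-192.168.10.20}"   # hypothetical LAN file server
LAN_PORT="${LAN_PORT:-445}"             # hypothetical service port (SMB)

# Emit the uci batch as text so it can be reviewed before anything changes.
build_vpn_uci() {
    cat <<EOF
set network.vpn=interface
set network.vpn.ifname='tun0'
set network.vpn.proto='none'
set firewall.vpn=zone
set firewall.vpn.name='vpn'
set firewall.vpn.network='vpn'
set firewall.vpn.input='REJECT'
set firewall.vpn.output='ACCEPT'
set firewall.vpn.forward='REJECT'
set firewall.vpn.masq='1'
set firewall.vpn.mtu_fix='1'
set firewall.vpn_forwarding_lan_out=forwarding
set firewall.vpn_forwarding_lan_out.src='lan'
set firewall.vpn_forwarding_lan_out.dest='vpn'
set firewall.vpn_ping=rule
set firewall.vpn_ping.name='Allow-Ping-vpn'
set firewall.vpn_ping.src='vpn'
set firewall.vpn_ping.proto='icmp'
set firewall.vpn_ping.icmp_type='echo-request'
set firewall.vpn_ping.family='ipv4'
set firewall.vpn_ping.target='ACCEPT'
set firewall.vpn_svc=redirect
set firewall.vpn_svc.name='vpn-to-lan-${LAN_PORT}'
set firewall.vpn_svc.src='vpn'
set firewall.vpn_svc.src_dport='${LAN_PORT}'
set firewall.vpn_svc.proto='tcp'
set firewall.vpn_svc.dest='lan'
set firewall.vpn_svc.dest_ip='${LAN_HOST}'
set firewall.vpn_svc.dest_port='${LAN_PORT}'
set firewall.vpn_svc.target='DNAT'
EOF
}

# Apply on the router: drop the blanket vpn->lan forwarding from the posted
# config (the explicit redirect replaces it), load the batch, commit, reload.
apply_vpn_uci() {
    uci -q delete firewall.vpn_forwarding_lan_in || true
    build_vpn_uci | uci batch
    uci commit network
    uci commit firewall
    /etc/init.d/network reload
    /etc/init.d/firewall reload
}

# After applying, show what the running firewall does for the zone: fw3 puts
# the zone's MASQUERADE in zone_vpn_postrouting and the DNAT in
# zone_vpn_prerouting.
show_vpn_zone() {
    iptables -t nat -S zone_vpn_postrouting
    iptables -t nat -S zone_vpn_prerouting
    ip route show dev tun0
}

case "${1:-}" in
    apply) apply_vpn_uci ;;
    show)  show_vpn_zone ;;
    *)     build_vpn_uci ;;   # default: print the batch for review
esac
```

Run `sh vpn-zone.sh` first to read the batch, then `sh vpn-zone.sh apply`, then `sh vpn-zone.sh show`; the road-warrior test from another ISP then targets the LEDE box's 10.8.0.x address on port 445, not the 192.168.10.x address. If you would rather keep the server's redirect-gateway push for other clients and have only the router ignore it, OpenVPN 2.4 clients accept `pull-filter ignore "redirect-gateway"` in client.conf, which avoids the single-point-of-failure problem described above without touching routes by hand.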