So I'm using openfortivpn [on a TP-Link MR200 (LTE) running 21.02.3] to connect to a host behind a VPN.
As I need to provide an SMS TOTP, I have to bypass the OpenWrt helper script & config (/etc/config/openfortivpn) and I'm running it via CLI in a screen session.
I've run a similar setup on 19.07 but I've lost my scripts as I switched to FreshTomato in that location (I know I need to be organized with my scripts).
In FT I only have to run the following /etc/ppp/ip-up script:
#!/bin/sh -e
# LAN host whose traffic should go through the tunnel
hostip=192.168.1.101
# route both remote prefixes into the openfortivpn tunnel (ppp1 on FreshTomato)
ip r add 172.31.0.0/24 dev ppp1
ip r add 192.168.222.0/24 dev ppp1
# masquerade that host's traffic towards the two prefixes behind the tunnel
iptables -t nat -A POSTROUTING -s $hostip -d 192.168.222.0/24 -o ppp1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s $hostip -d 172.31.0.0/24 -o ppp1 -j MASQUERADE
I've tried the same on the MR200 with OpenWrt 21.03 (changing ppp1 to ppp0, as the PPP session is handled by the LTE modem's Android OS) but it doesn't seem to be running.
PS: the tunnel starts correctly and the connection works correctly from OpenWrt to the VPN host, but it doesn't from my station behind the MR200; as a workaround I run SSH port forwarding.
# first NAT rule: LAN host -> 192.168.222.0/24 out of the tunnel interface
uci add firewall nat
uci set firewall.@nat[-1].name='masq2'
uci add_list firewall.@nat[-1].proto='all'
uci set firewall.@nat[-1].src_ip='192.168.1.101'
uci set firewall.@nat[-1].target='MASQUERADE'
uci set firewall.@nat[-1].dest_ip='192.168.222.0/24'
# must be the interface openfortivpn actually creates (the OP says ppp0 on the MR200)
uci set firewall.@nat[-1].device='ppp1'
uci set firewall.@nat[-1].src='lan'
# second NAT rule: same host, second destination prefix
uci add firewall nat
uci set firewall.@nat[-1].name='masq2'
uci add_list firewall.@nat[-1].proto='all'
uci set firewall.@nat[-1].src_ip='192.168.1.101'
uci set firewall.@nat[-1].target='MASQUERADE'
uci set firewall.@nat[-1].dest_ip='172.31.0.0/24'
uci set firewall.@nat[-1].device='ppp1'
uci set firewall.@nat[-1].src='lan'
uci commit firewall
service firewall restart
Then try to create some interesting traffic and verify that it works with: iptables-save -c -t nat
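As an added example (mine, not code from either poster in this thread), here are the two checks a practitioner would run after applying rules like the ones above, turned into small shell functions: one reads iptables-save -c -t nat output and reports the packet/byte counters of the MASQUERADE rule for a given source host and destination prefix (zero counters or "absent" means the rule is not seeing the traffic), the other reads ip -4 route output and tells whether a prefix is actually routed out of the tunnel device. The two sample outputs are constructed, with ppp0 assumed as the tunnel interface and the OP's addresses reused; the command names are real, nothing else is taken from the OP's router.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks for the setup discussed above:
#   masq_hits SRC DST    - reads `iptables-save -c -t nat` on stdin, prints
#                          "<packets> <bytes>" for the MASQUERADE rule matching
#                          -s SRC -d DST, or "absent" if there is no such rule.
#   route_via PREFIX DEV - reads `ip -4 route` on stdin, prints "yes" if PREFIX
#                          is routed out of DEV, else "no".

masq_hits() {
    awk -v src="$1" -v dst="$2" '
        BEGIN {
            # iptables-save prints host addresses with an explicit /32 mask
            if (src !~ /\//) src = src "/32"
            if (dst !~ /\//) dst = dst "/32"
        }
        # counter lines look like: [pkts:bytes] -A CHAIN ... -j MASQUERADE
        $1 ~ /^\[[0-9]+:[0-9]+\]$/ && $2 == "-A" && /-j MASQUERADE/ {
            s = ""; d = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-s") s = $(i + 1)
                if ($i == "-d") d = $(i + 1)
            }
            if (s == src && d == dst) {
                c = substr($1, 2, length($1) - 2)   # strip the [ ] around the counters
                split(c, a, ":")
                print a[1], a[2]
                found = 1
                exit
            }
        }
        END { if (!found) print "absent" }'
}

route_via() {
    awk -v p="$1" -v dev="$2" '
        $1 == p {
            for (i = 2; i <= NF; i++)
                if ($i == "dev" && $(i + 1) == dev) { print "yes"; found = 1; exit }
        }
        END { if (!found) print "no" }'
}

# Constructed `iptables-save -c -t nat` excerpt (not captured from a real box):
# the 192.168.222.0/24 rule has seen traffic, the 172.31.0.0/24 rule has not.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [1200:96000]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [3000:210000]
[42:3528] -A POSTROUTING -s 192.168.1.101/32 -d 192.168.222.0/24 -o ppp0 -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.1.101/32 -d 172.31.0.0/24 -o ppp0 -j MASQUERADE
COMMIT'

# Constructed `ip -4 route` output: only one of the two prefixes is routed via ppp0.
SAMPLE_ROUTES='default via 192.168.8.1 dev eth0.2 proto static src 192.168.8.100
10.212.134.10 dev ppp0 proto kernel scope link src 10.212.134.200
172.31.0.0/24 dev ppp0 scope link
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.8.0/24 dev eth0.2 proto kernel scope link src 192.168.8.100'

# On the router you would feed the real commands instead of the samples:
#   iptables-save -c -t nat | masq_hits 192.168.1.101 192.168.222.0/24
#   ip -4 route | route_via 172.31.0.0/24 ppp0
printf '%s\n' "$SAMPLE_NAT" | masq_hits 192.168.1.101 192.168.222.0/24   # 42 3528
printf '%s\n' "$SAMPLE_NAT" | masq_hits 192.168.1.101 172.31.0.0/24      # 0 0
printf '%s\n' "$SAMPLE_NAT" | masq_hits 192.168.1.101 10.0.0.0/8         # absent
printf '%s\n' "$SAMPLE_ROUTES" | route_via 172.31.0.0/24 ppp0            # yes
printf '%s\n' "$SAMPLE_ROUTES" | route_via 192.168.222.0/24 ppp0         # no
```

A rule that shows "0 0" while the station is generating traffic means the packets are not reaching it: either they leave through another interface (no route for the prefix via the tunnel device, which route_via shows) or the rule sits in a chain that is never consulted for that outgoing interface, which is what the zone question in this thread is about.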
Which zone does ppp0 belong to? It doesn't seem to be lan, as there are no hits in iptables and ppp0 is not assigned to any zone. You'd need to fix that too.
Is there a static route for these 2 prefixes via ppp0? Check with: ip -4 ro
Since you added ppp0 to the wan zone, everything will be masqueraded, so the rules don't matter anymore.