L2TP Over IPSec for WR841N V13 Firmware 2020

Hi,

I installed OpenWRT on my WR841N V13 and everything seems to work OK. I like it and I'll definitely keep it on my Router.

But, unfortunately, I'm having a problem and don't know exactly how to solve it.

I need to connect from my laptop (when connected to my Router) to a VPN from my company.
The protocol used is L2TP over IPSec.

My Firewall rules are:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'
	option forward 'DROP'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	list proto 'all'
	option name 'Block Hue Out'
	list src_ip '10.10.10.100'
	option dest 'wan'
	option target 'DROP'
	option src 'lan'
	list src_mac 'EC:B5:FA:07:0A:56'

config rule
	option name 'Block 6-Ipad Out'
	list proto 'all'
	option src 'lan'
	list src_mac '58:E6:BA:F3:58:E5'
	list src_ip '10.10.10.152'
	option target 'DROP'
	option dest 'wan'
	option enabled '0'

config rule
	option name 'Block 6-Iphone Out'
	list proto 'all'
	option src 'lan'
	list src_mac '58:E6:BA:F3:58:E5'
	list src_ip '10.10.10.152'
	option dest 'wan'
	option target 'DROP'
	option enabled '0'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option target 'DNAT'
	option name 'Raspberry VPN'
	list proto 'tcp'
	option src 'wan'
	option src_dport '443'
	option dest 'lan'
	option dest_ip '10.10.10.160'
	option dest_port '443'

Thanks

LE: The VPN connects; the problem is that when I try to connect to the jump box, I can't.
If I switch to my phone's internet, I'm able to connect to the VPN (as over Wi-Fi with OpenWRT) and also to connect to the jump box.

Guys ... I really need some help with this :frowning:

I'm connecting over L2TP over IPsec (that is working), and after that I'm trying to reach a jump box with RDP (Windows box), and that's not working for me ... I'm not able to connect to that Windows jump box.

I'm doing this from a Unix system.

Thanks

LE: New finding ... I virtualised a Windows machine and created the VPN there ... and I was able to connect to my jump box from Windows :smiley:
But I'm able to do so from Unix as well, just not when I'm connected to my home Wi-Fi with OpenWRT.

LLE: Found the issue, but I don't know how to solve it.
If I don't check "Send all traffic over VPN connection", then I'm not able to connect at all. I'd like not to send all traffic, as with this option on I'm not able to connect to the internet while I'm connected to the VPN.
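The last finding points at the laptop's routing table rather than at the router's firewall: with split tunnelling the L2TP client only installs routes for the networks the VPN pushes, so a jump box outside those routes follows the default route out through the home router, while "send all traffic" steers everything into the tunnel. The script below is an added example, not part of the original post; it models that decision offline with constructed `ip route show` output. The addresses are assumptions: 10.10.10.0/24 is the home LAN from the post, ppp0 stands for the L2TP interface, 198.51.100.10 for the company VPN gateway and 172.16.20.15 for the jump box.

```python
"""Where would the jump box traffic leave the laptop? (added example, not from the post)

Parses routing tables in the format printed by `ip route show`, does the same
longest-prefix match the kernel does, and classifies the outcome.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed split-tunnel table (placeholders, not captured from the poster's laptop):
# the client installed only a peer route on ppp0 and pinned the VPN gateway
# to the physical uplink so the tunnel itself does not loop through ppp0.
SPLIT_TUNNEL = """\
default via 10.10.10.1 dev wlan0 proto dhcp metric 600
10.10.10.0/24 dev wlan0 proto kernel scope link src 10.10.10.42 metric 600
172.16.5.1 dev ppp0 proto kernel scope link src 172.16.5.7
198.51.100.10 via 10.10.10.1 dev wlan0
"""

# Same laptop with "send all traffic over VPN" ticked. One common client
# technique is two /1 routes: they are more specific than the default route,
# so everything except the pinned VPN gateway enters the tunnel (assumption:
# the poster's client may implement this differently, the effect is the same).
FULL_TUNNEL = SPLIT_TUNNEL + """\
0.0.0.0/1 dev ppp0
128.0.0.0/1 dev ppp0
"""

JUMP_BOX = "172.16.20.15"   # hypothetical RDP jump box on the corporate network
VPN_DEV = "ppp0"            # assumed L2TP interface name


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: Optional[str]
    via: Optional[str]


def parse_ip_route(text: str) -> List[Route]:
    """Parse one route per line; only the destination, 'dev' and 'via' tokens matter here."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        prefix = ipaddress.ip_network(dst, strict=False)   # bare host becomes /32
        dev = via = None
        for i, tok in enumerate(parts[1:-1], start=1):
            if tok == "dev":
                dev = parts[i + 1]
            elif tok == "via":
                via = parts[i + 1]
        routes.append(Route(prefix, dev, via))
    return routes


def lookup(routes: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match for addr (route metrics are ignored for clarity)."""
    ip = ipaddress.ip_address(addr)
    best = None
    for r in routes:
        if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def diagnose(table: str, target: str, vpn_dev: str) -> Tuple[str, Optional[Route]]:
    """Classify the route a packet to target would take.

    'vpn'        - leaves through the tunnel interface, the case that works
    'default'    - no VPN route covers target; it goes to the internet via the home router
    'local'      - a more specific non-VPN route wins (home LAN overlap, or the gateway pin)
    'unroutable' - nothing matches
    """
    route = lookup(parse_ip_route(table), target)
    if route is None:
        return "unroutable", None
    if route.dev == vpn_dev:
        return "vpn", route
    if route.prefix.prefixlen == 0:
        return "default", route
    return "local", route


def host_route_command(target: str, vpn_dev: str, platform: str = "linux") -> str:
    """Command that pins a single host into the tunnel instead of sending all traffic."""
    if platform == "linux":
        return f"ip route add {target}/32 dev {vpn_dev}"
    if platform == "darwin":
        return f"route add -host {target} -interface {vpn_dev}"
    raise ValueError(f"unsupported platform: {platform}")


if __name__ == "__main__":
    for name, table in (("split tunnel", SPLIT_TUNNEL), ("full tunnel", FULL_TUNNEL)):
        status, route = diagnose(table, JUMP_BOX, VPN_DEV)
        where = f"{route.prefix} dev {route.dev}" if route else "none"
        print(f"{name}: {JUMP_BOX} -> {status} ({where})")
    # A corporate host whose address also falls inside the home LAN never reaches the tunnel.
    status, route = diagnose(SPLIT_TUNNEL, "10.10.10.200", VPN_DEV)
    print(f"split tunnel, overlapping address: 10.10.10.200 -> {status}")
    print("fix:", host_route_command(JUMP_BOX, VPN_DEV))
```

On a real laptop, run `ip route show` (Linux) or `netstat -rn` (macOS) with the VPN up, substitute the real jump box address, and compare: if it falls under the default route, the host route printed by `host_route_command` (run as root after the VPN connects) keeps internet traffic local while sending only the jump box into the tunnel; the VPN's whole subnet can be added the same way if more hosts are needed. If the result is `local` because the corporate address range overlaps the home 10.10.10.0/24, a host route still loses to the directly connected LAN route on some systems, and renumbering the home LAN to an unused range is the reliable fix. The OpenWrt firewall rules on the router are not part of this decision; they only see the already encapsulated L2TP/IPsec traffic.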