Misconfigured firewall on remote router

I have two routers on a remote location.

Router1 (“modem/wireless_router”) connects to the internet via PPPoE, stock firmware, LAN: 192.168.11.1/24, DMZ opened for Router2 (“WRT1900AC”, OpenWrt 18.06.5).

Router2 is connected to Router1 as a wireless client (WWAN: 192.168.11.100).

Router2 is my main “remote home” router, LAN: 192.168.10.1/24.

I configured OpenVPN site-to-site on Router2 to connect to my “local home” router.

Router3, the “local home” router (WRT1900ACS, OpenWrt 19.07.7), is the OpenVPN server.

All worked fine for almost one year until I messed up in a remote SSH session trying to configure WireGuard on the “remote home” router, Router2.

After a uci commit of the firewall configuration on Router2, I lost the connection to my remote LAN.

The SSH and OpenVPN ports are closed; I don’t know how I did it, but it’s a fact now.

The OpenVPN client on Router2 still shows up trying to connect to Router3, but with no success;

the traffic occurs only in the direction to Router3, and all replies from Router3 to Router2 are blocked by the firewall.

I hope someone has a solution for how to gain access to Router2 from the WWAN side to reconfigure the firewall.

Accepting related/established traffic is one of the essential firewall rules.
If your replies are dropped/rejected, the game is pretty much over.
However, I once was in a similar situation and resolved it with TeamViewer.
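What that reply means in practice, as an added example written for this thread (not code from the thread or from OpenWrt): a POSIX sh script that lints a constructed fw3-style /etc/config/firewall before it is committed, reporting whether the zone facing the upstream router still lets management traffic in and can send replies out, and arms a timed rollback you cancel once you have confirmed you can still log in. The zone name wwan, the ports 22 (SSH) and 1194 (OpenVPN), the rule names and the sample config are all assumptions modelled on Router2; the script reads only UCI zone and rule sections, so anything in /etc/firewall.user or the live iptables state is not covered.

```shell
#!/bin/sh
# Added example for this thread (not code from the thread or from OpenWrt).
# Lints an fw3-style /etc/config/firewall before `uci commit`: does the zone
# facing the upstream router still let management traffic in and replies out?
# Zone "wwan" and ports 22/1194 are assumptions modelled on Router2. Only UCI
# zone/rule sections are read; /etc/firewall.user and live iptables are not.

# Constructed sample: the locked-out state, input REJECT and no SSH/OpenVPN rule.
LOCKED_FW='config zone
    option name wwan
    option input REJECT
    option output ACCEPT
    option forward REJECT

config rule
    option name Allow-Ping
    option src wwan
    option proto icmp
    option target ACCEPT
'

# The same config plus the two rules that keep the management path open.
FIXED_FW="$LOCKED_FW
config rule
    option name Allow-SSH-wwan
    option src wwan
    option proto tcp
    option dest_port 22
    option target ACCEPT

config rule
    option name Allow-OpenVPN-wwan
    option src wwan
    option proto udp
    option dest_port 1194
    option target ACCEPT
"

# Print zone $2's policy for direction $3 (input|output|forward) from config
# text $1; a zone that sets none gets DROP, fw3's documented default.
zone_policy() {
    printf '%s\n' "$1" | tr -d "\"'" | awk -v zone="$2" -v key="$3" '
        function flush() {
            if (type == "zone" && name == zone) { print (val == "" ? "DROP" : val); found = 1 }
            type = ""; name = ""; val = ""
        }
        $1 == "config" { flush(); type = $2 }
        $1 == "option" && $2 == "name" { name = $3 }
        $1 == "option" && $2 == key    { val = $3 }
        END { flush(); if (!found) print "NOZONE" }'
}

# Exit 0 if an enabled rule in config text $1 accepts traffic from zone $2 to
# the router itself (no dest zone, i.e. the INPUT chain) on port $3.
rule_accepts_port() {
    printf '%s\n' "$1" | tr -d "\"'" | awk -v zone="$2" -v port="$3" '
        function flush(   i) {
            if (type == "rule" && src == zone && dest == "" && target == "ACCEPT" && enabled != "0") {
                for (i = 1; i <= nports; i++) if (ports[i] == port) hit = 1
            }
            type = ""; src = ""; dest = ""; target = ""; enabled = ""; nports = 0
        }
        $1 == "config" { flush(); type = $2 }
        $1 == "option" && $2 == "src"     { src = $3 }
        $1 == "option" && $2 == "dest"    { dest = $3 }
        $1 == "option" && $2 == "target"  { target = $3 }
        $1 == "option" && $2 == "enabled" { enabled = $3 }
        ($1 == "option" || $1 == "list") && $2 == "dest_port" { for (i = 3; i <= NF; i++) ports[++nports] = $i }
        END { flush(); exit (hit ? 0 : 1) }'
}

# Exit 0 if zone $2 can send replies (output ACCEPT) and every listed port is
# reachable (zone input ACCEPT, or an ACCEPT rule per port); else report, exit 1.
check_remote_access() {
    cfg=$1; zone=$2; shift 2; problems=""
    [ "$(zone_policy "$cfg" "$zone" output)" = "ACCEPT" ] || problems="$problems output-not-ACCEPT"
    if [ "$(zone_policy "$cfg" "$zone" input)" != "ACCEPT" ]; then
        for p in "$@"; do
            rule_accepts_port "$cfg" "$zone" "$p" || problems="$problems no-rule-for-port-$p"
        done
    fi
    [ -z "$problems" ] && return 0
    echo "zone $zone:$problems" >&2
    return 1
}

# On the router itself: save the current firewall config and arm a timed
# rollback that restores it and reloads, unless you kill the printed PID after
# confirming you can still log in through the new rules.
arm_firewall_rollback() {
    cp /etc/config/firewall /tmp/firewall.bak || return 1
    ( sleep "${1:-300}"; cp /tmp/firewall.bak /etc/config/firewall; /etc/init.d/firewall reload ) &
    echo $!
}
```

Run `check_remote_access "$(cat /etc/config/firewall)" wwan 22 1194` over a pending edit on the router; the locked-out sample fails with `no-rule-for-port-22 no-rule-for-port-1194`, the fixed sample passes. The rollback habit matters more than the lint: arm it, reload, log in again through the new rules, and only then kill the rollback and commit, because once the replies are dropped nothing you type will ever arrive.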

Thank you for your reply. My experience with OpenWrt and Linux systems is very limited; if you can give me some hints on how you resolved your similar situation, as access to Router2 from the LAN is near impossible for the moment (overseas travel restrictions).
My Router3 system log shows me 72 connection attempts every day:

Sun Feb 21 06:05:39 2021 daemon.notice openvpn(server)[3985]: 160.179.205.98:52582 TLS: Initial packet from [AF_INET]x.x.x.x:52582, sid=3bc84d46 63ecee50
Sun Feb 21 06:05:40 2021 daemon.notice openvpn(server)[3985]: 160.179.205.98:52582 VERIFY OK: depth=1, CN=ovpnca
Sun Feb 21 06:05:40 2021 daemon.notice openvpn(server)[3985]: 160.179.205.98:52582 VERIFY OK: depth=0, CN=client
Sun Feb 21 06:05:40 2021 daemon.notice openvpn(server)[3985]: 160.179.205.98:52582 peer info: IV_VER=2.4.5
Sun Feb 21 06:05:40 2021 daemon.notice openvpn(server)[3985]: 160.179.205.98:52582 peer info: IV_PLAT=linux
Sun Feb 21 06:05:40 2021 daemon.notice openvpn(server)[3985]: 160.179.205.98:52582 peer info: IV_PROTO=2
Sun Feb 21 06:05:40 2021 daemon.notice openvpn(server)[3985]: 160.179.205.98:52582 peer info: IV_NCP=2
Sun Feb 21 06:05:40 2021 daemon.notice openvpn(server)[3985]: 160.179.205.98:52582 peer info: IV_LZ4=1
Sun Feb 21 06:05:40 2021 daemon.notice openvpn(server)[3985]: 160.179.205.98:52582 peer info: IV_LZ4v2=1
Sun Feb 21 06:05:40 2021 daemon.notice openvpn(server)[3985]: 160.179.205.98:52582 peer info: IV_LZO=1
Sun Feb 21 06:05:40 2021 daemon.notice openvpn(server)[3985]: 160.179.205.98:52582 peer info: IV_COMP_STUB=1
Sun Feb 21 06:05:40 2021 daemon.notice openvpn(server)[3985]: 160.179.205.98:52582 peer info: IV_COMP_STUBv2=1
Sun Feb 21 06:05:40 2021 daemon.notice openvpn(server)[3985]: 160.179.205.98:52582 peer info: IV_TCPNL=1
Sun Feb 21 06:05:41 2021 daemon.notice openvpn(server)[3985]: 160.179.205.98:52582 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sun Feb 21 06:05:41 2021 daemon.notice openvpn(server)[3985]: 160.179.205.98:52582 [client] Peer Connection Initiated with [AF_INET]x.x.x.x:52582
Sun Feb 21 06:05:41 2021 daemon.notice openvpn(server)[3985]: client/160.179.205.98:52582 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/client
Sun Feb 21 06:05:41 2021 daemon.notice openvpn(server)[3985]: client/160.179.205.98:52582 MULTI: Learn: y.y.y.y -> client/x.x.x.x:52582
Sun Feb 21 06:05:41 2021 daemon.notice openvpn(server)[3985]: client/160.179.205.98:52582 MULTI: primary virtual IP for client/x.x.x.x:52582: x.x.x.2
Sun Feb 21 06:05:41 2021 daemon.notice openvpn(server)[3985]: client/160.179.205.98:52582 MULTI: internal route 192.168.10.0/24 -> client/x.x.x.x:52582
Sun Feb 21 06:05:41 2021 daemon.notice openvpn(server)[3985]: client/160.179.205.98:52582 MULTI: Learn: 192.168.10.0/24 -> client/x.x.x.x:52582
Sun Feb 21 06:09:41 2021 daemon.notice openvpn(server)[3985]: client/160.179.205.98:52582 [client] Inactivity timeout (--ping-restart), restarting
Sun Feb 21 06:09:41 2021 daemon.notice openvpn(server)[3985]: client/160.179.205.98:52582 SIGUSR1[soft,ping-restart] received, client-instance restarting

I called a person working at the remote site and asked them to download and start TeamViewer, tell me their ID and allow remote desktop control.
Then I connected to their PC and used SSH to access the router from the LAN side.

My remote location is a vacation home; there is nobody nearby to call. I have some remote cams that send pictures, but I lost access to an irrigation system for the garden controlled by a web interface.


You are "locked out", as @vgaetera said. You have to have a reachable host in that local network to solve the problem from the "inside".
