New OpenWrt blocks LAN to WAN VPN connections

I recently installed an R7800 openwrt router. Everything seems fine, apart from the fact that the PC in the LAN cannot connect to a VPN server on the internet that it can connect to if not connected through this openwrt router.
I am a bit surprised at this because I would expect openwrt, as any other router, not to block any outgoing connections unless specifically configured as such.
Apart from setting up the wireless network with channels, etc., it's a vanilla OpenWrt 19.07.7 r11306-c4a6851c72.

Is it normal for OpenWRT to block LAN to WAN connections by default? Why?
How do I change it so that PCs inside the LAN are able to connect to VPN servers, and for that matter to whatever the PC wants/needs to connect to?

1 Like

No. The default firewall ought to allow all outbound traffic by default, all return traffic in response to outbound traffic, and block all unsolicited inbound traffic.

What are the contents of /etc/config/network and /etc/config/firewall ?

4 Likes

You are not using PPTP, are you?
https://openwrt.org/docs/guide-user/services/vpn/pptp/extras#nat_traversal

4 Likes

To connect a PC behind NAT to a VPN server, you will need to have 2 kernel modules loaded on the OpenWrt router: nf_conntrack_pptp and nf_conntrack_proto_gre.
They are part of the package kmod-nf-nathelper-extra.
Make sure that the modules are available and loaded.

lsmod | grep 'gre\|pptp'
4 Likes

Forgot to mention that the internet comes via wireless, and that interface is called wwan.
/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd02:b946:3db2::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0t'

config interface 'wwan'
        option proto 'dhcp'

/etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 wwan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

That all looks normal to me. But, as the others have observed, if your VPN uses PPTP then you may need to install additional modules to allow a PPTP VPN to traverse OpenWRT. Are you using PPTP?

3 Likes

@iplaywithtoys I was checking now, thanks to the other answers, what I have installed on the other side, and it's indeed PPTP. I suppose I'll be able to fix it using the official documentation, as pointed by @vgaetera (whom I thank), and if it doesn't work, I'll try @pavelgl tips as well.

Do you happen to know what's so special about PPTP that OpenWrt needs extra software just to pass it through? Why is OpenWrt even aware of what kind of traffic it is to be selective about it? I am even more curious since I used to be behind 2 cascaded routers, and one was ISP provided crap, and the other one was a 10€ (brand new price) mini-router, and they didn't cause me any issues. Sure, performance was about as good as expected, but everything worked. This makes me think that it should just work, but I'm clearly missing something.

PPTP relies on GRE-tunneling that requires extra connection tracking modules to traverse NAT:

3 Likes

It's to do with the way the router maps packets to clients when using NAT (masquerade), and why it's relevant to GRE (used by PPTP). The other equipment you mentioned handled NAT differently to the way OpenWRT handles NAT. Adding the relevant module(s) to OpenWRT will alter OpenWRT's behaviour for this scenario.

2 Likes
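As an added example (not code from the thread or from the OpenWrt project), the `lsmod` check suggested above turned into a small POSIX sh script for the router: it reports which of the two PPTP NAT-helper modules are not loaded, so you can tell whether kmod-nf-nathelper-extra is missing before you touch the firewall. The function name `missing_pptp_helpers` and the sample `lsmod` output are constructed for the example.

```shell
#!/bin/sh
# Modules named in the reply above; both ship in kmod-nf-nathelper-extra.
REQUIRED="nf_conntrack_pptp nf_conntrack_proto_gre"

# missing_pptp_helpers LSMOD_TEXT
# Prints, one per line, the required modules that do not appear in the
# first column of the given `lsmod` output. Prints nothing when all are loaded.
missing_pptp_helpers() {
    for mod in $REQUIRED; do
        found=0
        # Each lsmod line is "<name> <size> <used-by>"; compare the first field only.
        while read -r name _; do
            if [ "$name" = "$mod" ]; then
                found=1
            fi
        done <<EOF
$1
EOF
        [ "$found" -eq 1 ] || printf '%s\n' "$mod"
    done
}

# Constructed sample: a router where only the GRE protocol tracker is loaded,
# so PPTP control connections (TCP 1723) are tracked but not tied to the GRE flow.
SAMPLE_LSMOD="Module                  Size  Used by
nf_conntrack_proto_gre 16384  0
nf_conntrack           81920  2 nf_conntrack_proto_gre,nf_nat
xt_tcpudp              16384  4"

# Live use on the router:
#   missing_pptp_helpers "$(lsmod)"
# If anything is printed, install the package and load the modules:
#   opkg update && opkg install kmod-nf-nathelper-extra
#   modprobe nf_conntrack_pptp
# then re-run the check; the PPTP client on the LAN should connect without
# any change to the lan -> wan forwarding shown in the firewall config above.
```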

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.