No access from internet behind a modem & dmz

**• Openvpn**

# OpenVPN server instance 'vpn_server' (UCI /etc/config/openvpn) as posted in the thread.
config openvpn 'vpn_server'
	option dev 'tun'
	# NOTE(review): 'server' below hands out the 10.8.0.0/24 pool, and the server log
	# in this thread brings tun0 up as 10.8.0.1, so this ifconfig line looks unused —
	# confirm and drop it if so.
	option ifconfig '10.0.0.1 10.0.0.2'
	option keepalive '10 60'
	option log '/var/log/openvpn.log'
	option status '/var/run/openvpn.status 5'
	option mute '5'
	option mode 'server'
	# Listening port. The firewall rule 'Autoriser-OpenVPN' opens the same port on WAN
	# and the client profile has to point at it (the client in this thread used 443 at first).
	option port '1194'
	option route_gateway 'dhcp'
	option persist_tun '1'
	option persist_key '1'
	# Tunnel subnet for clients.
	option server '10.8.0.0 255.255.255.0'
	# Connected clients may reach each other through the server.
	option client_to_client '1'
	option tls_server '1'
	option cert '/etc/easy-rsa/pki/issued/vpn_server.crt'
	option key '/etc/easy-rsa/pki/private/vpn_server.key'
	# Control-channel HMAC key, direction 0 on the server; the client profile uses direction 1.
	option tls_auth '/etc/easy-rsa/pki/ta.key 0'
	# Drop privileges after start-up (the log confirms "GID set to nogroup" / "UID set to nobody").
	option user 'nobody'
	option group 'nogroup'
	option dh '/etc/easy-rsa/pki/dh.pem'
	option ca '/etc/easy-rsa/pki/ca.crt'
	# Data-channel compression; the last reply says the client had to add 'comp-lzo yes' to match.
	# NOTE(review): OpenVPN upstream discourages compression on the data channel for security
	# reasons (it has enabled plaintext-recovery attacks on VPN traffic); consider turning it
	# off on both sides once the tunnel works.
	option comp_lzo 'yes'
	option enabled '1'
	# Options pushed to every client.
	list push 'persist-key'
	list push 'persist-tun'
	list push 'user nobody'
	list push 'topology subnet'
	list push 'route-gateway dhcp'
	# Route all client traffic through the tunnel; the 'vpn' firewall zone forwards it on to lan and wan.
	list push 'redirect-gateway def1'
	# The router's LAN address becomes the clients' resolver.
	list push 'dhcp-option DNS 192.168.1.1'
	# Implemented by the Windows client only; other clients ignore it — presumably intended for Windows users.
	list push 'block-outside-dns'
	option verb '3'
	# NOTE(review): float lets a peer change its source address, which matters for UDP;
	# with tcp-server it should have no effect — confirm it is wanted.
	option float '1'
	# TCP-only listener (the log shows "Listening for incoming TCP connection"); the WAN
	# firewall rule allows 'tcp udp' but only tcp is needed.
	# NOTE(review): no explicit data-channel cipher/auth is set, so the OpenVPN defaults
	# apply — align with the client profile if that one pins a cipher.
	option proto 'tcp-server'

**• Firewall**

# OpenWrt firewall (UCI /etc/config/firewall) as posted; the listing is cut at the
# '[......]' markers, so further rules may exist that are not shown here.
config defaults
	option syn_flood '1'
	# Zone defaults: traffic to the router itself is accepted, traffic between zones
	# is rejected unless a 'forwarding' section or a rule below allows it.
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# LAN: fully trusted.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

# WAN (eth0.2, behind the ISP modem): nothing reaches the router or the LAN unless an
# explicit rule below accepts it; masq NATs outbound traffic behind the WAN address.
config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'	
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'
	
# VPN (tun0, interface 'vpn0'): connected OpenVPN clients are trusted like the LAN —
# they may talk to the router and, via the two forwardings below, to lan and wan.
# NOTE(review): masq on this zone also NATs traffic leaving through tun0, so VPN
# clients see the router's tunnel address instead of the real LAN source — confirm
# that is intended.
config zone
	option name 'vpn'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option network 'vpn0'

# VPN clients reach the internet through this router (needed because the server
# pushes 'redirect-gateway def1').
config forwarding
	option src 'vpn'
	option dest 'wan'

# VPN clients get unrestricted access to every LAN host.
config forwarding
	option src 'vpn'
	option dest 'lan'
	
config forwarding
	option src 'lan'
	option dest 'wan'

# Opens the OpenVPN listener to the internet. The server runs 'proto tcp-server'
# only, so 'udp' is not needed in this rule.
config rule
	option name 'Autoriser-OpenVPN'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp udp'
	option dest_port '1194'
	
# The 'Allow-*' rules below are OpenWrt's stock defaults (DHCP renew, ping, IGMP,
# DHCPv6, MLD, ICMPv6); only the router itself is reachable through them.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Forward rule (dest '*'): the listed ICMPv6 types may cross the router to any zone.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Also stock defaults, but these two are forward rules: they let ESP and UDP/500 in
# from WAN to any LAN host (no dest_ip). NOTE(review): only needed if a LAN host
# terminates IPsec; they can be disabled otherwise.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Extra iptables rules are loaded from this script; its content is not shown in the thread.
config include
	option path '/etc/firewall.user'
[......]
# DNAT: tcp/8443 arriving on WAN is sent to 192.168.1.126:8443 on the LAN.
# This host's 8443 is exposed to the internet independently of the VPN.
config redirect
	option dest_port '8443'
	option src 'wan'
	option name 'Lifedomus'
	option src_dport '8443'
	option target 'DNAT'
	option dest_ip '192.168.1.126'
	option dest 'lan'
	list proto 'tcp'
[......]

**• Network**

# OpenWrt network config (UCI /etc/config/network) as posted.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	# IPv6 ULA prefix from which lan's ip6assign is taken.
	option ula_prefix 'fd48:2080:194b::/48'

# LAN: bridge over switch VLAN 1 (eth0.1), 192.168.1.0/24. 192.168.1.1 is also the
# DNS server the OpenVPN server pushes to its clients.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

# WAN: address by DHCP from the ISP modem. Per the thread the modem side is
# 192.168.0.x (this router is 192.168.0.11 there), so the WAN address is itself
# private and anything inbound from the internet depends on the modem's DMZ.
config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	# Custom resolvers are disabled; presumably DNS comes from the modem's DHCP lease.
	#list dns '8.8.8.8'
	#list dns '8.8.4.4'

# MAC override for the WAN port.
config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr 'c0:4a:00:50:fd:6b'

# Unmanaged interface over OpenVPN's tun0; it exists so the firewall 'vpn' zone can
# bind to it (network 'vpn0'). Addressing is done by OpenVPN itself.
config interface 'vpn0'
	option ifname 'tun0'
	option proto 'none'
	option auto '1'
	
# IPv6 on the same WAN port.
config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

# Switch: VLAN 1 = LAN ports 2-5, VLAN 2 = WAN port 1; '0t' is port 0 tagged
# (typically the CPU port) in both VLANs.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

**• tcpdump**

# tcpdump -i eth0.2 -vvn tcp port 443
tcpdump: listening on eth0.2, link-type EN10MB (Ethernet), capture size 262144 bytes
23:35:14.082297 IP (tos 0x0, ttl 63, id 44110, offset 0, flags [DF], proto TCP (6), length 85)
    192.168.0.11.33204 > 52.21.27.19.443: Flags [P.], cksum 0xe107 (correct), seq 4105355480:4105355513, ack 206168032, win 3994, options [nop,nop,TS val 483507005 ecr 2112865033], length 33
23:35:14.165479 IP (tos 0x0, ttl 240, id 4408, offset 0, flags [DF], proto TCP (6), length 83)
    52.21.27.19.443 > 192.168.0.11.33204: Flags [P.], cksum 0xd1cd (correct), seq 1:32, ack 33, win 422, options [nop,nop,TS val 2112956017 ecr 483507005], length 31
23:35:14.166584 IP (tos 0x0, ttl 63, id 44111, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.0.11.33204 > 52.21.27.19.443: Flags [.], cksum 0xb55c (correct), seq 33, ack 32, win 3994, options [nop,nop,TS val 483507026 ecr 2112956017], length 0

hope it is clearer now :slight_smile:

as trendy said, it seems the ISP modem does not handle the DMZ correctly (cf. tcpdump results).

From the internet, using firewall forward rules, I can access my LAN.
If I connect my PC to the ISP modem (192.168.0.1), I cannot connect to OpenWrt (192.168.0.11)

Fix that first; it doesn't depend on the ISP or the DMZ, it is only the firewall in OpenWrt.

The tcpdump that you posted is an outgoing connection. It doesn't prove anything.

Apart from tcp/8443 (redirect) and tcp/1194 there are no other ports open. Of course there could be more in the part of the config that was redacted.
Still there is no evidence that incoming forwards are not working. Tcpdump is irrelevant to your issue.

Hello, tks for your help...
What I understand from your response is that OpenWrt's firewall might block input from WAN? But looking at my configuration, I really have no idea what is blocking ;(

hello, you told me it is not secure. I keep only some ports open to be able to reach some machines while fixing the OpenVPN configuration.

I can access them from the internet if the ports are forwarded in OpenWrt. So I suppose the DMZ works...

The problem is solved then?
Again, for services hosted on the OpenWrt router, do not forward to 192.168.1.1, instead accept the port on WAN.

not solved.... the goal is to use a vpn.

# uci show openvpn
openvpn.nordvpn_france=openvpn
openvpn.nordvpn_france.config='/etc/openvpn/nordvpn_france.ovpn'
openvpn.vpn_server=openvpn
openvpn.vpn_server.dev='tun'
openvpn.vpn_server.ifconfig='10.0.0.1 10.0.0.2'
openvpn.vpn_server.keepalive='10 60'
openvpn.vpn_server.log='/var/log/openvpn.log'
openvpn.vpn_server.status='/var/run/openvpn.status 5'
openvpn.vpn_server.mute='5'
openvpn.vpn_server.mode='server'
openvpn.vpn_server.port='1194'
openvpn.vpn_server.route_gateway='dhcp'
openvpn.vpn_server.persist_tun='1'
openvpn.vpn_server.persist_key='1'
openvpn.vpn_server.server='10.8.0.0 255.255.255.0'
openvpn.vpn_server.client_to_client='1'
openvpn.vpn_server.tls_server='1'
openvpn.vpn_server.cert='/etc/easy-rsa/pki/issued/vpn_server.crt'
openvpn.vpn_server.key='/etc/easy-rsa/pki/private/vpn_server.key'
openvpn.vpn_server.tls_auth='/etc/easy-rsa/pki/ta.key 0'
openvpn.vpn_server.user='nobody'
openvpn.vpn_server.group='nogroup'
openvpn.vpn_server.dh='/etc/easy-rsa/pki/dh.pem'
openvpn.vpn_server.ca='/etc/easy-rsa/pki/ca.crt'
openvpn.vpn_server.comp_lzo='yes'
openvpn.vpn_server.enabled='1'
openvpn.vpn_server.push='persist-key' 'persist-tun' 'user nobody' 'topology subnet' 'route-gateway dhcp' 'redirect-gateway def1' 'dhcp-option DNS 192.168.1.1' 'block-outside-dns'
openvpn.vpn_server.verb='3'
openvpn.vpn_server.float='1'
openvpn.vpn_server.proto='tcp-server'
# head -n -0 /etc/openvpn/* >todel.txt
head: /etc/openvpn/config_clients: I/O error
# head -n -0 /etc/openvpn/*
==> /etc/openvpn/config_clients <==
**head: /etc/openvpn/config_clients: I/O error**

==> /etc/openvpn/downdns <==
#!/bin/sh
# OpenVPN 'down' hook for the NordVPN profile: put back the resolver file that
# updns moved aside, so DNS returns to the pre-tunnel setting.
mv /tmp/resolv.conf.auto.hold /tmp/resolv.conf.auto

==> /etc/openvpn/nordvpn_auth.txt <==
*<user@mail.com>*
*<MyPassword>*

==> /etc/openvpn/nordvpn_france.ovpn <==
# NordVPN (France) client profile; per the thread this instance is disabled and not running.
client
dev tun
proto udp
remote 212.129.29.33 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
# 0 turns off periodic data-channel key renegotiation (provider-supplied setting).
reneg-sec 0
# Compression off on this profile (the private server above has comp_lzo 'yes').
comp-lzo no

# Only accept a peer whose certificate is marked for server use.
remote-cert-tls server

# Username/password are read from this file in clear text (its content is listed
# above, redacted); keep it readable by root only, it is as sensitive as a private key.
auth-user-pass /etc/openvpn/nordvpn_auth.txt
# Same log file the 'vpn_server' instance writes to, so messages of the two
# instances would interleave if both were running.
log-append /var/log/openvpn.log
status /var/log/openvpn-status.log
# Level 2 lets OpenVPN execute the up/down scripts named next.
script-security 2
up /etc/openvpn/updns
down /etc/openvpn/downdns
# NOTE(review): the five lines above are repeated verbatim here; the duplicate
# block appears harmless but can be removed.
log-append /var/log/openvpn.log
status /var/log/openvpn-status.log
script-security 2
up /etc/openvpn/updns
down /etc/openvpn/downdns
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512

<ca>
-----BEGIN CERTIFICATE-----
*<DELETED>*==
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
*<DELETED>*
-----END OpenVPN Static key V1-----
</tls-auth>

==> /etc/openvpn/ta.key <==
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
*<DELETED>*
-----END OpenVPN Static key V1-----

==> /etc/openvpn/updns <==
#!/bin/sh
# OpenVPN 'up' hook for the NordVPN profile (run because that profile sets
# 'script-security 2' and 'up /etc/openvpn/updns'): park the current resolver
# file, then rebuild it from the DNS/DOMAIN options the server pushed.
# NOTE(review): every 'echo' below has no argument, so sed only ever sees an empty
# line and /tmp/resolv.conf.auto ends up as three blank lines with no nameserver.
# Scripts of this shape normally echo OpenVPN's foreign_option_1..3 environment
# variables; the '$...' words were probably lost when the text was pasted into the
# forum — check the script on disk before relying on it.
mv /tmp/resolv.conf.auto /tmp/resolv.conf.auto.hold
echo  | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' > /tmp/resolv.conf.auto
echo  | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf.auto
echo  | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf.auto

==> /etc/openvpn/vpn_client.crt <==
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4a:ae:bd:41:38:8c:5b:99:ad:71:ba:36:fc:18:f2:bd
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Easy-RSA CA
        Validity
            Not Before: Jan 17 21:03:19 2020 GMT
            Not After : Jan 14 21:03:19 2030 GMT
        Subject: CN=vpn_client
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    *<DELETED>*
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                D6:4E:3F:06:AE:8F:26:AD:85:69:8D:62:73:57:BE:D9:A8:9D:C6:E9
            X509v3 Authority Key Identifier:
                keyid:02:BB:68:F6:BB:1F:E6:7E:B5:90:36:19:4C:CD:56:D8:ED:6C:7B:AC
                DirName:/CN=Easy-RSA CA
                serial:6E:BE:04:5F:EA:37:78:2A:D0:03:3B:7D:73:73:13:E2:6B:A9:D1:F6

            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Key Usage:
                Digital Signature
    Signature Algorithm: sha256WithRSAEncryption
         *<DELETED>*
-----BEGIN CERTIFICATE-----
*<DELETED>*=
-----END CERTIFICATE-----

==> /etc/openvpn/vpn_client.key <==
-----BEGIN PRIVATE KEY-----
*<DELETED>*==
-----END PRIVATE KEY-----

==> /etc/openvpn/vpn_server.crt <==
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            46:13:8d:f8:fb:37:e0:40:f1:22:9c:d0:45:ed:ef:eb
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Easy-RSA CA
        Validity
            Not Before: Jan 17 21:03:15 2020 GMT
            Not After : Jan 14 21:03:15 2030 GMT
        Subject: CN=vpn_server
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    *<DELETED>*
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                AE:3C:B3:FE:48:4C:55:28:96:A9:26:3E:16:F7:F5:E9:2F:98:62:7D
            X509v3 Authority Key Identifier:
                keyid:02:BB:68:F6:BB:1F:E6:7E:B5:90:36:19:4C:CD:56:D8:ED:6C:7B:AC
                DirName:/CN=Easy-RSA CA
                serial:6E:BE:04:5F:EA:37:78:2A:D0:03:3B:7D:73:73:13:E2:6B:A9:D1:F6

            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:vpn_server
    Signature Algorithm: sha256WithRSAEncryption
         *<DELETED>*
-----BEGIN CERTIFICATE-----
*<DELETED>*==
-----END CERTIFICATE-----

==> /etc/openvpn/vpn_server.key <==
-----BEGIN PRIVATE KEY-----
*<DELETED>*=
-----END PRIVATE KEY-----

You're running two instances of OpenVPN, one is a client of NordVPN(France) and one is your own server.

If you redirect all Internet to NordVPN, your server can't work. This is because the redirect all Internet configuration alters the routing table to send all access to public IPs-- other than the one IP of the NordVPN server-- into the VPN tunnel. So when your VPN client requests a connection directly on your public IP, the OpenVPN server's response goes out via NordVPN (instead of direct through your ISP) and is lost.

nordvpn client is not activated & not running.

OK, then troubleshooting the private VPN would start by attempting a connection then looking through the client and server logs.

sorry, my English is not so rich :frowning: Not sure I understand...

the only log files I have found:

/tmp/log/openvpn.log
Thu Mar  5 21:38:57 2020 us=515206 OpenVPN 2.4.7 powerpc-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Mar  5 21:38:57 2020 us=515369 library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Thu Mar  5 21:38:57 2020 us=515967 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create
Thu Mar  5 21:38:57 2020 us=534632 Diffie-Hellman initialized with 2048 bit key
Thu Mar  5 21:38:57 2020 us=537381 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar  5 21:38:57 2020 us=537582 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar  5 21:38:57 2020 us=537725 TLS-Auth MTU parms [ L:1624 D:1182 EF:68 EB:0 ET:0 EL:3 ]
Thu Mar  5 21:38:57 2020 us=564690 TUN/TAP device tun0 opened
Thu Mar  5 21:38:57 2020 us=568202 TUN/TAP TX queue length set to 100
Thu Mar  5 21:38:57 2020 us=568436 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Mar  5 21:38:57 2020 us=568606 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Thu Mar  5 21:38:57 2020 us=592672 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Thu Mar  5 21:38:57 2020 us=603775 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Thu Mar  5 21:38:57 2020 us=604105 Could not determine IPv4/IPv6 protocol. Using AF_INET
Thu Mar  5 21:38:57 2020 us=604293 Socket Buffers: R=[87380->87380] S=[16384->16384]
Thu Mar  5 21:38:57 2020 us=604437 Listening for incoming TCP connection on [AF_INET][undef]:1194
Thu Mar  5 21:38:57 2020 us=604573 TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
Thu Mar  5 21:38:57 2020 us=604682 TCPv4_SERVER link remote: [AF_UNSPEC]
Thu Mar  5 21:38:57 2020 us=604804 GID set to nogroup
Thu Mar  5 21:38:57 2020 us=604925 UID set to nobody
Thu Mar  5 21:38:57 2020 us=605047 MULTI: multi_init called, r=256 v=256
Thu Mar  5 21:38:57 2020 us=605264 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Thu Mar  5 21:38:57 2020 us=605476 MULTI: TCP INIT maxclients=1024 maxevents=1028
Thu Mar  5 21:38:57 2020 us=605722 Initialization Sequence Completed

That shows the server has started OK and is running. No problem so far. So now try to connect a client to it, and additional lines will be logged. For testing it should work from inside the LAN.

good news, tks for all your help !

well, nothing appears in the log file (tested from the LAN and iOS)

client.openvpn

# Client profile for the private 'vpn_server' instance.
# NOTE(review): float lets the peer change its source address, which matters for UDP;
# with proto tcp it should be inert — confirm it is wanted.
float
dev tun
# Must match the server's 'proto tcp-server'.
proto tcp
ca ca.crt
cert vpn_client.crt
key vpn_client.key
# Direction 1 is the counterpart of the server's 'tls_auth ... 0'.
tls-auth ta.key 1
client
# Do not keep the credentials cached in memory.
auth-nocache
# Refuse peers whose certificate is not marked for server use; the vpn_server.crt
# listed above carries 'TLS Web Server Authentication', so it qualifies.
remote-cert-tls server
# NOTE(review): the server listens on 1194 (see 'option port' and the server log),
# not 443; this mismatch is why nothing reached the server until the port was changed.
remote home.domain.fr 443
verb 4
# No compression directive here while the server has comp_lzo 'yes'; the last reply
# in the thread says adding 'comp-lzo yes' was needed to make the tunnel work.

one remark : is this incorrect ???

head -n -0 /etc/openvpn/*
==> /etc/openvpn/config_clients <==
head: /etc/openvpn/config_clients: I/O error

Server listening on port 1194, client trying to connect to port 443. That of course means the server never gets anything.

I/O error is usually bad, like a bad flash chip. Can you cat just that one file?


/etc/openvpn/config_clients is not a file, but a directory.

hey! it is close to working!!

TUN write exception: write_some: asio.system error: asio.system error

but there is communication now :slight_smile:

I was insisting on using 443. I changed it to 1194 everywhere, and voilà...

well, now I am going to understand first why this error is happening, and after that, I will use 443.

Many thanks for all your help guys.

Fixed by adding 'comp-lzo yes' to the ovpn client file, matching the server's comp_lzo 'yes'.
