Not getting OpenVPN-Routing to work

Hi everybody,

For a couple of days I have been trying to get the following working:
RPi (client) --> WAN --> GL-AR300M (OpenWrt and OpenVPN) --> routing to my home network.

What works:
I can establish the OpenVPN connection to my AR300M.
I can ping and SSH from the client to the AR300M (and also from the AR300M to the client).

root@GL-AR300M:~# ssh pi@192.168.2.6
pi@192.168.2.6's password:
Linux devopb 4.14.98-v7+ #1200 SMP Tue Feb 12 20:27:48 GMT 2019 armv7l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Apr 10 17:04:22 2019 from 192.168.8.100
pi@devopb:~ $
pi@devopb:~ $ ssh root@192.168.2.1
root@192.168.2.1's password: 

BusyBox v1.28.3 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 18.06.1, r7258-5eb055306f
 -----------------------------------------------------
root@GL-AR300M:~# 

But I can NOT get it to route traffic to my home network. For example, I cannot reach 192.168.1.22 (which is also an RPi).
Somehow I managed to also reach the AR300M through 192.168.1.2 (which is its internal IP), but no other devices.

pi@devopb:~ $ ssh root@192.168.1.2
root@192.168.1.2's password: 


BusyBox v1.28.3 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 18.06.1, r7258-5eb055306f
 -----------------------------------------------------
root@GL-AR300M:~# 

My configs so far:
/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd6f:af50:d654::/48'

config interface 'lan'                                                                                                                                                                                             
        option type 'bridge'                                                                                                                                                                                       
        option proto 'static'                                                                                                                                                                                      
        option netmask '255.255.255.0'
        option ip6assign '60'
        option macaddr 'e4:95:6e:44:80:f2'
        option default_macaddr 'e4:95:6e:44:80:f2'
        option hostname 'GL-AR300M-0f1'
        option ipaddr '192.168.1.2'
        option gateway '192.168.1.254'
        option broadcast '192.168.1.255'
        option dns '1.1.1.1'
        option ifname 'eth1'

config device 'lan_dev'
        option name 'eth1'
        option macaddr 'e4:95:6e:44:80:f1'

config interface 'wan'
        option hostname 'GL-AR300M-0f1'
        option metric '10'
        option clientid 'root'
        option proto 'static'
        option ipaddr '192.168.2.2'
        option gateway '192.168.2.254'
        option netmask '255.255.255.0'
        option peerdns '0'
        option dns '1.1.1.1 8.8.8.8'
        option ifname 'eth0 eth1'

config interface 'wan6'
        option proto 'dhcpv6'
        option ifname 'eth0'

config interface 'guest'
        option ifname 'guest'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.9.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config route

config interface 'vpn0'
        option proto 'none'
        option ifname 'tun0'
        option auto '1'

/etc/config/openvpn

config openvpn 'custom_config'
        option enabled 1
        option port 1194
        option proto tcp
        option dev tun0
        option ca /root/ca.crt
        option cert /root/server.crt
        option dh /root/dh4096.pem
        option key /root/server.key
        option server "192.168.2.0 255.255.255.0"
        option ifconfig_pool_persist /tmp/ipp.txt
        list push "route 192.168.1.0 255.255.255.0"
        route 192.168.1.0 255.255.255.0
        client-to-client
        option keepalive "10 120"
        option tls_auth "/root/tlsauth.key 0"
        option cipher AES-256-CBC
        option compress lzo
        option persist_key 1
        option persist_tun 1
        option user nobody
        option status /tmp/openvpn-status.log
        option verb 3

/etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option device 'tun0'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'                                                                                                                                                                                   
        option src 'wan'                                                                                                                                                                                           
        option proto 'icmp'                                                                                                                                                                                        
        option icmp_type 'echo-request'                                                                                                                                                                            
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'
        option reload '1'

config zone 'guestzone'
        option name 'guestzone'
        option network 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'

config forwarding 'guestzone_fwd'
        option src 'guestzone'
        option dest 'wan'

config rule 'guestzone_dhcp'
        option name 'guestzone_DHCP'
        option src 'guestzone'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'

config rule 'guestzone_dns'
        option name 'guestzone_DNS'
        option src 'guestzone'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'

config include 'glfw'
        option type 'script'
        option path '/usr/bin/glfw.sh'
        option reload '1'

config include 'glqos'
        option type 'script'
        option path '/usr/sbin/glqos.sh'
        option reload '1'

config include 'mwan3'
        option type 'script'
        option path '/var/etc/mwan3.include'
        option reload '1'

config rule 'glservice_rule'
        option name 'glservice'
        option dest_port '83'
        option proto 'tcp udp'
        option src 'wan'
        option target 'ACCEPT'
        option enabled '0'

config rule 'vpn'
        option name 'Allow-OpenVPN'
        option src 'lan'
        option dest_port '1194'
        option proto 'tcp'
        option target 'ACCEPT'
        option dest 'lan'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option name 'vpn'
        option forward 'ACCEPT'
        list device 'tun0'
        option network 'vpn0'

config redirect
        option target 'DNAT'
        option src 'vpn'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '23'
        option dest_ip '192.168.1.22'
        option dest_port '22'
        option name 'vpn_sshtest'
        option reflection '0'
        option enabled '0'

config forwarding
        option dest 'wan'
        option src 'lan'

config forwarding
        option dest 'lan'
        option src 'vpn'

config forwarding
        option dest 'vpn'
        option src 'lan'

Please help, I really have no clue. I have already followed a lot of wiki/tutorial/HowTo pages, so maybe there is also just a left-over somewhere that is blocking me :(

Thanks a lot,

Icinger

This is invalid syntax.

https://community.openvpn.net/openvpn/wiki/VORACLE

Also, you are missing option topology subnet.

Follow the guide and you will get it:

1 Like
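As an added check (my own helper, not code from this thread, from OpenWrt or from OpenVPN), the following script applies the points raised in the reply above to the configuration posted in the opening post: it flags the bare route and client-to-client lines as non-UCI syntax, the missing topology subnet, the compress lzo option, and it compares the server pool against the static subnets in /etc/config/network, since the posted wan interface and the server directive both sit in 192.168.2.0/24. The embedded configs are constructed samples trimmed to the relevant lines of the ones posted.

```python
"""Lint an OpenWrt /etc/config/openvpn server section for the problems raised in the
reply above: bare non-UCI lines, a missing 'topology subnet', compression (VORACLE),
and a server pool that overlaps a subnet already used in /etc/config/network.
Hypothetical helper written for this page; it is not part of OpenWrt or OpenVPN."""
import ipaddress
import shlex

# Constructed samples, trimmed to the relevant lines of the configs posted above.
NETWORK_CFG = """
config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.2'
        option netmask '255.255.255.0'

config interface 'wan'
        option proto 'static'
        option ipaddr '192.168.2.2'
        option netmask '255.255.255.0'
"""

OPENVPN_CFG = """
config openvpn 'custom_config'
        option enabled 1
        option dev tun0
        option server "192.168.2.0 255.255.255.0"
        list push "route 192.168.1.0 255.255.255.0"
        route 192.168.1.0 255.255.255.0
        client-to-client
        option compress lzo
"""


def parse_uci(text):
    """Minimal UCI parser: returns (sections, bad_lines).

    Each section is {'type', 'name', 'options': {key: [values...]}}. Any line that
    is not 'config', 'option' or 'list' goes to bad_lines with its line number,
    which is how a raw OpenVPN directive pasted into a UCI file shows up."""
    sections, bad = [], []
    cur = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)
        if words[0] == "config" and len(words) >= 2:
            cur = {"type": words[1], "name": words[2] if len(words) > 2 else None,
                   "options": {}}
            sections.append(cur)
        elif words[0] in ("option", "list") and cur is not None and len(words) >= 3:
            cur["options"].setdefault(words[1], []).append(" ".join(words[2:]))
        else:
            bad.append((lineno, line))
    return sections, bad


def static_subnets(sections):
    """(interface name, network) for every static 'config interface' with an ipaddr."""
    out = []
    for s in sections:
        o = s["options"]
        if s["type"] == "interface" and o.get("proto", [""])[0] == "static" and "ipaddr" in o:
            mask = o.get("netmask", ["255.255.255.255"])[0]
            out.append((s["name"], ipaddress.ip_network(f"{o['ipaddr'][0]}/{mask}", strict=False)))
    return out


def lint_openvpn(openvpn_text, network_text):
    """Return a list of human-readable findings; an empty list means all checks pass."""
    findings = []
    sections, bad = parse_uci(openvpn_text)
    for lineno, line in bad:
        findings.append(f"line {lineno}: '{line}' is not UCI syntax; "
                        f"write it as an option or list entry")
    lan_nets = static_subnets(parse_uci(network_text)[0])
    for s in sections:
        if s["type"] != "openvpn":
            continue
        o, name = s["options"], s["name"]
        if o.get("topology", [""])[0] != "subnet":
            findings.append(f"{name}: topology is not 'subnet' (server defaults to net30)")
        if "compress" in o or "comp_lzo" in o:
            findings.append(f"{name}: compression is enabled; remove it (VORACLE)")
        for spec in o.get("server", []):
            net, mask = spec.split()
            pool = ipaddress.ip_network(f"{net}/{mask}", strict=False)
            for iface, subnet in lan_nets:
                if pool.overlaps(subnet):
                    findings.append(f"{name}: server pool {pool} overlaps "
                                    f"interface '{iface}' ({subnet})")
    return findings


if __name__ == "__main__":
    for finding in lint_openvpn(OPENVPN_CFG, NETWORK_CFG):
        print(finding)
```

Run it against the real files with open('/etc/config/openvpn').read() and open('/etc/config/network').read() in place of the samples; an empty result means none of the five checks fired.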

That part is already working (VPN)

Added topology subnet
Removed client-to-client (which is not really necessary here, as far as I understand)
Removed compression

route 192.168.1.0 255.255.255.0

corrected to route 192.168.2.0 255.255.255.0

VPN connecting, but routing still not working.

VPN log from the server:

Wed Apr 10 20:18:32 2019 daemon.notice openvpn(custom_config)[7647]: OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]                                                  
Wed Apr 10 20:18:32 2019 daemon.notice openvpn(custom_config)[7647]: library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.10                                                                                       
Wed Apr 10 20:18:32 2019 daemon.warn openvpn(custom_config)[7647]: NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Wed Apr 10 20:18:33 2019 daemon.notice openvpn(custom_config)[7647]: Diffie-Hellman initialized with 4096 bit key                                                                                                  
Wed Apr 10 20:18:33 2019 daemon.notice openvpn(custom_config)[7647]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication                                            
Wed Apr 10 20:18:33 2019 daemon.notice openvpn(custom_config)[7647]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication                                            
Wed Apr 10 20:18:33 2019 daemon.notice netifd: Interface 'vpn0' is enabled                                                                                                                                         
Wed Apr 10 20:18:33 2019 daemon.notice netifd: Interface 'vpn0' has link connectivity
Wed Apr 10 20:18:33 2019 daemon.notice netifd: Interface 'vpn0' is setting up now
Wed Apr 10 20:18:33 2019 daemon.notice netifd: Interface 'vpn0' is now up
Wed Apr 10 20:18:33 2019 daemon.notice openvpn(custom_config)[7647]: TUN/TAP device tun0 opened
Wed Apr 10 20:18:33 2019 daemon.notice openvpn(custom_config)[7647]: TUN/TAP TX queue length set to 100
Wed Apr 10 20:18:33 2019 daemon.notice openvpn(custom_config)[7647]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0                                                                                                   
Wed Apr 10 20:18:33 2019 daemon.notice openvpn(custom_config)[7647]: /sbin/ifconfig tun0 192.168.2.1 pointopoint 192.168.2.2 mtu 1500                                                                             
Wed Apr 10 20:18:33 2019 daemon.notice openvpn(custom_config)[7647]: /sbin/route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.2.2                                                                        
Wed Apr 10 20:18:33 2019 daemon.warn openvpn(custom_config)[7647]: Could not determine IPv4/IPv6 protocol. Using AF_INET                                                                                          
Wed Apr 10 20:18:33 2019 daemon.notice openvpn(custom_config)[7647]: Socket Buffers: R=[87380->87380] S=[16384->16384]                                                                                            
Wed Apr 10 20:18:33 2019 daemon.notice openvpn(custom_config)[7647]: Listening for incoming TCP connection on [AF_INET][undef]:1194                                                                               
Wed Apr 10 20:18:33 2019 daemon.notice openvpn(custom_config)[7647]: TCPv4_SERVER link local (bound): [AF_INET][undef]:1194                                                                                       
Wed Apr 10 20:18:33 2019 daemon.notice openvpn(custom_config)[7647]: TCPv4_SERVER link remote: [AF_UNSPEC]                                                                                                        
Wed Apr 10 20:18:33 2019 daemon.notice openvpn(custom_config)[7647]: UID set to nobody
Wed Apr 10 20:18:33 2019 daemon.notice openvpn(custom_config)[7647]: MULTI: multi_init called, r=256 v=256                                                                                                        
Wed Apr 10 20:18:33 2019 daemon.notice openvpn(custom_config)[7647]: IFCONFIG POOL: base=192.168.2.4 size=62, ipv6=0                                                                                              
Wed Apr 10 20:18:33 2019 daemon.notice openvpn(custom_config)[7647]: IFCONFIG POOL LIST
Wed Apr 10 20:18:33 2019 daemon.notice openvpn(custom_config)[7647]: MULTI: TCP INIT maxclients=1024 maxevents=1028                                                                                               
Wed Apr 10 20:18:33 2019 daemon.notice openvpn(custom_config)[7647]: Initialization Sequence Completed

Wed Apr 10 20:18:40 2019 daemon.notice openvpn(custom_config)[7647]: TCP connection established with [AF_INET]213.147.161.122:36086                                                                               
Wed Apr 10 20:18:41 2019 daemon.notice openvpn(custom_config)[7647]: 213.147.161.122:36086 TLS: Initial packet from [AF_INET]213.147.161.122:36086, sid=5465bb55 931fa7fd                                         
Wed Apr 10 20:18:45 2019 daemon.notice openvpn(custom_config)[7647]: 213.147.161.122:36086 VERIFY OK: depth=1, C=AT, ST=NOE, L=Goellersdorf, O=xxxxxxx, OU=MyOrganizationalUnit, CN=xxxxxxx CA, name=EasyRSA, emailAddress=stefan@gmail.com
Wed Apr 10 20:18:45 2019 daemon.notice openvpn(custom_config)[7647]: 213.147.161.122:36086 VERIFY OK: depth=0, C=AT, ST=NOE, L=Goellersdorf, O=xxxxxxx, OU=MyOrganizationalUnit, CN=my.dyndns.org, name=EasyRSA, emailAddress=stefan@gmail.com
Wed Apr 10 20:18:45 2019 daemon.notice openvpn(custom_config)[7647]: 213.147.161.122:36086 peer info: IV_VER=2.4.0                                                                                                
Wed Apr 10 20:18:45 2019 daemon.notice openvpn(custom_config)[7647]: 213.147.161.122:36086 peer info: IV_PLAT=linux                                                                                               
Wed Apr 10 20:18:45 2019 daemon.notice openvpn(custom_config)[7647]: 213.147.161.122:36086 peer info: IV_PROTO=2                                                                                                  
Wed Apr 10 20:18:45 2019 daemon.notice openvpn(custom_config)[7647]: 213.147.161.122:36086 peer info: IV_NCP=2                                                                                                    
Wed Apr 10 20:18:45 2019 daemon.notice openvpn(custom_config)[7647]: 213.147.161.122:36086 peer info: IV_LZ4=1                                                                                                    
Wed Apr 10 20:18:45 2019 daemon.notice openvpn(custom_config)[7647]: 213.147.161.122:36086 peer info: IV_LZ4v2=1                                                                                                  
Wed Apr 10 20:18:45 2019 daemon.notice openvpn(custom_config)[7647]: 213.147.161.122:36086 peer info: IV_LZO=1                                                                                                    
Wed Apr 10 20:18:45 2019 daemon.notice openvpn(custom_config)[7647]: 213.147.161.122:36086 peer info: IV_COMP_STUB=1                                                                                              
Wed Apr 10 20:18:45 2019 daemon.notice openvpn(custom_config)[7647]: 213.147.161.122:36086 peer info: IV_COMP_STUBv2=1                                                                                            
Wed Apr 10 20:18:45 2019 daemon.notice openvpn(custom_config)[7647]: 213.147.161.122:36086 peer info: IV_TCPNL=1                                                                                                  
Wed Apr 10 20:18:45 2019 daemon.notice openvpn(custom_config)[7647]: 213.147.161.122:36086 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA                                 
Wed Apr 10 20:18:45 2019 daemon.notice openvpn(custom_config)[7647]: 213.147.161.122:36086 [my.dyndns.org] Peer Connection Initiated with [AF_INET]213.147.161.122:36086                                      
Wed Apr 10 20:18:45 2019 daemon.notice openvpn(custom_config)[7647]: my.dyndns.org/213.147.161.122:36086 MULTI_sva: pool returned IPv4=192.168.2.6, IPv6=(Not enabled)                                        
Wed Apr 10 20:18:45 2019 daemon.notice openvpn(custom_config)[7647]: my.dyndns.org/213.147.161.122:36086 MULTI: Learn: 192.168.2.6 -> my.dyndns.org/213.147.161.122:36086                                 
Wed Apr 10 20:18:45 2019 daemon.notice openvpn(custom_config)[7647]: my.dyndns.org/213.147.161.122:36086 MULTI: primary virtual IP for my.dyndns.org/213.147.161.122:36086: 192.168.2.6                   
Wed Apr 10 20:18:46 2019 daemon.notice openvpn(custom_config)[7647]: my.dyndns.org/213.147.161.122:36086 PUSH: Received control message: 'PUSH_REQUEST'                                                       
Wed Apr 10 20:18:46 2019 daemon.notice openvpn(custom_config)[7647]: my.dyndns.org/213.147.161.122:36086 SENT CONTROL [my.dyndns.org]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 192.168.2.1,topology net30,ping 10,ping-restart 120,ifconfig 192.168.2.6 192.168.2.5,peer-id 0,cipher AES-256-GCM' (status=1)                                                                                                       
Wed Apr 10 20:18:46 2019 daemon.notice openvpn(custom_config)[7647]: my.dyndns.org/213.147.161.122:36086 Data Channel: using negotiated cipher 'AES-256-GCM'                                                  
Wed Apr 10 20:18:46 2019 daemon.notice openvpn(custom_config)[7647]: my.dyndns.org/213.147.161.122:36086 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key                             
Wed Apr 10 20:18:46 2019 daemon.notice openvpn(custom_config)[7647]: my.dyndns.org/213.147.161.122:36086 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key                                            

Log from client:

Wed Apr 10 20:18:40 2019 Attempting to establish TCP connection with [AF_INET]43.57.13.19:1194 [nonblock]                                                                                                         
Wed Apr 10 20:18:41 2019 TCP connection established with [AF_INET]43.57.13.19:1194
Wed Apr 10 20:18:41 2019 TCP_CLIENT link local: (not bound)
Wed Apr 10 20:18:41 2019 TCP_CLIENT link remote: [AF_INET]43.57.13.19:1194
Wed Apr 10 20:18:41 2019 TLS: Initial packet from [AF_INET]43.57.13.19:1194, sid=be194487 8c49a836
Wed Apr 10 20:18:44 2019 VERIFY OK: depth=1, C=AT, ST=NOE, L=Goellersdorf, O=myother.dyndns.org, OU=MyOrganizationalUnit, CN=myother.dyndns.org CA, name=EasyRSA, emailAddress=stefan@gmail.com                 
Wed Apr 10 20:18:44 2019 Validating certificate key usage
Wed Apr 10 20:18:44 2019 ++ Certificate has key usage  00a0, expects 00a0
Wed Apr 10 20:18:44 2019 VERIFY KU OK
Wed Apr 10 20:18:44 2019 Validating certificate extended key usage
Wed Apr 10 20:18:44 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication                                                                                        
Wed Apr 10 20:18:44 2019 VERIFY EKU OK
Wed Apr 10 20:18:44 2019 VERIFY OK: depth=0, C=AT, ST=NOE, L=Goellersdorf, O=myother.dyndns.org, OU=MyOrganizationalUnit, CN=server, name=EasyRSA, emailAddress=stefan@gmail.com                                 
Wed Apr 10 20:18:45 2019 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA                                                                                                   
Wed Apr 10 20:18:45 2019 [server] Peer Connection Initiated with [AF_INET]43.57.13.19:1194
Wed Apr 10 20:18:46 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Apr 10 20:18:46 2019 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 192.168.2.1,topology net30,ping 10,ping-restart 120,ifconfig 192.168.2.6 192.168.2.5,peer-id 0,cipher AES-256-GCM'
Wed Apr 10 20:18:46 2019 OPTIONS IMPORT: timers and/or timeouts modified
Wed Apr 10 20:18:46 2019 OPTIONS IMPORT: --ifconfig/up options modified
Wed Apr 10 20:18:46 2019 OPTIONS IMPORT: route options modified
Wed Apr 10 20:18:46 2019 OPTIONS IMPORT: peer-id set
Wed Apr 10 20:18:46 2019 OPTIONS IMPORT: adjusting link_mtu to 1626
Wed Apr 10 20:18:46 2019 OPTIONS IMPORT: data channel crypto options modified
Wed Apr 10 20:18:46 2019 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Apr 10 20:18:46 2019 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Apr 10 20:18:46 2019 Preserving previous TUN/TAP instance: tun0
Wed Apr 10 20:18:46 2019 Initialization Sequence Completed
uci set openvpn.custom_config.topology="subnet"
uci set openvpn.custom_config.client_to_client="1"
uci add_list openvpn.custom_config.route="192.168.1.0 255.255.255.0"
uci commit openvpn
service openvpn restart

Connection looks good now:

Thu Apr 11 18:46:16 2019 OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 14 2018
Thu Apr 11 18:46:16 2019 library versions: OpenSSL 1.0.2r  26 Feb 2019, LZO 2.08
Thu Apr 11 18:46:16 2019 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr 11 18:46:16 2019 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr 11 18:46:16 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]46.75.11.19:1194
Thu Apr 11 18:46:16 2019 Socket Buffers: R=[87380->87380] S=[16384->16384]
Thu Apr 11 18:46:16 2019 Attempting to establish TCP connection with [AF_INET]46.75.11.19:1194 [nonblock]
Thu Apr 11 18:46:17 2019 TCP connection established with [AF_INET]46.75.11.19:1194
Thu Apr 11 18:46:17 2019 TCP_CLIENT link local: (not bound)
Thu Apr 11 18:46:17 2019 TCP_CLIENT link remote: [AF_INET]46.75.11.19:1194
Thu Apr 11 18:46:17 2019 TLS: Initial packet from [AF_INET]46.75.11.19:1194, sid=eb500aad 2a3847e3
Thu Apr 11 18:46:18 2019 VERIFY OK: depth=1, C=AT, ST=NOE, L=Goellersdorf, O=guttmann.dyndns.org, OU=MyOrganizationalUnit, CN=guttmann.dyndns.org CA, name=EasyRSA, emailAddress=stefan@gmail.com
Thu Apr 11 18:46:18 2019 Validating certificate key usage
Thu Apr 11 18:46:18 2019 ++ Certificate has key usage  00a0, expects 00a0
Thu Apr 11 18:46:18 2019 VERIFY KU OK
Thu Apr 11 18:46:18 2019 Validating certificate extended key usage
Thu Apr 11 18:46:18 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Apr 11 18:46:18 2019 VERIFY EKU OK
Thu Apr 11 18:46:18 2019 VERIFY OK: depth=0, C=AT, ST=NOE, L=Goellersdorf, O=guttmann.dyndns.org, OU=MyOrganizationalUnit, CN=server, name=EasyRSA, emailAddress=stefan@gmail.com
Thu Apr 11 18:46:19 2019 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1559', remote='link-mtu 1543'
Thu Apr 11 18:46:19 2019 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Thu Apr 11 18:46:19 2019 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Thu Apr 11 18:46:19 2019 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Thu Apr 11 18:46:19 2019 [server] Peer Connection Initiated with [AF_INET]46.75.11.19:1194
Thu Apr 11 18:46:20 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Apr 11 18:46:20 2019 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route-gateway 192.168.1.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.1.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Thu Apr 11 18:46:20 2019 OPTIONS IMPORT: timers and/or timeouts modified
Thu Apr 11 18:46:20 2019 OPTIONS IMPORT: --ifconfig/up options modified
Thu Apr 11 18:46:20 2019 OPTIONS IMPORT: route options modified
Thu Apr 11 18:46:20 2019 OPTIONS IMPORT: route-related options modified
Thu Apr 11 18:46:20 2019 OPTIONS IMPORT: peer-id set
Thu Apr 11 18:46:20 2019 OPTIONS IMPORT: adjusting link_mtu to 1626
Thu Apr 11 18:46:20 2019 OPTIONS IMPORT: data channel crypto options modified
Thu Apr 11 18:46:20 2019 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Apr 11 18:46:20 2019 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Apr 11 18:46:20 2019 ROUTE_GATEWAY 192.168.8.1/255.255.255.0 IFACE=wlan0 HWADDR=b8:27:eb:ac:4e:0b
Thu Apr 11 18:46:20 2019 TUN/TAP device tun0 opened
Thu Apr 11 18:46:20 2019 TUN/TAP TX queue length set to 100
Thu Apr 11 18:46:20 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Apr 11 18:46:20 2019 /sbin/ip link set dev tun0 up mtu 1500
Thu Apr 11 18:46:20 2019 /sbin/ip addr add dev tun0 192.168.1.2/24 broadcast 192.168.1.255
Thu Apr 11 18:46:20 2019 /sbin/ip route add 192.168.1.0/24 via 192.168.1.1
RTNETLINK answers: File exists
Thu Apr 11 18:46:20 2019 ERROR: Linux route add command failed: external program exited with error status: 2
Thu Apr 11 18:46:20 2019 Initialization Sequence Completed

But still no chance to see devices inside my home network :frowning:

pi@devopb:~ $ nmap -sn 192.168.1.0/24                                                                                                                                                                             

Starting Nmap 7.40 ( https://nmap.org ) at 2019-04-11 18:47 CEST
Nmap scan report for 192.168.1.2
Host is up (0.0017s latency).
Nmap done: 256 IP addresses (1 host up) scanned in 2.77 seconds

The only reachable address is my VPN-Server

It appears that your WAN IP address and your OpenVPN server are on the same subnet. Try changing your VPN to something else... maybe (as an example):

        option server "10.0.25.0 255.255.255.0"

Also, you may need to add a forwarding rule in the firewall to allow your VPN zone > WAN zone.

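An added check for the addressing problem this reply points at: the second connection log above shows the server pushing tun0 onto 192.168.1.0/24, the same subnet as the home LAN, and the pushed route for 192.168.1.0/24 then fails with "File exists" because the kernel already has that subnet as a connected route on tun0. The code below is example code written for this thread, not anything posted in it and not part of OpenVPN or OpenWrt. The PUSH_REPLY strings are built from the values in the logs (the 10.0.25.0/24 "fixed" variant is constructed from the subnet suggested in the reply), and the names `parse_push_reply`, `route_network`, `tunnel_network` and `find_conflicts` are the example's own.

```python
import ipaddress

# Constructed sample input: the PUSH_REPLY from the second client log in this thread,
# where the server pushed the tunnel onto the same 192.168.1.0/24 as the home LAN.
PUSH_REPLY = (
    "PUSH_REPLY,route 192.168.1.0 255.255.255.0,route-gateway 192.168.1.1,"
    "topology subnet,ping 10,ping-restart 120,ifconfig 192.168.1.2 255.255.255.0,"
    "peer-id 0,cipher AES-256-GCM"
)
# Constructed: what the reply would look like after moving the server to 10.0.25.0/24,
# the change suggested in the thread.
FIXED_PUSH_REPLY = (
    "PUSH_REPLY,route 192.168.1.0 255.255.255.0,route-gateway 10.0.25.1,"
    "topology subnet,ping 10,ping-restart 120,ifconfig 10.0.25.2 255.255.255.0,"
    "peer-id 0,cipher AES-256-GCM"
)
# Assumed from the log: the client's own LAN (the ROUTE_GATEWAY network, 192.168.8.0/24)
# and the LAN behind the OpenVPN server that the tunnel is supposed to reach.
CLIENT_LOCAL = [ipaddress.ip_network("192.168.8.0/24")]
SERVER_LAN = ipaddress.ip_network("192.168.1.0/24")


def parse_push_reply(line):
    """Split a PUSH_REPLY control message into a dict; 'route' is always a list."""
    fields = line.split(",")
    if fields[0] != "PUSH_REPLY":
        raise ValueError("not a PUSH_REPLY message")
    opts = {"route": []}
    for item in fields[1:]:
        key, _, value = item.partition(" ")
        if key == "route":
            opts["route"].append(value)
        else:
            opts[key] = value
    return opts


def route_network(spec):
    """'192.168.1.0 255.255.255.0' -> 192.168.1.0/24; a bare host ('192.168.2.1') -> /32."""
    addr, _, mask = spec.partition(" ")
    return ipaddress.ip_network(f"{addr}/{mask or '255.255.255.255'}", strict=False)


def tunnel_network(opts):
    """Network that the pushed ifconfig puts on tun0.
    topology subnet: the second ifconfig argument is a netmask.
    topology net30:  the second argument is the peer endpoint; both live in a /30.
    topology p2p:    point-to-point, only the local address matters."""
    addr, _, second = opts["ifconfig"].partition(" ")
    topology = opts.get("topology", "net30")
    if topology == "subnet":
        return ipaddress.ip_interface(f"{addr}/{second}").network
    if topology == "net30":
        return ipaddress.ip_network(f"{addr}/30", strict=False)
    return ipaddress.ip_network(f"{addr}/32")


def find_conflicts(opts, client_local, server_lan):
    """Return (kind, a, b) tuples for every addressing conflict that breaks routing."""
    conflicts = []
    tun = tunnel_network(opts)
    for net in client_local:
        if tun.overlaps(net):
            conflicts.append(("tunnel-overlaps-client-lan", str(tun), str(net)))
    if tun.overlaps(server_lan):
        # The diagnosis given in this thread: VPN subnet collides with the server's LAN.
        conflicts.append(("tunnel-overlaps-server-lan", str(tun), str(server_lan)))
    for spec in opts["route"]:
        route = route_network(spec)
        if route == tun:
            # The kernel already has this subnet as a connected route on tun0,
            # so 'ip route add ... via ...' fails with 'RTNETLINK answers: File exists'.
            conflicts.append(("route-equals-tunnel", str(route), str(tun)))
        for net in client_local:
            if route.overlaps(net):
                # A pushed route for a subnet the client uses locally shadows that LAN.
                conflicts.append(("route-overlaps-client-lan", str(route), str(net)))
    return conflicts


if __name__ == "__main__":
    for name, reply in (("original", PUSH_REPLY), ("fixed", FIXED_PUSH_REPLY)):
        found = find_conflicts(parse_push_reply(reply), CLIENT_LOCAL, SERVER_LAN)
        print(name, "->", found or "no conflicts")
```

Run it with the PUSH_REPLY line copied from the client's OpenVPN log and the client's own networks filled in; an empty result means the tunnel subnet, the client's local networks and the pushed routes do not collide. With the thread's original reply it reports the tunnel overlapping the server LAN and the pushed route being identical to the tunnel subnet; with the server moved to 10.0.25.0/24 it reports nothing.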

Thx, somehow I must have mixed that up.

Now PART of my network is visible (only devices which have a DHCP address), but:
Devices with a fixed IP are neither visible nor reachable.
Devices with DHCP are visible, but not reachable.

pi@devopb:~ $ nmap -sn 192.168.1.0/24

Starting Nmap 7.40 ( https://nmap.org ) at 2019-04-11 19:54 CEST
Nmap scan report for 192.168.1.2
Host is up (0.18s latency).
Nmap scan report for 192.168.1.106
Host is up (0.12s latency).
Nmap scan report for 192.168.1.121
Host is up (0.12s latency).
Nmap scan report for 192.168.1.124
Host is up (0.072s latency).
Nmap scan report for 192.168.1.225
Host is up (0.10s latency).
Nmap done: 256 IP addresses (5 hosts up) scanned in 12.25 seconds
pi@devopb:~ $ ping 192.168.1.22
PING 192.168.1.22 (192.168.1.22) 56(84) bytes of data.
^C
--- 192.168.1.22 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4139ms

pi@devopb:~ $ telnet 192.168.1.106
Trying 192.168.1.106...
telnet: Unable to connect to remote host: Connection refused
pi@devopb:~ $ 

This doesn't make any sense at all. If the devices have active addresses on the network, it doesn't matter whether it is DHCP, static DHCP (reservations), or static IP (manual); the device should be reachable. It is entirely possible that the devices are not on (or listening/responding) or are at a different address.

Meanwhile, most modern systems have telnet disabled (because it is a serious security risk), so it is not surprising that the connection was refused (unless you can verify that the same host accepts telnet when you're on the same LAN). If that is the case, you might check the firewall on that device -- it is possible that it is restricting connections only to connections from the same subnet (Windows, for example, often blocks connections from other VLANs, even if the routing/firewall for the network infrastructure doesn't have any restrictions in place).

I know that it doesn't really make sense, but:

stefan@lappi:~$ ping 192.168.1.22
PING 192.168.1.22 (192.168.1.22) 56(84) bytes of data.
64 bytes from 192.168.1.22: icmp_seq=1 ttl=64 time=0.250 ms
64 bytes from 192.168.1.22: icmp_seq=2 ttl=64 time=0.386 ms
^C
--- 192.168.1.22 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 29ms
rtt min/avg/max/mdev = 0.250/0.318/0.386/0.068 ms
stefan@lappi:~$ telnet 192.168.1.106
Trying 192.168.1.106...
Connected to 192.168.1.106.
Escape character is '^]'.

HP JetDirect

Please type "?" for HELP, or "/" for current settings
> exit

 EXITING WITHOUT SAVING ANY ENTRIES 
> Connection closed by foreign host.
stefan@lappi:~$ 

That's from the laptop that I'm currently sitting on, and that's inside my home network :frowning:

It's also the reason why I added my firewall settings in the first post.
For me, the firewall looks good, but maybe there is something I'm missing?

Try adding forwarding from VPN > WAN.

Did that, but no change.
Somehow, routing is not working:

pi@devopb:~ $ traceroute 192.168.1.22
traceroute to 192.168.1.22 (192.168.1.22), 30 hops max, 60 byte packets
 1  10.0.25.1 (10.0.25.1)  52.980 ms  110.658 ms  158.873 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
pi@devopb:~ $ 
> iptables-save
> uci show firewall
root@GL-AR300M:~# uci show firewall                                                                                                                                                                                
firewall.@defaults[0]=defaults                                                                                                                                                                                     
firewall.@defaults[0].syn_flood='1'                                                                                                                                                                                
firewall.@defaults[0].input='ACCEPT'                                                                                                                                                                               
firewall.@defaults[0].output='ACCEPT'                                                                                                                                                                              
firewall.@defaults[0].forward='REJECT'                                                                                                                                                                             
firewall.@zone[0]=zone                                                                                                                                                                                             
firewall.@zone[0].name='lan'                                                                                                                                                                                       
firewall.@zone[0].input='ACCEPT'                                                                                                                                                                                   
firewall.@zone[0].output='ACCEPT'                                                                                                                                                                                  
firewall.@zone[0].forward='ACCEPT'                                                                                                                                                                                 
firewall.@zone[0].device='tun0'                                                                                                                                                                                    
firewall.@zone[0].network='lan'                                                                                                                                                                                    
firewall.@zone[1]=zone                                                                                                                                                                                             
firewall.@zone[1].name='wan'                                                                                                                                                                                       
firewall.@zone[1].input='REJECT'                                                                                                                                                                                   
firewall.@zone[1].output='ACCEPT'                                                                                                                                                                                  
firewall.@zone[1].forward='REJECT'                                                                                                                                                                                 
firewall.@zone[1].masq='1'                                                                                                                                                                                         
firewall.@zone[1].mtu_fix='1'                                                                                                                                                                                      
firewall.@zone[1].network='wan6'                                                                                                                                                                                   
firewall.@rule[0]=rule                                                                                                                                                                                             
firewall.@rule[0].name='Allow-DHCP-Renew'                                                                                                                                                                          
firewall.@rule[0].src='wan'                                                                                                                                                                                        
firewall.@rule[0].proto='udp'                                                                                                                                                                                      
firewall.@rule[0].dest_port='68'                                                                                                                                                                                   
firewall.@rule[0].target='ACCEPT'                                                                                                                                                                                  
firewall.@rule[0].family='ipv4'                                                                                                                                                                                    
firewall.@rule[1]=rule                                                                                                                                                                                             
firewall.@rule[1].name='Allow-Ping'                                                                                                                                                                                
firewall.@rule[1].src='wan'                                                                                                                                                                                        
firewall.@rule[1].proto='icmp'                                                                                                                                                                                     
firewall.@rule[1].icmp_type='echo-request'                                                                                                                                                                         
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'                                                                                                                                                                           
firewall.@rule[7].src='wan'                                                                                                                                                                                        
firewall.@rule[7].dest='lan'                                                                                                                                                                                       
firewall.@rule[7].proto='esp'                                                                                                                                                                                      
firewall.@rule[7].target='ACCEPT'                                                                                                                                                                                  
firewall.@rule[8]=rule                                                                                                                                                                                             
firewall.@rule[8].name='Allow-ISAKMP'                                                                                                                                                                              
firewall.@rule[8].src='wan'                                                                                                                                                                                        
firewall.@rule[8].dest='lan'                                                                                                                                                                                       
firewall.@rule[8].dest_port='500'                                                                                                                                                                                  
firewall.@rule[8].proto='udp'                                                                                                                                                                                      
firewall.@rule[8].target='ACCEPT'                                                                                                                                                                                  
firewall.@include[0]=include                                                                                                                                                                                       
firewall.@include[0].path='/etc/firewall.user'                                                                                                                                                                     
firewall.@include[0].reload='1'                                                                                                                                                                                    
firewall.guestzone=zone                                                                                                                                                                                            
firewall.guestzone.name='guestzone'
firewall.guestzone.network='guest'
firewall.guestzone.forward='REJECT'
firewall.guestzone.output='ACCEPT'
firewall.guestzone.input='REJECT'
firewall.guestzone_fwd=forwarding
firewall.guestzone_fwd.src='guestzone'
firewall.guestzone_fwd.dest='wan'
firewall.guestzone_dhcp=rule
firewall.guestzone_dhcp.name='guestzone_DHCP'
firewall.guestzone_dhcp.src='guestzone'
firewall.guestzone_dhcp.target='ACCEPT'
firewall.guestzone_dhcp.proto='udp'
firewall.guestzone_dhcp.dest_port='67-68'
firewall.guestzone_dns=rule
firewall.guestzone_dns.name='guestzone_DNS'
firewall.guestzone_dns.src='guestzone'
firewall.guestzone_dns.target='ACCEPT'
firewall.guestzone_dns.proto='tcp udp'
firewall.guestzone_dns.dest_port='53'
firewall.glfw=include
firewall.glfw.type='script'
firewall.glfw.path='/usr/bin/glfw.sh'
firewall.glfw.reload='1'
firewall.glqos=include
firewall.glqos.type='script'
firewall.glqos.path='/usr/sbin/glqos.sh'
firewall.glqos.reload='1'
firewall.mwan3=include
firewall.mwan3.type='script'
firewall.mwan3.path='/var/etc/mwan3.include'
firewall.mwan3.reload='1'
firewall.glservice_rule=rule
firewall.glservice_rule.name='glservice'
firewall.glservice_rule.dest_port='83'
firewall.glservice_rule.proto='tcp udp'
firewall.glservice_rule.src='wan'
firewall.glservice_rule.target='ACCEPT'
firewall.glservice_rule.enabled='0'
firewall.vpn=rule
firewall.vpn.name='Allow-OpenVPN'
firewall.vpn.src='lan'
firewall.vpn.dest_port='1194'
firewall.vpn.proto='tcp'
firewall.vpn.target='ACCEPT'
firewall.vpn.dest='lan'
firewall.@zone[3]=zone
firewall.@zone[3].input='ACCEPT'
firewall.@zone[3].output='ACCEPT'
firewall.@zone[3].name='vpn'
firewall.@zone[3].forward='ACCEPT'
firewall.@zone[3].device='tun0'
firewall.@zone[3].network='vpn0'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].src='vpn'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].proto='tcp udp'
firewall.@redirect[0].src_dport='23'
firewall.@redirect[0].dest_ip='192.168.1.22'
firewall.@redirect[0].dest_port='22'
firewall.@redirect[0].name='vpn_sshtest'
firewall.@redirect[0].reflection='0'
firewall.@redirect[0].enabled='0'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[1].src='lan'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].dest='vpn'
firewall.@forwarding[2].src='lan'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].dest='vpn'
firewall.@forwarding[3].src='wan'
firewall.@forwarding[4]=forwarding
firewall.@forwarding[4].dest='lan'
firewall.@forwarding[4].src='vpn'
firewall.@forwarding[5]=forwarding
firewall.@forwarding[5].dest='wan'
firewall.@forwarding[5].src='vpn'
root@GL-AR300M:~#

root@GL-AR300M:~# iptables-save                                                                                                                                                                                    
# Generated by iptables-save v1.6.2 on Thu Apr 11 20:46:17 2019                                                                                                                                                    
*nat                                                                                                                                                                                                               
:PREROUTING ACCEPT [1818:217665]                                                                                                                                                                                   
:INPUT ACCEPT [55:7625]                                                                                                                                                                                            
:OUTPUT ACCEPT [376:32078]
:POSTROUTING ACCEPT [1497:104620]
:GL_SPEC_DMZ - [0:0]
:GL_SPEC_FORWARDING - [0:0]
:postrouting_guestzone_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpn_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_guestzone_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpn_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_guestzone_postrouting - [0:0]
:zone_guestzone_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpn_postrouting - [0:0]
:zone_vpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -j GL_SPEC_DMZ
-A PREROUTING -j GL_SPEC_FORWARDING
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i br-guest -m comment --comment "!fw3" -j zone_guestzone_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpn_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o br-guest -m comment --comment "!fw3" -j zone_guestzone_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpn_postrouting
-A zone_guestzone_postrouting -m comment --comment "!fw3: Custom guestzone postrouting rule chain" -j postrouting_guestzone_rule
-A zone_guestzone_prerouting -m comment --comment "!fw3: Custom guestzone prerouting rule chain" -j prerouting_guestzone_rule
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_vpn_postrouting -m comment --comment "!fw3: Custom vpn postrouting rule chain" -j postrouting_vpn_rule
-A zone_vpn_prerouting -m comment --comment "!fw3: Custom vpn prerouting rule chain" -j prerouting_vpn_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Thu Apr 11 20:46:17 2019
# Generated by iptables-save v1.6.2 on Thu Apr 11 20:46:17 2019
*mangle
:PREROUTING ACCEPT [3066:466570]
:INPUT ACCEPT [1176:234025]
:FORWARD ACCEPT [1244:94585]
:OUTPUT ACCEPT [1094:176413]
:POSTROUTING ACCEPT [2347:275508]
-A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Apr 11 20:46:17 2019
# Generated by iptables-save v1.6.2 on Thu Apr 11 20:46:17 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:GL_SPEC_OPENING - [0:0]
:forwarding_guestzone_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpn_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_guestzone_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpn_rule - [0:0]
:input_wan_rule - [0:0]
:output_guestzone_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpn_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guestzone_dest_ACCEPT - [0:0]
:zone_guestzone_dest_REJECT - [0:0]
:zone_guestzone_forward - [0:0]
:zone_guestzone_input - [0:0]
:zone_guestzone_output - [0:0]
:zone_guestzone_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpn_dest_ACCEPT - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
:zone_vpn_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -j GL_SPEC_OPENING
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i br-guest -m comment --comment "!fw3" -j zone_guestzone_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i br-guest -m comment --comment "!fw3" -j zone_guestzone_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o br-guest -m comment --comment "!fw3" -j zone_guestzone_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpn_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_guestzone_dest_ACCEPT -o br-guest -m comment --comment "!fw3" -j ACCEPT
-A zone_guestzone_dest_REJECT -o br-guest -m comment --comment "!fw3" -j reject
-A zone_guestzone_forward -m comment --comment "!fw3: Custom guestzone forwarding rule chain" -j forwarding_guestzone_rule
-A zone_guestzone_forward -m comment --comment "!fw3: Zone guestzone to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_guestzone_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_guestzone_forward -m comment --comment "!fw3" -j zone_guestzone_dest_REJECT
-A zone_guestzone_input -m comment --comment "!fw3: Custom guestzone input rule chain" -j input_guestzone_rule
-A zone_guestzone_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: guestzone_DHCP" -j ACCEPT
-A zone_guestzone_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: guestzone_DNS" -j ACCEPT
-A zone_guestzone_input -p udp -m udp --dport 53 -m comment --comment "!fw3: guestzone_DNS" -j ACCEPT
-A zone_guestzone_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_guestzone_input -m comment --comment "!fw3" -j zone_guestzone_src_REJECT
-A zone_guestzone_output -m comment --comment "!fw3: Custom guestzone output rule chain" -j output_guestzone_rule
-A zone_guestzone_output -m comment --comment "!fw3" -j zone_guestzone_dest_ACCEPT
-A zone_guestzone_src_REJECT -i br-guest -m comment --comment "!fw3" -j reject
-A zone_lan_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN" -j zone_lan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to vpn forwarding policy" -j zone_vpn_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3: Custom vpn forwarding rule chain" -j forwarding_vpn_rule
-A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_input -m comment --comment "!fw3: Custom vpn input rule chain" -j input_vpn_rule
-A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
-A zone_vpn_output -m comment --comment "!fw3: Custom vpn output rule chain" -j output_vpn_rule
-A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth0 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: Zone wan to vpn forwarding policy" -j zone_vpn_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Thu Apr 11 20:46:17 2019
root@GL-AR300M:~#

  • Are you sure it allows access from the outside of local subnet?
  • Are you sure it is routable to VPN-network?

If not, then add a SNAT-rule on the VPN-server.
And in your current configuration, firewall zone vpn is redundant, as well as the forwardings to/from it.
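The "zone vpn is redundant" remark can be checked mechanically against the `iptables-save` dump above: fw3 dispatches each interface from INPUT and FORWARD into `zone_<name>_input` / `zone_<name>_forward` chains in zone order, so an interface listed under two zones (here `tun0` under both `lan` and `vpn`) only ever reaches the first zone's chain and the second zone is dead configuration. The script below is an added example, not code from the thread or from OpenWrt; it parses a constructed excerpt of the dump (the `SAMPLE_DUMP` lines are modelled on the rules shown above) and can be fed a full `iptables-save` output instead.

```python
"""Added example: find interfaces that fw3 has placed in more than one
firewall zone, by reading an iptables-save dump.

Only the first zone_<name>_input / zone_<name>_forward chain an interface is
dispatched to ever sees its packets; any later zone is unreachable.
"""
import re
from collections import OrderedDict

# Constructed sample, modelled on the dump in the thread: tun0 sits in both
# the 'lan' and the 'vpn' zone, every other interface in exactly one.
SAMPLE_DUMP = """\
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i br-guest -m comment --comment "!fw3" -j zone_guestzone_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_input
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_forward
"""

# Matches fw3's per-interface dispatch rules:
#   -A INPUT   -i <iface> ... -j zone_<zone>_input
#   -A FORWARD -i <iface> ... -j zone_<zone>_forward
DISPATCH = re.compile(
    r"^-A (?P<chain>INPUT|FORWARD) -i (?P<iface>\S+) .*"
    r"-j zone_(?P<zone>\S+)_(?P<kind>input|forward)$"
)


def zones_by_interface(dump: str, chain: str = "INPUT") -> dict:
    """Map each interface to the ordered list of zones it is dispatched to in `chain`.

    Order matters: it is the order in which iptables evaluates the rules, so the
    first zone in each list is the only one that is actually effective.
    """
    zones = OrderedDict()
    for line in dump.splitlines():
        m = DISPATCH.match(line.strip())  # strip: dumps often carry trailing spaces
        if not m or m.group("chain") != chain:
            continue
        lst = zones.setdefault(m.group("iface"), [])
        if m.group("zone") not in lst:
            lst.append(m.group("zone"))
    return dict(zones)


def multi_zone_interfaces(dump: str, chain: str = "INPUT") -> dict:
    """Interfaces that appear in more than one zone; only zones[0] is effective."""
    return {i: z for i, z in zones_by_interface(dump, chain).items() if len(z) > 1}


if __name__ == "__main__":
    for iface, zones in multi_zone_interfaces(SAMPLE_DUMP).items():
        print(f"{iface}: handled by zone '{zones[0]}'; zone(s) {zones[1:]} "
              f"never see its traffic")
```

Run against the real dump with `iptables-save | python3 this_script.py`-style piping by replacing `SAMPLE_DUMP` with `sys.stdin.read()`; an empty result means every interface belongs to exactly one zone. When `tun0` is reported under `lan` first, the whole `vpn` zone, including the `vpn -> lan` and `wan -> vpn` forwardings in the dump, is never consulted, which is exactly why the reply calls it redundant.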

Can you provide a bit more insight into the following from your first post:

RPi (client) --> WAN --> GL-AR300M (OpenWRT and OpenVPN) --> Routing to my HomeNetwork.

The way I am reading this is:

  • The GL-AR300M is your main router, the WAN port of this device is connected to the internet (publicly routable IP address on the WAN)
  • The GL-AR300M runs OpenWrt and has OpenVPN installed (server config)
  • The devices on the LAN are connected to the GL-AR300M LAN ports.
  • The RPi is an OpenVPN client that is in a remote location and it connects back to your network via the internet using OpenVPN as the VPN.

Is this correct? Are there any other devices or routers in the setup (especially on your server side)?

  • Also, are you sure this JetDirect card accepts a Gateway address?

Some consumer-grade ones likely do not.

Also:

  • Can you confirm that you don't have a conflicting IP scheme between your local network, the VPN network, and the remote client network? (e.g. 192.168.1.0/24 exists in two or more places)
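The conflicting-subnet question above is worth answering with a check rather than by eye, because a remote site that reuses 192.168.1.0/24 will silently swallow packets for the home LAN on the client's local interface before they ever enter the tunnel. The script below is an added example, not from the thread or any poster: it takes the named prefixes from the thread (home LAN 192.168.1.0/24, VPN tunnel 192.168.2.0/24) and a constructed, assumed value for the RPi's local network, which the thread never states, and reports every overlapping pair.

```python
"""Added example: detect overlapping prefixes between the home LAN, the VPN
transfer network and the remote client's LAN.

Prefixes for 'home_lan' and 'vpn' are taken from addresses in the thread; the
'remote_lan' values are constructed assumptions, since the thread does not say
what network the RPi sits on at the remote site.
"""
from ipaddress import ip_network
from itertools import combinations


def find_overlaps(networks: dict) -> list:
    """Return sorted (name_a, name_b) pairs whose prefixes overlap.

    `networks` maps a label to a CIDR string. strict=False accepts a host
    address with a prefix length (e.g. 192.168.1.2/24) and normalises it to
    the network address, which is how addresses usually appear in ifconfig
    or `ip addr` output.
    """
    parsed = {name: ip_network(cidr, strict=False) for name, cidr in networks.items()}
    return sorted(
        (a, b)
        for a, b in combinations(sorted(parsed), 2)
        if parsed[a].overlaps(parsed[b])
    )


# Constructed layouts: a clean one, and one where the remote site reuses the
# home LAN prefix (the situation the reply warns about).
CLEAN = {
    "home_lan": "192.168.1.0/24",
    "vpn": "192.168.2.0/24",
    "remote_lan": "10.0.0.0/24",      # assumed remote prefix
}
CLASH = {
    "home_lan": "192.168.1.0/24",
    "vpn": "192.168.2.0/24",
    "remote_lan": "192.168.1.0/24",   # assumed: remote site reuses the home prefix
}


if __name__ == "__main__":
    for label, nets in (("clean", CLEAN), ("clash", CLASH)):
        hits = find_overlaps(nets)
        print(f"{label}: {hits if hits else 'no overlap'}")
```

Any pair the function returns has to be renumbered on one side, or the client will need a more specific route than its directly connected prefix; no amount of firewall or SNAT work on the server fixes a clash the client never forwards into the tunnel.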