Ocserv cannot reach local network

Hi,

I was able to connect with OpenConnect; however, the client cannot reach any machine on the local network.
The router is reachable and the internet works fine (the gateway is not passing through the router). DHCP works fine for the client, and the route to the LAN has been pushed. Any ideas?

ocserv.config

# ocserv daemon configuration as posted; review comments added.
# Users authenticate against PAM, i.e. the router's system accounts.
auth = "pam"
banner = "Welcome to network"
# At most two concurrent VPN sessions.
max-clients = 2
rate-limit-ms = 10
# Listener ports; these match the firewall rule 'oc' that opens 4443 tcp/udp from wan.
tcp-port = 4443
udp-port = 4443
server-stats-reset-time = 604800
# Keepalive and dead-peer-detection intervals, in seconds.
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = true
# Server certificate, private key and issuing CA for the TLS listener.
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
ca-cert = /etc/ocserv/ca.pem
# OIDs used to map client certificates to user/group names; they are only consulted
# for certificate-based authentication, which auth = "pam" above does not use.
cert-user-oid = 0.9.2342.19200300.100.1.1
cert-group-oid = 2.5.4.11
# GnuTLS priority string: SSL 3.0 and plain-RSA key exchange are explicitly disabled,
# %COMPAT enables client-compatibility workarounds.
# NOTE(review): TLS 1.0/1.1 are not excluded here; whether NORMAL still offers them
# depends on the GnuTLS build — confirm, and add -VERS-TLS1.0:-VERS-TLS1.1 if it does.
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-RSA"
auth-timeout = 120
min-reauth-time = 360
# Failed-attempt scoring: a client whose score exceeds the maximum is banned, and the
# score is reset after ban-reset-time seconds.
max-ban-score = 80
ban-reset-time = 1200
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-utmp = false
pid-file = /var/run/ocserv.pid
# Privilege separation: workers run chrooted and as the unprivileged ocserv user/group.
chroot-dir = /var/lib/ocserv
socket-file = ocserv-socket
run-as-user = ocserv
run-as-group = ocserv
# Tunnel interfaces are named vpns0, vpns1, ...; the firewall matches them with the
# 'vpns+' device wildcard and the network config binds interface 'vpns' to vpns0.
device = vpns
# Each user receives the same address across sessions.
predictable-ips = true
# Address pool handed to VPN clients.
# NOTE(review): 192.168.120.0/24 is also the router's LAN subnet (interface 'lan' is
# 192.168.120.1/24). A VPN pool that overlaps the LAN cannot be routed to it — this is
# the cause of the reported problem; use a distinct private range for the pool.
ipv4-network = 192.168.120.0
ipv4-netmask = 255.255.255.0
# Resolver pushed to clients: the router's LAN address.
dns = 192.168.120.1
# Clients send all DNS queries through the tunnel.
tunnel-all-dns = true
# Enables Cisco AnyConnect client compatibility.
cisco-client-compat = true

firewall


# OpenWrt firewall: defaults, zones and inter-zone forwarding.
# Traffic between zones is rejected unless a forwarding or rule stanza allows it.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'REJECT'
	option flow_offloading '1'

# The lan zone covers the wired LAN, the WireGuard interface and every ocserv tunnel
# device ('vpns+' is a wildcard for vpns0, vpns1, ...). Forwarding is ACCEPT inside
# the zone, so VPN clients are not firewalled from the LAN; the reported problem lies
# elsewhere (the VPN pool overlaps the LAN subnet, see the network config).
# NOTE(review): no interface named 'wg' appears in the network config posted; the
# 'wg' entry may be stale.
config zone 'lan'
	option name 'lan'
	list device 'vpns+'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vpns'
	list network 'wg'
	list network 'wg0'

# Untrusted side: inbound and forwarded traffic rejected by default, outbound NATed.
config zone 'wan'
	option name 'wan'
	option output 'ACCEPT'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'

# Only lan -> wan forwarding is permitted; anything else needs an explicit rule.
config forwarding
	option src 'lan'
	option dest 'wan'

# Stock OpenWrt inbound rules for the wan zone (DHCP renew, ping, IGMP, IPv6 housekeeping).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 types needed for path MTU discovery and neighbour discovery, rate limited.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Stock IPsec passthrough rules (wan -> lan); not used by ocserv or WireGuard.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# WireGuard listener (port redacted by the poster).
config rule
	option name 'Allow Wireguard'
	list proto 'udp'
	option src 'wan'
	option dest_port '*****'
	option target 'ACCEPT'

# ocserv listener: tcp and udp 4443 from wan, matching tcp-port/udp-port in ocserv.conf.
config rule 'oc'
	option src 'wan'
	option dest_port '4443'
	option proto 'tcp udp'
	option target 'ACCEPT'
	option name 'Allow OpenConnect'

# Catch-all DNS block; currently disabled (enabled '0'), so it has no effect.
config rule
	option name 'Block DNS'
	option src '*'
	option dest_port '53'
	option target 'DROP'
	option dest '*'
	option enabled '0'

# miniupnpd injects its own rules (UPnP/NAT-PMP port forwards) through this script.
# NOTE(review): VPN clients sit in the lan zone; whether they can request forwards
# depends on the interfaces miniupnpd listens on — confirm in its own config.
config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'


network


# OpenWrt network configuration as posted; review comments added.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7e:ca7e:f583::/48'

# Wired LAN ports bridged into br-lan.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# LAN is 192.168.120.1/24.
# NOTE(review): this is the same /24 that ocserv hands to VPN clients
# (ipv4-network 192.168.120.0 / 255.255.255.0), so VPN clients and LAN hosts
# share a subnet and LAN traffic is not routed through the tunnel. The VPN
# pool must be a different, non-overlapping range.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.120.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option proto '6to4'

# WireGuard interface; key, port and addresses redacted by the poster.
config interface 'wg0'
	option proto 'wireguard'
	option private_key '*****'
	option listen_port '****'
	list addresses '****'

config wireguard_wg0
	list allowed_ips '*****'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option description '****'
	option public_key '****'

# Binds the first ocserv tunnel device (vpns0) to a named interface so it can be
# referenced by the firewall. Further tunnels (vpns1, ...) are not bound here;
# the firewall covers them through the 'vpns+' device wildcard in the lan zone.
config interface 'vpns'
	option proto 'none'
	option device 'vpns0'


There's no firewall on the LAN side unless you specifically configured one.

The VPN subnet (192.168.120.0/24) must not be the same as your LAN subnet or any of your other networks.


Just changed to another network and it worked. Thank you!
