I keep trying without success; I have read the OpenConnect section, the vpn-policy-routing documentation and the forum.
What I want is for a single laptop to be the only device that uses the OpenConnect tunnel.
OpenConnect works and I created a firewall zone for it too, but I cannot get this exclusivity.
Either the VPN is used by my laptop and by every other device as well, or by none of them.
So I am wondering what I am missing?
Could you help me?
Network
# OpenConnect client interface as first posted (values replaced with placeholders).
config interface 'vpnc'
option proto 'openconnect'
option username <user.lastname>
option usergroup <my group>
option server <vpn host>
# auto '0' (interface is not started automatically).
option auto '0'
# NOTE(review): the VPN password is stored in cleartext in /etc/config/network
# and is printed by `uci export network`; redact it before sharing output.
option password <password>
# defaultroute '0': the router's default route stays on WAN; only the
# per-prefix routes (presumably pushed by the VPN server) use the tunnel.
option defaultroute '0'
Please use the "Preformatted text </>" button for logs, scripts, configs and general console output.
Please copy the output of the following commands and post it here using the "Preformatted text </> " button.
Remember to redact passwords, MAC addresses and any public IP addresses you may have; VPN usernames/usergroups, the VPN server name and internal search domains identify you and your employer just as well, so redact those too.
ubus call system board; \
uci export network; uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; uci export vpn-policy-routing; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
Thanks for the help, I will do what you mentioned.
this is the output:
ubus call system board; \
> uci export network; uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; uci export vpn-policy-routing; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
{
"kernel": "4.14.195",
"hostname": "OpenWrt",
"system": "ARMv7 Processor rev 1 (v7l)",
"model": "Linksys WRT3200ACM",
"board_name": "linksys,rango",
"release": {
"distribution": "OpenWrt",
"version": "19.07.4",
"revision": "r11208-ce6496d796",
"target": "mvebu/cortexa9",
"description": "OpenWrt 19.07.4 r11208-ce6496d796"
}
}
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd0c:2e7b:96b1::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
# Public resolvers declared on lan; later advice in this thread moves them to
# wan, the interface through which they are actually reachable.
list dns '8.8.8.8'
list dns '8.8.4.4'
list dns '1.1.1.1'
config interface 'wan'
option ifname 'eth1.2'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth1.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 5t'
option vid '1'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6t'
option vid '2'
# OpenConnect client. NOTE(review): username and usergroup were left in the
# paste; together with the VPN search domain further down they identify the
# employer, so treat them like the password when sharing exports.
config interface 'vpnc'
option proto 'openconnect'
option username 'sinuhe.tellez'
option usergroup 'anyconnect'
option server REDACTED
# auto '0' (interface is not started automatically).
option auto '0'
# defaultroute '0': default route stays on WAN; only per-prefix routes are
# installed on the tunnel (see the 'ip -4 ro' output below: prefixes on
# vpn-vpnc, default via eth1.2).
option defaultroute '0'
# Stored in cleartext in /etc/config/network and printed by 'uci export'.
option password REDACTED
package dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
# Upstream servers come from this file; in the output below it lists the two
# VPN-pushed resolvers (10.3.10.x) next to the lan and wan ones, so queries
# from any LAN host may be sent into the tunnel.
option resolvfile '/tmp/resolv.conf.auto'
option localservice '1'
# NOTE(review): rebind_protection '0' disables dnsmasq's DNS-rebinding filter
# for every upstream. If it was turned off because the VPN resolvers answer
# with private (10.x) addresses, prefer keeping it on and allowing only the
# VPN's domain with `list rebind_domain '<vpn domain>'`.
option rebind_protection '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# Static leases. NOTE(review): these expose device MAC addresses; redact them
# when posting configs, as the thread asks. 'ix' (.209) is the laptop the
# policy below targets.
config host
option mac 'B8:27:EB:A5:9D:54'
option leasetime 'infinite'
option dns '1'
option name 'azul'
option ip '192.168.1.169'
config host
option mac '74:EE:2A:54:FF:C4'
option leasetime 'infinite'
option dns '1'
option name 'impresora'
option ip '192.168.1.167'
config host
option mac 'D4:6D:6D:A1:56:3A'
option leasetime 'infinite'
option dns '1'
option name 'ix'
option ip '192.168.1.209'
config host
option mac 'DC:A6:32:BA:EF:E2'
option leasetime 'infinite'
option dns '1'
option name 'trantor'
option ip '192.168.1.151'
package firewall
# Global policy: INPUT/OUTPUT accept, FORWARD reject. Zones override these per
# interface group; inter-zone traffic with no matching forwarding or rule
# falls back to this FORWARD=REJECT.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
# WAN zone: nothing inbound except the explicit rules below; NAT on egress.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# NOTE(review): the next two rules forward ESP and IKE (UDP 500) from WAN into
# the LAN zone. They look like stock defaults; nothing in this config shows a
# LAN host terminating IPsec, so they can be dropped if none does.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
# VPN zone: the tunnel side cannot reach the router (input REJECT) and LAN
# sources are NATed behind the tunnel address (masq '1'; the tunnel gets a /32).
config zone
option name 'vpnc'
option output 'ACCEPT'
option input 'REJECT'
option network 'vpnc'
option mtu_fix '1'
option forward 'REJECT'
option masq '1'
# This forwarding lets EVERY lan host be forwarded into vpnc. Because the VPN
# prefixes sit in the main routing table, all LAN devices reach them through
# the tunnel -- the "all devices" symptom. To limit the tunnel to one host,
# replace this with a rule carrying src_ip for that host (see later reply).
config forwarding
option dest 'vpnc'
option src 'lan'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
package vpn-policy-routing
# Policy: traffic from 192.168.1.209 is marked for the 'vpnc' interface. With
# chain 'FORWARD' only forwarded packets are matched, not router-originated
# ones. Later advice in this thread: write the address as a /32.
config policy
option src_addr '192.168.1.209'
option interface 'vpnc'
option chain 'FORWARD'
option name 'dubyte'
option proto 'all'
config vpn-policy-routing 'config'
option verbosity '2'
option src_ipset '0'
option ipv6_enabled '0'
list ignored_interface 'vpnserver wgserver'
option boot_timeout '30'
option iptables_rule_option 'append'
option iprule_enabled '0'
option webui_sorting '1'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list webui_supported_protocol 'all'
option webui_enable_column '1'
option dest_ipset 'dnsmasq.ipset'
list supported_interface 'vpnc'
option webui_protocol_column '1'
option webui_chain_column '1'
option strict_enforcement '0'
# enabled '0': the whole service is off, so the policy above has no effect and
# no fwmark ip rule is installed (the 'ip -4 ru' output below shows only the
# three default rules). Nothing is policy-routed until this is '1'.
option enabled '0'
config include
option path '/etc/vpn-policy-routing.netflix.user'
option enabled '0'
config include
option path '/etc/vpn-policy-routing.aws.user'
option enabled '0'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
10: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 23.91.240.253/27 brd 23.91.240.255 scope global eth1.2
valid_lft forever preferred_lft forever
14: vpn-vpnc: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1250 qdisc fq_codel state UNKNOWN group default qlen 500
inet 10.3.60.101/32 brd 255.255.255.255 scope global vpn-vpnc
valid_lft forever preferred_lft forever
default via 23.91.240.225 dev eth1.2 proto static src 23.91.240.253
8.36.162.210 dev vpn-vpnc proto static scope link
10.3.0.0/16 dev vpn-vpnc proto static scope link
10.4.0.0/14 dev vpn-vpnc proto static scope link
10.30.0.0/16 dev vpn-vpnc proto static scope link
10.74.0.0/16 dev vpn-vpnc proto static scope link
10.96.0.0/16 dev vpn-vpnc proto static scope link
10.100.0.0/19 dev vpn-vpnc proto static scope link
10.100.32.0/19 dev vpn-vpnc proto static scope link
10.100.127.0/24 dev vpn-vpnc proto static scope link
10.100.128.0/19 dev vpn-vpnc proto static scope link
10.100.160.0/19 dev vpn-vpnc proto static scope link
10.100.255.0/24 dev vpn-vpnc proto static scope link
10.199.0.0/16 dev vpn-vpnc proto static scope link
10.200.0.0/22 dev vpn-vpnc proto static scope link
10.201.0.0/24 dev vpn-vpnc proto static scope link
10.255.192.0/19 dev vpn-vpnc proto static scope link
10.255.252.0/22 dev vpn-vpnc proto static scope link
23.91.240.224/27 dev eth1.2 proto kernel scope link src 23.91.240.253
34.224.164.110 dev vpn-vpnc proto static scope link
192.139.80.13 dev vpn-vpnc proto static scope link
192.139.80.20 via 23.91.240.225 dev eth1.2 proto static
192.139.80.43 dev vpn-vpnc proto static scope link
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
local 10.3.60.101 dev vpn-vpnc table local proto kernel scope host src 10.3.60.101
broadcast 23.91.240.224 dev eth1.2 table local proto kernel scope link src 23.91.240.253
local 23.91.240.253 dev eth1.2 table local proto kernel scope host src 23.91.240.253
broadcast 23.91.240.255 dev eth1.2 table local proto kernel scope link src 23.91.240.253
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
lrwxrwxrwx 1 root root 16 Sep 6 16:19 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r-- 1 root root 32 Oct 7 17:44 /tmp/resolv.conf
-rw-r--r-- 1 root root 226 Oct 7 17:40 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
==> /tmp/resolv.conf.auto <==
# Interface vpnc
nameserver 10.3.10.41
nameserver 10.3.10.42
search indexexchange.com
# Interface lan
nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 1.1.1.1
# Interface wan
nameserver 209.197.128.2
nameserver 209.197.128.5
Remove these nameservers from the lan interface and add them under wan instead. Nameservers should be declared under the interface where they are reachable from. Note also that dnsmasq reads /tmp/resolv.conf.auto, which lists the two resolvers pushed by the VPN alongside the lan and wan ones, so queries from any LAN host — not only the laptop — may be resolved through the tunnel.
list dns '8.8.8.8'
list dns '8.8.4.4'
list dns '1.1.1.1'
In the policy add /32 after the .209 address and restart vpn-policy-routing.
If it still doesn't work post also the iptables-save -c
I don't see anything unusual here. [14843:2086088] -A VPR_FORWARD -s 192.168.1.209/32 -m comment --comment dubyte -j MARK --set-xmark 0x20000/0xff0000
The designated host has its packets marked so that they use the VPN connection. Everything else falls through to the main routing table — which, note, already contains many prefixes routed via the VPN, so every LAN host reaches those prefixes through the tunnel.
Which host is having the issue? Which address is it trying to reach?
If you want only that one LAN address to have access to the VPN, delete the lan→vpnc forwarding and add a rule like the following instead. Note that this is a firewall restriction, not a routing change: other hosts' packets for the VPN prefixes will still be routed into the tunnel and then rejected, not sent out via WAN.
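# Allows only 192.168.1.209 to be forwarded from lan into the vpnc zone.
# Use together with removing the lan -> vpnc forwarding: the vpnc zone's
# forward policy and the global default are REJECT, so every other LAN host
# is then denied. The closing quote on the proto line was missing.
config rule
option src 'lan'
option name 'Allow host to vpn'
list src_ip '192.168.1.209'
option family 'ipv4'
option target 'ACCEPT'
option dest 'vpnc'
list proto 'all'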
I am not sure what is your use case, as you didn't mention earlier when I asked you the destination address.
VPR will use an alternative routing table for the specified host, which may have a different default gateway. If the service is disabled (option enabled is '0', as in the config you posted) it won't affect routing at all.
Thanks @trendy, I think you resolved my use case. The only thing is that it would be nice to use vpn-policy-routing; would it be hard to use VPR instead of the firewall rules?
I think you are missing the function of each component. In a nutshell
Firewall rules will allow or deny traffic
Regular routing makes its decision based on the destination address, using the main routing table.
Policy-based routing takes the source address (or a firewall mark) into consideration and can make the decision using an alternative routing table with its own default gateway.
Therefore you cannot do with the firewall the things that PBR does: the firewall can only allow or deny the traffic once routing has already chosen the interface.