Hello there. I am running openconnect VPN client on an r2s (within a restricted firewall) to connect to a remote server, which runs ocserv that forwards packets to Internet.
openconnect can connect to the remote server successfully. And I double-checked that all traffic is going through the tunnel. However, the traffic can only reach the remote server, not further.
On the remote server, I have set up NAT function like this: sudo iptables -t nat -A POSTROUTING -o eth0 -s 192.168.70.0/24 -j MASQUERADE (70.0 is the network set up by ocserv, and eth0 is the NIC going to the Internet). This NAT setup works well with the Cisco Anyconnect 4.10.01084 iOS version. My iPhone can connect to the ocserv and reach the Internet just fine.
I would really appreciate it if someone could provide some help.
One interesting observation is that sometimes the r2s router did manage to get a few packets out (especially after a fresh reboot). For example, I pinged www.google.com and received a response, and my browser could access www.google.com. But after a while, it stopped working. And traceroute never worked. It stopped at the gateway of the ocserv (192.168.70.1 in this case).
From the client, I can always ping 192.168.70.1 and receive response properly.
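Before chasing client-side causes, it helps to confirm the two server-side pieces the post relies on: IPv4 forwarding is on, and the nat POSTROUTING chain has a MASQUERADE rule covering the ocserv subnet on the WAN interface. The script below is an added example, not from the thread or from ocserv; the subnet and interface names come from the post, and the iptables-save sample is constructed so the parsing can be exercised without a live box.

```python
import subprocess

VPN_SUBNET = "192.168.70.0/24"   # subnet handed out by ocserv (from the post)
WAN_IF = "eth0"                  # interface facing the Internet (from the post)

# Constructed sample of `iptables-save -t nat` output mirroring the rule in the post.
SAMPLE_NAT_OK = """*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.70.0/24 -o eth0 -j MASQUERADE
COMMIT
"""

def has_masquerade(nat_save: str, subnet: str, wan_if: str) -> bool:
    """True if a POSTROUTING MASQUERADE rule covers `subnet` on `wan_if`
    (a rule with no -o restriction also counts, since it applies to every interface)."""
    for line in nat_save.splitlines():
        if not line.startswith("-A POSTROUTING"):
            continue
        opts = line.split()
        if "MASQUERADE" not in opts:
            continue
        src = opts[opts.index("-s") + 1] if "-s" in opts else None
        out = opts[opts.index("-o") + 1] if "-o" in opts else None
        if src == subnet and out in (wan_if, None):
            return True
    return False

def forwarding_enabled(ip_forward_text: str) -> bool:
    """Interpret the contents of /proc/sys/net/ipv4/ip_forward."""
    return ip_forward_text.strip() == "1"

def diagnose(nat_save: str, ip_forward_text: str) -> list:
    """Return human-readable findings; an empty list means both basics are in place."""
    findings = []
    if not forwarding_enabled(ip_forward_text):
        findings.append("net.ipv4.ip_forward is 0: tunnel packets will not be forwarded")
    if not has_masquerade(nat_save, VPN_SUBNET, WAN_IF):
        findings.append(f"no MASQUERADE rule for {VPN_SUBNET} on {WAN_IF} in nat POSTROUTING")
    return findings

if __name__ == "__main__":
    # Live check on the ocserv host (needs root to read the nat table).
    nat = subprocess.run(["iptables-save", "-t", "nat"], capture_output=True, text=True).stdout
    with open("/proc/sys/net/ipv4/ip_forward") as f:
        fwd = f.read()
    print("\n".join(diagnose(nat, fwd)) or "forwarding and NAT look correct")
```

If both checks pass and clients still stop at 192.168.70.1, the problem is elsewhere (firewall on the client router, MTU, or name resolution), which is where this thread ended up.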
@vgaetera, thanks for the tips. I will give it a try later.
I did open the corresponding UDP/TCP port on the server side and decreased the MTU to 1200 on the ocserv. I will see if OpenWrt also imposes some firewall constraint on the r2s.
It took me a while to figure it out. It was due to DNS pollution. When I pinged from the client, the DNS returned the wrong IP address. I fixed the issue by setting the DNS server to 8.8.8.8.