Hi,
My apologies in advance, as I know this topic has been brought up a few times. I've searched both these forums and Google and tried various tips/suggestions, but I've reached the point where I'm losing track of what my issue might be.
In short, I'm trying to:
- Use iOS OpenVPN client to connect from outside (LTE, not Wifi - so no IP clashing issues), to Openwrt. This works. I connect fine.
- Browse to router's Luci interface. This works.
- Browse to any other internal service (e.g. Unraid's web UI). This doesn't work with OpenWrt. There are no internal firewalls at play. It works with the same keys using Tomato (different router), so my problem has to be my OpenWrt configuration.
My setup:
- Running a snapshot from a couple of days back, so a recent snapshot. It is however a Kernel 5.15 build by Robimarko, as the router is a Xiaomi AX3600.
- Following the instructions, I have created an unmanaged interface for the VPN. I have tried both putting this interface directly in the LAN zone and (currently) in its own VPN zone, with a zone forwarding for vpn->LAN.
- I have turned off masquerading, as a number of posts said it is not needed.
- I have tried both ccd as well as without ccd
- IPv6 is off across the board.
- As mentioned above, the internal hosts I'm trying to reach don't have firewalls. And the same client setup, but against a Tomato firmware OpenVPN server, results in working iOS->LAN host connectivity.
Any help or tips would be really appreciated!
Server Conf
# OpenVPN server configuration as posted (file names kept as given).
port 1194
dev tun1
# client-config-dir is commented out, so the ccd iroute shown further down is not loaded at all.
#client-config-dir ccd
txqueuelen 1000
keepalive 15 60
verb 3
topology subnet
# Client pool 10.6.0.0/24; the pushed DNS address 10.6.0.1 below is the server's own tun1 address.
server 10.6.0.0 255.255.255.0
# IPv4 TCP transport only. The WAN firewall rule for port 1194 does not restrict the protocol,
# so it can be narrowed to tcp to match what is actually listening here.
proto tcp4-server
resolv-retry infinite
# NOTE(review): the two CBC entries are legacy non-AEAD modes kept for old clients; if every
# client negotiates GCM (the iOS app does), the list can be trimmed to the two GCM entries.
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
cipher AES-256-GCM
# Pushes 192.168.0.0/22 to clients - this matches the LAN netmask 255.255.252.0 in the network config.
push "route 192.168.0.0 255.255.252.0"
# Clients may talk to each other inside the tunnel; not required for iOS -> LAN reachability.
client-to-client
push "dhcp-option DNS 10.6.0.1"
ca PrivateVPN_ca.crt
dh PrivateVPN_dh.pem
cert PrivateVPN_server.crt
key PrivateVPN_server.key
# Status file named "status", rewritten every 10 seconds in version-2 format.
status-version 2
status status 10
ccd file (when previously attempted)
# NOTE(review): iroute tells the server which connected client owns a subnet *behind* that client.
# 10.6.0.0/24 is the server's own pool and is already routed to tun1 by the 'server' directive,
# so this entry does nothing useful; it is also only read when client-config-dir is enabled.
iroute 10.6.0.0 255.255.255.0
Network Conf
# /etc/config/network as posted.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
# Prefix value redacted in the post.
option ula_prefix 'REMOVED::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
option ipv6 '0'
list ports 'eth1'
list ports 'eth2'
list ports 'eth3'
# LAN is 192.168.0.0/22 (192.168.0.1 - 192.168.3.254) with the router at 192.168.1.1.
# ip6assign is left in place although IPv6 is disabled on the bridge above.
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ip6assign '60'
option netmask '255.255.252.0'
option ipaddr '192.168.1.1'
config interface 'wan'
option device 'eth0'
option proto 'dhcp'
option peerdns '0'
list dns '1.0.0.2'
list dns '1.1.1.2'
# Unmanaged interface wrapping the OpenVPN tun device so it can be placed in a firewall zone.
# NOTE(review): auto '0' means netifd does not bring this interface up by itself, so tun1 may
# never be attached to the 'vpn' zone. That would fit the symptom: the router itself is reachable
# (firewall defaults input ACCEPT) while forwarding to LAN hosts hits defaults forward REJECT.
# Try auto '1' (or 'ifup VPNTUN' once OpenVPN is running) and confirm tun1 appears under the
# vpn zone in 'fw4 print'.
config interface 'VPNTUN'
option proto 'none'
option device 'tun1'
option auto '0'
Firewall Conf
# /etc/config/firewall as posted.
# Defaults apply to traffic on devices that are not a member of any zone.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
# Forwarding from an unzoned device is rejected - this is what tun1 traffic would hit if the
# VPNTUN interface is not actually attached to the 'vpn' zone.
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
# VPN clients get full input access to the router (LuCI, DNS on 10.6.0.1). No masq here, so
# LAN hosts see the 10.6.0.x source address and must route replies back via this router.
config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'VPNTUN'
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
list network 'wan'
# 'wan6' and 'MODEM' are not defined in the network config shown; presumably ignored by fw4
# while those interfaces do not exist - verify nothing else is expected to live in this zone.
list network 'wan6'
list network 'MODEM'
option input 'DROP'
option forward 'DROP'
# Stock OpenWrt forwarding and rules follow. Several IPv6 rules are retained but switched off
# with enabled '0', consistent with IPv6 being disabled.
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
# The two rules below admit IPsec (ESP and IKE/500) from WAN into LAN. They are OpenWrt defaults
# and are not needed for OpenVPN over TCP 1194; they can be disabled if no IPsec peer exists.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
# NOTE(review): fw4 is nftables-based, so iptables commands left in the legacy firewall.user
# hook no longer take effect; confirm the file is empty or its rules have been ported.
config include
option path '/etc/firewall.user'
# Opens the OpenVPN port on WAN. No proto is set, so both TCP and UDP 1194 are accepted; the
# server uses proto tcp4-server, so adding option proto 'tcp' narrows this to what is listening.
config rule
option name 'Allow-VPN-WAN'
option src 'wan'
option dest_port '1194'
option target 'ACCEPT'
# Blocks internet access for the IoT range 192.168.0.0/25 (inside the /22 LAN).
# Matches src 'lan' only, so VPN clients (zone 'vpn') are not affected by this rule.
config rule
option src 'lan'
option dest 'wan'
option target 'REJECT'
list src_ip '192.168.0.0/25'
option name 'IoT No Internet (192.168.0.0 to 127)'
# DNS and NTP from LAN are DNATed (no dest_ip given, so presumably to the router itself) regardless
# of the resolver a client configured. Both only match src 'lan'; traffic from the 'vpn' zone is
# not intercepted and goes to the pushed DNS 10.6.0.1 directly.
config redirect
option target 'DNAT'
option src 'lan'
option src_dport '53'
option name 'DNS Intercept Requests'
option reflection '0'
option dest 'wan'
config redirect
option target 'DNAT'
option name 'NTP Intercept Requests'
option src 'lan'
option src_dport '123'
option reflection '0'
option dest 'wan'
# Script includes: NSS ECM offload hooks from the AX3600 build, and miniupnpd.
# NOTE(review): UPnP lets LAN hosts open WAN ports on their own; keep it only if that is intended.
config include 'qcanssecm'
option type 'script'
option path '/etc/firewall.d/qca-nss-ecm'
option family 'any'
option reload '1'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
# Zone forwarding vpn <-> lan: the intended path for iOS -> LAN hosts.
# It only takes effect if tun1 is really a member of the 'vpn' zone (see VPNTUN, auto '0').
# Because neither 'vpn' nor 'lan' masquerades, LAN hosts must route 10.6.0.0/24 back through
# this router - their default gateway must be 192.168.1.1 or they need a static route.
config forwarding
option src 'vpn'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'vpn'
Thanks again!
EDIT: If nothing jumps out, is it possible that this could be a fw4 issue?