Openvpn and Openwrt

On the old configuration (router with Fritz firmware) I used this configuration for the VPN:

Redirect/accept the port of the OpenVPN server (OpenVPN is not on the router, it is on a VM)

Connect from another network to my local network

Stop.

With OpenWrt:

Redirect/accept the port of the OpenVPN server (OpenVPN is not on the router, it is on a VM): OK

But when I connect from another network, the firewall blocks everything and gives me these messages:

ping 192.168.0.1
From 10.8.0.1 ... packet filtered

How do I accept the packets?

This is my connection scheme:

The laptop uses 10.8.0 as the "openvpn network" (tun0) and the localnet is 192.168.0.0/24

Laptop----->4G key--->openvpn-------internet------>router----openvpn--->localnet

I have tried adding these lines to the firewall:


# Openvpn

config rule
        option target 'ACCEPT'
        option family 'ipv4'
        option proto 'udp'
        option src_ip '10.8.0.0/24'
        option dest_ip '192.168.0.0/24'
        option name 'Allow OpenVPN -> LAN'

config rule
        option target 'ACCEPT'
        option family 'ipv4'
        option proto 'tcp'
        option src_ip '10.8.0.0/24'
        option dest_ip '192.168.0.0/24'
        option name 'Allow OpenVPN -> LAN-TCP'

config rule
        option target 'ACCEPT'
        option family 'ipv4'
        option proto 'icmp'
        option src_ip '10.8.0.0/24'
        option dest_ip '192.168.0.0/24'
        option dest 'lan'
        option name 'Allow OpenVPN (ICMP) -> LAN'

config rule
        option target 'ACCEPT'
        option family 'ipv4'
        option proto 'icmp'
        list icmp_type 'echo-request'
        option src_ip '10.8.0.0/24'
        option dest_ip '192.168.0.0/24'
        option dest 'wan'
        option name 'Allow OpenVPN (ICMP 8: echo-request) -> WAN'

It doesn't work.

Your rules do not permit ping. It is better to put the openvpn tun device in a separate zone and permit forwarding for the entire zone. Or even join it to the lan zone and reuse its defaults.

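Added example, not part of the thread and not OpenWrt's own documentation: a sketch of the separate-zone layout the reply above describes, as it would appear in /etc/config/firewall. It assumes the OpenVPN tun device (tun0) terminates on the router itself, which is what the reply assumes and differs from the original poster's setup, where OpenVPN runs on a VM; the zone name `vpn` and the rule name are made up for the illustration.

```uci
# Assumption: tun0 exists on the router. Zone name 'vpn' is illustrative.
config zone
        option name 'vpn'
        list device 'tun0'
        # Default-deny traffic addressed to the router itself from VPN clients
        option input 'REJECT'
        option output 'ACCEPT'
        # Nothing is forwarded out of this zone unless a forwarding section allows it
        option forward 'REJECT'

# Permit the whole vpn zone to reach the lan zone (one direction only).
# Replies are handled by connection tracking; lan -> vpn would need its own section.
config forwarding
        option src 'vpn'
        option dest 'lan'

# Pinging the router's own address is input traffic, not forwarding,
# so it needs an explicit rule while the zone's input policy is REJECT.
config rule
        option name 'Allow-Ping-from-VPN'
        option src 'vpn'
        option family 'ipv4'
        option proto 'icmp'
        list icmp_type 'echo-request'
        option target 'ACCEPT'
```

Keeping the tunnel in its own zone, rather than joining it to lan, leaves room to narrow the forwarding later without touching the LAN defaults.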

I see that the IP of the VPN server (192.168.0.8) can be pinged! So it is not a problem of OpenWrt but of the firewall on the OpenVPN server (I hope).
Edit: I checked it and it was firewalld! I always think that new technology is good for one "part" and bad for another; I will return to the good old iptables script for the VPN server.