OpenVPN client on OpenWrt and IP addresses

I'm new to OpenWrt, so please forgive my ignorance.
I have an OpenVPN server running in an EC2 instance in AWS.
I just set up OpenWrt on my router and installed the OpenVPN app; I'm able to connect to my OpenVPN server from the router.
My OpenVPN server's address is 10.8.0.1.
My OpenWrt router address is 192.168.1.1.
Say I have a device connected to the router with the IP address 192.168.213.

I'm trying to SSH from my OpenVPN server in the cloud to the device 192.168.213, but I can't even ping it.
I know this probably has to do with NAT, but I can't figure it out.

You may have to open the firewall to allow SSH.


Depending on the configuration, you might need to allow the flow on the firewall and install a static route, or do a port forward.
You can post here the output of uci export network; uci export firewall in preformatted text (the </> button) after you remove any sensitive data, like passwords, MAC addresses, etc.


Hello @hendri_th and @trendy, thank you for your willingness to help. I noticed that when I go to Dnsleaktest.com, it shows my router's public IP instead of my VPN server IP; not sure how to fix that.

Here's the result from uci export network; uci export firewall:

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 tun0'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

You should configure lan behind client: https://community.openvpn.net/openvpn/wiki/RoutedLans

But for a basic connection you should configure the network and firewall; see e.g. my manual: https://airvpn.org/forums/topic/20303-airvpn-configuration-on-openwrt-preventing-traffic-leakage-outside-tunnel/
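The server-side half of "LAN behind client" from the RoutedLans wiki page, written out as an added example (this is not from the thread, the wiki, or the AirVPN guide). It assumes the tunnel subnet is 10.8.0.0/24 with the server at 10.8.0.1 and the router's LAN is 192.168.1.0/24, both as stated in the thread, and that the router's client certificate has the common name openwrt-router, which is a hypothetical name you must replace with the CN the router actually presents. Without these two directives the EC2 instance has no route to 192.168.1.0/24 at all, so the ping never leaves the server no matter what the router's firewall allows.

```conf
# /etc/openvpn/server.conf on the EC2 instance -- lines to ADD (added example, not thread content)
# Assumes: tunnel 10.8.0.0/24 (server 10.8.0.1), router LAN 192.168.1.0/24,
#          router cert CN "openwrt-router" (hypothetical, replace with yours).

# Kernel route on the server: packets for the router's LAN go into the tun device.
route 192.168.1.0 255.255.255.0

# Per-client configuration directory. Each file is named after a client's
# certificate CN and is applied when that client connects.
client-config-dir /etc/openvpn/ccd

# /etc/openvpn/ccd/openwrt-router  (file name == the router's certificate CN)
# Internal OpenVPN route: tells the daemon which connected client owns
# 192.168.1.0/24 so it can pick the right client session for those packets.
# Without this the kernel route above delivers the packet to OpenVPN, but
# OpenVPN drops it because no client claims that subnet.
iroute 192.168.1.0 255.255.255.0
```

After restarting the server, `ip route` on the EC2 instance should list 192.168.1.0/24 via the tun device, and the server log should mention the iroute when the router connects. A quick check that needs no router changes: ping 192.168.1.1 (the router's own LAN address) from the server. With the firewall the thread shows, tun0 sits in the wan zone, whose Allow-Ping rule accepts echo requests, so that ping succeeds once the server routes correctly; only forwarding on to the LAN host is still blocked by the wan zone's forward REJECT.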

Hi @ulmwind, thank you for your reply. I read the LAN behind the client article, but I don't understand it fully.
I followed your guide for the basic config, but I don't have internet and I'm not able to SSH into my EC2 instance with the OpenVPN server.
Let me know what information you need and I can grab it.

There is no network configuration.
Regardless, there is no rule or port forward in the firewall. Since you are doing NAT on the wan interface, a port forward will be necessary.

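The router-side changes that trendy's two replies describe (allow the flow on the firewall for a routed LAN, or do a port forward because tun0 is currently NATed as part of the wan zone), as an added example in the same uci export format the thread uses; it is not the poster's configuration and not from any guide. It assumes an OpenWrt release that uses option device in /etc/config/network (21.02 or newer; older releases use option ifname), that the LAN host is 192.168.1.213 (the thread's "192.168.213" is not a valid address and is read here as a typo), and that the server is 10.8.0.1. The routed rules in part 3 pair with route/iroute on the server; the redirect in part 4 is the alternative when the server side cannot be changed.

```conf
# Added example, not from the thread. Assumes OpenWrt 21.02+ ('option device'),
# LAN host 192.168.1.213 (assumed), VPN server 10.8.0.1, tunnel device tun0.

# ---- /etc/config/network: give the tunnel a named interface so a zone can own it ----
config interface 'tun0'
        option proto 'none'
        option device 'tun0'

# ---- /etc/config/firewall ----
# 1. Replace the posted wan zone: tun0 is removed from its network list,
#    so inbound tunnel traffic is no longer treated like Internet traffic.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

# 2. Own zone for the tunnel. masq keeps LAN->server connections working even
#    if the server has no route back; replies to connections the server opened
#    are matched by conntrack and are not masqueraded, so routed access still works.
config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'tun0'

config forwarding
        option src 'lan'
        option dest 'vpn'

# 3. Routed access (needs route + iroute on the server): only the server,
#    only SSH, only to the one host. Widen dest_ip to a subnet if needed.
config rule
        option name 'Allow-SSH-from-VPN-server'
        option src 'vpn'
        option src_ip '10.8.0.1'
        option dest 'lan'
        option dest_ip '192.168.1.213'
        option dest_port '22'
        option proto 'tcp'
        option target 'ACCEPT'

config rule
        option name 'Allow-Ping-from-VPN-server'
        option src 'vpn'
        option src_ip '10.8.0.1'
        option dest 'lan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

# 4. Alternative without server-side routing: DNAT port 2222 on the router's
#    tunnel address to the LAN host. The server then runs
#    ssh -p 2222 user@<router tun0 address>. Still limited to 10.8.0.1.
config redirect
        option name 'SSH-to-device'
        option src 'vpn'
        option src_ip '10.8.0.1'
        option src_dport '2222'
        option dest 'lan'
        option dest_ip '192.168.1.213'
        option dest_port '22'
        option proto 'tcp'
        option target 'DNAT'
```

Apply with /etc/init.d/network reload followed by /etc/init.d/firewall restart. Before blaming the firewall, confirm the router has a return route for the tunnel: ip route on the router should show 10.8.0.0/24 (or at least 10.8.0.1) via tun0; if it does not, replies from 192.168.1.213 leave through the real WAN and are lost. Keeping src_ip on every rule matters because the redirect would otherwise expose the LAN host's SSH to every VPN client that can reach tun0, and the AirVPN-style guide for routing all traffic into the tunnel is a separate concern from this inbound path.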

OK, let's start. Give the contents of /etc/config/firewall and /etc/config/network. Above you gave /etc/config/firewall, but there is no modification. Do you understand what you should add to the files?