Hi everyone,
I'm coming back to OpenWrt after a few (something like 10) years, and I'm amazed by all the changes, especially the UCI
config interface and the number of packages available.
I want to access the router's SSH server remotely from an OpenVPN client connection. This is what happens:
- Before the OpenVPN connection is established, I can reach the SSH server fine through both the LAN and WAN ports (on the LAN and WAN IPs)
- Once the OpenVPN client connection is up, I can still reach it from the LAN port but no longer from the WAN port
- Once the OpenVPN client connection is closed (because I stop openvpn, or it is closed on the server side), SSH becomes accessible again
I enabled logging of rejected packets but couldn't find anything useful in the logs.
Here is my config; I can add any information that might be missing:
# cat /proc/cpuinfo |grep machine
machine : GL.iNet GL-AR300M (NOR)
# uci export firewall
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone 'lan'
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option log '1'
config zone 'wan'
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option log '1'
config zone 'vpn'
option name 'vpn'
list network 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list device 'tun0'
option log '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include 'opennds'
option type 'script'
option path '/usr/lib/opennds/restart.sh'
config rule
option src '*'
option target 'ACCEPT'
option proto 'tcp'
option dest_port '22'
# uci export dropbear
package dropbear
config dropbear
option PasswordAuth 'on'
option Port '22'
# ifconfig
br-lan Link encap:Ethernet HWaddr 94:83:C4:26:FF:10
inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fd57:8184:6709::1/60 Scope:Global
inet6 addr: fe80::9683:c4ff:fe26:ff10/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:178673 errors:0 dropped:0 overruns:0 frame:0
TX packets:222689 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:46268254 (44.1 MiB) TX bytes:219509655 (209.3 MiB)
eth0 Link encap:Ethernet HWaddr 94:83:C4:26:FF:10
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:4154 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:588895 (575.0 KiB)
Interrupt:5
eth1 Link encap:Ethernet HWaddr 94:83:C4:26:FF:0F
inet addr:192.168.1.3 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::9683:c4ff:fe26:ff0f/64 Scope:Link
inet6 addr: 2a01:e0a:c03:240:9683:c4ff:fe26:ff0f/64 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:321891 errors:0 dropped:0 overruns:0 frame:0
TX packets:171695 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:276553998 (263.7 MiB) TX bytes:49276688 (46.9 MiB)
Interrupt:4
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:11048 errors:0 dropped:0 overruns:0 frame:0
TX packets:11048 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:778898 (760.6 KiB) TX bytes:778898 (760.6 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.27.67 P-t-P:212.27.38.253 Mask:255.255.255.255
inet6 addr: fe80::cab8:e322:8a3f:8888/64 Scope:Link
inet6 addr: 2a01:e0a:c03:248::10/124 Scope:Global
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:3 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:403 (403.0 B) TX bytes:649 (649.0 B)
wlan0 Link encap:Ethernet HWaddr 94:83:C4:26:FF:0F
inet6 addr: fe80::9683:c4ff:fe26:ff0f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:178677 errors:0 dropped:0 overruns:0 frame:0
TX packets:221560 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:48770435 (46.5 MiB) TX bytes:220805593 (210.5 MiB)
# logread -f -e openv
Mon Mar 6 09:47:26 2023 daemon.warn openvpn(client)[11364]: Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
Mon Mar 6 09:47:26 2023 daemon.warn openvpn(client)[11364]: DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
Mon Mar 6 09:47:26 2023 daemon.notice openvpn(client)[11364]: OpenVPN 2.5.7 mips-openwrt-linux-gnu [SSL (mbed TLS)] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Mar 6 09:47:26 2023 daemon.notice openvpn(client)[11364]: library versions: mbed TLS 2.28.2
Mon Mar 6 09:47:26 2023 daemon.warn openvpn(client)[11364]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Mar 6 09:47:26 2023 daemon.notice openvpn(client)[11364]: UDP link local: (not bound)
Mon Mar 6 09:47:26 2023 daemon.notice openvpn(client)[11364]: UDP link remote: [AF_INET]82.66.165.49:5709
Mon Mar 6 09:47:27 2023 daemon.notice openvpn(client)[11364]: [Freebox OpenVPN server 29c1037b27983188fc883af1e5c6ce7a] Peer Connection Initiated with [AF_INET]82.66.165.49:5709
Mon Mar 6 09:47:28 2023 daemon.notice openvpn(client)[11364]: TUN/TAP device tun0 opened
Mon Mar 6 09:47:28 2023 daemon.notice openvpn(client)[11364]: net_iface_mtu_set: mtu 1500 for tun0
Mon Mar 6 09:47:28 2023 daemon.notice openvpn(client)[11364]: net_iface_up: set tun0 up
Mon Mar 6 09:47:28 2023 daemon.notice openvpn(client)[11364]: net_addr_ptp_v4_add: 192.168.27.67 peer 212.27.38.253 dev tun0
Mon Mar 6 09:47:28 2023 daemon.notice openvpn(client)[11364]: net_iface_mtu_set: mtu 1500 for tun0
Mon Mar 6 09:47:28 2023 daemon.notice openvpn(client)[11364]: net_iface_up: set tun0 up
Mon Mar 6 09:47:28 2023 daemon.notice openvpn(client)[11364]: net_addr_v6_add: 2a01:e0a:c03:248::10/124 dev tun0
Mon Mar 6 09:47:28 2023 daemon.notice openvpn(client)[11364]: /usr/libexec/openvpn-hotplug up client tun0 1500 1556 192.168.27.67 212.27.38.253 init
Mon Mar 6 09:47:28 2023 daemon.warn openvpn(client)[11364]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Mar 6 09:47:28 2023 daemon.notice openvpn(client)[11364]: Initialization Sequence Completed
Just in case you see something suspicious:
# ps
PID USER VSZ STAT COMMAND
1 root 1672 S /sbin/procd
2 root 0 SW [kthreadd]
6 root 0 IW< [mm_percpu_wq]
7 root 0 SW [rcu_tasks_trace]
8 root 0 SW [ksoftirqd/0]
9 root 0 IW< [netns]
108 root 0 SW [oom_reaper]
109 root 0 IW [kworker/0:1-eve]
123 root 0 IW< [writeback]
125 root 0 SW [kcompactd0]
146 root 0 IW< [kblockd]
147 root 0 IW< [blkcg_punt_bio]
148 root 0 SW [watchdogd]
178 root 0 SW [kswapd0]
180 root 0 IW< [kthrotld]
220 root 0 SW [spi0]
316 root 0 IW< [ipv6_addrconf]
329 root 0 IW< [kworker/0:1H-kb]
342 root 0 SW [irq/14-keys]
343 root 0 SW [irq/15-keys]
344 root 0 SW [irq/16-keys]
449 root 0 SWN [jffs2_gcd_mtd5]
511 ubus 1332 S /sbin/ubusd
512 root 996 S /sbin/askfirst /usr/libexec/login.sh
547 root 1108 S /sbin/urngd
686 root 0 IW< [cfg80211]
771 root 0 IW< [kworker/0:2H]
880 logd 1340 S /sbin/logd -S 64
934 root 2124 S /sbin/rpcd -s /var/run/ubus/ubus.sock -t 30
1468 root 1208 S /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p 22 -K 300 -T 3
1662 root 2656 S {hostapd} /sbin/ujail -t 5 -n hostapd -U network -G network -C /etc/capabilities/wpad.json -c -- /usr/sbin/hostapd -s -g /var/run/hostapd/global
1663 root 2656 S {wpa_supplicant} /sbin/ujail -t 5 -n wpa_supplicant -U network -G network -C /etc/capabilities/wpad.json -c -- /usr/sbin/wpa_supplicant -n -s -g /var/run/wpa_supplicant/glob
1666 network 4436 S /usr/sbin/wpa_supplicant -n -s -g /var/run/wpa_supplicant/global
1667 network 4492 S /usr/sbin/hostapd -s -g /var/run/hostapd/global
1734 root 1816 S /sbin/netifd
1798 root 1544 S /usr/sbin/odhcpd
1925 root 4144 S /usr/sbin/uhttpd -f -h /www -r OpenWrt -x /cgi-bin -u /ubus -t 60 -T 30 -k 20 -A 1 -n 3 -N 100 -R -p 0.0.0.0:8080 -p [::]:8080 -C /etc/uhttpd.crt -K /etc/uhttpd.key -s 0.0.0
2290 root 0 IW [kworker/u2:0-ev]
2444 root 2656 S {ntpd} /sbin/ujail -t 5 -n ntpd -U ntp -G ntp -C /etc/capabilities/ntpd.json -c -u -r /bin/ubus -r /usr/bin/env -r /usr/bin/jshn -r /usr/sbin/ntpd-hotplug -r /usr/share/libu
2495 ntp 1308 S /usr/sbin/ntpd -n -N -S /usr/sbin/ntpd-hotplug -p 0.openwrt.pool.ntp.org -p 1.openwrt.pool.ntp.org -p 2.openwrt.pool.ntp.org -p 3.openwrt.pool.ntp.org
2651 root 1308 S udhcpc -p /var/run/udhcpc-eth1.pid -s /lib/netifd/dhcp.script -f -t 0 -i eth1 -x hostname:OpenWrt -C -R -O 121
2655 root 1124 S odhcp6c -s /lib/netifd/dhcpv6.script -P0 -t120 eth1
5519 root 1228 S /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p 22 -K 300 -T 3 -2 9
5520 root 1312 S -ash
6076 root 0 IW [kworker/u2:1-ev]
6312 root 1744 S /usr/bin/opennds -c /tmp/etc/opennds_cfg01995c.conf -f -s
6898 root 2656 S {dnsmasq} /sbin/ujail -t 5 -n dnsmasq -u -l -r /bin/ubus -r /etc/TZ -r /etc/dnsmasq.conf -r /etc/ethers -r /etc/group -r /etc/hosts -r /etc/passwd -w /tmp/dhcp.leases -r /tm
6906 dnsmasq 3024 S /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/dnsmasq.cfg01411c.pid
8291 root 0 IW [kworker/0:0-eve]
11364 root 2280 S /usr/sbin/openvpn --syslog openvpn(client) --status /var/run/openvpn.client.status --cd /etc/openvpn --config /etc/openvpn/client.conf --up /usr/libexec/openvpn-hotplug up c
# opkg list-installed
base-files - 1498-r20028-43d71ad93e
busybox - 1.35.0-5
ca-bundle - 20211016-1
cgi-io - 2022-08-10-901b0f04-21
dnsmasq-full - 2.86-15
dropbear - 2022.82-2
firewall4 - 2022-10-18-7ae5e14b-1
fstools - 2022-06-02-93369be0-2
fwtool - 2019-11-12-8f7fe925-1
getrandom - 2021-08-03-205defb5-2
hostapd-common - 2022-01-16-cff80b4f-15.2
ipset - 7.15-2
iptables-nft - 1.8.7-7
iw - 5.16-1
iwinfo - 2022-12-15-8d158096-1
jansson4 - 2.13.1-2
jshn - 2022-05-15-d2223ef9-1
jsonfilter - 2018-02-04-c7e938d6-1
kernel - 5.10.161-1-9d271b860b5d8e89f9abd47f0ee26886
kmod-ath - 5.10.161+5.15.81-1-1
kmod-ath9k - 5.10.161+5.15.81-1-1
kmod-ath9k-common - 5.10.161+5.15.81-1-1
kmod-cfg80211 - 5.10.161+5.15.81-1-1
kmod-crypto-aead - 5.10.161-1
kmod-crypto-ccm - 5.10.161-1
kmod-crypto-cmac - 5.10.161-1
kmod-crypto-crc32c - 5.10.161-1
kmod-crypto-ctr - 5.10.161-1
kmod-crypto-gcm - 5.10.161-1
kmod-crypto-gf128 - 5.10.161-1
kmod-crypto-ghash - 5.10.161-1
kmod-crypto-hash - 5.10.161-1
kmod-crypto-hmac - 5.10.161-1
kmod-crypto-manager - 5.10.161-1
kmod-crypto-null - 5.10.161-1
kmod-crypto-rng - 5.10.161-1
kmod-crypto-seqiv - 5.10.161-1
kmod-crypto-sha256 - 5.10.161-1
kmod-gpio-button-hotplug - 5.10.161-3
kmod-ipt-conntrack - 5.10.161-1
kmod-ipt-core - 5.10.161-1
kmod-ipt-ipset - 5.10.161-1
kmod-ipt-nat - 5.10.161-1
kmod-lib-crc-ccitt - 5.10.161-1
kmod-lib-crc32c - 5.10.161-1
kmod-mac80211 - 5.10.161+5.15.81-1-1
kmod-nf-conntrack - 5.10.161-1
kmod-nf-conntrack-netlink - 5.10.161-1
kmod-nf-conntrack6 - 5.10.161-1
kmod-nf-flow - 5.10.161-1
kmod-nf-ipt - 5.10.161-1
kmod-nf-log - 5.10.161-1
kmod-nf-log6 - 5.10.161-1
kmod-nf-nat - 5.10.161-1
kmod-nf-reject - 5.10.161-1
kmod-nf-reject6 - 5.10.161-1
kmod-nfnetlink - 5.10.161-1
kmod-nft-compat - 5.10.161-1
kmod-nft-core - 5.10.161-1
kmod-nft-fib - 5.10.161-1
kmod-nft-nat - 5.10.161-1
kmod-nft-offload - 5.10.161-1
kmod-nls-base - 5.10.161-1
kmod-phy-ath79-usb - 5.10.161-1
kmod-ppp - 5.10.161-1
kmod-pppoe - 5.10.161-1
kmod-pppox - 5.10.161-1
kmod-slhc - 5.10.161-1
kmod-tun - 5.10.161-1
kmod-usb-core - 5.10.161-1
kmod-usb-ehci - 5.10.161-1
kmod-usb-printer - 5.10.161-1
kmod-usb2 - 5.10.161-1
libblobmsg-json20220515 - 2022-05-15-d2223ef9-1
libc - 1.2.3-4
libevdev - 1.13.0-1
libgcc1 - 11.2.0-4
libgmp10 - 6.2.1-1
libipset13 - 7.15-2
libiptext-nft0 - 1.8.7-7
libiptext0 - 1.8.7-7
libiptext6-0 - 1.8.7-7
libiwinfo-data - 2022-12-15-8d158096-1
libiwinfo-lua - 2022-12-15-8d158096-1
libiwinfo20210430 - 2022-12-15-8d158096-1
libjson-c5 - 0.15-2
libjson-script20220515 - 2022-05-15-d2223ef9-1
liblua5.1.5 - 5.1.5-10
liblucihttp-lua - 2022-07-08-6e68a106-1
liblucihttp0 - 2022-07-08-6e68a106-1
libmbedtls12 - 2.28.2-1
libmicrohttpd-no-ssl - 0.9.75-1
libmnl0 - 1.0.5-1
libnetfilter-conntrack3 - 1.0.9-2
libnettle8 - 3.7.3-2
libnfnetlink0 - 1.0.2-1
libnftnl11 - 1.2.1-2
libnl-tiny1 - 2021-11-21-8e0555fb-1
libpthread - 1.2.3-4
librt - 1.2.3-4
libubox20220515 - 2022-05-15-d2223ef9-1
libubus-lua - 2022-06-01-2bebf93c-1
libubus20220601 - 2022-06-01-2bebf93c-1
libuci20130104 - 2021-10-22-f84f49f0-6
libuclient20201210 - 2021-05-14-6a6011df-1
libucode20220812 - 2022-12-02-46d93c9c-1
libudev-zero - 1.0.1-1
libusb-1.0-0 - 1.0.24-5
libustream-wolfssl20201210 - 2022-12-08-9217ab46-2
libwolfssl5.5.4.ee39414e - 5.5.4-stable-1
libxtables12 - 1.8.7-7
logd - 2021-08-03-205defb5-2
lua - 5.1.5-10
luci - git-20.074.84698-ead5e81
luci-app-firewall - git-22.089.67563-7e3c1b4
luci-app-opkg - git-22.273.29004-9f6876b
luci-base - git-22.361.69894-438c598
luci-lib-base - git-20.232.39649-1f6dc29
luci-lib-ip - git-20.250.76529-62505bd
luci-lib-jsonc - git-22.097.61921-7513345
luci-lib-nixio - git-20.234.06894-c4a4e43
luci-mod-admin-full - git-19.253.48496-3f93650
luci-mod-network - git-22.345.48602-4853e7b
luci-mod-status - git-22.302.42268-2878b35
luci-mod-system - git-22.339.34970-004e47c
luci-proto-ipv6 - git-21.148.48881-79947af
luci-proto-ppp - git-21.158.38888-88b9d84
luci-ssl - git-20.244.36115-e10f954
luci-theme-bootstrap - git-22.288.45147-96ec0cd
mtd - 26
netifd - 2022-08-25-76d2d41b-1
nftables-json - 1.0.2-2.1
odhcp6c - 2022-08-05-7d21e8d8-18
odhcpd-ipv6only - 2023-01-02-4a673e1c-2
opennds - 9.10.0-1
openvpn-mbedtls - 2.5.7-3
openwrt-keyring - 2022-03-25-62471e69-3
opkg - 2022-02-24-d038e5b6-1
ppp - 2.4.9.git-2021-01-04-3
ppp-mod-pppoe - 2.4.9.git-2021-01-04-3
procd - 2022-06-01-7a009685-2
procd-seccomp - 2022-06-01-7a009685-2
procd-ujail - 2022-06-01-7a009685-2
px5g-wolfssl - 6.2
rpcd - 2022-12-15-7de4820c-1
rpcd-mod-file - 2022-12-15-7de4820c-1
rpcd-mod-iwinfo - 2022-12-15-7de4820c-1
rpcd-mod-luci - 20210614
rpcd-mod-rrdns - 20170710
swconfig - 12
ubi-utils - 2.1.4-1
uboot-envtools - 2022.01-36
ubox - 2021-08-03-205defb5-2
ubus - 2022-06-01-2bebf93c-1
ubusd - 2022-06-01-2bebf93c-1
uci - 2021-10-22-f84f49f0-6
uclient-fetch - 2021-05-14-6a6011df-1
ucode - 2022-12-02-46d93c9c-1
ucode-mod-fs - 2022-12-02-46d93c9c-1
ucode-mod-ubus - 2022-12-02-46d93c9c-1
ucode-mod-uci - 2022-12-02-46d93c9c-1
uhttpd - 2022-10-31-23977554-1
uhttpd-mod-ubus - 2022-10-31-23977554-1
urandom-seed - 3
urngd - 2020-01-21-c7f7b6b6-1
usbutils - 014-1
usign - 2020-05-23-f1f65026-1
wireless-regdb - 2022.08.12-1
wpad-basic-wolfssl - 2022-01-16-cff80b4f-15.2
xtables-nft - 1.8.7-7
xxd - 8.2-5