OpenVPN Server 192.168.200.0

First, this guide and the scripts are awesome and nice:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic

On DSL with OpenWrt doing the pppoe connection, the setup was done quickly and from an iPhone I was able to connect:
[screenshot of the connected iPhone client]
(the external IP changes after restart so it can be exposed here)

But I have two or more questions.

1. My IP is 192.168.200.2. I want to reach a server on 192.168.5.101.
   My understanding was that I need such a rule:

config rule
	option target ACCEPT
	option src openvpn
	option family ipv4
	option proto tcp
	option dest_ip 192.168.5.101/24
	option dest_port 3000
	option name allowServer
	option enabled 1

Is this sufficient? Or is there anything more needed to establish the connection from 192.168.200.x to 192.168.5.x?

Regarding the guide mentioned above: there is nothing for IPv6. Is the IPv6 part mentioned here, "Creating a Private IPv6 Tunnel", still valid?
https://wiki.openwrt.org/doc/howto/vpn.server.openvpn.tun

You need a push directive for the route to your 192.168.5.0/24 network (server config). And on the server router, you want your firewall to allow forwarding between your vpn and lan zones.

The push directive is part of the scripts (mentioned above):

uci add_list openvpn.vpnserver.push="redirect-gateway def1"
uci add_list openvpn.vpnserver.push="route 192.168.5.0 255.255.255.0"
uci add_list openvpn.vpnserver.push="dhcp-option DNS 192.168.5.1"
uci add_list openvpn.vpnserver.push="compress lzo"
uci add_list openvpn.vpnserver.push="persist-tun"
uci add_list openvpn.vpnserver.push="persist-key"

as well as the firewall stuff:

uci add firewall zone
uci set firewall.@zone[-1].name="vpnserver"
uci add_list firewall.@zone[-1].network="vpnserver"
uci set firewall.@zone[-1].input="ACCEPT"
uci set firewall.@zone[-1].output="ACCEPT"
uci set firewall.@zone[-1].forward="REJECT"
uci add firewall forwarding
uci set firewall.@forwarding[-1].src="vpnserver"
uci set firewall.@forwarding[-1].dest="lan"
uci commit firewall

Maybe this is not even required?

config rule
	option target ACCEPT
	option src openvpn
	option family ipv4
	option proto tcp
	option dest_ip 192.168.5.101/24
	option dest_port 3000
	option name allowServer
	option enabled 1

No need.

That should be enough.

Now it is getting confusing.
192.168.5.1 is reachable on the VPN connection. Feels like supersonic speed.

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.200.1   128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    600    0        0 wlp4s0
87.122.234.155  192.168.1.1     255.255.255.255 UGH   0      0        0 wlp4s0
128.0.0.0       192.168.200.1   128.0.0.0       UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlp4s0
192.168.1.0     0.0.0.0         255.255.255.0   U     600    0        0 wlp4s0
192.168.5.0     192.168.200.1   255.255.255.0   UG    0      0        0 tun0
192.168.200.0   0.0.0.0         255.255.255.0   U     0      0        0 tun0

But 192.168.5.101:3000 is not reachable.

http://ipv6-test.com/ shows "IPv4 Not supported"; the IPv6 is from the local notebook.

Check routing table and firewall configuration on 192.168.5.101.

Up-to-date how-to:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/extras#ipv6_gateway

If you want full access from the iPhone to the 192.168.5 network, you could make the VPN a TAP to that instead of introducing another network.

Actually, the iOS OpenVPN client does not support TAP. You must use tun.

I want to open 192.168.5.101 only. Nothing else.

I don't understand, [vgaetera] says it is enough to reach 192.168.5.101, but [mk24] mentions TAP.

Anyways, I will give it another try tonight.

As I mentioned earlier, iOS doesn’t support tap.

Why doesn't the app support tap-style tunnels?

A: The iOS VPN API supports only tun-style tunnels at the moment. This is a limitation of the iOS platform. If you try to connect a profile that uses a tap-based tunnel, you will get an error that only layer 3 tunnels are currently supported.

If you’re still having issues, post your client and server OpenVPN config files, network, and firewall so we can see if there might be an error or something missing.

Switching from UDP to TCP makes it work with the Ubuntu command-line OpenVPN.

But from iPhone it does not work. Same setup, same .ovpn file.

The server config is

config openvpn 'vpnserver'
	option enabled '1'
	option dev 'tun0'
	option topology 'subnet'
	option port '1194'
	option server '192.168.200.0 255.255.255.0'
	option client_to_client '1'
	option compress 'lzo'
	option keepalive '10 120'
	option persist_tun '1'
	option persist_key '1'
	option tls_crypt '/etc/openvpn/tc.psk'
	option dh '/etc/openvpn/dh.pem'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/vpnserver.crt'
	option key '/etc/openvpn/vpnserver.key'
	list push 'redirect-gateway def1'
	list push 'route 192.168.5.0 255.255.255.0'
	list push 'dhcp-option DNS 192.168.5.1'
	list push 'compress lzo'
	list push 'persist-tun'
	list push 'persist-key'
	list push 'dhcp-option DOMAIN lan'
	option verb '5'
	option proto 'tcp'

If compression = ON in OpenVPN on iOS, the connection works fine!

There is one more question regarding the "security".
Can the openvpn --> WAN and --> LAN traffic be restricted in the same way as for / with WAN --> REJECT?

config zone
	option name 'vpnserver'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'vpnserver'

Then, rules like this are required to "open" the traffic to specific IPs only.
E.g. to access LuCI:

config rule
	option enabled '1'
	option target 'ACCEPT'
	option src 'vpnserver'
	option name 'test'
	option dest 'lan'
	option dest_ip '192.168.5.1'

These are deleted:

config forwarding
	option dest 'lan'
	option src 'vpnserver'

This one is kept for outgoing traffic, right?

config forwarding
	option src 'vpnserver'
	option dest 'wan'

This one enables (Internet) WAN --> OpenVPN server:

config rule
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'tcp udp'
	option target 'ACCEPT'

It's possible, however the reasoning is questionable.

It is like firewalls in enterprise networks. Between the network "zones" the traffic is closed (REJECT), but there are ACLs maintained. Just to be on the safe side.
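To see what the zone defaults, forwardings and rules discussed in this thread actually permit, here is an added example that is not part of the thread and not OpenWrt's own code: a small Python model of the fw3/fw4 forwarding decision. It assumes a simplified evaluation order (explicit rules first, then `config forwarding` stanzas, then the source zone's `forward` policy, which defaults to REJECT when unset), and the sample config is constructed, modelled on the stanzas posted above. It makes two points visible that matter for both the first question (the `allowServer` rule) and the "open specific IPs only" setup at the end: `dest_ip 192.168.5.101/24` matches the whole 192.168.5.0/24, so a host-only rule needs /32 (or no mask), and a rule without `option dest` is an input rule for the router itself rather than a forwarding rule, so on its own it never lets VPN clients reach the LAN.

```python
"""Simplified OpenWrt firewall forwarding evaluator (added example, not OpenWrt code)."""
import ipaddress
import shlex

# Constructed sample config modelled on the zones/rules in this thread;
# {dest_ip} is filled in by the caller so both a /24 and a /32 can be tried.
SAMPLE_TEMPLATE = """
config zone
	option name 'lan'
	option forward 'ACCEPT'

config zone
	option name 'vpnserver'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config rule
	option name 'allowServer'
	option src 'vpnserver'
	option dest 'lan'
	option proto 'tcp'
	option dest_ip '{dest_ip}'
	option dest_port '3000'
	option target 'ACCEPT'
"""


def parse_uci(text):
    """Turn UCI 'config/option/list' lines into a list of section dicts."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        if parts[0] == "config":
            sections.append({"_type": parts[1], "_id": parts[2] if len(parts) > 2 else None})
        elif parts[0] == "option":
            sections[-1][parts[1]] = parts[2]
        elif parts[0] == "list":
            sections[-1].setdefault(parts[1], []).append(parts[2])
    return sections


def _proto_matches(rule_proto, proto):
    return any(p in ("any", "all", proto) for p in rule_proto.lower().split())


def _port_matches(rule_ports, port):
    """dest_port may be absent, a single port, a range '1000-2000' or a space-separated list."""
    if rule_ports is None:
        return True
    if port is None:
        return False
    for item in str(rule_ports).split():
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _ip_matches(rule_ip, ip):
    if rule_ip is None:
        return True
    if isinstance(rule_ip, list):  # 'list dest_ip' form
        return any(_ip_matches(r, ip) for r in rule_ip)
    # strict=False mirrors the firewall: '192.168.5.101/24' means the whole /24.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule_ip, strict=False)


def forward_allowed(sections, src_zone, dst_zone, dst_ip, proto="tcp", dst_port=None):
    """Is a flow from src_zone to dst_ip (sitting in dst_zone) forwarded?

    Rules are checked first; a rule without 'dest' is an input rule (traffic
    to the router itself) and therefore never matches forwarded traffic.
    Then zone forwardings, then the source zone's 'forward' default.
    """
    for sec in sections:
        if sec["_type"] != "rule" or sec.get("enabled", "1") == "0":
            continue
        if sec.get("src") != src_zone or sec.get("dest") != dst_zone:
            continue
        if not _proto_matches(sec.get("proto", "tcp udp"), proto):
            continue
        if not _ip_matches(sec.get("dest_ip"), dst_ip):
            continue
        if not _port_matches(sec.get("dest_port"), dst_port):
            continue
        return sec.get("target", "DROP") == "ACCEPT"
    for sec in sections:
        if sec["_type"] == "forwarding" and sec.get("src") == src_zone and sec.get("dest") == dst_zone:
            return True
    for sec in sections:
        if sec["_type"] == "zone" and sec.get("name") == src_zone:
            return sec.get("forward", "REJECT") == "ACCEPT"
    return False


if __name__ == "__main__":
    for cidr in ("192.168.5.101/24", "192.168.5.101/32"):
        cfg = parse_uci(SAMPLE_TEMPLATE.format(dest_ip=cidr))
        for ip in ("192.168.5.101", "192.168.5.50"):
            print(cidr, "->", ip + ":3000", forward_allowed(cfg, "vpnserver", "lan", ip, "tcp", 3000))
```

Running it prints that the /24 rule forwards to both hosts while the /32 rule forwards only to 192.168.5.101:3000; adding a `config forwarding` from vpnserver to lan opens every LAN host and port regardless of the rule, which is the trade-off the zone-REJECT-plus-ACL approach above avoids.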
