OpenVPN Server behind OpenWRT, not on OpenWRT

Hi,

I'm sorry if this was answered elsewhere already; I couldn't find anything on this. I want to connect remotely to a Raspberry Pi serving OpenVPN in my DMZ. The port forwarding is set up, and on a remote host nmap gives me the following result:

PORT      STATE         SERVICE VERSION
54449/udp open|filtered unknown

Yet when I try to connect I get a timeout message. I'd like to know whether the rules I have applied are fine and my OVPN setup has issues, or whether I've missed creating/editing necessary rules. I'm new to OpenWRT, but at first glance everything looks fine to me.

My setup:

TP-Link Archer C7 (v2 1750) with OpenWrt (18.06.1 r7258-5eb055306f / LuCI openwrt-18.06 branch (git-18.228.31946-f64b152)) and Raspberry Pi 3 Model B+ running Raspbian 9/Stretch with OpenVPN 2.4

ISP --- (WAN) OpenWRT --- LAN/DMZ/Guest

I get a genuine IPv4 and IPv6 address via FTTH, no DS-Lite or other stuff. DynDNS is already set up and working as well.

I can't upload more than one image; I hope this imgur link works for you all: My Setup

Switch:
VLAN 3 is my DMZ where my Raspberry Pi sits. VLAN 7 is my FTTH connection.

Firewall:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option family 'ipv4'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option name 'guest_wifi'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'guest_wifi'
        option input 'REJECT'

config forwarding
        option dest 'wan'
        option src 'guest_wifi'

config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'
        option name 'Allow_Guest_DNS'
        option src 'guest_wifi'
        option dest 'dmz'
        option dest_ip '192.168.99.3'

config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '67-68'
        option name 'Allow_Guest_DHCP'
        option src 'guest_wifi'

config zone
        option name 'dmz'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'DMZ'
        option input 'REJECT'
        option log '1'

config forwarding
        option dest 'wan'
        option src 'dmz'

config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'
        option name 'Allow_DMZ_DNS'
        option dest_ip '192.168.99.1'
        option src 'dmz'

config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '67-68'
        option name 'Allow_DMZ_DHCP'
        option src 'dmz'

config rule
        option target 'ACCEPT'
        option name 'Allow_DMZ_ICMP'
        option proto 'icmp'
        option icmp_type 'echo-reply'
        option src 'dmz'
        option dest_ip '192.168.99.1'

config rule
        option target 'ACCEPT'
        option dest_port '22'
        option name 'Allow_DMZ_SSH'
        option proto 'tcp udp'
        option src 'lan'
        option dest 'dmz'

config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'
        option dest_ip '192.168.99.3'
        option src 'lan'
        option name 'Allow_DNS_LAN_TO_DMZ'
        option dest 'dmz'

config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'
        option name 'Allow_DNS_Guest_TO_DMZ'
        option src 'guest_wifi'
        option dest 'dmz'
        option dest_ip '192.168.99.3'

config forwarding
        option dest 'dmz'
        option src 'guest_wifi'

config forwarding
        option dest 'dmz'
        option src 'lan'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'dmz'
        option proto 'udp'
        option src_dport '54449'
        option dest_ip '192.168.99.3'
        option dest_port '54449'
        option name 'Allow_OVPN'

My VPN clients will get IP leases in the 10.8.0.0/24 net; everything else is on different 192.168.x.x subnets.

I thought the last firewall rule would do the trick, but apparently it does not. Does anyone have tips on what may be wrong here?

Every tutorial or documentation I can find on the net either describes configuring OpenVPN on the router itself or on another device but without an OpenWRT setup.

Thank you for your help.

Kind regards
Mamue
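Before chasing the server side, it is worth machine-checking a firewall config like the one above for the mistakes that are easy to overlook when reading UCI by eye: references to zones that are never defined, rules that duplicate each other exactly (the posted config contains two identical guest-to-DMZ DNS rules, 'Allow_Guest_DNS' and 'Allow_DNS_Guest_TO_DMZ'), and the full list of ports a WAN-facing redirect exposes. The following checker is an added example, not code from the thread or from OpenWrt; it parses the UCI section/option/list syntax and runs those three checks over a constructed excerpt that mirrors the shape of the posted config (the 'lan' zone is deliberately omitted from the excerpt so the dangling-reference check has something to report).

```python
"""Audit an OpenWrt UCI firewall config: dangling zone references,
exactly duplicated rules, and services exposed by DNAT redirects."""
import re
from collections import defaultdict

# Constructed excerpt in the shape of the posted /etc/config/firewall.
# The 'lan' zone is intentionally missing so the audit reports it.
SAMPLE_CONFIG = """
config zone
        option name 'wan'
        option input 'REJECT'
        option forward 'REJECT'
        option network 'wan wan6'

config zone
        option name 'dmz'
        option input 'REJECT'
        option forward 'REJECT'
        option network 'DMZ'

config zone
        option name 'guest_wifi'
        option input 'REJECT'
        option forward 'REJECT'
        option network 'guest_wifi'

config forwarding
        option src 'lan'
        option dest 'dmz'

config rule
        option name 'Allow_Guest_DNS'
        option src 'guest_wifi'
        option dest 'dmz'
        option proto 'tcp udp'
        option dest_port '53'
        option dest_ip '192.168.99.3'
        option target 'ACCEPT'

config rule
        option name 'Allow_DNS_Guest_TO_DMZ'
        option src 'guest_wifi'
        option dest 'dmz'
        option proto 'tcp udp'
        option dest_port '53'
        option dest_ip '192.168.99.3'
        option target 'ACCEPT'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'dmz'
        option proto 'udp'
        option src_dport '54449'
        option dest_ip '192.168.99.3'
        option dest_port '54449'
        option name 'Allow_OVPN'
"""

SECTION_RE = re.compile(r"^config\s+(\w+)(?:\s+'?(\w+)'?)?\s*$")
OPTION_RE = re.compile(r"^\s*(option|list)\s+(\w+)\s+'([^']*)'\s*$")


def parse_uci(text):
    """Return a list of (section_type, options) pairs; 'list' keys collect into lists."""
    sections = []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = OPTION_RE.match(line)
        if m and sections:
            kind, key, val = m.groups()
            opts = sections[-1][1]
            if kind == "list":
                opts.setdefault(key, []).append(val)
            else:
                opts[key] = val
    return sections


def audit(text):
    """Return human-readable findings: dangling zone references and duplicate rules."""
    sections = parse_uci(text)
    zones = {o["name"] for t, o in sections if t == "zone" and "name" in o}
    findings = []
    # Rules, forwardings and redirects must only name zones that exist ('*' is a wildcard).
    for t, o in sections:
        if t in ("rule", "forwarding", "redirect"):
            for key in ("src", "dest"):
                z = o.get(key)
                if z and z != "*" and z not in zones:
                    findings.append(f"{t} {o.get('name', '?')}: {key} zone '{z}' is not defined")
    # Rules whose match and target are identical and differ only in name are redundant.
    seen = defaultdict(list)
    for t, o in sections:
        if t == "rule":
            sig = tuple(sorted((k, tuple(v) if isinstance(v, list) else v)
                               for k, v in o.items() if k != "name"))
            seen[sig].append(o.get("name", "?"))
    for names in seen.values():
        if len(names) > 1:
            findings.append("duplicate rules: " + ", ".join(names))
    return findings


def exposed_services(text):
    """List (proto, wan_port, internal_ip, internal_port) for every DNAT redirect from wan."""
    out = []
    for t, o in parse_uci(text):
        if t == "redirect" and o.get("target") == "DNAT" and o.get("src") == "wan":
            out.append((o.get("proto"), o.get("src_dport"), o.get("dest_ip"),
                        o.get("dest_port", o.get("src_dport"))))
    return out


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("FINDING:", f)
    for svc in exposed_services(SAMPLE_CONFIG):
        print("EXPOSED: %s %s -> %s:%s" % svc)
```

Run it against a copy of /etc/config/firewall pulled from the router; the exposed-services list is the set of ports an external scan can reach, so it should match exactly what you intend to publish and nothing more.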

At least looking at the OpenVPN documentation, I'm not sure why you're working with port 54449 instead of TCP 443 and UDP 1194.


I would run tcpdump on Raspberry Pi to check if it receives any UDP traffic to the port you want to use: tcpdump -i any -n udp and port <port no>

Hi,

thank you for your tip. I don't like to use standard ports; it's a shtick of mine. As nmap shows the port as open|filtered, I don't think moving ports will make a difference. This worked without issues in my old setup with an OpenVPN server on a QNAP or a Raspberry Pi behind an ISP-provided router, where I only had to enter a forward rule.

Do not set up a DMZ, forward the one port instead. Use of a non-standard port number is often advised to make it harder for hackers to find the server with a port scan.

It often does not work to access your public IP from inside your LAN. You need to test services from "outside" using an independent Internet connection.

You should test your client from inside your LAN by temporarily configuring it to the server's LAN IP address and port. This should work the same as outside other than changing the server address.


Here is the tcpdump:

listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
17:05:51.313472 IP 89.204.130.80.13473 > 192.168.99.3.54449: UDP, length 54
17:05:51.314869 IP 192.168.99.3.54449 > 89.204.130.80.13473: UDP, length 66
17:05:51.373715 IP 89.204.130.80.13473 > 192.168.99.3.54449: UDP, length 194
17:05:52.393586 IP 89.204.130.80.13473 > 192.168.99.3.54449: UDP, length 194
17:05:53.392561 IP 89.204.130.80.13473 > 192.168.99.3.54449: UDP, length 194
17:05:54.392568 IP 89.204.130.80.13473 > 192.168.99.3.54449: UDP, length 194

This seems to go through.
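The capture above settles the router-side question: packets for UDP 54449 arrive at 192.168.99.3 with the right destination, the Pi answers once (66 bytes), and the client then retransmits the same 194-byte packet every second without another reply. Telling "nothing arrives" (a forwarding problem on OpenWrt) apart from "arrives but stalls" (a problem on the OpenVPN host) is exactly the split this thread ends on, so here is an added example, not code from the thread or from tcpdump, that parses this tcpdump line format per flow and reports which of the two cases a capture shows. The sample capture is constructed from the lines posted above; the stall threshold of three unanswered client packets is an assumption.

```python
"""Summarise a tcpdump UDP capture per flow and separate
'no reply at all' from 'replied once, then stalled' conversations."""
import re
from collections import defaultdict

# Constructed sample built from the lines posted in the thread.
SAMPLE_CAPTURE = """\
17:05:51.313472 IP 89.204.130.80.13473 > 192.168.99.3.54449: UDP, length 54
17:05:51.314869 IP 192.168.99.3.54449 > 89.204.130.80.13473: UDP, length 66
17:05:51.373715 IP 89.204.130.80.13473 > 192.168.99.3.54449: UDP, length 194
17:05:52.393586 IP 89.204.130.80.13473 > 192.168.99.3.54449: UDP, length 194
17:05:53.392561 IP 89.204.130.80.13473 > 192.168.99.3.54449: UDP, length 194
17:05:54.392568 IP 89.204.130.80.13473 > 192.168.99.3.54449: UDP, length 194
"""

# Matches tcpdump -n output for IPv4 UDP: "ts IP a.b.c.d.sport > e.f.g.h.dport: UDP, length N"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)


def parse_tcpdump(text):
    """Return a list of (ts, src, sport, dst, dport, length) tuples, skipping non-matching lines."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            pkts.append((d["ts"], d["src"], int(d["sport"]),
                         d["dst"], int(d["dport"]), int(d["len"])))
    return pkts


def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a conversation land in one flow."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def summarise(pkts, server_port):
    """Per flow: packet/byte counts per direction and how many client packets
    have gone unanswered since the server's last reply."""
    flows = defaultdict(lambda: {"to_server": 0, "from_server": 0,
                                 "bytes_in": 0, "bytes_out": 0, "tail_unanswered": 0})
    for _ts, src, sport, dst, dport, length in pkts:
        f = flows[flow_key(src, sport, dst, dport)]
        if dport == server_port:
            f["to_server"] += 1
            f["bytes_in"] += length
            f["tail_unanswered"] += 1
        else:
            f["from_server"] += 1
            f["bytes_out"] += length
            f["tail_unanswered"] = 0  # a server reply resets the unanswered run
    return dict(flows)


def diagnose(flows, stall_threshold=3):
    """Map each flow to an observational verdict (threshold is an assumption)."""
    verdicts = {}
    for key, f in flows.items():
        if f["from_server"] == 0:
            verdicts[key] = "no reply from server: traffic arrives, host never answers"
        elif f["tail_unanswered"] >= stall_threshold:
            verdicts[key] = (f"stalled: {f['tail_unanswered']} unanswered packets "
                             "after last server reply")
        else:
            verdicts[key] = "bidirectional"
    return verdicts


if __name__ == "__main__":
    flows = summarise(parse_tcpdump(SAMPLE_CAPTURE), 54449)
    for key, verdict in diagnose(flows).items():
        print(key, "->", verdict, flows[key])
```

Feed it the output of the `tcpdump -i any -n udp and port <port no>` command suggested above; a flow that never reaches the host at all simply does not appear, which points back at the router, while a "stalled" flow like this one means the forward is fine and the next place to look is the OpenVPN server's own log.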

Hi,

thank you, I will check whether it works locally and report the result. If not, then my OVPN setup seems incorrect. As I am less experienced with OpenWRT, I thought to first look for support here.

Could you explain why I should not set up a DMZ? I will have multiple devices (e.g. 2 Raspberry Pis, 1 QNAP NAS, etc.) in there that I (and others) want to access remotely, but not other devices on my LAN.

NAT loopback is activated, so accessing it from inside should work. But I tested it with mobile data from my phone, so I was not on my LAN.

If you are going to have multiple devices on the LAN offering services to the outside, you can't use a DMZ. You have to direct each incoming port to the internal IP that serves it, using separate port forwards in the main router. It is also more secure to open only the ports you need and let the firewall on the main router block all the others.

That was the plan. The DMZ is not completely open, but rather a different LAN segment I simply name "DMZ".

See my setup with the zones. It's another "LAN" segment, with the exception that I will put specific port forward rules from WAN to "DMZ" for services in this segment, like for OpenVPN. I don't want devices on the DMZ to have access to other local devices on my LAN. But LAN devices should be able to initialize connections to devices in the DMZ.

If I am on the same subnet (I connected the Raspi to a port on my LAN) it does not work either. Seems like it's an issue with my OVPN setup.

Thank you @mk24 and @mikma for your support. I will set this topic to closed for now. Who knows, maybe once OVPN works locally I might need to get back here :sweat_smile:

Kind regards
Mamue
