Openvpn server: General understanding of forwarding and routing

Hi folks,

I have a Fritzbox 7490 with FritzOS which makes the VDSL-connection to the provider. It has port forwarding activated to the 2nd Fritzbox running Openwrt acting as the OpenVPN server attached to the lan.
I followed the guide on openwrt.org and get a connection but cannot reach anything in the LAN.

Can anyone enlighten my darkness with regards to how I can make this happen? As the 7362SL is part of the LAN, the use of wan-lan forwarding doesn't make much sense, right? What would I set instead in the firewall rules for wan?
And generally speaking, can't that also be achieved by just setting a route on the default gateway (the 7490) for the tunnel network? The 7362SL should be aware of where to send packets as it is the OpenVPN server, right?

Thanks in advance, Alfonso

How is the openwrt router connected to the main router? Is it lan-lan or lan-wan?

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

And also post your OpenVPN configuration.

How is the openwrt router connected to the main router? Is it lan-lan or lan-wan?

lan-lan

cat /etc/config/network
cat /etc/config/firewall

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdb3:1a85:4208::/48'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'

config dsl 'dsl'
	option annex 'b'
	option tone 'av'
	option ds_snr_offset '0'
	option firmware '/etc/dsl/vr9-A-dsl.bin'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config device
	option name 'lan1'
	option macaddr '34:31:C4:E8:DE:FA'

config device
	option name 'lan2'
	option macaddr '34:31:C4:E8:DE:FA'

config device
	option name 'lan3'
	option macaddr '34:31:C4:E8:DE:FA'

config device
	option name 'lan4'
	option macaddr '34:31:C4:E8:DE:FA'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.120.2'
	list dns '192.168.120.1'
	option gateway '192.168.120.1'

config device
	option name 'dsl0.7'
	option macaddr '34:31:C4:E8:DE:FD'

config interface 'wan'
	option device 'dsl0.7'
	option proto 'pppoe'
	option ipv6 '1'
	option username '***'
	option password '***'

config interface 'wan6'
	option device '@wan'
	option proto 'dhcpv6'

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun0'
	list device 'tun+'
	list network 'lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

I removed all entries from further trials following several tutorials, so the setup should be more or less the original one.

Add this to the lan zone definition:

	option masq '1'

Add this to the lan zone definition:

	option masq '1'

Well, this makes the router kind of inaccessible. Clients then don't get answers to their DHCP and DNS requests from the 7362SL, which acts as the lan's DHCP and DNS server.

Are you using DHCP option 3 to advertise the 7490 as the default gateway to LAN clients?

Please do so. In any case, it won't hurt.

Are there any push directives in the server configuration?
push "redirect-gateway def1" or at least push "route 192.168.120.0 255.255.255.0"

Also check if the firewall of the lan device you are using for tests accepts connections from outside its own lan subnet.

Are you using DHCP option 3 to advertise the 7490 as the default gateway to LAN clients?
Yes
Are there any push directives in the server configuration?
push "redirect-gateway def1" or at least push "route 192.168.120.0 255.255.255.0"

Yes, both.

The scenario has worked quite well with an earlier version of Openwrt, but unfortunately I didn't document the settings.

Also check if the firewall of the lan device you are using for tests accepts connections from outside its own lan subnet.

I will, but not before next week.

Then creating a static route on the 7490 for the vpn subnet (via 192.168.120.2) becomes mandatory.

I have found two pages that clearly explain the requirements:

First paragraph:
https://openvpn.net/community-resources/expanding-the-scope-of-the-vpn-to-include-additional-machines-on-either-the-client-or-server-subnet/

And https://community.openvpn.net/openvpn/wiki/263-openvpn-can-ping-both-peers-but-i-cant-reach-any-of-the-other-machines-on-the-remote-subnet
which explains the three options.

To sum it up, it should be possible to solve this by just setting routes.
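A check that ties the two suggestions above together, as an added example that is neither from the thread nor from OpenWrt: it parses the `lan` and `wan` zone sections copied from the posted `/etc/config/firewall`, finds the zone that owns `tun0`/`tun+`, and reports whether replies from LAN hosts to VPN clients are handled by `option masq '1'` on that zone or whether the 7490 needs a static route for the VPN subnet via 192.168.120.2. The function names and the embedded zone excerpt are this example's own; the VPN subnet itself is not on the page, so the script does not assume one.

```shell
#!/bin/sh
# Added example (not from the thread). Parses the zone sections copied below from the
# posted /etc/config/firewall and reports how LAN replies to VPN clients get back.
FW_CONF=$(cat <<'EOF'
config zone 'lan'
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list device 'tun0'
    list device 'tun+'
    list network 'lan'

config zone 'wan'
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    list network 'wan'
EOF
)
# zone_values ZONE KEY: print each 'option KEY' / 'list KEY' value of that zone, quotes stripped.
zone_values() {
    printf '%s\n' "$FW_CONF" | awk -v want="$1" -v key="$2" '
    function flush() { if (name == want) printf "%s", buf; buf = ""; name = "" }
    /^config / { flush(); inzone = ($2 == "zone"); next }
    !inzone { next }
    { gsub("\047", "") }
    $1 == "option" && $2 == "name" { name = $3 }
    ($1 == "option" || $1 == "list") && $2 == key { buf = buf $3 "\n" }
    END { flush() }'
}

# vpn_zone: the zone whose device list covers the OpenVPN tun interface (tun0 / tun+).
vpn_zone() {
    for z in $(printf '%s\n' "$FW_CONF" | awk '/^config zone/ { gsub("\047", ""); print $3 }'); do
        zone_values "$z" device | grep -q '^tun' && { echo "$z"; return 0; }
    done
    return 1
}

# vpn_return_path: "masquerade" if that zone NATs VPN clients behind 192.168.120.2,
# otherwise "static-route": the 7490 needs a route for the VPN subnet via 192.168.120.2.
vpn_return_path() {
    z=$(vpn_zone) || { echo no-zone; return 1; }
    if [ "$(zone_values "$z" masq)" = 1 ]; then echo masquerade; else echo static-route; fi
}
vpn_return_path
```

With the posted config the result is `static-route`, because `tun+` sits in the `lan` zone, which has no `masq` option; adding `option masq '1'` there flips the answer to `masquerade` at the cost of hiding the VPN clients' real source addresses from LAN hosts.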