Openvpn server with home web server port forwarding

Hi to all!

I have a small web-server box at home; it is reached from the internet through my ISP's static IP and port forwards on the router.
After installing the OpenVPN service on the router I can no longer connect to the web server from outside the LAN.

OpenWrt 19.07.5

If anybody can give a hint....

Thank you :slight_smile:

Well I would assume you need to share your network, vpn and firewall config for people to give "hints".


After installing it, or after enabling it?

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have. Note that these dumps include the PPPoE password and the Wi-Fi PSKs (`uci export network` / `uci export wireless`), and the OpenVPN `.conf`/`.ovpn` files may embed a private key, a `tls-auth`/`tls-crypt` key or inline credentials — redact those too before posting.

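# Collect the state a reviewer needs to debug routing/firewall/VPN problems on
# an OpenWrt 19.07 router (board, network, wireless, DHCP, firewall, OpenVPN,
# IPv4 addresses/routes/rules, resolver files) in one paste.
# Paste the whole block into a root shell on the router. It is plain POSIX
# sh / BusyBox ash (no bashisms). Missing files are reported by head/ls and
# the dump simply continues, exactly as before; stderr is merged into the
# output so those messages stay in place in the paste.

# redact_secrets: filter on stdin -> stdout that blanks the secrets these
# dumps are known to carry before they reach a clipboard or a forum:
#   * UCI 'option password|key|username|macaddr' values (PPPoE account,
#     Wi-Fi PSKs, MAC addresses). Values beginning with '/' are file paths
#     rather than secrets (e.g. OpenVPN 'option key /etc/openvpn/x.key')
#     and are left intact -- so a secret that itself begins with '/' would
#     slip through; still read the output before posting.
#   * the body of inline <key>/<tls-auth>/<tls-crypt>/<tls-crypt-v2>/
#     <pkcs12>/<secret>/<auth-user-pass> blocks in OpenVPN configs. The
#     tag lines are kept so it stays visible that a block was present.
# Public IPv4 addresses are NOT filtered (they cannot be told apart from
# harmless ones): redact those by hand.
redact_secrets() {
	# '#' is used as the s/// delimiter so the '/' inside the bracket
	# expression does not need escaping.
	sed -r \
		-e "s#^([[:space:]]*option (password|key|username|macaddr)) '[^/].*#\1 '<redacted>'#" \
		-e '/^<(key|tls-auth|tls-crypt|tls-crypt-v2|pkcs12|secret|auth-user-pass)>/,/^<\/(key|tls-auth|tls-crypt|tls-crypt-v2|pkcs12|secret|auth-user-pass)>/{/^<\/?[a-z0-9-]+>/!d;}'
}

{
	ubus call system board
	uci export network; uci export wireless
	uci export dhcp; uci export firewall
	head -n -0 /etc/firewall.user
	uci export openvpn; head -n -0 /etc/openvpn/*.conf /etc/openvpn/*.ovpn
	ip -4 addr; ip -4 ro li tab all; ip -4 ru
	ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
	head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
} 2>&1 | redact_secrets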

Here you are, sir. This is the output with the OpenVPN service enabled:

BusyBox v1.30.1 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 19.07.5, r11257-5090152ae3
 -----------------------------------------------------
root@OpenWrt:~# ubus call system board;
{
	"kernel": "4.14.209",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 1 (v7l)",
	"model": "Linksys WRT1900ACS",
	"board_name": "linksys,shelby",
	"release": {
		"distribution": "OpenWrt",
		"version": "19.07.5",
		"revision": "r11257-5090152ae3",
		"target": "mvebu/cortexa9",
		"description": "OpenWrt 19.07.5 r11257-5090152ae3"
	}
}
root@OpenWrt:~# uci export network; uci export wireless; 
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdff:0dbc:09c7::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'pppoe'
	option password 'xxxxxxx'
	option ipv6 'auto'
	option username 'xxxxxxxx@tellas.gr'
	option peerdns '0'
	list dns '103.86.96.100'
	list dns '103.86.99.100'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

config interface 'nordvpntun'
	option proto 'none'
	option ifname 'tun0'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option htmode 'VHT80'
	option country 'FR'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option macaddr 'xxxxxx'
	option key 'xxxxx'
	option ssid 'xxxxx'
	option encryption 'psk2'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option htmode 'HT20'
	option country 'FR'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option macaddr 'xxxxxxx'
	option key 'xxxxxx'
	option ssid 'xxxxx'
	option encryption 'psk2'

config wifi-iface 'wifinet2'
	option network 'lan'
	option ssid 'xxxxx'
	option encryption 'psk2'
	option device 'radio1'
	option mode 'ap'
	option isolate '1'
	option key 'xxxxxxx'

config wifi-iface 'wifinet3'
	option ssid 'xxxxxxx'
	option encryption 'psk2'
	option device 'radio1'
	option mode 'ap'
	option network 'lan'
	option key 'xxxxxxxx'

root@OpenWrt:~# uci export dhcp; uci export firewall;
package dhcp

config dnsmasq
	option domainneeded '1'
	option noresolv '1'
	option localuse '1'
	option boguspriv '0'
	option cachesize '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option confdir '/tmp/dnsmasq.d'
	list server '127.0.0.1#5300'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option dest_port '80'
	option name '80'
	option src_dport '80'
	option target 'DNAT'
	option dest_ip '192.168.1.2'
	option src 'wan'
	option dest 'lan'

config redirect
	option dest_port '443'
	option name '443'
	option src_dport '443'
	option target 'DNAT'
	option dest_ip '192.168.1.2'
	option src 'wan'
	option dest 'lan'

config redirect
	option dest_port '44422'
	option name '44422'
	option src_dport '44422'
	option target 'DNAT'
	option dest_ip '192.168.1.2'
	option src 'wan'
	option dest 'lan'

config forwarding
	option dest 'wan'
	option src 'lan'

config zone
	option name 'vpnfirewall'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'nordvpntun'

config forwarding
	option src 'lan'
	option dest 'vpnfirewall'

root@OpenWrt:~# head -n -0 /etc/firewall.user;
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

#if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
#       iptables -I forwarding_rule -j REJECT
#fi

root@OpenWrt:~# uci export openvpn; head -n -0 /etc/openvpn/*.conf /etc/openvpn/*.ovpn ;
package openvpn

config openvpn 'custom_config'
	option config '/etc/openvpn/my-vpn.conf'

config openvpn 'sample_server'
	option port '1194'
	option proto 'udp'
	option dev 'tun'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option dh '/etc/openvpn/dh1024.pem'
	option server '10.8.0.0 255.255.255.0'
	option ifconfig_pool_persist '/tmp/ipp.txt'
	option keepalive '10 120'
	option compress 'lzo'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option status '/tmp/openvpn-status.log'
	option verb '3'

config openvpn 'sample_client'
	option client '1'
	option dev 'tun'
	option proto 'udp'
	list remote 'my_server_1 1194'
	option resolv_retry 'infinite'
	option nobind '1'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/client.crt'
	option key '/etc/openvpn/client.key'
	option compress 'lzo'
	option verb '3'

config openvpn 'nordvpn'
	option config '/etc/openvpn/gr26.nordvpn.com.udp.ovpn'
	option enabled '1'

head: /etc/openvpn/*.conf: No such file or directory

==> /etc/openvpn/gr26.nordvpn.com.udp.ovpn <==
client
dev tun
proto udp
remote xxxxxxxxx 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no

remote-cert-tls server

auth-user-pass login
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512
ca ca.crt
key-direction 1
tls-auth ta.key 1
root@OpenWrt:~# ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
10: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
    inet xxxxxxxxx peer 62.169.255.58/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
15: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.8.3.6/24 brd 10.8.3.255 scope global tun0
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.8.3.1 dev tun0 
default via 62.169.255.58 dev pppoe-wan proto static 
10.8.3.0/24 dev tun0 proto kernel scope link src 10.8.3.6 
62.169.255.58 dev pppoe-wan proto kernel scope link src xxxxx 
128.0.0.0/1 via 10.8.3.1 dev tun0 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
xxxxxx via xxxxxxxx dev pppoe-wan 
broadcast 10.8.3.0 dev tun0 table local proto kernel scope link src 10.8.3.6 
local 10.8.3.6 dev tun0 table local proto kernel scope host src 10.8.3.6 
broadcast 10.8.3.255 dev tun0 table local proto kernel scope link src 10.8.3.6 
local xxxxxxxx dev pppoe-wan table local proto kernel scope host src xxxxxxxx
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1 
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
root@OpenWrt:~# ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
ls: /tmp/resolv.*/*: No such file or directory
lrwxrwxrwx    1 root     root            16 Dec  6 09:31 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Jan 12 13:32 /tmp/resolv.conf
-rw-r--r--    1 root     root            66 Jan 12 13:31 /tmp/resolv.conf.auto
-rw-r--r--    1 root     root            50 Jan 12 13:31 /tmp/resolv.conf.ppp
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 103.86.96.100
nameserver 103.86.99.100

==> /tmp/resolv.conf.ppp <==
nameserver 62.169.194.47
nameserver 62.169.194.48
head: /tmp/resolv.*/*: No such file or directory
root@OpenWrt:~#

You are routing all your traffic through the VPN: the `0.0.0.0/1` and `128.0.0.0/1` routes via tun0 override the default route on pppoe-wan. So a request that is DNAT'd in on pppoe-wan does reach 192.168.1.2, but the reply is routed out through tun0 and masqueraded by the `vpnfirewall` zone, i.e. it leaves from NordVPN's address instead of your static IP, and the remote client never gets a valid reply (asymmetric routing).
Do you generally want to route all your LAN traffic through NordVPN? If yes, then you need to separate the web server and give it its own routing (policy-route 192.168.1.2 out via wan). Note also that `forwarding lan -> wan` is still enabled and the kill-switch block in /etc/firewall.user is commented out, so if tun0 goes down all LAN traffic silently falls back to pppoe-wan; any kill switch you add later must exempt the web server once it is policy-routed out the wan.


I want to route all traffic via OpenVPN except the web server's traffic — how do I do that?
I thought I could do it with the vpn-policy-routing package, but either it doesn't do that or I don't know how to configure it.

VPN-PBR does exactly that. Alternatively there is vpnbypass.


Any idea what I am missing?
Both packages work: I can route my desktop or other LAN clients' traffic outside NordVPN, but when I set the web server's LAN IP I still can't reach my website from outside.

# Print the UCI configuration of both policy-routing packages, one after the
# other, so they can be compared for conflicting rules.
for pkg in vpn-policy-routing vpnbypass; do
	uci export "$pkg"
done

This is the output

root@OpenWrt:~# uci export vpn-policy-routing; uci export vpnbypass
package vpn-policy-routing

config vpn-policy-routing 'config'
	option verbosity '2'
	option src_ipset '0'
	option dest_ipset 'dnsmasq.ipset'
	option ipv6_enabled '0'
	list supported_interface ''
	list ignored_interface 'vpnserver wgserver'
	option boot_timeout '30'
	option iptables_rule_option 'append'
	option iprule_enabled '0'
	option webui_chain_column '0'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	option webui_enable_column '1'
	option webui_protocol_column '0'
	option strict_enforcement '0'
	option enabled '1'

config include
	option path '/etc/vpn-policy-routing.netflix.user'
	option enabled '0'

config include
	option path '/etc/vpn-policy-routing.aws.user'
	option enabled '0'

config policy
	option interface 'wan'
	option name 'web-server'
	option src_addr '192.168.1.2'

config policy
	option interface 'wan'
	option name 'web'
	option dest_addr 'xx.xx.xx.xx'
	option dest_port '80 443 777'
	option src_port '80 443 777'
	option enabled '0'

config policy
	option interface 'wan'
	option name 'w'
	option src_addr 'xx.xx.xx.xx'
	option src_port '80 443 777'
	option dest_port '80 443 777'
	option enabled '0'

config policy
	option interface 'wan'
	option name 'test'
	option src_addr '192.168.1.3'
	option enabled '0'

package vpnbypass

config vpnbypass 'config'
	list localsubnet '192.168.1.2'
	option enabled '1'

Use only one of them at a time, or there may be conflicts.
After you disable one of the services, also post: `iptables-save -c; ip -4 addr; ip -4 ro li table all; ip -4 ru`
Unrelated to the routing problem: the `sample_server` stanza in your openvpn config uses `dh1024.pem` and `compress lzo`. It is not running (there is no 10.8.0.x address in your `ip -4 addr` output), but don't enable it as-is — 1024-bit DH is too weak today and compression on a VPN tunnel is a known plaintext-recovery risk (VORACLE); use a 2048-bit or larger DH group and no compression.

I think the problem is solved; it just works. The reason I couldn't see that is that I had my phone on mobile data and was pinging a domain hosted on that server. The ping fails, but visiting the site in a browser works fine.
I don't understand why the ping fails, though.

Also, visiting the site with Firefox from a machine on the LAN doesn't work, but that is a separate issue.

The only thing you can ping in your setup is the router's WAN interface: the domain resolves to your static IP, only the three DNAT redirects (ports 80, 443 and 44422) are forwarded to 192.168.1.2, and ICMP is not forwarded at all. The router itself does accept pings on wan (the `Allow-Ping` rule), so a ping should be answered by the router, unless the provider blocks it.

Use the internal name (or the LAN IP) when you are testing from the LAN, not the public DDNS name.


Thank you all.

I put the LAN IPs and their names in /etc/hosts on my computer; it seems to be working, except that the Nextcloud client stopped syncing between server and desktop.

I had to reboot or restart nextcloud and working now.

Thank you all for showing the way. I think everything is in order now


