OpenVPN - Site to Site - Firewall Rules

Hello,
Fundamental question: What am I missing to allow traffic from a vpn client on tun22 --> br-lan?

I recently updated a router from 19.X to 23.5; doing so migrates from iptables to nftables. I have copied over the VPN config and not changed the client end at all.

The OpenVPN connection is established properly however:

  1. I can only route traffic from the server (new OpenWrt instance) to the client and not the other way around. I used to be able to do both.
  2. The nftables rules I am using to do this are very broad and I would like to substantially narrow them.

Objective:

  • br-lan can access tun22
  • tun22 IP:X.Y.Z.W/27 can access br-lan without issue
  • tun22 IP:X.Y.Z.W/27 can access internet via vpn server.
  • tun22 in general can respond but not access anything
  • tun22 can access 192.168.X.Y:8888 over TCP
  • VPN is routed, not masqueraded

I had all of this with iptables, but despite trying dozens of ways, I cannot seem to get nftables to work correctly. Please help.

I am fairly certain I can properly narrow the firewall rules when the time comes... Given the current rule set, I have no idea what is blocking the communication from client to server.

# Note: an accept verdict here only ends this chain; fw4's own base chains on the
# same hooks are still evaluated and can still reject the packet.
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;

        # Accept all traffic from the VPN interfaces.
        # nftables wildcards use "*"; the iptables-style "tun+" would only match
        # an interface literally named "tun+".
        iifname "tun*" accept
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Forward all traffic from br-lan to tun*
        iifname "br-lan" oifname "tun*" accept

        # Forward all traffic from tun* to br-lan
        iifname "tun*" oifname "br-lan" accept
    }
}

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

System is an ESXi 8 virtual machine. Switch set to enable promiscuous mode.
ubus call system board

{
        "kernel": "5.15.137",
        "hostname": "OpenWrt",
        "system": "AMD Ryzen 7 8700G w/ Radeon 780M Graphics",
        "model": "VMware, Inc. VMware Virtual Platform",
        "board_name": "vmware-inc-vmware-virtual-platform",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "x86/64",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdcc:c640:e3d3::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.19.254'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config interface 'GUEST'
        option proto 'static'
        option ipaddr '192.168.100.254'
        option netmask '255.255.255.0'
        option device 'eth2'

cat /etc/config/wireless
cat: can't open '/etc/config/wireless': No such file or directory

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '128'
        option limit '62'
        option leasetime '24h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'GUEST'
        option interface 'GUEST'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option force '1'

cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'GuestZone'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'GUEST'

config forwarding
        option src 'GuestZone'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'GuestZone'

config rule
        option name 'OpenVPN'
        option src 'wan'
        option dest_port '9123'
        option target 'ACCEPT'

and route (IP addresses truncated)

root@OpenWrt:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         X.X.X.X 0.0.0.0         UG    0      0        0 eth1
10.62.1.0       10.32.180.2     255.255.255.0   UG    0      0        0 tun22
10.32.180.0     10.32.180.2     255.255.255.0   UG    0      0        0 tun22
10.32.180.2     *               255.255.255.255 UH    0      0        0 tun22
192.168.19.0    *               255.255.255.0   U     0      0        0 br-lan
192.168.100.0   *               255.255.255.0   U     0      0        0 eth2

There is no need to use nftables rules directly here. Write this as regular fw4 rules.

The simplest site to site VPN firewall configuration is just to add the tunnel to the lan zone. Since forwarding is accepted in lan, this allows the two lans to forward to each other. You have no control other than to trust everything in both lans though. I recommend this for initial testing to make sure that everything else is correct about the VPN configuration and routing tables.

To be able to restrict certain forwarding, create a separate zone called vpn (or other name of your choice) and write rules to selectively forward.

RESOLVED
Thank you.

At various points in this debugging I had the VPN as part of lan or part of a VPN firewall rule without success. However, there are 3 things I needed together that I apparently did not do at the same time.

  1. OpenVPN needs to start AFTER creating the firewall "Interface". Connecting beforehand seems to cause OpenVPN to no longer associate the IP address and breaks routing.

  2. (Primary cause) - Early in my debugging I had neglected to turn on promiscuous mode on the VMware ESXi virtual switch. So the switch was dropping packets on me.

  3. Since I toggled back and forth between the old router on one ESXi server and the new router on the other ESXi server, my network switches' routing tables appear to have gotten confused, with both switches thinking they had the router MAC address/IP address.

Use a list device 'tun22' in the firewall zone instead of naming an interface. Old instructions will tell you to create a dummy interface in /etc/config/network, but that is no longer necessary now that the firewall can accept device names directly.
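A fw4 version of the selective "vpn" zone suggested above, as an added example for /etc/config/firewall that is not from the thread. It binds the zone to the tunnel device directly, forwards lan to vpn freely, and lets only the remote /27 reach the LAN and the internet while any tunnel peer may reach the single TCP service; X.Y.Z.W/27 and 192.168.X.Y are the thread's truncated placeholders and must be replaced with the real addresses.

```uci
# Added example, not part of the thread's configuration.
# The tunnel is routed, so no masq on this zone; the far side needs a route
# back to 192.168.19.0/24 via the tunnel.
config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list device 'tun22'

# br-lan may reach anything behind tun22; replies come back via conntrack.
config forwarding
        option src 'lan'
        option dest 'vpn'

# Only the remote /27 (placeholder X.Y.Z.W/27) may reach the LAN.
config rule
        option name 'Allow-VPN-subnet-to-LAN'
        option src 'vpn'
        option src_ip 'X.Y.Z.W/27'
        option dest 'lan'
        option target 'ACCEPT'

# The same /27 may reach the internet via the wan zone (which masquerades).
config rule
        option name 'Allow-VPN-subnet-to-WAN'
        option src 'vpn'
        option src_ip 'X.Y.Z.W/27'
        option dest 'wan'
        option target 'ACCEPT'

# Any tunnel peer may reach the one TCP service (placeholder 192.168.X.Y:8888).
config rule
        option name 'Allow-VPN-to-8888'
        option src 'vpn'
        option dest 'lan'
        option dest_ip '192.168.X.Y'
        option dest_port '8888'
        option proto 'tcp'
        option target 'ACCEPT'
```

Everything else from the tunnel is rejected by the zone defaults, which matches the "can respond but not access anything" requirement because established flows initiated from the LAN are still allowed by fw4's conntrack handling.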

Please check the "Solution" box on my post then. This bumps up an internal score and will mark the topic as solved in the index.