OpenVPN Site-to-Site

Dear openwrt community,

I'm migrating my pfSense to OpenWRT
(APU2 with 2x WLE900VX and lots of openvpn servers and clients).

All openvpn servers and clients (with vpn splitting and vlans) work, except site-to-site, where I'm stuck.
Followed openvpn extras (thanks!) and used the openvpn config parameters from pfSense, which I adapted for openwrt (i.e. folders).
The other site is an openwrt router, which remains unchanged, as it worked with pfSense.

I'm almost there: from the home router (ssh into apu2) I can ping and ssh into the other site's router, but I cannot do that from any lan device on the home site; the home router somehow blocks it.

So I guess it may be some firewall rule on the home router which I need to add ?

Many thanks and

cheers Blinton

You could post here some configs and troubleshooting:
uci show network; uci show firewall; ip -4 addr; ip -4 ru; ip -4 ro ls ta all; uci show openvpn
If you have used a different file for the openvpn configuration, e.g. /etc/config/server.conf, post it here too.
Use preformatted text </> and remove any sensitive data, like passwords/keys/MAC addresses.

Hi trendy,

This is very kind of you, thanks in advance !

Here we go (I deleted all other stuff which is not relevant, e.g. other openvpn servers and clients; all are on different ports than this one)

uci show network
###
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'

network.globals=globals

network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ipaddr='192.168.1.1'

network.wan=interface
network.wan.ifname='eth0.10'
network.wan.proto='dhcp'
network.wan.peerdns='0'

network.SRVs=interface
network.SRVs.ifname='tun4'
network.SRVs.proto='none'
network.SRVs.auto='1'
###

uci show firewall
###
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'

firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'

firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'

firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'

firewall.@rule[11]=rule
firewall.@rule[11].name='Allow-OpenVPN-STU-Inbound'
firewall.@rule[11].target='ACCEPT'
firewall.@rule[11].src='*'
firewall.@rule[11].proto='udp'
firewall.@rule[11].dest_port='1194'

firewall.@zone[9]=zone
firewall.@zone[9].name='SRVs_FW'
firewall.@zone[9].input='ACCEPT'
firewall.@zone[9].output='ACCEPT'
firewall.@zone[9].network='SRVs'
firewall.@zone[9].forward='ACCEPT'

firewall.@forwarding[10]=forwarding
firewall.@forwarding[10].dest='lan'
firewall.@forwarding[10].src='SRVs_FW'

firewall.@forwarding[11]=forwarding
firewall.@forwarding[11].dest='wan'
firewall.@forwarding[11].src='SRVs_FW'
###

ip -4 addr
###
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever

14: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever

16: eth0.10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet X.X.X.X/26 brd X.X.X.X scope global eth0.10
       valid_lft forever preferred_lft forever

27: tun4: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    inet 10.10.10.1/24 brd 10.10.10.255 scope global tun4
       valid_lft forever preferred_lft forever
###

ip -4 ru
###
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
###

ip -4 ro
###
default via X.X.X.X dev eth0.10  src X.X.X.X 

10.10.10.0/24 dev tun4 scope link  src 10.10.10.1 

192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 

X.X.X.X/26 dev eth0.10 scope link  src X.X.X.X 

192.168.100.0/24 via 10.10.10.2 dev tun4 
###

uci show openvpn
###
openvpn.SRVs=openvpn
openvpn.SRVs.config='/etc/openvpn/SRVs.ovpn'
openvpn.SRVs.enabled='1'
###

cat /etc/openvpn/SRVs.ovpn
###
dev tun4
verb 3
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-128-CBC
auth SHA512
tls-server
server 10.10.10.0 255.255.255.0
ifconfig 10.10.10.1 10.10.10.2
lport 1194
route 192.168.100.0 255.255.255.0 10.10.10.2
push "route 192.168.0 255.255.255.0"
client-config-dir /etc/openvpn/ccd
dh none
ecdh-curve secp521r1
ncp-ciphers AES-128-CBC
persist-remote-ip
float
topology subnet
log /var/log/SVRs.log

<ca>
-----BEGIN CERTIFICATE-----
blabla
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
blabla
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
blabla
-----END PRIVATE KEY-----
</key>

<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
blabla
-----END OpenVPN Static key V1-----
</tls-crypt>
###

I am not so sure you can have both server and ifconfig in the same configuration.
float is not needed when you are configuring the server.
Other than that I don't see anything very wrong.
Just in case these won't work, I suggest to create a basic server config and then customize it to your needs.

Switched off float and ifconfig, no impact.
As you stated, it must be something on the server side; I'll try to minimize to the basic openvpn commands in the server conf file.
cheers Blinton


I found the error, which was in the firewall, permuted src and dest for lan and server...

However, I wanted to block the ssh port to the router from the second site (config rule, target REJECT), which doesn't block. Maybe I need to use something with DNAT (what's the difference)?

Also, how do I implement tls-verify ?

cheers Blinton

How do you write this rule?
DNAT is for rewriting the destination fields of the packet, i.e. a different IP and port.
A rule will allow or deny (or do other things) to a packet.

Not sure why it doesn't work, maybe there's a rule from above overriding it ?

config rule
  option name 'SSH deny access to site'
  option target 'REJECT'
  option proto 'tcp'
  option dest 'lan'
  option dest_port '22'
  option src 'SRVs_FW'
  option dest_ip '192.168.1.1'

or should I use
option src_ip '192.168.100.1'
in addition? (how can I use a src ip range ?)

Many thanks in advance !

cheers Blinton

If you specify both src and dest, it is FORWARD rule, however you need INPUT rule.

dest (zone name, optional, default: none): Specifies the traffic destination zone. Must refer to one of the defined zone names, or * for any zone. If specified, the rule applies to forwarded traffic; otherwise, it is treated as an input rule.

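As an added illustration of the two points above (the swapped src/dest forwarding that kept LAN hosts off the tunnel, and the INPUT-versus-FORWARD distinction ulmwind quotes), here is a small Python script that is not part of the thread and not OpenWrt's own tooling. It parses a `uci show firewall` dump (the sample inside it is constructed to mirror the zones and forwardings posted earlier, plus the two SSH rules from the later posts) and reports which chain each rule lands in and which zone pairs are actually forwarded. The fw3 semantics it encodes are the ones stated in the quoted documentation; the `rules_that_never_match` check (a FORWARD rule whose dest_ip is the router's own address can never fire, because packets for the router itself traverse INPUT) is my own reasoning about why the first SSH rule did nothing, not something the thread states.

```python
"""Added example (not from the thread): which netfilter chain does each
OpenWrt fw3 rule land in, and which zone pairs are really forwarded, read
from a `uci show firewall` dump.  Rules of thumb encoded here, as stated in
the OpenWrt firewall documentation:
  * a rule WITH a dest zone (even '*') applies to forwarded traffic (FORWARD);
    a rule WITHOUT dest applies to traffic addressed to the router (INPUT);
  * traffic between two different zones is only forwarded when a forwarding
    section src->dest exists; a zone's own `forward` option only covers
    traffic between interfaces inside that same zone.
"""

# Constructed sample mirroring the thread's zones/forwardings, plus rule 12
# (the first SSH attempt, with dest set) and rule 13 (the one that worked).
SAMPLE_UCI = """\
firewall.@defaults[0]=defaults
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].forward='REJECT'
firewall.@zone[9]=zone
firewall.@zone[9].name='SRVs_FW'
firewall.@zone[9].forward='ACCEPT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[10]=forwarding
firewall.@forwarding[10].dest='lan'
firewall.@forwarding[10].src='SRVs_FW'
firewall.@forwarding[11]=forwarding
firewall.@forwarding[11].dest='wan'
firewall.@forwarding[11].src='SRVs_FW'
firewall.@rule[11]=rule
firewall.@rule[11].name='Allow-OpenVPN-STU-Inbound'
firewall.@rule[11].target='ACCEPT'
firewall.@rule[11].src='*'
firewall.@rule[11].dest_port='1194'
firewall.@rule[12]=rule
firewall.@rule[12].name='SSH deny access to site'
firewall.@rule[12].target='REJECT'
firewall.@rule[12].dest='lan'
firewall.@rule[12].dest_port='22'
firewall.@rule[12].src='SRVs_FW'
firewall.@rule[12].dest_ip='192.168.1.1'
firewall.@rule[13]=rule
firewall.@rule[13].name='SSH_router_deny_access'
firewall.@rule[13].target='REJECT'
firewall.@rule[13].dest_port='22'
firewall.@rule[13].src='SRVs_FW'
"""


def parse_uci(text):
    """Parse `uci show` output into {section_id: {'type': ..., option: value}}."""
    sections = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        parts = key.split(".", 2)                 # config, section[, option]
        if len(parts) == 2:                       # "firewall.@zone[0]=zone"
            sections[parts[1]] = {"type": value.strip("'")}
        elif len(parts) == 3:                     # "firewall.@zone[0].name='lan'"
            sections.setdefault(parts[1], {})[parts[2]] = value.strip("'")
    return sections


def of_type(sections, kind):
    return [s for s in sections.values() if s.get("type") == kind]


def rule_chain(rule):
    """fw3: a rule with a dest zone is a FORWARD rule, otherwise an INPUT rule."""
    return "FORWARD" if "dest" in rule else "INPUT"


def classify_rules(sections):
    return {r["name"]: rule_chain(r) for r in of_type(sections, "rule")}


def forwarding_allowed(sections, src, dest):
    """Is traffic entering via zone `src` and leaving via zone `dest` forwarded?"""
    if src == dest:  # intra-zone traffic follows the zone's own forward policy
        zone = next(z for z in of_type(sections, "zone") if z["name"] == src)
        return zone.get("forward", "REJECT") == "ACCEPT"
    # inter-zone traffic needs a forwarding section in exactly that direction;
    # without one the defaults' forward policy (REJECT here) applies
    return any(f.get("src") == src and f.get("dest") == dest
               for f in of_type(sections, "forwarding"))


def rules_that_never_match(sections, router_ips):
    """FORWARD rules whose dest_ip is one of the router's own addresses: such
    packets go through INPUT, never FORWARD, so the rule cannot fire."""
    return [r["name"] for r in of_type(sections, "rule")
            if rule_chain(r) == "FORWARD" and r.get("dest_ip") in router_ips]


if __name__ == "__main__":
    s = parse_uci(SAMPLE_UCI)
    for name, chain in classify_rules(s).items():
        print(f"{chain:7} {name}")
    for pair in [("SRVs_FW", "lan"), ("lan", "SRVs_FW"), ("lan", "wan")]:
        print(f"forward {pair[0]:8} -> {pair[1]:8}: {forwarding_allowed(s, *pair)}")
    print("never match:", rules_that_never_match(s, {"192.168.1.1"}))
```

Run against the constructed dump it reports SRVs_FW -> lan forwarded but lan -> SRVs_FW not, which is exactly why the router itself (OUTPUT chain) could reach the remote site while LAN hosts (FORWARD chain) could not; to check a live box, feed it the real output of `uci show firewall` instead of the sample.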

Hi ulmwind
thanks a lot, this did the trick !

config rule
        option name 'SSH_router_deny_access'
        option target 'REJECT'
        option proto 'tcp'
        option dest_port '22'
        option src 'SRVs_FW'

cheers blinton !
