Hello everyone,
I'm an old-time OpenWRT user (back from the White Russian days) and fairly experienced with OpenVPN and iptables. Right now I'm running LEDE 17.01.4 on my home router which, among other things, acts as an (Open)VPN client. I've been using this setup for several years already, but lately I came across a different scenario which I hadn't needed before.
Like I just mentioned, my router is set up as an OpenVPN client with one of my remote servers. In the past I've always needed to access resources available behind the VPN from my LAN, so that the traffic has been outbound first. However, this time around I need to access my home router from my remote server (long story short, I have a USB cellular modem attached to my router which I need to send SMS alerts from my server). When the VPN connection is first established I can connect from the server to the router through the VPN and the other way around. However, after a couple of minutes with no traffic, I can no longer initiate an inbound connection this way, even though the VPN is still up. As soon as I initiate another outbound connection through the VPN (be it a ping, ssh or whatever) I can again make inbound connections.
As I mentioned before I am fairly experienced with iptables (and networking in general) but I believe this might be an edge case where the custom fw3 zones, chains and rules are getting in the way. Right now I have two options: I can get rid of fw3 and just use a 'manual' iptables setup, or try to fix it the proper way. During my tests the first option worked fine, but I would rather keep things the OpenWRT way, if possible.
Here's a copy of my /etc/config/network, openvpn and firewall files, along with the output from iptables:
# cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd9b:06a9:9ddc::/48'
config interface 'lan'
option ifname 'eth0.1'
option force_link '1'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.6.1'
config interface 'wan'
option ifname 'eth1'
option _orig_ifname 'eth1'
option _orig_bridge 'false'
option proto 'pppoe'
option username 'xxxx'
option password 'xxxx'
config interface 'wan6'
option ifname '@wan'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
option blinkrate '2'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 5t'
config switch_port
option device 'switch0'
option port '1'
option led '6'
config switch_port
option device 'switch0'
option port '2'
option led '9'
config switch_port
option device 'switch0'
option port '5'
option led '2'
config interface 'vpn'
option proto 'none'
option ifname 'tun0'
option auto '1'
config interface 'alias'
option ifname 'br-lan'
option proto 'static'
option ipaddr '192.168.1.254'
option netmask '255.255.255.0'
Nothing fancy here:
# cat /etc/config/openvpn
config openvpn 'remotevpn'
option config '/etc/openvpn/server.conf'
option enabled '1'
# cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'vpn'
list device 'tun+'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config redirect
option src 'wan'
option src_dport '443'
option dest 'lan'
option dest_port '1194'
option proto 'udp'
option name 'Redirect UDP port 443 to OpenVPN'
option target 'DNAT'
option reflection '1'
config rule
option target 'ACCEPT'
option name 'Allow OpenVPN'
option src 'wan'
option proto 'udp'
option dest_port '1194'
option enabled '1'
config forwarding
option dest 'vpn'
option src 'lan'
config forwarding
option dest 'wan'
option src 'lan'
config forwarding
option dest 'lan'
option src 'vpn'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
My /etc/firewall.user file is empty. Here's the output from iptables:
# iptables -L -n -v --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
2 859 126K input_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: user chain for input */
3 578 54161 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED /* !fw3 */
4 8 328 syn_flood tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 /* !fw3 */
5 261 70263 zone_lan_input all -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
6 0 0 zone_vpn_input all -- tun+ * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
7 18 1254 zone_wan_input all -- pppoe-wan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 103K 86M forwarding_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: user chain for forwarding */
2 103K 86M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED /* !fw3 */
3 219 26395 zone_lan_forward all -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
4 0 0 zone_vpn_forward all -- tun+ * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
5 0 0 zone_wan_forward all -- pppoe-wan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
6 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
2 868 250K output_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: user chain for output */
3 373 65733 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED /* !fw3 */
4 379 176K zone_lan_output all -- * br-lan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
5 0 0 zone_vpn_output all -- * tun+ 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
6 116 7895 zone_wan_output all -- * pppoe-wan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain MINIUPNPD (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.6.249 udp dpt:5353
Chain forwarding_lan_rule (1 references)
num pkts bytes target prot opt in out source destination
Chain forwarding_rule (1 references)
num pkts bytes target prot opt in out source destination
Chain forwarding_vpn_rule (1 references)
num pkts bytes target prot opt in out source destination
Chain forwarding_wan_rule (1 references)
num pkts bytes target prot opt in out source destination
Chain input_lan_rule (1 references)
num pkts bytes target prot opt in out source destination
Chain input_rule (1 references)
num pkts bytes target prot opt in out source destination
Chain input_vpn_rule (1 references)
num pkts bytes target prot opt in out source destination
Chain input_wan_rule (1 references)
num pkts bytes target prot opt in out source destination
Chain output_lan_rule (1 references)
num pkts bytes target prot opt in out source destination
Chain output_rule (1 references)
num pkts bytes target prot opt in out source destination
Chain output_vpn_rule (1 references)
num pkts bytes target prot opt in out source destination
Chain output_wan_rule (1 references)
num pkts bytes target prot opt in out source destination
Chain reject (3 references)
num pkts bytes target prot opt in out source destination
1 16 648 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */ reject-with tcp-reset
2 2 606 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */ reject-with icmp-port-unreachable
Chain syn_flood (1 references)
num pkts bytes target prot opt in out source destination
1 8 328 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
2 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_dest_ACCEPT (3 references)
num pkts bytes target prot opt in out source destination
1 379 176K ACCEPT all -- * br-lan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_forward (1 references)
num pkts bytes target prot opt in out source destination
1 219 26395 forwarding_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: user chain for forwarding */
2 219 26395 zone_vpn_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: forwarding lan -> vpn */
3 219 26395 zone_wan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: forwarding lan -> wan */
4 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port forwards */
5 0 0 zone_lan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_input (1 references)
num pkts bytes target prot opt in out source destination
1 261 70263 input_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: user chain for input */
2 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port redirections */
3 261 70263 zone_lan_src_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_output (1 references)
num pkts bytes target prot opt in out source destination
1 379 176K output_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: user chain for output */
2 379 176K zone_lan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_src_ACCEPT (1 references)
num pkts bytes target prot opt in out source destination
1 261 70263 ACCEPT all -- br-lan * 0.0.0.0/0 0.0.0.0/0 ctstate NEW,UNTRACKED /* !fw3 */
Chain zone_vpn_dest_ACCEPT (3 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- * tun+ 0.0.0.0/0 0.0.0.0/0 ctstate INVALID /* !fw3: Prevent NAT leakage */
2 0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_vpn_forward (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 forwarding_vpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: user chain for forwarding */
2 0 0 zone_lan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: forwarding vpn -> lan */
3 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port forwards */
4 0 0 zone_vpn_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_vpn_input (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 input_vpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: user chain for input */
2 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port redirections */
3 0 0 zone_vpn_src_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_vpn_output (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 output_vpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: user chain for output */
2 0 0 zone_vpn_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_vpn_src_ACCEPT (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0 ctstate NEW,UNTRACKED /* !fw3 */
Chain zone_wan_dest_ACCEPT (2 references)
num pkts bytes target prot opt in out source destination
1 49 2392 DROP all -- * pppoe-wan 0.0.0.0/0 0.0.0.0/0 ctstate INVALID /* !fw3: Prevent NAT leakage */
2 286 31898 ACCEPT all -- * pppoe-wan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_dest_REJECT (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 reject all -- * pppoe-wan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_forward (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 MINIUPNPD all -- * * 0.0.0.0/0 0.0.0.0/0
2 0 0 forwarding_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: user chain for forwarding */
3 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port forwards */
4 0 0 zone_wan_dest_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_input (1 references)
num pkts bytes target prot opt in out source destination
1 18 1254 input_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: user chain for input */
2 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68 /* !fw3: Allow-DHCP-Renew */
3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* !fw3: Allow-Ping */
4 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194 /* !fw3: Allow OpenVPN */
5 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port redirections */
6 18 1254 zone_wan_src_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_output (1 references)
num pkts bytes target prot opt in out source destination
1 116 7895 output_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: user chain for output */
2 116 7895 zone_wan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_src_REJECT (1 references)
num pkts bytes target prot opt in out source destination
1 18 1254 reject all -- pppoe-wan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
# iptables -t nat -L -n -v --line-numbers
Chain PREROUTING (policy ACCEPT 153 packets, 14389 bytes)
num pkts bytes target prot opt in out source destination
1 308 30719 prerouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: user chain for prerouting */
2 290 29305 zone_lan_prerouting all -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
3 0 0 zone_vpn_prerouting all -- tun+ * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
4 12 1014 zone_wan_prerouting all -- pppoe-wan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain INPUT (policy ACCEPT 61 packets, 4390 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 73 packets, 5023 bytes)
num pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 293 28391 postrouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: user chain for postrouting */
2 2 458 zone_lan_postrouting all -- * br-lan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
3 0 0 zone_vpn_postrouting all -- * tun+ 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
4 291 27933 zone_wan_postrouting all -- * pppoe-wan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain MINIUPNPD (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5353 to:192.168.6.249:5353
Chain MINIUPNPD-POSTROUTING (1 references)
num pkts bytes target prot opt in out source destination
Chain postrouting_lan_rule (1 references)
num pkts bytes target prot opt in out source destination
Chain postrouting_rule (1 references)
num pkts bytes target prot opt in out source destination
Chain postrouting_vpn_rule (1 references)
num pkts bytes target prot opt in out source destination
Chain postrouting_wan_rule (1 references)
num pkts bytes target prot opt in out source destination
Chain prerouting_lan_rule (1 references)
num pkts bytes target prot opt in out source destination
Chain prerouting_rule (1 references)
num pkts bytes target prot opt in out source destination
Chain prerouting_vpn_rule (1 references)
num pkts bytes target prot opt in out source destination
Chain prerouting_wan_rule (1 references)
num pkts bytes target prot opt in out source destination
Chain zone_lan_postrouting (1 references)
num pkts bytes target prot opt in out source destination
1 2 458 postrouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: user chain for postrouting */
Chain zone_lan_prerouting (1 references)
num pkts bytes target prot opt in out source destination
1 290 29305 prerouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: user chain for prerouting */
Chain zone_vpn_postrouting (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 postrouting_vpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: user chain for postrouting */
2 0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_vpn_prerouting (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 prerouting_vpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: user chain for prerouting */
Chain zone_wan_postrouting (1 references)
num pkts bytes target prot opt in out source destination
1 291 27933 MINIUPNPD-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
2 291 27933 postrouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: user chain for postrouting */
3 291 27933 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_prerouting (1 references)
num pkts bytes target prot opt in out source destination
1 11 854 MINIUPNPD all -- * * 0.0.0.0/0 0.0.0.0/0
2 12 1014 prerouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: user chain for prerouting */
3 0 0 REDIRECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:443 /* !fw3: Redirect UDP port 443 to OpenVPN */ redir ports 1194
# iptables -t mangle -L -n -v --line-numbers
Chain PREROUTING (policy ACCEPT 111K packets, 92M bytes)
num pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 1147 packets, 155K bytes)
num pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 110K packets, 92M bytes)
num pkts bytes target prot opt in out source destination
1 145 8928 TCPMSS tcp -- * pppoe-wan 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 /* !fw3: wan (mtu_fix) */ TCPMSS clamp to PMTU
Chain OUTPUT (policy ACCEPT 1082 packets, 306K bytes)
num pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 111K packets, 92M bytes)
num pkts bytes target prot opt in out source destination
Thank you for your time and please excuse me in advance for the length of my (first) post, but I wanted to give as much relevant info as possible.
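Added diagnostic example, not part of the original post: the symptom described (inbound over the tunnel only works for a few minutes after outbound traffic, while the tunnel itself stays up) is what the router's own UDP conntrack entry for the OpenVPN session on pppoe-wan ageing out looks like, because once that entry is gone the server's next packet is no longer ctstate ESTABLISHED and falls through to zone_wan_input, which ends in zone_wan_src_REJECT. This POSIX sh script parses a /proc/net/nf_conntrack dump and reports the remaining lifetime of that entry so it can be compared with the OpenVPN ping/keepalive interval; the dump below is a constructed sample, and the 203.0.113.10 server address and remote port 1194 are placeholders, since the real server and /etc/openvpn/server.conf are not shown in the post.

```shell
#!/bin/sh
# Added example (not from the original post): does the OpenVPN client's outer
# UDP flow still have a conntrack entry on the router? If it has expired, the
# server's next packet on pppoe-wan is NEW rather than ESTABLISHED and falls
# through to zone_wan_input, which ends in zone_wan_src_REJECT.
# Assumptions: the /proc/net/nf_conntrack layout
#   "ipv4 2 udp 17 <timeout> src= dst= sport= dport= [UNREPLIED] src= ... [ASSURED]"
# and a remote server port of 1194 (placeholder; server.conf is not shown).

# Constructed sample dump, not captured from the poster's router:
#  - the OpenVPN flow, assured, 142 s left before the kernel forgets it
#  - an unanswered NTP query, still in the short unreplied window
#  - a LAN DNS lookup that must not be mistaken for the tunnel
SAMPLE_CONNTRACK='ipv4     2 udp      17 142 src=198.51.100.7 dst=203.0.113.10 sport=46211 dport=1194 src=203.0.113.10 dst=198.51.100.7 sport=1194 dport=46211 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 25 src=198.51.100.7 dst=203.0.113.99 sport=123 dport=123 [UNREPLIED] src=203.0.113.99 dst=198.51.100.7 sport=123 dport=123 mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.6.20 dst=192.168.6.1 sport=53412 dport=53 src=192.168.6.1 dst=192.168.6.20 sport=53 dport=53412 [ASSURED] mark=0 zone=0 use=2'

# tunnel_entry_state PORT   (conntrack dump on stdin)
# Prints "<seconds-left> <ASSURED|NOT-ASSURED>" for the first UDP entry whose
# original-direction dport is PORT, or "absent" if there is none.
tunnel_entry_state() {
    awk -v port="$1" '
        $1 == "ipv4" && $3 == "udp" {
            for (i = 6; i <= NF; i++) {
                if ($i == ("dport=" port)) {
                    state = "NOT-ASSURED"
                    if (index($0, "[ASSURED]") > 0) state = "ASSURED"
                    print $5, state
                    found = 1
                    exit
                }
                # the first dport= token is the original direction; the reply
                # tuple that follows must not be matched
                if (index($i, "dport=") == 1) break
            }
        }
        END { if (!found) print "absent" }'
}

# keepalive_covers_timeout PING_INTERVAL STREAM_TIMEOUT
# Returns 0 when an OpenVPN "ping N" / "keepalive N M" interval (seconds)
# refreshes the entry before net.netfilter.nf_conntrack_udp_timeout_stream
# (180 s by default) expires, i.e. the flow never ages out while idle.
keepalive_covers_timeout() {
    [ "$1" -lt "$2" ]
}

# Stand-alone demonstration on the constructed sample.
echo "tunnel entry: $(printf '%s\n' "$SAMPLE_CONNTRACK" | tunnel_entry_state 1194)"
if keepalive_covers_timeout 10 180; then
    echo "a 10 s ping refreshes the entry before the 180 s assured-UDP timeout"
fi
```

On the router, `tunnel_entry_state <server-port> < /proc/net/nf_conntrack` run while the tunnel is idle shows whether the entry is shrinking towards zero or already absent, and /proc/sys/net/netfilter/nf_conntrack_udp_timeout_stream supplies the second argument for the keepalive comparison.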