OpenWRT, two subnets, Caddy, certificates

I want to put a web server on port 3 of my OpenWrt router and give it another interface and address range. Port 0 is WAN, and ports 1 and 2 are br-lan. I managed to create the interface, a working DHCP and a new IP range 192.168.22.x under port 3. I can access the server from the LAN, and the LAN is not visible to the server. Fine so far.

Then I installed Caddy, created port forwards 80 and 443, and registered two names to my registrar. The names propagated and Caddy created the certificates fine. Now I can access the server from OUTSIDE and certificates work right.

Unfortunately, if I access the server from the LAN, the certificates are wrong. The OpenWrt router seems to do some kind of address translation where the address and certificate do not match.

Is there a solution to this certificate problem? I wanted to bridge port 3 and WAN and get a second IP from my provider, but could not figure out how. Maybe that could have solved the issue.

Here is my network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd0f:2424:0d12::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.11.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option proto 'dhcpv6'
        option device 'eth0'
        option reqprefix 'auto'
        option reqaddress 'try'

config interface 'dmz'
        option proto 'static'
        option device 'eth3'
        list ipaddr '192.168.22.1/24'

Here is the system board:

{
        "kernel": "5.15.137",
        "hostname": "cerelon",
        "system": "Intel(R) Celeron(R) N5105 @ 2.00GHz",
        "model": "Default string Default string",
        "board_name": "default-string-default-string",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "x86/64",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}

Here is part of my firewall:

config zone
        option name 'dmz'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'dmz'

config forwarding
        option src 'lan'
        option dest 'dmz'

config forwarding
        option src 'dmz'
        option dest 'wan'

config redirect
        option dest 'dmz'
        option target 'DNAT'
        option name 'http to silakka'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.22.137'
        option dest_port '80'

config redirect
        option dest 'dmz'
        option target 'DNAT'
        option name 'https to silakka'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.22.137'
        option dest_port '443'

How can translation change the certificate presented in a legitimate SSL hello?

Can you check with conntrack -E where connections from your browser are actually going?

Here it is from the browser computer; xxx.xxx.177.136 is the port-forwarded public address.

    [NEW] tcp      6 120 SYN_SENT src=192.168.11.101 dst=xxx.xxx.177.136 sport=40336 dport=443 [UNREPLIED] src=xxx.xxx.177.136 dst=192.168.11.101 sport=443 dport=40336
 [UPDATE] tcp      6 60 SYN_RECV src=192.168.11.101 dst=xxx.xxx.177.136 sport=40336 dport=443 src=xxx.xxx.177.136 dst=192.168.11.101 sport=443 dport=40336
 [UPDATE] tcp      6 432000 ESTABLISHED src=192.168.11.101 dst=xxx.xxx.177.136 sport=40336 dport=443 src=xxx.xxx.177.136 dst=192.168.11.101 sport=443 dport=40336 [ASSURED]

I also checked that from the web server itself I can wget itself and the certificates are right. Also from an external computer. The certificates are wrong only from the local LAN.

I also checked whether rebind protection could cause this, but did not notice any change.

SOLUTION: Add reflection_zone to the redirects! I found this here: https://github.com/openwrt/openwrt/issues/8868#issuecomment-1229441623

config redirect
        option dest 'dmz'
        option target 'DNAT'
        option name 'https to silakka'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.22.137'
        option dest_port '443'
        list reflection_zone 'dmz'
        list reflection_zone 'lan'
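The `conntrack -E` output above already contains the diagnosis, and the same check confirms the fix. conntrack prints two tuples per flow: the original direction as the client sent it, then the reply direction after any NAT. When a DNAT redirect has been applied, the reply tuple's `src` is the internal server (192.168.22.137); when it still equals the public address the client dialled, no hairpin DNAT happened and the connection terminates on the router itself, which is why a LAN client sees a certificate that does not match the name. In the OpenWrt firewall, reflection rules are only generated for the zones listed in `reflection_zone`, which defaults to the redirect's `dest` zone (here `dmz`), so `lan` gets none until it is listed. The following script is an added example, not part of this thread or of OpenWrt; it parses constructed conntrack lines (203.0.113.136 stands in for the masked WAN address) and flags flows towards a forwarded port that were not reflected.

```python
import re

# Constructed sample lines modelled on `conntrack -E` output (not the thread's
# own capture): 203.0.113.136 stands in for the router's public WAN address,
# 192.168.11.101 is a LAN client, 192.168.22.137 is the DMZ web server.
SAMPLE_EVENTS = [
    # Before the fix: the reply tuple's src is still the WAN address, i.e. no
    # DNAT was applied and the router itself answers the TLS handshake.
    "    [NEW] tcp      6 120 SYN_SENT src=192.168.11.101 dst=203.0.113.136 sport=40336 dport=443 [UNREPLIED] src=203.0.113.136 dst=192.168.11.101 sport=443 dport=40336",
    " [UPDATE] tcp      6 432000 ESTABLISHED src=192.168.11.101 dst=203.0.113.136 sport=40336 dport=443 src=203.0.113.136 dst=192.168.11.101 sport=443 dport=40336 [ASSURED]",
    # After adding reflection_zone 'lan': the reply tuple's src is the DMZ
    # server, so the LAN client really reaches the Caddy host.
    "    [NEW] tcp      6 120 SYN_SENT src=192.168.11.101 dst=203.0.113.136 sport=40337 dport=443 [UNREPLIED] src=192.168.22.137 dst=192.168.11.101 sport=443 dport=40337",
]

# Only the four address/port keys matter; state words like [UNREPLIED] and
# [ASSURED] and the timeout counters are ignored.
KV = re.compile(r"(src|dst|sport|dport)=(\S+)")


def parse_tuples(line):
    """Return (original, reply) dicts for one conntrack event line.

    conntrack prints the original-direction tuple first and the reply-direction
    tuple second, each with src/dst/sport/dport, so the eight key=value pairs
    split evenly into the two tuples.
    """
    pairs = KV.findall(line)
    if len(pairs) != 8:
        raise ValueError("unexpected conntrack line: %r" % line)
    return dict(pairs[:4]), dict(pairs[4:])


def dnat_applied(line):
    """True if the flow was DNATed: the reply src differs from the original dst."""
    original, reply = parse_tuples(line)
    return reply["src"] != original["dst"]


def classify(line, wan_ip, forwarded_ports=("80", "443")):
    """Classify a flow aimed at the WAN address on a forwarded port.

    "reflected" means DNAT rewrote the destination to the internal server,
    "terminates-on-router" means no hairpin NAT happened and whatever listens
    on the router answers, "other" is any unrelated flow.
    """
    original, reply = parse_tuples(line)
    if original["dst"] != wan_ip or original["dport"] not in forwarded_ports:
        return "other"
    return "reflected" if reply["src"] != original["dst"] else "terminates-on-router"


def audit(lines, wan_ip):
    """Summarise every event as (client address, verdict)."""
    return [(parse_tuples(l)[0]["src"], classify(l, wan_ip)) for l in lines]


if __name__ == "__main__":
    # On a router the input would be `conntrack -E` piped into this script.
    for client, verdict in audit(SAMPLE_EVENTS, "203.0.113.136"):
        print(client, verdict)
```

Run it on the router with `conntrack -E | python3 thisscript.py` style piping (feeding `sys.stdin` into `audit`) while loading the site from a LAN client: every flow from 192.168.11.x to the public address on 80 or 443 should read `reflected` once `lan` is in `reflection_zone`; any `terminates-on-router` verdict means the redirect still lacks a reflection rule for that client's zone.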

