OpenWrt 22.03 on RPi3b as VPN client in a DHCP network

Greetings,
I would like to use OpenWrt on an RPi3b, which gets its address via DHCP from a Fastweb router.

Fastweb router, main gateway (192.168.1.254/24) -> OpenWrt (IP 192.168.1.205) on the LAN.

On OpenWrt I have set up an IPsec VPN to my FRITZ!Box (external IP 151........).

With a first configuration, I saw that all traffic, including internet traffic, passed, but I could not ping the hosts, not even those on the FRITZ!Box network (192.168.29.0/24, gateway 192.168.29.1).

Then I added a first static route.
From the OpenWrt console:
Ping from 192.168.1.205 (OpenWrt) to 192.168.29.1 (FRITZ!Box gateway).
Ping is OK with this route (interface vpn-vpn2 192.168.29.0/24 none 0 main).

Now I would like to ping from a PC on the 192.168.1.0/24 network (e.g. 192.168.1.130) to the 192.168.29.0/24 network, e.g. ping the FRITZ!Box gateway (192.168.29.1).

I have added a route on Windows (command line: route add 192.168.29.0 mask 255.255.255.0 192.168.1.205 (gw OpenWrt)),
but ping does not work:
1 8 ms 6 ms 2 ms OPENWRT [192.168.1.205]
2 * * * Request timed out.
The traceroute is correct, because without the route on Windows it is:
Traceroute to 192.168.29.1 over a max 30 ....
1 1 ms 1 ms 3 ms FASTGATE [192.168.1.254]

I don't understand why, if I ping from the OpenWrt console to 192.168.29.1 or a host, e.g. 192.168.29.10, it is OK,
but if I ping from a PC on network 192.168.1.0/24 to 192.168.29.0/24 (with the route added on Windows) it does not work.

I think some route is missing on the router. Can anyone help me, please?

I have added all the info in the image.

Thanks a lot for the help.

When using the OpenWrt console, the "real" source IP address is not 192.168.1.205 but 192.168.29.201 and therefore you can ping network 192.168.29.0/24.

You need to create a static route in the fritzbox.

ip route add 192.168.1.0/24 via 192.168.29.201 dev ...

The other way would be to hide the traffic leaving the vpn-vpn2 interface behind 192.168.29.201 by enabling masquerading in the openvpn zone.


Wow, I have enabled the masquerading flag from the Firewall tab and now it works.

So the return route was missing?

How does masquerading work, such that it doesn't need the return route?

Thanks so much for help.

https://tldp.org/HOWTO/IP-Masquerade-HOWTO/ipmasq-background2.5.html

The main disadvantage is that it will cost extra CPU load (to rewrite packet headers) and you won't be able to access devices on network 192.168.1.0/24 from network 192.168.29.0/24 unless you create port forwarding rules.


Thanks a lot for information.

When I try to add the route on the FRITZ!Box I get this error:

[image]

I can't enter an IP that is already on my network. If I enter 192.168.29.203 as gateway it works, because 192.168.29.203 is not in use on the network.

I don't know whether it is incompatible with the VPN IP on the FRITZ!Box.

Sorry, I can't help you with that.

It's Fritz!Box specific and it seems you are not the only one experiencing such a problem.

https://wiert.me/2016/03/15/fritzbox-7360-and-7490-static-routes-over-vpn-dont-work/

Ah, ok thanks.
If I want (as you said before) to ping from a PC on network 192.168.29.0/24, e.g. 192.168.29.10 -> 192.168.1.254, I have put a static route on the server: 192.168.1.0/24 via 192.168.29.202 dev eth0

but it doesn't work, even with masquerading enabled. Is this normal? Do you know if there is any workaround?
Thanks

For two-way communication, you need to disable masquerading on the openvpn firewall zone of the OpenWrt router and create a static route in the Fritz!Box.

Apparently the second is not possible, so your options are limited to keep masquerading in the openvpn zone enabled.

Thus, all devices on network 192.168.1.0/24 will have access to all devices on network 192.168.29.0/24.

As I said before, for communication 192.168.29.0 -> 192.168.1.0 you need to create separate port forwarding (DNAT) rules, which is quite restrictive.

Let's say 192.168.1.100 is hosting a web server and you want to access it from network 192.168.29.0/24.
You should create a DNAT rule that looks like this:

config redirect
        option target 'DNAT'
        option name 'HTTP'
        list proto 'tcp'
        option src 'openvpn'
        option dest 'lan'
        option src_dport '8080'
        option dest_port '80'
        option dest_ip '192.168.1.100'

Then if you initiate an HTTP request from network 192.168.29.0/24 to 192.168.29.201:8080 it will be forwarded to 192.168.1.100:80.

Ping from 192.168.29.0/24 to 192.168.1.0/24 will not work and there is no workaround.

BTW 192.168.1.254 (your primary router) also needs a static route to network 192.168.29.0/24.
If you can do this, you don't need to create individual routes on each lan host.

I understand, all clear. I was thinking: if I set on a PC, e.g. 192.168.29.10, a static route 192.168.1.0/24 via 192.168.29.201, shouldn't that work?

I am doing a test but it doesn't work.
From PC 192.168.29.10 I can ping 192.168.29.201,
but if I try to ping 192.168.1.205 there is no response.

Where is the error in the logic?

If 192.168.1.205 is the router LAN IP address, the default policy for the INPUT chain is set to ACCEPT (as in the screenshot you posted) and the routing table of host 192.168.29.10 is correct, it should work.

Run tcpdump on the router to monitor icmp traffic.

opkg update; opkg install tcpdump; tcpdump -nnqti any icmp

Hi Pavel,
I am trying to do some tests. The first thing I am trying is to disable masquerading on OpenWrt.
I think that to do the test you indicated I must first make sure to deactivate masquerading.
So I was looking to do the following tests:

Test 1:
VPN is up -> IP 192.168.29.202
From the OpenWrt console, route print:

62.x.x.x via 192.168.1.254 dev br-lan proto static
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.205
192.168.29.0/24 via 192.168.29.202 dev vpn-vpn2 proto static

Ping from the OpenWrt console 1.0/24 -> 29.0/24 is OK.

Test 2: now test from a PC on LAN 1.0 to 29.0
Test PC IP: 192.168.1.130

I have tried two types of route:
Route test 1:
192.168.29.202 mask 255.255.255.255 192.168.1.205 (so I can tell the PC which route to take to reach 29.202)

192.168.29.0 mask 255.255.255.0 192.168.1.205

This config works with masquerading on the OpenWrt router.

Route test 2 (it does not work either with or without masquerading):

192.168.29.202 mask 255.255.255.255 192.168.1.205
192.168.29.0 mask 255.255.255.0 192.168.29.202

Why does the second route not work?

On network 192.168.29.0, on PC2 (192.168.29.10), I have added this route:

192.168.1.0/24 via 192.168.29.202 dev eth0 proto static

but I see that the route is not correct because:

If I ping from PC2 192.168.29.10 -> 192.168.29.202, the ping is OK.
If I ping 192.168.1.205 (OpenWrt IP) there is no response and I don't see it arrive in tcpdump.

tcpdump result:
When pinging from 192.168.29.10 to 192.168.29.202:
IP 192.168.29.10 > 192.168.29.202: ICMP echo request, id 57047, seq 1, length 64
IP 192.168.29.202 > 192.168.29.10: ICMP echo reply, id 57047, seq 1, length 64
The test is correct, I see the response.

If I ping from PC2 192.168.29.10 -> 192.168.1.205:

Nothing in tcpdump.
No traffic arrives,
and the traceroute is this:

1 fritz.box (192.168.29.1) 0.393 ms 0.768 ms 0.929 ms
2 151.X.X.X 9.962 ms 9.895 ms 9.947 ms
3 151.X.X.X 9.880 ms 13.698 ms 13.683 ms
4 151 ....... 12.928 ms

I think I need to force the route to 192.168.29.202 and not go to 29.1 -> which goes to the outside, right?

PS: I have also contacted AVM support; this is the result:

Dear Mr Gennaro,

Thank you for your request to AVM support.

If I understand correctly, you have configured a VPN on the FRITZ!Box and want to use the IP of that VPN as the gateway for a static route to another router's network.

Please correct me if anything is wrong up to this point.

What happens in your case is in line with expectations. This is not an error, as the gateway of the static route must necessarily be the IP that the other router has in the local network of the FRITZ!Box: the router in question must therefore be connected in cascade to the FRITZ!Box and not vice versa.

More information below:

Create a static IP route in the FRITZ!Box
Online help

As stated in the online help, under Gateway you must enter the IP assigned by the FRITZ!Box to the device that connects the FRITZ!Box network to the other network, i.e. the IP assigned by the FRITZ!Box to the other router. The address of a VPN from the FRITZ!Box cannot be used.

For any other information or clarification I am gladly available.

I wish you a nice weekend.

Kind regards from Berlin
Andrea Salafia (AVM Support)

Turns out it won't work that way because the connection to 192.168.29.202 is not bridged.

The Fritz!Box acts as a proxy arp (it responds to the request who-has 192.168.29.202 tell 192.168.29.10) and the packet is sent to it, but because the final destination is an unknown network (192.168.1.0/24), it uses its default gateway and there is no way to change this.

Regarding the response from AVM:

You do exactly that, but for some reason the route is not accepted and as you can see from the link above, a similar problem has existed at least since 2016.
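The routing and NAT behaviour discussed in this thread (the missing return route and why masquerading on the VPN zone hides it, the DNAT rule to 192.168.1.100:80 from the earlier reply, and the proxy-ARP case in the reply just above) can be checked in a small simulation. The Python model below is an added example; it is not code from the thread, from OpenWrt or from AVM. It implements longest-prefix routing, masquerading and DNAT with conntrack state over the addresses quoted in the thread, and it assumes: OpenWrt's VPN address is held at 192.168.29.201 throughout (the thread later shows .202); the hosts "pc1" (192.168.1.130), "srv" (192.168.1.100) and "pc2" (192.168.29.10) are constructed; the two 192.168.1.0/24 hosts carry the `route add 192.168.29.0 mask 255.255.255.0 192.168.1.205` route from the first post; a placeholder "isp" node drops private destinations; and the Fritz!Box answers ARP for its VPN client, as described above.

```python
import ipaddress
from collections import namedtuple
Pkt = namedtuple("Pkt", "src dst sport dport")   # ICMP echo is modelled as sport = echo id, dport = 0

class Node:
    """Host or router: routing table, on-link neighbours, optional masquerade and DNAT."""
    def __init__(self, addrs, routes, links, masq=None, dnat=None):
        self.addrs = set(addrs)
        self.routes = [(ipaddress.ip_network(n), nh, i) for n, nh, i in routes]  # (prefix, next hop|None, iface)
        self.links = links   # iface -> {neighbour ip or "*": node}: who answers ARP or sits in the tunnel
        self.masq, self.dnat = masq or {}, dnat or {}   # iface -> masq address; (dst ip, dport) -> (lan ip, port)
        self.snat_state, self.dnat_state = {}, {}       # conntrack entries for the two NAT directions

    def lookup(self, dst):   # longest-prefix match over the routing table, None if nothing matches
        hits = [r for r in self.routes if ipaddress.ip_address(dst) in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None

    def ingress(self, pkt):
        """PREROUTING: DNAT a new flow, or undo DNAT/SNAT on a reply."""
        if (pkt.dst, pkt.dport) in self.dnat:
            lan_ip, lan_port = self.dnat[(pkt.dst, pkt.dport)]
            self.dnat_state[(lan_ip, lan_port, pkt.src)] = (pkt.dst, pkt.dport)
            return pkt._replace(dst=lan_ip, dport=lan_port)
        if (pkt.src, pkt.sport, pkt.dst) in self.dnat_state:
            pub_ip, pub_port = self.dnat_state[(pkt.src, pkt.sport, pkt.dst)]
            return pkt._replace(src=pub_ip, sport=pub_port)
        if (pkt.dst, pkt.dport, pkt.src) in self.snat_state:
            return pkt._replace(dst=self.snat_state[(pkt.dst, pkt.dport, pkt.src)])
        return pkt

    def egress(self, pkt, iface):
        """POSTROUTING: masquerade what leaves a masq interface and remember the flow."""
        if iface in self.masq and pkt.src != self.masq[iface]:
            self.snat_state[(self.masq[iface], pkt.sport, pkt.dst)] = pkt.src
            return pkt._replace(src=self.masq[iface])
        return pkt

def send(nodes, origin, pkt, max_hops=10):
    """Forward pkt hop by hop; return (outcome, path, packet as it arrived)."""
    at, path = origin, [origin]
    for _ in range(max_hops):
        node = nodes[at]
        if at != origin:                 # locally generated packets do not pass PREROUTING
            pkt = node.ingress(pkt)
        if pkt.dst in node.addrs:
            return "delivered", path, pkt
        route = node.lookup(pkt.dst)
        if route is None:
            return "dropped at %s (no route)" % at, path, pkt
        _, next_hop, iface = route
        pkt = node.egress(pkt, iface)
        at = node.links[iface].get(next_hop or pkt.dst, node.links[iface].get("*"))
        if at is None:
            return "dropped at %s (no neighbour)" % path[-1], path, pkt
        path.append(at)
    return "dropped (hop limit)", path, pkt

def exchange(nodes, origin, pkt):
    """Send pkt, then the answer to it; report where the answer ends up."""
    status, path, arrived = send(nodes, origin, pkt)
    if status != "delivered":
        return "request " + status, path
    reply = Pkt(arrived.dst, arrived.src, arrived.dport, arrived.sport)   # the peer answers what it received
    status, back, _ = send(nodes, path[-1], reply)
    ok = status == "delivered" and back[-1] == origin
    return ("reply reached " + origin if ok else "reply " + status), path + back[1:]

def build(masq_on):
    """The thread's topology; OpenWrt's VPN address is held at 192.168.29.201 throughout."""
    vpn = "192.168.29.201"
    def lan_host(ip):   # 192.168.1.0/24 host carrying the thread's 'route add 192.168.29.0 ... 192.168.1.205'
        return Node([ip], [("192.168.1.0/24", None, "eth0"), ("192.168.29.0/24", "192.168.1.205", "eth0")],
                    {"eth0": {"192.168.1.205": "openwrt"}})
    return {
        "pc1": lan_host("192.168.1.130"), "srv": lan_host("192.168.1.100"),
        "openwrt": Node(["192.168.1.205", vpn],
                        [("192.168.1.0/24", None, "br-lan"), ("192.168.29.0/24", None, "vpn-vpn2")],
                        {"br-lan": {"192.168.1.130": "pc1", "192.168.1.100": "srv"}, "vpn-vpn2": {"*": "fritz"}},
                        masq={"vpn-vpn2": vpn} if masq_on else None,   # the firewall zone's masquerade flag
                        dnat={(vpn, 8080): ("192.168.1.100", 80)}),    # the thread's 'config redirect'
        "fritz": Node(["192.168.29.1"],
                      [("192.168.29.0/24", None, "lan"), (vpn + "/32", None, "vpn"), ("0.0.0.0/0", None, "wan")],
                      {"lan": {"192.168.29.10": "pc2"}, "vpn": {vpn: "openwrt"}, "wan": {"*": "isp"}}),
        "pc2": Node(["192.168.29.10"], [("192.168.29.0/24", None, "eth0"), ("192.168.1.0/24", vpn, "eth0"),
                    ("0.0.0.0/0", "192.168.29.1", "eth0")],            # host route 192.168.1.0/24 via the VPN client
                    {"eth0": {"192.168.29.1": "fritz", vpn: "fritz"}}),   # Fritz!Box proxy-ARPs for its VPN client
        "isp": Node([], [], {}),   # private destinations go nowhere from here
    }

def scenarios():
    """The cases discussed in the thread: name -> (outcome, path taken by request and reply)."""
    echo = lambda src, dst: Pkt(src, dst, 1, 0)
    return {
        "console ping, no masq": exchange(build(False), "openwrt", echo("192.168.29.201", "192.168.29.1")),
        "lan ping, no masq": exchange(build(False), "pc1", echo("192.168.1.130", "192.168.29.1")),
        "lan ping, masq": exchange(build(True), "pc1", echo("192.168.1.130", "192.168.29.1")),
        "pc2 ping via proxy-arp route": exchange(build(True), "pc2", echo("192.168.29.10", "192.168.1.205")),
        "pc2 http via dnat": exchange(build(True), "pc2", Pkt("192.168.29.10", "192.168.29.201", 40000, 8080)),
    }
```

Running `scenarios()` reproduces the thread: the console ping works because its source is the VPN address, the LAN ping without masquerading reaches the Fritz!Box but its reply leaves through the Fritz!Box default gateway ("reply dropped at isp"), with masquerading the reply comes back to 192.168.29.201 and is un-NATed to 192.168.1.130, the pc2 host route via the VPN client's address is handed to the Fritz!Box by proxy ARP and forwarded to the outside, and only the DNAT entry lets 192.168.29.10 reach 192.168.1.100:80. The model only tracks addresses and ports; it does not reproduce the FORWARD chain or IPsec policy matching, which on a real box are two more places such traffic can be dropped.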
