PBR VPN bypass help with SSH DNAT

I have recently connected to IVPN by wireguard for the usual reasons, sick of tracking and the like, but I also want to run some existing services which are DNAT'ed into some machines on my LAN.
PBR seemed to be the obvious solution to keep my DNAT services directed out to my one public IP address and then send all adhoc web browsing etc. out over the IVPN service.
My web server is working fine with this new arrangement as is my email server, but you guessed it, one service is not :frowning:

For reasons that I won't go into now, several hosts out on the Internet make ssh connections into my router and there they are locked into a chroot jail - these services all work fine without the IVPN and PBR running.

This is what I have got so far:-

in /etc/config/firewall I have the following.
config redirect
        option dest_port '22'
        option src 'wan'
        option src_dport '<a-high-port-number>'
        option target 'DNAT'
        list proto 'tcp'
        option name 'AutoSSH-in_to_router'
        option dest 'lan'
        option dest_ip '<the-LAN-address-of-my-openwrt-router>'
        option reflection '0'

config policy
        option name 'autossh-in'
        option src_addr '<the-LAN-address-of-my-openwrt-router>'
        option dest_port '<a-high-port-number>'
        option interface 'ignore'

When I watch the SSH connection from the far end I see nothing after
"debug1: Connecting to [] port ."

and at the same time while I watch SSHD running in the foreground on my router, I see nothing at all.
Neither do I see anything interesting on my router's syslog.

From this I conclude that no packets are ever reaching SSHD from the DNAT entry while PBR is running.

...have I described my problem clearly?
... any constructive advice would be appreciated.

config policy
        option name 'autossh-in'
        option chain 'output'
        option src_port '<a-high-port-number>'
        option interface 'wan'

G'day stangri,
Thanks for the quick reply - but there must be more to it because SSHD on the router is still seeing absolutely nothing.

Any more I can provide as 'debug', any other ideas?

Should have just copied an example from README rather than correct yours -- it's src_port in the policy of course, not dest_port.

No change unfortunately - must be something else going on too.

I will go back and carefully read the README again.

yeah, the example for (TCP-based) OpenVPN server (which I based my reply on) is a known-working config. Not sure how it would all work with your redirect though.

... I think there is something in the redirect to the endpoint on the router itself that I don't understand.
If I change the redirect to be on a PC inside my LAN it seems to work as expected, but that somewhat defeats the purpose of doing routing on the router, I don't want to go down that rabbit hole again (keeping a PC running in my LAN just to do routing).

For the time being, I will be like the other donkey and just give up too.

Just in case someone else needs this in the future.
My work around was not to do the port translation from the inbound high port down to 22, but just to forward the high port straight to the router AND then to have sshd listen for connections on port 22 as well as the high port.
With the PBR config described by stangri everything works as expected :slight_smile:
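The workaround above, put together as one complete configuration. This is an added example, not the original poster's or stangri's own files; the port and address placeholders are the thread's, and the file name /etc/config/pbr and the use of OpenSSH's /etc/ssh/sshd_config are my assumptions.

```uci
# /etc/config/firewall (constructed example): forward the high port to the
# router itself WITHOUT translating it down to 22. dest_port now equals
# src_dport, so nothing is rewritten and sshd answers from the high port.
config redirect
        option name 'AutoSSH-in_to_router'
        option src 'wan'
        option src_dport '<a-high-port-number>'
        option dest 'lan'
        option dest_ip '<the-LAN-address-of-my-openwrt-router>'
        option dest_port '<a-high-port-number>'
        list proto 'tcp'
        option target 'DNAT'
        option reflection '0'

# /etc/config/pbr (assumed file name): stangri's policy from this thread.
# chain 'output' matches the router's own locally generated traffic, so the
# policy catches sshd's replies by their source port and keeps them on the
# plain WAN instead of the IVPN tunnel. Because no port translation happens
# any more, those replies really do leave with the high port as source.
config policy
        option name 'autossh-in'
        option chain 'output'
        option src_port '<a-high-port-number>'
        option interface 'wan'

# /etc/ssh/sshd_config (assumption: OpenSSH sshd on the router). Multiple
# Port lines are allowed; 22 stays for the LAN, the high port serves the
# forwarded connections. Only the redirect above opens the high port on
# the WAN side, so the exposure is the same single port as before.
Port 22
Port <a-high-port-number>
```

After editing, reload with `/etc/init.d/firewall restart`, `/etc/init.d/pbr restart` and `/etc/init.d/sshd restart`, then check with `netstat -ltn` (or `ss -ltn`) that sshd is listening on both ports before testing from the far end.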