Problem with NAT for OpenVPN after reconfig

Hi,
I need some help, as the issue I'm experiencing is driving me mad.
The router with OpenWrt 18.06.0 I have is in the LAN behind a VDSL modem connected to the WAN port. Historically the WAN network was bridged with WiFi and used as the actual home LAN, whereas the LAN ports were used as another network for some other purposes. I wanted to clean up my config a bit and reconfigured it to be as it normally is: WAN for WAN, and LAN bridged with WiFi for local home access. All works fine apart from the OpenVPN, which is not NAT'ed although the setting tells it to be (I checked with tcpdump: on eth0.1 traffic goes out with the internal OpenVPN addressing).
I hate erasing the configuration and starting from scratch, as I need to understand the problem, at least for educational purposes.
IMHO the config looks OK, so either there is some obvious mistake which I can't spot, or some rubbish left over in some file which I haven't found.
Please see it below (problem with vpn0):

root@owrt:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fde2:4964:533a::/48'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.1'
        option broadcast '192.168.1.255'
        option ipaddr '192.168.1.30'
        option type 'bridge'
        option ifname 'eth0.1 tap0 radio1'
        option dns '192.168.1.30'

config interface 'wan'
        option proto 'dhcp'
        option ifname 'eth0.2'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 2 3 4 5'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '0t 1'

config interface 'vpn0'
        option ifname 'tun0'
        option proto 'none'
        option auto '1'

config interface 'vpn1'
        option proto 'none'
        option ifname 'tap0'
        option auto '1'

config route
        option interface 'lan'
        option target '10.8.1.0'
        option netmask '255.255.255.0'
        option gateway '192.168.1.23'

root@owrt:~# cat /etc/config/firewall

config rule
        option name 'Allow-DHCP-Renew'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
        option src 'lan'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '547'
        option dest_ip 'fe80::/10'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option target 'ACCEPT'
        option proto 'tcp'
        option dest_port '1883'
        option name 'MQTT'
        option src 'lan'

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'lan vpn1'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option mtu_fix '1'
        option masq '1'
        option input 'ACCEPT'
        option network 'wan'
        option forward 'REJECT'

config include
        option path '/etc/firewall.user'

config zone
        option name 'vpn'
        option output 'ACCEPT'
        option network 'vpn0'
        option forward 'REJECT'
        option input 'ACCEPT'
        option masq '1'

config forwarding
        option dest 'lan'
        option src 'vpn'

config forwarding
        option dest 'vpn'
        option src 'lan'

config forwarding
        option dest 'wan'
        option src 'lan'

config forwarding
        option dest 'wan'
        option src 'vpn'

root@owrt:~#
root@owrt:~# cat /etc/config/openvpn

config openvpn 'vpnNAT'
        option enabled '1'
        option verb '3'
        option dev 'tun'
        option topology 'subnet'
        option server '10.8.0.0 255.255.255.0'
        option ifconfig '10.8.0.1 255.255.255.0'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/dom-owrt.crt'
        option key '/etc/openvpn/dom-owrt.key'
        option dh '/etc/openvpn/dh2048.pem'
        option tls_auth '/etc/openvpn/tls-auth.key'
        option tls_version_min '1.2'
        option client_to_client '1'
        option persist_key '1'
        option persist_tun '1'
        list push 'redirect-gateway def1'
        list push 'dhcp-option DNS 192.168.1.30'
        option cipher 'AES-256-CBC'
        option port '443'
        option tls_server '1'
        option auth 'SHA512'
        option key_direction '0'
        option compress 'lzo'
        option proto 'tcp'

config openvpn 'vpnBridge'
        option keepalive '10 60'
        option compress 'lzo'
        option mode 'server'
        option tls_server '1'
        list push 'route-gateway dhcp'
        list push 'redirect-gateway def1'
        option client_to_client '1'
        option enabled '1'
        option dev 'tap0'
        option persist_tun '1'
        option persist_key '1'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/dom-owrt.crt'
        option key '/etc/openvpn/dom-owrt.key'
        option dh '/etc/openvpn/dh2048.pem'
        option cipher 'AES-256-CBC'
        option port '1194'
        option proto 'udp'
        option auth 'SHA512'
        option tls_version_min '1.2'
        option tls_auth '/etc/openvpn/tls-auth-bridge.key'
        option key_direction '0'
        option verb '3'

root@owrt:~#

Any hints are welcome. Maybe I need to clean up some other files or so? The router was restarted (I actually started with 18.06rc1 and then upgraded to rc2 and 18.06.01, as I thought maybe this was an issue). Before the reconfiguration NAT was working well for the VPN, so I am pretty sure this is a configuration issue.

@witek1308 Please put code, config, and log output within code boxes (three ways to do so).

  • The only networks that should have masquerade enabled are WAN facing interfaces.
    • Firewall: Remove option masq '1' from vpn
      • This is likely the cause of your issue on vpnNAT.
      • Issue: cd /etc/init.d && ./firewall reload && ./openvpn restart

If you're still having issues, please perform the steps under Troubleshooting for your next post.

NOTE:
  • Cipher is set way too high... AES128 will remain uncrackable until at least 2030...
    • Change AES-256-CBC to AES-128-CBC
      • Even if one is the target of a nation state, re-keying every 5 - 10 min would be more efficient than AES256

  • You're specifying TLS, but no TLS ciphers.
    • Add: option tls_cipher 'TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4:!kRSA'

  • Only utilize auth 'SHA512' if clients are using x64 CPUs, as x64 CPUs process SHA512 more efficiently than SHA256.

JW0914, thanks for your response, but it doesn't help; I tried it before (some NAT is needed there, unless instead of this some SNAT would be used, with no masq option). But since it worked before, I think the problem may be elsewhere.

Edit - I changed to SNAT and it works. I don't understand why it works this way but not the way with masq (maybe because of what you said above), but I'll leave it like that.

Regarding your other comments about the VPN, I'll review and implement the relevant changes this afternoon.
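The following script is an added example for this thread, not the poster's or OpenWrt's own code. It lints an fw3 `/etc/config/firewall` for zones that masquerade (the point JW0914 raises: only WAN-facing zones should), and shows a replacement for the posted `vpn` zone with `masq` removed and a targeted SNAT rule in its place, which is what the poster reports as working. Zone, interface and address values are the ones in the thread; the `nat` section type and its options are assumed to be supported by the fw3 release in use, which the original post does not confirm. In fw3, `masq` rewrites the source of traffic leaving the zone's own interfaces, so `masq '1'` on `vpn` NATs packets going out tun0 and does nothing for VPN clients' packets leaving br-lan, which is consistent with the 10.8.0.x sources seen on eth0.1.

```shell
#!/bin/sh
# Added example for this thread, not the poster's or OpenWrt's own code.
# Lint an fw3 /etc/config/firewall for zones with 'masq' enabled, and show
# the replacement for the posted 'vpn' zone: masquerading removed, with a
# targeted SNAT 'nat' section instead. Addresses and interface names are the
# thread's; the 'nat' section type and its options are assumed to be
# supported by the fw3 release in use (the original post does not confirm it).
#
# On the router itself the equivalent live checks are:
#   fw3 print | grep -i masq          (rendered POSTROUTING rules)
#   iptables -t nat -S POSTROUTING    (what is actually loaded)

# masq_zones: read a UCI firewall config on stdin and print the name of every
# 'config zone' section whose masq option is '1', one per line.
masq_zones() {
    awk -v q="'" '
        /^config /     { if (inzone && masq) print name; inzone = 0 }
        /^config zone/ { inzone = 1; name = ""; masq = 0; next }
        inzone && $2 == "name" { gsub(q, "", $3); name = $3 }
        inzone && $2 == "masq" { gsub(q, "", $3); masq = ($3 == "1") }
        END            { if (inzone && masq) print name }
    '
}

# unexpected_masq: masquerading zones other than 'wan'. fw3 masq applies to
# traffic leaving the zone's interfaces, so a masq on 'vpn' NATs packets
# going into tun0, not VPN clients' packets going out of br-lan.
unexpected_masq() {
    masq_zones | grep -v '^wan$' || true
}

# Zone sections as posted in the thread (constructed excerpt, rules omitted).
POSTED_ZONES=$(cat <<'EOF'
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'lan vpn1'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option mtu_fix '1'
        option masq '1'
        option input 'ACCEPT'
        option network 'wan'
        option forward 'REJECT'

config zone
        option name 'vpn'
        option output 'ACCEPT'
        option network 'vpn0'
        option forward 'REJECT'
        option input 'ACCEPT'
        option masq '1'
EOF
)

# Replacement: no masq on 'vpn'. VPN clients (10.8.0.0/24) leaving through
# the lan zone are SNATed to the router's LAN address, so LAN hosts with no
# route back to 10.8.0.0/24 can still reply. In a nat section 'src' is the
# zone the traffic leaves through (a POSTROUTING match on its interfaces).
FIXED_ZONES=$(cat <<'EOF'
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'lan vpn1'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option mtu_fix '1'
        option masq '1'
        option input 'ACCEPT'
        option network 'wan'
        option forward 'REJECT'

config zone
        option name 'vpn'
        option output 'ACCEPT'
        option network 'vpn0'
        option forward 'REJECT'
        option input 'ACCEPT'

config nat
        option name 'SNAT-vpn-clients-to-lan'
        option src 'lan'
        option src_ip '10.8.0.0/24'
        option proto 'all'
        option target 'SNAT'
        option snat_ip '192.168.1.30'
EOF
)

# lint_config: read a config on stdin; return 0 when only 'wan' masquerades,
# otherwise print the offending zone names and return 1.
lint_config() {
    offenders=$(unexpected_masq)
    if [ -n "$offenders" ]; then
        printf 'masq enabled on non-WAN zone(s): %s\n' "$offenders"
        return 1
    fi
    return 0
}

printf '%s\n' "$POSTED_ZONES" | lint_config || echo "posted config: fix needed"
printf '%s\n' "$FIXED_ZONES"  | lint_config && echo "fixed config: ok"
```

Run it with `sh lint_masq.sh`; to check a live router, pipe `cat /etc/config/firewall` into `lint_config` instead of the embedded excerpts, then `/etc/init.d/firewall reload` after editing.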

Why are you using TCP (or did you change it simply for troubleshooting)?

  • TCP only has two use cases:
    1. High packet loss when utilizing UDP
      OR
    2. Troubleshooting

SNAT should not be required... your server config is missing a pushed network route directive.

  • list push 'route 192.168.1.0 255.255.255.0'

  • See the following two wiki sections, this and that, for reference on server and client configs

TCP is to pass some public WiFi restrictions which normally allow tcp:443 but block other traffic.

The route directive will not help, as my VPN traffic was leaving the router with the private OpenVPN network addressing (10.0.x.x), which was not known by any other element in the network.

I'd recommend testing each hotspot you connect to for verification that it's blocking UDP 443 packets, as an SSL VPN will lose throughput with TCP, since TCP cannot efficiently encapsulate itself.

  • All OpenVPN traffic is TCP, and when utilizing UDP, it wraps those TCP packets within UDP packets, however if utilizing TCP, it wraps TCP packets within TCP packets.
    • This is also why tuning the tunnel MTU should be done (tunnel MTU is separate from the interface MTU)

I didn't realize you were utilizing it for hotspots - are you utilizing this router only for public hotspots, never receiving a WAN IP on the WAN interface?