Public IP via VPN

VPS: https://pastebin.com/XECh80Zf
ROUTER: https://pastebin.com/yHzbgdpK

1 Like

Do you have any ideas what is wrong?

Your VPS and router firewalls restrict traffic and port forwarding:

# VPS
iptables -A FORWARD -i tun0 -j ACCEPT

# OpenWrt
uci -q delete firewall.lan_vpn
uci set firewall.lan_vpn="forwarding"
uci set firewall.lan_vpn.src="lan"
uci set firewall.lan_vpn.dest="vpn"
uci -q delete firewall.vpn_lan
uci set firewall.vpn_lan="forwarding"
uci set firewall.vpn_lan.src="vpn"
uci set firewall.vpn_lan.dest="lan"
uci commit firewall
/etc/init.d/firewall restart

The config can be simplified if you assign both LAN and VPN networks to the LAN firewall zone.

1 Like

After adding these on both router and VPS, I have Internet access on my NAS, and curl -s checkip.dyndns.org shows that my IP is the one assigned to the VPS, so this seems to work, but unfortunately I don't have Internet on all the other devices connected to the router. I think that there is a problem with the routing tables:

config interface 'lan'
    option ip4table '1'

config interface 'vpn'
    option ip4table '2'

config rule 'lan_vpn'
        option in 'lan'
        option src '192.168.1.100'
        option lookup '2'
        option priority '30000'

When I set route_allowed_ips to 0, I again have Internet working, but the NAS is also inaccessible via the VPS's public IP address. Should I do anything else to make it work? The actual problem is that it wants to route either all traffic via VPN or none.

1 Like
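An added check, not from the thread, that can be run against the output of ip route show table all and ip rule show to tell the two situations apart (only the NAS going through the VPN table versus every client going out via tun0). It assumes the layout above: main table default via WAN, table 2 default via tun0, one rule sending 192.168.1.100 to table 2; the sample output it runs on is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the split-routing setup
# from "ip route show table all" and "ip rule show" output. Assumes the layout
# discussed above: main table default via WAN, table 2 default via tun0, and
# a single ip rule that sends only the NAS (192.168.1.100) to table 2.
NAS_IP="192.168.1.100"
VPN_DEV="tun0"
VPN_TABLE="2"

# $1 = output of "ip route show table all", $2 = output of "ip rule show".
# Prints one finding per line, or "ok"; returns 1 when something is wrong.
check_split_routing() {
    routes="$1"; rules="$2"; bad=0
    # main-table routes are the lines without a "table N" token; a default
    # route via the tunnel there drags every LAN client through the VPN
    if printf '%s\n' "$routes" | grep -v ' table ' | grep -Eq "^default .*dev $VPN_DEV( |$)"; then
        echo "main table default route is on $VPN_DEV: every client goes via VPN"; bad=1
    fi
    if ! printf '%s\n' "$routes" | grep -Eq "^default .*dev $VPN_DEV .*table $VPN_TABLE( |$)"; then
        echo "table $VPN_TABLE has no default route via $VPN_DEV"; bad=1
    fi
    # the rule must be host-scoped (bare address or /32), not the whole LAN
    if ! printf '%s\n' "$rules" | grep -Eq "from $NAS_IP(/32)? lookup $VPN_TABLE( |$)"; then
        echo "no ip rule sending $NAS_IP to table $VPN_TABLE"; bad=1
    fi
    [ "$bad" -eq 0 ] && echo ok
    return "$bad"
}

# Constructed sample output (not captured from a real router)
SAMPLE_RULES='0:      from all lookup local
30000:  from 192.168.1.100 lookup 2
32766:  from all lookup main'
SAMPLE_ROUTES_OK='default via 203.0.113.1 dev eth0.2 proto static
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
default dev tun0 table 2 proto static scope link'
# same, plus a 0.0.0.0/0 via tun0 that landed in the main table
SAMPLE_ROUTES_BAD="default dev tun0 proto static scope link
$SAMPLE_ROUTES_OK"

check_split_routing "$SAMPLE_ROUTES_OK" "$SAMPLE_RULES"
check_split_routing "$SAMPLE_ROUTES_BAD" "$SAMPLE_RULES" || :
```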

I have one more question. After adding the /32 netmask everything works correctly now, except one thing.
When I try to reach the NAS from the LAN (i.e. my computer) I get connection timed out. Tcpdump shows traffic on the router, but not on the NAS. On the router it says that all packets are dropped by the interface. What else am I missing?

When I check the IP from the NAS, I get the IP of the VPS, and when I access the NAS via the VPS's IP from outside my network, everything works perfectly. Also, traffic from other devices is not routed via VPN.

Access the NAS with its internal IP (192.168.1.100) not by the public IP you are forwarding from the VPS.

1 Like

I could do that, but if I can access it with the domain name as well and without bothering about DNS hacks, then why not do that? Especially since I see the incoming traffic on the router, but dropped by the interface, so I am probably missing something in the firewall configuration.

That should be possible with a pair of DNAT and SNAT firewall rules on the router.

Because you are wasting router CPU cycles on a flow that shouldn't go through the router CPU, and you'll start wondering why the speed is slow.

2 Likes

You just need to add a respective host entry on the router DNS.

2 Likes

Yes, this seems to be the easiest way that will not load the CPU.
Many thanks to all of you!

I think I need additional help.

I have added new interface:

config interface 'wan6'
        option ifname 'wan6'
        option ip6addr '###'
        option ip6prefix '###'
        option peeraddr '###'
        option proto '6in4'
        option send_rs '0'
        option tunnelid '###'
        option username '###'
        option updatekey '###'

And log is being spammed by:

Wed Jun 16 20:54:52 2021 daemon.notice netifd: Interface 'wan6' is now down
Wed Jun 16 20:54:52 2021 daemon.notice netifd: Interface 'wan6' is setting up now

However, when I set route_allowed_ips to 0 in the VPN configuration, IPv6 starts working.
Could you tell me what is again wrong with the routing that prevents tunnelbroker from working?

Or maybe some ideas on how to troubleshoot this? I don't find more information in the logs.

In tcpdump I have found the following when trying to connect to HE:

19:48:34.931454 IP AAA.BBB.CCC.DDD > he.net: ICMP AAA.BBB.CCC.DDD protocol 41 port 46141 unreachable, length 556

When I set route_allowed_ips to 0, these lines disappear in tcpdump.

ip route show table all shows this:

he.net dev tun0 proto static scope link

so I guess it tries to route the tunnel to Hurricane Electric via VPN, instead of directly via the Internet. How can I fix that?

I tried executing 'ip route del he.net dev tun0' but it adds this route again all the time.

uci set network.wan6.tunlink="wan"
uci commit network
/etc/init.d/network restart
1 Like

This worked. Thank you!

Actually I have 2 more questions:
The first of them is: what if I would like to prepare a failover WAN connection (i.e. LTE)? Will the IPv6 tunnel work there as well if I specify tunlink as wan? I suppose I will have to create a wan2 interface for that. Actually it is not the case now, but I have something like that in my plans.

The second question is about accessing another subnet over WireGuard if I would like to connect from a different location. I mean I don't have any kind of 192.168.0.0/16 via tun0 route now. I could add it via an ifplugd script, but I wonder if this is possible with pure OpenWrt config?

1 Like

Duplicate the 6in4 interface with a different tunlink, or customize it dynamically:

mkdir -p /etc/hotplug.d/online
cat << "EOF" > /etc/hotplug.d/online/20-6in4
# the 6in4 interface whose tunlink follows the interface that just came online
NET_IF="wan6"
# ignore events for the tunnel itself, otherwise the ifup below would loop
if [ "${INTERFACE}" = "${NET_IF}" ]
then exit 0
fi
# point the tunnel at the interface that just came online and bring it up again
uci set network.${NET_IF}.tunlink="${INTERFACE}"
ifup "${NET_IF}"
EOF

https://openwrt.org/docs/guide-user/advanced/hotplug_extras

Add a custom rule to look up the VPN routing table for a specific destination subnet:
https://openwrt.org/docs/guide-user/network/routing/ip_rules

By "customize tunlink with hotplug" you mean an iface script that will add/change the route when interface wan6 goes up?

Then I think this solution is not ideal, because both interfaces can be up all the time (i.e. a HiLink modem) and you only check if the Internet works and change the default route between the 2 links. In this case, I think that a duplicated 6in4 interface is a more flexible way. This will anyway require specifying different interfaces, probably, and I am not sure how and if this will work.

Thank you for all your help.

1 Like
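For the case raised above, where both links stay up and only the default route moves, the tunnel can follow the interface that currently owns the default route instead of the last one that came up. This is an added example, not from the thread or from the OpenWrt project; it assumes a hotplug.d/iface script and OpenWrt's /lib/functions/network.sh (network_find_wan), and keeps the decision in a pure function so it can be exercised off the router.

```shell
#!/bin/sh
# Added example (not from the thread): /etc/hotplug.d/iface/20-6in4-tunlink
# Re-points the 6in4 tunnel's tunlink at whichever logical interface currently
# carries the IPv4 default route, so a WAN/LTE failover moves the tunnel too,
# even when both links stay up. Assumes OpenWrt's /lib/functions/network.sh.
TUN_IF="wan6"

# Decide what to do; pure function so it can be tested off-router.
#   $1 = hotplug INTERFACE, $2 = hotplug ACTION,
#   $3 = interface owning the default route (empty if none), $4 = current tunlink.
# Prints the new tunlink, or nothing when no change is needed.
tunlink_decide() {
    iface="$1"; action="$2"; def_wan="$3"; cur="$4"
    # events for the tunnel itself must be ignored: re-linking runs ifup on it
    [ "$iface" = "$TUN_IF" ] && return 0
    case "$action" in ifup|ifdown|ifupdate) ;; *) return 0 ;; esac
    # no default route at all: keep the old tunlink rather than point at nothing
    [ -n "$def_wan" ] || return 0
    [ "$def_wan" = "$cur" ] && return 0
    printf '%s\n' "$def_wan"
}

# Only this path touches uci and netifd; it runs when hotplug invokes the script.
if [ -n "$INTERFACE" ] && [ -r /lib/functions/network.sh ]; then
    . /lib/functions/network.sh
    network_flush_cache
    network_find_wan def_wan
    cur=$(uci -q get "network.${TUN_IF}.tunlink")
    new=$(tunlink_decide "$INTERFACE" "$ACTION" "$def_wan" "$cur")
    if [ -n "$new" ]; then
        logger -t 6in4-tunlink "default route now on $new, re-linking $TUN_IF"
        uci set "network.${TUN_IF}.tunlink=$new"
        uci commit network
        ifup "$TUN_IF"
    fi
fi
```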