Remote LAN access from client

Well, there are several topics, some solved, that describe this problem.
But unfortunately I cannot get it working and want to ask for help again.

I'm running an OpenWRT router as a client connected to an OpenVPN server (my VPS) on the internet.
All clients behind it are routed via wan or vpn, depending on my own wishes, using pbr. Works fine, so far so good.
What does not work: when I connect a device from outside my home LAN (for example a mobile) to the VPS, I'm not able to ping any client behind my router. The router itself I can ping via its VPN IP as well as its LAN IP, but no other devices.

This is what I want (diagram not included: my LAN behind the router on the left, the VPN client on the right):

Unfortunately I'm not able to ping from the right side to any device behind the router on the left side.

Some configs:

On the VPS side:

# server.conf
server 10.8.0.0 255.255.255.0
route 192.168.11.0 255.255.255.0
push "route 192.168.11.0 255.255.255.0"
client-to-client
client-config-dir /etc/openvpn/ccd

# ccd/router
iroute 192.168.11.0 255.255.255.0

-------------------------

On the router:

# /etc/config/network
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.11.1'
config interface 'vpn'
        option proto 'none'
        option device 'tun0'

# /etc/config/firewall
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option masq '1'
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'
config forwarding
        option src 'lan'
        option dest 'wan'
config forwarding
        option src 'lan'
        option dest 'vpn'
config forwarding
        option src 'vpn'
        option dest 'lan'
config zone
        option name 'vpn'
        option output 'ACCEPT'
        option masq '1'
        list network 'vpn'
        option input 'ACCEPT'
        option forward 'ACCEPT'

It looks like this (screenshot not included):

Any hints on how to get this working (to be able to ping from a VPN client outside my LAN into my LAN)?

Your lan should not have masquerading enabled. Turn that off, restart, and try again.

Thanks for that.
Changed, but unfortunately no change...

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

Collect the log from the VPN server when connecting the router.

Server logs:

2023-10-23 23:42:40 37.63.23.167:15059 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-10-23 23:42:40 37.63.23.167:15059 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-10-23 23:42:40 37.63.23.167:15059 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-10-23 23:42:40 37.63.23.167:15059 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-10-23 23:42:40 37.63.23.167:15059 TLS: Initial packet from [AF_INET]37.63.23.167:15059, sid=ffed303a 0db9c5a5
2023-10-23 23:42:40 37.63.23.167:15059 VERIFY OK: depth=1, CN=cn_iVOkpGys9uqRg6MF
2023-10-23 23:42:40 37.63.23.167:15059 VERIFY OK: depth=0, CN=router
2023-10-23 23:42:40 37.63.23.167:15059 peer info: IV_VER=2.5.7
2023-10-23 23:42:40 37.63.23.167:15059 peer info: IV_PLAT=linux
2023-10-23 23:42:40 37.63.23.167:15059 peer info: IV_PROTO=6
2023-10-23 23:42:40 37.63.23.167:15059 peer info: IV_NCP=2
2023-10-23 23:42:40 37.63.23.167:15059 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
2023-10-23 23:42:40 37.63.23.167:15059 peer info: IV_LZ4=1
2023-10-23 23:42:40 37.63.23.167:15059 peer info: IV_LZ4v2=1
2023-10-23 23:42:40 37.63.23.167:15059 peer info: IV_LZO=1
2023-10-23 23:42:40 37.63.23.167:15059 peer info: IV_COMP_STUB=1
2023-10-23 23:42:40 37.63.23.167:15059 peer info: IV_COMP_STUBv2=1
2023-10-23 23:42:40 37.63.23.167:15059 peer info: IV_TCPNL=1
2023-10-23 23:42:40 37.63.23.167:15059 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1
2023-10-23 23:42:40 37.63.23.167:15059 [router] Peer Connection Initiated with [AF_INET]37.63.23.167:15059
2023-10-23 23:42:40 router/37.63.23.167:15059 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
2023-10-23 23:42:40 router/37.63.23.167:15059 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/router
2023-10-23 23:42:40 router/37.63.23.167:15059 MULTI: Learn: 10.8.0.2 -> router/37.63.23.167:15059
2023-10-23 23:42:40 router/37.63.23.167:15059 MULTI: primary virtual IP for router/37.63.23.167:15059: 10.8.0.2
2023-10-23 23:42:40 router/37.63.23.167:15059 MULTI: internal route 192.168.11.0/24 -> router/37.63.23.167:15059
2023-10-23 23:42:40 router/37.63.23.167:15059 MULTI: Learn: 192.168.11.0/24 -> router/37.63.23.167:15059
2023-10-23 23:42:40 router/37.63.23.167:15059 REMOVE PUSH ROUTE: 'route 192.168.11.0 255.255.255.0'
2023-10-23 23:42:40 router/37.63.23.167:15059 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
2023-10-23 23:42:40 router/37.63.23.167:15059 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
2023-10-23 23:42:40 router/37.63.23.167:15059 SENT CONTROL [router]: 'PUSH_REPLY,dhcp-option DNS 94.140.14.14,dhcp-option DNS 94.140.15.15,redirect-gateway def1 bypass-dhcp,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-128-GCM' (status=1)

Check runtime settings on the server including firewall ruleset, routing tables and rules, IP forwarding.
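The server log posted above already contains the evidence that the ccd/iroute setup is in effect, and the reply asks for the VPS's routing and forwarding state to be checked. The shell functions below are an added example written for this page (not code from the thread, from OpenVPN or from OpenWrt): they take log text and the output of `sysctl` and `ip -4 route` as plain strings, so they can be run against captured output or the constructed samples embedded here. The client name `router`, the LAN prefix 192.168.11.0/24 and the device `tun0` are the thread's values; the sysctl and route samples are constructed, and the systemd unit name in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example: verify the server side of an OpenVPN iroute setup.
# All inputs are passed as text; nothing here talks to the network.

# Constructed sample trimmed from the log posted in the thread.
SAMPLE_LOG=$(cat <<'EOF'
2023-10-23 23:42:40 router/37.63.23.167:15059 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
2023-10-23 23:42:40 router/37.63.23.167:15059 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/router
2023-10-23 23:42:40 router/37.63.23.167:15059 MULTI: internal route 192.168.11.0/24 -> router/37.63.23.167:15059
2023-10-23 23:42:40 router/37.63.23.167:15059 MULTI: Learn: 192.168.11.0/24 -> router/37.63.23.167:15059
2023-10-23 23:42:40 router/37.63.23.167:15059 REMOVE PUSH ROUTE: 'route 192.168.11.0 255.255.255.0'
EOF
)
# Constructed samples of a correctly prepared VPS. The "via" address in the
# route line is illustrative; the check only looks at the output device.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1'
SAMPLE_ROUTES=$(cat <<'EOF'
default via 203.0.113.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
192.168.11.0/24 via 10.8.0.2 dev tun0
EOF
)

# Print the VPN address the pool handed to client CN $2 (empty if none).
log_client_vpn_ip() {  # LOG CN
    printf '%s\n' "$1" | awk -v cn="$2" '
        ($3 ~ ("^" cn "/")) && $4 == "MULTI_sva:" { sub(/^.*IPv4=/, ""); sub(/,.*$/, ""); print; exit }'
}
# Succeed if the server learned prefix $3 as an internal route owned by client $2
# (this is the line that proves the ccd file was read and its iroute applied).
log_iroute_learned() {  # LOG CN PREFIX
    printf '%s\n' "$1" | awk -v cn="$2" -v net="$3" '
        ($3 ~ ("^" cn "/")) && $4 == "MULTI:" && $5 == "internal" && $6 == "route" && $7 == net { found = 1 }
        END { exit found ? 0 : 1 }'
}
# Succeed if the server dropped the pushed route for client $2. That is expected for
# the client that owns the iroute: it must not receive a route back to its own LAN.
log_push_route_removed() {  # LOG CN
    printf '%s\n' "$1" | grep -q "^.* $2/[^ ]* REMOVE PUSH ROUTE: "
}
# Succeed if `sysctl net.ipv4.ip_forward` output reports forwarding on.
ip_forward_enabled() {  # SYSCTL_OUT
    printf '%s\n' "$1" | grep -q '^net\.ipv4\.ip_forward *= *1$'
}
# Succeed if `ip -4 route` output routes prefix $2 out of device $3.
route_via_dev() {  # ROUTE_OUT PREFIX DEV
    printf '%s\n' "$1" | awk -v net="$2" -v dev="$3" '
        $1 == net { for (i = 2; i < NF; i++) if ($i == "dev" && $(i+1) == dev) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Run every check, print findings, succeed only if all required ones pass.
verify_server() {  # LOG SYSCTL_OUT ROUTE_OUT CN PREFIX
    rc=0
    ip=$(log_client_vpn_ip "$1" "$4")
    if [ -n "$ip" ]; then echo "ok:   $4 was assigned $ip"; else echo "FAIL: no address assigned to $4 in log"; rc=1; fi
    if log_iroute_learned "$1" "$4" "$5"; then echo "ok:   server learned $5 -> $4 (ccd iroute in effect)"
    else echo "FAIL: no 'internal route $5' for $4; check client-config-dir and that the ccd file is named after the CN"; rc=1; fi
    if log_push_route_removed "$1" "$4"; then echo "info: pushed route to $5 removed for $4 (expected, it owns that iroute)"; fi
    if ip_forward_enabled "$2"; then echo "ok:   net.ipv4.ip_forward=1"; else echo "FAIL: IP forwarding is off on the VPS"; rc=1; fi
    if route_via_dev "$3" "$5" tun0; then echo "ok:   kernel routes $5 via tun0"; else echo "FAIL: kernel has no route for $5 via tun0"; rc=1; fi
    return $rc
}

# Demo on the constructed samples. On a real VPS you would pass live data, e.g.
# (unit name is an assumption):
#   verify_server "$(journalctl -u openvpn-server@server)" "$(sysctl net.ipv4.ip_forward)" "$(ip -4 route)" router 192.168.11.0/24
verify_server "$SAMPLE_LOG" "$SAMPLE_SYSCTL" "$SAMPLE_ROUTES" router 192.168.11.0/24 || true
```

The one server-side item this does not inspect is the VPS firewall: if its forward chain has a drop policy, traffic entering and leaving on tun0 (VPN client to VPN client, which is what `client-to-client` relies on) must be explicitly accepted; `nft list ruleset` or `iptables -S FORWARD` shows that.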

I don't think this is anything on the server.

On the router:
$ service firewall stop

From any other device outside my LAN now:
$ ping 192.168.11.170
-> This is working now

On the router:
$ service firewall start
Now I'm no longer able to ping.

Sorry, have you removed blank lines between sections?

Well, I just removed them to copy/paste here, but I was not aware that this could confuse things.
Here again are my (already changed) router configs in full, without removing anything.

# /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd2c:9755:eb56::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.11.1'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0'

config interface 'wwan'
        option proto 'dhcp'

config interface 'vpn'
        option proto 'none'
        option device 'tun0'

# /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option output 'ACCEPT'
        option masq '1'
        list network 'vpn'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'vpn'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

config forwarding
        option src 'vpn'
        option dest 'lan'

Please don't recommend masquerade! There is a reason why we have routing! You just need proper routes on both sides and a firewall rule which allows traffic in both directions. But there is no $$$$ing reason to use masquerade or any other kind of NAT in such a scenario.

OK, please, repeat test above with LAN IP: 192.168.11.1

Please, in firewall configuration place zone section after zone, and forwarding section after forwarding.

Changed my config (hopefully that is what you mean):

# /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'

config zone
        option name 'vpn'
        option output 'ACCEPT'
        list network 'vpn'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'vpn'
        option dest 'lan'

config rule
[...]

OK, please, repeat test above with LAN IP: 192.168.11.1

Yes, I can ping the router itself from a computer outside my LAN.
But no other device behind.

Ha, I got it!
The trick was just to move the firewall zones in LuCI:

# /etc/config/firewall

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'vpn'
        option output 'ACCEPT'
        list network 'vpn'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'

[...]
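The replies in this thread boil down to three things to look at in `/etc/config/firewall` on the router: the lan zone must not masquerade, the tun interface must belong to a zone, and a forwarding from that zone into lan must exist. The script below is an added example written for this page (not code from the thread or from OpenWrt): a small UCI parser in awk plus the three checks, run against two constructed configs trimmed from the first post and from the final post above. Zone and interface names `vpn` and `lan` are the thread's; option values containing spaces (such as switch port lists) are not handled because none of these checks need them.

```shell
#!/bin/sh
# Added example: audit an OpenWrt firewall config for the points raised in the thread.
# Usage on a router:  audit_firewall "$(cat /etc/config/firewall)" vpn vpn lan

# uci_has_section CONFIG TYPE key=value ...
# Succeeds if CONFIG has a section of TYPE whose option/list lines carry every key=value.
uci_has_section() {
    _cfg=$1; _type=$2; shift 2
    printf '%s\n' "$_cfg" | awk -v type="$_type" -v req="$*" -v q="'" '
        function matches(   i, eq, k, v) {
            if (sectype != type) return 0
            for (i = 1; i <= nreq; i++) {
                eq = index(reqs[i], "=")
                k = substr(reqs[i], 1, eq - 1); v = substr(reqs[i], eq + 1)
                if (index(kv[k], " " v " ") == 0) return 0    # list values are kept space-delimited
            }
            return 1
        }
        BEGIN { nreq = split(req, reqs, " ") }
        /^config[ \t]/ {                          # new section: evaluate the previous one
            if (insec && matches()) found = 1
            split("", kv); sectype = $2; insec = 1; next
        }
        /^[ \t]*(option|list)[ \t]/ {              # option/list line: strip keyword, key and quotes
            v = $0; sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", v)
            sub(/[ \t]+$/, "", v); gsub("^" q "|" q "$", "", v)
            kv[$2] = kv[$2] " " v " "
        }
        END { if (insec && matches()) found = 1; exit found ? 0 : 1 }'
}

lan_zone_masquerades() { uci_has_section "$1" zone name="$2" masq=1; }          # CONFIG ZONE
zone_covers_network()  { uci_has_section "$1" zone name="$2" network="$3"; }    # CONFIG ZONE IFACE
forwarding_exists()    { uci_has_section "$1" forwarding src="$2" dest="$3"; }  # CONFIG SRC DEST

# audit_firewall CONFIG VPNZONE VPNIFACE LANZONE: print findings, succeed only if all pass.
audit_firewall() {
    rc=0
    if lan_zone_masquerades "$1" "$4"; then
        echo "FAIL: zone $4 has masq=1; routed LAN<->VPN traffic should not be NATed"; rc=1
    else echo "ok:   zone $4 does not masquerade"; fi
    if zone_covers_network "$1" "$2" "$3"; then echo "ok:   zone $2 covers interface $3"
    else echo "FAIL: zone $2 does not list interface $3, so tun traffic falls under the defaults"; rc=1; fi
    if forwarding_exists "$1" "$2" "$4"; then echo "ok:   forwarding $2 -> $4 present"
    else echo "FAIL: no forwarding $2 -> $4; VPN peers cannot reach the LAN"; rc=1; fi
    return $rc
}

# Constructed sample trimmed from the first post (masq on lan and on vpn).
FW_BEFORE=$(cat <<'EOF'
config zone
        option name 'lan'
        list network 'lan'
        option masq '1'

config zone
        option name 'vpn'
        option masq '1'
        list network 'vpn'

config forwarding
        option src 'vpn'
        option dest 'lan'
EOF
)
# Constructed sample trimmed from the final, working post.
FW_AFTER=$(cat <<'EOF'
config zone
        option name 'lan'
        list network 'lan'

config zone
        option name 'vpn'
        list network 'vpn'

config zone
        option name 'wan'
        option masq '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'vpn'
EOF
)

echo "== config from the first post"; audit_firewall "$FW_BEFORE" vpn vpn lan || true
echo "== final config";               audit_firewall "$FW_AFTER"  vpn vpn lan || true
```

Two caveats the audit does not cover. First, fw4 builds its ruleset from this file, so what actually runs is what `nft list ruleset` shows on the router; if a package such as pbr adds its own include, compare the live ruleset rather than the file alone. Second, the vpn zone in the final config has `input 'ACCEPT'`, which exposes the router's own services (SSH, LuCI) to every VPN peer, and with `client-to-client` on the server that means every other VPN client too; restricting input on that zone to the ports you need is the usual hardening.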

I was specifically saying that masquerading should not be enabled on the lan zone. Please reread my statement.

For a site-to-site setup you can just add the tun interface to the LAN zone and Bob is your uncle (the LAN zone does not masquerade normally :wink:)

Maybe you are pushing the wrong route: you are pushing the route of the router, and you should push a route to the LAN of the VPS.

Pardon. Maybe I should have finished my first coffee first :sweat:
