Route into an OpenVPN-Client Subnet

Hi all,

At the moment I am struggling with the following scenario:
I have a running OpenVPN server on a VPS in the www.
I have a VPN client called "SubnetClient" that automatically connects to the OpenVPN server. This client is running on the device "GL-MT200N-V2" and works as a router.

I also have a VPN client called "Service" that is used to maintain devices in the subnet of "SubnetClient".

So far I was able to ping the "SubnetClient" via its local subnet IP address.

List of IP networks:
192.168.129.0/24 - Network of SubnetClient
192.168.129.1 - IP of OpenWrt with VPN client
192.168.255.0/24 - OpenVPN clients' IP range?
192.168.254.0/24 - OpenVPN dummy routing network?
192.168.123.1/24 - Network of "Service" (shouldn't matter imo)

My problem now is that I am not able to open (any) web interface of the OpenWrt device (OpenVPN client "SubnetClient") when I am connected via the VPN client "Service".
A really strange effect for me is that the SSH connection to the OpenWrt device works for some bytes of transmission and then stops (the command output isn't completely printed).
The Chrome developer console tells me "Status: pending" when I try to access the web interface.

Server-Configuration

server 192.168.255.0 255.255.255.0
verb 3
key /etc/openvpn/pki/private/dummy.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/dummy.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun

proto udp
# Rely on Docker to do port mapping, internally always 1194
port 1194
dev tun0
status /tmp/openvpn-status.log

user nobody
group nogroup
comp-lzo no

### Route Configurations Below
route 192.168.254.0 255.255.255.0
route 192.168.129.0 255.255.255.0
client-to-client

### Push Configurations Below
# push "block-outside-dns"  #We want the dns outside working as well
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "comp-lzo no"

CCD "Service"

push "route 192.168.129.0 255.255.255.0"

CCD "SubnetClient"

iroute 192.168.129.0 255.255.255.0

uci show firewall

firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[0].enabled='0'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@include[0].reload='1'
firewall.glfw=include
firewall.glfw.type='script'
firewall.glfw.path='/usr/bin/glfw.sh'
firewall.glfw.reload='1'
firewall.guestzone=zone
firewall.guestzone.name='guestzone'
firewall.guestzone.network='guest'
firewall.guestzone.forward='REJECT'
firewall.guestzone.output='ACCEPT'
firewall.guestzone.input='REJECT'
firewall.guestzone_fwd=forwarding
firewall.guestzone_fwd.src='guestzone'
firewall.guestzone_fwd.dest='wan'
firewall.guestzone_fwd.enabled='0'
firewall.guestzone_dhcp=rule
firewall.guestzone_dhcp.name='guestzone_DHCP'
firewall.guestzone_dhcp.src='guestzone'
firewall.guestzone_dhcp.target='ACCEPT'
firewall.guestzone_dhcp.proto='udp'
firewall.guestzone_dhcp.dest_port='67-68'
firewall.guestzone_dns=rule
firewall.guestzone_dns.name='guestzone_DNS'
firewall.guestzone_dns.src='guestzone'
firewall.guestzone_dns.target='ACCEPT'
firewall.guestzone_dns.proto='tcp udp'
firewall.guestzone_dns.dest_port='53'
firewall.glservice_rule=rule
firewall.glservice_rule.name='glservice'
firewall.glservice_rule.dest_port='83'
firewall.glservice_rule.proto='tcp udp'
firewall.glservice_rule.src='wan'
firewall.glservice_rule.target='ACCEPT'
firewall.glservice_rule.enabled='0'
firewall.gls2s=include
firewall.gls2s.type='script'
firewall.gls2s.path='/var/etc/gls2s.include'
firewall.gls2s.reload='1'
firewall.glqos=include
firewall.glqos.type='script'
firewall.glqos.path='/usr/sbin/glqos.sh'
firewall.glqos.reload='1'
firewall.mwan3=include
firewall.mwan3.type='script'
firewall.mwan3.path='/var/etc/mwan3.include'
firewall.mwan3.reload='1'
firewall.vpn_zone=zone
firewall.vpn_zone.name='ovpn'
firewall.vpn_zone.input='ACCEPT'
firewall.vpn_zone.output='ACCEPT'
firewall.vpn_zone.network='ovpn'
firewall.vpn_zone.masq='1'
firewall.vpn_zone.mtu_fix='1'
firewall.vpn_zone.forward='REJECT'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].dest='ovpn'
firewall.@forwarding[2].src='guestzone'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].dest='ovpn'
firewall.@forwarding[3].src='lan'
firewall.@forwarding[4]=forwarding
firewall.@forwarding[4].dest='lan'
firewall.@forwarding[4].src='ovpn'

So please help me find the solution for the following:

  • How do I configure the OpenVPN server correctly?
  • What kind of adjustments are needed on the OpenWrt firewall?

Something I saw some time ago is this solution for the Raspberry Pi:
Could this (technically) be the solution for the "some bytes get transmitted" issue? And how can I "convert" these rules for the OpenWrt firewall?

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT

Why do I write here? I think the major problem lies in the OpenWrt firewall settings.

Thank you very much for your help!
If you need more information, simply ask me and I will send the needed information.

Greetings!

There are working and tested how-tos:

WireGuard is preferable for better performance and easier configuration.


Hi vgaetera,

thanks for your response.
I reset everything and began from scratch with the linked examples for OpenVPN.

Server Setup (using a Docker container)
I have adjusted the settings based on the linked example (https://openwrt.org/docs/guide-user/services/vpn/openvpn/server). UCI isn't available in the Docker environment, so I skipped this step.
I also disabled the "redirect-gateway def1" feature.

Resulting OpenVPN server config:

verb 3
key /etc/openvpn/pki/private/dummy.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/dummy.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0

user nobody
group nogroup
dev tun0
port 1194
proto udp
server 192.168.8.0 255.255.255.0 # Changed in this config
topology subnet # New in this config
client-to-client
keepalive 10 60
persist-tun
persist-key

push "persist-tun"
push "persist-key"

status /tmp/openvpn-status.log

Resulting client config file (same for both right now):

client
nobind
dev tun
remote-cert-tls server
auth-nocache # Added in this config

remote myCrazyHostname 11194 udp

<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
....
-----END OpenVPN Static key V1-----
</tls-auth>

So far, both VPN clients can connect.
The most significant change in the settings is the "topology subnet" property.

Site-to-Site adjustments
Following the site-to-site instructions (https://openwrt.org/docs/guide-user/services/vpn/openvpn/extras#site-to-site):

For the ClientSubnet CCD

ifconfig-push 192.168.8.101 255.255.255.0 # static IP address
iroute 192.168.129.0 255.255.255.0 # client handles this subnet

Added to the OpenVPN server config:

route 192.168.129.0 255.255.255.0 192.168.8.101
push "route 192.168.1.0 255.255.255.0"  # <-- Don't understand this

This push "route 192.168.1.0 255.255.255.0" confused me... I thought I needed a route to the client network. Right now I don't have a server LAN (I think).

At the moment I cannot ping the ClientSubnet 192.168.129.0/24 from the "Service" VPN connection.
But ping between the clients (VPN IPs) is working.

Server console log (hbClient = SubnetClient)

Tue Oct 13 09:47:15 2020 MY.IP.ADD.HIDDEN:57239 TLS: Initial packet from [AF_INET]MY.IP.ADD.HIDDEN:57239, sid=1527b086 d8551baa
Tue Oct 13 09:47:16 2020 MY.IP.ADD.HIDDEN:57239 VERIFY OK: depth=1, CN=hbNet RZ
Tue Oct 13 09:47:16 2020 MY.IP.ADD.HIDDEN:57239 VERIFY OK: depth=0, CN=hbClient
Tue Oct 13 09:47:16 2020 MY.IP.ADD.HIDDEN:57172 TLS: Initial packet from [AF_INET]MY.IP.ADD.HIDDEN:57172, sid=6ac1e467 9fdd311e
Tue Oct 13 09:47:16 2020 MY.IP.ADD.HIDDEN:57239 peer info: IV_VER=2.4.5
Tue Oct 13 09:47:16 2020 MY.IP.ADD.HIDDEN:57239 peer info: IV_PLAT=linux
Tue Oct 13 09:47:16 2020 MY.IP.ADD.HIDDEN:57239 peer info: IV_PROTO=2
Tue Oct 13 09:47:16 2020 MY.IP.ADD.HIDDEN:57239 peer info: IV_NCP=2
Tue Oct 13 09:47:16 2020 MY.IP.ADD.HIDDEN:57239 peer info: IV_LZ4=1
Tue Oct 13 09:47:16 2020 MY.IP.ADD.HIDDEN:57239 peer info: IV_LZ4v2=1
Tue Oct 13 09:47:16 2020 MY.IP.ADD.HIDDEN:57239 peer info: IV_LZO=1
Tue Oct 13 09:47:16 2020 MY.IP.ADD.HIDDEN:57239 peer info: IV_COMP_STUB=1
Tue Oct 13 09:47:16 2020 MY.IP.ADD.HIDDEN:57239 peer info: IV_COMP_STUBv2=1
Tue Oct 13 09:47:16 2020 MY.IP.ADD.HIDDEN:57239 peer info: IV_TCPNL=1
Tue Oct 13 09:47:16 2020 MY.IP.ADD.HIDDEN:57239 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Oct 13 09:47:16 2020 MY.IP.ADD.HIDDEN:57239 [hbClient] Peer Connection Initiated with [AF_INET]MY.IP.ADD.HIDDEN:57239
Tue Oct 13 09:47:16 2020 hbClient/MY.IP.ADD.HIDDEN:57239 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/hbClient
Tue Oct 13 09:47:16 2020 hbClient/MY.IP.ADD.HIDDEN:57239 MULTI: Learn: 192.168.8.101 -> hbClient/MY.IP.ADD.HIDDEN:57239
Tue Oct 13 09:47:16 2020 hbClient/MY.IP.ADD.HIDDEN:57239 MULTI: primary virtual IP for hbClient/MY.IP.ADD.HIDDEN:57239: 192.168.8.101
Tue Oct 13 09:47:16 2020 hbClient/MY.IP.ADD.HIDDEN:57239 MULTI: internal route 192.168.129.0/24 -> hbClient/MY.IP.ADD.HIDDEN:57239
Tue Oct 13 09:47:16 2020 hbClient/MY.IP.ADD.HIDDEN:57239 MULTI: Learn: 192.168.129.0/24 -> hbClient/MY.IP.ADD.HIDDEN:57239
Tue Oct 13 09:47:16 2020 MY.IP.ADD.HIDDEN:57172 VERIFY OK: depth=1, CN=hbNet RZ
Tue Oct 13 09:47:16 2020 MY.IP.ADD.HIDDEN:57172 VERIFY OK: depth=0, CN=Service
Tue Oct 13 09:47:16 2020 MY.IP.ADD.HIDDEN:57172 peer info: IV_VER=2.4.6
Tue Oct 13 09:47:16 2020 MY.IP.ADD.HIDDEN:57172 peer info: IV_PLAT=win
Tue Oct 13 09:47:16 2020 MY.IP.ADD.HIDDEN:57172 peer info: IV_PROTO=2
Tue Oct 13 09:47:16 2020 MY.IP.ADD.HIDDEN:57172 peer info: IV_NCP=2
Tue Oct 13 09:47:16 2020 MY.IP.ADD.HIDDEN:57172 peer info: IV_LZ4=1
Tue Oct 13 09:47:16 2020 MY.IP.ADD.HIDDEN:57172 peer info: IV_LZ4v2=1
Tue Oct 13 09:47:16 2020 MY.IP.ADD.HIDDEN:57172 peer info: IV_LZO=1
Tue Oct 13 09:47:16 2020 MY.IP.ADD.HIDDEN:57172 peer info: IV_COMP_STUB=1
Tue Oct 13 09:47:16 2020 MY.IP.ADD.HIDDEN:57172 peer info: IV_COMP_STUBv2=1
Tue Oct 13 09:47:16 2020 MY.IP.ADD.HIDDEN:57172 peer info: IV_TCPNL=1
Tue Oct 13 09:47:16 2020 MY.IP.ADD.HIDDEN:57172 peer info: IV_GUI_VER=OpenVPN_GUI_11
Tue Oct 13 09:47:16 2020 MY.IP.ADD.HIDDEN:57172 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Oct 13 09:47:16 2020 MY.IP.ADD.HIDDEN:57172 [Service] Peer Connection Initiated with [AF_INET]MY.IP.ADD.HIDDEN:57172
Tue Oct 13 09:47:16 2020 Service/MY.IP.ADD.HIDDEN:57172 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/Service
Tue Oct 13 09:47:16 2020 Service/MY.IP.ADD.HIDDEN:57172 MULTI_sva: pool returned IPv4=192.168.8.2, IPv6=(Not enabled)
Tue Oct 13 09:47:16 2020 Service/MY.IP.ADD.HIDDEN:57172 MULTI: Learn: 192.168.8.2 -> Service/MY.IP.ADD.HIDDEN:57172
Tue Oct 13 09:47:16 2020 Service/MY.IP.ADD.HIDDEN:57172 MULTI: primary virtual IP for Service/MY.IP.ADD.HIDDEN:57172: 192.168.8.2

Thanks for the support

Is this a typo or are you redirecting the 11194/udp port to the container?

That's supposed to be the server side LAN, you can ignore/remove it.

Looks fine.

Post runtime configs from both server and client:

ip address show; ip route show; ip rule show; iptables-save

Redirecting to the port in the container.

Removed that route from the server config.

root@GL-MT300N-V2:~# ip address show; ip route show; ip rule show; iptables-save
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 94:83:c4:09:4a:a8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::9683:c4ff:fe09:4aa8/64 scope link
       valid_lft forever preferred_lft forever
3: teql0: <NOARP> mtu 1500 qdisc noop state DOWN group default qlen 100
    link/void
4: ra0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP group default qlen 1000
    link/ether 94:83:c4:09:4a:a8 brd ff:ff:ff:ff:ff:ff
5: ra1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 96:83:c4:19:4a:a8 brd ff:ff:ff:ff:ff:ff
6: wds0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 94:83:c4:09:4a:a8 brd ff:ff:ff:ff:ff:ff
7: wds1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 94:83:c4:09:4a:a8 brd ff:ff:ff:ff:ff:ff
8: wds2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 94:83:c4:09:4a:a8 brd ff:ff:ff:ff:ff:ff
9: wds3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 94:83:c4:09:4a:a8 brd ff:ff:ff:ff:ff:ff
10: apcli0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 96:83:c4:09:4a:a8 brd ff:ff:ff:ff:ff:ff
11: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 94:83:c4:09:4a:a8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.129.1/24 brd 192.168.129.255 scope global br-lan
       valid_lft forever preferred_lft forever
12: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 94:83:c4:09:4a:a8 brd ff:ff:ff:ff:ff:ff
14: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 94:83:c4:09:4a:a8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.123.126/24 brd 192.168.123.255 scope global eth0.2
       valid_lft forever preferred_lft forever
17: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 192.168.8.101/24 brd 192.168.8.255 scope global tun0
       valid_lft forever preferred_lft forever
0.0.0.0/1 dev tun0 scope link
default via 192.168.123.1 dev eth0.2 proto static src 192.168.123.126 metric 10
128.0.0.0/1 dev tun0 scope link
185.250.248.18 via 192.168.123.1 dev eth0.2
192.168.8.0/24 dev tun0 proto kernel scope link src 192.168.8.101
192.168.123.0/24 dev eth0.2 proto static scope link metric 10
192.168.129.0/24 dev br-lan proto kernel scope link src 192.168.129.1
0:      from all lookup local
1001:   from all iif eth0.2 lookup main
2001:   from all fwmark 0x100/0x3f00 lookup 1
2061:   from all fwmark 0x3d00/0x3f00 blackhole
2062:   from all fwmark 0x3e00/0x3f00 unreachable
32766:  from all lookup main
32767:  from all lookup default
# Generated by iptables-save v1.6.2 on Tue Oct 13 10:42:03 2020
*nat
:PREROUTING ACCEPT [470:61039]
:INPUT ACCEPT [8:528]
:OUTPUT ACCEPT [20:1636]
:POSTROUTING ACCEPT [0:0]
:GL_SPEC_DMZ - [0:0]
:GL_SPEC_FORWARDING - [0:0]
:postrouting_guestzone_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_ovpn_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_guestzone_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_ovpn_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_guestzone_postrouting - [0:0]
:zone_guestzone_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_ovpn_postrouting - [0:0]
:zone_ovpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -j GL_SPEC_DMZ
-A PREROUTING -j GL_SPEC_FORWARDING
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i br-guest -m comment --comment "!fw3" -j zone_guestzone_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_ovpn_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o br-guest -m comment --comment "!fw3" -j zone_guestzone_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_ovpn_postrouting
-A zone_guestzone_postrouting -m comment --comment "!fw3: Custom guestzone postrouting rule chain" -j postrouting_guestzone_rule
-A zone_guestzone_prerouting -m comment --comment "!fw3: Custom guestzone prerouting rule chain" -j prerouting_guestzone_rule
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_ovpn_postrouting -m comment --comment "!fw3: Custom ovpn postrouting rule chain" -j postrouting_ovpn_rule
-A zone_ovpn_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_ovpn_prerouting -m comment --comment "!fw3: Custom ovpn prerouting rule chain" -j prerouting_ovpn_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Tue Oct 13 10:42:03 2020
# Generated by iptables-save v1.6.2 on Tue Oct 13 10:42:03 2020
*mangle
:PREROUTING ACCEPT [547:73009]
:INPUT ACCEPT [153:24547]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [100:16324]
:POSTROUTING ACCEPT [100:16324]
:mwan3_connected - [0:0]
:mwan3_hook - [0:0]
:mwan3_iface_in_wan - [0:0]
:mwan3_iface_out_wan - [0:0]
:mwan3_ifaces_in - [0:0]
:mwan3_ifaces_out - [0:0]
:mwan3_policy_default_poli - [0:0]
:mwan3_rules - [0:0]
-A PREROUTING -j mwan3_hook
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone ovpn MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j mwan3_hook
-A mwan3_connected -m set --match-set mwan3_connected dst -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_hook -j CONNMARK --restore-mark --nfmask 0x3f00 --ctmask 0x3f00
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_in
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_connected
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_out
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_rules
-A mwan3_hook -j CONNMARK --save-mark --nfmask 0x3f00 --ctmask 0x3f00
-A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_connected
-A mwan3_iface_in_wan -i eth0.2 -m set --match-set mwan3_connected src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_iface_in_wan -i eth0.2 -m mark --mark 0x0/0x3f00 -m comment --comment wan -j MARK --set-xmark 0x100/0x3f00
-A mwan3_iface_out_wan -o eth0.2 -m mark --mark 0x0/0x3f00 -m comment --comment wan -j MARK --set-xmark 0x100/0x3f00
-A mwan3_ifaces_in -m mark --mark 0x0/0x3f00 -j mwan3_iface_in_wan
-A mwan3_ifaces_out -m mark --mark 0x0/0x3f00 -j mwan3_iface_out_wan
-A mwan3_policy_default_poli -m mark --mark 0x0/0x3f00 -m comment --comment "wan 3 3" -j MARK --set-xmark 0x100/0x3f00
-A mwan3_rules -m mark --mark 0x0/0x3f00 -m comment --comment default_rule -j mwan3_policy_default_poli
COMMIT
# Completed on Tue Oct 13 10:42:03 2020
# Generated by iptables-save v1.6.2 on Tue Oct 13 10:42:03 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:GL_SPEC_OPENING - [0:0]
:forwarding_guestzone_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_ovpn_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_guestzone_rule - [0:0]
:input_lan_rule - [0:0]
:input_ovpn_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_guestzone_rule - [0:0]
:output_lan_rule - [0:0]
:output_ovpn_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guestzone_dest_ACCEPT - [0:0]
:zone_guestzone_dest_REJECT - [0:0]
:zone_guestzone_forward - [0:0]
:zone_guestzone_input - [0:0]
:zone_guestzone_output - [0:0]
:zone_guestzone_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_ovpn_dest_ACCEPT - [0:0]
:zone_ovpn_dest_REJECT - [0:0]
:zone_ovpn_forward - [0:0]
:zone_ovpn_input - [0:0]
:zone_ovpn_output - [0:0]
:zone_ovpn_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -j GL_SPEC_OPENING
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i br-guest -m comment --comment "!fw3" -j zone_guestzone_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_ovpn_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i br-guest -m comment --comment "!fw3" -j zone_guestzone_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_ovpn_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o br-guest -m comment --comment "!fw3" -j zone_guestzone_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_ovpn_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_guestzone_dest_ACCEPT -o br-guest -m comment --comment "!fw3" -j ACCEPT
-A zone_guestzone_dest_REJECT -o br-guest -m comment --comment "!fw3" -j reject
-A zone_guestzone_forward -m comment --comment "!fw3: Custom guestzone forwarding rule chain" -j forwarding_guestzone_rule
-A zone_guestzone_forward -m comment --comment "!fw3: Zone guestzone to ovpn forwarding policy" -j zone_ovpn_dest_ACCEPT
-A zone_guestzone_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_guestzone_forward -m comment --comment "!fw3" -j zone_guestzone_dest_REJECT
-A zone_guestzone_input -m comment --comment "!fw3: Custom guestzone input rule chain" -j input_guestzone_rule
-A zone_guestzone_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: guestzone_DHCP" -j ACCEPT
-A zone_guestzone_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: guestzone_DNS" -j ACCEPT
-A zone_guestzone_input -p udp -m udp --dport 53 -m comment --comment "!fw3: guestzone_DNS" -j ACCEPT
-A zone_guestzone_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_guestzone_input -m comment --comment "!fw3" -j zone_guestzone_src_REJECT
-A zone_guestzone_output -m comment --comment "!fw3: Custom guestzone output rule chain" -j output_guestzone_rule
-A zone_guestzone_output -m comment --comment "!fw3" -j zone_guestzone_dest_ACCEPT
-A zone_guestzone_src_REJECT -i br-guest -m comment --comment "!fw3" -j reject
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to ovpn forwarding policy" -j zone_ovpn_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_ovpn_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_ovpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_ovpn_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
-A zone_ovpn_forward -m comment --comment "!fw3: Custom ovpn forwarding rule chain" -j forwarding_ovpn_rule
-A zone_ovpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_ovpn_forward -m comment --comment "!fw3" -j zone_ovpn_dest_REJECT
-A zone_ovpn_input -m comment --comment "!fw3: Custom ovpn input rule chain" -j input_ovpn_rule
-A zone_ovpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_ovpn_input -m comment --comment "!fw3" -j zone_ovpn_src_ACCEPT
-A zone_ovpn_output -m comment --comment "!fw3: Custom ovpn output rule chain" -j output_ovpn_rule
-A zone_ovpn_output -m comment --comment "!fw3" -j zone_ovpn_dest_ACCEPT
-A zone_ovpn_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Tue Oct 13 10:42:03 2020
bash-4.4# ip address show; ip route show; ip rule show; iptables-save
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 192.168.8.1/24 brd 192.168.8.255 scope global tun0
       valid_lft forever preferred_lft forever
71: eth0@if72: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:0a brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.10/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
default via 172.17.0.1 dev eth0
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.10
192.168.8.0/24 dev tun0 proto kernel scope link src 192.168.8.1
192.168.129.0/24 via 192.168.8.101 dev tun0
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
# Generated by iptables-save v1.6.1 on Tue Oct 13 10:46:43 2020
*nat
:PREROUTING ACCEPT [77:5098]
:INPUT ACCEPT [4:316]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [73:4782]
-A POSTROUTING -s 192.168.255.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.254.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Oct 13 10:46:43 2020

...
-A POSTROUTING -s 192.168.255.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.254.0/24 -o eth0 -j MASQUERADE
...

After seeing this, I have replaced and adjusted the environment vars of the container... didn't help

...
declare -x OVPN_ROUTES=([0]="192.168.129.0/24")  
declare -x OVPN_SERVER=192.168.8.0/24
...
bash-4.4# ip address show; ip route show; ip rule show; iptables-save
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 192.168.8.1/24 brd 192.168.8.255 scope global tun0
       valid_lft forever preferred_lft forever
75: eth0@if76: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:0a brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.10/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
default via 172.17.0.1 dev eth0
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.10
192.168.8.0/24 dev tun0 proto kernel scope link src 192.168.8.1
192.168.129.0/24 via 192.168.8.101 dev tun0
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
# Generated by iptables-save v1.6.1 on Tue Oct 13 10:59:52 2020
*nat
:PREROUTING ACCEPT [4:276]
:INPUT ACCEPT [4:276]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.8.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.129.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Oct 13 10:59:52 2020

But I don't see the ovpn to lan forwarding.
You need to add it as well.

In addition, check on the server:

sysctl net.ipv4 | grep -e forward

True... on my first attempt I tried to change some settings. So I need to change this again.

Just to be clear (see screenshots) https://ibb.co/n6tPYX7

I simply have to enable the checkmark in the lan field for the forwarding zones, right?

bash-4.4# sysctl net.ipv4 | grep -e forward
net.ipv4.conf.all.bc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.bc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.eth0.bc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.lo.bc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.tun0.bc_forwarding = 0
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0

Also disable masquerading for the VPN zone, as you are performing it on the server.


So, to summarize the current state:

  • I disabled masquerading for the VPN zone
  • I added the lan zone to the forwarding zones of ovpn
  • I changed the forward option of ovpn from reject to accept

After restarting the container and reconnecting both clients I get the following results.

client runtime info:

root@GL-MT300N-V2:~# ip address show; ip route show; ip rule show; iptables-save
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 94:83:c4:09:4a:a8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::9683:c4ff:fe09:4aa8/64 scope link
       valid_lft forever preferred_lft forever
3: teql0: <NOARP> mtu 1500 qdisc noop state DOWN group default qlen 100
    link/void
4: ra0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP group default qlen 1000
    link/ether 94:83:c4:09:4a:a8 brd ff:ff:ff:ff:ff:ff
5: ra1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 96:83:c4:19:4a:a8 brd ff:ff:ff:ff:ff:ff
6: wds0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 94:83:c4:09:4a:a8 brd ff:ff:ff:ff:ff:ff
7: wds1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 94:83:c4:09:4a:a8 brd ff:ff:ff:ff:ff:ff
8: wds2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 94:83:c4:09:4a:a8 brd ff:ff:ff:ff:ff:ff
9: wds3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 94:83:c4:09:4a:a8 brd ff:ff:ff:ff:ff:ff
10: apcli0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 96:83:c4:09:4a:a8 brd ff:ff:ff:ff:ff:ff
11: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 94:83:c4:09:4a:a8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.129.1/24 brd 192.168.129.255 scope global br-lan
       valid_lft forever preferred_lft forever
12: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 94:83:c4:09:4a:a8 brd ff:ff:ff:ff:ff:ff
14: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 94:83:c4:09:4a:a8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.123.126/24 brd 192.168.123.255 scope global eth0.2
       valid_lft forever preferred_lft forever
21: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 192.168.8.101/24 brd 192.168.8.255 scope global tun0
       valid_lft forever preferred_lft forever
0.0.0.0/1 dev tun0 scope link
default via 192.168.123.1 dev eth0.2 proto static src 192.168.123.126 metric 10
128.0.0.0/1 dev tun0 scope link
185.250.248.18 via 192.168.123.1 dev eth0.2
192.168.8.0/24 dev tun0 proto kernel scope link src 192.168.8.101
192.168.123.0/24 dev eth0.2 proto static scope link metric 10
192.168.129.0/24 dev br-lan proto kernel scope link src 192.168.129.1
0:      from all lookup local
1001:   from all iif eth0.2 lookup main
2001:   from all fwmark 0x100/0x3f00 lookup 1
2061:   from all fwmark 0x3d00/0x3f00 blackhole
2062:   from all fwmark 0x3e00/0x3f00 unreachable
32766:  from all lookup main
32767:  from all lookup default
# Generated by iptables-save v1.6.2 on Tue Oct 13 11:26:08 2020
*nat
:PREROUTING ACCEPT [2081:268377]
:INPUT ACCEPT [38:2965]
:OUTPUT ACCEPT [94:8030]
:POSTROUTING ACCEPT [23:2034]
:GL_SPEC_DMZ - [0:0]
:GL_SPEC_FORWARDING - [0:0]
:postrouting_guestzone_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_ovpn_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_guestzone_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_ovpn_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_guestzone_postrouting - [0:0]
:zone_guestzone_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_ovpn_postrouting - [0:0]
:zone_ovpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -j GL_SPEC_DMZ
-A PREROUTING -j GL_SPEC_FORWARDING
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i br-guest -m comment --comment "!fw3" -j zone_guestzone_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_ovpn_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o br-guest -m comment --comment "!fw3" -j zone_guestzone_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_ovpn_postrouting
-A zone_guestzone_postrouting -m comment --comment "!fw3: Custom guestzone postrouting rule chain" -j postrouting_guestzone_rule
-A zone_guestzone_prerouting -m comment --comment "!fw3: Custom guestzone prerouting rule chain" -j prerouting_guestzone_rule
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_ovpn_postrouting -m comment --comment "!fw3: Custom ovpn postrouting rule chain" -j postrouting_ovpn_rule
-A zone_ovpn_prerouting -m comment --comment "!fw3: Custom ovpn prerouting rule chain" -j prerouting_ovpn_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Tue Oct 13 11:26:08 2020
# Generated by iptables-save v1.6.2 on Tue Oct 13 11:26:08 2020
*mangle
:PREROUTING ACCEPT [2575:360378]
:INPUT ACCEPT [886:165719]
:FORWARD ACCEPT [10:1047]
:OUTPUT ACCEPT [477:104901]
:POSTROUTING ACCEPT [491:107132]
:mwan3_connected - [0:0]
:mwan3_hook - [0:0]
:mwan3_iface_in_wan - [0:0]
:mwan3_iface_out_wan - [0:0]
:mwan3_ifaces_in - [0:0]
:mwan3_ifaces_out - [0:0]
:mwan3_policy_default_poli - [0:0]
:mwan3_rules - [0:0]
-A PREROUTING -j mwan3_hook
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone ovpn MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j mwan3_hook
-A mwan3_connected -m set --match-set mwan3_connected dst -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_hook -j CONNMARK --restore-mark --nfmask 0x3f00 --ctmask 0x3f00
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_in
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_connected
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_out
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_rules
-A mwan3_hook -j CONNMARK --save-mark --nfmask 0x3f00 --ctmask 0x3f00
-A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_connected
-A mwan3_iface_in_wan -i eth0.2 -m set --match-set mwan3_connected src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_iface_in_wan -i eth0.2 -m mark --mark 0x0/0x3f00 -m comment --comment wan -j MARK --set-xmark 0x100/0x3f00
-A mwan3_iface_out_wan -o eth0.2 -m mark --mark 0x0/0x3f00 -m comment --comment wan -j MARK --set-xmark 0x100/0x3f00
-A mwan3_ifaces_in -m mark --mark 0x0/0x3f00 -j mwan3_iface_in_wan
-A mwan3_ifaces_out -m mark --mark 0x0/0x3f00 -j mwan3_iface_out_wan
-A mwan3_policy_default_poli -m mark --mark 0x0/0x3f00 -m comment --comment "wan 3 3" -j MARK --set-xmark 0x100/0x3f00
-A mwan3_rules -m mark --mark 0x0/0x3f00 -m comment --comment default_rule -j mwan3_policy_default_poli
COMMIT
# Completed on Tue Oct 13 11:26:08 2020
# Generated by iptables-save v1.6.2 on Tue Oct 13 11:26:08 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:GL_SPEC_OPENING - [0:0]
:forwarding_guestzone_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_ovpn_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_guestzone_rule - [0:0]
:input_lan_rule - [0:0]
:input_ovpn_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_guestzone_rule - [0:0]
:output_lan_rule - [0:0]
:output_ovpn_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guestzone_dest_ACCEPT - [0:0]
:zone_guestzone_dest_REJECT - [0:0]
:zone_guestzone_forward - [0:0]
:zone_guestzone_input - [0:0]
:zone_guestzone_output - [0:0]
:zone_guestzone_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_ovpn_dest_ACCEPT - [0:0]
:zone_ovpn_forward - [0:0]
:zone_ovpn_input - [0:0]
:zone_ovpn_output - [0:0]
:zone_ovpn_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -j GL_SPEC_OPENING
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i br-guest -m comment --comment "!fw3" -j zone_guestzone_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_ovpn_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i br-guest -m comment --comment "!fw3" -j zone_guestzone_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_ovpn_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o br-guest -m comment --comment "!fw3" -j zone_guestzone_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_ovpn_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_guestzone_dest_ACCEPT -o br-guest -m comment --comment "!fw3" -j ACCEPT
-A zone_guestzone_dest_REJECT -o br-guest -m comment --comment "!fw3" -j reject
-A zone_guestzone_forward -m comment --comment "!fw3: Custom guestzone forwarding rule chain" -j forwarding_guestzone_rule
-A zone_guestzone_forward -m comment --comment "!fw3: Zone guestzone to ovpn forwarding policy" -j zone_ovpn_dest_ACCEPT
-A zone_guestzone_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_guestzone_forward -m comment --comment "!fw3" -j zone_guestzone_dest_REJECT
-A zone_guestzone_input -m comment --comment "!fw3: Custom guestzone input rule chain" -j input_guestzone_rule
-A zone_guestzone_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: guestzone_DHCP" -j ACCEPT
-A zone_guestzone_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: guestzone_DNS" -j ACCEPT
-A zone_guestzone_input -p udp -m udp --dport 53 -m comment --comment "!fw3: guestzone_DNS" -j ACCEPT
-A zone_guestzone_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_guestzone_input -m comment --comment "!fw3" -j zone_guestzone_src_REJECT
-A zone_guestzone_output -m comment --comment "!fw3: Custom guestzone output rule chain" -j output_guestzone_rule
-A zone_guestzone_output -m comment --comment "!fw3" -j zone_guestzone_dest_ACCEPT
-A zone_guestzone_src_REJECT -i br-guest -m comment --comment "!fw3" -j reject
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to ovpn forwarding policy" -j zone_ovpn_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_ovpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_ovpn_forward -m comment --comment "!fw3: Custom ovpn forwarding rule chain" -j forwarding_ovpn_rule
-A zone_ovpn_forward -m comment --comment "!fw3: Zone ovpn to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_ovpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_ovpn_forward -m comment --comment "!fw3" -j zone_ovpn_dest_ACCEPT
-A zone_ovpn_input -m comment --comment "!fw3: Custom ovpn input rule chain" -j input_ovpn_rule
-A zone_ovpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_ovpn_input -m comment --comment "!fw3" -j zone_ovpn_src_ACCEPT
-A zone_ovpn_output -m comment --comment "!fw3: Custom ovpn output rule chain" -j output_ovpn_rule
-A zone_ovpn_output -m comment --comment "!fw3" -j zone_ovpn_dest_ACCEPT
-A zone_ovpn_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Tue Oct 13 11:26:08 2020

server runtime info:

bash-4.4# ip address show; ip route show; ip rule show; iptables-save
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 192.168.8.1/24 brd 192.168.8.255 scope global tun0
       valid_lft forever preferred_lft forever
79: eth0@if80: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:0a brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.10/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
default via 172.17.0.1 dev eth0
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.10
192.168.8.0/24 dev tun0 proto kernel scope link src 192.168.8.1
192.168.129.0/24 via 192.168.8.101 dev tun0
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
# Generated by iptables-save v1.6.1 on Tue Oct 13 11:27:09 2020
*nat
:PREROUTING ACCEPT [30:2218]
:INPUT ACCEPT [4:403]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.8.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.129.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Oct 13 11:27:09 2020
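The three things vgaetera asked to verify in the dumps above (ovpn to lan forwarding, masquerading on the VPN zone, and the input policy of the zone, plus the sysctl forwarding check) can be read mechanically from `iptables-save` output. This is an added example, not code from the thread or from OpenWrt; the dumps it parses are constructed excerpts in the same fw3 format as the ones posted, and the zone names `ovpn` and `lan` are taken from them.

```python
"""Audit an OpenWrt fw3 'iptables-save' dump for the three points raised in the thread:
ovpn->lan forwarding, masquerading on the VPN zone, and the zone's input policy."""
import re
import shlex

# Constructed excerpts in iptables-save format (not the full dumps from the thread).
BEFORE_DUMP = """\
*nat
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_ovpn_postrouting
-A zone_ovpn_postrouting -m comment --comment "!fw3" -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_ovpn_forward
-A zone_ovpn_forward -m comment --comment "!fw3: Custom ovpn forwarding rule chain" -j forwarding_ovpn_rule
-A zone_ovpn_forward -m comment --comment "!fw3" -j zone_ovpn_dest_REJECT
-A zone_ovpn_input -m comment --comment "!fw3" -j zone_ovpn_src_REJECT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
COMMIT
"""

AFTER_DUMP = """\
*nat
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_ovpn_postrouting
-A zone_ovpn_postrouting -m comment --comment "!fw3: Custom ovpn postrouting rule chain" -j postrouting_ovpn_rule
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_ovpn_forward
-A zone_ovpn_forward -m comment --comment "!fw3: Zone ovpn to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_ovpn_forward -m comment --comment "!fw3" -j zone_ovpn_dest_ACCEPT
-A zone_ovpn_input -m comment --comment "!fw3" -j zone_ovpn_src_ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
COMMIT
"""

# Constructed 'sysctl net.ipv4 | grep forward' lines, as the thread asks to check.
SYSCTL_OUTPUT = "net.ipv4.conf.all.forwarding = 1\nnet.ipv4.conf.tun0.forwarding = 1\nnet.ipv4.ip_forward = 1\n"


def parse_tables(dump):
    """Map table -> chain -> list of rules; a rule is (tokens, jump target)."""
    tables, table = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {})
        elif line == "COMMIT":
            table = None
        elif line.startswith("-A ") and table is not None:
            tokens = shlex.split(line)          # shlex keeps quoted comments as one token
            target = tokens[tokens.index("-j") + 1] if "-j" in tokens else None
            table.setdefault(tokens[1], []).append((tokens, target))
    return tables


def chain(tables, table, name):
    return tables.get(table, {}).get(name, [])


def zone_forwards_to(tables, src, dst):
    """fw3 expresses a 'src -> dst' forwarding as a jump to zone_<dst>_dest_ACCEPT."""
    return any(t == f"zone_{dst}_dest_ACCEPT" for _, t in chain(tables, "filter", f"zone_{src}_forward"))


def zone_masquerades(tables, zone):
    return any(t == "MASQUERADE" for _, t in chain(tables, "nat", f"zone_{zone}_postrouting"))


def zone_input_policy(tables, zone):
    """The last jump in zone_<zone>_input is zone_<zone>_src_<POLICY>; return that policy."""
    for _, target in reversed(chain(tables, "filter", f"zone_{zone}_input")):
        m = re.fullmatch(rf"zone_{re.escape(zone)}_src_(ACCEPT|REJECT|DROP)", target or "")
        if m:
            return m.group(1)
    return None


def forwarding_enabled(sysctl_output, iface):
    """Read 'net.ipv4.conf.<iface>.forwarding = 1' from sysctl output."""
    m = re.search(rf"^net\.ipv4\.conf\.{re.escape(iface)}\.forwarding = (\d)$", sysctl_output, re.M)
    return m is not None and m.group(1) == "1"


def audit(dump, vpn_zone="ovpn", lan_zone="lan"):
    """Return the findings a reviewer of the dump would raise; empty when all is well."""
    tables = parse_tables(dump)
    findings = []
    if not zone_forwards_to(tables, vpn_zone, lan_zone):
        findings.append(f"no {vpn_zone} -> {lan_zone} forwarding")
    if zone_masquerades(tables, vpn_zone):
        findings.append(f"masquerading enabled on zone {vpn_zone}")
    if zone_input_policy(tables, vpn_zone) != "ACCEPT":
        findings.append(f"input policy of zone {vpn_zone} is not ACCEPT")
    return findings


if __name__ == "__main__":
    print("before:", audit(BEFORE_DUMP))   # three findings
    print("after:", audit(AFTER_DUMP))     # []
```

Run it against a real dump by feeding the output of `iptables-save` to `audit()`; the same helpers work for any fw3 zone name.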

Make sure your LAN hosts allow incoming traffic and ping/ICMP in particular from outside the local subnet.

If the issue persists, troubleshoot it with traceroute and tcpdump.


I struggle a bit with your instructions, but I'll do my best.

Inside the openvpn-server container I am able to ping the OpenVPN client with the local subnet IP (192.168.129.1).
I am also able to ping another client in the subnet (192.168.129.n) (incl. wget of the web interface as a communication test).

On my Windows client ("Service") I ran "tracert 192.168.129.1" and think something is going wrong.

C:\Users\Chris>tracert 192.168.129.1
Routenverfolgung zu 192.168.129.1 über maximal 30 Hops

  1    <1 ms     1 ms     1 ms  fritz.box [192.168.123.1]   # <-- Local DHCP via Fritzbox
  2     2 ms     1 ms     1 ms  192.168.124.1   # <-- Internet connection device (connected to fritzbox)
  3     *        *        *     Zeitüberschreitung der Anforderung.

It seems it tries to find this device over the "local subnet".

I don't understand how my system (VPN client "Service") knows the route to 192.168.129.0/24?

Here is the route list while connected to the VPN server:

C:\Users\Chris>route print
===========================================================================
Schnittstellenliste
 14...00 15 5d 41 ba 4b ......Hyper-V Virtual Ethernet Adapter
 19...78 24 af 34 bc c8 ......Intel(R) Ethernet Connection (2) I218-V
 26...0a 00 27 00 00 1a ......VirtualBox Host-Only Ethernet Adapter
  7...80 1f 02 e1 8c 98 ......Microsoft Wi-Fi Direct Virtual Adapter
 16...80 1f 02 e1 8c 98 ......Microsoft Wi-Fi Direct Virtual Adapter #2
 20...00 ff 9a c9 1d 6e ......TAP-Windows Adapter V9
 25...80 1f 02 e1 8c 98 ......150Mbps Wireless 802.11bgn Nano USB Adapter
  1...........................Software Loopback Interface 1
===========================================================================

IPv4-Routentabelle
===========================================================================
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0    192.168.123.1   192.168.123.45     25
        127.0.0.0        255.0.0.0   Auf Verbindung         127.0.0.1    331
        127.0.0.1  255.255.255.255   Auf Verbindung         127.0.0.1    331
  127.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    331
    172.18.92.176  255.255.255.240   Auf Verbindung     172.18.92.177    271
    172.18.92.177  255.255.255.255   Auf Verbindung     172.18.92.177    271
    172.18.92.191  255.255.255.255   Auf Verbindung     172.18.92.177    271
      192.168.8.0    255.255.255.0   Auf Verbindung       192.168.8.2    291
      192.168.8.2  255.255.255.255   Auf Verbindung       192.168.8.2    291
    192.168.8.255  255.255.255.255   Auf Verbindung       192.168.8.2    291
     192.168.56.0    255.255.255.0   Auf Verbindung      192.168.56.1    281
     192.168.56.1  255.255.255.255   Auf Verbindung      192.168.56.1    281
   192.168.56.255  255.255.255.255   Auf Verbindung      192.168.56.1    281
    192.168.123.0    255.255.255.0   Auf Verbindung    192.168.123.45    281
   192.168.123.45  255.255.255.255   Auf Verbindung    192.168.123.45    281
  192.168.123.255  255.255.255.255   Auf Verbindung    192.168.123.45    281
        224.0.0.0        240.0.0.0   Auf Verbindung         127.0.0.1    331
        224.0.0.0        240.0.0.0   Auf Verbindung       192.168.8.2    291
        224.0.0.0        240.0.0.0   Auf Verbindung      192.168.56.1    281
        224.0.0.0        240.0.0.0   Auf Verbindung    192.168.123.45    281
        224.0.0.0        240.0.0.0   Auf Verbindung     172.18.92.177    271
  255.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    331
  255.255.255.255  255.255.255.255   Auf Verbindung       192.168.8.2    291
  255.255.255.255  255.255.255.255   Auf Verbindung      192.168.56.1    281
  255.255.255.255  255.255.255.255   Auf Verbindung    192.168.123.45    281
  255.255.255.255  255.255.255.255   Auf Verbindung     172.18.92.177    271
===========================================================================
Ständige Routen:
  Keine

IPv6-Routentabelle
===========================================================================
Aktive Routen:
 If Metrik Netzwerkziel             Gateway
  1    331 ::1/128                  Auf Verbindung
 20    291 fe80::/64                Auf Verbindung
 26    281 fe80::/64                Auf Verbindung
 19    281 fe80::/64                Auf Verbindung
 14    271 fe80::/64                Auf Verbindung
 14    271 fe80::815b:664f:a0fd:d632/128
                                    Auf Verbindung
 20    291 fe80::9503:faa5:3cda:4018/128
                                    Auf Verbindung
 26    281 fe80::dc64:da76:726b:7b24/128
                                    Auf Verbindung
 19    281 fe80::f812:5d9d:b0ea:b88a/128
                                    Auf Verbindung
  1    331 ff00::/8                 Auf Verbindung
 20    291 ff00::/8                 Auf Verbindung
 26    281 ff00::/8                 Auf Verbindung
 19    281 ff00::/8                 Auf Verbindung
 14    271 ff00::/8                 Auf Verbindung
===========================================================================
Ständige Routen:
  Keine

Tried to add a route to my Windows client (VPN client "Service") manually.

Used this command: route add 192.168.129.0 mask 255.255.255.0 192.168.8.101

Results in the following from the Windows client (VPN client "Service"):

  • Ping to 192.168.123.1 is possible
  • Ping to other devices in subnet 192.168.123.n is possible
  • Accessing the web interface of other devices in subnet 192.168.123.n is possible
  • Accessing the web interface of OpenWrt is NOT possible

Ends up in the same problem as at the beginning:
When I request any kind of data (e.g. an ssh command) the connection gets stuck after some transmitted bytes/packets/...

root@GL-MT300N-V2:~# uci show
ddns.global=ddns
ddns.global.ddns_dateformat='%F %R'
ddns.global.ddns_loglines='250'
ddns.global.upd_privateip='0'
ddns.myddns_ipv4=service
ddns.myddns_ipv4.lookup_host='yourhost.example.com'
ddns.myddns_ipv4.domain='yourhost.example.com'
ddns.myddns_ipv4.username='your_username'
ddns.myddns_ipv4.password='your_password'
# Waiting here for ages...

Add one of the following options to the server config:

# To redirect all traffic
push "redirect-gateway def1"

# To route a specific subnet
push "route 192.168.129.0 255.255.255.0 vpn_gateway 1000"

Change the input policy to ACCEPT for the ovpn zone, or create a custom firewall rule to allow incoming traffic to the web interface ports for that zone.


Added this solution to the server config. vpn-gateway is in my case 192.168.8.101.

The last issue is still the "terminated" communication of larger "responses" (e.g. web interface etc.). Ping is working (small data packets).

Example SSH session when connected to the OpenWrt VPN client via my Windows VPN client ("Service"):

root@GL-MT300N-V2:~# echo "Hellllllllllllllllllllllllllllll"
Hellllllllllllllllllllllllllllll
root@GL-MT300N-V2:~# echo "Hellllllllllllllllllllllllllllll"
Hellllllllllllllllllllllllllllll
root@GL-MT300N-V2:~# echo "Hellllllllllllllllllllllllllllll"
Hellllllllllllllllllllllllllllll
root@GL-MT300N-V2:~# echo "Hellllllllllllllllllllllllllllll"
Hellllllllllllllllllllllllllllll
root@GL-MT300N-V2:~# echo "Hellllllllllllllllllllllllllllll"
Hellllllllllllllllllllllllllllll
root@GL-MT300N-V2:~# echo "Hellllllllllllllllllllllllllllll"
Hellllllllllllllllllllllllllllll
root@GL-MT300N-V2:~# echo "Hellllllllllllllllllllllllllllll"
Hellllllllllllllllllllllllllllll
root@GL-MT300N-V2:~# echo "Hellllllllllllllllllllllllllllll"
Hellllllllllllllllllllllllllllll
root@GL-MT300N-V2:~# echo "Hellllllllllllllllllllllllllllll"
Hellllllllllllllllllllllllllllll
root@GL-MT300N-V2:~# echo "Hellllllllllllllllllllllllllllll"
Hellllllllllllllllllllllllllllll
root@GL-MT300N-V2:~# echo "Hellllllllllllllllllllllllllllll"
Hellllllllllllllllllllllllllllll
root@GL-MT300N-V2:~# echo "Hellllllllllllllllllllllllllllll"
Hellllllllllllllllllllllllllllll
root@GL-MT300N-V2:~# echo "Hellllllllllllllllllllllllllllll"
Hellllllllllllllllllllllllllllll
root@GL-MT300N-V2:~# echo "Hellllllllllllllllllllllllllllll"
Hellllllllllllllllllllllllllllll
root@GL-MT300N-V2:~# echo "Hellllllllllllllllllllllllllllll"
Hellllllllllllllllllllllllllllll
root@GL-MT300N-V2:~# echo "Short transmit works"
Short transmit works
root@GL-MT300N-V2:~# echo "Short transmit works"
Short transmit works
root@GL-MT300N-V2:~# echo "Short transmit works"
Short transmit works
root@GL-MT300N-V2:~# echo "Short transmit works"
Short transmit works
root@GL-MT300N-V2:~# echo "Short transmit works"
Short transmit works
root@GL-MT300N-V2:~# echo "Short transmit works"
Short transmit works
root@GL-MT300N-V2:~# echo "Short transmit works"
Short transmit works
root@GL-MT300N-V2:~# echo "Short transmit works"
Short transmit works
root@GL-MT300N-V2:~# echo "Following contains much data -> transmission abort?"
Following contains much data -> transmission abort?
root@GL-MT300N-V2:~# uci show
ddns.global=ddns
ddns.global.ddns_dateformat='%F %R'
ddns.global.ddns_loglines='250'
ddns.global.upd_privateip='0'
ddns.myddns_ipv4=service
ddns.myddns_ipv4.lookup_host='yourhost.example.com'
ddns.myddns_ipv4.domain='yourhost.example.com'
ddns.myddns_ipv4.username='your_username'
ddns.myddns_ipv4.password='your_password'

After this no more data is transmitted.
When I connect directly to the LAN with this device, the output of "uci show" works well.

Current settings are:


It should also work with the vpn_gateway as is.

Add to the server config:

mssfix
push mssfix

If this doesn't help, then also try the option fragment in accordance with the documentation.
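What the mssfix advice above does, as an added illustration (not code from the thread or from OpenVPN): OpenVPN rewrites the MSS option of TCP SYN segments crossing the tunnel so that, after encapsulation, its UDP packets stay under the configured size, which is the mechanism behind "small replies work, large ones stall". The script builds a constructed SYN, clamps its MSS the way mssfix and the iptables TCPMSS target do, and recomputes the TCP checksum; the addresses are the ones from the thread and the tunnel overhead passed to `mss_for_mssfix` is an assumed figure.

```python
"""Model of what OpenVPN's mssfix (and iptables TCPMSS) does: rewrite the MSS option
of TCP SYN segments so that encapsulated packets stay below the configured size."""
import socket
import struct

IP_TCP_HEADERS = 40  # IPv4 header (20) + TCP header without options (20)


def mss_for_mssfix(mssfix, tunnel_overhead):
    """Approximate MSS announced for a given mssfix value: mssfix bounds the encapsulated
    UDP payload, so subtract the inner IP/TCP headers and the tunnel's own overhead
    (cipher, HMAC, packet id), which is passed in as an assumed figure."""
    return mssfix - IP_TCP_HEADERS - tunnel_overhead


def tcp_checksum(src_ip, dst_ip, segment):
    """Ones-complement checksum over the IPv4 pseudo-header plus the TCP segment.
    Returns 0 when the segment's checksum field is already correct."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(mss, src_ip, dst_ip, sport=51000, dport=22):
    """Constructed minimal TCP SYN (no payload) carrying only an MSS option."""
    options = struct.pack("!BBH", 2, 4, mss)          # kind 2 = MSS, length 4, value
    data_offset = (20 + len(options)) // 4            # header length in 32-bit words
    seg = bytearray(struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                                (data_offset << 12) | 0x02, 65535, 0, 0) + options)
    struct.pack_into("!H", seg, 16, tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)


def walk_options(segment):
    """Yield (kind, offset_in_segment, value) for every TCP option."""
    end = (segment[12] >> 4) * 4
    i = 20
    while i < end:
        kind = segment[i]
        if kind == 0:            # end of option list
            return
        if kind == 1:            # NOP padding
            i += 1
            continue
        length = segment[i + 1]
        if length < 2 or i + length > end:
            raise ValueError("malformed TCP option")
        yield kind, i, segment[i + 2:i + length]
        i += length


def get_mss(segment):
    for kind, _, value in walk_options(segment):
        if kind == 2 and len(value) == 2:
            return struct.unpack("!H", value)[0]
    return None


def clamp_mss(segment, max_mss, src_ip, dst_ip):
    """Return the segment with its MSS option lowered to max_mss (if larger) and the
    checksum recomputed; non-SYN segments and SYNs without an MSS option pass unchanged."""
    if not segment[13] & 0x02:
        return segment
    seg = bytearray(segment)
    for kind, offset, value in walk_options(segment):
        if kind == 2 and len(value) == 2:
            if struct.unpack("!H", value)[0] > max_mss:
                struct.pack_into("!H", seg, offset + 2, max_mss)
            break
    else:
        return segment
    seg[16:18] = b"\x00\x00"
    struct.pack_into("!H", seg, 16, tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)


if __name__ == "__main__":
    # Addresses from the thread: the "Service" client (192.168.8.2) and the OpenWrt router.
    syn = build_syn(1460, "192.168.8.2", "192.168.129.1")
    target = mss_for_mssfix(1200, 40)   # 40 bytes of tunnel overhead is an assumed figure
    clamped = clamp_mss(syn, target, "192.168.8.2", "192.168.129.1")
    print(get_mss(syn), "->", get_mss(clamped))   # 1460 -> 1120
```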

U R MY HERO!!!

The problem is solved with the mssfix!

mssfix 1200
push mssfix

Useful link:

I will "summarize" all changes and "rebuild" this setup from default settings and write it down here :slight_smile:

@vgaetera: Thank you very much!

