Router as OpenVPN server, VPN client can't access LAN clients

I have set up an OpenVPN server on my router so that I can connect to my home server when I'm not at home. I have followed the guide in the wiki, and I can connect to the VPN and access LuCI via my router's IP address (192.168.1.1). Unfortunately, I cannot access my server (the hostname server.home correctly resolves to 192.168.1.30, but the connection times out) or any other device on the LAN. I guess I'm missing a firewall rule somewhere, but I have tried all the solutions suggested in other threads without success.

Here are some outputs commonly asked:

Server config:
# OpenVPN server config as posted (DH parameters and certificates elided by the author).
# Run as an unprivileged user after startup; persist-key/persist-tun below keep the key
# material and the tun device across restarts so nothing has to be re-opened as root.
user nobody
group nogroup
# Routed (layer-3) tunnel on UDP/1194; the 'Allow-OpenVPN' rule in /etc/config/firewall
# opens this port on the wan zone.
dev tun
port 1194
proto udp
# VPN clients are addressed from 192.168.8.0/24, a separate subnet from the LAN
# (192.168.1.0/24); the server itself takes 192.168.8.1 (tun0 in the 'ip -4 addr' output).
server 192.168.8.0 255.255.255.0
topology subnet
# Lets VPN clients reach each other. Such client-to-client traffic is switched inside
# the OpenVPN process and does not pass through the router's firewall.
client-to-client
keepalive 10 60
persist-tun
persist-key
# Clients are told to use the router (over the tunnel) for DNS, with 'home' as search domain.
push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DOMAIN home"
# NOTE(review): OpenVPN comment lines start with '#' or ';'. The trailing '//' text on the
# next line is not comment syntax; if it is literally present in the file it is read as
# extra parameters of 'push' rather than ignored. With 'redirect-gateway def1' below the
# explicit LAN route is redundant anyway, since all client traffic is already sent through
# the tunnel.
push "route 192.168.1.0 255.255.255.0"    // I added this line later, but didn't change anything
# All client traffic, not only LAN-bound traffic, is routed through the VPN.
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
-----BEGIN DH PARAMETERS-----
<...>
Client config:
# Client config as posted (tls-crypt-v2 key elided; the server address is redacted as XXXX).
user nobody
group nogroup
dev tun
# Do not bind a fixed local port; use an ephemeral one.
nobind
client
remote XXXX 1194 udp
# Do not keep the username/password cached in memory after use.
auth-nocache
# Accept only a server certificate issued with the server key usage, so a (leaked)
# client certificate cannot be used to impersonate the server.
remote-cert-tls server
<tls-crypt-v2>
-----BEGIN OpenVPN tls-crypt-v2 client key-----
<...>
/etc/firewall.user:
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Fill in the UDP checksum of outgoing packets bound for DHCP clients (dport 68 =
# bootpc, i.e. DHCP offers/acks) in the mangle POSTROUTING chain. '--checksum-fill'
# only computes a checksum where one is missing; presumably a workaround for a DHCP
# client that discards packets with an empty UDP checksum. This rule is unrelated to
# the VPN reachability problem discussed in this thread.
iptables -A POSTROUTING -t mangle -p udp --dport 68 -j CHECKSUM --checksum-fill
/etc/config/network:
# /etc/config/network as posted; review comments added ('#' lines are comments in UCI).
config globals 'globals'
        option ula_prefix 'fdae:3665:fcd5::/48'

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

# LAN side: br-lan carries 192.168.1.0/24 with the router at 192.168.1.1 (the address
# the VPN client can already reach for LuCI). The VPN subnet 192.168.8.0/24 lives on
# tun0, which OpenVPN creates itself; it is not configured here.
config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option device 'br-lan'
        option ipaddr '192.168.1.1'

# WAN on eth1 via DHCP. The 'ip -4 addr' output further down shows eth1 holding
# 192.168.2.100/24 with a default route via 192.168.2.1, i.e. this router sits behind
# another (presumably NATing) device; inbound UDP/1194 for OpenVPN must be passed
# through by that device too, which appears to be the case since clients can connect.
config interface 'wan'
        option proto 'dhcp'
        option device 'eth1'

config interface 'wan6'
        option proto 'dhcpv6'
        option device 'eth1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
/etc/config/firewall:
# /etc/config/firewall as posted (OpenWrt stock layout); review comments added.
# Inter-zone forwarding is rejected by default; only explicit 'config forwarding'
# sections, and same-zone traffic in a zone with forward ACCEPT, get through.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# The lan zone covers br-lan AND every tun* device ('list device tun+'), so OpenVPN
# clients are full members of the lan zone: input ACCEPT lets them reach the router
# itself (LuCI on 192.168.1.1, as observed), and forward ACCEPT allows tun0 -> br-lan
# traffic within the zone, which is why the tcpdump below shows the VPN client's
# packets leaving br-lan. A VPN client therefore has the same reach as a wired LAN
# host; a dedicated 'vpn' zone with explicit forwardings would allow narrower access
# if that is ever wanted.
config zone 'lan'
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list device 'tun+'

# wan zone: unsolicited input/forward rejected, outbound traffic source-NATed (masq).
# Because the server pushes 'redirect-gateway def1', the VPN clients' Internet traffic
# also exits here, NATed to the wan address.
config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

# The only inter-zone forwarding: lan (which includes tun+) -> wan.
config forwarding
        option src 'lan'
        option dest 'wan'

# OpenWrt default wan-side rules, unchanged from the stock config. Every rule below
# has src 'wan', so none of them affect tun+/lan traffic and none is involved in the
# VPN-to-LAN reachability problem.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

# Pulls in /etc/firewall.user (shown above) on every firewall (re)start.
config include
        option path '/etc/firewall.user'

# Accepts inbound OpenVPN on UDP/1194 from the wan zone to the router itself (no
# 'dest', so this is an input rule, not a forward). It appears to be the only custom
# rule added to the stock set.
config rule 'ovpn'
        option name 'Allow-OpenVPN'
        option src 'wan'
        option dest_port '1194'
        option proto 'udp'
        option target 'ACCEPT'
ip -4 addr; ip -4 ru; ip -4 ro ls tab all
It seems to look the same whether or not a client is connected:
root@OpenWrt:/etc/openvpn# ip -4 addr; ip -4 ru; ip -4 ro ls tab all
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.2.100/24 brd 192.168.2.255 scope global eth1
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
8: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    inet 192.168.8.1/24 scope global tun0
       valid_lft forever preferred_lft forever
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
default via 192.168.2.1 dev eth1 proto static src 192.168.2.100
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.100
192.168.8.0/24 dev tun0 proto kernel scope link src 192.168.8.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
broadcast 192.168.2.0 dev eth1 table local proto kernel scope link src 192.168.2.100
local 192.168.2.100 dev eth1 table local proto kernel scope host src 192.168.2.100
broadcast 192.168.2.255 dev eth1 table local proto kernel scope link src 192.168.2.100
broadcast 192.168.8.0 dev tun0 table local proto kernel scope link src 192.168.8.1
local 192.168.8.1 dev tun0 table local proto kernel scope host src 192.168.8.1
broadcast 192.168.8.255 dev tun0 table local proto kernel scope link src 192.168.8.1

Maybe one of you can help me fix this :slight_smile:

Your settings are correct. Check whether the LAN hosts have a firewall that blocks incoming packets from non-local networks.


My server is running Ubuntu Server 22.04 LTS. According to the docs it uses ufw, so I tried that:

flamingi@server:~$ sudo ufw status
Status: inactive

I assume this means the firewall is disabled? (I didn't change anything about that; is that the default setting?) Is there perhaps another firewall service in use?

I can't even ping my server; I'm not quite sure whether that would be blocked by a firewall as well.

Yes, even ping can be blocked. Try iptables-save -c to see which rules are actually loaded (the -c counters show which of them have matched packets).

We're getting into territory I'm a novice in, so I have to rely on your knowledge :innocent:

flamingi@server:~$ sudo iptables-save -c
# Generated by iptables-save v1.8.7 on Mon May 16 13:41:01 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
[16224702:16793574133] -A FORWARD -j DOCKER-USER
[16224702:16793574133] -A FORWARD -j DOCKER-ISOLATION-STAGE-1
[0:0] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o docker0 -j DOCKER
[0:0] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
[0:0] -A FORWARD -i docker0 -o docker0 -j ACCEPT
[10628557:16491549102] -A FORWARD -o br-89d700966e7c -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[2555:333660] -A FORWARD -o br-89d700966e7c -j DOCKER
[5593592:301691475] -A FORWARD -i br-89d700966e7c ! -o br-89d700966e7c -j ACCEPT
[2418:325728] -A FORWARD -i br-89d700966e7c -o br-89d700966e7c -j ACCEPT
[0:0] -A DOCKER -d 172.18.0.2/32 ! -i br-89d700966e7c -o br-89d700966e7c -p tcp -m tcp --dport 9001 -j ACCEPT
[0:0] -A DOCKER -d 172.18.0.2/32 ! -i br-89d700966e7c -o br-89d700966e7c -p tcp -m tcp --dport 8883 -j ACCEPT
[116:6688] -A DOCKER -d 172.18.0.4/32 ! -i br-89d700966e7c -o br-89d700966e7c -p tcp -m tcp --dport 443 -j ACCEPT
[0:0] -A DOCKER -d 172.18.0.4/32 ! -i br-89d700966e7c -o br-89d700966e7c -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A DOCKER -d 172.18.0.5/32 ! -i br-89d700966e7c -o br-89d700966e7c -p tcp -m tcp --dport 9000 -j ACCEPT
[0:0] -A DOCKER -d 172.18.0.5/32 ! -i br-89d700966e7c -o br-89d700966e7c -p tcp -m tcp --dport 8000 -j ACCEPT
[0:0] -A DOCKER -d 172.18.0.6/32 ! -i br-89d700966e7c -o br-89d700966e7c -p tcp -m tcp --dport 8123 -j ACCEPT
[0:0] -A DOCKER -d 172.18.0.3/32 ! -i br-89d700966e7c -o br-89d700966e7c -p tcp -m tcp --dport 5000 -j ACCEPT
[0:0] -A DOCKER -d 172.18.0.3/32 ! -i br-89d700966e7c -o br-89d700966e7c -p tcp -m tcp --dport 1935 -j ACCEPT
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
[5593592:301691475] -A DOCKER-ISOLATION-STAGE-1 -i br-89d700966e7c ! -o br-89d700966e7c -j DOCKER-ISOLATION-STAGE-2
[16224704:16793574237] -A DOCKER-ISOLATION-STAGE-1 -j RETURN
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-89d700966e7c -j DROP
[5593592:301691475] -A DOCKER-ISOLATION-STAGE-2 -j RETURN
[16224702:16793574133] -A DOCKER-USER -j RETURN
COMMIT
# Completed on Mon May 16 13:41:01 2022
# Generated by iptables-save v1.8.7 on Mon May 16 13:41:01 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
[2644:160993] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
[3670:220200] -A POSTROUTING -s 172.18.0.0/16 ! -o br-89d700966e7c -j MASQUERADE
[0:0] -A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p tcp -m tcp --dport 9001 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p tcp -m tcp --dport 8883 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.18.0.4/32 -d 172.18.0.4/32 -p tcp -m tcp --dport 443 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.18.0.4/32 -d 172.18.0.4/32 -p tcp -m tcp --dport 80 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.18.0.5/32 -d 172.18.0.5/32 -p tcp -m tcp --dport 9000 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.18.0.5/32 -d 172.18.0.5/32 -p tcp -m tcp --dport 8000 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.18.0.6/32 -d 172.18.0.6/32 -p tcp -m tcp --dport 8123 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.18.0.3/32 -d 172.18.0.3/32 -p tcp -m tcp --dport 5000 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.18.0.3/32 -d 172.18.0.3/32 -p tcp -m tcp --dport 1935 -j MASQUERADE
[0:0] -A DOCKER -i docker0 -j RETURN
[2505:150345] -A DOCKER -i br-89d700966e7c -j RETURN
[0:0] -A DOCKER ! -i br-89d700966e7c -p tcp -m tcp --dport 9001 -j DNAT --to-destination 172.18.0.2:9001
[0:0] -A DOCKER ! -i br-89d700966e7c -p tcp -m tcp --dport 8883 -j DNAT --to-destination 172.18.0.2:8883
[110:6376] -A DOCKER ! -i br-89d700966e7c -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.18.0.4:443
[0:0] -A DOCKER ! -i br-89d700966e7c -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.18.0.4:80
[0:0] -A DOCKER ! -i br-89d700966e7c -p tcp -m tcp --dport 9000 -j DNAT --to-destination 172.18.0.5:9000
[0:0] -A DOCKER ! -i br-89d700966e7c -p tcp -m tcp --dport 8000 -j DNAT --to-destination 172.18.0.5:8000
[0:0] -A DOCKER ! -i br-89d700966e7c -p tcp -m tcp --dport 8123 -j DNAT --to-destination 172.18.0.6:8123
[0:0] -A DOCKER ! -i br-89d700966e7c -p tcp -m tcp --dport 5000 -j DNAT --to-destination 172.18.0.3:5000
[0:0] -A DOCKER ! -i br-89d700966e7c -p tcp -m tcp --dport 1935 -j DNAT --to-destination 172.18.0.3:1935
COMMIT
# Completed on Mon May 16 13:41:01 2022

Temporarily enable masquerading on the lan zone to see whether it makes a difference (@zone[0] is the first zone section in /etc/config/firewall, which in your file is 'lan'):

uci set firewall.@zone[0].masq='1'
fw3 restart

That worked. You mentioned this would be a temporary fix; what would be the long-term solution?

A long-term fix is to identify the component that is blocking the incoming traffic. From a first look at the firewall output, nothing seems to be blocked there. Is it possible to try to ping or connect to a system without Docker? Maybe a mobile phone or a laptop.

I tried pinging various devices and get 100% packet loss for all of them. This still happens with various Windows PCs, iPhones and Android devices, even with masquerading turned on.

I can ping my Ubuntu server now, though...

Just to verify that it's not an OpenWrt issue: install tcpdump if you don't have it already (opkg update; opkg install tcpdump).
Then capture the packets on the LAN interface that come from the VPN:
tcpdump -i br-lan -vn net 192.168.8.0/24
Remove the masquerade applied earlier before you test, so the capture shows the unmodified source addresses.

I have removed the masquerade, restarted the firewall and the VPN server.

root@OpenWrt:/etc/openvpn# tcpdump -i br-lan -vn net 192.168.8.0/24
tcpdump: listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
16:37:37.745404 IP (tos 0x0, ttl 63, id 65208, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.8.2 > 192.168.1.30: ICMP echo request, id 7123, seq 1, length 64
16:37:38.813384 IP (tos 0x0, ttl 63, id 65218, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.8.2 > 192.168.1.30: ICMP echo request, id 7123, seq 2, length 64
16:37:39.767649 IP (tos 0x0, ttl 63, id 65368, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.8.2 > 192.168.1.30: ICMP echo request, id 7123, seq 3, length 64
16:37:40.790636 IP (tos 0x0, ttl 63, id 59, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.8.2 > 192.168.1.30: ICMP echo request, id 7123, seq 4, length 64
16:38:18.795879 IP (tos 0x0, ttl 63, id 13045, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.8.2 > 192.168.1.237: ICMP echo request, id 7125, seq 1, length 64
16:38:19.269462 IP (tos 0x0, ttl 64, id 52601, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.1.237 > 192.168.8.2: ICMP echo reply, id 7125, seq 1, length 64
16:38:19.798804 IP (tos 0x0, ttl 63, id 13205, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.8.2 > 192.168.1.237: ICMP echo request, id 7125, seq 2, length 64
16:38:19.826383 IP (tos 0x0, ttl 64, id 52653, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.1.237 > 192.168.8.2: ICMP echo reply, id 7125, seq 2, length 64
16:38:20.833980 IP (tos 0x0, ttl 63, id 13300, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.8.2 > 192.168.1.237: ICMP echo request, id 7125, seq 3, length 64
16:38:21.114726 IP (tos 0x0, ttl 64, id 52790, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.1.237 > 192.168.8.2: ICMP echo reply, id 7125, seq 3, length 64
16:38:21.813073 IP (tos 0x0, ttl 63, id 13451, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.8.2 > 192.168.1.237: ICMP echo request, id 7125, seq 4, length 64
16:38:21.878277 IP (tos 0x0, ttl 64, id 52803, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.1.237 > 192.168.8.2: ICMP echo reply, id 7125, seq 4, length 64
16:38:57.267006 IP (tos 0x0, ttl 63, id 1510, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.8.2 > 192.168.1.113: ICMP echo request, id 7126, seq 1, length 64
16:38:58.268537 IP (tos 0x0, ttl 63, id 1670, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.8.2 > 192.168.1.113: ICMP echo request, id 7126, seq 2, length 64
16:38:59.319100 IP (tos 0x0, ttl 63, id 1889, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.8.2 > 192.168.1.113: ICMP echo request, id 7126, seq 3, length 64
16:39:00.357555 IP (tos 0x0, ttl 63, id 2071, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.8.2 > 192.168.1.113: ICMP echo request, id 7126, seq 4, length 64
16:40:16.279310 IP (tos 0x0, ttl 63, id 10043, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.8.2.34196 > 192.168.1.30.443: Flags [S], cksum 0x6c9a (correct), seq 3994772899, win 65535, options [mss 1361,sackOK,TS val 4004349848 ecr 0,nop,wscale 10], length 0
16:40:17.335273 IP (tos 0x0, ttl 63, id 10044, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.8.2.34196 > 192.168.1.30.443: Flags [S], cksum 0x68a4 (correct), seq 3994772899, win 65535, options [mss 1361,sackOK,TS val 4004350862 ecr 0,nop,wscale 10], length 0
16:40:19.308608 IP (tos 0x0, ttl 63, id 10045, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.8.2.34196 > 192.168.1.30.443: Flags [S], cksum 0x60c8 (correct), seq 3994772899, win 65535, options [mss 1361,sackOK,TS val 4004352874 ecr 0,nop,wscale 10], length 0
16:40:23.587387 IP (tos 0x0, ttl 63, id 10046, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.8.2.34196 > 192.168.1.30.443: Flags [S], cksum 0x5048 (correct), seq 3994772899, win 65535, options [mss 1361,sackOK,TS val 4004357098 ecr 0,nop,wscale 10], length 0
16:41:38.845152 IP (tos 0x0, ttl 63, id 21716, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.8.2.34276 > 192.168.1.30.443: Flags [S], cksum 0x4ad9 (correct), seq 3086514871, win 65535, options [mss 1361,sackOK,TS val 4004432407 ecr 0,nop,wscale 10], length 0
16:41:39.864193 IP (tos 0x0, ttl 63, id 21717, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.8.2.34276 > 192.168.1.30.443: Flags [S], cksum 0x46e6 (correct), seq 3086514871, win 65535, options [mss 1361,sackOK,TS val 4004433418 ecr 0,nop,wscale 10], length 0
16:41:40.207662 IP (tos 0x0, ttl 63, id 50809, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.8.2.34278 > 192.168.1.30.443: Flags [S], cksum 0x2b51 (correct), seq 1825693730, win 65535, options [mss 1361,sackOK,TS val 4004433753 ecr 0,nop,wscale 10], length 0
16:41:41.200789 IP (tos 0x0, ttl 63, id 50810, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.8.2.34278 > 192.168.1.30.443: Flags [S], cksum 0x2760 (correct), seq 1825693730, win 65535, options [mss 1361,sackOK,TS val 4004434762 ecr 0,nop,wscale 10], length 0
16:41:41.885229 IP (tos 0x0, ttl 63, id 21718, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.8.2.34276 > 192.168.1.30.443: Flags [S], cksum 0x3f05 (correct), seq 3086514871, win 65535, options [mss 1361,sackOK,TS val 4004435435 ecr 0,nop,wscale 10], length 0
16:41:43.296958 IP (tos 0x0, ttl 63, id 50811, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.8.2.34278 > 192.168.1.30.443: Flags [S], cksum 0x1f80 (correct), seq 1825693730, win 65535, options [mss 1361,sackOK,TS val 4004436778 ecr 0,nop,wscale 10], length 0
16:41:46.046110 IP (tos 0x0, ttl 63, id 21719, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.8.2.34276 > 192.168.1.30.443: Flags [S], cksum 0x2f05 (correct), seq 3086514871, win 65535, options [mss 1361,sackOK,TS val 4004439531 ecr 0,nop,wscale 10], length 0
16:41:47.334923 IP (tos 0x0, ttl 63, id 50812, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.8.2.34278 > 192.168.1.30.443: Flags [S], cksum 0x0fbf (correct), seq 1825693730, win 65535, options [mss 1361,sackOK,TS val 4004440811 ecr 0,nop,wscale 10], length 0
16:41:49.003990 IP (tos 0x0, ttl 63, id 58853, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.8.2.34282 > 192.168.1.30.443: Flags [S], cksum 0x2938 (correct), seq 2261099985, win 65535, options [mss 1361,sackOK,TS val 4004442571 ecr 0,nop,wscale 10], length 0
16:41:50.107322 IP (tos 0x0, ttl 63, id 58854, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.8.2.34282 > 192.168.1.30.443: Flags [S], cksum 0x2539 (correct), seq 2261099985, win 65535, options [mss 1361,sackOK,TS val 4004443594 ecr 0,nop,wscale 10], length 0
16:41:52.107941 IP (tos 0x0, ttl 63, id 58855, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.8.2.34282 > 192.168.1.30.443: Flags [S], cksum 0x1d58 (correct), seq 2261099985, win 65535, options [mss 1361,sackOK,TS val 4004445611 ecr 0,nop,wscale 10], length 0
16:41:56.276082 IP (tos 0x0, ttl 63, id 58856, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.8.2.34282 > 192.168.1.30.443: Flags [S], cksum 0x0d18 (correct), seq 2261099985, win 65535, options [mss 1361,sackOK,TS val 4004449771 ecr 0,nop,wscale 10], length 0
16:42:00.550219 IP (tos 0x0, ttl 63, id 32660, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.8.2.34288 > 192.168.1.30.443: Flags [S], cksum 0xc4b4 (correct), seq 143219578, win 65535, options [mss 1361,sackOK,TS val 4004454108 ecr 0,nop,wscale 10], length 0
16:42:01.564986 IP (tos 0x0, ttl 63, id 32661, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.8.2.34288 > 192.168.1.30.443: Flags [S], cksum 0xc0c6 (correct), seq 143219578, win 65535, options [mss 1361,sackOK,TS val 4004455114 ecr 0,nop,wscale 10], length 0
16:42:03.597706 IP (tos 0x0, ttl 63, id 32662, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.8.2.34288 > 192.168.1.30.443: Flags [S], cksum 0xb8e6 (correct), seq 143219578, win 65535, options [mss 1361,sackOK,TS val 4004457130 ecr 0,nop,wscale 10], length 0
16:42:07.775149 IP (tos 0x0, ttl 63, id 32663, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.8.2.34288 > 192.168.1.30.443: Flags [S], cksum 0xa8a6 (correct), seq 143219578, win 65535, options [mss 1361,sackOK,TS val 4004461290 ecr 0,nop,wscale 10], length 0
16:44:47.514610 IP (tos 0x0, ttl 63, id 57654, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.8.2 > 192.168.1.233: ICMP echo request, id 7128, seq 1, length 64
16:44:48.572486 IP (tos 0x0, ttl 63, id 57761, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.8.2 > 192.168.1.233: ICMP echo request, id 7128, seq 2, length 64
16:44:49.540628 IP (tos 0x0, ttl 63, id 57949, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.8.2 > 192.168.1.233: ICMP echo request, id 7128, seq 3, length 64
16:44:50.580575 IP (tos 0x0, ttl 63, id 58158, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.8.2 > 192.168.1.233: ICMP echo request, id 7128, seq 4, length 64
16:44:51.610543 IP (tos 0x0, ttl 63, id 58328, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.8.2 > 192.168.1.233: ICMP echo request, id 7128, seq 5, length 64
16:44:52.642621 IP (tos 0x0, ttl 63, id 58367, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.8.2 > 192.168.1.233: ICMP echo request, id 7128, seq 6, length 64
16:44:53.672857 IP (tos 0x0, ttl 63, id 58623, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.8.2 > 192.168.1.233: ICMP echo request, id 7128, seq 7, length 64

First, I tried to ping my Ubuntu server (192.168.1.30): no answer and 100% packet loss. Then I pinged a Xiaomi Mi 11 Android phone (192.168.1.237), where I surprisingly did get an answer. Next on the list was an iPhone (192.168.1.113). I'm not quite sure what the next requests to my server are (the TCP connection attempts to port 443); I did not ping anything at that point, so maybe it was one of my installed apps checking access in the background (e.g. Home Assistant). Finally I tried to ping a Windows machine (192.168.1.233), again without any answer.

The successful reply from the Xiaomi, together with the capture showing the requests to the other hosts leaving br-lan, confirms that everything is configured properly on the OpenWrt side. The LAN hosts that drop the packets either have a firewall blocking incoming connections from outside their own subnet or do not have a default gateway configured. Either way it is something you should look into: enabling masquerade on the lan zone can be a workaround, but it costs extra CPU cycles and makes every VPN client appear to the LAN hosts as 192.168.1.1, so their firewalls and logs can no longer tell VPN clients apart.


Well, good to hear I'm able to follow guides :smiley:
I tried turning off my Windows firewall and, look at that, it answered my pings.

I'm not that experienced when it comes to networking, but from what I understand, if the VPN clients had an IP in the same 192.168.1.0/24 subnet, then my server's firewall wouldn't block the requests. Is that correct?

That would leave me with two options:

  • Keep the VPN settings as they are, in the 192.168.8.0/24 subnet, and configure the firewall correctly
  • Leave the firewall as it is and change the VPN clients to use the 192.168.1.0/24 subnet

Which of those would be the better one to pursue? (Or if there is an even better third option, feel free to mention that as well)

You could change the VPN subnet to 192.168.1.0/24, but then you'd need to change the tunnel to tap (bridged) mode. Keeping the separate 192.168.8.0/24 subnet and allowing it in the hosts' firewalls, rather than disabling them, needs no change to the tunnel.
