Setting up OpenVPN for 2 VLANs

Hello everyone, I'm trying to set up OpenVPN from WAN to 2 VLANs. I managed to set up OpenVPN, but I can't ping the other VLANs. Are these VLANs secure from each other?
Can you help me with Firewall and Zones settings? Thank you.

server.conf

# OpenVPN server: UDP/1194 on a tun device, clients addressed out of 192.168.8.0/24.
# The daemon drops to nobody/nogroup after start-up; persist-key/persist-tun below
# let it survive SIGUSR1 restarts without needing root to reopen the key or device.
user nobody
group nogroup
dev tun
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
# Client-to-client traffic is switched inside the OpenVPN process, not the kernel,
# so the router's firewall zones do not see or filter traffic between VPN clients.
client-to-client
keepalive 10 60
persist-tun
persist-key
# Clients resolve DNS via the router's tunnel address and get 'lan' as search domain.
push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DOMAIN lan"
# Full-tunnel: every client packet is routed through the VPN, so client Internet
# traffic relies on the router's wan zone forwarding/masquerade.
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
# NOTE(review): no ca/cert/key/dh or tls-crypt/tls-auth lines appear in this
# excerpt — presumably trimmed from the post; confirm they exist in the real file.

dhcp

# dnsmasq serves DNS and DHCPv4 for the router-attached subnets.
# rebind_protection drops upstream answers that point at private addresses;
# localservice restricts DNS service to subnets on the router's own interfaces.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'

# DHCPv4 pool for 'lan': .100-.249, 12h leases.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'

# No DHCP server is offered on the wan side.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

# odhcpd handles IPv6 (RA/DHCPv6); maindhcp '0' leaves DHCPv4 to dnsmasq.
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Anonymous DHCP pool for the 'naslan' interface (same range/lease as 'lan').
config dhcp
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'naslan'

# DHCP pool for the 'LAN2' interface.
config dhcp 'LAN2'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'LAN2'

firewall

# Default policy: traffic to/from the router itself is accepted, traffic between
# zones is rejected unless a 'config forwarding' section allows it.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# 'lan' zone holds BOTH the lan and naslan interfaces plus every tun device.
# forward 'ACCEPT' here means lan <-> naslan <-> VPN clients can route freely
# inside this zone, and input 'ACCEPT' gives VPN clients the router's services.
# tun0 is also listed in the 'wan' zone below: one interface in two zones gives
# undefined precedence — an interface should belong to exactly one zone.
# 'naslan' is likewise repeated in 'nasZone' further down.
config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan naslan'
	list device 'tun+'

# Untrusted side: no unsolicited input, NAT (masq) for outbound traffic.
config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 tun0'

config forwarding
	option src 'lan'
	option dest 'wan'

# The rules from here to 'Allow-ISAKMP' are the stock OpenWrt wan input rules.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# The router answers ICMP echo from the wan side.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# IPsec pass-through from wan into the lan zone; only needed if a lan host
# terminates IPsec. Remove both rules if nothing does.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Hand-written iptables rules live in this file; they are not shown in the post.
config include
	option path '/etc/firewall.user'

# Second zone containing 'naslan' (already a member of 'lan' above).
# No interface named 'nasZone' appears in the posted network config.
config zone
	option name 'nasZone'
	option input 'ACCEPT'
	option forward 'REJECT'
	option network 'nasZone naslan'
	option output 'ACCEPT'

config forwarding
	option dest 'wan'
	option src 'nasZone'

# UPnP: lets hosts in the internal zones open inbound wan port mappings on
# their own. Disable the package if that capability is not required.
config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

# 'LAN2' gets its own zone; its only allowed forwarding is to wan.
config zone
	option input 'ACCEPT'
	option forward 'REJECT'
	option name 'LAN2Zone'
	option output 'ACCEPT'
	option network 'LAN2'

config forwarding
	option dest 'wan'
	option src 'LAN2Zone'

# Opens the OpenVPN listener (udp/1194 from server.conf) on the wan side.
config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'  

network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd8e:5370:d4ee::/48'

# Main LAN on VLAN 1: 192.168.10.0/24, no IPv6 prefix delegation (delegate '0').
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipaddr '192.168.10.1'

# Static wan on VLAN 2 with no 'gateway' option, so the router has no default
# route to the Internet in this revision (a lab/test setup per the thread).
config interface 'wan'
	option ifname 'eth0.2'
	option proto 'static'
	option ipaddr '192.168.100.1'
	option netmask '255.255.255.0'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr '74:da:88:ef:1c:29'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

# Switch layout: port 0 is the tagged CPU trunk ('0t'); each VLAN ID maps to
# one or more physical ports.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 4 5'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 1'
	option vid '2'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 2'
	option vid '3'

# NAS VLAN (VLAN 3): 10.10.0.0/24. 'gateway' points at this interface's own
# address and 'dns' is set on a LAN-side interface — neither belongs on a
# static internal network; a downstream LAN needs only ipaddr/netmask.
config interface 'naslan'
	option ifname 'eth0.3'
	option proto 'static'
	option ipaddr '10.10.0.1'
	option netmask '255.255.255.0'
	option gateway '10.10.0.1'
	option broadcast '10.10.0.255'
	option dns '8.8.8.8'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '0t 3'
	option vid '4'

# Second isolated VLAN (VLAN 4): 10.0.2.0/24.
config interface 'LAN2'
	option ifname 'eth0.4'
	option proto 'static'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipaddr '10.0.2.1'

# tun0 is created and addressed by OpenVPN itself (proto 'none'); this section
# only exists so the firewall can reference it as a network.
config interface 'tun0'
	option ifname 'tun0'
	option proto 'none'
  

tun and naslan defined in multiple firewall zones.
LAN2Zone is only allowed to forward to wan.
naslan interface shouldn't have gateway nor dns.
wan doesn't have default gateway.


Can somebody please help me correct the lines? I just need OpenVPN to access ALL zones, and the zones must stay separate from each other, thank you. WAN has a static address for test purposes. Thank you very much. I'm a noob :frowning:

Each interface must be member of one zone only.
Between two zones you must enable forwardings if you want traffic to flow from one to the other.


thank you trendy.
Finally I managed to get it working.

If someone else is interested, I'm posting my conf. In this example VLAN1 and VLAN2 see each other and OpenVPN clients have access to both VLANs. Removing the corresponding forwarding sections will disable that access.

UCI FIREWALL

# Default policy: router input/output accepted, inter-zone forwarding rejected
# unless a 'config forwarding' section below explicitly allows it.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# 'lan' now holds only the lan interface. No forwarding to or from VLAN1, VLAN2
# or OpenVPN is declared for it, so 192.168.10.0/24 is unreachable from VPN
# clients and from the other VLANs; it can only reach wan.
config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

# tun0 has been removed from the wan zone; it gets its own 'OpenVPN' zone below.
config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option mtu_fix '1'
	option network 'wan wan6'
	option forward 'REJECT'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wan'

# Stock OpenWrt wan input rules follow (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# dest '*' widens the stock lan-only IPsec pass-through to every zone,
# including VLAN1/VLAN2 and OpenVPN. Scope it to the one zone that actually
# terminates IPsec, or remove both rules if none does.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'
	option dest '*'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option dest '*'

# Hand-written iptables rules (contents not shown in the post).
config include
	option path '/etc/firewall.user'

# UPnP lets internal hosts request inbound wan port mappings on their own;
# disable the package if that is not wanted.
config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

# Opens the OpenVPN listener (udp/1194) on the wan side.
config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'

# One zone per VLAN, each rejecting forwarding by default; reachability is
# granted only by the explicit forwarding sections below.
config zone
	option input 'ACCEPT'
	option name 'VLAN1'
	option output 'ACCEPT'
	option network 'vlan1'
	option forward 'REJECT'

config zone
	option input 'ACCEPT'
	option name 'VLAN2'
	option output 'ACCEPT'
	option network 'vlan2'
	option forward 'REJECT'

config forwarding
	option dest 'wan'
	option src 'VLAN1'

config forwarding
	option dest 'wan'
	option src 'VLAN2'

# VLAN1 <-> VLAN2 are mutually reachable; drop this pair to isolate them.
config forwarding
	option dest 'VLAN2'
	option src 'VLAN1'

config forwarding
	option dest 'VLAN1'
	option src 'VLAN2'

# Dedicated zone for the tunnel. input 'ACCEPT' means VPN clients can reach
# every service on the router itself (DNS, SSH, web UI); set it to REJECT plus
# a DNS-only rule if clients should only reach VLAN hosts.
config zone
	option input 'ACCEPT'
	option forward 'REJECT'
	option name 'OpenVPN'
	option output 'ACCEPT'
	option network 'tun0'

# VPN clients may initiate to VLAN1, VLAN2 and the Internet. The reverse
# (VLAN -> OpenVPN) is not declared, so only reply traffic flows back to clients.
config forwarding
	option dest 'VLAN1'
	option src 'OpenVPN'

config forwarding
	option dest 'VLAN2'
	option src 'OpenVPN'

# Required because server.conf pushes redirect-gateway (full-tunnel clients).
config forwarding
	option dest 'wan'
	option src 'OpenVPN'

UCI NETWORK

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd8e:5370:d4ee::/48'

# Main LAN on VLAN 1: 192.168.10.0/24, no IPv6 prefix delegation.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipaddr '192.168.10.1'

# NOTE(review): 'dynamic' is not a netifd protocol name I recognize; a DHCP
# client wan is normally proto 'dhcp' — confirm this interface actually comes up.
config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dynamic'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr '74:da:88:ef:1c:29'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

# Switch layout: port 0 is the tagged CPU trunk ('0t'); VLAN IDs 1-4 map to
# the physical ports listed per section.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 4 5'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 1'
	option vid '2'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 2'
	option vid '3'

# First isolated VLAN (VLAN 3): 10.0.1.0/24. Plain static LAN interface —
# no gateway/dns options, unlike the earlier 'naslan' revision.
config interface 'vlan1'
	option ifname 'eth0.3'
	option proto 'static'
	option ipaddr '10.0.1.1'
	option netmask '255.255.255.0'
	option delegate '0'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '0t 3'
	option vid '4'

# Second isolated VLAN (VLAN 4): 10.0.2.0/24.
config interface 'vlan2'
	option ifname 'eth0.4'
	option proto 'static'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipaddr '10.0.2.1'

# tun0 is created and addressed by OpenVPN (proto 'none'); declared here only
# so the 'OpenVPN' firewall zone can reference it as a network.
config interface 'tun0'
	option ifname 'tun0'
	option proto 'none'
  

Thanks again!

