Hi, I'm experiencing difficulty connecting to my devices when I'm not at home.
I've configured an OpenVPN server (maybe I'm missing some firewall rules?). When I'm not at home I connect to it, and from there I can reach all my LAN, but I miss some devices!
I added the route to my NAS and it seems to be OK; maybe I set up the OpenVPN server badly, or I made a mistake with the firewall?
Here is the routing table on my router:
root@OpenWrt:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0.2
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
10.47.10.1 10.47.10.5 255.255.255.255 UGH 0 0 0 tun1
10.47.10.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0.2
209.222.18.222 0.0.0.0 255.255.255.255 UH 0 0 0 tun1
tun0 -> the OpenVPN server
tun1 -> the OpenVPN client (PIA)
This is the routing table from my NAS:
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.0.1 0.0.0.0 UG 0 0 0 bond0
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 bond0
10.8.0.0 10.0.0.1 255.255.255.0 UG 0 0 0 bond0
I have also installed the PBR script, and I put
pull-filter ignore "redirect-gateway"
in the client configuration so that the PBR rules work inside-out.
Here is the vpn-policy-routing config:
config vpn-policy-routing 'config'
	option enabled '1'
	option verbosity '2'
	option ipv6_enabled '0'
	option ipset_enabled '1'
	option dnsmasq_enabled '0'
	option strict_enforcement '1'
	option boot_timeout '30'
	list supported_interface 'PIA_VPN'
	list ignored_interface 'lan'

config include
	option path '/etc/vpn-policy-routing.netflix.user'
	option enabled '0'

config include
	option path '/etc/vpn-policy-routing.aws.user'
	option enabled '0'

config policy
	option chain 'PREROUTING'
	option name 'Nas'
	option local_address '10.0.0.100/32'
	option proto 'tcp udp'
	option interface 'PIA_VPN'
This is the support output:
root@OpenWrt:~# /etc/init.d/vpn-policy-routing support
vpn-policy-routing 0.0.7-7 running on OpenWrt 18.06.4.
============================================================
Dnsmasq version 2.80 Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0.2
IPv4 Table 201: default via 192.168.1.1 dev eth0.2
IPv4 Table 201 Rules:
32727: from all fwmark 0x10000 lookup 201
IPv4 Table 202: default via 10.47.10.5 dev tun1
IPv4 Table 202 Rules:
32726: from all fwmark 0x20000 lookup 202
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 10.0.0.100/32 -p udp -m comment --comment Nas -c 3283 479683 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -s 10.0.0.100/32 -p tcp -m comment --comment Nas -c 5561 472261 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set PIA_VPN dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables FORWARD
-N VPR_FORWARD
============================================================
IP Tables INPUT
-N VPR_INPUT
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
============================================================
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create PIA_VPN hash:net family inet hashsize 1024 maxelem 65536 comment
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]
My modem is 192.168.1.1.
The router is 192.168.1.50, with DHCP on 10.0.0.1.
All my devices are under 10.0.0.X.
What am I missing?
J
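The support output above contains everything needed to trace, by hand, where the router sends a given packet: the VPR_PREROUTING chain sets the fwmark (the two Nas rules match on source 10.0.0.100 and protocol only, with no destination), then the ip rules at priority 32726/32727 pick table 202 or 201 before the main table is ever consulted, and table 202 holds nothing but a default route via tun1. The following script is an added example, not code from the post or from the vpn-policy-routing project; it models that decision path offline with the rule and route data transcribed from the post. The packets it tests and the "what-if" ip rule at the end are constructed for illustration, and the local table is reduced to the two router addresses the post states (the server's own tun0 address is not given).

```python
"""Offline simulator of the routing decision the posted vpn-policy-routing
setup makes for a forwarded packet.  Added example, not code from the post
or from the vpn-policy-routing project.  Rule data is transcribed from the
support output; the packets and the what-if rule are constructed."""

from ipaddress import ip_address, ip_network

# iptables MARK --set-xmark VALUE/0xff0000 : mark = (mark & ~mask) ^ value
XMARK_MASK = 0xFF0000

# Both ipsets are created but hold no members in the post.
IPSETS = {"wan": [], "PIA_VPN": []}

# VPR_PREROUTING in evaluation order.  MARK is non-terminating, so every
# rule is still checked after a match.
VPR_PREROUTING = [
    {"src": "10.0.0.100/32", "proto": "udp", "dst_set": None, "value": 0x20000},
    {"src": "10.0.0.100/32", "proto": "tcp", "dst_set": None, "value": 0x20000},
    {"src": None, "proto": None, "dst_set": "PIA_VPN", "value": 0x20000},
    {"src": None, "proto": None, "dst_set": "wan", "value": 0x10000},
]

# ip rules, ascending priority: (prio, fwmark or None, dst or None, table).
# local (0) and main (32766) are kernel defaults; 32726/32727 are from the post.
IP_RULES = [
    (0, None, None, "local"),
    (32726, 0x20000, None, "202"),
    (32727, 0x10000, None, "201"),
    (32766, None, None, "main"),
]

# Route tables as (prefix, dev, gateway).  "local" is an assumption limited
# to the two router addresses the post states.
ROUTE_TABLES = {
    "local": [("10.0.0.1/32", "lo", None), ("192.168.1.50/32", "lo", None)],
    "202": [("0.0.0.0/0", "tun1", "10.47.10.5")],
    "201": [("0.0.0.0/0", "eth0.2", "192.168.1.1")],
    "main": [
        ("0.0.0.0/0", "eth0.2", "192.168.1.1"),
        ("10.0.0.0/24", "br-lan", None),
        ("10.8.0.0/24", "tun0", None),
        ("10.47.10.1/32", "tun1", "10.47.10.5"),
        ("10.47.10.5/32", "tun1", None),
        ("192.168.1.0/24", "eth0.2", None),
        ("209.222.18.222/32", "tun1", None),
    ],
}


def _in(addr, net):
    return net is not None and ip_address(addr) in ip_network(net)


def prerouting_mark(src, dst, proto, chain=VPR_PREROUTING):
    """Return the fwmark a forwarded packet carries after VPR_PREROUTING."""
    mark = 0
    for r in chain:
        if r["src"] and not _in(src, r["src"]):
            continue
        if r["proto"] and r["proto"] != proto:
            continue
        if r["dst_set"] and not any(_in(dst, n) for n in IPSETS[r["dst_set"]]):
            continue
        mark = (mark & ~XMARK_MASK) ^ r["value"]
    return mark


def lookup(dst, mark, rules=IP_RULES):
    """Walk ip rules in priority order; the first table holding a matching
    route (longest prefix) answers.  A table with no match falls through."""
    for _prio, fwmark, to, table in rules:
        if fwmark is not None and fwmark != mark:
            continue
        if to is not None and not _in(dst, to):
            continue
        best = None
        for prefix, dev, gw in ROUTE_TABLES[table]:
            net = ip_network(prefix)
            if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, dev, gw)
        if best:
            return table, best[1], best[2]
    return None, None, None


def route(src, dst, proto, rules=IP_RULES, chain=VPR_PREROUTING):
    """Full decision: mark in PREROUTING, then policy routing lookup."""
    mark = prerouting_mark(src, dst, proto, chain)
    table, dev, gw = lookup(dst, mark, rules)
    return {"mark": mark, "table": table, "dev": dev, "gw": gw}


# What-if (constructed, not a vpn-policy-routing option from the post): an
# ip rule ahead of the fwmark rules that sends anything destined for the
# OpenVPN server's subnet to the main table.
WHATIF_RULES = sorted(IP_RULES + [(32725, None, "10.8.0.0/24", "main")])

if __name__ == "__main__":
    for src, dst, proto in [("10.0.0.100", "10.8.0.5", "tcp"),
                            ("10.0.0.100", "10.8.0.5", "icmp"),
                            ("10.0.0.50", "10.8.0.5", "tcp")]:
        print(src, "->", dst, proto, route(src, dst, proto))
    print("what-if", route("10.0.0.100", "10.8.0.5", "tcp", WHATIF_RULES))
```

Running it shows the difference between the NAS and any other LAN host answering a client on 10.8.0.0/24: a TCP or UDP reply from 10.0.0.100 leaves with mark 0x20000 and is answered by table 202 (tun1), while the same reply from 10.0.0.50, or an ICMP reply from the NAS (the policy only lists tcp and udp), reaches the main table and goes out tun0. On the router itself, with the iproute2 `ip-full` package installed (busybox's `ip` may not accept `mark`), the kernel can be asked the same question directly with `ip route get 10.8.0.5 from 10.0.0.100 iif br-lan mark 0x20000`.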