[SOLVED] Can't access devices: wrong firewall rule or missing route?

Hi, I'm experiencing difficulty connecting to my devices when I'm not at home.

I've configured an OpenVPN server (maybe I'm missing some firewall rules?). I connect to it when I'm not at home, and from there I can reach all of my LAN, but I miss some devices!

I added the route rule to my NAS and it seems to be OK; maybe I set up the OpenVPN server badly, or I made a mistake with the firewall?

Here is the route on my router:

root@OpenWrt:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0.2
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 br-lan
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
10.47.10.1      10.47.10.5      255.255.255.255 UGH   0      0        0 tun1
10.47.10.5      0.0.0.0         255.255.255.255 UH    0      0        0 tun1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0.2
209.222.18.222  0.0.0.0         255.255.255.255 UH    0      0        0 tun1

tun0 -> the OpenVPN server
tun1 -> the OpenVPN client (PIA)

This is the route from my NAS:

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 bond0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 bond0
10.8.0.0        10.0.0.1        255.255.255.0   UG    0      0        0 bond0

I also installed the PBR script and put

pull-filter ignore "redirect-gateway"
in the client configuration, so that the PBR rule works inside-out.

Here is the vpn-policy-routing config:

config vpn-policy-routing 'config'
	option enabled '1'
	option verbosity '2'
	option ipv6_enabled '0'
	option ipset_enabled '1'
	option dnsmasq_enabled '0'
	option strict_enforcement '1'
	option boot_timeout '30'
	list supported_interface 'PIA_VPN'
	list ignored_interface 'lan'

config include
	option path '/etc/vpn-policy-routing.netflix.user'
	option enabled '0'

config include
	option path '/etc/vpn-policy-routing.aws.user'
	option enabled '0'

config policy
	option chain 'PREROUTING'
	option name 'Nas'
	option local_address '10.0.0.100/32'
	option proto 'tcp udp'
	option interface 'PIA_VPN'

This is the support output:

root@OpenWrt:~# /etc/init.d/vpn-policy-routing support
vpn-policy-routing 0.0.7-7 running on OpenWrt 18.06.4.
============================================================
Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0.2
IPv4 Table 201: default via 192.168.1.1 dev eth0.2
IPv4 Table 201 Rules:
32727:  from all fwmark 0x10000 lookup 201
IPv4 Table 202: default via 10.47.10.5 dev tun1
IPv4 Table 202 Rules:
32726:  from all fwmark 0x20000 lookup 202
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 10.0.0.100/32 -p udp -m comment --comment Nas -c 3283 479683 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -s 10.0.0.100/32 -p tcp -m comment --comment Nas -c 5561 472261 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set PIA_VPN dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables FORWARD
-N VPR_FORWARD
============================================================
IP Tables INPUT
-N VPR_INPUT
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
============================================================
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create PIA_VPN hash:net family inet hashsize 1024 maxelem 65536 comment
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]

My modem is 192.168.1.1.
Router is 192.168.1.50, with DHCP on 10.0.0.1.
All my devices are under 10.0.0.x.

What am I missing?

J

What exactly are you missing? I don't get the point, what is not working...

Only one device cannot be reached from outside over your OpenVPN server, am I right?
Is the OpenVPN server on your router (default GW) or on your NAS?

From the routing table you posted, the server is running on your OpenWrt router.
Is the NAS the device you can't reach?
Is 10.0.0.1 the internal IP of your OpenWrt router (as you have written)?

10.8.0.0/24 is your VPN network (from your routing table, yes)? If yes, you don't need to define it on your NAS, because your default GW will handle the route.

What do you use vpn-policy-routing for?

You need to configure the OpenVPN server over TCP if you want to run server and client with gateway redirection.

Maybe it was not clear, but yes, my NAS.

Now I can reach all my LAN and the NAS too. I have another problem (since the very latest update), but for that I think I have to open a new post.

@vgaetera, @ThomasCr

I resolved this by following the documentation and with a lot of searching, because I'm a noob on firewalls etc.!!!!
The OpenVPN server is on UDP and working (until today, but that is a different problem).

So for me the solution is:

  1. Add this line to the client configuration:
    pull-filter ignore "redirect-gateway"
    In this way the rules I put inside Policies work vice-versa.
  2. Then only one policy:
    10.0.0.100/32 using the VPN interface
  3. Then from Advanced Configuration -> Append local IP Tables rules:
    ! -d 10.8.0.0/24

In this way I can reach my NAS when I connect from outside home.
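To see why step 3 is what makes the NAS reachable again, here is an added model of the mark-and-route decision from the support output above. It is not code from vpn-policy-routing or from the poster; it replays the VPR_PREROUTING mark rules and the fwmark ip-rule tables against constructed packets, once as the thread's original setup and once with the `! -d 10.8.0.0/24` exclusion appended to the NAS rule (my assumption about where "Append local IP Tables rules" lands). The VPN client address 10.8.0.6 and the internet address 93.184.216.34 are constructed sample inputs.

```python
import ipaddress

# Addresses and interfaces taken from the thread's routing tables.
NAS = ipaddress.ip_address("10.0.0.100")           # the policy's local_address
VPN_CLIENTS = ipaddress.ip_network("10.8.0.0/24")  # OpenVPN server subnet (tun0)
MARK_WAN = 0x10000   # -> table 201, default via eth0.2
MARK_VPN = 0x20000   # -> table 202, default via tun1 (PIA client)

# Main routing table from `route -n` on the router: (prefix, egress device).
MAIN_TABLE = [
    (ipaddress.ip_network("10.0.0.0/24"), "br-lan"),
    (ipaddress.ip_network("10.8.0.0/24"), "tun0"),
    (ipaddress.ip_network("192.168.1.0/24"), "eth0.2"),
    (ipaddress.ip_network("0.0.0.0/0"), "eth0.2"),
]
# Tables 201 and 202 each hold only a default route (see "Routes/IP Rules").
POLICY_TABLES = {MARK_WAN: "eth0.2", MARK_VPN: "tun1"}


def vpr_prerouting_mark(src, dst, exclude_vpn_clients):
    """Replay the VPR_PREROUTING chain and return the fwmark set on a packet.

    exclude_vpn_clients=True models the fix: `! -d 10.8.0.0/24` appended to
    the NAS rule, so NAS traffic toward OpenVPN clients stays unmarked.
    The wan/PIA_VPN ipset rules have no members in the support output, so
    they never match and are left out of this model.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src == NAS:
        if exclude_vpn_clients and dst in VPN_CLIENTS:
            return 0
        return MARK_VPN
    return 0


def egress_interface(dst, mark):
    """Policy-routing lookup: the fwmark rules (prio 32726/32727) are
    consulted before the main table (prio 32766), and a marked packet
    always hits the default route in table 201/202."""
    dst = ipaddress.ip_address(dst)
    if mark in POLICY_TABLES:
        return POLICY_TABLES[mark]
    # main table: longest-prefix match
    net, dev = max(((n, d) for n, d in MAIN_TABLE if dst in n),
                   key=lambda e: e[0].prefixlen)
    return dev


def path(src, dst, exclude_vpn_clients):
    """Interface the router forwards a src->dst packet out of."""
    return egress_interface(dst, vpr_prerouting_mark(src, dst, exclude_vpn_clients))


def reply_is_symmetric(client, exclude_vpn_clients):
    """True if the NAS's reply to an OpenVPN client leaves via tun0, the
    interface the client's request arrived on. If it leaves via tun1 the
    reply is swallowed by the PIA tunnel and the client sees a timeout."""
    return path(str(NAS), client, exclude_vpn_clients) == "tun0"


if __name__ == "__main__":
    vpn_client = "10.8.0.6"      # constructed: a client connected to tun0
    internet = "93.184.216.34"   # constructed: some public address
    for fixed in (False, True):
        print(f"'! -d 10.8.0.0/24' appended: {fixed}")
        print("  NAS -> VPN client  :", path("10.0.0.100", vpn_client, fixed))
        print("  NAS -> internet    :", path("10.0.0.100", internet, fixed))
        print("  LAN PC -> internet :", path("10.0.0.50", internet, fixed))
```

Without the exclusion, a request arriving from a VPN client over tun0 gets its reply from the NAS marked 0x20000 and sent out tun1 toward PIA, so the connection is asymmetric and never completes; with the exclusion, replies to 10.8.0.0/24 fall through to the main table and leave via tun0, while the NAS's internet traffic still goes out through the PIA tunnel as intended.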
