[Solved] Can't reach system through VPN in a certain state

Hi,

I don't know how to describe this any better.
The issue is:
I have my router (R7800) behind a Unitymedia ConnectBox.
The ConnectBox is running on 192.168.1.1
The WAN IP of the R7800 is 192.168.1.9 and is configured as DMZ

The LAN is running on 192.168.8.0/24
This is all working fine.

I'm also running an OpenVPN server. Now what I'm trying to do is:

  1. Wake up my PC from the router.
  2. Connect to my PC from a VPN client (the PC is running Linux and runs dropbear in the initramfs so I can type in my LUKS password)

What happens right now is:

  1. Works but I had to use the wakeonlan package where I could specify the broadcast IP as 192.168.8.255. Etherwake did not work.
  2. This is the weird thing. If I connect to the router via SSH and then from there connect to my PC it works.
    If I connect directly from my VPN client it doesn't work and the connection just times out.
    Once the PC is running though I can connect just fine.

I had all of this working on my old router running Openwrt (WNDR3700)

Now I also tried to enable firewall logging but couldn't see anything interesting.

So in my understanding my VPN routing seems to work. The firewall should be ok, so I don't understand what's causing this.

The only difference is that once the PC is running, the network is in bridge mode, but it has the same IP, so I don't get it.

Any ideas?

Is the router configured to forward traffic between the VPN and the LAN?

When you connect through the VPN, the PC receives a connection from an IP address in the range of the VPN, not the LAN. Is the firewall in the PC configured to admit such connections?


Yes. I can access the router via its LAN IP from the client PC.
Also, once my PC has fully booted, I can access it via its LAN IP as well.
Router: 192.168.8.1
PC: 192.168.8.2

Also here are my configs below. Let me know if you need anything else.

/etc/config/firewall

# Global defaults: the router itself accepts input and output on all zones;
# forwarding between zones is denied unless a 'config forwarding' section
# further down permits it.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# NOTE(review): flow offloading lets established flows skip part of the
	# netfilter path, which may also keep them out of firewall logging;
	# worth disabling temporarily when "firewall logging shows nothing"
	# for a failing connection.
	option flow_offloading '1'

# lan zone: fully open in every direction for the 'lan' network.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

# wan zone: input to the router is rejected except for the explicit Allow-*
# rules below; traffic leaving via wan is masqueraded (NAT) and has its TCP
# MSS clamped. Per the thread the upstream ConnectBox exposes this router as
# its DMZ host, so this zone's REJECT default is the only filter in front of
# the router.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

# The Allow-* rules below appear to be the stock OpenWrt defaults for the wan
# zone (DHCP renewal, ping, IGMP, DHCPv6, MLD, ICMPv6, IPsec); none of them
# touch the VPN -> LAN path discussed in this thread.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Hook for hand-written iptables rules. Its contents are not shown in this
# thread, so an effect on the VPN path cannot be ruled out from here.
config include
	option path '/etc/firewall.user'

# Accepts TCP/443 to the router itself from every zone ('*' = any source
# zone; no 'dest' means the INPUT chain). This is what exposes the OpenVPN
# server (port 443 in /etc/config/openvpn) to the Internet via wan.
config rule 'Allow_OpenVPN_Inbound'
	option target 'ACCEPT'
	option src '*'
	option proto 'tcp'
	option dest_port '443'

# vpn zone: covers the 'vpn0' interface (tun0 in /etc/config/network).
# input 'ACCEPT' lets connected VPN clients reach every service the router
# runs (e.g. SSH, web UI); if VPN clients are not fully trusted, change this
# to 'REJECT' and add rules for the ports actually needed.
# masq '1' only applies to traffic leaving via the vpn zone (router/LAN ->
# clients); packets forwarded vpn -> lan are NOT masqueraded, so a LAN host
# sees the client's 10.8.0.0/24 address and needs a route (default gateway)
# back to it — consistent with the fix reported at the end of the thread
# (the initramfs ip= line lacked a gateway).
config zone 'vpn'
	option name 'vpn'
	option network 'vpn0'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option masq '1'

# lan -> wan: normal Internet access for the LAN.
config forwarding
	option dest 'wan'
	option src 'lan'

# vpn -> lan: the router does forward VPN client traffic into the LAN (this
# answers the forwarding question raised in the thread).
config forwarding
	option dest 'lan'
	option src 'vpn'

# vpn -> wan: VPN clients may also use the router as an Internet exit; only
# relevant for clients that route Internet traffic through the tunnel
# ('redirect-gateway' is commented out in /etc/config/openvpn).
config forwarding
	option dest 'wan'
	option src 'vpn'

# lan -> vpn: LAN hosts may initiate connections to VPN clients.
config forwarding
	option dest 'vpn'
	option src 'lan'

/etc/config/network


# Loopback interface.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

# LAN: a bridge over VLAN 1 (eth1.1) at 192.168.8.1/24; a /60 of the
# delegated IPv6 prefix is assigned to it (see wan6).
config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.8.1'

# WAN: static 192.168.1.9/24 on VLAN 2 (eth0.2); default gateway and DNS
# point at the upstream ConnectBox (192.168.1.1). Per the thread the
# ConnectBox exposes this address as its DMZ host, so unsolicited Internet
# traffic arrives here and is filtered only by the 'wan' firewall zone.
config interface 'wan'
	option ifname 'eth0.2'
	option proto 'static'
	option ipaddr '192.168.1.9'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	option dns '192.168.1.1'

# IPv6 on the same VLAN via DHCPv6.
config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

# Switch with VLAN filtering: VLAN 1 = ports 1-4 plus port 6 tagged (the
# tagged port presumably feeds eth1); VLAN 2 = port 5 plus port 0 tagged
# (presumably feeds eth0) — confirm against the R7800 port map.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

# vpn0: wraps the OpenVPN tun0 device in a UCI interface so the firewall's
# 'vpn' zone can reference it. 'proto none' because OpenVPN configures the
# device itself; no address is assigned here.
config interface 'vpn0'
	option ifname 'tun0'
	option proto 'none'
	option auto '1'

/etc/config/openvpn

# OpenVPN server instance 'myvpn' (TCP/443, TLS with PKCS#12 server identity).
config openvpn 'myvpn'
	option enabled '1'
	option dev 'tun'
	# TCP transport on 443; matches the firewall rule 'Allow_OpenVPN_Inbound'.
	option proto 'tcp'
	# /tmp is typically tmpfs on OpenWrt, so this log does not survive a reboot.
	option log '/tmp/openvpn.log'
	option verb '3'
	option ca '/etc/openvpn/ca.crt'
	# Server certificate and key come from the PKCS#12 bundle; the separate
	# cert/key options below are intentionally commented out.
	option pkcs12 '/etc/openvpn/my-server.p12'
#	option cert '/etc/openvpn/my-server.crt'
#	option key '/etc/openvpn/my-server.key'
	# Clients are addressed from 10.8.0.0/24. LAN hosts therefore see VPN
	# connections with a 10.8.0.x source address and need a route back to it
	# (which is what the fix at the end of the thread added on the PC).
	option server '10.8.0.0 255.255.255.0'
	option port '443'
	option keepalive '10 120'
	option dh '/etc/openvpn/dh2048.pem'
	# Push the LAN route to clients; with 'redirect-gateway' commented out,
	# only 192.168.8.0/24 goes through the tunnel.
	list push 'route 192.168.8.0 255.255.255.0'
#	option push 'redirect-gateway def1'
	option cipher 'AES-256-CBC'
	# HMAC authentication of the control channel. '0' is the key direction,
	# so clients must use direction '1' with the same ta.key.
	option tls_auth '/etc/openvpn/ta.key 0'
	# NOTE(review): this is not the usual 'option NAME VALUE' form — verify
	# how the init script renders it. Compression inside a VPN tunnel is
	# generally discouraged (VORACLE-style attacks); consider removing it.
	option compress lzo 'yes'
	# Clients can reach each other inside the tunnel.
	option client_to_client '1'
	option persist_key '1'
	option persist_tun '1'
	option sndbuf '393216'
	option rcvbuf '393216'
#	option fragment '0'
	# NOTE(review): MSS fixing disabled and a tun MTU far above 1500 are
	# non-default throughput tweaks for TCP transport; keep them in mind if
	# MTU/fragmentation symptoms appear (unrelated to the fix in this thread).
	option mssfix '0'
	option tun_mtu '24000'
	list push 'sndbuf 393216'
	list push 'rcvbuf 393216'
	# No CRL is checked while this stays commented out: a revoked client
	# certificate remains accepted until its expiry.
#	option crl_verify '/etc/easy-rsa/keys/crl.pem'

I managed to find a fix.
I'm using the kernel cmd line's ip= attribute.
I hadn't set the netmask and gateway. That didn't cause any issues before, but when I briefly switched to ip=dhcp it worked, so I added my manual IP again together with the gateway and netmask. Now everything works.
