Hello everyone.
I have set up openvpn and have a dedicated VPN interface (tun0, unmanaged) with its own firewall zone. I set up the firewall rules so that the LAN zone is only able to connect via the VPN zone (killswitch) and this works great.
The problem occurs after a reboot: openvpn is unable to connect (and so never brings up the tun0 interface). For it to connect I need to allow the LAN zone to also forward via the WAN zone. Once that is allowed, it brings up tun0, and I then have to manually remove the WAN zone access again.
I have not managed to find a solution to simply be able to reboot the router without manually working the firewall rules, can anybody help?
Thanks a lot,
T
trendy
March 23, 2020, 9:23pm
2
Could you post the following configuration?
uci export network; uci export firewall; uci export dhcp; uci export openvpn; \
head -n -0 /etc/openvpn/*.conf ; ls -l /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
Redact any sensitive data, like usernames, passwords, keys and MAC addresses.
Use preformatted text to paste console output (the </> button)
Thanks for your quick reply, please see below the outputs:
root@OpenWrt:~# uci export network; uci export firewall; uci export dhcp; uci export openvpn;
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'xxxx:xxxx:xxx::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.0.1'
config device 'lan_eth0_1_dev'
option name 'eth0.1'
option macaddr 'xx:xx:xx:xx:xx:xx'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
option peerdns '0'
list dns '192.168.0.157'
config device 'wan_eth0_2_dev'
option name 'eth0.2'
option macaddr 'xx:xx:xx:xx:xx:xx'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
option reqprefix 'auto'
option reqaddress 'try'
option peerdns '0'
list dns '192.168.0.157'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 0t'
config interface 'VPN'
option ifname 'tun0'
option proto 'none'
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list device 'tun0'
option network 'wan wan6'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'xxxx::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option network 'VPN'
option forward 'REJECT'
option output 'ACCEPT'
option input 'REJECT'
option name 'VPN_FireW'
option masq '1'
option mtu_fix '1'
config forwarding
option dest 'VPN_FireW'
option src 'lan'
config forwarding
option dest 'wan'
option src 'lan'
package dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
package openvpn
config openvpn 'XXX'
option config '/etc/XXX.ovpn'
option enabled '1'
root@OpenWrt:~# head -n -0 /etc/openvpn/*.conf ; ls -l /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
head: /etc/openvpn/*.conf: No such file or directory
lrwxrwxrwx 1 root root 16 Feb 27 21:05 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r-- 1 root root 32 Mar 23 19:45 /tmp/resolv.conf
-rw-r--r-- 1 root root 83 Mar 23 19:45 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 192.168.0.157
# Interface wan6
nameserver 192.168.0.157
192.168.0.157 = pihole
See my openvpn config file below:
dev tun
fast-io
persist-key
persist-tun
nobind
remote xxx.xxx.com 1195
remote-random
pull
comp-lzo no
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
verb 3
cipher AES-256-CBC
keysize 256
auth SHA512
sndbuf 524288
rcvbuf 524288
auth-user-pass /etc/openvpn/xxxx.auth
<cert>
-----BEGIN CERTIFICATE-----
XXXX
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
XXX
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
XXXX
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
XXX
-----END CERTIFICATE-----
</ca>
You appear to be missing a traffic rule in the firewall allowing port 1195.
Try adding that and see if that fixes the problem.
Thanks a lot for your help. Just for the record I added it as follows:
config rule
option dest_port '1195'
option src '*'
option name 'XXX_VPN'
option dest 'wan'
option target 'ACCEPT'
This does not seem to help the problem.
trendy
March 24, 2020, 10:03am
6
The nameserver .157 is wrongly assigned under the wan and wan6 interfaces. It should be under lan, since it is reachable from the LAN interface.
In the firewall, zone wan has tun0 listed as a device, and then zone VPN_FireW has network VPN, which is also tun0; the same interface should not belong to both zones.
The port 1195 rule you added is not necessary, since there is lan->wan forwarding already.
If the comments above don't fix the issue, post here the output of logread -e openvpn
after a reboot.
Thank you very much trendy! After setting the wan and wan6 nameservers to 1.1.1.1 and assigning the pihole address as the custom DNS server via the lan interface everything seems to be working as expected.
Lastly, can I ask you if you think this is a good way to implement a killswitch?
Thanks again!
trendy
March 24, 2020, 11:52am
8
Not really.
You still allow lan to forward to wan altogether (the lan->wan forwarding), so if the vpn is down hosts can simply use wan instead.
What are your expectations from the killswitch?
As far as I understand, I now only allow lan traffic to be forwarded via the VPN firewall zone/tun0. This seems to be confirmed: when the openvpn connection drops, none of the lan machines are able to access the internet.
See below for clarity:
trendy
March 24, 2020, 12:05pm
10
If you changed something in the config you'll need to post again the config files. The screenshot doesn't show anything that helps understanding.
Sure thing, please see below. Openvpn config file remains as above.
root@OpenWrt:~# uci export network; uci export firewall; uci export dhcp; uci export openvpn;
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'xxxx:xxxx:xxxx::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.0.1'
list dns '192.168.0.157'
config device 'lan_eth0_1_dev'
option name 'eth0.1'
option macaddr 'xx:xx:xx:xx:xx:xx'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
option peerdns '0'
list dns '1.1.1.1'
config device 'wan_eth0_2_dev'
option name 'eth0.2'
option macaddr 'xx:xx:xx:xx:xx:xx'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
option reqprefix 'auto'
option reqaddress 'try'
option peerdns '0'
list dns '1.1.1.1'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 0t'
config interface 'VPN'
option ifname 'tun0'
option proto 'none'
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list device 'tun0'
option network 'wan wan6'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'xxxx::/6'
option dest_ip 'xxxx::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'xxxx::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option network 'VPN'
option forward 'REJECT'
option output 'ACCEPT'
option input 'REJECT'
option name 'VPN_FireW'
option masq '1'
option mtu_fix '1'
config forwarding
option dest 'VPN_FireW'
option src 'lan'
package dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
package openvpn
config openvpn 'xxxx'
option config '/etc/openvpn/xxxx.ovpn'
option enabled '1'
Let me know if this would work! Thanks again
trendy
March 24, 2020, 1:00pm
12
In network, under wan6 replace 1.1.1.1 with 2606:4700:4700::1111 (wan6 is the IPv6 interface, so it needs an IPv6 resolver address).
In firewall, under the wan zone the list device 'tun0' entry is still there; remove it so tun0 belongs only to the VPN_FireW zone.
Apart from that, it looks good!
Excellent, updated per your tips and works like a charm!
trendy
March 24, 2020, 1:30pm
14
If the problem is solved, feel free to mark the topic accordingly.