Hi, I have a Netgear WNDR3700 router at home running OpenWrt 21.02.5. It is an OpenVPN client and the server is a VPS; my PC is also an OpenVPN client. I can connect via SSH from my PC on the LAN to the router, but over the VPN the router refuses the connection. This is my problem.
Over the VPN my PC can ping the router, and the VPS can ping both the router and my PC.
How can I solve this?
BR
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have
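# Diagnostics for the SSH-over-VPN question: board/release info, the network,
# dropbear and firewall UCI configuration, and the sockets the SSH daemon is
# listening on.
ubus call system board; \
uci export network; uci export dropbear; \
uci export firewall; netstat -lnp | grep -E ':22 |dropbear'
# The last filter matches the ":22 " local-address suffix or the dropbear
# process name; a bare "grep 22" would also match unrelated lines whose PID
# happens to contain "22" and would miss dropbear bound to a non-default port.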
You probably need to restart dropbear after the VPN connection is established.
Alternatively, you can configure a port forward from the VPN zone to the router's LAN IP, 22/TCP.
Here is the output. Thank you.
{
"kernel": "5.4.215",
"hostname": "OpenWrt",
"system": "Atheros AR7161 rev 2",
"model": "Netgear WNDR3700",
"board_name": "netgear,wndr3700",
"release": {
"distribution": "OpenWrt",
"version": "21.02.5",
"revision": "r16688-fa9a932fdb",
"target": "ath79/generic",
"description": "OpenWrt 21.02.5 r16688-fa9a932fdb"
}
}
package network
config interface 'loopback'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
option device 'lo'
config globals 'globals'
option ula_prefix 'xxxx:xxxx:xxxx::/48'
config interface 'lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option device 'br-lan'
option ipaddr '192.168.1.1'
config device 'lan_dev'
option name 'eth0'
option macaddr 'xx:xx:xx:xx:xx:xx'
config interface 'wan'
option proto 'dhcp'
option device 'eth1'
config interface 'wan6'
option proto 'dhcpv6'
option device 'eth1'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
option blinkrate '2'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 5'
config switch_port
option device 'switch0'
option port '1'
option led '6'
config switch_port
option device 'switch0'
option port '2'
option led '9'
config switch_port
option device 'switch0'
option port '5'
option led '2'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'tun0'
option device 'tun0'
option proto 'static'
package dropbear
config dropbear
option PasswordAuth 'on'
option Port '22'
option Interface 'lan'
config dropbear
option PasswordAuth 'on'
option Interface 'tun0'
option Port '22'
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
tcp 0 0 192.168.1.1:22 0.0.0.0:* LISTEN 2205/dropbear
tcp 0 0 xxxx:xxxx:xxxx::1:22 :::* LISTEN 2205/dropbear
If I run the dnsmasq restart, the output is:
root@OpenWrt:~# service dnsmasq restart
udhcpc: started, v1.33.2
udhcpc: sending discover
udhcpc: no lease, failing
root@OpenWrt:~#
My mistake, sorry - it should be dropbear, not dnsmasq.
As you can see, dropbear is not listening on the VPN interface, because that interface was down when dropbear was started.
OK, so do I restart Dropbear?
My personal choice is port forwarding, but you can add a hotplug script to restart the SSH server if you wish.
If I run the dropbear restart, the output is:
root@OpenWrt:~# /etc/init.d/dropbear restart
interface tun0 has no physdev or physdev has no suitable ip
The interface is set as static but doesn't have any IP assigned. You generally leave it as unmanaged and let OpenVPN handle the addresses.
Also, tun0 is not part of any firewall zone, which means it falls under the default policy, and the default input policy in your firewall config is ACCEPT (`option input 'ACCEPT'` under `config defaults`). So you are not being blocked by the firewall; note that this also means every service on the router is reachable from the tunnel until tun0 is placed in a zone with an explicit input policy.
And, as is evident from the netstat output, dropbear is not bound to the tun0 interface.
You can still SSH to the LAN IP from the OpenVPN side, since the result will be the same.
Now I have set the interface as unmanaged, but nothing has changed.
I don't understand what you mean, sorry. What can I do?
And, as is evident from the netstat output, dropbear is not bound to the tun0 interface.
You can still SSH to the LAN IP from the OpenVPN side, since the result will be the same.
Can you help me with port forwarding?
It's strange; in the past I had another OpenWrt router without this problem!
From the live system:
config zone 'zt'
option name 'zt'
option input 'REJECT'
option forward 'REJECT'
option output 'ACCEPT'
option network 'zt0'
option masq '1'
option mtu_fix '1'
config redirect 'zt_ssh'
option name 'ZT-Allow-ssh'
option target 'DNAT'
option src 'zt'
option dest 'lan'
option proto 'tcp'
option src_dport '22'
option dest_ip '192.168.1.1'
option dest_port '22'
Edit (inspired by @trendy): the example above is valid if you need NAT between the zones. Without NAT you only need to take care of routing between the subnets, and if you have a dedicated firewall zone for the VPN you will need a simple allow rule for the given port/protocol.
SSH directly to 192.168.1.1, provided there is a route in the tunnel for 192.168.1.0/24 via the tun0 address.
Where can I write this instruction?
/etc/config/firewall
Make sure you use your names, addresses and ports.
First of all, it is a list of zones, not interfaces.
You need to create a new zone (and assign the interface to it) in the interface configuration.