Ssh refused from openvpn

Hi, I have a Netgear WNDR3700 router at home running OpenWrt 21.02.5. The router is an OpenVPN client, the server is a VPS, and my PC is also an OpenVPN client. From my PC on the LAN I can connect to the router over SSH, but over the VPN the router refuses the connection. This is my problem.
Over the VPN my PC can ping the router, and the VPS can ping both the router and my PC.
How can I solve this?
BR

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export dropbear; \
uci export firewall; netstat -lnp | grep 22


You probably need to restart dropbear after VPN connection is established.
Alternatively you can configure a port forward (DNAT redirect) from the VPN zone to the router's LAN IP, 22/TCP.

Here the output. Thank you.

{
        "kernel": "5.4.215",
        "hostname": "OpenWrt",
        "system": "Atheros AR7161 rev 2",
        "model": "Netgear WNDR3700",
        "board_name": "netgear,wndr3700",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02.5",
                "revision": "r16688-fa9a932fdb",
                "target": "ath79/generic",
                "description": "OpenWrt 21.02.5 r16688-fa9a932fdb"
        }
}
package network

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'
        option ula_prefix 'xxxx:xxxx:xxxx::/48'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'br-lan'
        option ipaddr '192.168.1.1'

config device 'lan_dev'
        option name 'eth0'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth1'

config interface 'wan6'
        option proto 'dhcpv6'
        option device 'eth1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'
        option blinkrate '2'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5'

config switch_port
        option device 'switch0'
        option port '1'
        option led '6'

config switch_port
        option device 'switch0'
        option port '2'
        option led '9'

config switch_port
        option device 'switch0'
        option port '5'
        option led '2'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'tun0'
        option device 'tun0'
        option proto 'static'

package dropbear

config dropbear
        option PasswordAuth 'on'
        option Port '22'
        option Interface 'lan'

config dropbear
        option PasswordAuth 'on'
        option Interface 'tun0'
        option Port '22'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

tcp        0      0 192.168.1.1:22          0.0.0.0:*               LISTEN      2205/dropbear
tcp        0      0 xxxx:xxxx:xxxx::1:22    :::*                    LISTEN      2205/dropbear

If I run the dnsmasq restart, the output is:

root@OpenWrt:~# service dnsmasq restart
udhcpc: started, v1.33.2
udhcpc: sending discover
udhcpc: no lease, failing
root@OpenWrt:~#

My mistake, sorry - should be dropbear, not dnsmasq
As you can see from the netstat output, dropbear is not listening on the VPN interface, because that interface was down when dropbear was started.

OK, so do I restart dropbear?


My personal choice is port forwarding, but you can add a hotplug script to restart the SSH server if you wish.

If I run the dropbear restart, the output is:

root@OpenWrt:~# /etc/init.d/dropbear restart
interface tun0 has no physdev or physdev has no suitable ip

The interface is set as static but doesn't have any IP assigned, which is why dropbear reports that tun0 has no suitable IP. You generally leave it as unmanaged and let OpenVPN handle the addresses.
Also, tun0 is not part of any firewall zone, which means it falls under the default policy, and your defaults section has `option input 'ACCEPT'`, so you are not blocked by the firewall. Be aware that this also means every service on the router is reachable from the tunnel; once SSH works, put tun0 in its own zone with an explicit accept rule for 22/TCP instead of relying on the default input policy.
And as the netstat output shows, dropbear is not bound to the tun0 interface; it only listens on the LAN address 192.168.1.1:22.
You can still ssh to the LAN IP from the OpenVPN client, since the result will be the same, provided the tunnel routes 192.168.1.0/24 to the router.

Now I have set the interface as unmanaged, but nothing has changed.

I don't understand what you mean. Pardon. What can I do?

And as it is evident from the netstat, the tun0 interface is not bound to dropbear.
You can still ssh to the lan IP from the openvpn, since the result will be the same.

Can you help me with port forwarding?

It's strange; in the past I had another OpenWrt router without this problem!

From the live system:

config zone 'zt'
        option name 'zt'
        option input 'REJECT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'zt0'
        option masq '1'
        option mtu_fix '1'

config redirect 'zt_ssh'
        option name 'ZT-Allow-ssh'
        option target 'DNAT'
        option src 'zt'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '22'
        option dest_ip '192.168.1.1'
        option dest_port '22'

Edit (inspired by @trendy): the example above is valid if you need NAT between the zones. Without NAT you just need to take care of routing between the subnets, and if you have a dedicated firewall zone for the VPN you only need a simple accept rule for the given port/protocol in that zone (a traffic rule with src set to the VPN zone, not a redirect).

SSH directly to 192.168.1.1, provided there is a route in the tunnel for 192.168.1.0/24 via the tun0 address.

Where do I write this instruction?

In /etc/config/firewall.
Make sure you use your own zone names, addresses and ports.

Why don't I see tun in the firewall?

First of all, it is a list of zones, not interfaces.
You need to create a new zone and assign the tun0 interface to it (the assignment is done in the interface configuration).


I created a new zone and associated the interface with it:

then

I added the forwarding:

But it doesn't work!
BR