Also, have you rebooted the router or at least restarted the firewall?
Yes!
ssh in again using 192.168.1.1 and then let's take a look at the output of ifconfig
@suibaf has now reached the maximum number of posts allowed per day by the forum software, so there is an 11-hour timeout. I got a DM directly with the ifconfig output. Here it is:
br-lan Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: xxxx::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
inet6 addr: xxxx:xxxx:xxxx::x/xx Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:262691 errors:0 dropped:0 overruns:0 frame:0
TX packets:645978 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:16431004 (15.6 MiB) TX bytes:897835650 (856.2 MiB)
eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:255729 errors:0 dropped:0 overruns:0 frame:0
TX packets:640286 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:19015224 (18.1 MiB) TX bytes:894835678 (853.3 MiB)
Interrupt:4
eth1 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet addr:192.168.0.28 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: xxxx::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:642848 errors:0 dropped:0 overruns:0 frame:0
TX packets:258194 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:896777062 (855.2 MiB) TX bytes:19424175 (18.5 MiB)
Interrupt:5
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:129 errors:0 dropped:0 overruns:0 frame:0
TX packets:129 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:11205 (10.9 KiB) TX bytes:11205 (10.9 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.6 P-t-P:255.255.255.0 Mask:255.255.255.255
inet6 addr: xxxx::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:92 errors:0 dropped:0 overruns:0 frame:0
TX packets:125 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:15861 (15.4 KiB) TX bytes:10848 (10.5 KiB)
wlan0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet6 addr: xxxx::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7372 errors:0 dropped:0 overruns:0 frame:0
TX packets:9539 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1208387 (1.1 MiB) TX bytes:4046051 (3.8 MiB)
wlan1 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet6 addr: xxxx::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2527 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:494809 (483.2 KiB)
At this point, I've exhausted all my ideas as to what is going wrong (unless there is something on the server side that is blocking this)... I am hoping someone else will see the root cause....
To recap:
- tun0 is set up as a network currently with proto none (this could be removed, but I don't think it would change the equation)
- tun0 as a network is associated with a firewall zone called vpn which has the same zone settings as lan. (If the tun0 network is deleted, tun0 could be defined as a device instead, but again, I don't think that's going to change this situation.)
- The tunnel is up and has an address of 10.8.0.6
- The router can ssh to the other OpenVPN clients and the server.
It just occurred to me that we have not looked at the dropbear file... I'll report back on that when the OP provides it... maybe that is where the issue lies.
It is also evident that dropbear is not listening on the tun0 IP.
OP could ssh directly to the lan IP, if there is a route, or do the redirect.
Hi,
dropbear config file:
config dropbear
option PasswordAuth 'on'
option Port '22'
option Interface 'lan'
config dropbear
option PasswordAuth 'on'
option Interface 'tun0'
and netstat -plnt output:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1609/uhttpd
tcp 0 0 10.8.0.6:53 0.0.0.0:* LISTEN 2703/dnsmasq
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 2703/dnsmasq
tcp 0 0 192.168.0.28:53 0.0.0.0:* LISTEN 2703/dnsmasq
tcp 0 0 192.168.1.1:53 0.0.0.0:* LISTEN 2703/dnsmasq
tcp 0 0 192.168.1.1:22 0.0.0.0:* LISTEN 2208/dropbear
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1609/uhttpd
tcp 0 0 :::80 :::* LISTEN 1609/uhttpd
tcp 0 0 fe80::9d38:a2b9:63ff:b57d:53 :::* LISTEN 2703/dnsmasq
tcp 0 0 fe80::3246:9aff:fe0b:88e0:53 :::* LISTEN 2703/dnsmasq
tcp 0 0 ::1:53 :::* LISTEN 2703/dnsmasq
tcp 0 0 xxxx::xxxx:xxxx:xxxx:xxxx:53 :::* LISTEN 2703/dnsmasq
tcp 0 0 xxxx:xxxx:xxxx::1:53 :::* LISTEN 2703/dnsmasq
tcp 0 0 fe80::3046:xxxx:xxxx:xxxx:53 :::* LISTEN 2703/dnsmasq
tcp 0 0 xxxx::xxxx:xxxx:xxxx:xxxx:53 :::* LISTEN 2703/dnsmasq
tcp 0 0 xxxx:xxxx:xxxx::1:22 :::* LISTEN 2208/dropbear
tcp 0 0 :::443 :::* LISTEN 1609/uhttpd
@trendy if tun0 does not work as is, it is not possible to access the router from outside (with the VPN).
From inside there is no problem because I can access it via lan.
Why is dropbear not listening on tun0? The dropbear config file is correct!
One solution is to change the dropbear to listen to all interfaces. Then it will not verify if tun0 has an IP configured in uci.
The other solution is the port forward to redirect the ssh traffic to the lan IP.
One solution is to change the dropbear to listen to all interfaces. Then it will not verify if tun0 has an IP configured in uci.
I tried! The result is that it is not possible to get in with ssh from anywhere!
The other solution is the port forward to redirect the ssh traffic to the lan IP
To do this I need to get inside first and then forward. But it's not possible to get into the router.
I think, after 2 days, that dropbear does not work very well on this router and on this OpenWrt.
Are the packets arriving to the router?
opkg update; opkg install tcpdump; tcpdump -i tun0 -c 10 -vn tcp port 22
Is dropbear listening to port 22 on the tun0 or all interfaces?
netstat -lnp | grep 22
Is it allowed on the firewall?
iptables-save -c
As you can see, dropbear is not listening on the VPN interface, as that interface was down when dropbear was started.
I restarted dropbear manually to be sure that the VPN is up! Nothing!
Are the packets arriving to the router?
Yes
root@OpenWrt:~# tcpdump -i tun0 -c 10 -vn tcp port 22
tcpdump: listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
14:35:22.820477 IP (tos 0x0, ttl 64, id 12005, offset 0, flags [DF], proto TCP (6), length 60)
10.8.0.14.42293 > 10.8.0.6.22: Flags [S], cksum 0x9815 (correct), seq 2535029828, win 64240, options [mss 1357,sackOK,TS val 267770014 ecr 0,nop,wscale 7], length 0
14:35:22.820677 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
10.8.0.6.22 > 10.8.0.14.42293: Flags [R.], cksum 0xe302 (correct), seq 0, ack 2535029829, win 0, length 0
No, and I don't know why.
root@OpenWrt:~# netstat -lnp | grep 22
tcp 0 0 192.168.1.1:22 0.0.0.0:* LISTEN 3988/dropbear
tcp 0 0 fd6c:aa45:6332::1:22 :::* LISTEN 3988/dropbear
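The two checks trendy asked for (is port 22 bound on the tunnel address, and how does the router answer a SYN arriving on tun0) can be applied offline to captured text, which is what the following added example does. It is not code from the thread or from OpenWrt; the function names are mine, and the sample netstat and tcpdump lines are constructed to mirror the outputs posted above. On a router you would feed in the real `netstat -lnp` and `tcpdump -i tun0 -vn tcp port 22` output instead. The point it makes explicit is the one in the capture above: a SYN answered by a RST means the packet reached the host and the kernel found no socket bound to that address and port, so the firewall is not what is blocking the connection; a firewall DROP would leave the SYN unanswered.

```shell
#!/bin/sh
# Added example, not code from the thread. Two offline checks on captured
# router output: which addresses a TCP port is bound to (netstat -lnp), and
# how the router answered a SYN on the tunnel (tcpdump). Function names and
# sample inputs are constructed; on the router, feed in the real
# "netstat -lnp" and "tcpdump -i tun0 -vn tcp port 22" output instead.

# Constructed netstat -lnp excerpt: dropbear is bound only to the lan address.
NETSTAT_SAMPLE='tcp 0 0 192.168.1.1:22 0.0.0.0:* LISTEN 3988/dropbear
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1609/uhttpd
tcp 0 0 10.8.0.6:53 0.0.0.0:* LISTEN 2703/dnsmasq
tcp 0 0 :::443 :::* LISTEN 1609/uhttpd'

# Constructed tcpdump excerpt: SYN to the tunnel address answered by RST/ACK.
TCPDUMP_SAMPLE='10.8.0.14.42293 > 10.8.0.6.22: Flags [S], seq 2535029828, win 64240, length 0
10.8.0.6.22 > 10.8.0.14.42293: Flags [R.], seq 0, ack 2535029829, win 0, length 0'

# Print the local addresses on which TCP port $2 is in LISTEN state in the
# netstat-style text $1 (one per line; "0.0.0.0" and "::" are wildcards).
listeners_on_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "tcp" && $6 == "LISTEN" {
            n = split($4, f, ":")          # IPv6 has colons too: the port is the last field
            if (f[n] == port) {
                sub(":" port "$", "", $4)  # drop the trailing :port, leaving the address
                print $4
            }
        }'
}

# Echo "yes" if some listener on port $2 covers address $1: an exact bind, the
# IPv4 wildcard 0.0.0.0, or the IPv6 wildcard :: (which on Linux also accepts
# IPv4 unless the socket is v6only). Text $3 is the netstat output.
covers_addr() {
    addr=$1; port=$2; text=$3
    for l in $(listeners_on_port "$text" "$port"); do
        case "$l" in
            "$addr"|0.0.0.0|::) echo yes; return 0 ;;
        esac
    done
    echo no
}

# Classify how the host at address $1 answered a SYN to TCP port $2 in the
# tcpdump text $3:
#   synack - a listener accepted the connection
#   rst    - SYN reached the host but no socket is bound there (the RST comes
#            from the kernel's TCP stack; a firewall DROP would not send one)
#   silent - SYN seen, no reply: look at the firewall or the return route
#   nosyn  - no SYN toward addr.port in the capture: traffic never arrived
classify_syn_reply() {
    dst="$1.$2"
    printf '%s\n' "$3" | awk -v dst="$dst" '
        $2 == ">" && $3 == (dst ":") && /Flags \[S\]/   { syn = 1 }
        $1 == dst && $2 == ">" && /Flags \[S\.\]/        { synack = 1 }
        $1 == dst && $2 == ">" && /Flags \[R\.?\]/       { rst = 1 }
        END {
            if (!syn)        print "nosyn"
            else if (synack) print "synack"
            else if (rst)    print "rst"
            else             print "silent"
        }'
}

# Usage on the samples (the thread's situation): port 22 is not bound on the
# tunnel address, and the SYN gets a RST back, so the missing listener, not
# the firewall, is what stops the OP.
covers_addr 10.8.0.6 22 "$NETSTAT_SAMPLE"           # prints: no
covers_addr 192.168.1.1 22 "$NETSTAT_SAMPLE"        # prints: yes
classify_syn_reply 10.8.0.6 22 "$TCPDUMP_SAMPLE"    # prints: rst
```

The awk field positions match the `netstat -lnp` and `tcpdump -vn` layouts shown in the thread, including tcpdump's indented address line after the `IP (tos ...)` header, since awk strips leading whitespace before splitting fields.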
Remove the last line. Reboot and try again.