SSH through VPN

Hello,
I am trying to configure SSH access to the router from inside the VPN LAN, without success.

My configuration:

  • VPN server (WireGuard) running on remote VPS machine

  • OpenWrt is set up as a client (I've created a specific firewall zone for this)

  • Forward VPN to router IP
    -A zone_wg0_prerouting -p tcp -m tcp --dport XXXX -m comment --comment "!fw3: SSH Router IntraVPN" -j DNAT --to-destination 192.168.2.1:22

192.168.2.1 is the router's IP.

If I try to connect from another VPN client to SSH on the OpenWrt router, the connection is rejected, but if I try to connect to another machine behind the router, with a similar firewall rule created, the connection works wonderfully.

  • Add the router's IP and LAN to the allowed IPs in the peer section on the server.
  • Assign the VPN interface to the LAN firewall zone on the router.

Add the router's IP and LAN to the allowed IPs in the peer section on the server.

On the server all IPs are allowed: 0.0.0.0.0/24

Assign the VPN interface to the LAN firewall zone on the router.

I tried this without success, and I don't think mixing the LAN and the VPN in one global firewall zone is a brilliant idea.
I have to forward ports to LAN machines.

Make sure the VPN server has the route to your router and its LAN.
There's no need to forward ports between hosts connected to the VPN.
Both VPN and LAN should be mutually reachable with plain routing.
Just harden the server security, and the VPN can be considered trusted.
If you are feeling paranoid, then configure firewall rules to filter traffic.

This needs to be 0.0.0.0/0

The vpn zone must have a rule to accept input to the router - this can be global or targeted for port 22.


Yes, it's 0.0.0.0/0; in the previous post I was wrong.

I tried adding the VPN to the LAN zone without success.
Only the router is impossible to reach from VPN > LAN; other devices in the LAN are OK.

It works for me, so the issue should be on your side.
Start posting configs from each of the involved devices.

network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fdbf:65f8:9e2d::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'static'
	option netmask '255.255.255.0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	option ipaddr '172.16.0.2'
	option gateway '172.16.0.1'

config interface 'wg0'
	option proto 'wireguard'
	list addresses '10.66.66.9/32'
	list addresses 'fd42:42:42::9/128'
	option private_key '***'

config wireguard_wg0
	option endpoint_host '89.**.**.**'
	option description 'wg0'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	option public_key '***'
	option preshared_key '***'
	option endpoint_port '51820'

config interface 'WAN6'
	option proto 'dhcpv6'
	option device 'wan'
	option reqaddress 'try'
	option reqprefix 'auto'

firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'WAN6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config forwarding
	option src 'lan'
	option dest 'wg0'

config redirect
	option target 'DNAT'
	option name 'SSH Router IntraVPN'
	list proto 'tcp'
	option dest 'lan'
	option dest_ip '192.168.2.1'
	option src 'lan'
	option src_dport '35'
	option dest_port '22'

You have a few unnecessary rules currently since the wireguard and lan interfaces are both part of the lan zone. But let's try changing a few things here:

  • remove wg0 from your lan zone.
  • create a new wg zone and assign wg0 to the wg zone.
  • set the wg zone with input = accept, output = accept, forward = drop
  • remove the forwarding rule from lan > wg0 (this rule doesn't make sense since it is mixing a zone and an interface)
  • remove the redirect rule "SSH Router IntraVPN" since it doesn't do anything (based on the fact that both the source and dest are in the same zone).
  • optionally add forwarding from wg > lan (this is desired if you want to be able to connect to the rest of your LAN remotely via the wg connection, this does not apply to the router itself)
  • optionally add forwarding from lan > wg (if you want to be able to send traffic from your LAN out to/through the wg tunnel; again, this doesn't apply to the router itself).
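As an added example (not code from the thread or from the OpenWrt project), here is a small Python linter that checks an /etc/config/firewall for the issues the reply above points out: the VPN interface sharing the LAN zone, a forwarding whose dest is an interface name rather than a zone, a redirect whose src and dest are the same zone, and a VPN zone that does not accept input to the router on the SSH port. BROKEN is constructed to mirror the relevant sections of the posted config; FIXED shows the separate wg zone the reply recommends, using the targeted port-22 accept rule mentioned earlier in the thread instead of a global input=ACCEPT. The zone and interface names (lan, wg, wg0) and the rule name are assumptions taken from the thread.

```python
"""Added example, not code from the thread: a small linter for an OpenWrt
/etc/config/firewall that flags the problems raised in the reply above.
BROKEN and FIXED are constructed to mirror the poster's config and the fix;
the zone and interface names (lan, wg, wg0) are assumptions from it."""


def parse_uci(text):
    """Parse the UCI subset used in /etc/config/*: config / option / list."""
    sections = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 2)
        if not parts or parts[0].startswith('#'):
            continue
        if parts[0] == 'config':
            name = parts[2].strip("'\"") if len(parts) > 2 else None
            sections.append({'type': parts[1], 'name': name, 'opts': {}})
        elif parts[0] in ('option', 'list') and len(parts) == 3:
            key, val = parts[1], parts[2].strip("'\"")
            opts = sections[-1]['opts']
            if parts[0] == 'list':
                opts.setdefault(key, []).append(val)
            else:
                opts[key] = val
    return sections


def _as_list(v):  # both 'option network x' and 'list network x' occur
    return v if isinstance(v, list) else ([v] if v else [])


def lint_firewall(text, vpn_iface='wg0', ssh_port='22'):
    """Return human-readable findings; an empty list means clean."""
    secs = parse_uci(text)
    zones = [s['opts'] for s in secs if s['type'] == 'zone']
    rules = [s['opts'] for s in secs if s['type'] == 'rule']
    zone_names = {z.get('name') for z in zones}
    vpn_zones = [z for z in zones if vpn_iface in _as_list(z.get('network'))]
    findings = []
    # 1. The VPN interface wants its own zone so it gets its own input/forward
    #    policy instead of inheriting the LAN's.
    for z in vpn_zones:
        others = [n for n in _as_list(z.get('network')) if n != vpn_iface]
        if others:
            findings.append(f"{vpn_iface} shares zone {z['name']!r} with {others}")
    # 2. 'forwarding' src/dest take zone names; an interface name never matches.
    for s in secs:
        if s['type'] == 'forwarding':
            for k in ('src', 'dest'):
                if s['opts'].get(k) not in zone_names:
                    findings.append(f"forwarding {k}={s['opts'].get(k)!r} is not a zone")
    # 3. A redirect whose src and dest are the same zone does nothing useful.
    for s in secs:
        if s['type'] == 'redirect' and s['opts'].get('src') == s['opts'].get('dest'):
            findings.append(f"redirect {s['opts'].get('name')!r}: src == dest")
    # 4. VPN -> the router itself is INPUT, not FORWARD: the VPN zone needs
    #    input=ACCEPT or an explicit accept rule for the SSH port.
    for z in vpn_zones:
        ok = z.get('input') == 'ACCEPT' or any(
            r.get('src') == z['name'] and 'dest' not in r
            and r.get('dest_port') == ssh_port and r.get('target') == 'ACCEPT'
            for r in rules)
        if not ok:
            findings.append(f"zone {z['name']!r} does not accept input on port {ssh_port}")
    return findings


# Constructed: the relevant parts of the posted config (wg0 inside the lan zone,
# forwarding to an interface name, DNAT from lan to lan).
BROKEN = """config zone
	option name 'lan'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'
config forwarding
	option src 'lan'
	option dest 'wg0'
config redirect
	option name 'SSH Router IntraVPN'
	option src 'lan'
	option dest 'lan'
	option dest_port '22'
"""

# Constructed: separate wg zone, forwarding wg -> lan, SSH to the router
# allowed only from the wg zone (rule name is an assumption).
FIXED = """config zone
	option name 'lan'
	option input 'ACCEPT'
	list network 'lan'
config zone
	option name 'wg'
	option input 'REJECT'
	option forward 'DROP'
	list network 'wg0'
config forwarding
	option src 'wg'
	option dest 'lan'
config rule
	option name 'Allow-SSH-from-wg'
	option src 'wg'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'
"""
```

`lint_firewall(BROKEN)` returns three findings (wg0 sharing the lan zone, `dest='wg0'` not being a zone, and the lan-to-lan redirect), while `lint_firewall(FIXED)` returns an empty list; flipping the rule's target to REJECT reproduces the "does not accept input on port 22" finding. The linter only reads the static config; whether the rules are actually loaded (`iptables-save -c` / `nft list ruleset`) and whether the server routes the router's LAN still have to be checked as described later in the thread.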

--to-destination 10.66.66.9:22
If you need to access 192.168.2.0/24, then the server needs to know about it, either by routing via the allowed IPs in the WireGuard configuration or by a static route. In any case it must be added to the allowed IPs on the server.

The server and runtime configs are missing.
See the troubleshooting section in the wiki.


I tried this suggestion but it doesn't work.

Other devices connected to the router work flawlessly.

All IPs are allowed.

Can you link me to the section of the wiki?
Thanks

In short, you need to check the following on the server:

wg show; ip route show table all; ip rule show; \
iptables-save -c; nft list ruleset

The DNAT must be on the VPS, not on OpenWrt.

Yes, I changed it as you suggested but it doesn't work.

It appears to be the IP of this router. That means you're trying to DNAT to yourself or something.

When you link remote LANs by routing through a VPN, all the LANs should be different subnets.

Yes, the router IP is 192.168.2.1; the VPN client interface on the router is 10.66.66.9.

I've just tried every trick to reach the SSH port on the router through another VPN client, but nothing works.

Other devices connected to the router (with correct port forwarding) are OK through the VPN.

If you're ssh'ing to the router itself, why not use port 22 where dropbear is already listening?