Trouble with static routing

I'm having trouble configuring my openwrt router to use a static route to forward traffic back to vpn clients, but I'm not sure what the next steps to take are in debugging or fixing the problem.

I set up an OpenVPN server in tun mode on a Raspberry Pi on my LAN. My router has fwknop (SPA port knocking) that forwards VPN connection requests to the OpenVPN server. Routing rules on the OpenVPN server and router are supposed to be bridging the two subnets.

  • my ovpn server config pushes a route for the LAN to clients
  • I set a static route on my router for the VPN subnet pointing at the VPN server
  • my ovpn server has ip forwarding enabled, with routes defined.

Currently, I can successfully

  • connect the vpn client to the vpn server through the port knocking
  • from the vpn client, ping the vpn server using either its VPN address or LAN address.
  • from the vpn client, ping the router LAN address
  • from the router, ping the vpn client
  • from the vpn server, ping the vpn client

The problem is, I don't seem to be able to fully talk to other devices on the LAN. Ping messages from the vpn client to other LAN clients don't get returned. However...

  • On a LAN client running Wireshark, I can see ping messages being received from the VPN client. When the LAN client sends its reply, it gets an ICMP redirect message back from the router, with a gateway address defined as the VPN server's LAN IP address. NOTE: I don't think this is what I want - what I really want is for the router to just forward the packets to the VPN server.
  • On a LAN client, if I manually set a route definition with the VPN server as a gateway for the VPN subnet (e.g. route add), I have full connectivity between the VPN client and that particular LAN client.

Why is my router sending redirect messages instead of forwarding packets?

Here is a diagram of the network.

VPN CLIENT           ROUTER      OVPNServer       MediaPC     NAS 
                     <============== LAN 10.10.1.x/24 ========================>
<==== OVPN TUNNEL 172.31.1.x/24 =======>
<--conn working -------->
<--conn working (ssh/ping/etc) -------->
<-- Not working (ssh/ping/etc) -------------------->
<-- Not working (ssh/ping/etc) ------------------------------->

Network Configuration

  • Router

    • OpenWRT

    • br-lan: 10.10.1.1

    • eth0: xx.xx.xx.xx (public ip)

    • routing table

      Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
      0.0.0.0         xx.xx.xx.xx     0.0.0.0         UG    0      0        0 eth0
      10.10.1.0       0.0.0.0         255.255.255.0   U     0      0        0 br-lan
      xx.xx.xx.xx     0.0.0.0         255.255.240.0   U     0      0        0 eth0
      172.31.1.0      10.10.1.21      255.255.255.0   UG    0      0        0 br-lan
      
    • IP Tables forwards VPN connections to OVPNServer (verified, working)

  • OVPNServer

    • eth0: 10.10.1.21

    • tun0: 172.31.1.1

    • tun0: P-t-P 172.31.1.2

    • net.ipv4.ip_forward=1

    • routing table:

      Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
      0.0.0.0         10.10.1.1       0.0.0.0         UG    0      0        0 eth0
      10.10.1.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
      172.31.1.0      172.31.1.2      255.255.255.0   UG    0      0        0 tun0
      172.31.1.2      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
      
    • /etc/openvpn/server.conf

      # IP address of the interface OpenVPN should listen on (optional)
      local 10.10.1.21
      proto tcp
      port 1194
      dev tun
      
      ca /etc/openvpn/ca.crt
      cert /etc/openvpn/xx.crt
      key /etc/openvpn/xx.key
      dh /etc/openvpn/xx.pem
      
      # OpenVPN Subnet - server will take 172.31.1.1
      server 172.31.1.0 255.255.255.0
      route 172.31.1.0 255.255.255.0
      push "route 10.10.1.0 255.255.255.0"
      
      push "dhcp-option DNS 10.10.1.1"
      
      # Tell Client to route all traffic through VPN
      push "redirect-gateway"
      
      # Allow clients to see each other
      client-to-client
      
      # Allow multiple clients to connect with the same cert/key files
      # Less secure but you have to manage less keys
      duplicate-cn
      
      # Ping every 10 seconds, client is gone if no response after 120s
      keepalive 10 120
      
      persist-key
      persist-tun
      
      verb 1
      log-append /var/log/openvpn.log
      
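The redirect question in the post comes down to how a Linux router decides, per packet, whether the next hop is "on the same link as the sender". The model below is an added example, not code from the post or from OpenWrt/OpenVPN: it rebuilds both routing tables shown above (the redacted `xx.xx.xx.xx` WAN addresses are replaced by constructed 203.0.113.0/20 documentation addresses), does a longest-prefix lookup, and applies a simplified form of the kernel's `send_redirects` condition: the packet would leave through the interface it arrived on, via a gateway that sits on the sender's own subnet. Two things it makes visible: the VPN-client-to-LAN direction never touches the router at all (the OVPN server has 10.10.1.0/24 directly connected on eth0), while the LAN-to-VPN replies go to the router and come back with a redirect; and the redirect is advisory, the router still forwards the packet, so a redirect alone does not explain lost replies.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]   # None means directly connected
    iface: str


def parse_route(dest: str, mask: str, gateway: str, iface: str) -> Route:
    """Build a Route from the Destination / Gateway / Genmask / Iface columns of `route -n`."""
    net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
    gw = None if gateway == "0.0.0.0" else ipaddress.ip_address(gateway)
    return Route(net, gw, iface)


# Router table from the post. 203.0.113.x is a constructed stand-in for the redacted public IP.
ROUTER_ROUTES: List[Route] = [
    parse_route("0.0.0.0", "0.0.0.0", "203.0.113.1", "eth0"),
    parse_route("10.10.1.0", "255.255.255.0", "0.0.0.0", "br-lan"),
    parse_route("203.0.113.0", "255.255.240.0", "0.0.0.0", "eth0"),
    parse_route("172.31.1.0", "255.255.255.0", "10.10.1.21", "br-lan"),
]

# OVPN server table from the post.
OVPN_ROUTES: List[Route] = [
    parse_route("0.0.0.0", "0.0.0.0", "10.10.1.1", "eth0"),
    parse_route("10.10.1.0", "255.255.255.0", "0.0.0.0", "eth0"),
    parse_route("172.31.1.0", "255.255.255.0", "172.31.1.2", "tun0"),
    parse_route("172.31.1.2", "255.255.255.255", "0.0.0.0", "tun0"),
]


def lookup(routes: List[Route], addr: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match, as the kernel FIB does it."""
    matches = [r for r in routes if addr in r.dest]
    return max(matches, key=lambda r: r.dest.prefixlen, default=None)


@dataclass(frozen=True)
class Decision:
    out_iface: str
    next_hop: ipaddress.IPv4Address
    redirect_to: Optional[ipaddress.IPv4Address]   # gateway named in an ICMP redirect, if one is sent


def forward(routes: List[Route], src: str, dst: str, in_iface: str,
            send_redirects: bool = True) -> Optional[Decision]:
    """Decide how a host forwards a packet that arrived on in_iface.

    The packet is always forwarded when a route exists; the ICMP redirect is an
    extra, advisory message sent back to the source. send_redirects stands in for
    net.ipv4.conf.<iface>.send_redirects.
    """
    src_addr = ipaddress.ip_address(src)
    dst_addr = ipaddress.ip_address(dst)
    route = lookup(routes, dst_addr)
    if route is None:
        return None                           # no route: would be ICMP unreachable, not modelled
    next_hop = route.gateway if route.gateway is not None else dst_addr

    redirect = None
    if send_redirects and route.gateway is not None and route.iface == in_iface:
        # Simplified kernel condition: leaving through the arrival interface via a
        # gateway on the sender's own connected subnet, so the sender could have
        # reached that gateway directly.
        connected = lookup(routes, src_addr)
        if (connected is not None and connected.gateway is None
                and connected.iface == in_iface and route.gateway in connected.dest):
            redirect = route.gateway
    return Decision(route.iface, next_hop, redirect)


if __name__ == "__main__":
    # LAN host 10.10.1.50 (constructed) replying to VPN client 172.31.1.6 (constructed) via the router
    print(forward(ROUTER_ROUTES, "10.10.1.50", "172.31.1.6", "br-lan"))
    # VPN client to LAN host: handled by the OVPN server, which has the LAN directly connected
    print(forward(OVPN_ROUTES, "172.31.1.6", "10.10.1.50", "tun0"))
```

Running it shows the LAN host's reply being forwarded out br-lan to 10.10.1.21 with a redirect to that same address, and the OVPN server delivering VPN-client traffic to the LAN host directly on eth0 with no redirect. Setting `send_redirects=False` (the sysctl equivalent on br-lan) removes the redirect but leaves the forwarding decision unchanged.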

I may have found a solution for my own problem - I think the firewall was preventing the static route from forwarding.

My firewall zone rules had been set to

lan > wan    input:accept    output:accept    forward:drop    masq:no    mssclamp:no
wan > drop   input:drop      output:accept    forward:drop    masq:yes   mssclamp:yes

I changed the lan "forward" policy to accept, and afterwards VPN clients could connect to any host on the LAN.

The only remaining question I have is: did changing the LAN forwarding policy to accept compromise my security in any way beyond allowing traffic to be forwarded to the VPN? Or is there a more restrictive way I could accomplish the same thing?

Here are my current firewall rules

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option network 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'
	option forward 'DROP'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

The default is ACCEPT anyway. You have only one interface assigned to the lan zone, so as long as you don't have a dedicated zone for the VPN, you'll have to live with that.
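To make the zone logic behind the self-answer and the reply concrete, here is an added example (my code, not OpenWrt's firewall implementation) that models how fw3 picks a verdict for a forwarded packet: the zones are found from the ingress and egress interfaces; traffic that enters and leaves the same zone gets that zone's `forward` policy; traffic between two zones is accepted only when a matching `config forwarding` exists and otherwise falls back to the `forward` policy under `config defaults`. Conntrack's acceptance of established/related return traffic and explicit `config rule` entries are left out. The first builder reproduces the zones from the post; the second is a hypothetical variant with the VPN server behind its own router interface `vpn0` (an assumption, the post has no such interface) in a dedicated `vpn` zone, which is what the reply above describes as the alternative to opening intra-lan forwarding.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Zone:
    name: str
    ifaces: Set[str]
    forward: str            # policy for traffic entering and leaving this same zone


@dataclass
class Firewall:
    zones: List[Zone]
    forwardings: Set[Tuple[str, str]]   # (src zone, dest zone) pairs from `config forwarding`
    default_forward: str                # `option forward` under `config defaults`

    def zone_of(self, iface: str) -> Optional[Zone]:
        for z in self.zones:
            if iface in z.ifaces:
                return z
        return None

    def forward_verdict(self, in_iface: str, out_iface: str) -> str:
        """Verdict for a packet arriving on in_iface that routing sends out of out_iface."""
        src_z = self.zone_of(in_iface)
        dst_z = self.zone_of(out_iface)
        if src_z is None or dst_z is None:
            return self.default_forward         # interface in no zone: defaults apply
        if src_z is dst_z:
            return src_z.forward                # intra-zone: the zone's own forward policy
        if (src_z.name, dst_z.name) in self.forwardings:
            return "ACCEPT"                     # inter-zone: needs an explicit forwarding
        return self.default_forward


def op_firewall(lan_forward: str) -> Firewall:
    """Zones from the post: lan on br-lan, wan on eth0, lan->wan forwarding, defaults REJECT."""
    return Firewall(
        zones=[Zone("lan", {"br-lan"}, lan_forward), Zone("wan", {"eth0"}, "DROP")],
        forwardings={("lan", "wan")},
        default_forward="REJECT",
    )


def dedicated_vpn_zone_firewall() -> Firewall:
    """Hypothetical variant: VPN server on its own router interface vpn0 in a 'vpn' zone,
    with only vpn->lan (and the original lan->wan) forwardings allowed."""
    return Firewall(
        zones=[
            Zone("lan", {"br-lan"}, "DROP"),
            Zone("vpn", {"vpn0"}, "DROP"),
            Zone("wan", {"eth0"}, "DROP"),
        ],
        forwardings={("lan", "wan"), ("vpn", "lan")},
        default_forward="REJECT",
    )


if __name__ == "__main__":
    # The LAN host's reply toward the VPN subnet enters and leaves the router on br-lan.
    for policy in ("DROP", "ACCEPT"):
        print(f"lan forward={policy}: br-lan -> br-lan =>",
              op_firewall(policy).forward_verdict("br-lan", "br-lan"))
    fw = dedicated_vpn_zone_firewall()
    print("vpn0 -> br-lan =>", fw.forward_verdict("vpn0", "br-lan"))
    print("br-lan -> vpn0 =>", fw.forward_verdict("br-lan", "vpn0"))
    print("vpn0 -> eth0   =>", fw.forward_verdict("vpn0", "eth0"))
```

With the post's zones, the reply from a LAN host to the VPN subnet is a br-lan to br-lan forward, so the lan zone's `forward` option alone decides it: DROP before the change, ACCEPT after, for every pair of LAN-zone interfaces. With a dedicated zone the same decision becomes an inter-zone one, so `config forwarding` entries (vpn to lan here) say exactly which directions are open and everything else falls back to the REJECT default.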