I have an OpenVPN tunnel to a remote network on my home router and I am having some forwarding issues.
Could you please give me some suggestions on how to troubleshoot it?
The local tunnel interface on the router is this:
17: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 10.168.30.2/24 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::81e6:8e9a:524d:40/64 scope link stable-privacy
valid_lft forever preferred_lft forever
and I can ping the remote end of the tunnel:
root@mglinksys01:/etc/config# ping 10.168.30.1
PING 10.168.30.1 (10.168.30.1): 56 data bytes
64 bytes from 10.168.30.1: seq=0 ttl=64 time=19.360 ms
64 bytes from 10.168.30.1: seq=1 ttl=64 time=19.393 ms
64 bytes from 10.168.30.1: seq=2 ttl=64 time=18.541 ms
From the router, the remote port 443 on the server is open:
root@mglinksys01:/etc/config# nmap -sU 192.168.30.1 443
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-27 11:06 CEST
Nmap scan report for 192.168.30.1
Host is up (0.020s latency).
Not shown: 998 open|filtered udp ports (no-response)
PORT STATE SERVICE
53/udp open domain
123/udp open ntp
Nmap done: 2 IP addresses (1 host up) scanned in 12.31 seconds
But from my laptop it is not reachable:
$ sudo nmap -sU 192.168.30.1 443
[sudo] password for mgem:
Starting Nmap 7.95 ( https://nmap.org ) at 2024-08-27 11:07 CEST
Nmap done: 2 IP addresses (0 hosts up) scanned in 3.09 seconds
I also have PBR (policy-based routing) on the router, and this is the part relating to the OpenVPN connection:
config policy
option name 'FW04'
option dest_addr '192.168.30.0/24'
option interface 'vpnFW04'
option enabled '1'
This is in /etc/config/network:
config interface 'vpnFW04'
option proto 'none'
option device 'tun0'
And this is in /etc/config/firewall:
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'guest24'
option name 'guest24lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
list device 'tun0'
list device 'tun1'
list device 'WG0'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option family 'ipv4'
option target 'ACCEPT'
list icmp_type 'echo-request'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/pbr.firewall.include'
config forwarding
option src 'wan'
config zone 'guest24'
option name 'guest24'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest24'
config rule 'guest24_dns'
option name 'Allow-DNS-Guest'
option src 'guest24'
option dest_port '53'
option proto 'tcp udp'
option target 'ACCEPT'
config rule 'guest24_dhcp'
option name 'Allow-DHCP-Guest'
option src 'guest24'
option dest_port '67'
option proto 'udp'
option family 'ipv4'
option target 'ACCEPT'
config zone 'guest50'
option name 'guest50'
option network 'guest50'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config rule 'guest50_dns'
option name 'Allow-DNS-Guest'
option src 'guest50'
option dest_port '53'
option proto 'tcp udp'
option target 'ACCEPT'
config rule 'guest50_dhcp'
option name 'Allow-DHCP-Guest'
option src 'guest50'
option dest_port '67'
option proto 'udp'
option family 'ipv4'
option target 'ACCEPT'
config forwarding
option dest 'lan'
config forwarding
option dest 'lan'
In general, what is a good tool for troubleshooting this kind of issue?
I have tried using tcpdump on the router, but I only see the outgoing traffic:
# tcpdump -i br-lan host 192.168.30.1 -v
tcpdump: listening on br-lan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
10:20:49.072529 IP (tos 0x0, ttl 64, id 61528, offset 0, flags [DF], proto TCP (6), length 60)
dellg5.mgnet.net.47078 > 192.168.30.1.443: Flags [S], cksum 0x1441 (correct), seq 1988938425, win 64240, options [mss 1460,sackOK,TS val 1216959536 ecr 0,nop,wscale 7], length 0
10:20:50.099340 IP (tos 0x0, ttl 64, id 61529, offset 0, flags [DF], proto TCP (6), length 60)
dellg5.mgnet.net.47078 > 192.168.30.1.443: Flags [S], cksum 0x103e (correct), seq 1988938425, win 64240, options [mss 1460,sackOK,TS val 1216960563 ecr 0,nop,wscale 7], length 0
10:20:51.112728 IP (tos 0x0, ttl 64, id 61530, offset 0, flags [DF], proto TCP (6), length 60)
dellg5.mgnet.net.47078 > 192.168.30.1.443: Flags [S], cksum 0x0c49 (correct), seq 1988938425, win 64240, options [mss 1460,sackOK,TS val 1216961576 ecr 0,nop,wscale 7], length 0
10:20:52.122731 IP (tos 0x0, ttl 64, id 61531, offset 0, flags [DF], proto TCP (6), length 60)
dellg5.mgnet.net.47078 > 192.168.30.1.443: Flags [S], cksum 0x0857 (correct), seq 1988938425, win 64240, options [mss 1460,sackOK,TS val 1216962586 ecr 0,nop,wscale 7], length 0
10:20:53.136177 IP (tos 0x0, ttl 64, id 61532, offset 0, flags [DF], proto TCP (6), length 60)
dellg5.mgnet.net.47078 > 192.168.30.1.443: Flags [S], cksum 0x0462 (correct), seq 1988938425, win 64240, options [mss 1460,sackOK,TS val 1216963599 ecr 0,nop,wscale 7], length 0
10:20:54.152747 IP (tos 0x0, ttl 64, id 61533, offset 0, flags [DF], proto TCP (6), length 60)
dellg5.mgnet.net.47078 > 192.168.30.1.443: Flags [S], cksum 0x0069 (correct), seq 1988938425, win 64240, options [mss 1460,sackOK,TS val 1216964616 ecr 0,nop,wscale 7], length 0