Vpn client turn off port forwarding

paminh666 · October 27, 2022, 9:41pm

Hello people,
I have openwrt on my router and I am passing ports 80 and 443 to a raspberry pi4 with nextcloud.
Everything works fine. Also I have a VPN client with a VPN provider. This I have installed and also works great. All devices in my LAN use this VPN client by default.
But as soon as the VPN client is running, the ports 80 and 443 are no longer accessible from the outside. If I turn off the VPN, the Raspberry pi is immediately accessible again.

Maybe someone could point me in the right direction.

firewall:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option drop_invalid '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        option input 'REJECT'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone 'vpn_client'
        option name 'vpn_cl'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list device 'vpn1'
        list device 'vpn2'

config forwarding 'vpn_client_forward'
        option dest 'vpn_cl'
        option src 'lan'

config redirect
        option dest_port '80'
        option src 'wan'
        option name 'pi80'
        option src_dport '80'
        option dest 'lan'
        option dest_ip '192.168.1.10'
        option target 'DNAT'

config redirect
        option dest_port '443'
        option src 'wan'
        option name 'pi443'
        option src_dport '443'
        option dest 'lan'
        option dest_ip '192.168.1.10'
        option target 'DNAT'

sorry for my english, translate with DeepL

kind regards paminh

psherman · October 27, 2022, 11:42pm

You almost certainly will need policy based routing to achieve this goal. The issue is fairly simple -- when the VPN is enabled, the default gateway (i.e. egress traffic) is via the VPN. This means that traffic entering the router by the normal WAN and port forwarding rules will end up exiting via a path that doesn't have an established connection to the original remote host that had initiated the connection. PBR can be used to solve that.

paminh666 · October 29, 2022, 5:22pm

hello psherman,

thank you for your anwer. I installed the extension and played around with it a bit.
Unfortunately without success. Attached is the config to look over.
Maybe someone can find my error.

Thank you very much.

cat /etc/config/vpn-policy-routing 

config vpn-policy-routing 'config'
        option verbosity '2'
        option src_ipset '0'
        option dest_ipset '0'
        option boot_timeout '30'
        option iptables_rule_option 'append'
        option procd_reload_delay '1'
        option webui_sorting '1'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        list webui_supported_protocol 'all'
        option ipv6_enabled '0'
        option webui_enable_column '1'
        option webui_protocol_column '1'
        option webui_chain_column '1'
        option webui_show_ignore_target '1'
        option strict_enforcement '0'
        option enabled '1'
        option resolver_ipset 'none'
        list supported_interface 'vpn_cl'

config policy
        option interface 'wan'
        option name 'pi'
        option src_addr '192.168.1.10'
        option src_port '80 443'
        option dest_port '80 443'

stangri · October 29, 2022, 7:19pm

Check the vpn-policy-routing README and follow example of the Plex Server.

paminh666 · November 1, 2022, 12:07pm

hi stangri,

thank you for your answer.
I have already read the readme and have played around with various settings. Unfortunately without success. My current configuration works partially. After turning on the VPN client I can reach the server for a certain time. The client works during this time, I tested this. After a certain time I can't reach the server again.
No idea why this no longer works after a certain time.
Attached is my current configuration. Maybe someone has another idea.

Thanks to all.

cat /etc/config/vpn-policy-routing 

config policy
        option name 'Pi Local'
        option interface 'wan'
        option src_addr '192.168.1.10'
        option src_port '80 443'

config policy
        option name 'pi'
        option interface 'wan'
        option dest_addr 'my.ddns.puplic-address'

config vpn-policy-routing 'config'
        option verbosity '2'
        option strict_enforcement '1'
        option src_ipset '0'
        option dest_ipset '0'
        option resolver_ipset 'dnsmasq.ipset'
        option boot_timeout '30'
        option iptables_rule_option 'append'
        option procd_reload_delay '1'
        option webui_sorting '1'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        list webui_supported_protocol 'all'
        list supported_interface 'vpn_cl'
        option enabled '1'
        option webui_enable_column '1'
        option webui_protocol_column '1'
        option webui_chain_column '1'
        option webui_show_ignore_target '1'

stangri · November 2, 2022, 7:54am

And your public IP stays the same when the server becomes unreachable and your local IP is set to 192.168.1.10?

paminh666 · November 3, 2022, 12:08pm

hello stangri,

thank you for your feedback. I am now a few steps further. I have reset the router to factory settings and started again.
The Pi is now reachable when I am connected to the VPN client. Also I now have a VPN server running and I can connect to the home network with my Android for example.
However, there is now another problem.
The router itself has no internet.
opkg update fails and a ping to an address end with:

ping: sendmsg: Operation not permitted

I followed these instructions exactly: this one

i think, it is a firewall problem....

can I somehow help the router back to the internet for updates and ddns?