VPN killswitch Adjusting for having local access and ping

Hi,
So, from a fresh install, I set up WireGuard or OpenVPN and both work fine. I can ping and access an RDP PC on the network and ping the WAN network. But as soon as I put in the config for the kill switch as per the guide with tun and tun+ (https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci), I can't anymore, as WAN is cut and everything passes over the OVPN. (The wiki gives: LAN, Allow forward to destination: OpenVPN / WAN: nothing in Allow forward / OpenVPN, Allow forward from source: LAN.)

OpenWrt is 192.168.40.1. WAN: 192.168.70.1.

If you ping the WAN 192.168.70.1 from the Diagnostics menu, you get a reply.
But if you ping from a client (..40.8, ..40.xx), nothing.
I tried putting many allow rules in Traffic Rules, but nothing passes. So after setting up the kill switch as per the wiki, what do we do to let only the local access pass?

Sure, putting LAN back into WAN will do, but then the sole purpose of the kill switch gets killed too, doesn't it?

Thanks for this one.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

Which address are you trying to access?

1 Like

Indeed, here are the details, and yes, from the official image 19.07.7 / "kernel": "4.14.221".

uci export network

package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd85:eee2:1e51::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option ipaddr '192.168.40.1'
        option ip6assign '60'
        option netmask '255.255.255.248'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

-=-=-=-=-=-

~# uci export firewall

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list device 'tun0'
        option network 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option name 'ISAKMP old block'
        option target 'REJECT'

config include
        option path '/etc/firewall.user'

config zone
        list device 'tun+'
        option name 'openvpn'
        option mtu_fix '1'
        option input 'REJECT'
        option forward 'REJECT'
        option masq '1'
        option output 'ACCEPT'

config forwarding
        option dest 'openvpn'
        option src 'lan'

config redirect
        option name 'Divert-DNS, port 53'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config rule
        option name 'Reject-DoT, port 853'
        option src 'lan'
        option dest 'wan'
        list proto 'tcp udp'
        option dest_port '853'
        option target 'REJECT'

config redirect
        option name 'Divert-DNS, port 5353'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '53'
        option target 'DNAT'

-=-=-=-=-=-

head -n -0 /etc/firewall.user

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

ip -4 addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    inet 192.168.70.12/28 brd 192.168.70.15 scope global eth1
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.40.1/29 brd 192.168.40.7 scope global br-lan
       valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    inet 10.10.66.194/26 brd 10.10.66.255 scope global tun0
       valid_lft forever preferred_lft forever

-=-=-=-=-=-

# ip -4 ro li tab all
0.0.0.0/1 via 10.10.66.193 dev tun0
default via 192.168.70.1 dev eth1  src 192.168.70.12
10.10.66.192/26 dev tun0 scope link  src 10.10.66.194
45.12.222.166 via 192.168.70.1 dev eth1
128.0.0.0/1 via 10.10.66.193 dev tun0
192.168.40.0/29 dev br-lan scope link  src 192.168.40.1
192.168.70.0/28 dev eth1 scope link  src 192.168.70.12
broadcast 10.10.66.192 dev tun0 table local scope link  src 10.10.66.194
local 10.10.66.194 dev tun0 table local scope host  src 10.10.66.194
broadcast 10.10.66.255 dev tun0 table local scope link  src 10.10.66.194
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.40.0 dev br-lan table local scope link  src 192.168.40.1
local 192.168.40.1 dev br-lan table local scope host  src 192.168.40.1
broadcast 192.168.40.7 dev br-lan table local scope link  src 192.168.40.1
broadcast 192.168.70.0 dev eth1 table local scope link  src 192.168.70.12
local 192.168.70.12 dev eth1 table local scope host  src 192.168.70.12
broadcast 192.168.70.15 dev eth1 table local scope link  src 192.168.70.12

-=-=-=-=-=-

# ip -4 ru
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
Here I did have dnscrypt running, but another 19.07.7 without it gives the same result, as it has the exact same rule config.

uci -q delete firewall.@zone[1].device
uci commit firewall
/etc/init.d/firewall restart
uci set network.lan.netmask="255.255.255.0"
uci commit network
/etc/init.d/network restart
/etc/init.d/openvpn restart

With those commands: that now breaks the net (web access); the VPN connection cannot get to the IP, and also the local ping still doesn't work.
From Diagnostics: nothing can resolve.
Also, the VPN connection is made with an IP, not via provider.com.

Yeah, I'm still stuck at: 6]: Attempting to establish TCP connection with [AF_INET]45.56.xxx.6:1194 [nonblock] and not connecting.
It's really only the two steps of the wiki: putting the LAN forward to destination: the VPN, and in the VPN zone the forward from source: LAN, with the rest of the VPN zone set to input: reject / output: accept / forward: reject / masquerading: checked / MSS clamping: checked.

I tried turning MSS off, and rebooted at each change, but no help.

I continued to dig on that and then: firewall rule, add: IPv4 from LAN to WAN, proto: ICMP. And hop, I was able to ping. Halfway there. Now I try to get to an xrdp server. I tried from LAN to WAN and put WAN to LAN, in/out port on both as 3389, proto UDP/TCP. But I don't get anything. I can ping the unit, but no RDP connection. Over tcpdump I see packets, but, well, not sure what it means.

:~# tcpdump -i any -c34 -X -A -vv port 3389

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
21:47:56.822732 IP (tos 0x0, ttl 128, id 44777, offset 0, flags [DF], proto TCP (6), length 52)
    w10Lt.lan.49862 > 192.168.70.6.3389: Flags [S], cksum 0x3910 (correct), seq 939022262, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
        0x0000:  4500 0034 aee9 4000 8006 707d c0a8 1406  E..4..@...p}....
        0x0010:  c0a8 4606 c2c6 0d3d 37f8 57b6 0000 0000  ..F....=7.W.....
        0x0020:  8002 faf0 3910 0000 0204 05b4 0103 0308  ....9...........
        0x0030:  0101 0402                                ....
21:47:56.822732 IP (tos 0x0, ttl 128, id 44777, offset 0, flags [DF], proto TCP (6), length 52)
    w10Lt.lan.49862 > 192.168.70.6.3389: Flags [S], cksum 0x3910 (correct), seq 939022262, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
        0x0000:  4500 0034 aee9 4000 8006 707d c0a8 1406  E..4..@...p}....
        0x0010:  c0a8 4606 c2c6 0d3d 37f8 57b6 0000 0000  ..F....=7.W.....
        0x0020:  8002 faf0 3910 0000 0204 05b4 0103 0308  ....9...........
        0x0030:  0101 0402                                ....
21:47:56.822787 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.70.6.3389 > w10Lt.lan.49862: Flags [R.], cksum 0xdb77 (incorrect -> 0x74c0), seq 0, ack 939022263, win 0, length 0
        0x0000:  4500 0028 0000 4000 4006 5f73 c0a8 4606  E..(..@.@._s..F.
        0x0010:  c0a8 1406 0d3d c2c6 0000 0000 37f8 57b7  .....=......7.W.
        0x0020:  5014 0000 db77 0000                      P....w..
21:47:56.822790 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.70.6.3389 > w10Lt.lan.49862: Flags [R.], cksum 0xdb77 (incorrect -> 0x74c0), seq 0, ack 1, win 0, length 0
        0x0000:  4500 0028 0000 4000 4006 5f73 c0a8 4606  E..(..@.@._s..F.
        0x0010:  c0a8 1406 0d3d c2c6 0000 0000 37f8 57b7  .....=......7.W.
        0x0020:  5014 0000 db77 0000                      P....w..
21:47:57.326688 IP (tos 0x0, ttl 128, id 44778, offset 0, flags [DF], proto TCP (6), length 52)
    w10Lt.lan.49862 > 192.168.70.6.3389: Flags [S], cksum 0x3910 (correct), seq 939022262, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
        0x0000:  4500 0034 aeea 4000 8006 707c c0a8 1406  E..4..@...p|....
        0x0010:  c0a8 4606 c2c6 0d3d 37f8 57b6 0000 0000  ..F....=7.W.....
        0x0020:  8002 faf0 3910 0000 0204 05b4 0103 0308  ....9...........
        0x0030:  0101 0402                                ....
21:47:57.326688 IP (tos 0x0, ttl 128, id 44778, offset 0, flags [DF], proto TCP (6), length 52)
    w10Lt.lan.49862 > 192.168.70.6.3389: Flags [S], cksum 0x3910 (correct), seq 939022262, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
        0x0000:  4500 0034 aeea 4000 8006 707c c0a8 1406  E..4..@...p|....
        0x0010:  c0a8 4606 c2c6 0d3d 37f8 57b6 0000 0000  ..F....=7.W.....
        0x0020:  8002 faf0 3910 0000 0204 05b4 0103 0308  ....9...........
        0x0030:  0101 0402                                ....
21:47:57.326741 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.70.6.3389 > w10Lt.lan.49862: Flags [R.], cksum 0xdb77 (incorrect -> 0x74c0), seq 0, ack 1, win 0, length 0
        0x0000:  4500 0028 0000 4000 4006 5f73 c0a8 4606  E..(..@.@._s..F.
        0x0010:  c0a8 1406 0d3d c2c6 0000 0000 37f8 57b7  .....=......7.W.
        0x0020:  5014 0000 db77 0000                      P....w..
21:47:57.326745 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.70.6.3389 > w10Lt.lan.49862: Flags [R.], cksum 0xdb77 (incorrect -> 0x74c0), seq 0, ack 1, win 0, length 0
        0x0000:  4500 0028 0000 4000 4006 5f73 c0a8 4606  E..(..@.@._s..F.
        0x0010:  c0a8 1406 0d3d c2c6 0000 0000 37f8 57b7  .....=......7.W.
        0x0020:  5014 0000 db77 0000                      P....w..
21:47:57.828312 IP (tos 0x0, ttl 128, id 44779, offset 0, flags [DF], proto TCP (6), length 52)
    w10Lt.lan.49862 > 192.168.70.6.3389: Flags [S], cksum 0x3910 (correct), seq 939022262, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
        0x0000:  4500 0034 aeeb 4000 8006 707b c0a8 1406  E..4..@...p{....
        0x0010:  c0a8 4606 c2c6 0d3d 37f8 57b6 0000 0000  ..F....=7.W.....
        0x0020:  8002 faf0 3910 0000 0204 05b4 0103 0308  ....9...........
        0x0030:  0101 0402                                ....
21:47:57.828312 IP (tos 0x0, ttl 128, id 44779, offset 0, flags [DF], proto TCP (6), length 52)
    w10Lt.lan.49862 > 192.168.70.6.3389: Flags [S], cksum 0x3910 (correct), seq 939022262, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
        0x0000:  4500 0034 aeeb 4000 8006 707b c0a8 1406  E..4..@...p{....
        0x0010:  c0a8 4606 c2c6 0d3d 37f8 57b6 0000 0000  ..F....=7.W.....
        0x0020:  8002 faf0 3910 0000 0204 05b4 0103 0308  ....9...........
        0x0030:  0101 0402                                ....
21:47:57.828354 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.70.6.3389 > w10Lt.lan.49862: Flags [R.], cksum 0xdb77 (incorrect -> 0x74c0), seq 0, ack 1, win 0, length 0
        0x0000:  4500 0028 0000 4000 4006 5f73 c0a8 4606  E..(..@.@._s..F.
        0x0010:  c0a8 1406 0d3d c2c6 0000 0000 37f8 57b7  .....=......7.W.
        0x0020:  5014 0000 db77 0000                      P....w..
21:47:57.828357 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.70.6.3389 > w10Lt.lan.49862: Flags [R.], cksum 0xdb77 (incorrect -> 0x74c0), seq 0, ack 1, win 0, length 0
        0x0000:  4500 0028 0000 4000 4006 5f73 c0a8 4606  E..(..@.@._s..F.
        0x0010:  c0a8 1406 0d3d c2c6 0000 0000 37f8 57b7  .....=......7.W.
        0x0020:  5014 0000 db77 0000                      P....w..

tun0 is defined in two zones. It must be in one only. I hope you have fixed that already.
Regarding the RDP session that you are trying to set up, the 70.6 host is replying to the SYN from w10Lt with a Reset packet. Most likely the firewall of 70.6 does not allow connections from devices outside of its subnet. It is a common Windows firewall issue.

1 Like

Hi. So, a bit strange about the dual tun you mention, as wasn't that the whole purpose of the kill switch, doing it that way for 19.07? It's wiki steps 4.1-b and 6.1-b.
Or is it because I haven't created the interface that it gives some headache?

Also, a quick one, and easier to chase than the MS thing: if I put two OpenWrt back to back, how can I access the login page of the first one while keeping the kill-switch setup?
inet -> WAN OWrt #1 192.168.40.1 LAN -> WAN OWrt #2 ..20.1 - PC
PC on 192.168.20.6 wants to log into OWrt #1 ..40.1

Good catch, I have added an explanation in the wiki for that.

You don't need anything special. As long as the route for the destination is in the routing table of the second OpenWrt, it will get there.

1 Like

Thanks for the guidance. I also changed the port of the first one to be sure it's not all going over 80. Rule:
from LAN to WAN / TCP / destination: select the router .1 / port: 5000 / adv: IPv4

I think you can safely add a rule for the whole subnet you have on the wan side, that is:

uci add firewall rule
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].name='local'
uci add_list firewall.@rule[-1].src_ip='192.168.40.0/24'
uci set firewall.@rule[-1].family='ipv4'
# pinned to the wan-side local subnet only; the default route still goes via the tunnel
uci add_list firewall.@rule[-1].dest_ip='192.168.70.0/24'
uci set firewall.@rule[-1].dest='wan'
uci add_list firewall.@rule[-1].proto='all'
uci commit firewall
service firewall restart
2 Likes
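To check both points raised above in one pass (tun0 claimed by the wan zone while the openvpn zone matches tun+, and the lan-to-wan exception that must stay pinned to the local subnet rather than becoming a tunnel bypass), here is an added example that is not from the thread or the OpenWrt wiki: a small Python linter for the output of uci export firewall. The sample config inside it is constructed from the one posted above, and the zone names lan, wan and openvpn are assumed to match it.

```python
"""Lint an OpenWrt `uci export firewall` dump for VPN kill-switch mistakes:
a device claimed by two zones, missing lan->vpn forwarding, lan->wan
forwarding, and lan->wan ACCEPT rules not scoped to a private subnet."""
import ipaddress
import shlex

# Constructed sample, cut down from the config posted in the thread: the wan
# zone still lists tun0, the openvpn zone matches tun+, and the scoped
# lan->wan rule for the local 192.168.70.0/24 segment has been added.
SAMPLE_UCI = """\
package firewall

config zone
        option name 'wan'
        option forward 'REJECT'
        option masq '1'
        list device 'tun0'
        option network 'wan'

config zone
        list device 'tun+'
        option name 'openvpn'
        option forward 'REJECT'
        option masq '1'

config forwarding
        option dest 'openvpn'
        option src 'lan'

config rule
        option name 'local'
        option src 'lan'
        option dest 'wan'
        list dest_ip '192.168.70.0/24'
        list proto 'all'
        option target 'ACCEPT'
"""


def parse_uci(text):
    """Return [(section_type, {key: value or [values]})] from `uci export` output."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if len(parts) < 2 or parts[0] == "package":
            continue
        if parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts[0] == "option" and sections and len(parts) == 3:
            sections[-1][1][parts[1]] = parts[2]
        elif parts[0] == "list" and sections and len(parts) == 3:
            sections[-1][1].setdefault(parts[1], []).append(parts[2])
    return sections


def as_list(value):
    """uci 'option' yields a str, 'list' yields a list; normalise to a list."""
    return [] if value is None else ([value] if isinstance(value, str) else list(value))


def zones_claiming(dev, zones):
    """Zones whose device patterns match `dev`; a trailing '+' is a prefix wildcard."""
    hits = set()
    for name, zone in zones.items():
        for pat in as_list(zone.get("device")):
            if pat == dev or (pat.endswith("+") and dev.startswith(pat[:-1])):
                hits.add(name)
    return hits


def lint_killswitch(sections, lan="lan", wan="wan", vpn="openvpn"):
    """Return human-readable findings; an empty list means the config passes."""
    findings = []
    zones = {s["name"]: s for t, s in sections if t == "zone" and "name" in s}

    # 1. An interface must belong to exactly one zone, otherwise two masq/forward
    #    policies apply to the same tunnel traffic.
    concrete = {d for z in zones.values() for d in as_list(z.get("device")) if not d.endswith("+")}
    for dev in sorted(concrete):
        owners = zones_claiming(dev, zones)
        if len(owners) > 1:
            findings.append(f"device {dev!r} claimed by zones {sorted(owners)}")

    # 2. Kill switch: lan forwards into the vpn zone only, never to wan.
    fwd = {(s.get("src"), s.get("dest")) for t, s in sections if t == "forwarding"}
    if (lan, vpn) not in fwd:
        findings.append(f"no forwarding {lan}->{vpn}: clients have no path into the tunnel")
    if (lan, wan) in fwd:
        findings.append(f"forwarding {lan}->{wan} lets every client bypass the tunnel")

    # 3. The only lan->wan ACCEPT allowed is one pinned to a private dest_ip range.
    for t, s in sections:
        if t != "rule" or s.get("src") != lan or s.get("dest") != wan:
            continue
        if s.get("target", "").upper() != "ACCEPT":
            continue
        name = s.get("name", "?")
        dests = as_list(s.get("dest_ip"))
        if not dests:
            findings.append(f"rule {name!r}: lan->wan ACCEPT without dest_ip is a tunnel bypass")
        for d in dests:
            if not ipaddress.ip_network(d, strict=False).is_private:
                findings.append(f"rule {name!r}: dest_ip {d} is not a local (private) range")
    return findings


if __name__ == "__main__":
    for line in lint_killswitch(parse_uci(SAMPLE_UCI)) or ["no findings"]:
        print(line)
```

Run it against the real dump with uci export firewall | python3 lint.py after swapping SAMPLE_UCI for sys.stdin.read(); on the config above it reports only the tun0 double claim, and it reports nothing once that list device line is removed from the wan zone. Removing dest_ip from the local rule, or adding a lan-to-wan forwarding, is flagged as a tunnel bypass, which is exactly what the kill switch is meant to prevent.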

Yeah, finally dug some more. To get the xrdp stuff and pass along SSH and others from network 2 to the first OpenWrt (#1), it's: forward: src LAN to dest: WAN, dest IP: 192.168.70.0/29, proto all, IPv4.
But the LuCI HTTP part was where it hung. In /etc/config/uhttpd, if I put port 5000 for both 80 and 443, it works for a little while, and afterwards it cannot be reached anymore. After a reboot, it definitely cannot. From a different web browser, fresh, no cookies.
But if I only change port 443 to 5000 and leave 80, I can log in to xxx.70.1:5000.
I checked other posts and I don't have other HTTP-related packages like lighttpd; I only did
opkg install luci-ssl.

Better open a new thread for this problem as it is not connected to the current one.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.