Hi All,
Brand new OpenWrt user here. Liking it so far. I'm having trouble getting a site-to-site vpn connection to work. Or, at least I am fine in one direction, but not the other. Not sure if this an openwrt firewall issue or an openvpn issue.
Here is my setup:
I have two actual machines in play that I am in control of.
-
Public server running on a cloud service running Ubuntu 20something and latest open vpn. This is the VPN server that sits on a public/static ipaddress. We will call (VPN_Server) 100.100.100.100.
(VPN_Server): is standalone and does nothing but ssh and openvpn. -
I sit on a laptop hooked up to a wifi, connected to my isp, and my public IP address is shared.
-
On said laptop, running linux, I have 4 virtualbox instances.
a) 2x instances of Openwrt. First is 19x called (OpenWrt), second is 21x latest stable called (Openwrt-vpn)
b) one instance of Linux (kali)
c) one instance of Windows 7(win7)
d) VPN Tunnel device address/net = 10.8.0.0/24My laptop (linux) get an Ip address of (192.168.1.5) from my wifi. Call my public address (200.200.200.200)
The two OpenWrt instances are acting as independent routers for the kali and windows instances. They are setup in Virtual box as:
(OpenWrt):
eth0: = bridged adapter to the wifi (192.168.1.10)
eth1: = Host-Only adapter set to Ip (192.168.99.0/24)(vboxnet0)(OpenWrt-VPN):
eth0: = bridged adapter to the wifi (192.168.1.15)
eth1: = host-only adapter set to Ip (172.16.100.0/24)(vboxnet1)(kali):
eth0: = host-only adapter set to (192.168.99.179)(vboxnet0)(win7)
eth0: = host-only adapter set to (172.16.100.184)(vboxnet1)So the network looks like this:
(win7)--->(OpenWrt-VPN)\
--->(VirtualBox)---->(Laptop)----->(Wifi-Router)---->(Internet)---->(VPN_Server)
(kali)--->(OpenWrt) /
With me so far ?
So:
A) On the (OpenWrt-VPN) instance, I have the VPN started on the virtual "router" itself, so that (win7) doesn't have to do anything. This works.
B) On the (OpenWrt) instance, I do nothing, mostly default config.
C) (kali)--->(openwrt) instance, connects to (VPN_server) by manual control via: openvpn --config /file.ovpn. This works.
I can connect both [(win7)(Openwrt-VPN)], as well as (kali) to the VPN. Once connected to the vpn. I can ping the (VPN_Server) via the tunnel address (10.8.0.1) from both (win7) and (kali).
Here is where my problem is...
I can ping from (kali): (VPN_Server) (10.8.0.1)
(Openwrt-VPN) (10.8.0.6)
I can ping from (win7): (VPN_Server) (10.8.0.1)
(kali) (192.168.99.179)(10.8.0.10)
(OpenWrt-VPN) (10.8.0.6)
I can ping from (VPN_Server) (VPN_Server) (10.8.0.1)
(Openwrt-VPN) (10.8.0.6)
(kali) (192.168.99.179)(10.8.0.10)
From (VPN_Server) I can ping (kali) once connected on both it's VPN IP (10.8.0.10), and lan subnet IP (192.168.99.179) addresses. But I get 100% packet loss when pinging anything on the 172.16.100.0/24 subnet.
I can confirm that (kali) can reach (OpenWrt-Vpn) using netcat, can only reach it by it's vpn ip (10.8.0.6), and not on (172.16.100.1) or anything else.
So what's the point of all this ? (kali) is a simulated user connecting from anywhere into vpn server and should have access to (win7) and anything else behind (OpenWrt-VPN), a simulated lan. (win7) can access (kali) just fine. (kali) can't access anything behind (OpenWrt-VPN).
I'm guessing my issue here is routing or firewalling (masquereding) on the(OpenWrt-VPN) side ?, and I think it's Openwrt related. Unless it's something wierd with Virtualbox, openvpn or my ISP. I don't know. I've tried many configs, read the docs about site-to-site. Nothing seems to work.
What am I missing?!? Configs below:
p.s: note: For some reason when on the Openvpn server.conf config I do a push "route 172.16.100.0 255.255.255.0", when I restart the server, and make a vpn connection
from (OpenWrt-VPN), I can no longer ssh into the virtualbox instance(OpenWrt-VPN). kills all access. I'm missing something, or thinking about something wrong.
Any Idea's?
-R.D.
#############################(VPN_Server)#############################
/etc/openvpn/server.conf
------------------------
askpass /etc/openvpn/chaos-server.auth
auth-nocache
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh.pem
#;topology subnet
server 10.8.0.0 255.255.255.0
route 172.16.100.0 255.255.255.0 10.8.0.10
route 192.168.99.0 255.255.255.0
#push "route 172.16.100.0 255.255.255.0"
#push "route 192.168.99.0 255.255.25..0"
ifconfig-pool-persist /var/log/openvpn/ipp.txt
client-config-dir ccd
route 172.16.100.0 255.255.255.0
#;push "route 172.16.100.0 255.255.255.0"
#;route 192.168.99.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
client-to-client
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 5
explicit-exit-notify 1
-------------------------
/etc/openvpn/ccd/client
-------------------------
ifconfig-push 10.8.0.10 255.255.255.0
iroute 172.16.100.0 255.255.255.0 10.8.0.10
-------------------------
ip route show
-------------------------
default via 100.100.100.1 dev eth0 proto static
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
100.100.100.0/24 dev eth0 proto kernel scope link src 100.100.100.100
172.16.100.0/24 via 10.8.0.2 dev tun0
192.168.99.0/24 via 10.8.0.2 dev tun0
Destination Gateway Genmask Flags MSS Window irtt Iface
default gw-my-isp.stuff 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
100.100.100.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
172.16.100.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
192.168.99.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
-------------------------
#############################(kali)#############################
/etc/openvpn/virtkali.ovpn:
---------------------------
askpass /etc/openvpn/virtkali.auth
auth-nocache
client
dev tun
proto udp
remote 100.100.100.100 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
verb 3
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
#############################(OpenWrt-VPN)#############################
/etc/config/network
---------------------
onfig interface 'loopback'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
option device 'lo'
config globals 'globals'
option ula_prefix 'fd7d:da05:d810::/48'
config interface 'wan'
option proto 'dhcp'
option device 'eth0'
config interface 'lan'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '172.16.100.1'
option broadcast '172.16.100.255'
option force_link '0'
option device 'eth1'
option gateway '172.16.100.0'
config interface 'ovpn'
option proto 'none'
option device 'tun0'
-------------------------------------------------------------------------------------------------------------------------------------------------
/etc/config/firewall
-------------------------------------------------------------------------------------------------------------------------------------------------
config interface 'loopback'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
option device 'lo'
config globals 'globals'
option ula_prefix 'fd7d:da05:d810::/48'
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option synflood_protect '1'
option forward 'ACCEPT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'ovpn'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
config zone
option name 'vpn'
option output 'ACCEPT'
option mtu_fix '1'
option input 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
list network 'lan'
list network 'ovpn'
config forwarding
option src 'vpn'
option dest 'lan'
config rule
option name 'VPN'
option src 'vpn'
option dest 'lan'
option target 'ACCEPT'
config forwarding
option src 'lan'
option dest 'vpn'
--------------------------------------------------------------------------
ip route show (openwrt-vpn)
--------------------------------------------------------------------------
0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.1.1 dev eth0 src 192.168.1.14
10.8.0.0/24 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 scope link src 10.8.0.6
100.100.100.100 via 192.168.1.1 dev eth0
128.0.0.0/1 via 10.8.0.5 dev tun0
172.16.100.0/24 dev eth1 scope link src 172.16.100.1
192.168.1.0/24 dev eth0 scope link src 192.168.1.14
Destination Gateway Genmask Flags MSS Window irtt Iface
default 10.8.0.5 128.0.0.0 UG 0 0 0 tun0
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0
10.8.0.5 * 255.255.255.255 UH 0 0 0 tun0
100.100.100.100 192.168.1.1 255.255.255.255 UGH 0 0 0 eth0
128.0.0.0 10.8.0.5 128.0.0.0 UG 0 0 0 tun0
172.16.100.0 * 255.255.255.0 U 0 0 0 eth1
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0type or paste code here