OpenWrt Forum Archive

Topic: Firewall/Routing Issue with OpenVPN

The content of this topic has been archived on 15 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,

I'm running:

- 8.09, r13118 on an Asus WL500GP
- OpenVPN 2.0.9

I use OpenVPN to establish a site-to-site VPN (OpenWRT is acting as a client).

I've been trying to redirect a port from my VPN server via the VPN to my laptop but can't get it to work. I had a look at the traffic going through the VPN and was able to see my request (port forward is fine), however I never reach the end point... The firewall on my laptop is disabled, so I'm guessing the problem is with my openwrt setup.

I've added a rule allowing all incoming traffic via the vpn

I can ping the VPN server from my router but can't reach my laptop from the VPN server. I keep getting "Destination Port Unreachable" messages.

Any idea what the problem could be ?

Regards,
John

iptables -A forward -i tun0 -j ACCEPT

I've already done that. I can access everything between the different sites via the site-to-site vpn. The part that isn't working is the port redirection from the VPN server to one of the hosts on the WAN.

Any ideas ?

Are you using masquerading for your VPN or plain routing?

I'm using a routed vpn.

I am not sure that I fully understand your setup, but your problem might be this:

The client tries to connect to, let's say, public_ip_wl500gp:80.
Your router forwards the connection to vpn_ip_laptop:80.

Your laptop receives the packet, but it sees it coming from some_public_ip:34500 and so answers via the Internet instead of the VPN. If so, it's an asymmetric routing problem.

I've tested your theory but unfortunately you were wrong. The laptop doesn't receive the packet (confirmed with wireshark). The VPN server has the following forwarding rule set up:

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 10.2.0.31

Default behaviour with the FORWARD chain is to accept packets, so I haven't added an ACCEPT rule.

My laptop is currently connected to another part of my WAN. I've noticed that the VPN server can ping my laptop here but the port redirection still doesn't work (and yes... I have changed the destination IP since I'm on a different LAN).

After looking at all the traffic going through my VPN server I noticed that the traffic "hitting" the port I redirected isn't redirected at all.
The VPN server is a debian machine.

Here is a diagram of my network setup:
http://john.nurvnet.org/Nurvnet.png

(Last edited by johngillespie on 28 May 2009, 08:52)

Got it working, I needed to add a SNAT rule.

johngillespie,
Any chance you can share your /etc/config/network, firewall and firewall user files?

You need to add a SNAT rule to the VPN server (I'm running debian). My openwrt files won't be of any use to you since all they do is accept all traffic coming via the tun0 interface.

It's DEF the firewall that's causing me grief. If I disable the firewall (/etc/init.d/firewall stop) then a ping to an internal PC completes. Also, a tcpdump on the vpn interface shows the request received, but the VPN tun0 interface responds (destination port unreachable).

I'm at a loss. Overall the objective is to have VPN clients connect and have access to all internal LAN devices. Here are the important configs.

**********************************
br-lan    Link encap:Ethernet  HWaddr 00:1C:10:59:02:F5
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7253 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5514 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:533821 (521.3 KiB)  TX bytes:6514519 (6.2 MiB)

eth0      Link encap:Ethernet  HWaddr 00:1C:10:59:02:F5
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:253552 errors:0 dropped:0 overruns:0 frame:0
          TX packets:200672 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:32732688 (31.2 MiB)  TX bytes:31588542 (30.1 MiB)
          Interrupt:4

eth0.0    Link encap:Ethernet  HWaddr 00:1C:10:59:02:F5
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:183719 errors:0 dropped:0 overruns:0 frame:0
          TX packets:188959 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:15042253 (14.3 MiB)  TX bytes:28269492 (26.9 MiB)

eth0.1    Link encap:Ethernet  HWaddr 00:1C:10:59:02:F5
          inet addr:xx.xx.xx.xx  Bcast:xx.xx.xx.255  Mask:255.255.240.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:69795 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11715 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:13123471 (12.5 MiB)  TX bytes:2457652 (2.3 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:82 errors:0 dropped:0 overruns:0 frame:0
          TX packets:82 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:6328 (6.1 KiB)  TX bytes:6328 (6.1 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.15.1.1  P-t-P:10.15.1.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:1359 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1381 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:90487 (88.3 KiB)  TX bytes:244265 (238.5 KiB)

wl0       Link encap:Ethernet  HWaddr 00:1C:10:59:02:F7
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:193606 errors:0 dropped:0 overruns:0 frame:4074
          TX packets:193831 errors:15 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:23749059 (22.6 MiB)  TX bytes:20979427 (20.0 MiB)
          Interrupt:2 Base address:0x5000
************************************

===========================
/jffs/etc/config/network

config 'switch' 'eth0'
        option 'vlan0' '0 1 2 3 5*'
        option 'vlan1' '4 5'

config 'interface' 'loopback'
        option 'ifname' 'lo'
        option 'proto' 'static'
        option 'ipaddr' '127.0.0.1'
        option 'netmask' '255.0.0.0'

config 'interface' 'lan'
        option 'type' 'bridge'
        option 'ifname' 'eth0.0'
        option 'proto' 'static'
        option 'netmask' '255.255.255.0'
        option 'ipaddr' '192.168.2.1'
        option 'defaultroute' '0'
        option 'peerdns' '0'

config 'interface' 'wan'
        option 'ifname' 'eth0.1'
        option 'proto' 'dhcp'

config 'interface' 'vpn'
        option 'ifname' 'tun0'
        option 'proto' 'none'
        option 'auto' 'disable'
        option 'defaultroute' '0'
        option 'peerdns' '0'
===========================

Here's the firewall
+++++++++++++++++++++++
/jffs/etc/config/firewall

config 'defaults'
        option 'syn_flood' '1'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'

config 'zone'
        option 'name' 'lan'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'

config 'zone'
        option 'name' 'wan'
        option 'input' 'REJECT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'masq' '1'

config 'zone'
        option 'name' 'vpn'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'ACCEPT'
        option 'network' 'vpn'

config 'forwarding'
        option 'src' 'lan'
        option 'dest' 'vpn'
        option 'forward' 'ACCEPT'

config 'forwarding'
        option 'src' 'vpn'
        option 'dest' 'lan'
        option 'forward' 'ACCEPT'
        option 'mtu_fix' '1'

config 'forwarding'
        option 'src' 'lan'
        option 'dest' 'wan'
        option 'mtu_fix' '1'

config 'rule'
        option 'target' 'ACCEPT'
        option '_name' 'VPN'
        option 'src' 'wan'
        option 'proto' 'udp'
        option 'dest_port' '8091'

config 'rule'
        option 'target' 'ACCEPT'
        option '_name' 'SSH'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'dest_port' '22'
+++++++++++++++++++++++

Suggestions what to modify? I need my VPN client (10.15.1.6) to be able to RDP to say 192.168.2.151.

(Last edited by kennedy101 on 26 Jul 2009, 07:47)

add this to your /etc/firewall.user:

iptables -A input_rule -i tun0 -j ACCEPT
iptables -A forwarding_rule -i tun0 -j ACCEPT
iptables -A forwarding_rule -o tun0 -j ACCEPT
iptables -A output_rule -o tun0 -j ACCEPT

Thank you VERY much. I added these rules to /etc/config/firewall.user and ensured the option was referenced in /etc/config/firewall. After doing this I am now able to see the internal network from my VPN connection. Again, thank you VERY much!!!

no problem

johngillespie wrote:

add this to your /etc/firewall.user:
iptables -A input_rule -i tun0 -j ACCEPT
iptables -A forwarding_rule -i tun0 -j ACCEPT
iptables -A forwarding_rule -o tun0 -j ACCEPT
iptables -A output_rule -o tun0 -j ACCEPT

I have a problem with openvpn that might be similar, and indeed the above commands help. As it turns out the only one I need is the "iptables -A forwarding_rule -i tun0 -j ACCEPT". So, thank you for providing me with a solution.
I'd still like to figure out why my /etc/config/firewall rules aren't sufficient, and how I could fix them so I don't need to use /etc/firewall.user.

I.e. my /etc/config/firewall has the following rules for my VPN (the rest is just the default OpenWRT config), which I thought should be sufficient (and indeed, they only require the above extra iptables rules, so it's close):

config zone
        option name             vpn
        option input    ACCEPT
        option output   ACCEPT
        option forward  ACCEPT

config forwarding
        option src      vpn
        option dest     wan

Why would the above not be sufficient to allow all forwarding between VPN and WAN?  Why would an additional "iptables -A forwarding_rule -i tun0 -j ACCEPT" be needed?

monnier wrote:

Why would the above not be sufficient to allow all forwarding between VPN and WAN?  Why would an additional "iptables -A forwarding_rule -i tun0 -j ACCEPT" be needed?

Did you define something like that in /e/c/network as well ?

config interface vpn
  option proto none
  option auto 1
  option ifname tun0

~ JoW
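As an added example (not posted by anyone in this thread), a shell lint for the situation jow is pointing at: a firewall zone with no 'network' option binds to the network of the same name, so when /etc/config/network has no 'vpn' interface section carrying 'ifname tun0', the zone's ACCEPT policies never attach to tun0 and only raw firewall.user rules work. The two network files and the firewall file below are constructed samples mirroring the configs in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: lint UCI firewall zones against
# /etc/config/network. A zone without 'option network' binds to the network
# named like the zone; if that section is missing, or has no ifname, the
# zone never attaches to tun0 and its ACCEPT policies are never applied.

# Constructed sample configs (assumed, for illustration only).
NET_OK=$(mktemp); NET_BAD=$(mktemp); FW=$(mktemp)
trap 'rm -f "$NET_OK" "$NET_BAD" "$FW"' EXIT
cat >"$NET_OK" <<'EOF'
config interface wan
  option ifname eth0.1
config interface vpn
  option proto none
  option auto 1
  option ifname tun0
EOF
cat >"$NET_BAD" <<'EOF'
config 'interface' 'wan'
        option 'ifname' 'eth0.1'
EOF
cat >"$FW" <<'EOF'
config zone
        option name     vpn
        option forward  ACCEPT
config 'zone'
        option 'name' 'wan'
        option 'network' 'wan'
EOF

# zone_networks FIREWALL: print "zone network" pairs; handles quoted and
# unquoted UCI syntax, and defaults a zone's network to its own name.
zone_networks() {
  tr -d "'" <"$1" | awk '
    function flush() { if (z != "") { m = split(nets == "" ? z : nets, a, " ");
                                      for (i = 1; i <= m; i++) print z, a[i] } }
    $1 == "config" { flush(); inzone = ($2 == "zone"); z = inzone ? $3 : ""; nets = ""; next }
    inzone && $1 == "option" && $2 == "name"    { z = $3 }
    inzone && $1 == "option" && $2 == "network" { nets = $3; for (i = 4; i <= NF; i++) nets = nets " " $i }
    END { flush() }'
}

# check_zones NETWORK FIREWALL: return 0 when every zone network resolves to
# an interface section with an ifname; otherwise list unbound zones, return 1.
check_zones() {
  problems=$(zone_networks "$2" | while read -r zone net; do
    ifname=$(tr -d "'" <"$1" | awk -v n="$net" '
      $1 == "config" { cur = ($2 == "interface") ? $3 : "" }
      cur == n && $1 == "option" && $2 == "ifname" { print $3; exit }')
    [ -n "$ifname" ] || echo "zone '$zone': network '$net' has no interface with an ifname"
  done)
  [ -z "$problems" ] || { printf '%s\n' "$problems"; return 1; }
}

check_zones "$NET_OK" "$FW" && echo "all zones bound"
check_zones "$NET_BAD" "$FW" || echo "fix: add 'config interface vpn' with 'option ifname tun0'"
```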

jow wrote:

Did you define something like that in /e/c/network as well ?

config interface vpn
  option proto none
  option auto 1
  option ifname tun0

~ JoW

The UCI CLI way to add this config section is:

root@OpenWrt:~# uci set network.vpn=interface
root@OpenWrt:~# uci set network.vpn.proto=none
root@OpenWrt:~# uci set network.vpn.auto=1
root@OpenWrt:~# uci set network.vpn.ifname=tun0
root@OpenWrt:~# uci commit network

(Last edited by Dogge on 3 Oct 2009, 18:11)

The discussion might have continued from here.