Topic: firewall rules for openvpn
Hi again. I've gotten openvpn working successfully under both kamikaze and backfire, as both server and client, but I've always had to descend into /etc/firewall.user and iptables commands to do so. I'd think this should be possible with uci and /etc/config/firewall, but I've never figured out how, and I'm not the only one, so I thought I'd ask here for the right way.
In /etc/firewall.user, I have this (which works):
iptables -I FORWARD -i tun+ -j ACCEPT # allow VPN packets onto LAN iptables -I FORWARD -o tun+ -j ACCEPT # allow allow LAN packets onto VPN
In /etc/config/firewall, there was the following prepopulated (and commented out, which I thought was weird):
#config forwarding # option src vpn # option dest lan # #config forwarding # option src lan # option dest vpn
This looks to me like it is meant to achieve the same thing; I uncommented it, but the firewall blocks packets between LAN and VPN. (If I disable the firewall, packets flow as desired; if I use the iptables rules above, packets flow as desired; if the firewall is enabled without my manual iptables rules, the router returns ICMP "destination port unreachable" responses to the LAN client.)
Reading the docs for /etc/config/firewall (http://wiki.openwrt.org/doc/uci/firewall), it seems to say that the "config forwarding" sections rely on state match which relies on connection tracking so conntrack has to be on for either the source or destination zone, which by default is not true of either vpn or lan, so I turned on conntrack for the vpn zone; that didn't help.
So I fell back to my manual iptables rules, and as I said I'm not the only one -- I found this article, http://www.tolaris.com/2010/09/01/openwrt-10-03-on-buffalo-wzr-hp-g300nh/, where the author also didn't find a cleaner way of handling the firewall<>openvpn interaction.
So my questions:
- why doesn't the obvious "config forwarding" stuff in /etc/config/firewall work?
- why is that stuff commented out by default?
- is the conntrack for vpn zone actually necessary, as the docs seem to imply, and if so, should that be added by default?
- does anyone know how to get vpn<>lan traffic forwarding to work via /etc/config/firewall?
- barring that, are the iptables commands I'm using in /etc/firewall.user an acceptable substitute?
Thanks in advance.