OpenWrt Forum Archive

Topic: How to let OpenVPN listen on an interface instead of an IP?

The content of this topic has been archived on 1 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi, guys.

Is there any way to specify the interface to listen on with the name of the interface,
instead of the IP of the interface?
In my case, the IPs of both sides (client and server) are dynamic (assigned by the ISP).
I use a dynamic DNS tool (luci-app-ddns & ddns-scripts) to refresh (re-bind) the new IP of the Internet interface of my server to my domain name.
Yes, they all have their own DNS name!
Obviously, it's necessary to configure "--remote" with the DNS name of the server on the client side, instead of the IP of the server.
But my server has more than one Internet link.
While OpenWrt is starting, the sddns.sh script has not yet re-bound the new IP to its DNS name.
At the same time, OpenVPN tries to resolve the IP of this DNS name and to listen on the IP from the former binding.
So, it fails inevitably (it tries to listen on an IP that does not belong to it).
Occasionally, it successfully listens on an IP, but not the correct IP related to the DNS name (the IP belongs to another Internet link).
A few minutes later, after sddns.sh re-binds the correct IP successfully, the clients cannot establish the VPN through the DNS name of my server.
For security reasons, I don't like listening on all of my interfaces.

So, I want to start the OpenVPN server and force it to listen on a fixed interface such as "pppoe-wan1" in my case.
Then, I will configure the sddns.sh script to always bind the IP of this fixed interface to the DNS name.

Does such a way exist?
Thanks!

(Last edited by evilroach on 21 Jun 2016, 16:46)

OpenVPN doesn't support listening on a specific interface. Opening the OpenVPN port only for pppoe-wan1 didn't solve the problem?

khain wrote:

OpenVPN doesn't support listening on a specific interface. Opening the OpenVPN port only for pppoe-wan1 didn't solve the problem?

Thanks a lot !
How to "open openvpn port only for pppoe-wan1" ?

khain wrote:

OpenVPN doesn't support listening on a specific interface.

This is factually inaccurate, which is quite clear had anyone bothered checking the numerous OpenVPN wikis available on the OpenWrt Wikis site, the OpenVPN HowTo, or the OpenVPN Man page...

See Config.

(Last edited by JW0914 on 18 Apr 2017, 04:07)

JW0914 wrote:
khain wrote:

OpenVPN doesn't support listening on a specific interface.

This is factually inaccurate, which is quite clear had anyone bothered checking the numerous OpenVPN wikis available on the OpenWrt Wikis site, the OpenVPN HowTo, or the OpenVPN Man page...

See Config.

Thanks for your reply.
Could you please tell me where to find the options that can resolve this issue?
I have checked so many sites, including the ones you offered, but I found nothing about this.
Thanks.

You would specify an additional option  dev, followed by the interface name, such as option  dev tun0


/etc/config/openvpn

#

    ##::[[---  OpenWrt OpenVPN Config  ---]]::##

####################################################
        ##----- VPN Server -----##
####################################################

config openvpn 'VPNserver'
    option  enabled             1
 
    # Protocol #
#------------------------------------------------
    option  dev                 'tun'
    option  dev                 'tun0'
    option  topology            'subnet'
    option  proto               'udp'

    # Routes # 
#------------------------------------------------
    option  server              '10.1.0.0 255.255.255.240'
    option  ifconfig            '10.1.0.1 255.255.255.240'     
  • Normally, one would also need to specify an option  ifconfig command for the OpenVPN interface, such as the one shown above, however you can configure the OpenVPN interface for DHCP via /etc/config/network


/etc/config/network

#

    ##::[[---  OpenWrt WAN Network Config  ---]]::##

####################################################
        ##----- Active Networks w/ WAN-----##
####################################################

    # OpenVPN #
#---------------------------------------------------
config interface 'openvpn'
    option  ifname          'tun0'
    option  proto           'dhcp'

All of this information is also contained within the Config link in my post above, which links to the OpenWrt OpenVPN wiki I wrote, as well as in the OpenVPN Man Page.

(Last edited by JW0914 on 18 Apr 2017, 13:24)

@JW0914: I think that you are confusing the external interface where OpenVPN listens for new connections (similar to "port" or "proto" options) with the internal interface where OpenVPN hooks when a connection is established (the "dev" option you mentioned).

eduperez wrote:

@JW0914: I think that you are confusing the external interface where OpenVPN listens for new connections (similar to "port" or "proto" options) with the internal interface where OpenVPN hooks when a connection is established (the "dev" option you mentioned).

OpenVPN listens for new connections on the internal interface assigned to the OpenVPN tunnel, not the external facing WAN interface. 

  • DNAT is used on the external WAN side interface for port redirection of the OpenVPN listening port.

  • No SSL VPN listens on another interface except for the interface assigned to the VPN (it can listen on a specific IP by specifying the local directive), but a tunnel interface is not an external WAN facing interface.

    • The only somewhat differing exception to this that I've seen are OSes that rely on custom ConfD programming.  On these OSes, such as Sophos UTM, a route command is used to route the remote host from the external WAN interface to the netmask broadcast address [255.255.255.255] which forwards it on to a variable parameter that finally connects to the internal SSL tunnel interface.


Traffic would look like:

  • Remote client -> Internet -> WAN interface -> DNAT 1194 to device -> OpenVPN Server sees & receives port forward on internal tunnel interface, authentication begins.


Firewall would look like:

#::: Traffic Rules :::#

# LuCI: Network - Firewall - Traffic Rules
# CLI:  /etc/config/firewall
 
 
#::: Defaults :::#
# Allow initial VPN connection #
#------------------------------------------------
# LuCI: From any host in any zone To any router
# IP at port 5000 on this device (Accept Input) 
config rule
    option  target          'ACCEPT'
    option  family          'ipv4'
    option  proto           'tcp udp'
    option  src             '*'
    option  dest_port       5000
    option  name            'Allow Forwarded VPN Request -> <device>'
 
# Once Assigned VPN IP, Allow Inbound -> LAN #
#------------------------------------------------
# LuCI: From IP range 10.1.0.0/28 in any zone To IP
# range 192.168.1.0/28 on this device (Accept Input)
config rule
    option  target          'ACCEPT'
    option  family          'ipv4'
    option  proto           'tcp udp'
    option  src             '*'
    option  src_ip          '10.1.0.0/28'
    option  dest_ip         '192.168.1.0/26'
    option  name            'Allow VPN0 -> LAN'
 
# Once Assigned VPN IP, Allow Forwarded -> LAN #
#------------------------------------------------
# LuCI: From IP range 10.1.0.0/28 in any zone To IP
# range 192.168.1.0/28  on this device (Accept Forward)
config rule
    option  target          'ACCEPT'
    option  proto           'tcp udp'
    option  family          'ipv4'
    option  src             '*'
    option  src_ip          '10.1.0.0/28'
    option  dest            '*'
    option  dest_ip         '192.168.1.0/26'
    option  name            'Allow Forwarded VPN0 -> LAN'
 
# Allow Outbound ICMP Traffic from VPN #
#------------------------------------------------
# LuCI: ICMP From IP range 10.1.0.0/28 in any 
# zone To any host in lan (Accept Forward)
config rule
    option  target          'ACCEPT'
    option  proto           'icmp'
    option  src             '*'
    option  src_ip          '10.1.0.0/28'
    option  dest            'lan'
    option  name            'Allow VPN0 (ICMP) -> LAN'
 
# Allow Outbound Ping Requests from VPN #
#------------------------------------------------
# LuCI: ICMP with type echo-request From IP range
# 10.1.0.0/28 in any zone To any host in wan (Accept Forward)
config rule
    option  target          'ACCEPT'
    option  proto           'icmp'
    list    icmp_type       'echo-request'
    option  src             '*'
    option  src_ip          '10.1.0.0/28'
    option  dest            'wan'
    option  name            'Allow VPN0 (ICMP 8) -> <device> '
 
 
#::: Zones :::#
# LuCI: Network - Firewall - Zones
#------------------------------------------------
 
# VPN #
config zone
    option  name            'vpn'
    option  network         'vpn0'
    option  input           'ACCEPT'
    option  output          'ACCEPT'
    option  forward         'ACCEPT'
 
 
#::: InterZone Forwarding :::#
# LuCI: Network -> Firewall -> Zones -
# VPN - Edit - Inter-Zone Forwarding
#------------------------------------------------
 
# LAN to VPN #    
config forwarding
    option  dest            'vpn'
    option  src             'lan'
 
# VPN to LAN #    
config forwarding
    option  dest            'lan'
    option  src             'vpn'

A TAP configuration may be able to accomplish what @evilroach is looking to do since it works at layer 2, whereas tunnels are layer 3; however, some research would need to be done by @evilroach, reading through the man page and HowTo linked to earlier (it's also highly probable there's a thread discussing this on the OpenVPN forum). Those two links can answer any question one could possibly have about configuring an OpenVPN server/client.

(Last edited by JW0914 on 18 Apr 2017, 17:57)
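One practical way to get what evilroach asked for, building on the "local" directive JW0914 mentions: an OpenWrt hotplug script that, whenever the chosen WAN link comes up, reads that link's current IPv4 address and pins the OpenVPN server to it, so the daemon never binds to a stale DDNS address or to the other Internet link. This is an added example, not code from the thread or from OpenWrt; the logical interface name "wan1", the device "pppoe-wan1" and the UCI section "VPNserver" are assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Intended for /etc/hotplug.d/iface/90-openvpn-local
# on OpenWrt: when the chosen WAN link comes up, read its current IPv4 address and
# pin the OpenVPN server to it through the 'local' option, so the daemon never binds
# to a stale DDNS address or to the other Internet link.
# Assumed names: logical interface 'wan1', device 'pppoe-wan1', UCI section 'VPNserver'.

# Constructed sample of 'ip -4 -o addr show dev pppoe-wan1' output, used for offline testing.
SAMPLE_IP_OUTPUT='12: pppoe-wan1    inet 100.64.3.7 peer 100.64.0.1/32 scope global pppoe-wan1\       valid_lft forever preferred_lft forever'

# Return the first global IPv4 address found in 'ip -4 -o addr show' text.
# Handles both 'inet A.B.C.D/len' (Ethernet) and 'inet A.B.C.D peer ...' (PPP) forms.
extract_ipv4() {
    printf '%s\n' "$1" | awk '
        $3 == "inet" && /scope global/ {
            split($4, a, "/"); print a[1]; exit
        }'
}

# Print the uci commands that bind OpenVPN to the given address and restart it.
# Refuses anything other than digits and dots, so a parsing failure cannot land in the config.
uci_local_cmds() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    printf 'uci set openvpn.VPNserver.local=%s\n' "$1"
    printf 'uci commit openvpn\n'
    printf '/etc/init.d/openvpn restart\n'
}

# Hotplug entry point: act only on 'ifup' for wan1; a no-op when run by hand or in tests.
if [ "${ACTION:-}" = "ifup" ] && [ "${INTERFACE:-}" = "wan1" ]; then
    addr=$(extract_ipv4 "$(ip -4 -o addr show dev "${DEVICE:-pppoe-wan1}")")
    uci_local_cmds "$addr" | sh -e
fi
```

Pair this with a firewall rule whose src is the zone of that one WAN link rather than '*', so the port is reachable only through the interface OpenVPN is bound to.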

The discussion might have continued from here.