OpenWrt Forum Archive

Topic: Internet Only VPN

The content of this topic has been archived on 21 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi Folks,

Has anyone got experience/example of setting up an OpenVPN server on LEDE/OpenWRT where the VPN users only have access to the WAN connection, not anything on the LAN/WLAN?

Would you do this with interfaces/VLANs/firewall rules?

Just to add, the use case is to create a 'proxy' so I can watch my home-country Netflix/Amazon/Sky etc while travelling.

Don't push the route for the LAN's internal subnet.

Optionally, also insert a custom iptables rule in the zone_vpn_forward chain, blocking traffic from the VPN to the LAN:

iptables -I zone_vpn_forward -d x.x.x.x/x -j REJECT

Replace x.x.x.x/x with the appropriate subnet address and CIDR mask for your LAN. Also, change "_vpn_" in the chain name if your VPN firewall zone isn't called "vpn".

The command iptables -S will show you how your existing firewall rules are translated from UCI/LuCI into iptables directives, which should give you some clues for experimentation. Just be careful when testing iptables changes - they take effect immediately, so it's possible to lock yourself out if you apply a deny rule to the chain which affects your connection to the router.

(Last edited by 600cc on 6 Mar 2018, 20:39)
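An added example, not from this thread or from OpenWrt itself, of the /etc/firewall.user approach described above: instead of hard-coding x.x.x.x/x, it derives the LAN subnet from the UCI network config (assumed to be section network.lan with a static ipaddr/netmask) and inserts the REJECT rule only if it is not already in the chain. The zone name "vpn" and the variable VPN_ZONE are assumptions; change them to match your zone.

```shell
#!/bin/sh
# Added example (not from the thread): /etc/firewall.user fragment that derives the
# LAN subnet from UCI and inserts the REJECT rule into the VPN zone's forward chain
# idempotently. Assumes the VPN zone is named "vpn" (override with VPN_ZONE=...)
# and that network.lan has a static ipaddr/netmask.

VPN_ZONE="${VPN_ZONE:-vpn}"

# Dotted netmask -> prefix length (255.255.255.0 -> 24). Non-contiguous masks are rejected.
prefix_from_netmask() {
    local bits=0 gap=0 octet oldifs="$IFS"
    IFS=.
    set -- $1
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        if [ "$gap" -eq 1 ] && [ "$octet" != 0 ]; then return 1; fi
        case "$octet" in
            255) bits=$((bits + 8)) ;;
            254) bits=$((bits + 7)); gap=1 ;;
            252) bits=$((bits + 6)); gap=1 ;;
            248) bits=$((bits + 5)); gap=1 ;;
            240) bits=$((bits + 4)); gap=1 ;;
            224) bits=$((bits + 3)); gap=1 ;;
            192) bits=$((bits + 2)); gap=1 ;;
            128) bits=$((bits + 1)); gap=1 ;;
            0)   gap=1 ;;
            *)   return 1 ;;
        esac
    done
    echo "$bits"
}

# Address AND mask, octet by octet: 192.168.1.1 255.255.255.0 -> 192.168.1.0
network_address() {
    local oldifs="$IFS"
    IFS=.
    set -- $1 $2
    IFS="$oldifs"
    [ $# -eq 8 ] || return 1
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
}

# Combine both into CIDR notation: 192.168.1.1 255.255.255.0 -> 192.168.1.0/24
lan_cidr() {
    local net prefix
    net=$(network_address "$1" "$2") || return 1
    prefix=$(prefix_from_netmask "$2") || return 1
    echo "$net/$prefix"
}

# The iptables arguments for the block rule, i.e. the rule from the post with the
# zone name and subnet filled in.
reject_rule_args() {
    echo "zone_${1}_forward -d $2 -j REJECT"
}

# Insert the rule once. iptables -C succeeds if an identical rule already exists,
# which matters because fw3 re-runs /etc/firewall.user on every firewall restart,
# and -I puts the rule ahead of the zone's own forwarding rules.
apply_reject() {
    local zone="$1" cidr="$2"
    if ! iptables -nL "zone_${zone}_forward" >/dev/null 2>&1; then
        echo "firewall.user: chain zone_${zone}_forward not found; is the zone named '$zone'?" >&2
        return 1
    fi
    # shellcheck disable=SC2046  # word-splitting of the argument string is intended
    iptables -C $(reject_rule_args "$zone" "$cidr") 2>/dev/null \
        || iptables -I $(reject_rule_args "$zone" "$cidr")
}

# Only touch the live firewall on the router itself (uci present). Elsewhere the
# functions are merely defined, so the subnet arithmetic can be checked on a workstation.
if command -v uci >/dev/null 2>&1 && command -v iptables >/dev/null 2>&1; then
    LAN_CIDR=$(lan_cidr "$(uci -q get network.lan.ipaddr)" "$(uci -q get network.lan.netmask)") \
        || { echo "firewall.user: could not derive the LAN subnet from network.lan" >&2; exit 1; }
    apply_reject "$VPN_ZONE" "$LAN_CIDR"
fi
```

After saving it as /etc/firewall.user, a firewall restart applies it; `iptables -S zone_vpn_forward` should then list the REJECT rule first, before the forwarding-policy rules fw3 generates for the zone.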

Would you recommend a TAP or TUN connection for this?

seb101 wrote:

Would you recommend a TAP or TUN connection for this?

TUN.

TUN is routed, TAP is bridged. Routing is easier for your use-case. Not saying you couldn't get it working with TAP, but how long do you want to spend tearing your hair out?

So, I have finished setting up OpenVPN with OpenSSL using this guide https://openwrt.org/docs/guide-user/ser … rver.setup and it's working, however I now have the opposite of what I want!

VPN clients can access everything on the LAN but fail to resolve anything on the WAN.  How do I fix this?

What are the contents of the following files?

  • /etc/config/network

  • /etc/config/firewall

  • /etc/config/openvpn

Redact any passwords which might be revealed.

/etc/config/openvpn

config openvpn 'vpnserver'
        option enabled '1'
        option dev_type 'tun'
        option dev 'ovpns0'
        option port '1194'
        option proto 'tcp'
        option comp_lzo 'yes'
        option keepalive '10 120'
        option persist_key '1'
        option persist_tun '1'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/my-server.crt'
        option key '/etc/openvpn/my-server.key'
        option dh '/etc/openvpn/dh2048.pem'
        option tls_auth '/etc/openvpn/tls-auth.key 0'
        option mode 'server'
        option tls_server '1'
        option server '192.168.200.0 255.255.255.0'
        option topology 'subnet'
        option route_gateway 'dhcp'
        option client_to_client '1'
        list push 'comp-lzo yes'
        list push 'persist-key'
        list push 'persist-tun'
        list push 'topology subnet'
        list push 'route-gateway dhcp'
        list push 'redirect-gateway def1'
        list push 'route 192.168.200.0 255.255.255.0'
        list push 'dhcp-option DNS 192.168.1.1'

/etc/config/firewall

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config include
        option path '/etc/firewall.user'

config zone
        option name 'guest'
        option network 'guest'
        option input 'REJECT'
        option forward 'REJECT'
        option output 'ACCEPT'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option name 'Allow DNS Queries'
        option src 'guest'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule
        option name 'Allow DHCP request'
        option src 'guest'
        option src_port '67-68'
        option dest_port '67-68'
        option proto 'udp'
        option target 'ACCEPT'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option src '*'
        option proto 'tcp udp'
        option dest_port '1194'

config zone
        option name 'vpnserver'
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option network 'vpnserver'

config forwarding
        option src 'vpnserver'
        option dest 'wan'

config forwarding
        option src 'vpnserver'
        option dest 'lan'

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd99:6cb2:719c::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'guest'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'

config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

config interface 'vpnserver'
        option proto 'none'
        option ifname 'ovpns0'
        option auto '1'

I have limited diagnostic capability as my only test client is currently an iPhone, so this could be a DNS resolution issue possibly.

seb101 wrote:

I have limited diagnostic capability as my only test client is currently an iPhone, so this could be a DNS resolution issue possibly.

Possibly, but there could be other things going on as well. Give me a few minutes to go through the config files.

One thing immediately leaps out, though: your openvpn config file tells your VPN clients to use 192.168.1.1 for DNS, but you don't want your VPN clients to see your LAN. You want them only to have Internet access. 192.168.1.1 is a private address, not routable on the Internet (search for RFC1918 if you want to know more), so DNS resolution will fail if iptables is blocking traffic to 192.168.1.1.

If you want your VPN clients to be able to resolve DNS, you have two options:

  • Push a public DNS server, e.g. 8.8.8.8 for Google's DNS or 208.67.222.222 for OpenDNS, or;

  • Allow DNS traffic from the VPN clients to your router/LAN

(Last edited by 600cc on 10 Mar 2018, 17:28)

Forgot to ask in the previous post: what are the contents of /etc/firewall.user as well?

Second thing to leap out: your firewall permits forwarded traffic from the VPN to the LAN. If you want Internet access only, then forward from the VPN to the WAN, but not to the LAN.

Next thing to leap out: in /etc/config/openvpn:

Remove

list push 'route-gateway dhcp'

Change

list push 'redirect-gateway def1'

to

list push 'redirect-gateway def1 bypass-dhcp'

Remove

list push 'route 192.168.200.0 255.255.255.0'

And, as mentioned above, change

list push 'dhcp-option DNS 192.168.1.1'

Pick a public DNS server instead.

/etc/firewall.user is empty

While I set this up I have not implemented any firewall rules to block LAN traffic, wanted to get it working 'normally' first before I try and start locking it down.  So DNS through to 192.168.1.1 should work.

(Last edited by seb101 on 10 Mar 2018, 17:41)

seb101 wrote:

/etc/firewall.user is empty

While I set this up I have not implemented any firewall rules to block LAN traffic, wanted to get it working 'normally' first before I try and start locking it down.  So DNS through to 192.168.1.1 should work.

It would... if your openvpn config pushed a route to 192.168.1.1 to your VPN clients. But it doesn't, so DNS fails.

Try changing list push 'route 192.168.200.0 255.255.255.0' to list push 'route 192.168.1.0 255.255.255.0' and see how you get on.

Here are some extracts from my configuration, to help illustrate. My LAN subnet is 192.168.20.0/24, and I've allocated 192.168.30.0/24 to OpenVPN on UDP.

/etc/config/openvpn

config openvpn 'routed_udp'
#  My VPN server is on a public IP address; replace x.x.x.x with your WAN address, or leave the line out completely for the default of 0.0.0.0
        option local 'x.x.x.x'
        option port '1194'
        option proto 'udp'
        option dev 'tun'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/server.crt'
        option key '/etc/openvpn/server.key'
        option dh '/etc/openvpn/dh4096.pem'
        option tls_auth '/etc/openvpn/ta.key 0'
        option duplicate_cn '1'
        option server '192.168.30.0 255.255.255.0'
        option topology 'subnet'
        list push 'topology subnet'
        list push 'redirect-gateway def1 bypass-dhcp'
# This next line provides a route from the VPN to my LAN. Remove it if you don't want the VPN clients to have a route to the LAN
        list push 'route 192.168.20.0 255.255.255.0'
# Change this next line to provide the DNS server of your choice
        list push 'dhcp-option DNS 192.168.20.1'
        list push 'dhcp-option DOMAIN lan'
        option client_to_client '1'
        option keepalive '10 120'
        option cipher 'AES-256-GCM'
        option compress 'lzo'
        option verb '3'
        option persist_key '1'
        option persist_tun '1'
        option user 'nobody'
        option status '/tmp/openvpn-udp-status.log'
        option mute '20'
        option enabled '1'

/etc/config/firewall - this is an excerpt from the firewall file, not the complete file. Do not simply copy/paste over your entire firewall config. In my configuration, my VPN zone is called simply "vpn", not "vpnserver". Change the names to match your configuration.

[...]
config include
        option path '/etc/firewall.user'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option name 'vpn'
#  I also have OpenVPN on TCP/443, using vtun1 - this is optional
        option network 'vtun0 vtun1'
        option forward 'DROP'

# This section allows VPN clients to reach the LAN
config forwarding
        option dest 'lan'
        option src 'vpn'

# This section allows VPN clients to reach the Internet
config forwarding
        option dest 'wan'
        option src 'vpn'
[...]

And, finally, in my case this firewall rule would block traffic from the VPN to my LAN, even if the client knew the route:

/etc/firewall.user

iptables -I zone_vpn_forward -d 192.168.20.0/24 -j REJECT

You could use this instead, with your configuration:

iptables -I zone_vpnserver_forward -d 192.168.1.0/24 -j REJECT

(Last edited by 600cc on 10 Mar 2018, 20:32)
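An added example, not from the thread or from the OpenWrt project, that checks the two things this post points at: whether /etc/config/firewall still carries a forwarding from the VPN zone to lan, and whether the live zone_<vpn>_forward chain (as printed by `iptables -S`) rejects traffic to the LAN subnet before fw3's zone-to-zone accept rule. Zone names vpnserver/lan and the subnet 192.168.1.0/24 follow the thread; the config fragment and iptables output embedded below are constructed for the example, and a REJECT for the wrong subnet (192.168.20.0/24 here, the other poster's LAN) is shown to leave the LAN reachable.

```shell
#!/bin/sh
# Added example (not from the thread): audit VPN -> LAN reachability from the UCI
# firewall config and from "iptables -S" output. All sample text is constructed.

# Print "src->dest" for every "config forwarding" section read on stdin.
# On the router: uci_forwardings < /etc/config/firewall
uci_forwardings() {
    tr -d "'" | awk '
        function flush() { if (in_fwd && src != "" && dst != "") print src "->" dst }
        /^config forwarding/ { flush(); in_fwd = 1; src = ""; dst = ""; next }
        /^config /           { flush(); in_fwd = 0; next }
        in_fwd && $1 == "option" && $2 == "src"  { src = $3 }
        in_fwd && $1 == "option" && $2 == "dest" { dst = $3 }
        END { flush() }'
}

# Walk zone_<vpn>_forward in rule order (iptables -S output on stdin) and print the first
# verdict that applies to traffic for the LAN subnet:
#   reject - a REJECT/DROP for the LAN subnet precedes any accept into the LAN zone
#   accept - fw3's zone-to-zone accept (zone_<lan>_dest_ACCEPT) comes first
#   none   - neither exists, so the zone's forward policy decides
# On the router: iptables -S | vpn_to_lan_verdict vpnserver 192.168.1.0/24
vpn_to_lan_verdict() {
    local vpn="$1" lan_cidr="$2" lan_zone="${3:-lan}"
    awk -v chain="zone_${vpn}_forward" -v lan="$lan_cidr" \
        -v accept="-j zone_${lan_zone}_dest_ACCEPT" '
        $1 == "-A" && $2 == chain {
            if (index($0, "-d " lan " ") && $0 ~ /-j (REJECT|DROP)/) { print "reject"; decided = 1; exit }
            if (index($0, accept))                                   { print "accept"; decided = 1; exit }
        }
        END { if (!decided) print "none" }'
}

# Constructed firewall fragment mirroring the thread: forwardings to both wan and lan.
SAMPLE_FIREWALL=$(cat <<'EOF'
config zone
        option name 'vpnserver'
        option forward 'REJECT'
        option network 'vpnserver'

config forwarding
        option src 'vpnserver'
        option dest 'wan'

config forwarding
        option src 'vpnserver'
        option dest 'lan'
EOF
)

# Constructed "iptables -S" excerpt in fw3's format, without any firewall.user rule.
SAMPLE_RULES_OPEN=$(cat <<'EOF'
-N zone_vpnserver_forward
-A zone_vpnserver_forward -m comment --comment "!fw3: Zone vpnserver to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_vpnserver_forward -m comment --comment "!fw3: Zone vpnserver to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_vpnserver_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A zone_vpnserver_forward -m comment --comment "!fw3" -j zone_vpnserver_dest_REJECT
EOF
)

# The same chain after "iptables -I zone_vpnserver_forward -d 192.168.1.0/24 -j REJECT".
SAMPLE_RULES_LOCKED=$(cat <<'EOF'
-N zone_vpnserver_forward
-A zone_vpnserver_forward -d 192.168.1.0/24 -j REJECT
-A zone_vpnserver_forward -m comment --comment "!fw3: Zone vpnserver to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_vpnserver_forward -m comment --comment "!fw3: Zone vpnserver to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_vpnserver_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A zone_vpnserver_forward -m comment --comment "!fw3" -j zone_vpnserver_dest_REJECT
EOF
)

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_FIREWALL"     | uci_forwardings
printf '%s\n' "$SAMPLE_RULES_OPEN"   | vpn_to_lan_verdict vpnserver 192.168.1.0/24
printf '%s\n' "$SAMPLE_RULES_LOCKED" | vpn_to_lan_verdict vpnserver 192.168.1.0/24
printf '%s\n' "$SAMPLE_RULES_LOCKED" | vpn_to_lan_verdict vpnserver 192.168.20.0/24
```

The rule-order check is the one worth keeping around: a forwarding that was removed from UCI but survives in memory, or a REJECT written for someone else's subnet, both show up as "accept" here, while a plain "none" means the zone's own forward policy is doing the isolating.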

So I've tried mixing some of your push rules in but it isn't working. Which is the line that's supposed to give the client access to the WAN interface?

Oh man. This is frustrating. After days of messing with this I was curious why the VPN interface in the LuCI network config was showing 0 throughput so just out of sheer frustration I hit the 'Connect' button (which I think restarts the interface) and suddenly VPN started working, just like that. Now it works every time.

So annoying - I guess the interface got 'stuck'?

Thanks for all your help 600cc, it was useful and taught me a lot nevertheless.

No worries. You're welcome. Glad it's working now!

(I was away for work for the last couple of days, so couldn't reply until tonight.)

seb101 wrote:

So I've tried mixing some of your push rules in but it isn't working.   Which is the line that's supposed to give the client access to the WAN interface?

list push 'redirect-gateway def1 bypass-dhcp'

I realise you've got yours working, but I've put the line here just in case anyone else gets stuck on the same thing.

The discussion might have continued from here.