OpenWrt Forum Archive

Topic: firewall rules for openvpn

The content of this topic has been archived on 29 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi again. I've gotten openvpn working successfully under both kamikaze and backfire, as both server and client, but I've always had to descend into /etc/firewall.user and iptables commands to do so. I'd think this should be possible with uci and /etc/config/firewall, but I've never figured out how, and I'm not the only one, so I thought I'd ask here for the right way.

In /etc/firewall.user, I have this (which works):

iptables -I FORWARD -i tun+ -j ACCEPT    # allow VPN packets onto LAN
iptables -I FORWARD -o tun+ -j ACCEPT    # allow LAN packets onto VPN

In /etc/config/firewall, there was the following prepopulated (and commented out, which I thought was weird):

#config forwarding
#    option src vpn
#    option dest lan
#
#config forwarding
#    option src lan
#    option dest vpn

This looks to me like it is meant to achieve the same thing; I uncommented it, but the firewall blocks packets between LAN and VPN. (If I disable the firewall, packets flow as desired; if I use the iptables rules above, packets flow as desired; if the firewall is enabled without my manual iptables rules, the router returns ICMP "destination port unreachable" responses to the LAN client.)

Reading the docs for /etc/config/firewall (http://wiki.openwrt.org/doc/uci/firewall), it seems to say that the "config forwarding" sections rely on state match which relies on connection tracking so conntrack has to be on for either the source or destination zone, which by default is not true of either vpn or lan, so I turned on conntrack for the vpn zone; that didn't help.

So I fell back to my manual iptables rules, and as I said I'm not the only one -- I found this article, http://www.tolaris.com/2010/09/01/openw … hp-g300nh/, where the author also didn't find a cleaner way of handling the firewall<>openvpn interaction.

So my questions:
- why doesn't the obvious "config forwarding" stuff in /etc/config/firewall work?
- why is that stuff commented out by default?
- is the conntrack for vpn zone actually necessary, as the docs seem to imply, and if so, should that be added by default?
- does anyone know how to get vpn<>lan traffic forwarding to work via /etc/config/firewall?
- barring that, are the iptables commands I'm using in /etc/firewall.user an acceptable substitute?

Thanks in advance.

BTW, I can't remember now if the vpn zone, and the related forwarding rules, in /etc/config/firewall were put there by the system by default, or by me messing around with luci, or by me manually; there's a good chance I put them there weeks ago and forgot about it, in which case please ignore all the stuff I said about that stuff being there by default.

If it's entirely wrong, my bad, but I'd still appreciate hearing from anyone who can tell me how to do it right.

Here's my entire /etc/config/firewall:

config 'defaults'
    option 'syn_flood' '1'
    option 'input' 'ACCEPT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'

config 'zone'
    option 'name' 'lan'
    option 'input' 'ACCEPT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'

config 'zone'
    option 'name' 'wan'
    option 'input' 'REJECT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'
    option 'masq' '1'
    option 'mtu_fix' '1'
config zone
    option name    vpn
    option input    ACCEPT
    option output    ACCEPT
    option forward    REJECT
    option conntrack    '1'

# I don't know why the following lines are commented out, but they were
#config forwarding
#    option src vpn
#    option dest lan
#
#config forwarding
#    option src lan
#    option dest vpn

config 'forwarding'
    option 'src' 'lan'
    option 'dest' 'wan'

config 'rule'
    option 'src' 'wan'
    option 'proto' 'udp'
    option 'dest_port' '68'
    option 'target' 'ACCEPT'

config 'include'
    option 'path' '/etc/firewall.user'

this is my working config:

/etc/conf/network:

config 'interface' 'vpn'
    option 'ifname' 'tun0'
    option 'proto' 'static'
    option 'ipaddr' '192.168.27.1' #
    option 'netmask' '255.255.255.0'

/etc/conf/firewall:

config 'zone'
    option 'name' 'vpn'
    option 'input' 'ACCEPT'
    option 'output' 'ACCEPT'
    option 'forward' 'ACCEPT'
    option 'network' 'vpn'

config 'forwarding'
    option 'src' 'lan'
    option 'dest' 'vpn'
    option 'forward' 'ACCEPT'

config 'forwarding'
    option 'src' 'vpn'
    option 'dest' 'lan'

config 'rule'
    option 'src' 'wan'
    option 'proto' 'tcp'
    option 'dest_port' '443' #my openvpn-server is listening on this port
    option 'target' 'ACCEPT'

/etc/conf/openvpn:

    option script_security 2
    option up "/sbin/ifup vpn"
    option down "/sbin/ifdown vpn"

The special settings in the openvpn config file are a workaround which I have been using for ages for the problem mentioned in sayap's link. This issue is addressed in changeset 21641. But the workaround with the up- and down-script works great for me.

For the up script I used this last time:

/etc/openvpn/up.sh

#!/bin/sh

ACTION=ifup DEVICE=tun0 INTERFACE=vpn /sbin/hotplug-call iface

exit 0

/etc/config/openvpn

    [..]
    option 'script_security' '2'
    option 'up' '/etc/openvpn/up.sh'
    [..]

The forwarding_rule table should be used instead of FORWARD. There is a deny_all rule at the end of the FORWARD. Your later FORWARD rules won't take effect as deny_all is in the front. For your case, add the following lines to firewall.user:

iptables -A forwarding_rule -i tun+ -j ACCEPT
iptables -A forwarding_rule -o tun+ -j ACCEPT

Then "/etc/init.d/firewall restart".

(Last edited by watermark on 10 Nov 2010, 20:49)

watermark wrote:

The forwarding_rule table should be used instead of FORWARD. There is a deny_all rule at the end of the FORWARD. Your later FORWARD rules won't take effect as deny_all is in the front. For your case, add the following lines to firewall.user:

iptables -A forwarding_rule -i tun+ -j ACCEPT
iptables -A forwarding_rule -o tun+ -j ACCEPT

Interesting. The iptables commands I'm using (quoted again) are:

iptables -I FORWARD -i tun+ -j ACCEPT    # allow VPN packets onto LAN
iptables -I FORWARD -o tun+ -j ACCEPT    # allow LAN packets onto VPN

which I can confirm are working. But I can see why you're saying -A FORWARD would not. (-A appends to end of chain, -I inserts at beginning of chain.)

Is there a reason to use "-A forwarding_rule" instead of "-I FORWARD"? (Maybe the intent is for users to change the lowercase foo_rule chains, and not the uppercase chains?)

Anyway, my complaint wasn't that I couldn't get it to work with direct iptables commands, but that I couldn't figure out how to get it to work from uci. Though I'm happy to hear advice if the iptables commands I'm using aren't doing what I thought they were / wanted them to.
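The chain-ordering point raised in this exchange (why "-A FORWARD" is ineffective once a catch-all reject sits at the end of FORWARD, while "-I FORWARD" and "-A forwarding_rule" both work) can be seen in a small model of iptables' first-match evaluation. This is an added example, not code from the thread or from OpenWrt; the chain layout (FORWARD jumps into an empty user chain forwarding_rule and then ends with a reject) is an assumption modelled on watermark's description, and the packets are constructed samples.

```python
"""
Added example: minimal model of how iptables walks a chain. The first matching
terminating rule wins; a user chain is entered by a jump and falls through to
the next rule of the caller if nothing in it matches.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


def iface_match(pattern: Optional[str], name: str) -> bool:
    """iptables -i/-o semantics: no pattern matches everything, trailing '+' is a prefix wildcard."""
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern


@dataclass
class Rule:
    target: str                      # "ACCEPT", "REJECT", "DROP" or the name of a user chain
    in_iface: Optional[str] = None   # -i
    out_iface: Optional[str] = None  # -o

    def matches(self, pkt: Dict[str, str]) -> bool:
        return iface_match(self.in_iface, pkt["in"]) and iface_match(self.out_iface, pkt["out"])


class FilterTable:
    TERMINAL = {"ACCEPT", "REJECT", "DROP"}

    def __init__(self) -> None:
        self.chains: Dict[str, List[Rule]] = {}

    def append(self, chain: str, rule: Rule) -> None:   # iptables -A: end of chain
        self.chains.setdefault(chain, []).append(rule)

    def insert(self, chain: str, rule: Rule) -> None:   # iptables -I: position 1
        self.chains.setdefault(chain, []).insert(0, rule)

    def verdict(self, chain: str, pkt: Dict[str, str]) -> Optional[str]:
        """Walk the chain top down; None means the chain policy would have to decide."""
        for rule in self.chains.get(chain, []):
            if not rule.matches(pkt):
                continue
            if rule.target in self.TERMINAL:
                return rule.target
            sub = self.verdict(rule.target, pkt)   # jump into a user chain
            if sub is not None:
                return sub                          # the user chain reached a verdict
        return None


def base_ruleset() -> FilterTable:
    """Assumed layout: FORWARD jumps into the (initially empty) user chain
    forwarding_rule and then ends with the catch-all reject watermark calls deny_all."""
    table = FilterTable()
    table.chains["forwarding_rule"] = []
    table.append("FORWARD", Rule("forwarding_rule"))
    table.append("FORWARD", Rule("REJECT"))
    return table


# Constructed sample packets: VPN client -> LAN bridge, and WAN -> LAN bridge.
VPN_TO_LAN = {"in": "tun0", "out": "br-lan"}
WAN_TO_LAN = {"in": "eth0.1", "out": "br-lan"}


def verdict_after(command: str, pkt: Dict[str, str]) -> Optional[str]:
    """Apply one of the three placements from the thread to a fresh ruleset and
    return the FORWARD verdict for pkt. The rule added is `-i tun+ -j ACCEPT`."""
    table = base_ruleset()
    allow_vpn = Rule("ACCEPT", in_iface="tun+")
    if command == "-A FORWARD":
        table.append("FORWARD", allow_vpn)
    elif command == "-I FORWARD":
        table.insert("FORWARD", allow_vpn)
    elif command == "-A forwarding_rule":
        table.append("forwarding_rule", allow_vpn)
    else:
        raise ValueError(f"unknown placement: {command}")
    return table.verdict("FORWARD", pkt)


if __name__ == "__main__":
    for cmd in ("-A FORWARD", "-I FORWARD", "-A forwarding_rule"):
        print(f"{cmd:20} vpn->lan: {verdict_after(cmd, VPN_TO_LAN)}"
              f"  wan->lan: {verdict_after(cmd, WAN_TO_LAN)}")
```

Running it prints REJECT for "-A FORWARD" and ACCEPT for the other two placements on the VPN packet, while the WAN packet stays rejected in every case. The model also shows why the lowercase foo_rule chains are the intended hook: they are entered before the final reject, so appending to them is order-safe, whereas "-I FORWARD" only works because it jumps the queue.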

eleon216 wrote:

this is my working config:

/etc/conf/firewall:

config 'zone'
    option 'name' 'vpn'
    option 'input' 'ACCEPT'
    option 'output' 'ACCEPT'
    option 'forward' 'ACCEPT'
    option 'network' 'vpn'
                    
config 'forwarding'
    option 'src' 'lan'
    option 'dest' 'vpn'
    option 'forward' 'ACCEPT'

eleon216, many thanks, this is what I was looking for.

You're using some uci options I don't recognize and haven't seen documented, though (doc link at http://wiki.openwrt.org/doc/uci/firewall):

- zone.network: ah, didn't know about that one. But it defaults to zone.name, so shouldn't be necessary in that case.
- forwarding.forward: don't see that in the docs. You have it for the lan->vpn direction but not the vpn->lan direction. What does it mean to have a "forwarding" section without the "forward" option?

Basically the difference between what you have and what I tried is

1) the zone.network option for the vpn zone, setting the interface name the same as the zone name (but that should already be the default)
2) zone.forward set to accept for vpn zone
3) forwarding.forward set to accept for the forwarding section with src lan, dest vpn

I guess I'm unclear on the specifics of these forwarding options -- I'd think that a pair of forwarding sections (for src lan dest vpn, and src vpn dest lan) should obviate the need for #2, and I don't know what #3 does.

So I'll assume this is right and try playing with it, but I'd appreciate knowing *why* it's right.

Hi,
back then this config was the result of just trial and error.

I was not sure why it wasn't working so I tried to add different parameters until it did work.

I revisited the config now, and you are right:

no need for option network in 1.
no need for 2. (and maybe a security problem): the default policy for the forward chain should be set to "reject" and only traffic from/to the lan zone should be accepted (this is done by the two forwarding rules).

3. option forwarding.forward is nonsense; I guess it just gets ignored.

So your config should be just fine.
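The points the thread settles on here (zone-level forward ACCEPT is unnecessary, forwarding.forward is not a real option and is ignored, and a zone needs forwarding sections in both directions to exchange traffic with lan) can be checked mechanically against the text of /etc/config/firewall. The following linter is an added example, not code from the thread or from OpenWrt; the set of valid forwarding options (src, dest) is an assumption based on the thread and the wiki page it links, and the three sample configs are constructed from eleon216's first posted config, the corrected version, and the original poster's situation with the forwarding sections commented out.

```python
"""
Added example: a small linter for /etc/config/firewall text. It parses UCI
'config'/'option' syntax ('#' starts a comment, values may be quoted) and flags
the mistakes discussed in the thread.
"""
import shlex
import sys
from typing import Dict, List, Tuple

Section = Tuple[str, Dict[str, str]]            # (section type, options)
FORWARDING_OPTIONS = {"src", "dest"}             # assumption: documented forwarding options


def parse_uci(text: str) -> List[Section]:
    sections: List[Section] = []
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)  # commented-out sections vanish here
        if not words:
            continue
        if words[0] == "config" and len(words) >= 2:
            sections.append((words[1], {}))
        elif words[0] == "option" and len(words) >= 3 and sections:
            sections[-1][1][words[1]] = words[2]
    return sections


def lint(text: str) -> List[str]:
    findings: List[str] = []
    sections = parse_uci(text)
    zones = {o["name"]: o for kind, o in sections if kind == "zone" and "name" in o}
    forwardings = [o for kind, o in sections if kind == "forwarding"]

    # zone.forward ACCEPT is not needed for inter-zone traffic; the thread calls it a risk
    for name, opts in zones.items():
        if opts.get("forward", "").upper() == "ACCEPT":
            findings.append(f"zone '{name}': forward policy ACCEPT is not needed for "
                            f"inter-zone forwarding; keep REJECT and use forwarding sections")

    referenced = set()
    for fw in forwardings:
        src, dest = fw.get("src"), fw.get("dest")
        label = f"forwarding {src}->{dest}"
        for key, zone in (("src", src), ("dest", dest)):
            if zone is None:
                findings.append(f"{label}: missing option '{key}'")
            elif zone not in zones:
                findings.append(f"{label}: {key} zone '{zone}' is not defined")
            else:
                referenced.add(zone)
        for key in sorted(set(fw) - FORWARDING_OPTIONS):   # e.g. forwarding.forward
            findings.append(f"{label}: option '{key}' is not a forwarding option and is ignored")

    # a zone no forwarding section mentions gets only the REJECT defaults
    for name in zones:
        if name not in referenced:
            findings.append(f"zone '{name}' appears in no forwarding section; with the REJECT "
                            f"default nothing is forwarded between it and other zones")
    return findings


# Constructed samples (not a real router's config): common zones plus one vpn variant each.
ZONES = """
config 'defaults'
    option 'forward' 'REJECT'
config 'zone'
    option 'name' 'lan'
    option 'forward' 'REJECT'
config 'zone'
    option 'name' 'wan'
    option 'forward' 'REJECT'
    option 'masq' '1'
config 'forwarding'
    option 'src' 'lan'
    option 'dest' 'wan'
"""
FIRST_TRY = ZONES + """
config 'zone'
    option 'name' 'vpn'
    option 'forward' 'ACCEPT'
    option 'network' 'vpn'
config 'forwarding'
    option 'src' 'lan'
    option 'dest' 'vpn'
    option 'forward' 'ACCEPT'
config 'forwarding'
    option 'src' 'vpn'
    option 'dest' 'lan'
"""
CORRECTED = ZONES + """
config zone
    option name    vpn
    option forward REJECT
config 'forwarding'
    option 'src' 'lan'
    option 'dest' 'vpn'
config 'forwarding'
    option 'src' 'vpn'
    option 'dest' 'lan'
"""
NO_FORWARDING = ZONES + """
config zone
    option name    vpn
    option forward REJECT
#config forwarding
#    option src vpn
#    option dest lan
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else FIRST_TRY
    for msg in lint(text):
        print(msg)
```

Run it with a path argument to check a real /etc/config/firewall, or with no argument to see the two findings for eleon216's first config; the corrected config produces none, and the poster's original config (vpn zone present, forwarding sections commented out) produces exactly the "appears in no forwarding section" finding for vpn.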
