Topic: Firewall problems with openvpn when - how to enable access from WAN?

I tried to follow this guide: http://wiki.openwrt.org/doc/howto/vpn.openvpn so I tried to set up openwrt as a (bridged) server that I could connect to with my laptop from everywhere. I am on ASUS WL-500g if it matters.

However, I keep getting this error:

 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

That and the fact that I can connect just fine when I use the LAN IP address of the Openwrt router but not the public one leads me to think that my issue is with the firewall.

I bridged tap0 interface to lan as suggested in the guide:

config 'switch' 'eth0'
    option 'enable' '1'

config 'switch_vlan' 'eth0_0'
    option 'device' 'eth0'
    option 'vlan' '0'
    option 'ports' '1 2 3 4 5'

config 'switch_vlan' 'eth0_1'
    option 'device' 'eth0'
    option 'vlan' '1'
    option 'ports' '0 5'

config 'interface' 'loopback'
    option 'ifname' 'lo'
    option 'proto' 'static'
    option 'ipaddr' '127.0.0.1'
    option 'netmask' '255.0.0.0'

config 'interface' 'lan'
    option 'type' 'bridge'
    option 'proto' 'static'
    option 'netmask' '255.255.255.0'
    option 'ipaddr' '192.168.22.1'
    option '_orig_ifname' 'eth0 wlan0'
    option '_orig_bridge' 'true'
    option 'ifname' 'eth0 tap0'

config 'interface' 'wan'
    option 'ifname' 'eth1'
    option 'proto' 'dhcp'

Firewall is as follows:

config 'defaults'
    option 'syn_flood' '1'
    option 'input' 'ACCEPT'
    option 'output' 'ACCEPT'
    option 'drop_invalid' '1'
    option 'forward' 'REJECT'

config 'zone'
    option 'name' 'lan'
    option 'network' 'lan'
    option 'input' 'ACCEPT'
    option 'output' 'ACCEPT'
    option 'forward' 'ACCEPT'

config 'zone'
    option 'name' 'wan'
    option 'network' 'wan'
    option 'output' 'ACCEPT'
    option 'masq' '1'
    option 'mtu_fix' '1'
    option 'input' 'REJECT'
    option 'forward' 'REJECT'

config 'forwarding'
    option 'src' 'lan'
    option 'dest' 'wan'

config 'rule'
    option 'name' 'Allow-DHCP-Renew'
    option 'src' 'wan'
    option 'proto' 'udp'
    option 'dest_port' '68'
    option 'target' 'ACCEPT'
    option 'family' 'ipv4'

config 'rule'
    option 'name' 'Allow-Ping'
    option 'src' 'wan'
    option 'proto' 'icmp'
    option 'icmp_type' 'echo-request'
    option 'family' 'ipv4'
    option 'target' 'ACCEPT'

config 'rule'
    option 'name' 'Allow-DHCPv6'
    option 'src' 'wan'
    option 'proto' 'udp'
    option 'src_ip' 'fe80::/10'
    option 'src_port' '547'
    option 'dest_ip' 'fe80::/10'
    option 'dest_port' '546'
    option 'family' 'ipv6'
    option 'target' 'ACCEPT'

config 'rule'
    option 'name' 'Allow-ICMPv6-Input'
    option 'src' 'wan'
    option 'proto' 'icmp'
    list 'icmp_type' 'echo-request'
    list 'icmp_type' 'destination-unreachable'
    list 'icmp_type' 'packet-too-big'
    list 'icmp_type' 'time-exceeded'
    list 'icmp_type' 'bad-header'
    list 'icmp_type' 'unknown-header-type'
    list 'icmp_type' 'router-solicitation'
    list 'icmp_type' 'neighbour-solicitation'
    option 'limit' '1000/sec'
    option 'family' 'ipv6'
    option 'target' 'ACCEPT'

config 'rule'
    option 'name' 'Allow-ICMPv6-Forward'
    option 'src' 'wan'
    option 'dest' '*'
    option 'proto' 'icmp'
    list 'icmp_type' 'echo-request'
    list 'icmp_type' 'destination-unreachable'
    list 'icmp_type' 'packet-too-big'
    list 'icmp_type' 'time-exceeded'
    list 'icmp_type' 'bad-header'
    list 'icmp_type' 'unknown-header-type'
    option 'limit' '1000/sec'
    option 'family' 'ipv6'
    option 'target' 'ACCEPT'

config 'include'
    option 'path' '/etc/firewall.user'

config 'rule'
    option 'target' 'ACCEPT'
    option 'dest_port' '1194'
    option 'src' 'wan'
    option 'proto' 'tcpudp'
    option 'family' 'ipv4'

config 'rule'
    option 'src' 'wan'
    option 'proto' 'tcp'
    option 'dest_port' '22'
    option 'target' 'ACCEPT'

I suspect I need to add some sort of forwarding like this old guide suggests http://wiki.openwrt.org/doc/howto/vpn.server.openvpn.tap , ie:

### Allow OpenVPN connections
iptables -t nat -A prerouting_rule -i $WAN -p udp --dport 1194 -j ACCEPT
iptables        -A input_rule      -i $WAN -p udp --dport 1194 -j ACCEPT

iptables -I OUTPUT -o tap+ -j ACCEPT
iptables -I INPUT -i tap+ -j ACCEPT

iptables -I FORWARD -o tap+ -j ACCEPT
iptables -I FORWARD -i tap+ -j ACCEPT

But I do not know how to do it in the new configuration format and frankly I am not sure exactly what rules I need to set up.

BTW: my openvpn configuration file is

config 'openvpn' 'doma'
    option 'tls_server' '1'
    option 'enable' '1'
    option 'port' '1194'
    option 'proto' 'udp'
    option 'dev' 'tap0'
    option 'ca' '/etc/openvpn/keys/ca.crt'
    option 'cert' '/etc/openvpn/keys/server.crt'
    option 'key' '/etc/openvpn/keys/server.key'
    option 'dh' '/etc/openvpn/keys/dh1024.pem'
    option 'ifconfig-pool-persist' '/etc/openvpn/ipp.txt'
    option 'server-bridge' '192.168.22.1 255.255.255.0 192.168.22.220 192.168.22.229'
    list 'push' 'route 10.0.0.0 255.0.0.0'
    #option 'push' 'dhcp-option DNS 10.98.231.66'
    #option 'push' 'dhcp-option DNS 10.98.236.1'
    #option 'push' 'redirect-gateway'
    option 'client-to-client' '1'
    option 'comp_lzo' '1'
    option 'keepalive' '10 120'
    option 'status' '/tmp/openvpn.status'
    option 'persist-key' '1'
    option 'persist-tun' '1'
    option 'verb' '3'
    option 'mute' '20'
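Since the question is whether the UCI firewall above actually admits udp/1194 from the wan zone, here is an added example (not from the thread or the OpenWrt project) that parses the UCI text format and looks for a matching input ACCEPT rule. It assumes the fw3 defaults noted in the comments (rule target DROP, proto tcpudp) and uses the 1194 rule from the posted config as sample input.

```python
"""Added example (not from the thread): check whether an OpenWrt UCI
/etc/config/firewall accepts inbound traffic to a port from a zone."""
import shlex
# Sample input: the OpenVPN rule section from the firewall config posted above.
SAMPLE_FIREWALL = """
config 'rule'
    option 'target' 'ACCEPT'
    option 'dest_port' '1194'
    option 'src' 'wan'
    option 'proto' 'tcpudp'
    option 'family' 'ipv4'
"""

def parse_uci(text):
    """Parse UCI text into (type, name, options) tuples; values are lists so 'list' entries survive."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        words = shlex.split(line)
        if words[0] == 'config':
            sections.append((words[1], words[2] if len(words) > 2 else None, {}))
        elif words[0] in ('option', 'list') and sections:
            sections[-1][2].setdefault(words[1], []).append(words[2])
    return sections

def port_matches(spec, port):
    """dest_port may be a single port, a range like '1000-2000', or a space-separated list."""
    for item in ' '.join(spec).split():
        lo, _, hi = item.partition('-')
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def accepts_input(text, src, proto, port):
    """True if some 'rule' ACCEPTs proto/port from zone src on the router itself (no 'dest' = input chain)."""
    for kind, _, o in parse_uci(text):
        if kind != 'rule' or 'dest' in o or o.get('src', [None])[0] != src:
            continue
        if o.get('target', ['DROP'])[0] != 'ACCEPT':  # assumed fw3 default rule target: DROP
            continue
        allowed = o.get('proto', ['tcpudp'])[0]  # assumed fw3 default proto for rules
        if proto not in ({'tcp', 'udp'} if allowed == 'tcpudp' else set(allowed.split())):
            continue
        if 'dest_port' not in o or port_matches(o['dest_port'], port):
            return True
    return False
```

Run it against the full /etc/config/firewall to confirm the rule is present before suspecting the firewall, which for this thread it is; a rule with a `dest` option lands in the forward chain and is deliberately not counted here.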

Re: Firewall problems with openvpn when - how to enable access from WAN?

Are you attempting to access your vpn server by its public ip from within the lan? That will probably confuse the masquerading. Try it from the outside, e.g. via 3g.

3 (edited by sup 2012-05-07 17:19:20)

Re: Firewall problems with openvpn when - how to enable access from WAN?

jow wrote:

Are you attempting to access your vpn server by its public ip from within the lan? That will probably confuse the masquerading. Try it from the outside, e.g. via 3g.

I tried it through another vpn that works reliably (and that I connect to through Network manager) but I am going to be on another network tomorrow so I will see if it works from there.

Re: Firewall problems with openvpn when - how to enable access from WAN?

sup wrote:
jow wrote:

Are you attempting to access your vpn server by its public ip from within the lan? That will probably confuse the masquerading. Try it from the outside, e.g. via 3g.

I tried it through another vpn that works reliably (and that I connect to through Network manager) but I am going to be on another network tomorrow so I will see if it works from there.

Now I feel pretty stupid. I came home (I was not setting up the openvpn server at home) and it started to work. Well, at least it works now.