OpenWrt Forum Archive

Topic: OpenVPN, Interface/Firewall/Forwarding issue

The content of this topic has been archived on 30 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Router: Netgear WNDR3700v2
Firmware: OpenWrt Barrier Breaker r40521 / LuCI Trunk (svn-r9964)

I'm currently signed up with an OpenVPN account from StrongVPN and have run into some challenges setting up the router so that the devices can only access the Internet, services etc. through it IF the VPN tunnel (tun0) is up. The issue now is that when the router boots, it shows with the REAL IP before the VPN client starts.

The following has been done (taken from another guide in this forum):

Part 1: Creating our "VPN" interface/unmanaged switch

Go to Network -> Interfaces.
Create new Interface called VPN.
Protocol: "Unmanaged"/none
Interface: tun0

Part 2: Create VPN Firewall Zone

Go to Network -> Firewall
Create a new zone called "VPN".
Incoming and Outgoing Accepted. Forwarding rejected
Covered Networks: VPN

Part 3: Create Traffic Forward Rules to allow ALL communication between LAN and VPN zones and vice versa.

Go to Network -> Firewall -> Traffic Rules
   
Rule 1 Name: LAN->VPN
Source Zone: LAN
Destination Zone: VPN
   
Rule 2 Name:  VPN->LAN
Source Zone: VPN
Destination Zone: LAN

Rule 3 Name: OpenVPN
Protocol: UDP
Source: WAN
Destination Port: 4672
Destination Zone: Device
(Added 3 times, for ports 4672, 123 and 53, according to my VPN config)


In addition, I have done the following for the LAN firewall:

Network - Interfaces - Firewall - Zones - "lan" Inter-Zone Forwarding is set to VPN.

When the "LAN Zone" above is changed from WAN to VPN, all my Internet access is lost, of course.
Then I start my VPN client with the following command: openvpn --cd /etc/openvpn --config ovpn160.ovpn &
The VPN tunnel starts up without errors and I can see some small packets passing through the tun0 interface.

But I can't get out to the big world (Internet) and am wondering what I am missing...

My VPN Config:

remote 108.171.16.59 4672 udp
remote 108.171.16.59 123 udp
remote 108.171.16.59 53 udp
key-direction 1
cipher AES-128-CBC
client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
;http-proxy-retry
;http-proxy 108.171.16.59 80
verb 4
reneg-sec 86400
echo vpn32 ovpn178
tun-mtu 1500
route-method exe
route-delay 2
redirect-gateway def1
comp-lzo no
fragment 1390
mssfix 1390
hand-window 30

Without all the steps above, but with port forwarding done in the GUI, I can get the VPN to work with the firewall settings below.
I got this from a friend, but I'm not sure if I need all of it and what everything does.

firewall.user:

#
#Location: /etc/firewall.user
#
#Drop all connections for Remote Access to the router on VPN Interface
#
iptables -I INPUT -i tun+ -p tcp --dport telnet -j DROP
iptables -I INPUT -i tun+ -p tcp --dport ssh -j DROP
iptables -I INPUT -i tun+ -p tcp --dport www -j DROP
iptables -I INPUT -i tun+ -p tcp --dport https -j DROP
iptables -I INPUT -i tun+ -p icmp --icmp-type 8 -j DROP #Echo Request
#
## Set tun device to act as default connection to the Internet.
## Notice the -o tun+. This indicates that it is looking for outbound packets on tun+
iptables -t nat -I POSTROUTING -o tun+ -j MASQUERADE
#
## Accept all outgoing traffic to the Internet via the tun device
iptables -I OUTPUT -o tun+ -j ACCEPT
#
## Allow all outgoing forwarding connections
iptables -I FORWARD -o tun+ -j ACCEPT
#
## Allow only ESTABLISHED incoming packets.
## I guess this is for normal web browsing as you establish a connection first via a HTTP request
iptables -I INPUT -i tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
#
## Allow all incoming forwarded connections through the tun interface
iptables -I FORWARD -i tun+ -j ACCEPT
#
## Defining specific routes
#
iptables -t nat -I PREROUTING -i tun+ -p tcp --dport 23678 -j DNAT --to-destination 192.168.1.140
iptables -t nat -I PREROUTING -i tun+ -p tcp --dport 22875 -j DNAT --to-destination 192.168.1.140
#
#Block Port Scanning, Block all the standard stealth scans, not nmap.
#
# Anyone who tried to portscan us is locked out
iptables -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
#

I would really appreciate it if someone could please review my post and give me some hints.
Also, I'm not sure about the custom firewall rules and what is good or not.

Thanks!

I have now tried the following without success:

/etc/config/firewall:

config 'forwarding'
        option 'src' 'VPN'
        option 'dest' 'wan'

/etc/firewall.user:
(Without my previous firewall.user settings)

iptables -t nat -A prerouting_wan -p udp --dport 4672 -j ACCEPT
iptables -A input_wan -p udp --dport 4672 -j ACCEPT
iptables -t nat -A prerouting_wan -p udp --dport 123 -j ACCEPT
iptables -A input_wan -p udp --dport 123 -j ACCEPT
iptables -t nat -A prerouting_wan -p udp --dport 53 -j ACCEPT
iptables -A input_wan -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT

But still no Internet access. I can ping out from the router.

Any ideas?

Your VPN zone probably needs masq enabled?

Nevermind, read your post wrong..

(Last edited by Adze on 23 Apr 2014, 21:27)

Thanks for your tip, but I already tried that :)

I could do that statement all day :

proper tools are the way to go

use firewall debug mode and tcpdump/wireshark

regards
3zl

3zl wrote:

I could do that statement all day :

proper tools are the way to go

use firewall debug mode and tcpdump/wireshark

regards
3zl

Thanks, but do I need to use iptables for logging, or is there something in OpenWrt I can enable by command?

The easiest thing for me in this case would be a simple script that disables traffic until the VPN tunnel is up :P
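Added example, not part of the thread and not OpenWrt or StrongVPN code. It ties together the three things discussed above: the zone setup from Parts 1-3 of the first post (written out as UCI commands, with the two settings that post leaves out: masq on the VPN zone, which Adze's reply points at, and input=REJECT so the VPN provider's side cannot reach ssh or LuCI on the router), the "proper tools" advice, in the form of an offline check over `ip route` and `iptables-save` output that reports the three symptoms seen in the thread (effective default route not via tun0, no masquerading on tun0, and the blanket `-i tun+ -j ACCEPT` from the second attempt), and the wish for something that refuses traffic until the tunnel is up, which the zone layout gives for free because lan is only ever forwarded to the VPN zone. Zone and interface names (VPN, tun0, lan, wan, eth0.2, br-lan) follow the post and a default Barrier Breaker layout; all sample outputs and the 10.8.0.x / 203.0.113.x addresses are constructed.

```shell
#!/bin/sh
# Offline checker + UCI generator for a "LAN only via tun0" OpenWrt setup.
# Added example; assumes zone VPN on tun0, zone lan on br-lan, WAN on eth0.2.

# --- constructed samples (what `ip route` / `iptables-save` would show) ---
# Tunnel up: redirect-gateway def1 adds the two /1 routes that beat the WAN default.
SAMPLE_ROUTE_UP='0.0.0.0/1 via 10.8.0.5 dev tun0
default via 203.0.113.1 dev eth0.2
10.8.0.5 dev tun0  proto kernel  scope link  src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.1.0/24 dev br-lan  proto kernel  scope link  src 192.168.1.1
203.0.113.0/24 dev eth0.2  proto kernel  scope link  src 203.0.113.10'
# Before OpenVPN starts: only the WAN default route.
SAMPLE_ROUTE_DOWN='default via 203.0.113.1 dev eth0.2
192.168.1.0/24 dev br-lan  proto kernel  scope link  src 192.168.1.1
203.0.113.0/24 dev eth0.2  proto kernel  scope link  src 203.0.113.10'
# `iptables-save -t nat`, fw3 layout, with masq on the VPN zone ...
NAT_OK='*nat
-A POSTROUTING -o eth0.2 -j zone_wan_postrouting
-A POSTROUTING -o tun0 -j zone_VPN_postrouting
-A zone_wan_postrouting -j MASQUERADE
-A zone_VPN_postrouting -j MASQUERADE
COMMIT'
# ... and without it (the state the first post describes).
NAT_NO_MASQ='*nat
-A POSTROUTING -o eth0.2 -j zone_wan_postrouting
-A zone_wan_postrouting -j MASQUERADE
COMMIT'
# `iptables-save -t filter`, trimmed: the second post's blanket ACCEPT vs. a safe INPUT.
FILTER_OPEN='*filter
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
COMMIT'
FILTER_OK='*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# default_dev ROUTES: prints the device the default route effectively uses.
# The def1 halves (0.0.0.0/1 + 128.0.0.0/1) win over a plain "default" entry.
default_dev() {
    printf '%s\n' "$1" | awk '
        $1 == "0.0.0.0/1"   { for (i = 1; i <= NF; i++) if ($i == "dev") lo  = $(i + 1) }
        $1 == "128.0.0.0/1" { for (i = 1; i <= NF; i++) if ($i == "dev") hi  = $(i + 1) }
        $1 == "default"     { for (i = 1; i <= NF; i++) if ($i == "dev") def = $(i + 1) }
        END { print (lo != "" && lo == hi) ? lo : def }'
}

# diagnose ROUTES NAT FILTER: one line per problem found, returns 1 if any.
diagnose() {
    routes=$1; nat=$2; filter=$3; bad=0
    if [ "$(default_dev "$routes")" != tun0 ]; then
        echo "default route is not via tun0: tunnel down or redirect-gateway not applied"; bad=1
    fi
    # fw3 hangs MASQUERADE off a per-zone chain, so look for the -o tun jump
    # in POSTROUTING plus a MASQUERADE target somewhere in the table.
    if ! { printf '%s\n' "$nat" | grep -q -- '^-A POSTROUTING .*-o tun' &&
           printf '%s\n' "$nat" | grep -q -- '-j MASQUERADE$'; }; then
        echo "no masquerading on tun0: enable masq on the VPN zone"; bad=1
    fi
    if printf '%s\n' "$filter" | grep -q -- '^-A INPUT -i tun[0-9+]* -j ACCEPT$'; then
        echo "INPUT accepts everything from tun+: router services reachable from the VPN side"; bad=1
    fi
    return $bad
}

# Parts 1-3 of the first post as UCI commands, printed for review rather than run.
vpn_zone_uci_commands() {
    cat <<'EOF'
uci set network.VPN=interface
uci set network.VPN.proto=none
uci set network.VPN.ifname=tun0
uci add firewall zone
uci set firewall.@zone[-1].name=VPN
uci set firewall.@zone[-1].network=VPN
uci set firewall.@zone[-1].input=REJECT
uci set firewall.@zone[-1].output=ACCEPT
uci set firewall.@zone[-1].forward=REJECT
uci set firewall.@zone[-1].masq=1
uci set firewall.@zone[-1].mtu_fix=1
uci add firewall forwarding
uci set firewall.@forwarding[-1].src=lan
uci set firewall.@forwarding[-1].dest=VPN
EOF
}

# `sh this.sh demo` runs the checks on the samples; on the router use
# diagnose "$(ip route)" "$(iptables-save -t nat)" "$(iptables-save -t filter)"
case "${1:-}" in
    demo)
        diagnose "$SAMPLE_ROUTE_UP" "$NAT_OK" "$FILTER_OK" && echo "up, masq on: no problems"
        diagnose "$SAMPLE_ROUTE_DOWN" "$NAT_NO_MASQ" "$FILTER_OPEN" || true
        ;;
esac
```

Apply the printed commands on the router with `vpn_zone_uci_commands | sh && uci commit && /etc/init.d/firewall reload`, and delete the existing lan -> wan forwarding section (its index is visible in `uci show firewall`); with lan forwarded only to VPN, nothing leaves via the WAN before tun0 exists, which is the boot-time leak the first post describes. The three "OpenVPN" traffic rules of Part 3 are not needed for a client running with `nobind`: the router opens the connection outbound and conntrack admits the replies, so those rules only expose UDP 53, 123 and 4672 on the router to the whole Internet.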

crossroad ahead :

you want to understand/learn what you are doing  :    ->start with http://wiki.openwrt.org/doc/uci/firewall

you want quick STRONGVPN solution out of the box:    ->Openwrt-Tomato

now choose...............


regards
3zl

The discussion might have continued from here.