OpenWrt Forum Archive

Topic: OpenVPN server behind my OpenWRT router (which is also OpenVPN server)

The content of this topic has been archived on 21 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I have an OpenWRT router running 12.09 r36088.

Everything has been working correctly.  The router has OpenVPN installed so that I can access machines remotely.

I'm now trying to run OpenVPN on another machine on the network behind the router.  I'm doing this so that remote phones can use their built-in OpenVPN software and connect directly.

I'm using port 1194 for the router's OpenVPN and trying to use 1190 for the PBX machine.

Let's call the machines RTR (router) and PBX (raspberry pi running asterisk/freepbx and openvpn)


Presently, I can log into RTR without problems.  When I try to log into PBX, I never hit the machine (i.e. no logs are updated).  This leads me to believe I'm getting dropped at the router.

I have the following lines in firewall.user

# lines for RTR's OpenVPN
iptables -t nat -A prerouting_wan -p udp --dport 1194 -j ACCEPT
iptables -A input_wan -p udp --dport 1194 -j ACCEPT

# add additional firewall accept for Raspi OpenVPN instance
iptables -I FORWARD 1 -d 192.168.40.210 -p tcp --dport 1190 -j ACCEPT
iptables -t nat -A PREROUTING -p udp --dport 1190 -j DNAT --to 192.168.40.210:1190



Under Network - Firewall - Port Forwards in Luci, I have created this rule:

Match: IPv4-TCP, UDP
From any host in wan
Via any router IP at port 1190

Forward to: IP 192.168.40.210, port 1190 in lan

Under edit, Enable NAT loopback is ticked.

and have it enabled.  If there is a way to do this forward in firewall.user, I'll take the 'line' and paste it in; I just don't have a handle on all the syntax.


So, I'd like to have 1190 redirected to 192.168.40.210 and have it go into that VPN directly, and bypass the router.

Thanks for any help.


Andrew

What exactly are you doing when you "try to log into PBX"? Is your VPN using TCP or UDP? Why are you using firewall.user instead of normal firewall rules? Why do you have TCP on one line and UDP on the next?

qasdfdsaq,

Thanks for replying.

the TCP/UDP was a cut and paste error.

I have 3 lines which should be related to port opening/forwarding to the PBX machine.

iptables -t nat -A prerouting_wan -p udp --dport 1190 -j ACCEPT
iptables -I FORWARD 1 -d 192.168.40.210 -p udp --dport 1190 -j ACCEPT
iptables -t nat -A PREROUTING -p udp --dport 1190 -j DNAT --to 192.168.40.210:1190

Trying to 'log on' means connecting via OpenVPN from a client machine.  I can use the VPN on the router without any problems.  I can't connect via a VPN client to the PBX machine.  Since the PBX machine has OpenVPN logging turned on and the logs don't change (using the append command in the server.conf) it seems realistic to believe that the outside client is never getting to the PBX machine - it's either getting blocked, dropped or lost by my router (RTR).

So, I have adjusted the TCP/UDP error - thank you - but I still don't connect using the 3 lines above.

I have removed the port forwarding rule from Luci and I'm using firewall.user only

What line(s) do I need to add/change in firewall.user to allow the machine at 192.168.40.210 to correctly grab client connections on port 1190 and seamlessly VPN into that machine?  I don't care about these VPN connections being able to see any other machine on the network - just the PBX.

Thanks.

Andrew

(Last edited by AndyInNYC on 2 Aug 2014, 00:31)

I struck my head repeatedly on my desk and had a thought - perhaps the Raspberry Pi is dropping the packets, not the router.

I temporarily disabled iptables on the Pi and 'bang' (like my head hitting the desk) the iPhone OpenVPN client connected.

Now I need a set of iptables lines to allow the VPN connection into the Pi over port 1190.

The Pi uses a different format in iptables than my firewall.user file, so I'm not sure of translation.  Additionally, I don't want/need access to the other machines on my network - just the Pi.

The Pi's iptables format reads like:

-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

whereas the firewall.user has iptables and -t or -I, etc.

Any help on what lines I need on the Pi's iptables to finish off my project?

Andrew

-A INPUT -p udp -m udp --dport 1190 -j ACCEPT

(Last edited by qasdfdsaq on 3 Aug 2014, 02:54)
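An added example, not from either poster, that builds on the one-line answer above: it writes the Pi-side rules in the iptables-save format the thread shows, accepting the forwarded OpenVPN port and letting VPN clients reach the Pi itself while never forwarding them onward to the rest of the LAN (the restriction Andrew asked for). It assumes the LAN interface is eth0, the OpenVPN tunnel interface is tun0 and the VPN client subnet is 10.8.0.0/24; none of those values are stated in the thread.

```shell
#!/bin/sh
# Added example: Pi (PBX) iptables fragment for an OpenVPN server on UDP 1190.
# Assumed values (not given in the thread): LAN interface, tun interface, VPN subnet.
VPN_PORT=1190
LAN_IF=eth0
VPN_IF=tun0
VPN_NET=10.8.0.0/24

# Emit the rules in iptables-save format, the same layout the Pi already uses.
# No chain policies are set here, so the fragment only appends to what exists.
pbx_vpn_rules() {
    cat <<EOF
*filter
# loopback and return traffic for connections the Pi already accepted
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# OpenVPN handshake arriving via the router's DNAT on the LAN side
-A INPUT -i $LAN_IF -p udp -m udp --dport $VPN_PORT -j ACCEPT
# VPN clients may talk to the Pi itself (Asterisk/FreePBX) ...
-A INPUT -i $VPN_IF -s $VPN_NET -j ACCEPT
# ... but are never routed onward to the other machines on the LAN
-A FORWARD -i $VPN_IF -j DROP
COMMIT
EOF
}

# Load the fragment without flushing the rules already on the Pi.
apply_pbx_vpn_rules() {
    pbx_vpn_rules | iptables-restore --noflush
}

# Sanity check: exactly one rule should open the VPN port.
vpn_port_rule_count() {
    pbx_vpn_rules | grep -c -- "--dport $VPN_PORT"
}

# Default run just prints the rule set for review; pass --apply to load it.
case "${1:-}" in
    --apply) apply_pbx_vpn_rules ;;
    *) pbx_vpn_rules ;;
esac
```

Run it once with no arguments to inspect the generated rules, then with --apply (as root) to load them.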
