
Topic: problem with Port Forwarding and OpenVPN


Hi everyone,

I hope you guys can help me out.

I have a problem with the Port Forwarding.
All ports are closed while OpenVPN is running, and all ports are open while OpenVPN is stopped.

My setting:
I have two routers: one for the Internet, and another with OpenWrt+OpenVPN behind the first.

Internet -> (Router 192.168.1.1) -> (OpenWRT wan 192.168.1.2) -> (OpenWRT lan 192.168.2.1) -> (OpenWRT VPN)

Software:
OpenWrt Barrier Breaker 14.07 / LuCI Trunk (0.12+svn-r10530)
openvpn-openssl     2.3.4-1

What i want:
Access to the OpenWrt LAN (port 12345, behind which a web server is running).
Using my public IP (that of the first router, not the VPN) as IP:PORT, I can only connect while OpenVPN is not running.

OpenVPN is normally running well; all clients on the LAN are tunneled.

Sorry for my bad English big_smile

/etc/config/network

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd07:c655:478c::/48'

config interface 'lan'
    option ifname 'eth0.1'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option ipaddr '192.168.2.1'
    option gateway '192.168.1.2'
    option dns '208.67.222.222 208.67.222.220'

config interface 'wan'
    option ifname 'eth0.2'
    option _orig_ifname 'eth0.2'
    option _orig_bridge 'false'
    option proto 'static'
    option ipaddr '192.168.1.2'
    option gateway '192.168.1.1'
    option netmask '255.255.255.0'
    option dns '208.67.222.222 208.67.222.220'

config interface 'wan6'
    option ifname '@wan'
    option proto 'dhcpv6'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0t 2 3 4 5'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '0t 1'

config interface 'VPN'
    option ifname 'tun255'
    option _orig_ifname 'tun255'
    option _orig_bridge 'false'
    option proto 'none'

/etc/config/firewall

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fe80::/10'
    option src_port '547'
    option dest_ip 'fe80::/10'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'

config zone
    option name 'wan'
    option network 'wan wan6'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config include
    option path '/etc/firewall.user'

config zone
    option input 'ACCEPT'
    option output 'ACCEPT'
    option name 'VPN'
    option network 'VPN'
    option masq '1'
    option mtu_fix '1'
    option forward 'ACCEPT'

config forwarding
    option dest 'VPN'
    option src 'lan'

route with OpenVPN

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         172.20.32.1     128.0.0.0       UG    0      0        0 tun255
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0.2
81.171.56.22    192.168.1.1     255.255.255.255 UGH   0      0        0 eth0.2
128.0.0.0       172.20.32.1     128.0.0.0       UG    0      0        0 tun255
172.20.32.0     *               255.255.252.0   U     0      0        0 tun255
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0.2
192.168.2.0     *               255.255.255.0   U     0      0        0 br-lan

route without OpenVPN

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0.2
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0.2
192.168.2.0     *               255.255.255.0   U     0      0        0 br-lan

ifconfig -a with OpenVPN

br-lan    Link encap:Ethernet  HWaddr F8:1A:67:D8:DF:70  
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fd07:c655:478c::1/60 Scope:Global
          inet6 addr: fe80::fa1a:67ff:fed8:df70/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5879 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6393 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:554839 (541.8 KiB)  TX bytes:2712087 (2.5 MiB)

eth0      Link encap:Ethernet  HWaddr F8:1A:67:D8:DF:70  
          inet6 addr: fe80::fa1a:67ff:fed8:df70/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10558 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5456 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4561347 (4.3 MiB)  TX bytes:1051233 (1.0 MiB)
          Interrupt:4

eth0.1    Link encap:Ethernet  HWaddr F8:1A:67:D8:DF:70  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:738 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:65097 (63.5 KiB)

eth0.2    Link encap:Ethernet  HWaddr F8:1A:67:D8:DF:70  
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::fa1a:67ff:fed8:df70/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10538 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4714 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4365184 (4.1 MiB)  TX bytes:963880 (941.2 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:4492 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4492 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:403671 (394.2 KiB)  TX bytes:403671 (394.2 KiB)

tun255    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:172.20.33.83  P-t-P:172.20.33.83  Mask:255.255.252.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:5 errors:0 dropped:0 overruns:0 frame:0
          TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:380 (380.0 B)  TX bytes:1640 (1.6 KiB)

wlan0     Link encap:Ethernet  HWaddr F8:1A:67:D8:DF:71  
          inet6 addr: fe80::fa1a:67ff:fed8:df71/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6166 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6647 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:670106 (654.4 KiB)  TX bytes:2890130 (2.7 MiB)

wlan1     Link encap:Ethernet  HWaddr F8:1A:67:D8:DF:72  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ifconfig -a without OpenVPN

br-lan    Link encap:Ethernet  HWaddr F8:1A:67:D8:DF:70  
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fd07:c655:478c::1/60 Scope:Global
          inet6 addr: fe80::fa1a:67ff:fed8:df70/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5877 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6344 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:554582 (541.5 KiB)  TX bytes:2708317 (2.5 MiB)

eth0      Link encap:Ethernet  HWaddr F8:1A:67:D8:DF:70  
          inet6 addr: fe80::fa1a:67ff:fed8:df70/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10211 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5280 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4490125 (4.2 MiB)  TX bytes:1029688 (1005.5 KiB)
          Interrupt:4

eth0.1    Link encap:Ethernet  HWaddr F8:1A:67:D8:DF:70  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:712 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:63460 (61.9 KiB)

eth0.2    Link encap:Ethernet  HWaddr F8:1A:67:D8:DF:70  
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::fa1a:67ff:fed8:df70/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10191 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4564 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4300208 (4.1 MiB)  TX bytes:944676 (922.5 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:4484 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4484 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:402659 (393.2 KiB)  TX bytes:402659 (393.2 KiB)

wlan0     Link encap:Ethernet  HWaddr F8:1A:67:D8:DF:71  
          inet6 addr: fe80::fa1a:67ff:fed8:df71/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6164 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6619 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:669821 (654.1 KiB)  TX bytes:2887859 (2.7 MiB)

wlan1     Link encap:Ethernet  HWaddr F8:1A:67:D8:DF:72  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

I played a little with iptables.

/etc/firewall.user

# Rewrite inbound TCP to port 38000 arriving on eth0.2 (the 'wan' VLAN
# interface in /etc/config/network above) to the router's own LAN address.
# NOTE(review): this only changes the destination; the reply path is chosen by
# the routing table. With OpenVPN up, the table above has 0.0.0.0/1 and
# 128.0.0.0/1 via tun255, so the SYN-ACK for a connection that arrived on
# eth0.2 presumably leaves via tun255 and never reaches the client - consistent
# with the SYN_RECV entries in the netstat output below.
# NOTE(review): the 'wan' zone in /etc/config/firewall above has input ACCEPT,
# so the DNAT target needs no separate accept rule; that same policy also makes
# every service listening on 192.168.1.2 reachable from the 192.168.1.0/24 side.
iptables -t nat -A PREROUTING -p tcp -i eth0.2 --dport 38000 -j DNAT --to-destination 192.168.2.1:38000

With this I get a SYN_RECV, but it never becomes ESTABLISHED (without this iptables rule I get nothing).
netstat -antun

root@OpenWrt:~# netstat -antun
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:38400           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:38500           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:38600           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:38000           0.0.0.0:*               LISTEN
tcp        0      0 192.168.2.1:38000       198.199.98.246:45265    SYN_RECV
tcp        0      0 192.168.2.1:38000       198.199.98.246:45271    SYN_RECV
tcp        0      0 192.168.2.1:38000       198.199.98.246:45268    SYN_RECV
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:38001           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:38002           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:38003           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:38100           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:38004           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:38005           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:38006           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:38999           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:38007           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:38200           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:38300           0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.2:22          192.168.1.5:45757       ESTABLISHED
tcp        0      0 192.168.2.1:38999       192.168.2.130:1027      ESTABLISHED
tcp        0      0 192.168.1.2:80          192.168.1.5:52603       ESTABLISHED
tcp        0    268 192.168.1.2:22          192.168.1.5:45666       ESTABLISHED
tcp        0      0 192.168.1.2:22          192.168.1.5:45748       ESTABLISHED
tcp        0      0 :::80                   :::*                    LISTEN
tcp        0      0 :::53                   :::*                    LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
udp        0      0 0.0.0.0:67              0.0.0.0:*
udp        0      0 0.0.0.0:56999           0.0.0.0:*
udp        0      0 0.0.0.0:1000            0.0.0.0:*
udp        0      0 :::546                  :::*
udp        0      0 :::547                  :::*
udp        0      0 :::53                   :::*

What's the problem? Please help sad

Can nobody help?

Does nobody have a working port forwarding + OpenVPN setup?

I still need help.

When your OpenWrt+OpenVPN router receives a connection request, it tries to answer using the VPN interface, because it is configured to send all traffic through the VPN interface (the routing table above shows this: with OpenVPN running there are two routes via tun255, 0.0.0.0/1 and 128.0.0.0/1, which together cover every destination and, being more specific, win over the default route via eth0.2). Then the device that sent the request receives an answer from a different IP address, and that confuses it. Other than receiving the connections on the VPN interface, I do not know of any solution for this problem.

eduperez wrote:

When your OpenWrt+OpenVPN router receives a connection request, it tries to answer using the VPN interface, because it is configured to send all traffic through the VPN interface. Then the device that sent the request receives an answer from a different IP address, and that confuses it. Other than receiving the connections on the VPN interface, I do not know of any solution for this problem.

Thanx eduperez. It could be the problem.

But how to solve it?

clara wrote:

Thanx eduperez. It could be the problem.

But how to solve it?

Sorry, but I have no solution for this...

It can't be that nobody has a solution.

push

So, I have now reinstalled everything, and I am now on Chaos Calmer.

It still doesn't work.

Guys, please help :'(

I have a very similar problem....
The set up:
Router Netgear WNDR3700.
Router OS: CHAOS CALMER 15.05, r46767 (git-15.248.30277-3836b45)

openvpn server installed, certificates and keys are generated, distributed... etc.

OpenVPN server itself configured, DDNS running and working just fine....

I can connect from the Internet via WAN (coming in on port 1194) to the router just fine, the tunnel is up, I can ping the router's IP, log in to the web GUI... and that is it! sad

No matter what i try with firewall rules and zone forwarding, nothing works.

I read the guides from OpenWRT.org up and down for a week.... erased and reconfigured from scratch about 4 times by now... with no success.

It appears as if there is something broken in CC 15.05 (iptables), but forwarding just does not work sad

IP of the router 192.168.0.1
IP of the OpenVPN is 10.0.8.1 (and it's a 'tun' set up)
VPN clients get connected and addresses 10.0.8.6, 10.0.8.7 and so on...
The tun0 interface itself has the address 10.0.8.1 (the OpenVPN server itself).

I can ping the 10.0.8.6 client from the router but not from LAN hosts in 192.168.0.XX network.


The goal is:
1. to be able to reach the internal LAN via the VPN;
2. to connect via the VPN from, let's say, a cell phone into the LAN and be routed out to the open Internet, so that the cell phone's public IP appears to be the IP of the cable modem at home.

If someone knows how to set this up correctly, please advise.



pfSense does just that with OpenVPN in a heartbeat... just the way I want it... no issues. It was simple to set up via the GUI, but I have to have a whole ESXi host running the pfSense instance, and it's a loud server that drains a lot of power.

If anyone from the OpenWrt project could possibly write a simple and straightforward wiki page to replace this setup, this router (OpenWrt OS + OpenVPN) would be a priceless gift from the open source community for the rest of us, to take some of our privacy and security back into users' hands.

Please help guys... !!!

(Last edited by SoCal_sky on 27 Oct 2015, 07:56)
