1 (edited by mamat_do 2017-08-15 14:02:39)

Topic: [SOLVED] Openvpn Openwrt connection problem with Ipcop as server

I am trying to connect a LEDE router (TP-Link TL-WR1043ND v2) as an OpenVPN client to an IPCop box that acts as the OpenVPN server.
From the user's PC I can already ping the remote tunnel endpoint 10.10.73.1.
But from the user's PC I cannot ping, or reach port 80 on, the server at 192.168.0.170 behind the IPCop.
Previously, when both ends were IPCop (IPCop client to IPCop server), the server behind the IPCop was reachable.
The problem started when the IPCop OpenVPN client was replaced by the LEDE OpenVPN client.
Please help for enlightenment
Sorry for my bad English

PS: the IPCop OpenVPN server is not administered by me, so I cannot change the server side.

user------------------------lede--------------------------net-------------------ipcop------------server
192.168.73.20----192.168.73.26----10.10.73.2----------10.10.73.1-------------192.168.0.170

openvpn config

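# OpenVPN client instance on the LEDE router. The server end is an IPCop box that the poster
# does not administer, so cipher/compression choices below are dictated by that server.
config openvpn 'OscarBEKASI'
# float: keep accepting packets from the peer even if its source address/port changes.
# Authentication still rests on TLS, but it widens what the UDP socket accepts; drop it
# unless the server's address really does move.
option float '1'
# LZO compression inside the tunnel. Compressing attacker-influenced plaintext is a known
# information-leak class (VORACLE); it has to match the server, so disabling it is a
# server-side decision.
option comp_lzo 'yes'
# 'tun' takes the first free tunN device (normally tun0); the network config must name the
# same device for the firewall zone to bind to it.
option dev 'tun'
option verb '3'
# Server public address (redacted) and its non-default port.
option remote '123.231.xxx.xxx'
option port '2073'
# Ping the peer every 10 s; restart the tunnel after 60 s without a reply.
option keepalive '10 60'
option proto 'udp'
# BF-CBC is a 64-bit-block cipher and is exposed to the SWEET32 birthday attack on
# long-lived, busy tunnels. It must match the server, so moving to AES (e.g. AES-256-CBC
# or AES-256-GCM) requires the IPCop operator to change it.
option cipher 'BF-CBC'
# Static point-to-point tunnel addresses: this end 10.10.73.2, server end 10.10.73.1.
option ifconfig '10.10.73.2 10.10.73.1'
# Act as the TLS client. Nothing here checks that the peer presents a *server* certificate
# (no remote_cert_tls / ns_cert_type), so any client certificate issued by the same CA could
# impersonate the server. Enable the line below once the IPCop server certificate is
# confirmed to carry the serverAuth EKU (older IPCop CAs may only set nsCertType).
#option remote_cert_tls 'server'
option tls_client '1'
# Send the network behind IPCop (192.168.0.0/24) through the tunnel.
option route '192.168.0.0 255.255.255.0'
option tun_mtu '1400'
# Certificate material uploaded through LuCI; the key file should be readable by root only.
option ca '/etc/luci-uploads/cbid.openvpn.OscarBEKASI.ca'
option cert '/etc/luci-uploads/cbid.openvpn.OscarBEKASI.cert'
option key '/etc/luci-uploads/cbid.openvpn.OscarBEKASI.key'
# Fixed: the original line was missing the closing quote, which UCI rejects.
option enabled '1'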


network config

# Network configuration as posted (LEDE on a TP-Link TL-WR1043ND v2).
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

# IPv6 ULA prefix generated by LEDE at first boot; not sensitive.
config globals 'globals'
option ula_prefix 'fd6b:cc75:5764::/48'

# LAN bridge, 192.168.73.26/24 (the "lede" box in the diagram above).
# LAN clients are handed the OpenDNS resolvers listed here.
config interface 'lan'
option type 'bridge'
option ifname 'eth1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option dns '208.67.222.123 208.67.220.123'
option ipaddr '192.168.73.26'

# Static public WAN address (redacted in the post). What is reachable on it is governed by
# the 'wan' firewall zone in the firewall config below.
config interface 'wan'
option ifname 'eth0'
option origifname 'eth0'
option origbridge 'false'
option proto 'static'
option netmask '255.255.255.240'
option gateway '202.158.xxx.xxx'
option ipaddr '202.158.xxx.xxx'

# IPv6 on the same WAN port via DHCPv6.
config interface 'wan6'
option ifname 'eth0'
option proto 'dhcpv6'

# Switch/VLAN split. VLAN 1 (ports 1-4 plus CPU port 0) is the LAN side (eth1) and VLAN 2
# (ports 5 and 6) the WAN side (eth0) -- presumably, per this board's usual port map; confirm.
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'

config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 0'

config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 6'

# Guest Wi-Fi on its own subnet; isolated from the LAN by the 'guest' firewall zone.
config interface 'guest'
option origifname 'wlan0-1'
option origbridge 'false'
option proto 'static'
option ipaddr '192.168.5.1'
option netmask '255.255.255.0'
option dns '208.67.222.123 208.67.220.123'

# Unmanaged (proto none) interfaces that only give tun0/tun1 a logical name so the 'vpn'
# firewall zone can bind to them. The posted OpenVPN instance uses 'dev tun', which takes
# the first free tunN (normally tun0); nothing in the posted config creates tun1, so vpn1 is
# presumably a leftover -- check with 'ip link' which device actually carries the tunnel.
config interface 'vpn0'
option ifname 'tun0'
option proto 'none'
option auto '1'

config interface 'vpn1'
option proto 'none'
option ifname 'tun1'
option auto '1'


firewall config

# fw3 firewall configuration as posted. Semantics used in the notes below: a 'config rule'
# with 'src' but no 'dest' matches traffic addressed to the router itself (INPUT); with both
# it matches forwarded traffic. Rules are evaluated before the 'config forwarding' stanzas,
# and a zone's own 'forward' option is the policy for traffic between networks of that zone.

# default: accept DHCP renewals from the WAN. Not needed with a static WAN address; harmless.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

# default: the router answers ICMP echo from the internet.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

# default: forward ESP and IKE (UDP 500) from the WAN into the LAN. Only useful if a LAN host
# runs an IPsec responder; remove both rules if nothing does.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

# Guest clients may use the router's own resolver (no dest => traffic to the router).
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
option name 'guest dns'
option src 'guest'

# Disabled: guests are not allowed to query external resolvers directly.
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
option name 'guest dns on wan'
option src 'guest'
option dest 'wan'
option enabled '0'

# DHCP between guests and the router.
config rule
option target 'ACCEPT'
option proto 'udp'
option src_port '67-68'
option dest_port '67-68'
option name 'guest dhcp'
option src 'guest'

# Explicit guest -> lan DROP. There is no guest -> lan forwarding anyway, so this is
# belt-and-braces; worth keeping so a later forwarding cannot silently open it.
config rule
option src 'guest'
option dest 'lan'
option name 'Deny Guest -> LAN'
option proto 'all'
option target 'DROP'

# Guests get only HTTP and HTTPS to the internet; the DROP rule after these two catches
# everything else before the guest -> wan forwarding below is reached.
config rule
option target 'ACCEPT'
option src 'guest'
option dest 'wan'
option name 'Allow Guest -> WAN 80'
option proto 'tcp'
option dest_port '80'

config rule
option target 'ACCEPT'
option src 'guest'
option dest 'wan'
option name 'Allow Guest -> WAN 443'
option proto 'tcp'
option dest_port '443'

config rule
option src 'guest'
option dest 'wan'
option name 'Deny Guest -> WAN'
option proto 'all'
option target 'DROP'

# Global policies for traffic not covered by any zone; the wan zone overrides input/forward
# to REJECT below. syn_flood enables SYN rate limiting.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

# Trusted LAN zone: the router accepts everything from 192.168.73.0/24.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'

# WAN zone: no unsolicited input or forwarding, NAT for outbound (masq), MSS clamping (mtu_fix).
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'

# LAN may initiate connections to the internet.
config forwarding
option src 'lan'
option dest 'wan'

# Hand-written iptables rules, if any, live in /etc/firewall.user (not posted).
config include
option path '/etc/firewall.user'

# Guest zone: nothing reaches the router except what the guest rules above allow.
config zone
option name 'guest'
option forward 'REJECT'
option output 'ACCEPT'
option network 'guest'
option input 'REJECT'

# Guest may reach the internet, narrowed to TCP 80/443 by the rules above.
config forwarding
option dest 'wan'
option src 'guest'

# Opens UDP 1194 from the internet to the router. The posted OpenVPN config is a *client*
# to port 2073 and nothing here listens on 1194, so this exposes nothing today -- but it
# serves no purpose either; remove it unless a server instance is planned.
config rule
option name 'Allow-OpenVPN-Inbound'
option target 'ACCEPT'
option src 'wan'
option proto 'udp'
option dest_port '1194'

# VPN zone. As written, everything arriving from the tunnel is accepted by the router
# itself (input ACCEPT), forwarded to the LAN and to the internet by the two forwardings
# below, and masqueraded. The first post says the IPCop server is not administered by the
# poster, so this hands a third party's network full access to whatever services this
# router runs, to the LAN, and to outbound internet via this router's public address.
# For the stated goal (LAN hosts reaching 192.168.0.170) only the lan -> vpn forwarding is
# needed; consider input 'REJECT' here and dropping the vpn -> lan / vpn -> wan forwardings.
# masq on this zone rewrites LAN sources leaving tun0 to 10.10.73.2, which is presumably
# why the server side can reply without a route back to 192.168.73.0/24.
config zone
option name 'vpn'
option input 'ACCEPT'
option forward 'ACCEPT'
option output 'ACCEPT'
option masq '1'
option network 'vpn0 vpn1'

# Remote side of the tunnel may open connections to LAN hosts (see note above).
config forwarding
option dest 'lan'
option src 'vpn'

# Remote side of the tunnel may use this router's internet connection (see note above).
config forwarding
option dest 'wan'
option src 'vpn'

# LAN hosts may open connections through the tunnel -- the only forwarding the stated
# use case requires.
config forwarding
option dest 'vpn'
option src 'lan'

Re: [SOLVED] Openvpn Openwrt connection problem with Ipcop as server

I found one hint: if I temporarily stop the firewall with /etc/init.d/firewall stop,
then I can reach host 192.168.0.170 behind the IPCop. (Note for readers: on a router with a public WAN address this also removes WAN input filtering and NAT, so only do it briefly for diagnosis and restart the firewall right afterwards.)
But unfortunately I still have not found the actual fix...
Please help me give the solution, as well as for learning for me...

Re: [SOLVED] Openvpn Openwrt connection problem with Ipcop as server

You can assign the VPN interface to the "lan" firewall zone.

From the web UI:
Network => Interfaces => VPN => Firewall Settings => Assign firewall zone => lan (the green option)

Be aware that this gives the far end of the tunnel the same unrestricted access as your own LAN; if LAN hosts only need to reach the server, a lan -> vpn forwarding is the narrower fix.

Best regards.

Re: [SOLVED] Openvpn Openwrt connection problem with Ipcop as server

wow.... thank you bro....
I think with:

# Allows connections initiated from the LAN to go out through the tunnel (and only that
# direction). This stanza is already present in the firewall config posted above.
config forwarding
option dest 'vpn'
option src 'lan'

is enough...

Can you explain more clearly about

Network => interfaces => VPN => firewall settings => Assing Firewall Zone => LAN (green option)

or in config is:

# Equivalent of the LuCI step: the tunnel interface is added to the trusted 'lan' zone.
config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    # NOTE(review): listing vpn1 here gives the remote side of the tunnel -- a server the
    # poster does not administer -- the same unrestricted input/forward access as local LAN
    # hosts. Also, the posted OpenVPN instance uses 'dev tun' (normally tun0 = vpn0), so
    # confirm which interface actually carries the tunnel before binding it.
    option network 'lan vpn1'

Once again I say many thanks...

Re: [SOLVED] Openvpn Openwrt connection problem with Ipcop as server

mamat_do wrote:

wow.... thank you bro....

(^u^)

mamat_do wrote:

I think with:

config forwarding
option dest 'vpn'
option src 'lan'

is enough...

Yes, that forwarding is enough, and it is the narrower option: it lets LAN hosts initiate connections through the tunnel without exposing the router or the LAN to the remote side.


mamat_do wrote:

Can you explain more clearly about

Network => interfaces => VPN => firewall settings => Assing Firewall Zone => LAN (green option)

or in config is:

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan vpn1'

Sorry it's my way to show you how to find this configuration under luci. I forgot to mention this!


mamat_do wrote:

Once again I say many thanks...

You're welcome!

Best regards.

Emiliano - gamba47

Re: [SOLVED] Openvpn Openwrt connection problem with Ipcop as server

Sorry for my bad English...
If you do not mind, what is the meaning of the configuration below?

# Defines a firewall zone named 'lan' whose INPUT, OUTPUT and FORWARD policies are all
# ACCEPT, and places both the 'lan' and 'vpn1' networks inside it.
config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    # Everything in this zone is trusted equally, including whatever is behind vpn1.
    option network 'lan vpn1'

Thank you for your attention

Re: [SOLVED] Openvpn Openwrt connection problem with Ipcop as server

mamat_do wrote:

Sorry for my bad English...
If you do not mind, what is the meaning of the command below:

Sure, let me try!

Every line says something:

config zone

Starts the definition of a firewall zone.

option name 'lan'

This zone will be named "lan" (you can use whatever name you want).

option input 'ACCEPT'

In this zone, the INPUT chain (traffic addressed to the router itself) will have ACCEPT as its policy.

option output 'ACCEPT'

In this zone, the OUTPUT chain (traffic the router itself sends) will have ACCEPT as its policy.

option forward 'ACCEPT'

In this zone, the FORWARD chain (traffic passing through the router between networks of this zone) will have ACCEPT as its policy.

option network 'lan vpn1'

"lan" and "vpn1" will be the networks (interfaces) that belong to this zone.

In other words, this is a trusted zone: every packet going into the router (input), leaving the router (output) or passing through it (forward) from these networks is accepted without further checks. Putting the VPN interface in this zone therefore extends that trust to whatever is on the far end of the tunnel, so only do it when you trust the remote network.

mamat_do wrote:

Thank you for your attention

Once you have learned this, spread the word!

Take a look at this
https://wiki.mikrotik.com/wiki/Manual:Packet_Flow

It is for MikroTik, but the same concepts apply to any Linux system. It is useful to know how firewall tables, chains and policies fit together.

Best regards.

Emiliano - gamba47

Re: [SOLVED] Openvpn Openwrt connection problem with Ipcop as server

Sorry if i ask again....
Could you also explain the following:

# Lets the remote side of the tunnel open connections to hosts on the LAN.
config forwarding
option dest 'lan'
option src 'vpn'

# Lets the remote side of the tunnel use this router's internet connection (masqueraded
# behind the WAN address by the 'wan' zone).
config forwarding
option dest 'wan'
option src 'vpn'

# Lets LAN hosts open connections through the tunnel to the server side. For the goal in
# this thread (reaching 192.168.0.170 from the LAN) this is the only one of the three that
# is required; the first two extend trust to a server not administered by the poster.
config forwarding
option dest 'vpn'
option src 'lan'

Thanks before