OpenWrt Forum Archive

Topic: OpenWRT and OpenVPN

The content of this topic has been archived on 1 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

All,

I'm not exactly an IPTables expert, and maybe this could be an issue for the OpenVPN forums. However, I have an OpenVPN server separate from my OpenWRT box on my internal LAN. I have the rules set up as seen below. You will notice that I'm forwarding TCP/443 to my .200 OpenVPN box. Using TCP/443 works fine, but I'd like the option of using UDP/1194, which is the OpenVPN default and which is why those rules are also listed. When I have tried this, my clients cannot connect to the server. Going back to TCP/443 works. I've narrowed it down to the firewall since I can connect internally on UDP/1194 to the server. I can also connect remotely to a different OpenVPN server on UDP/1194. So it seems that either 1) there's something wrong with my firewall rules or 2) OpenWRT/IPTables has an issue with UDP traffic. This issue also seems to occur, FWIW, on a Sonicwall firewall I'm attempting to configure for a client, but that's another matter.

Any help would be appreciated.

Thanks

MDH

#!/bin/sh
. /etc/functions.sh

WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)

## Start from empty user chains so re-running the script does not duplicate rules
iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule

### BIG FAT DISCLAIMER
## The "-i $WAN" is used to match packets that come in via the $WAN interface.
## It WILL NOT MATCH packets sent from the $WAN IP address -- you won't be able
## to see the effects from within the LAN.

### Open port to WAN
## -- This allows port 22 to be answered by (dropbear on) the router
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
iptables        -A input_rule      -i $WAN -p tcp --dport 22 -j ACCEPT
## -- Ports 80 and 443 on the router itself are left closed (commented out)
#iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 80 -j ACCEPT
#iptables        -A input_rule      -i $WAN -p tcp --dport 80 -j ACCEPT
#iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 443 -j ACCEPT
#iptables        -A input_rule      -i $WAN -p tcp --dport 443 -j ACCEPT

### OpenVPN tunnel interfaces
## -- Accept traffic arriving on any tun/tap interface on the router itself
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT

### Port forwarding
## -- This forwards port 8080 on the WAN to port 80 on 192.168.75.200
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 8080 -j DNAT --to 192.168.75.200:80
iptables        -A forwarding_rule -i $WAN -p tcp --dport 80 -d 192.168.75.200 -j ACCEPT
## -- TCP/443 to the OpenVPN box (this works)
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 443 -j DNAT --to 192.168.75.200:443
iptables        -A forwarding_rule -i $WAN -p tcp --dport 443 -d 192.168.75.200 -j ACCEPT
## -- UDP/1194 (the OpenVPN default) to the same box (clients cannot connect this way)
iptables -t nat -A prerouting_rule -i $WAN -p udp --dport 1194 -j DNAT --to 192.168.75.200:1194
iptables        -A forwarding_rule -i $WAN -p udp --dport 1194 -d 192.168.75.200 -j ACCEPT
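An added sanity check (my own example, not code from the post or from OpenWrt): a small Python audit that pairs every DNAT in prerouting_rule with its ACCEPT in forwarding_rule and reports a forward that is translated but never accepted, or accepted but never translated. The rule text embedded below is the post's three forwards reproduced as constructed input; the check says nothing about whether conntrack handles the UDP replies, only whether the rule pairs are consistent.

```python
import shlex

# The three port forwards from the post above, reproduced here as constructed
# sample input for the checker (same rules as the original script).
RULES = """
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 8080 -j DNAT --to 192.168.75.200:80
iptables        -A forwarding_rule -i $WAN -p tcp --dport 80 -d 192.168.75.200 -j ACCEPT
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 443 -j DNAT --to 192.168.75.200:443
iptables        -A forwarding_rule -i $WAN -p tcp --dport 443 -d 192.168.75.200 -j ACCEPT
iptables -t nat -A prerouting_rule -i $WAN -p udp --dport 1194 -j DNAT --to 192.168.75.200:1194
iptables        -A forwarding_rule -i $WAN -p udp --dport 1194 -d 192.168.75.200 -j ACCEPT
"""

# iptables flags the audit cares about, mapped to field names
KEYS = {"-t": "table", "-A": "chain", "-i": "iif", "-p": "proto", "--dport": "dport",
        "-d": "dst", "-j": "target", "--to": "to", "--to-destination": "to"}

def parse_rule(line):
    """Parse one 'iptables -A ...' invocation into a dict; None for blank, comment or -F lines."""
    argv = shlex.split(line, comments=True)
    if argv[:1] != ["iptables"]:
        return None
    opts = {"table": "filter"}
    for flag, value in zip(argv[1:], argv[2:]):
        if flag in KEYS:
            opts[KEYS[flag]] = value
    return opts if "chain" in opts else None

def audit(script):
    """Return findings: DNATs with no matching forward ACCEPT, and ACCEPTs with no DNAT."""
    dnat, accept = [], []
    for line in script.splitlines():
        r = parse_rule(line)
        if r is None:
            continue
        if r["table"] == "nat" and r.get("target") == "DNAT":
            host, _, port = r["to"].partition(":")      # --to host[:port]
            dnat.append((r.get("proto"), host, port or r.get("dport")))
        elif r.get("chain") == "forwarding_rule" and r.get("target") == "ACCEPT":
            accept.append((r.get("proto"), r.get("dst"), r.get("dport")))
    findings = ["DNAT %s to %s:%s has no forwarding_rule ACCEPT" % d for d in dnat if d not in accept]
    findings += ["forwarding_rule ACCEPT %s %s:%s has no matching DNAT" % a for a in accept if a not in dnat]
    return findings

if __name__ == "__main__":
    for f in audit(RULES) or ["all DNAT/forward pairs are consistent"]:
        print(f)
```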

I have this problem too and it is a serious problem. Basically I have an OpenVPN server under an OpenWrt router/firewall, and clients can access it using openvpn/udp.

I have a server on the Internet that other people can reach via openvpn/udp, but I am not able to reach it because my client is in a LAN inside the OpenWrt router/firewall I mentioned above.

With openvpn/tcp it works.

I have used tcpdump to track the problem and I have discovered that NAT does not work for UDP. So UDP packets from client to server are OK. But return packets from server to client stop at the OpenWrt gateway because NAT does not recognize them as "return packets", so it does not change their destination address and port.

I am using 7.09.

It is a serious bug, please try to solve it.

The discussion might have continued from here.