OpenWrt Forum Archive

Topic: Firewall settings for OpenVPN on Kamikaze 8.09 - no connection

The content of this topic has been archived on 11 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi!

3 years of absence ;)

After years of happily using all WhiteRussians up to version 0.9 on my 3 WRT54Gv2.2 I tried the new Kamikaze 8.09 with kernel 2.6.
So far I am very pleased with the new uci, stability and easy setup.
BUT: Setting up the firewall for OpenVPN is a mess! At least there is not a single howto for OpenVPN on Kamikaze 8.09 (counterexamples welcome!). Well, there are forum entries, but they always bypass the new clean config structure and use crippled old config files and iptables directly.

What I want to achieve: the WRT54G should work as VPN server. The clients connect to it from the internet through the wan port (via a routed VPN tunnel) and should then be able to reach the public internet via the WRT54G. This is the most simple roadwarrior setup: clients anywhere in the world get a secured internet connection by using the home internet connection.

Enough text.

Here's what I did so far:

1. Installed openvpn and all dependencies. (Be aware: the most recent libopenssl_0.9.8i-3 produces a false error: "not enough memory". You have to use the slightly older libopenssl_0.9.8i-1 from 8.09 RC2 instead which works perfectly.)

2. Created all keys and certificates and set up the config files for vpn-server and clients. This is fairly easy and clear due to the excellent docs for OpenVPN.
On the WRT54G I used the sample-server part of /etc/config/openvpn with mostly the default settings since I want to use a routed tunnel (the "easier" way...).

3. In /etc/config/network I added

#### VPN configuration
config interface    vpn
    option ifname    tun0
    option proto    none

4. Set up openvpn to be started automatically with

/etc/init.d/openvpn enable

5. Now comes the difficult part: firewall.
I added the following to /etc/config/firewall:

config zone
    option name        vpn
    option input    ACCEPT
    option output    ACCEPT
    option forward    REJECT

config forwarding
    option src    lan
    option dest    vpn

config forwarding
    option src    vpn
    option dest    lan

config rule
    option name        vpn
    option dest        wan        #'src wan' isn't working either
    option dest_port    1234
    option proto    udp
    option target    ACCEPT

What is wrong?
How can that most simple VPN-setup work?

Interesting note: With WhiteRussian installed I could ping the router's IP (dynamically assigned by the ISP) from the internet by default.
With Kamikaze I can't. There is simply no response. I guess that might be the problem. What needs to be changed?

Thanks for any help!

Hi.

Still no solution but I think I forgot to clarify the problem itself:
OpenVPN is running smoothly on client and server but the server's firewall doesn't let the client in to establish a VPN tunnel:
Client's attempts to connect stop with the message "TLS Error: TLS key negotiation failed to occur within 60 seconds".

According to OpenVPN's HowTo the server's firewall still blocks the VPN port.
But WHY? I thought my 'config rule' should be enough to open that udp port!?
What else is blocking?

Since in this case the VPN server is also the NAT gateway I don't need to set up a port forward rule (right??).

Once again, a few details:

For testing I activated inclusion of firewall.user in /etc/config/firewall and tried the following in firewall.user:

iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -t nat -A prerouting_rule -i $WAN -p udp --dport 1234 -j ACCEPT
iptables -A input_rule -i $WAN -p udp -j ACCEPT

Changed nothing.
This:

iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I INPUT -i tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -I POSTROUTING -o tun+ -j MASQUERADE

Didn't work either.

How the heck can I get the firewall to accept connections from outside (internet)??

The following in /etc/config/firewall works for me.

config zone
        option name             lan
        option network          "lan vpn"
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

# open a port for OpenVPN connections
config rule
        option  src             wan
        option  dest_port       1194
        option  target          ACCEPT
        option  proto           udp

Hope they can be some help to you.

Thanx!
BTW: I realized that I forgot to set the $WAN variable in my first try of firewall.user - STUPID. So this works for me now:

WAN=$(uci get network.wan.ifname)

iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -t nat    -A prerouting_rule    -i $WAN -p udp --dport 1234    -j ACCEPT
iptables        -A input_rule        -i $WAN -p udp                    -j ACCEPT

But I'll give your version a try since it is nicer to just use the config/firewall and not the old firewall.user.

(Last edited by Netzfetz on 11 Apr 2009, 23:41)

Hmm, buildster, your settings for zone "lan" don't work for me...
I have to stick to the firewall.user file.
Does anyone know how to translate these iptables back to the nicer uci options for config/firewall?

Netzfetz wrote:

Hmm, buildster, your settings for zone "lan" don't work for me...
I have to stick to the firewall.user file.
Does anyone know how to translate these iptables back to the nicer uci options for config/firewall?

An assumption of my firewall settings for zone lan is that you still have the following defined in /etc/config/network, in addition to interface lan:

#### VPN configuration
config interface    vpn
    option ifname   tun0
    option proto    none
    option auto     disable # perhaps, optional

With those settings, no need to touch firewall.user.

Yep, I still have the vpn interface set in /etc/config/network. Exactly the same as you.
But I still do need the following line in firewall.user:

iptables -A input_rule -i $(uci get network.wan.ifname) -p udp --dport 1234 -j ACCEPT

Otherwise OpenVPN cannot establish a connection.

Somehow this must be set as an "input_rule". The Chain "zone_wan" (as it is set by 'config rule') does not work for this.

The above line in /etc/firewall.user and the setting for the vpn interface in /etc/config/network are the ONLY two things that are necessary for a VPN connection to work. All the other settings do not change anything.

Does someone know how to write that iptables line in /etc/firewall.user in uci style?

Now I am stuck again: the vpn connection is up and running but from a client I can only ping the vpn server itself (10.8.0.1) and the router's lan IP (192.168.1.1). A client cannot access the internet or another IP in the router's lan.
What's the best way to change that? Static routes (I want to avoid that)? Bridging of interfaces?

I already tried the push route and DNS stuff in vpn server config but that did not help.

Arrrgh: SPAM! But why in my thread only??

BTW: I found a solution!
With the following code in /etc/firewall.user the whole OpenVPN setup finally works as desired:

WAN=$(uci get network.wan.ifname)
VPN=$(uci get network.vpn.ifname)

iptables -A input_rule  -i $WAN -p udp --dport 1234     -j ACCEPT
iptables -I     INPUT   -i $VPN                         -j ACCEPT
iptables -I     FORWARD -i $VPN                         -j ACCEPT
iptables -I     OUTPUT  -o $VPN                         -j ACCEPT
iptables -I     FORWARD -o $VPN                         -j ACCEPT

Any idea how to put that in /etc/config/firewall to get rid of /etc/firewall.user?

I have this:

config 'zone'
        option 'name' 'vpn'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'ACCEPT'
        option 'network' 'vpn'


config 'forwarding'
        option 'src' 'lan'
        option 'dest' 'vpn'
        option 'forward' 'ACCEPT'

and my VPN works fine.

After quite a bit of head pounding I have the same sort of configuration working.

/etc/config/network:

config 'interface' 'vpn'
        option 'ifname' 'tun0'
        option 'proto' 'none'
        option 'auto' 'disable'
        option 'defaultroute' '0'
        option 'peerdns' '0'

/etc/config/firewall:

config 'rule'
        option '_name' 'OpenVPN'
        option 'src' 'wan'
        option 'target' 'ACCEPT'
        option 'proto' 'udp'
        option 'dest_port' '1194'

config 'zone'
        option 'name' 'vpn'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'ACCEPT'
        option 'network' 'vpn'

config 'forwarding'
        option 'src' 'lan'
        option 'dest' 'vpn'
        option 'forward' 'ACCEPT'

config 'forwarding'
        option 'src' 'vpn'
        option 'dest' 'lan'

My next question is whether I need to have more than one tun interface when I have more than one client. At the moment I have a single VPN client, but very shortly I'll have more than one. Under Kamikaze 7.0 I had an iptables rule like the one Netzfetz showed above which applied to input interface tun+.

On a separate note, the GUI won't allow you to specify source/destination ports when configuring firewall rules. Any known workaround to that?
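An added check, not from the thread, that lints an /etc/config/firewall text for the three pieces the posts above converge on: a vpn zone bound to its interface via option network, an ACCEPT rule for the OpenVPN UDP port from wan, and forwarding in both directions between lan and vpn. Both embedded configs are constructed: one mirrors the working config just posted, the other the zone-without-network and dest-instead-of-src attempt from the first post.

```shell
#!/bin/sh
# Lint an OpenWrt 8.09 /etc/config/firewall for the OpenVPN pieces discussed
# in this thread. Added example, not from the thread; it needs only awk, so it
# can run off the router on a copied file:   check_fw 1194 < firewall
#
# Checks:
#   1. a zone named vpn whose option network lists vpn (this binds the zone to
#      the tun interface; without it zone_vpn is created but never used)
#   2. a rule with src wan, proto udp, dest_port <port>, target ACCEPT
#   3. forwarding lan -> vpn and vpn -> lan

# Constructed sample mirroring the working configuration posted above.
GOOD_FW="config 'rule'
        option '_name' 'OpenVPN'
        option 'src' 'wan'
        option 'target' 'ACCEPT'
        option 'proto' 'udp'
        option 'dest_port' '1194'

config 'zone'
        option 'name' 'vpn'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'ACCEPT'
        option 'network' 'vpn'

config 'forwarding'
        option 'src' 'lan'
        option 'dest' 'vpn'

config 'forwarding'
        option 'src' 'vpn'
        option 'dest' 'lan'
"

# Constructed sample modelled on the first post: the zone has no option
# network, and the rule says dest wan instead of src wan.
BAD_FW="config zone
    option name     vpn
    option input    ACCEPT
    option output   ACCEPT
    option forward  REJECT

config forwarding
    option src  lan
    option dest vpn

config forwarding
    option src  vpn
    option dest lan

config rule
    option name      vpn
    option dest      wan
    option dest_port 1234
    option proto     udp
    option target    ACCEPT
"

# check_fw PORT  (config text on stdin): prints OK, or one MISSING line per
# absent piece, and exits 1 when anything is missing.
check_fw() {
    awk -v port="${1:-1194}" -v q="'" '
        function flush(   k) {
            if (type == "zone" && opt["name"] == "vpn") {
                zone_vpn = 1
                if ((" " opt["network"] " ") ~ / vpn /) zone_net = 1
            }
            if (type == "rule" && opt["src"] == "wan" && opt["proto"] == "udp" &&
                opt["dest_port"] == port && opt["target"] == "ACCEPT") rule_ok = 1
            if (type == "forwarding" && opt["src"] == "lan" && opt["dest"] == "vpn") fwd_lv = 1
            if (type == "forwarding" && opt["src"] == "vpn" && opt["dest"] == "lan") fwd_vl = 1
            for (k in opt) delete opt[k]
            type = ""
        }
        { gsub(q, "") }                      # UCI quoting is optional: drop it
        $1 == "config" { flush(); type = $2 }
        $1 == "option" {                     # value = everything after the key
            v = $0
            sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            opt[$2] = v
        }
        END {
            flush()
            if (!zone_vpn) print "MISSING: config zone with option name vpn"
            else if (!zone_net) print "MISSING: option network vpn in zone vpn (zone is not bound to the tun interface)"
            if (!rule_ok) print "MISSING: config rule src wan, proto udp, dest_port " port ", target ACCEPT"
            if (!fwd_lv)  print "MISSING: config forwarding src lan dest vpn"
            if (!fwd_vl)  print "MISSING: config forwarding src vpn dest lan"
            ok = zone_vpn && zone_net && rule_ok && fwd_lv && fwd_vl
            if (ok) print "OK"
            if (ok) exit 0
            exit 1
        }
    '
}
```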

@12

Much head banging here too trying to get the firewall to pass traffic from VPN road warrior to internal LAN. Thanks for the firewall and network rules. Worked like a champ!

Great thread, thought I'd add one or two things.

If you have more than one vpn client connecting in, you can specify tun+ instead of tun0, which will match all tun interfaces, not just the first to connect to tun0.

This is what I have in /etc/config/network:

config 'interface' 'vpn'
        option 'ifname' 'tun+'
        option 'proto' 'none'

As far as I can tell, nothing else is necessary in the network config, at least with 8.09.1.

Can't get this to work with a stock 8.09.1 (brcm47xx) for a WL500GPv1 downloaded from downloads.openwrt.org.

This is what I did after flashing 8.09.1:

root@OpenWrt:~# passwd
root@OpenWrt:~# opkg update; opkg install openvpn ntpclient
root@OpenWrt:~# mkdir -p /etc/openvpn
me@box$ scp static.key root@192.168.1.1:/etc/openvpn/static.key
root@OpenWrt:~# /etc/init.d/openvpn enable
root@OpenWrt:~# reboot

My network, firewall and openvpn UCI configuration files:

package 'network'

config 'switch' 'eth0'
        option 'vlan0' '1 2 3 4 5*'
        option 'vlan1' '0 5'

config 'interface' 'loopback'
        option 'ifname' 'lo'
        option 'proto' 'static'
        option 'ipaddr' '127.0.0.1'
        option 'netmask' '255.0.0.0'

config 'interface' 'lan'
        option 'type' 'bridge'
        option 'ifname' 'eth0.0'
        option 'proto' 'static'
        option 'netmask' '255.255.255.0'
        option 'ipaddr' '192.168.1.1'

config 'interface' 'wan'
        option 'ifname' 'eth0.1'
        option 'proto' 'dhcp'

config 'interface' 'vpn'
        option 'proto' 'none'
        option 'ifname' 'tun+'

package 'firewall'

config 'defaults'
        option 'syn_flood' '1'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'

config 'zone'
        option 'name' 'lan'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'

config 'zone'
        option 'name' 'wan'
        option 'input' 'REJECT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'masq' '1'

config 'forwarding'
        option 'src' 'lan'
        option 'dest' 'wan'
        option 'mtu_fix' '1'

config 'include'
        option 'path' '/etc/firewall.user'

config 'zone'
        option 'name' 'vpn'
        option 'input' 'ACCEPT'
        option 'forward' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'network' 'vpn'

config 'forwarding'
        option 'src' 'lan'
        option 'dest' 'vpn'

config 'forwarding'
        option 'src' 'vpn'
        option 'dest' 'lan'

package 'openvpn'

config 'openvpn' 'custom_config'
        option 'enable' '0'
        option 'config' '/etc/openvpn/my-vpn.conf'

config 'openvpn' 'sample_server'
        option 'enable' '0'
        option 'port' '1194'
        option 'proto' 'udp'
        option 'dev' 'tun'
        option 'ca' 'ca.crt'
        option 'cert' 'server.crt'
        option 'key' 'server.key'
        option 'dh' 'dh1024.pem'
        option 'server' '10.8.0.0 255.255.255.0'
        option 'ifconfig_pool_persist' 'ipp.txt'
        option 'keepalive' '10 120'
        option 'comp_lzo' '1'
        option 'persist_key' '1'
        option 'persist_tun' '1'
        option 'status' 'openvpn-status.log'
        option 'verb' '3'

config 'openvpn' 'sample_client'
        option 'enable' '0'
        option 'client' '1'
        option 'dev' 'tun'
        option 'proto' 'udp'
        list 'remote' 'my_server_1 1194'
        option 'resolv_retry' 'infinite'
        option 'nobind' '1'
        option 'persist_key' '1'
        option 'persist_tun' '1'
        option 'ca' 'ca.crt'
        option 'cert' 'client.crt'
        option 'key' 'client.key'
        option 'comp_lzo' '1'
        option 'verb' '3'

config 'openvpn' 'server_routed_ptp'
        option 'dev' 'tun'
        option 'proto' 'udp'
        option 'port' '1194'
        option 'ifconfig' '10.0.0.1 10.0.0.2'
        option 'mssfix' '1420'
        option 'keepalive' '10 60'
        option 'verb' '3'
        option 'comp_lzo' '1'
        option 'secret' '/etc/openvpn/static.key'
        option 'enable' '1'

But no tun interface in the iptables rules :(

root@OpenWrt:~# ( iptables -nvL; iptables -t nat -nvL )           
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
  189 15623 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    1    68 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
   22  1312 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 
   31  2468 input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   31  2468 input      all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 forward    all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
  190 33143 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    1    68 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
    3   212 output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    3   212 output     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           

Chain forwarding_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_vpn (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   31  2468 zone_lan   all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           

Chain input_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_vpn (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    3   212 zone_lan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_wan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_vpn_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain reject (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset 
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   22  1312 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 25/sec burst 50 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   31  2468 input_lan  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   31  2468 zone_lan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination         
   31  2468 ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           
    3   212 ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_MSSFIX (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 TCPMSS     tcp  --  *      br-lan  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU 

Chain zone_lan_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           
    0     0 reject     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 zone_vpn_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_wan_MSSFIX  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_wan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 forwarding_lan  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_lan_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_vpn (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 input_vpn  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_vpn_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_vpn_ACCEPT (4 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_vpn_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_vpn_MSSFIX (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_vpn_REJECT (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_vpn_forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 zone_lan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 forwarding_vpn  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_vpn_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 input_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_wan_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_wan_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_wan_MSSFIX (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_wan_REJECT (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_wan_forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 forwarding_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_wan_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain PREROUTING (policy ACCEPT 72 packets, 11505 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   72 11505 zone_lan_prerouting  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           
   72 11505 prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT 4 packets, 280 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    4   280 postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    4   280 zone_wan_nat  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 5 packets, 348 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_vpn (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_lan_nat (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   72 11505 prerouting_lan  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_vpn_nat (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_vpn_prerouting (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 prerouting_vpn  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_nat (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_wan_prerouting (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 prerouting_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
root@OpenWrt:~#

What am I doing wrong? I'd like to make the full config work using UCI.

(Last edited by Dogge on 13 Sep 2009, 14:37)
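An added diagnostic, not from the thread, that reads an "iptables -nvL" listing like the one above and reports which zones the firewall actually bound to an interface: in that listing zone_vpn (and zone_wan) show "(0 references)", i.e. no interface matched those zones when /etc/init.d/firewall ran, while only br-lan was attached to zone_lan. The embedded listing is a constructed excerpt of the one posted above.

```shell
#!/bin/sh
# Added diagnostic (not from the thread) for the 8.09 firewall: given the
# output of `iptables -nvL`, find zones whose top-level zone_<name> chain has
# zero references. Such a zone exists in the ruleset but is not bound to any
# interface, which is what the listing above shows for zone_vpn.
#
# On the router:  iptables -nvL > /tmp/fw.txt; . ./check_zones.sh; report /tmp/fw.txt

# Constructed excerpt of the listing above (only the chains the checks use).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   172 input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    3   172 input      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   172 zone_lan   all  --  br-lan *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   172 input_lan  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_vpn (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 input_vpn  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_vpn_ACCEPT (4 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_wan (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 input_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# unattached_zones (listing on stdin): print, space separated and in order of
# appearance, the zones whose zone_<name> chain has "(0 references)".
# The per-zone helper chains (zone_x_ACCEPT, zone_x_forward, ...) are skipped.
unattached_zones() {
    awk '
        $1 == "Chain" && $2 ~ /^zone_/ &&
        $2 !~ /_(ACCEPT|DROP|REJECT|MSSFIX|forward|nat|prerouting)$/ {
            refs = $3; sub(/^\(/, "", refs)          # "(0" -> "0"
            if (refs + 0 == 0) {
                z = $2; sub(/^zone_/, "", z)
                out = out (out ? " " : "") z
            }
        }
        END { print out }
    '
}

# zone_interfaces (listing on stdin): print "zone interface" pairs taken from
# the "input" chain, where the firewall jumps to zone_<name> per in-interface.
zone_interfaces() {
    awk '
        /^Chain / { inchain = ($2 == "input"); next }
        inchain && $3 ~ /^zone_/ { z = $3; sub(/^zone_/, "", z); print z, $6 }
    '
}

# report FILE: human-readable summary of a saved listing.
report() {
    echo "zones bound to an input interface:"
    zone_interfaces < "$1" | sed 's/^/  /'
    u=$(unattached_zones < "$1")
    if [ -n "$u" ]; then
        echo "zones with no interface bound (was the interface up when the firewall started? try ifup <name>): $u"
    fi
}
```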

Stupid me. Forgot a 'ifup vpn'. Then everything is fine.

Almost fine. The VPN connection isn't brought up on boot. There was an attempt (https://dev.openwrt.org/changeset/17544) to fix this, but it was not the right way.

To bring up the VPN connection on boot, use the OpenVPN up/down parameters.

root@OpenWrt:~# uci set openvpn.server_routed_ptp.up='"/sbin/ifup vpn"'
root@OpenWrt:~# uci set openvpn.server_routed_ptp.down='"/sbin/ifdown vpn"'
root@OpenWrt:~# uci commit openvpn
root@OpenWrt:~# reboot

This is just a workaround. Finally ifup/ifdown and adding/deleting firewall rules/zones should be managed via hotplug.

If you are using trunk you also have to add the openvpn.server_routed_ptp.script_security option. This is because trunk uses a newer version of OpenVPN.

root@OpenWrt:~# uci set openvpn.server_routed_ptp.script_security=2
root@OpenWrt:~# uci commit openvpn
root@OpenWrt:~# /etc/init.d/openvpn restart

(Last edited by Dogge on 13 Sep 2009, 18:20)
