OpenWrt Forum Archive

Topic: Kamikaze 8.09 OpenVPN routing/firewall problem

The content of this topic has been archived on 25 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello,

I seem to have a problem with my OpenVPN tunnel since I've moved from Kamikaze 7.09 to 8.09.
The exact same iptables rules don't seem to work anymore. The tunnel itself is already established, and both VPN gateways can ping each other, but the one I upgraded to 8.09 rejects packets going into or coming out of the tunnel with that "port xxxxx unreachable" message.

The other router, still running 7.09, forwards the packets correctly, so the rules themselves seem to be okay. Any ideas what could cause this strange behavior or how I can solve it?

I already spotted some other topics where people seem to have trouble as well with iptables and 8.09, but I didn't want to hijack their threads.

Any help would be appreciated.

Allowing forwarding of traffic in the web interface (Network > Firewall > Zones) magically solved my problem; the iptables rules now work lol

Hi,

I looked for nearly every hint on making OpenVPN work on my Kamikaze 8.09 on an Asus WL500gP, but nothing happens. So I am very glad about your note, but can you please provide the /etc/config/network and the /etc/config/firewall entries so I can compare them with mine?

Hello there,

I am not using these files.
My OpenWrt router is running behind a firewall where I have opened and forwarded the necessary UDP port (proto udp, lport = some numbers) to the OpenWrt router. Afterwards I start up the service via this script (quick and dirty, but it works fine for me):

------------------------------------------------------------------------
#!/bin/sh

# start the tunnel in the background; tun0 is defined in openvpn.conf
openvpn --daemon --config /etc/openvpn/openvpn.conf

# allow forwarding between the local LAN and the remote LAN behind the tunnel
iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.2.0/24 -j ACCEPT
# allow anything arriving from the tunnel interface to be forwarded
iptables -A FORWARD -i tun0 -j ACCEPT
------------------------------------------------------------------------

where tun0 (dev tun0) is the interface defined in my config file.

Is your connection already established? If you type logread you should see something like this:
OpenWrt daemon.notice openvpn[590]: Peer Connection Initiated with 99.88.66.123:6667
OpenWrt daemon.notice openvpn[590]: Initialization Sequence Completed

(Last edited by Kasei on 29 Apr 2009, 18:06)

Thanks for the details,

Really, I got the correct message. Or did I miss something leading to a failure situation?
It is OpenWrt 8.09 with LuCI, plain, directly from the download page; openvpn was added using LuCI.

I am using the tap interface because I need bridging. The router is firewall and gateway.
ipconfig on my machine gives the correct result.
It does not work on Windows Vista nor on Ubuntu Desktop 9.04.
I switched the firewalls off, or in Kaspersky I disabled "attacks from outside", which is normally also port 1194.
I switched off ALL firewalls.

The answer is just:

---------------------
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:
Reply from 212.203.93.205: Destination host unreachable.
Reply from 212.203.93.205: Destination host unreachable.
Reply from 212.203.93.205: Destination host unreachable.
Reply from 212.203.93.205: Destination host unreachable.

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

C:\>
--------------------


This is the response of my router:

Thu Apr 30 13:06:50 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Thu Apr 30 13:06:50 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Thu Apr 30 13:06:50 2009 LZO compression initialized
Thu Apr 30 13:06:50 2009 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Apr 30 13:06:50 2009 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Thu Apr 30 13:06:50 2009 Local Options hash (VER=V4): 'd79ca330'
Thu Apr 30 13:06:50 2009 Expected Remote Options hash (VER=V4): 'f7df56b8'
Thu Apr 30 13:06:50 2009 UDPv4 link local: [undef]
Thu Apr 30 13:06:50 2009 UDPv4 link remote: yy.xx.cc.vv:1194
Thu Apr 30 13:06:50 2009 TLS: Initial packet from yy.xx.cc.vv:1194, sid=c15140d2 be10373d
Thu Apr 30 13:06:54 2009 VERIFY OK: depth=1, /C=CH/ST=BE/L=Biel/O=Safern/CN=OpenVPN-CHBE/emailAddress=###
Thu Apr 30 13:06:54 2009 VERIFY OK: nsCertType=SERVER
Thu Apr 30 13:06:54 2009 VERIFY OK: depth=0, /C=CH/ST=BE/O=Safern/CN=server/emailAddress=###
Thu Apr 30 13:06:59 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Apr 30 13:06:59 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr 30 13:06:59 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Apr 30 13:06:59 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr 30 13:07:01 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Apr 30 13:07:01 2009 [server] Peer Connection Initiated with yy.xx.cc.vv:1194
Thu Apr 30 13:07:02 2009 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Apr 30 13:07:02 2009 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.1.1,ping 10,ping-restart 120,ifconfig 192.168.1.30 255.255.255.0'
Thu Apr 30 13:07:02 2009 OPTIONS IMPORT: timers and/or timeouts modified
Thu Apr 30 13:07:02 2009 OPTIONS IMPORT: --ifconfig/up options modified
Thu Apr 30 13:07:02 2009 OPTIONS IMPORT: route options modified
Thu Apr 30 13:07:02 2009 TAP-WIN32 device [Local Area Connection 5] opened: \\.\Global\{21072A12-42FF-4E6D-8D1D-56B63643CDD6}.tap
Thu Apr 30 13:07:02 2009 TAP-Win32 Driver Version 8.4
Thu Apr 30 13:07:02 2009 TAP-Win32 MTU=1500
Thu Apr 30 13:07:02 2009 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.1.30/255.255.255.0 on interface {21072A12-42FF-4E6D-8D1D-56B63643CDD6} [DHCP-serv: 192.168.1.0, lease-time: 31536000]
Thu Apr 30 13:07:02 2009 Successful ARP Flush on interface [37] {21072A12-42FF-4E6D-8D1D-56B63643CDD6}
Thu Apr 30 13:07:02 2009 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Thu Apr 30 13:07:02 2009 Route: Waiting for TUN/TAP interface to come up...
Thu Apr 30 13:07:03 2009 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
Thu Apr 30 13:07:03 2009 Initialization Sequence Completed


Now for the configuration.

This is my /etc/firewall.user:
---------------
iptables -I OUTPUT -o tap+ -j ACCEPT
iptables -I INPUT -i tap+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -o tap+ -j ACCEPT
iptables -I FORWARD -i tap+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -I POSTROUTING -o tap+ -j MASQUERADE
------------------

This is my /etc/config/firewall:
------------------
config 'defaults'
        option 'syn_flood' '1'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'

config 'zone'
        option 'name' 'lan'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'

config 'zone'
        option 'name' 'wan'
        option 'input' 'REJECT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'masq' '1'

config 'forwarding'
        option 'src' 'lan'
        option 'dest' 'lan'

config 'zone'
        option 'name' 'vpn'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'ACCEPT'
        option 'network' 'vpn'

config 'forwarding'
        option 'src' 'lan'
        option 'dest' 'vpn'

config 'forwarding'
        option 'src' 'vpn'
        option 'dest' 'lan'

config 'rule'
        option 'target' 'ACCEPT'
        option 'src' 'wan'
        option '_name' 'ping'
        option 'proto' 'icmp'


config 'rule'
        option 'target' 'ACCEPT'
        option '_name' 'ssh'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'dest_port' '22'


config 'rule'
        option 'target' 'ACCEPT'
        option '_name' 'vpn'
        option 'src' 'wan'
        option 'proto' 'udp'
        option 'dest_port' '1194'


config 'include'
        option 'path' '/etc/firewall.user'
------------------

This is my /etc/config/network:
------------------
#### VLAN configuration
config switch eth0
        option vlan0    "1 2 3 4 5*"
        option vlan1    "0 5"


#### Loopback configuration
config interface loopback
        option ifname   "lo"
        option proto    static
        option ipaddr   127.0.0.1
        option netmask  255.0.0.0


#### LAN configuration
config interface lan
        option type     bridge
        option ifname   "eth0.0"
        option proto    static
        option ipaddr   192.168.1.1
        option netmask  255.255.255.0


#### WAN configuration
config interface        wan
        option ifname   "eth0.1"
        option proto    dhcp


#### VPN configuration
config interface        vpn
        option ifname   tap0
        option proto    none
        option auto     disable
------------------

This is my /etc/config/openvpn:
------------------
config 'openvpn' 'my_net'
        option 'config' '/etc/openvpn/server.ovpn'
        option 'enable' '1'
------------------
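As an added example (not code from the thread or from OpenWrt), here is a small audit script that parses a UCI-style /etc/config/firewall like the one above and reports the default forward policy, which zone pairs are allowed to forward, and which ports the wan zone accepts. The SAMPLE text is constructed from the posted config, trimmed to the relevant sections.

```python
"""Audit an OpenWrt /etc/config/firewall (UCI syntax) for forwarding and WAN exposure."""
import shlex

# Constructed sample, trimmed from the firewall config posted in the thread.
SAMPLE = """\
config 'defaults'
        option 'forward' 'REJECT'
config 'zone'
        option 'name' 'lan'
        option 'forward' 'REJECT'
config 'zone'
        option 'name' 'wan'
        option 'input' 'REJECT'
        option 'forward' 'REJECT'
        option 'masq' '1'
config 'zone'
        option 'name' 'vpn'
        option 'forward' 'ACCEPT'
        option 'network' 'vpn'
config 'forwarding'
        option 'src' 'lan'
        option 'dest' 'vpn'
config 'forwarding'
        option 'src' 'vpn'
        option 'dest' 'lan'
config 'rule'
        option 'target' 'ACCEPT'
        option 'src' 'wan'
        option 'proto' 'udp'
        option 'dest_port' '1194'
"""

def parse_uci(text):
    """Return [(section_type, {option: value}), ...] in file order.
    Accepts both the quoted form (option 'name' 'lan') and the bare form
    (option ifname tap0); '#' comment lines are skipped by shlex."""
    sections = []
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if not words:
            continue
        if words[0] == "config" and len(words) >= 2:
            sections.append((words[1], {}))
        elif words[0] in ("option", "list") and len(words) >= 3 and sections:
            sections[-1][1][words[1]] = " ".join(words[2:])
    return sections

def audit(text):
    """Summarise what the firewall lets through: default forward policy,
    zone-to-zone forwardings, zones that accept intra-zone forwarding,
    and (proto, port) pairs accepted from the wan zone."""
    secs = parse_uci(text)
    defaults = next((o for t, o in secs if t == "defaults"), {})
    return {
        "default_forward": defaults.get("forward", "REJECT"),
        "forwardings": sorted((o["src"], o["dest"]) for t, o in secs if t == "forwarding"),
        "open_zones": [o["name"] for t, o in secs if t == "zone" and o.get("forward") == "ACCEPT"],
        "wan_accepts": [(o.get("proto"), o.get("dest_port")) for t, o in secs
                        if t == "rule" and o.get("src") == "wan" and o.get("target") == "ACCEPT"],
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```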
