OpenWrt Forum Archive

Topic: OpenVPN and default routing issues.

The content of this topic has been archived on 26 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I have an OpenWrt Kamikaze 8.09 running on a WRT54G.
My base layout is the following:
lan<-172.16.2.x->openwrt
internet<-dynip->dslrouter<-192.168.1.x->openwrt

With that layout, everything works flawlessly, lan clients can communicate between them and access the internet.

I've now added an OpenVPN that connects from the OpenWrt to an internet server, and has a 10.8.0.x IP and NAT on the other side.
This VPN connects, adds the tun0 and pushes the proper routes to make the VPN the default gateway.
This works fine, as indicated by the fact that from the OpenWrt, traceroute goes through the VPN, ping works, and curl'ing whatismyip.com shows TCP is also going fine through the VPN.

However my LAN clients don't seem to be able to do anything anymore once the VPN goes up. They can still communicate between them but not with the internet anymore; neither the direct connection through the dslrouter nor the VPN one seem to work anymore.

Any hints as to what I am supposed to do?

Normal routes:

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.2.0      0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0.1
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0.1

Routes when vpn is up:

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
91.121.88.169   192.168.1.1     255.255.255.255 UGH   0      0        0 eth0.1
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
172.16.2.0      0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0.1
0.0.0.0         10.8.0.5        128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.8.0.5        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0.1

It is probably the NAT rule for your LAN.
It is set up by hardcoding network devices, so it does not "pick up" the change in default gateway.

This is what I have on my OpenWRTv1.0:

Chain POSTROUTING (policy ACCEPT 279K packets, 19M bytes)
 pkts bytes target     prot opt in     out     source               destination
 928K   88M postrouting_rule  all  --  any    any     anywhere             anywhere
 817K   80M MASQUERADE  all  --  any    ppp0    anywhere             anywhere

You have something similar, but with "eth0.1" instead of "ppp0" (the wan interface).

You need to add something like this:

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

Note that you probably also need other rules that are in place for your standard WAN interface (eth0.1), like allowing incoming connections, port forwardings, etc.

Hopefully this points you toward the solution.
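As an added illustration (not code from the thread): a longest-prefix match over the routing table posted above shows why LAN traffic leaves through tun0 once the two /1 routes are installed, and which egress interface is left without a MASQUERADE rule. The destination addresses used below are constructed test values; the route and NAT data are copied from the thread.

```python
import ipaddress

# Routing table with the VPN up, copied from the `route -n` output above:
# destination, gateway, genmask, interface.
ROUTES_VPN_UP = """\
10.8.0.5        0.0.0.0         255.255.255.255 tun0
91.121.88.169   192.168.1.1     255.255.255.255 eth0.1
10.8.0.1        10.8.0.5        255.255.255.255 tun0
172.16.2.0      0.0.0.0         255.255.255.0   br-lan
192.168.1.0     0.0.0.0         255.255.255.0   eth0.1
0.0.0.0         10.8.0.5        128.0.0.0       tun0
128.0.0.0       10.8.0.5        128.0.0.0       tun0
0.0.0.0         192.168.1.1     0.0.0.0         eth0.1
"""

# Outgoing interfaces covered by a MASQUERADE rule in nat/POSTROUTING:
# before the fix only the WAN interface, after it also tun0.
MASQ_BEFORE = {"eth0.1"}
MASQ_AFTER = {"eth0.1", "tun0"}

# Constructed sample destinations: two public hosts (one in each half of
# the address space), the VPN server itself, and a LAN host.
SAMPLE_DESTINATIONS = ["100.64.0.1", "203.0.113.7", "91.121.88.169", "172.16.2.8"]


def parse_routes(text):
    """Return (network, gateway, iface) tuples from `route -n` style lines."""
    routes = []
    for line in text.splitlines():
        dest, gw, mask, iface = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins.
    The two /1 routes pushed by redirect-gateway def1 therefore beat the
    /0 default without the default having to be removed."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[2]


def egress_without_masq(routes, destinations, masq_ifaces):
    """Egress interfaces a LAN client's packets would leave through with their
    private 172.16.2.x source address untouched (br-lan is local, no NAT)."""
    egress = {lookup(routes, d) for d in destinations}
    return sorted(egress - masq_ifaces - {"br-lan"})


if __name__ == "__main__":
    routes = parse_routes(ROUTES_VPN_UP)
    for d in SAMPLE_DESTINATIONS:
        print(f"{d:>15} -> {lookup(routes, d)}")
    print("unmasqueraded before fix:", egress_without_masq(routes, SAMPLE_DESTINATIONS, MASQ_BEFORE))
    print("unmasqueraded after fix: ", egress_without_masq(routes, SAMPLE_DESTINATIONS, MASQ_AFTER))
```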

Thanks! For port forwarding I already had my rules planned. I just hadn't thought I needed to add the NAT rules for that interface.

How would I do port forwarding actually? (Incoming connections on tun0/from 10.8.0.x with destination port a-b should be sent to IP 172.16.2.8.)

You probably need to issue the iptables commands by hand (or in custom boot script).
It should be same as for regular forwardings, just replacing the WAN interface with "tun0".

How good are you with iptables ?

I can manage simple stuff, but in this case I can't figure out why it isn't working:

iptables -t nat -I PREROUTING -p tcp -m tcp -i tun0 --dport 65000:65200 -j DNAT --to-destination 172.16.2.8

Am I doing something wrong? (I want incoming connections from tun0 to be forwarded to 172.16.2.8 on my LAN.)

This is starting to drive me insane. I've checked that the forwarding works properly on the router, and it does (nc -l does receive the connection); however the destination computer on the LAN does not.

root@YGGDRASIL:~# iptables -L -v
Chain INPUT (policy ACCEPT 71 packets, 8026 bytes)
 pkts bytes target     prot opt in     out     source               destination
   91  4336 DROP       all  --  any    any     anywhere             anywhere            state INVALID
10638 4620K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
   35  2295 ACCEPT     all  --  lo     any     anywhere             anywhere
   14   840 syn_flood  tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
 1995  140K input_rule  all  --  any    any     anywhere             anywhere
 1993  140K input      all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  551  129K DROP       all  --  any    any     anywhere             anywhere            state INVALID
19450 4923K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
 6170  429K forwarding_rule  all  --  any    any     anywhere             anywhere
 6170  429K forward    all  --  any    any     anywhere             anywhere
    0     0 reject     all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 47 packets, 2972 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID
12133 1651K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
   35  2295 ACCEPT     all  --  any    lo      anywhere             anywhere
  155 10998 output_rule  all  --  any    any     anywhere             anywhere
  155 10998 output     all  --  any    any     anywhere             anywhere

Chain forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
 6170  429K zone_lan_forward  all  --  br-lan any     anywhere             anywhere
    0     0 zone_wan_forward  all  --  eth0.1 any     anywhere             anywhere

Chain forwarding_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_vpn (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1906  130K zone_lan   all  --  br-lan any     anywhere             anywhere
   13  1787 zone_wan   all  --  eth0.1 any     anywhere             anywhere

Chain input_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_vpn (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output (1 references)
 pkts bytes target     prot opt in     out     source               destination
  155 10998 zone_lan_ACCEPT  all  --  any    any     anywhere             anywhere
  153 10341 zone_wan_ACCEPT  all  --  any    any     anywhere             anywhere
   47  2972 zone_vpn_ACCEPT  all  --  any    any     anywhere             anywhere

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain reject (5 references)
 pkts bytes target     prot opt in     out     source               destination
   10  1135 REJECT     tcp  --  any    any     anywhere             anywhere            reject-with tcp-reset
    3   652 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination
   14   840 RETURN     tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain zone_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1906  130K input_lan  all  --  any    any     anywhere             anywhere
 1906  130K zone_lan_ACCEPT  all  --  any    any     anywhere             anywhere

Chain zone_lan_ACCEPT (5 references)
 pkts bytes target     prot opt in     out     source               destination
 8076  558K ACCEPT     all  --  br-lan any     anywhere             anywhere
    2   657 ACCEPT     all  --  any    br-lan  anywhere             anywhere

Chain zone_lan_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  br-lan any     anywhere             anywhere
    0     0 DROP       all  --  any    br-lan  anywhere             anywhere

Chain zone_lan_MSSFIX (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TCPMSS     tcp  --  any    br-lan  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

Chain zone_lan_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     all  --  br-lan any     anywhere             anywhere
    0     0 reject     all  --  any    br-lan  anywhere             anywhere

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
 6170  429K zone_lan_ACCEPT  all  --  any    any     anywhere             anywhere
    0     0 zone_wan_MSSFIX  all  --  any    any     anywhere             anywhere
    0     0 zone_wan_ACCEPT  all  --  any    any     anywhere             anywhere
    0     0 zone_vpn_ACCEPT  all  --  any    any     anywhere             anywhere
    0     0 forwarding_lan  all  --  any    any     anywhere             anywhere
    0     0 zone_lan_REJECT  all  --  any    any     anywhere             anywhere

Chain zone_vpn (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 input_vpn  all  --  any    any     anywhere             anywhere
    0     0 zone_vpn_ACCEPT  all  --  any    any     anywhere             anywhere

Chain zone_vpn_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_vpn_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_vpn_MSSFIX (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_vpn_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_vpn_forward (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  any    any     anywhere             172.16.2.8             udp dpts:65000:65200
    0     0 ACCEPT     tcp  --  any    any     anywhere             172.16.2.8             tcp dpts:65000:65200
    0     0 zone_lan_ACCEPT  all  --  any    any     anywhere             anywhere
    0     0 forwarding_vpn  all  --  any    any     anywhere             anywhere
    0     0 zone_vpn_REJECT  all  --  any    any     anywhere             anywhere

Chain zone_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination
   13  1787 input_wan  all  --  any    any     anywhere             anywhere
   13  1787 zone_wan_REJECT  all  --  any    any     anywhere             anywhere

Chain zone_wan_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0.1 any     anywhere             anywhere
  106  7369 ACCEPT     all  --  any    eth0.1  anywhere             anywhere

Chain zone_wan_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  eth0.1 any     anywhere             anywhere
    0     0 DROP       all  --  any    eth0.1  anywhere             anywhere

Chain zone_wan_MSSFIX (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TCPMSS     tcp  --  any    eth0.1  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

Chain zone_wan_REJECT (2 references)
 pkts bytes target     prot opt in     out     source               destination
   13  1787 reject     all  --  eth0.1 any     anywhere             anywhere
    0     0 reject     all  --  any    eth0.1  anywhere             anywhere

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 zone_lan_ACCEPT  all  --  any    any     anywhere             anywhere
    0     0 forwarding_wan  all  --  any    any     anywhere             anywhere
    0     0 zone_wan_REJECT  all  --  any    any     anywhere             anywhere
root@YGGDRASIL:~# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 8208 packets, 586K bytes)
 pkts bytes target     prot opt in     out     source               destination
   13  1787 zone_wan_prerouting  all  --  eth0.1 any     anywhere             anywhere
 8051  564K zone_lan_prerouting  all  --  br-lan any     anywhere             anywhere
 8149  582K prerouting_rule  all  --  any    any     anywhere             anywhere

Chain POSTROUTING (policy ACCEPT 42 packets, 3305 bytes)
 pkts bytes target     prot opt in     out     source               destination
 6412  429K postrouting_rule  all  --  any    any     anywhere             anywhere
 6412  429K zone_wan_nat  all  --  any    any     anywhere             anywhere
 4832  322K zone_vpn_nat  all  --  any    any     anywhere             anywhere
 4794  319K MASQUERADE  all  --  any    tun0    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 201 packets, 14015 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_vpn (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_lan_nat (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  any    br-lan  anywhere             anywhere

Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
 8051  564K prerouting_lan  all  --  any    any     anywhere             anywhere

Chain zone_vpn_nat (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_vpn_prerouting (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 prerouting_vpn  all  --  any    any     anywhere             anywhere
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere            tcp dpts:65000:65200 to:172.16.2.8:65000-65200
    0     0 DNAT       udp  --  any    any     anywhere             anywhere            udp dpts:65000:65200 to:172.16.2.8:65000-65200

Chain zone_wan_nat (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1580  107K MASQUERADE  all  --  any    eth0.1  anywhere             anywhere

Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
   13  1787 prerouting_wan  all  --  any    any     anywhere             anywhere
root@YGGDRASIL:~# cat /etc/config/firewall
config 'defaults'
        option 'syn_flood' '1'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'

config 'zone'
        option 'name' 'lan'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'

config 'zone'
        option 'name' 'wan'
        option 'input' 'REJECT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'masq' '1'

config 'zone'
        option 'name' 'vpn'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'masq' '1'

config 'forwarding'
        option 'src' 'lan'
        option 'dest' 'vpn'
        option 'mtu_fix' ''

config 'forwarding'
        option 'src' 'lan'
        option 'dest' 'wan'
        option 'mtu_fix' '1'

config 'forwarding'
        option 'src' 'lan'
        option 'dest' 'lan'
        option 'mtu_fix' ''

config 'forwarding'
        option 'mtu_fix' ''
        option 'src' 'wan'
        option 'dest' 'lan'

config 'redirect' 'MainForward'
        option 'src' 'vpn'
        option 'src_dport' '65000-65200'
        option 'dest_ip' '172.16.2.8'
        option 'dest_port' '65000-65200'
        option 'proto' 'tcpudp'

config 'forwarding'
        option 'src' 'vpn'
        option 'dest' 'lan'
        option 'mtu_fix' ''

config 'include'
        option 'path' '/etc/firewall.user'
root@YGGDRASIL:~# cat /etc/firewall.user
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
root@YGGDRASIL:~# cat /etc/config/network

config 'switch' 'eth0'
        option 'vlan0' '1 2 3 4 5*'
        option 'vlan1' '0 5'

config 'interface' 'loopback'
        option 'ifname' 'lo'
        option 'proto' 'static'
        option 'ipaddr' '127.0.0.1'
        option 'netmask' '255.0.0.0'

config 'interface' 'lan'
        option 'ifname' 'eth0.0'
        option 'proto' 'static'
        option 'netmask' '255.255.255.0'
        option 'macaddr' ''
        option 'ipaddr' '172.16.2.1'
        option 'ip6addr' ''
        option 'gateway' ''
        option 'ip6gw' ''
        option 'dns' ''
        option 'type' 'bridge'

config 'interface' 'wan'
        option 'ifname' 'eth0.1'
        option 'macaddr' ''
        option 'ip6addr' ''
        option 'netmask' '255.255.255.0'
        option 'gateway' '192.168.1.1'
        option 'ip6gw' ''
        option 'ipaddr' '192.168.1.10'
        option 'proto' 'static'
        option 'dns' ' 208.67.222.222 208.67.220.220 192.168.1.1'

config 'interface' 'vpn'
        option 'ifname' 'tun0'

Using the log option, here's the info about the incoming packet that should be forwarded (but isn't):

IN=tun0 OUT= MAC= SRC=91.197.33.49 DST=10.8.0.6 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=64811 DF PROTO=TCP SPT=46734 DPT=65006 WINDOW=5840 RES=0x00 SYN URGP=0

(Last edited by DeathWolf on 1 Aug 2009, 13:41)

I managed to get it working by using manual FORWARD and INPUT level rules.
However, that kind of defeats the purpose of the UCI config...

The problem is that, for example, I don't see any input_vpn zone created... most of the vpn zone flow is missing.

Okay, for future reference for people using OpenVPN to route all of their traffic through the VPN: once your VPN is set up you'll want to add this to your /etc/firewall.user to get proper masquerading.

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

As for port forwarding, let's say you want to forward incoming connections on the VPN on ports 65000-65200 to 172.16.2.8; add this:

iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 65000:65200 -j DNAT --to-destination 172.16.2.8
iptables -I FORWARD -i tun0 -p tcp -d 172.16.2.8 --dport 65000:65200 -j ACCEPT

The discussion might have continued from here.