OpenWrt Forum Archive

Topic: Problem with firewall rules for routed OpenVPN network

The content of this topic has been archived on 9 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I have an openvpn server running on my 8.09.1 router.  My clients are able to connect to the VPN server and also ping/access the IP of the VPN server, however they are not able to reach any IPs behind the router (the routes are set up properly).  Before I upgraded to this version (from 8.07) I used these rules:

iptables -A INPUT   -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A OUTPUT  -o tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -j ACCEPT
iptables -A forwarding_rule -o tun+ -j ACCEPT
iptables -t nat -A postrouting_rule -o tun+ -j MASQUERADE

However, they don't seem to work anymore.  Does anyone know how to set this up properly (preferably in /etc/config/firewall)?  It needs to work both ways as the VPN is connecting two LANs.

Thanks for any help!
Thomas

Hello

I use these iptables rules in my "/etc/firewall.user":

## Set tun device to act as connection to the internet.
## Notice the -o tun+. This indicates that it is looking for outbound packets on tun+
iptables -t nat -I POSTROUTING -o tun+ -j MASQUERADE

## Accept all outgoing traffic to the internet
iptables -I OUTPUT -o tun+ -j ACCEPT

## Allow all outgoing forwarding
iptables -I FORWARD -o tun+ -j ACCEPT

## Allow only ESTABLISHED incoming packets.
## I guess this is for normal web browsing
iptables -I INPUT -i tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT

## Allow all incoming FORWARDed packets
iptables -I FORWARD -i tun+ -j ACCEPT

## Defining specific routes for port forwarding
iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 40098 -j DNAT --to 192.168.2.102

If still no joy.. check if you can ping a resolved IP on the internet.

Best regards
Ivar
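The same policy as the iptables rules above, written in the zone-based /etc/config/firewall format that Thomas asked about. This is an added example, not configuration from either post or from the OpenWrt project; it assumes the OpenVPN server creates tun0, that the VPN network and zone are both named "vpn" (keeping the two names identical is what ties the zone to the interface), and that the default "lan" zone exists. Comments are on their own lines because UCI does not accept a trailing comment after an option value.

```uci
# /etc/config/network: bind the tun device to a named network (added section).
# 'vpn' and 'tun0' are assumed names; change them to match the OpenVPN setup.
config interface vpn
	option ifname	tun0
	option proto	none

# /etc/config/firewall: a zone for the tunnel (added sections).
# input ACCEPT lets the remote side reach the router itself over the tunnel,
# which is what the posted rules permit with "-i tun+ ... ACCEPT".
# forward REJECT only governs traffic between two interfaces of the same zone.
config zone
	option name	vpn
	option input	ACCEPT
	option output	ACCEPT
	option forward	REJECT
	# The posted rules masquerade everything leaving tun+. For a routed
	# site-to-site link where both ends have return routes, masq can stay 0
	# so the remote LAN sees real source addresses; set it to 1 to NAT as
	# the iptables rules do.
	option masq	0

# The VPN joins two LANs, so forwarding is opened in both directions.
# This is the zone equivalent of the two FORWARD rules (-i tun+ and -o tun+).
config forwarding
	option src	vpn
	option dest	lan

config forwarding
	option src	lan
	option dest	vpn
```

After editing, restart the firewall (/etc/init.d/firewall restart) and check the result with "iptables -L FORWARD -n -v" and "iptables -t nat -L POSTROUTING -n -v": the vpn zone chains should show the ACCEPT entries for tun0, and a MASQUERADE entry only if masq was set to 1. If clients can still reach only the server's own IP, the routes on the remote end (not the firewall) are the next thing to verify.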
