OpenWrt Forum Archive

Topic: OpenConnect VPN routing or firewall issue

The content of this topic has been archived on 27 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I am using OpenConnect to connect to my company's VPN.

Here is the configuration of the routing table, /etc/config/network and /etc/config/firewall:

root@OpenWrt:/etc/openconnect# ifconfig
ath0      Link encap:Ethernet  HWaddr 00:15:6D:65:6E:61  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:251471 errors:0 dropped:251471 overruns:0 frame:0
          TX packets:1047688 errors:0 dropped:12 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:19313512 (18.4 MiB)  TX bytes:1536932110 (1.4 GiB)

br-lan    Link encap:Ethernet  HWaddr 00:15:6D:65:6E:61  
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:221763 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1043059 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:17101478 (16.3 MiB)  TX bytes:1536375571 (1.4 GiB)

eth0      Link encap:Ethernet  HWaddr 00:15:6D:C1:C6:8C  
          inet addr:98.248.227.26  Bcast:255.255.255.255  Mask:255.255.254.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:47159339 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3560913 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1816519211 (1.6 GiB)  TX bytes:314131055 (299.5 MiB)
          Interrupt:4 

eth1      Link encap:Ethernet  HWaddr 00:15:6D:C1:C6:8D  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:302782 errors:0 dropped:0 overruns:0 frame:0
          TX packets:511215 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:38697009 (36.9 MiB)  TX bytes:645819991 (615.9 MiB)
          Interrupt:5 

eth1.1    Link encap:Ethernet  HWaddr 00:15:6D:C1:C6:8D  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:301713 errors:0 dropped:0 overruns:0 frame:0
          TX packets:510763 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:34395662 (32.8 MiB)  TX bytes:645771017 (615.8 MiB)

eth1.2    Link encap:Ethernet  HWaddr 00:15:6D:C1:C6:8D  
          inet addr:192.168.3.1  Bcast:192.168.3.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1064 errors:0 dropped:0 overruns:0 frame:0
          TX packets:450 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:62169 (60.7 KiB)  TX bytes:48890 (47.7 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:923 errors:0 dropped:0 overruns:0 frame:0
          TX packets:923 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:128195 (125.1 KiB)  TX bytes:128195 (125.1 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.5.205  P-t-P:192.168.5.205  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1406  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wifi0     Link encap:UNSPEC  HWaddr 00-15-6D-65-6E-61-00-00-00-00-00-00-00-00-00-00  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10007693 errors:34 dropped:0 overruns:0 frame:1874852
          TX packets:8346917 errors:17700 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:195 
          RX bytes:1726218823 (1.6 GiB)  TX bytes:3465644896 (3.2 GiB)
          Interrupt:48 

---------------------------------

root@OpenWrt:/etc/openconnect# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
192.168.7.0     192.168.5.205   255.255.255.0   UG        0 0          0 tun1
192.168.22.0    192.168.5.205   255.255.255.0   UG        0 0          0 tun1
12.15.7.0       192.168.5.205   255.255.255.0   UG        0 0          0 tun1
192.168.3.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1.2
10.8.0.0        10.8.0.2        255.255.255.0   UG        0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 br-lan
172.22.235.0    192.168.5.205   255.255.255.0   UG        0 0          0 tun1
172.22.88.0     192.168.5.205   255.255.255.0   UG        0 0          0 tun1
98.248.226.0    0.0.0.0         255.255.254.0   U         0 0          0 eth0
0.0.0.0         98.248.226.1    0.0.0.0         UG        0 0          0 eth0

----------------------------------

/etc/config/network:

config interface cvpn
        option ifname   tun1
        option auto     1
        option proto    none

---------------------------------

/etc/config/firewall:

config 'zone'
        option 'name' 'cvpn'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'

config 'forwarding'
        option 'src' 'cvpn'
        option 'dest' 'lan'

config 'forwarding'
        option 'src' 'wan'
        option 'dest' 'cvpn'

config 'forwarding'
        option 'src' 'cvpn'
        option 'dest' 'wan'

However, I can only access destinations on the end of the VPN from the router itself (i.e. a destination of 192.168.22.62). If I am on a device connected through the LAN it just times out.

As you can see in the firewall rules I added forwards from LAN to CVPN and vice versa.

When doing a tcpdump on the tun1 interface (cvpn) I see traffic coming in from the LAN device to 192.168.22.62 but nothing else.

Any help would be appreciated.

Thanks

If stuff just times out it is usually an indication of a missing route pointing back to you, especially since you do not masquerade according to the config above.
Since it is unlikely that your company network will add a route back into your private LAN, you more or less must masquerade the "cvpn" zone to hide all your LAN behind your single VPN client IP.
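A corrected /etc/config/firewall fragment for the cvpn zone, added here as an illustration and not taken from the thread: it applies the masquerading the reply recommends and includes the lan-to-cvpn forwarding the original post says was added but which does not appear in the pasted config. The options 'network', 'masq' and 'mtu_fix' are standard OpenWrt firewall zone options; the example assumes the interface is still named cvpn as in the posted /etc/config/network, and that the wan<->cvpn forwardings from the original are dropped (the page gives no reason the company VPN should be reachable from the Internet side).

```uci
# Zone for the OpenConnect tunnel. Without 'masq', LAN hosts reach the company
# network with their 192.168.1.x source addresses, and the replies have no
# route back: exactly the timeout described in the thread.
config 'zone'
        option 'name'     'cvpn'
        option 'network'  'cvpn'     # bind the zone to the cvpn interface (tun1)
        option 'input'    'REJECT'   # do not expose the router's own services to the VPN side
        option 'output'   'ACCEPT'
        option 'forward'  'REJECT'
        option 'masq'     '1'        # SNAT everything leaving tun1 to 192.168.5.205
        option 'mtu_fix'  '1'        # clamp TCP MSS; tun1 has MTU 1406, the LAN has 1500

# LAN clients may initiate connections into the company network.
config 'forwarding'
        option 'src'  'lan'
        option 'dest' 'cvpn'

# Only keep this if hosts on the company network genuinely need to
# initiate connections to your LAN; with masquerading they can only
# reach the router's VPN address anyway.
config 'forwarding'
        option 'src'  'cvpn'
        option 'dest' 'lan'
```

After editing, apply it with `/etc/init.d/firewall restart`. The trade-off is the one the reply states: with masquerading, every LAN device looks like the single VPN client IP to the company side, so nothing there can address an individual LAN host, which is usually what you want when the LAN is behind a corporate tunnel. A quick check that the rule took effect is `iptables -t nat -L POSTROUTING -v`, where a MASQUERADE rule on tun1 should appear and its packet counter should rise when a LAN client talks to 192.168.22.62.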

The discussion might have continued from here.