quagga wrote:
JW0914 wrote:
This may not be the correct forum for this question... If I connect to the VPN utilizing UDP, which is running on OpenWrt, then SSH into OpenWrt via TCP, does the firewall rule created for SSH need to allow both TCP & UDP?
Flow of Traffic
VPN --udp--> WAN --> OpenWRT VPN Server --> SSH --tcp--> DropBear
Normally you'd have different firewall rules. I don't run OpenVPN on the router; it runs on a server behind the router. However, generally, once you connect to OpenVPN, on the OpenVPN server the outbound connections come out of the "tun" interface. In my case, firewall rules which are applied to my wan interface aren't the same as those applied to my "tun" interface. I don't restrict my tun interface via firewall (although you can). Anything coming out of the interface has already been authenticated through the VPN.
So a better model might be:
VPN --udp--> WAN --> OpenWRT VPN Server --> TUN Interface
SSH --tcp-->TUN Interface of VPN client ---> (through VPN Magic) ---> Out TUN interface of router ---> DropBear
Thanks a bunch, much appreciated =] I was firewalling tun0 as an extra layer of precaution, as I only use it to access my server; however, your setup makes more sense logically.
I've had issues trying to get SSH traffic through if the tun0 interface is selected instead of wan (it's not a firewall issue within fw3/iptables, as disabling the firewall still wouldn't allow a connection to vpn0)... I'm not sure why this is occurring, but my assumption is it's a similar issue to why I've never been able to use the local directive within my OpenVPN config (which you should be able to do). I worked for about a week with two extremely knowledgeable individuals on the OpenVPN forums to try and narrow down why my VPN was set up perfectly, yet I was unable to connect to it... it was finally discovered the local directive was the culprit, but no one within this forum or OpenVPN's knew why this was occurring.
EDIT
Re-reading your post, I saw I misunderstood something...
VPN --udp--> WAN --> OpenWRT VPN Server --> TUN Interface
So, if I'm interpreting this right, I should forward all traffic on the VPN port to the TUN interface:
From any host in wan
To any host in vpn0
then
From IP range 10.*.*.0/27 in tun0 with source MAC ************
To any host, port **** in any zone
(Last edited by JW0914 on 10 Jun 2015, 21:57)
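Added example, not from either poster: an OpenWrt /etc/config/firewall (fw3) fragment that models the layout quagga describes. The OpenVPN UDP port is accepted on the wan zone, tun0 gets its own zone, and SSH to Dropbear is accepted only from that zone; the port 1194, the 10.8.0.0/27 tunnel range and the MAC are assumed placeholders.

```uci
# Assumed placeholders: VPN port 1194, tunnel range 10.8.0.0/27, MAC 00:00:00:00:00:00.

config zone
	option name 'wan'
	option network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

# Separate zone for the tunnel so tun0 traffic is not judged by wan rules.
config zone
	option name 'vpn'
	list device 'tun0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Only the OpenVPN transport (UDP) needs to be open on wan; SSH never
# arrives on wan as TCP, it arrives inside the tunnel.
# A rule with no 'dest' matches traffic to the router itself (INPUT).
config rule
	option name 'Allow-OpenVPN-from-wan'
	option src 'wan'
	option proto 'udp'
	option dest_port '1194'
	option target 'ACCEPT'

# SSH to Dropbear on the router: INPUT from the vpn zone only, TCP only,
# optionally narrowed to the tunnel range and one client MAC.
config rule
	option name 'Allow-SSH-from-vpn'
	option src 'vpn'
	option src_ip '10.8.0.0/27'
	option src_mac '00:00:00:00:00:00'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'
```

Because Dropbear runs on the router, the SSH rule is an input rule on the vpn zone rather than a forward from wan to vpn0; a forwarding entry would only matter for hosts behind the router.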