[Solved]Followed OpenWRT tutorials OpenWRT refuse connection

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by Traffic » Fri Mar 27, 2015 1:12 am

and Michael still found a work around .. :geek:

JW0914
OpenVPN User
Posts: 43
Joined: Sat Mar 14, 2015 6:53 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by JW0914 » Fri Mar 27, 2015 2:51 pm

I don't think this issue arises from it being a trunk image, as someone else using trunk on the wrt 1900ac was able to get their openvpn vpn up and running fine. The individual did say they had the exact same setup and config files as me, however either they didn't have the local directive in their server config, or they had additional config options added in their config files or on OpenWRT (individual never went into detail about their config files).

This is what I find perplexing:

- OpenWRT is setup by default to not forward any traffic from WAN (eth1) to LAN (eth0) and to forward traffic from LAN to WAN
- When adding the tun0 interface and assigning it to firewall zone VPN, forwarding is added to allow traffic from VPN to WAN, VPN to LAN, WAN to VPN, and LAN to VPN, and a rule is added to allow all inbound traffic from any zone to device (the router's internal gateway) on port 1194
- if the local directive is set to the router internal gateway (192.168.1.1) and a connection request comes in on 1194, then the VPN should recognize it since it's been told to listen on 192.168.1.1.

From my understanding, this is the path inbound vpn traffic takes (please correct if wrong):

Inbound Traffic:
WAN --> VPN --> LAN

If that's the way Inbound Traffic is flowing, and the local directive is set, shouldn't the forwarding be VPN to LAN instead of WAN to LAN? If WAN traffic comes in on 1194 and is then forwarded direct to LAN on 1194, then the traffic is completely bypassing the VPN Zone and tun0 interface (or do I have this wrong)?

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by Traffic » Fri Mar 27, 2015 4:42 pm

JW0914 wrote:If WAN traffic comes in on 1194 and is then forwarded direct to LAN on 1194, then the traffic is completely bypassing the VPN Zone and tun0 interface (or do I have this wrong)?
I think you have this wrong ..

Assuming UDP:1194 for OpenVPN with encryption:
  • Packets on port 1194 are encrypted and only require that openWRT passes them to openVPN listening on UDP:1194
    (Regardless of router interface)
  • Once decrypted, packets are pushed out of the tun interface onto the LAN of the router.
    (Provided everything is configured correctly)
This may give you a better picture:
https://community.openvpn.net/openvpn/w ... orks_Linux

Removing the --local directive from openvpn means it will listen on all interfaces, including the WAN and that is the connection you are making .. you do not have a forwarded port from WAN to LAN. What openWRT does with that does not make any sense to me.

=== OpenWRT Attitude Adjustment VS Barrier Breaker ===

As far as I can tell openwrt-BB (and may be CC) does not setup iptables correctly:
  • Attitude Adjustment [Works]
    • uci show firewall:
      • firewall.@redirect[0]=redirect
        firewall.@redirect[0].name=OVPN-PFWD-U64021
        firewall.@redirect[0].target=DNAT
        firewall.@redirect[0].src=wan
        firewall.@redirect[0].dest=lan
        firewall.@redirect[0].proto=udp
        firewall.@redirect[0].dest_ip=10.1.101.21 #<-- Destination for forward
        firewall.@redirect[0].dest_port=64021
    • iptables rule:
      • root@OpenWrt21:~# iptables-save|grep 640
        -A zone_wan_prerouting -p udp -j DNAT --to-destination 10.1.101.21:64021
        -A zone_wan -d 10.1.101.21/32 -p udp -m udp --dport 64021 -m conntrack --ctstate DNAT -j ACCEPT
    • Process:
      • root@OpenWrt21:~# openvpn --version
        OpenVPN 2.2.2 i486-openwrt-linux [SSL] [LZO2] [EPOLL] built on Oct 25 2012
        Originally developed by James Yonan
        Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>

        netstat -antup|grep openvpn
        udp 0 0 10.1.101.21:64021 0.0.0.0:* 1338/openvpn

    Barrier Breaker [Does not work] :shock: :ROFL:
    • uci show firewall:
      • firewall.@redirect[0]=redirect
        firewall.@redirect[0].name=OVPN-PFWD-U64022
        firewall.@redirect[0].target=DNAT
        firewall.@redirect[0].src=wan
        firewall.@redirect[0].dest=lan
        firewall.@redirect[0].proto=udp
        firewall.@redirect[0].dest_ip=10.1.101.22 #<-- Destination for forward
        firewall.@redirect[0].dest_port=64022
    • iptables rule:
      • root@OpenWrt22:~# iptables-save |grep 640
        -A zone_wan_prerouting -p udp -m udp --dport 64022 -m comment --comment OVPN-PFWD-U64022 -j REDIRECT --to-ports 64022

        root@OpenWrt22:~# iptables-save |grep 10.1.101.22 #<-- Destination for forward
        {zero matches}
    • Process:
      • root@OpenWrt22:~# openvpn --version
        OpenVPN 2.3.6 i486-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan 6 2015
        library versions: OpenSSL 1.0.2a 19 Mar 2015, LZO 2.08
        Originally developed by James Yonan
        Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>

        netstat -antup|grep openvpn
        udp 0 0 10.1.101.22:64022 0.0.0.0:* 1591/openvpn
    BB only port-forward/redirects (or whatever it wants to call it!) to a different port not host.
  1. Note: All this is done using the GUI interface, i am not going to bother learning a language for a router OS.
    Especially with such glaring errors and no up to date documentation!
  2. Note: BB has another input field: Traffic Rules/new forward rule but I have given up on this for now.

JW0914
OpenVPN User
Posts: 43
Joined: Sat Mar 14, 2015 6:53 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by JW0914 » Fri Mar 27, 2015 4:57 pm

Thanks for the link, it explained it quite nicely =]

I know from using pivot overlay on Chaos Calmer that configuration differs from both AA and BB (one example is overlay must be configured as 'overlay' not '/overlay'), and I've seen many other differences in other config files; all of which leads me to believe some configuration option is missing in CC for either openvpn or iptables.

Unfortunately, you ran into the same issue I ran into where all information on OpenWRT is dated by several years and while some parts are applicable to CC, many are not (quite frustrating when you're trying to learn how to do something lol). Since I know all tutorials are written by another user who was nice enough, and probably took quite a bit of time to write up a tutorial, I try to add notes where applicable in OpenWRT wikis when I find something needs to be altered to fit for CC.

From the research you were able to do, do I have a correct interpretation that if I add the iptables rules as shown in AA that I may be able to get the VPN to work with the local directive?

Also, is having the local directive worth it? Is there a security reason for it, or is it just user preference?

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by Traffic » Fri Mar 27, 2015 6:27 pm

I like openwrt but I have no need for it at this time .. but I did learn a lot from this. 8-)
JW0914 wrote:if I add the iptables rules as shown in AA that I may be able to get the VPN to work with the local directive?
Possibly .. but I tried a backup AA / restore to BB = Brick (not surprising) restore settings at your own risk !
JW0914 wrote:is having the local directive worth it? Is there a security reason for it, or is it just user preference?
Bit of both ..

I suspect, if you NAT correctly to the internet you should be ok .. but I would prefer it be on the LAN not WAN.

If i get time I will probably come back to this sometime next week .. maybe we can find a solution !
I am sure there must be a way to configure using openwrt GUI to do a port-forward (not a port redirect).

JW0914
OpenVPN User
Posts: 43
Joined: Sat Mar 14, 2015 6:53 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by JW0914 » Fri Mar 27, 2015 6:33 pm

Traffic wrote:Possibly .. but I tried a backup AA / restore to BB = Brick (not surprising) restore settings at your own risk !
The WRT 1900ac is only compatible with Chaos Calmer (it was only 3 months ago that Linksys [Belkin] finally released the opensource radio drivers (only a year after launch)).
Traffic wrote:I suspect, if you NAT correctly to the internet you should be ok .. but I would prefer it be on the LAN not WAN.

I am sure there must be a way to configure using openwrt GUI to do a port-forward (not a port redirect).
I would prefer it to be on the LAN as well. For advanced firewall rules, I prefer uci to be able to use iptables, and will try adding the AA rule tonight to see if it makes a difference.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by Traffic » Fri Mar 27, 2015 6:51 pm

Notice how considerable a change this is:

AA: Network=Firewall=Port.Forwards (Forward an external port to another host)
  • eg: -A zone_wan_prerouting -p udp -j DNAT --to-destination 10.1.101.21:64021

BB: Network=Firewall=Port.Forwards (Only forward a port to another port on this host)
  • eg: -A zone_wan_prerouting -p udp -m udp --dport 64022 -m comment --comment OVPN-PFWD-U64022 -j REDIRECT --to-ports 64022

    Note: -j REDIRECT
    • Note that the REDIRECT target is only valid within the PREROUTING and OUTPUT chains of the nat table. It is also valid within user-defined chains that are only called from those chains, and nowhere else. The REDIRECT target takes only one option, as described below.
      https://www.frozentux.net/iptables-tuto ... RECTTARGET
      Table 11-13. REDIRECT target options
      • Option --to-ports
      BB: Network=Firewall=Port.Forwards != PortForward and cannot due to limitation of iptables.

      May be frozentux is wrong .. :roll:
No doubt there is a simple(ish) fix using custom iptables rules but Port-Forward is an internet basic
and openwrt:BB has totally (and possibly deliberately) bugged it up.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by Traffic » Fri Mar 27, 2015 8:53 pm

hmm ..

BB

Now iptables shows this:

Code:

root@OpenWrt22:~# iptables-save|grep 640 # same as before
-A PREROUTING -i eth1 -p udp -m udp --dport 64022 -j DNAT --to-destination 10.1.101.22:64022
-A zone_wan_prerouting -p udp -m comment --comment OVPN-PFWD-U64022 -j REDIRECT --to-ports 64022
-A FORWARD -d 10.1.101.22/32 -p udp -m udp --dport 64022 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
root@OpenWrt22:~#

inexplicably

and openvpn has connected on the LAN ip via port-forward ..

FYI:

Code:

root@OpenWrt22:~#
root@OpenWrt22:~# uci show
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded=1
dhcp.@dnsmasq[0].boguspriv=1
dhcp.@dnsmasq[0].filterwin2k=0
dhcp.@dnsmasq[0].localise_queries=1
dhcp.@dnsmasq[0].rebind_protection=1
dhcp.@dnsmasq[0].rebind_localhost=1
dhcp.@dnsmasq[0].local=/lan/
dhcp.@dnsmasq[0].domain=lan
dhcp.@dnsmasq[0].expandhosts=1
dhcp.@dnsmasq[0].nonegcache=0
dhcp.@dnsmasq[0].authoritative=1
dhcp.@dnsmasq[0].readethers=1
dhcp.@dnsmasq[0].leasefile=/tmp/dhcp.leases
dhcp.@dnsmasq[0].resolvfile=/tmp/resolv.conf.auto
dhcp.lan=dhcp
dhcp.lan.interface=lan
dhcp.lan.start=100
dhcp.lan.limit=150
dhcp.lan.leasetime=12h
dhcp.wan=dhcp
dhcp.wan.interface=wan
dhcp.wan.ignore=1
dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].PasswordAuth=on
dropbear.@dropbear[0].Interface=lan
dropbear.@dropbear[0].Port=22
firewall.@rule[0]=rule
firewall.@rule[0].name=Allow-DHCP-Renew
firewall.@rule[0].src=wan
firewall.@rule[0].proto=udp
firewall.@rule[0].dest_port=68
firewall.@rule[0].target=ACCEPT
firewall.@rule[0].family=ipv4
firewall.@rule[1]=rule
firewall.@rule[1].name=Allow-Ping
firewall.@rule[1].src=wan
firewall.@rule[1].proto=icmp
firewall.@rule[1].icmp_type=echo-request
firewall.@rule[1].family=ipv4
firewall.@rule[1].target=ACCEPT
firewall.@rule[2]=rule
firewall.@rule[2].name=Allow-DHCPv6
firewall.@rule[2].src=wan
firewall.@rule[2].proto=udp
firewall.@rule[2].src_ip=fe80::/10
firewall.@rule[2].src_port=547
firewall.@rule[2].dest_ip=fe80::/10
firewall.@rule[2].dest_port=546
firewall.@rule[2].family=ipv6
firewall.@rule[2].target=ACCEPT
firewall.@rule[3]=rule
firewall.@rule[3].name=Allow-ICMPv6-Input
firewall.@rule[3].src=wan
firewall.@rule[3].proto=icmp
firewall.@rule[3].icmp_type=echo-request echo-reply destination-unreachable packet-too-big time-exceeded bad-header unknown-header-type router-solicitation neighbour-solicitation router-advertisement neighbour-advertisement
firewall.@rule[3].limit=1000/sec
firewall.@rule[3].family=ipv6
firewall.@rule[3].target=ACCEPT
firewall.@rule[4]=rule
firewall.@rule[4].name=Allow-ICMPv6-Forward
firewall.@rule[4].src=wan
firewall.@rule[4].dest=*
firewall.@rule[4].proto=icmp
firewall.@rule[4].icmp_type=echo-request echo-reply destination-unreachable packet-too-big time-exceeded bad-header unknown-header-type
firewall.@rule[4].limit=1000/sec
firewall.@rule[4].family=ipv6
firewall.@rule[4].target=ACCEPT
firewall.@rule[5]=rule
firewall.@rule[5].target=ACCEPT
firewall.@rule[5].src=wan
firewall.@rule[5].proto=udp
firewall.@rule[5].dest_port=64022
firewall.@rule[5].name=OVPN_OPEN
firewall.@rule[5].family=ipv4
firewall.@rule[5].dest=wan
firewall.@rule[5].dest_ip=172.17.2.22
firewall.@rule[5].enabled=0
firewall.@rule[6]=rule
firewall.@rule[6].name=OVPN_FRWD
firewall.@rule[6].dest_ip=10.1.101.22
firewall.@rule[6].dest_port=64022
firewall.@rule[6].family=ipv4
firewall.@rule[6].proto=udp
firewall.@rule[6].src=*
firewall.@rule[6].dest=*
firewall.@rule[6].target=ACCEPT
firewall.@rule[6].enabled=0
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood=1
firewall.@defaults[0].input=ACCEPT
firewall.@defaults[0].output=ACCEPT
firewall.@defaults[0].forward=ACCEPT
firewall.@zone[0]=zone
firewall.@zone[0].name=lan
firewall.@zone[0].network=lan
firewall.@zone[0].input=ACCEPT
firewall.@zone[0].output=ACCEPT
firewall.@zone[0].family=ipv4
firewall.@zone[0].log=1
firewall.@zone[0].forward=ACCEPT
firewall.@zone[1]=zone
firewall.@zone[1].name=wan
firewall.@zone[1].network=wan
firewall.@zone[1].output=ACCEPT
firewall.@zone[1].mtu_fix=1
firewall.@zone[1].family=ipv4
firewall.@zone[1].log=1
firewall.@zone[1].input=ACCEPT
firewall.@zone[1].forward=ACCEPT
firewall.@include[0]=include
firewall.@include[0].path=/etc/firewall.user
firewall.@redirect[0]=redirect
firewall.@redirect[0].target=DNAT
firewall.@redirect[0].src=wan
firewall.@redirect[0].dest=lan
firewall.@redirect[0].proto=udp
firewall.@redirect[0].dest_ip=10.1.101.22
firewall.@redirect[0].name=OVPN-PFWD-U64022
firewall.@redirect[0].dest_port=64022
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest=lan
firewall.@forwarding[0].src=wan
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest=wan
firewall.@forwarding[1].src=lan
luci.main=core
luci.main.lang=auto
luci.main.resourcebase=/luci-static/resources
luci.main.mediaurlbase=/luci-static/bootstrap
luci.flash_keep=extern
luci.flash_keep.uci=/etc/config/
luci.flash_keep.dropbear=/etc/dropbear/
luci.flash_keep.openvpn=/etc/openvpn/
luci.flash_keep.passwd=/etc/passwd
luci.flash_keep.opkg=/etc/opkg.conf
luci.flash_keep.firewall=/etc/firewall.user
luci.flash_keep.uploads=/lib/uci/upload/
luci.languages=internal
luci.sauth=internal
luci.sauth.sessionpath=/tmp/luci-sessions
luci.sauth.sessiontime=3600
luci.ccache=internal
luci.ccache.enable=1
luci.themes=internal
luci.themes.Bootstrap=/luci-static/bootstrap
network.loopback=interface
network.loopback.ifname=lo
network.loopback.proto=static
network.loopback.ipaddr=127.0.0.1
network.loopback.netmask=255.0.0.0
network.lan=interface
network.lan.ifname=eth0
network.lan.proto=dhcp
network.lan.defaultroute=0
network.lan.delegate=0
network.wan=interface
network.wan.proto=dhcp
network.wan.ifname=eth1
network.wan.delegate=0
openvpn.custom_config=openvpn
openvpn.custom_config.enabled=1
openvpn.custom_config.config=/etc/openvpn/simples/simples22.conf
openvpn.sample_server=openvpn
openvpn.sample_server.enabled=0
openvpn.sample_server.port=1194
openvpn.sample_server.proto=udp
openvpn.sample_server.dev=tun
openvpn.sample_server.ca=/etc/openvpn/ca.crt
openvpn.sample_server.cert=/etc/openvpn/server.crt
openvpn.sample_server.key=/etc/openvpn/server.key
openvpn.sample_server.dh=/etc/openvpn/dh1024.pem
openvpn.sample_server.server=10.8.0.0 255.255.255.0
openvpn.sample_server.ifconfig_pool_persist=/tmp/ipp.txt
openvpn.sample_server.keepalive=10 120
openvpn.sample_server.comp_lzo=yes
openvpn.sample_server.persist_key=1
openvpn.sample_server.persist_tun=1
openvpn.sample_server.status=/tmp/openvpn-status.log
openvpn.sample_server.verb=3
openvpn.sample_client=openvpn
openvpn.sample_client.enabled=0
openvpn.sample_client.client=1
openvpn.sample_client.dev=tun
openvpn.sample_client.proto=udp
openvpn.sample_client.remote=my_server_1 1194
openvpn.sample_client.resolv_retry=infinite
openvpn.sample_client.nobind=1
openvpn.sample_client.persist_key=1
openvpn.sample_client.persist_tun=1
openvpn.sample_client.ca=/etc/openvpn/ca.crt
openvpn.sample_client.cert=/etc/openvpn/client.crt
openvpn.sample_client.key=/etc/openvpn/client.key
openvpn.sample_client.comp_lzo=yes
openvpn.sample_client.verb=3
system.@system[0]=system
system.@system[0].zonename=UTC
system.@system[0].timezone=GMT0
system.@system[0].conloglevel=8
system.@system[0].cronloglevel=8
system.@system[0].hostname=OpenWrt22
system.ntp=timeserver
system.ntp.enabled=1
system.ntp.server=10.1.101.101
ucitrack.@network[0]=network
ucitrack.@network[0].init=network
ucitrack.@network[0].affects=dhcp radvd
ucitrack.@wireless[0]=wireless
ucitrack.@wireless[0].affects=network
ucitrack.@firewall[0]=firewall
ucitrack.@firewall[0].init=firewall
ucitrack.@firewall[0].affects=luci-splash qos miniupnpd
ucitrack.@olsr[0]=olsr
ucitrack.@olsr[0].init=olsrd
ucitrack.@dhcp[0]=dhcp
ucitrack.@dhcp[0].init=dnsmasq
ucitrack.@dropbear[0]=dropbear
ucitrack.@dropbear[0].init=dropbear
ucitrack.@httpd[0]=httpd
ucitrack.@httpd[0].init=httpd
ucitrack.@fstab[0]=fstab
ucitrack.@fstab[0].init=fstab
ucitrack.@qos[0]=qos
ucitrack.@qos[0].init=qos
ucitrack.@system[0]=system
ucitrack.@system[0].init=led
ucitrack.@system[0].affects=luci_statistics
ucitrack.@luci_splash[0]=luci_splash
ucitrack.@luci_splash[0].init=luci_splash
ucitrack.@upnpd[0]=upnpd
ucitrack.@upnpd[0].init=miniupnpd
ucitrack.@ntpclient[0]=ntpclient
ucitrack.@ntpclient[0].init=ntpclient
ucitrack.@samba[0]=samba
ucitrack.@samba[0].init=samba
ucitrack.@tinyproxy[0]=tinyproxy
ucitrack.@tinyproxy[0].init=tinyproxy
uhttpd.main=uhttpd
uhttpd.main.listen_http=0.0.0.0:80
uhttpd.main.listen_https=0.0.0.0:443
uhttpd.main.home=/www
uhttpd.main.rfc1918_filter=1
uhttpd.main.max_requests=3
uhttpd.main.max_connections=100
uhttpd.main.cert=/etc/uhttpd.crt
uhttpd.main.key=/etc/uhttpd.key
uhttpd.main.cgi_prefix=/cgi-bin
uhttpd.main.script_timeout=60
uhttpd.main.network_timeout=30
uhttpd.main.http_keepalive=20
uhttpd.main.tcp_keepalive=1
uhttpd.main.ubus_prefix=/ubus
uhttpd.px5g=cert
uhttpd.px5g.days=730
uhttpd.px5g.bits=1024
uhttpd.px5g.country=DE
uhttpd.px5g.state=Berlin
uhttpd.px5g.location=Berlin
uhttpd.px5g.commonname=OpenWrt
root@OpenWrt22:~#

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by Traffic » Sat Mar 28, 2015 4:46 pm

This is what you need to Port-forward WAN->LAN to OpenVPN with --local lan.ip.add:
  • OpenWRT ifconfig:
    • Code:

      eth0      Link encap:Ethernet  HWaddr 08:00:27:C7:3D:C3
                inet addr:10.1.101.22  Bcast:10.1.101.255  Mask:255.255.255.0
                inet6 addr: fe80::a00:27ff:fec7:3dc3/64 Scope:Link
                UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                RX packets:25021 errors:0 dropped:0 overruns:0 frame:0
                TX packets:25367 errors:0 dropped:0 overruns:0 carrier:0
                collisions:0 txqueuelen:1000
                RX bytes:2352906 (2.2 MiB)  TX bytes:12881206 (12.2 MiB)
      
      eth1      Link encap:Ethernet  HWaddr 08:00:27:7C:58:A2
                inet addr:172.17.2.22  Bcast:172.17.2.255  Mask:255.255.255.0
                inet6 addr: fe80::a00:27ff:fe7c:58a2/64 Scope:Link
                UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                RX packets:3537 errors:0 dropped:0 overruns:0 frame:0
                TX packets:1306 errors:0 dropped:0 overruns:0 carrier:0
                collisions:0 txqueuelen:1000
                RX bytes:310351 (303.0 KiB)  TX bytes:173020 (168.9 KiB)
    OpenVPN server config:
    • Code:

      local 10.1.101.22
      proto udp
      port 64022
    Firewall - Custom Rules:
    • Code:

      iptables -t nat -A PREROUTING -p udp -i eth1 --dport 64022 -j DNAT --to-destination 10.1.101.22:64022

This is why the normal Port Forward does not work:
    • Code:

      root@OpenWrt22:~# uci show firewall.@redirect[0]
      firewall.cfg183837=redirect
      firewall.cfg183837.target=DNAT
      firewall.cfg183837.src=wan
      firewall.cfg183837.dest=lan
      firewall.cfg183837.proto=udp
      firewall.cfg183837.src_dport=64022
      firewall.cfg183837.dest_ip=10.1.101.22
      firewall.cfg183837.dest_port=64022
      firewall.cfg183837.name=OVPN_PFWD_U64022
      

      Code:

      root@OpenWrt22:~# /etc/init.d/firewall restart
      Warning: Unable to locate ipset utility, disabling ipset support
      Warning: Section @redirect[0] (OVPN_PFWD_U64022) refers to a destination address on this router, assuming port redirection
      
    This Port Forward rule works:
    • Code:

      root@OpenWrt22:~# uci show firewall.@redirect[1]
      firewall.cfg1a3837=redirect
      firewall.cfg1a3837.target=DNAT
      firewall.cfg1a3837.src=wan
      firewall.cfg1a3837.dest=lan
      firewall.cfg1a3837.proto=udp
      firewall.cfg1a3837.src_dport=64023
      firewall.cfg1a3837.dest_ip=10.1.101.101
      firewall.cfg1a3837.dest_port=64023
      firewall.cfg1a3837.name=OVPN_PFWD_U64023
      
I would say that is solved :mrgreen:
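As an added example (written for this page, not code from either poster or from OpenWrt), a small POSIX shell script that applies the check Traffic walks through in the AA-vs-BB comparison and in the post above: it classifies what `iptables-save` shows for a forwarded port (a real DNAT to a host, or only a same-host REDIRECT that never reaches the LAN address OpenVPN is bound to) and prints the PREROUTING DNAT rule for /etc/firewall.user. The sample rule lines are copied from the thread's own output; the WAN interface, LAN IP and port are passed as arguments, so nothing about the reader's router is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies what an OpenWrt "Port Forward"
# actually produced in the nat table and prints the custom DNAT rule Traffic used.
# Sample rule lines below are copied from the thread's iptables-save output.

# classify_forward PORT IPTABLES_SAVE_TEXT
#   prints "dnat:<host:port>"  when a DNAT --to-destination for that port exists
#          "redirect:<port>"   when only a same-host REDIRECT --to-ports exists
#          "none"              otherwise
classify_forward() {
    port="$1"
    rules="$2"
    # A trailing space is appended to every line so ":6402 " cannot match port 64022.
    dst=$(printf '%s\n' "$rules" | sed 's/$/ /' \
        | sed -n "s/.*-j DNAT --to-destination \([0-9.]*:${port}\) .*/\1/p" | head -n 1)
    if [ -n "$dst" ]; then
        echo "dnat:$dst"
        return 0
    fi
    red=$(printf '%s\n' "$rules" | sed 's/$/ /' \
        | sed -n "s/.*-j REDIRECT --to-ports \(${port}\) .*/\1/p" | head -n 1)
    if [ -n "$red" ]; then
        echo "redirect:$red"
        return 0
    fi
    echo "none"
}

# dnat_rule WAN_IF LAN_IP PORT
#   prints the PREROUTING rule from the thread for /etc/firewall.user, so that
#   OpenVPN bound with "local LAN_IP" receives packets arriving on the WAN interface
dnat_rule() {
    printf 'iptables -t nat -A PREROUTING -p udp -i %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$1" "$3" "$2" "$3"
}

# Constructed samples: the Attitude Adjustment and Barrier Breaker lines quoted in the thread
AA_RULES='-A zone_wan_prerouting -p udp -j DNAT --to-destination 10.1.101.21:64021
-A zone_wan -d 10.1.101.21/32 -p udp -m udp --dport 64021 -m conntrack --ctstate DNAT -j ACCEPT'
BB_RULES='-A zone_wan_prerouting -p udp -m udp --dport 64022 -m comment --comment OVPN-PFWD-U64022 -j REDIRECT --to-ports 64022'

echo "AA 64021: $(classify_forward 64021 "$AA_RULES")"   # dnat:10.1.101.21:64021
echo "BB 64022: $(classify_forward 64022 "$BB_RULES")"   # redirect:64022
echo "Fix for BB:"
dnat_rule eth1 10.1.101.22 64022
```

On a live router, feed it the real table: `classify_forward 64022 "$(iptables-save -t nat)"`; a result of `redirect:` means the GUI rule only rewrote the port and the packets will never reach the LAN address OpenVPN is listening on.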

JW0914
OpenVPN User
Posts: 43
Joined: Sat Mar 14, 2015 6:53 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by JW0914 » Sun Mar 29, 2015 5:48 pm

I can't verify for sure yet as I think the connection is being refused due to a large data transfer that I'm currently doing between my PC and NAS server (~1.5TB).

The exact error I'm getting with UDP is:

Connection reset by peer (WSAECONNRESET) (code=10054)

A few posts I've come across referencing that error code say it's due to a bad connection, and I've been having timeout issues with Xbox Live and utilizing LuCI and uci during this transfer.

More likely than not, due to the slower write speed with ZFS10, the transfer probably won't complete until tomorrow. Will post whether I'm able to get this to work when the transfer is done.

JW0914
OpenVPN User
Posts: 43
Joined: Sat Mar 14, 2015 6:53 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by JW0914 » Sun Mar 29, 2015 6:53 pm

This Port Forward rule works:
root@OpenWrt22:~# uci show firewall.@redirect[1]
firewall.cfg1a3837=redirect
firewall.cfg1a3837.target=DNAT
firewall.cfg1a3837.src=wan
firewall.cfg1a3837.dest=lan
firewall.cfg1a3837.proto=udp
firewall.cfg1a3837.src_dport=64023
firewall.cfg1a3837.dest_ip=10.1.101.101
firewall.cfg1a3837.dest_port=64023
firewall.cfg1a3837.name=OVPN_PFWD_U64023
What is .101 pointing to, as in your config is listed as NTP server?

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by Traffic » Sun Mar 29, 2015 7:13 pm

JW0914 wrote:What is .101 pointing to, as in your config is listed as NTP server?
answered your own question there 8-)

JW0914
OpenVPN User
Posts: 43
Joined: Sat Mar 14, 2015 6:53 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by JW0914 » Sun Mar 29, 2015 7:16 pm

Traffic wrote:
JW0914 wrote:What is .101 pointing to, as in your config is listed as NTP server?
answered your own question there 8-)
You listed a forwarding rule to that address... I can't replicate that rule without knowing what it's pointing to. In other words, it's pointing to an interface or device on your network.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by Traffic » Sun Mar 29, 2015 7:19 pm

JW0914 wrote:I can't replicate that rule without knowing what it's pointing to
sure you can .. use a pc on your network.
JW0914 wrote: In other words, it's pointing to an interface or device on your network.
Traffic wrote:OpenWRT ifconfig:

Code:

eth0      Link encap:Ethernet  HWaddr 08:00:27:C7:3D:C3
              inet addr:10.1.101.22  Bcast:10.1.101.255  Mask:255.255.255.0
              inet6 addr: fe80::a00:27ff:fec7:3dc3/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:25021 errors:0 dropped:0 overruns:0 frame:0
              TX packets:25367 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:2352906 (2.2 MiB)  TX bytes:12881206 (12.2 MiB)

    eth1      Link encap:Ethernet  HWaddr 08:00:27:7C:58:A2
              inet addr:172.17.2.22  Bcast:172.17.2.255  Mask:255.255.255.0
              inet6 addr: fe80::a00:27ff:fe7c:58a2/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:3537 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1306 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:310351 (303.0 KiB)  TX bytes:173020 (168.9 KiB)

JW0914
OpenVPN User
Posts: 43
Joined: Sat Mar 14, 2015 6:53 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by JW0914 » Sun Mar 29, 2015 7:31 pm

Traffic wrote:sure you can .. use a pc on your network.
I interpreted your post to mean that forwarding rule was required to make the local directive work, perhaps that's not what you meant?

As it stands, those rules do not allow for a vpn client to connect to the vpn server while the local directive is set with a value of the LAN IP at eth0. I've verified it's not the file transfer, as removing the local directive permits traffic, while re-adding it blocks traffic.

Sun Mar 29 14:30:16 2015 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
This does appear to be an issue with the way iptables routes data on openwrt, as openwrt (at least with kernel 3.18 on CC) doesn't use an actual iptables configuration file to set rules; it simplifies rule making by taking the rules set within the gui and applying them retroactively, flushing all iptables values upon router reboot or firewall restart (which is why all custom iptables commands must be saved in the firewall.user file, which is applied every time the firewall is started or restarted).

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by Traffic » Sun Mar 29, 2015 7:44 pm

JW0914 wrote:I interpreted your post to mean that forwarding rule was required to make the local directive work, perhaps that's not what you meant?
Read it again .. that rule is an example of a working port-forward only.
With explanation and example as to why a local port-forward does not work ..

If you have a vanilla install of OpenWRT Barrier Breaker (which you do not)
that custom rule (customised for your own personal LAN)
will allow you to use --local lan.ip.address in OpenVPN.

JW0914
OpenVPN User
Posts: 43
Joined: Sat Mar 14, 2015 6:53 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by JW0914 » Sun Mar 29, 2015 7:57 pm

This thread was never about BB, but CC... That comment is like saying "well such and such worked on Windows Vista" while talking about Windows 8.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by Traffic » Sun Mar 29, 2015 8:20 pm

This forum is for openVPN not openWRT ..

That custom command is for iptables .. not openWRT ..

I have also explained that openWRT does something unexpected ..
I have provided the example for you to replicate the check for yourself ..
Traffic wrote:Code:
root@OpenWrt22:~# /etc/init.d/firewall restart
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section @redirect[0] (OVPN_PFWD_U64022) refers to a destination address on this router, assuming port redirection
JW0914 wrote:This thread was never about BB, but CC
which you only realised after I politely asked you ..
Traffic wrote:I am using openwrt x86-generic-ext4 (VM)
You are using ARM ...

I need to confirm: which version of openwrt you use .. AA or BB ?

thanks
Last edited by Traffic on Sun Mar 29, 2015 8:22 pm, edited 1 time in total.

JW0914
OpenVPN User
Posts: 43
Joined: Sat Mar 14, 2015 6:53 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by JW0914 » Sun Mar 29, 2015 8:22 pm

I'm not going to argue with you.

Have a great day

Please close the thread

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by Traffic » Sun Mar 29, 2015 8:27 pm

Please read and understand the information provided:
post50818.html#p50818

This is what you need to Port-forward OpenWRT-BB: WAN->LAN

Which allows the use of OpenVPN with --local lan.ip.add

Note: Michael found the work around to your problem ..
