[Solved]Followed OpenWRT tutorials OpenWRT refuse connection

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Followed OpenWRT OpenVPN tutorials OpenWRT refuse connec

Post by maikcat » Tue Mar 24, 2015 6:06 pm

So, the removal of the local directive did help?

If your setup works now please let me know so I can mark this as solved..

Michael.

JW0914
OpenVPN User
Posts: 43
Joined: Sat Mar 14, 2015 6:53 am

Re: Followed OpenWRT OpenVPN tutorials OpenWRT refuse connec

Post by JW0914 » Tue Mar 24, 2015 6:10 pm

Yeah works flawlessly now, both on Windows as well as Android.

I'm a bit perplexed why every tutorial I came across said to add that (actually all the tutorials on OpenWRT for tun) and why it prevented clients from communicating with the VPN.

JW0914
OpenVPN User
Posts: 43
Joined: Sat Mar 14, 2015 6:53 am

Re: Followed OpenWRT OpenVPN tutorials OpenWRT refuse connec

Post by JW0914 » Tue Mar 24, 2015 11:19 pm

I came across a webpage tutorial a few days ago on how to configure multiple VPN servers, but I forgot to bookmark it and was wondering if either of you could please shoot me in the right direction on where to look.

What I want to accomplish:

1. Private VPN (only accessible by me) of which I have setup at 10.10.10.0/24
2. A separate VPN subnet that only has access to one local IP (192.168.200.23, a NAS server)

Current Network Config

LAN: 192.168.200.1
VPN (me only, already assigned and running): 10.10.10.0/24
VPN (NAS Server; LAN IP 192.168.200.23; not assigned yet): 10.10.0.0


I remember seeing there were two ways of doing it, one via separate conf files the main openvpn config points to, or by using "route" in the main openvpn config file. Is one way better than the other in walling off users for the NAS Server from all other LAN devices?

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by maikcat » Wed Mar 25, 2015 10:32 am

JW0914 wrote: I remember seeing there were two ways of doing it, one via separate conf files the main openvpn config points to, or by using "route" in the main openvpn config file.
I would also suggest 2 possible setups:

1) create a second openvpn instance on your router (which btw I am not aware if it can do it)

or

2) use iptables to allow or deny traffic between the relevant endpoints

in the first case you do need another port and a way to block others from connecting

and in second case you do need to configure iptables correctly...

if you do not need anything else i will close this thread now.

Michael.
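
Added example, not code from the thread or from OpenWrt: a first-match model of the FORWARD policy maikcat's second option implies, using the thread's addresses (NAS 192.168.200.23, NAS-only VPN 10.10.0.0/24, owner's VPN 10.10.10.0/24). It shows the two things "configure iptables correctly" means here: the NAS ACCEPT must precede the LAN DROP, and both must sit ahead of fw3's own vpn->lan zone rule, otherwise the restriction is shadowed. The rendered lines assume fw3's `forwarding_rule` user chain (the one /etc/firewall.user's header comment points at) and a fw3 ESTABLISHED,RELATED rule for the NAS's replies; both are assumptions about fw3, not facts from the thread.

```python
import ipaddress

# Addressing from the thread: LAN 192.168.200.0/24 with the NAS at .23, the
# owner's VPN on 10.10.10.0/24 and the NAS-only VPN on 10.10.0.0/24 (the
# openvpn route line in the thread uses a /24 for it).
LAN, NAS = "192.168.200.0/24", "192.168.200.23/32"
PRIVATE_VPN, NAS_VPN = "10.10.10.0/24", "10.10.0.0/24"


def rule(src, dst, target, managed=False):
    """One FORWARD-chain entry; managed=True marks a rule fw3 generates itself
    from the uci zone forwardings, which firewall.user must not duplicate."""
    return {"src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "target": target, "managed": managed}


# fw3's own rule for JW0914's "forwarding vpn -> lan/wan" zones, modelled as one
# catch-all for the whole 10.10.0.0/16 VPN range (constructed simplification).
ZONE_VPN_FORWARD = rule("10.10.0.0/16", "0.0.0.0/0", "ACCEPT", managed=True)

# Correct order: the NAS-specific ACCEPT, then the DROP for the rest of the LAN,
# both ahead of the permissive zone rule. Replies from the NAS back to the VPN
# client are matched by fw3's ESTABLISHED,RELATED rule (assumption) and need no
# entry here.
FORWARD_OK = [
    rule(NAS_VPN, NAS, "ACCEPT"),
    rule(NAS_VPN, LAN, "DROP"),
    rule(PRIVATE_VPN, LAN, "ACCEPT"),
    ZONE_VPN_FORWARD,
]

# What a plain `iptables -A FORWARD ...` in firewall.user gives you: fw3 has
# already placed its zone rule, so the restriction lands after it and is never
# reached for vpn->lan traffic.
FORWARD_SHADOWED = [ZONE_VPN_FORWARD] + FORWARD_OK[:3]


def verdict(chain, src_ip, dst_ip):
    """First-match evaluation, as iptables does. The fallback is the chain
    policy; JW0914's uci defaults set forward=REJECT."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in chain:
        if s in r["src"] and d in r["dst"]:
            return r["target"]
    return "REJECT"


def firewall_user_lines(chain):
    """Render the non-managed rules as /etc/firewall.user lines. Assumption:
    they go into fw3's 'forwarding_rule' user chain, which fw3 consults before
    the zone policies, so the order above is what the kernel evaluates."""
    return ["iptables -A forwarding_rule -s %s -d %s -j %s"
            % (r["src"], r["dst"], r["target"])
            for r in chain if not r["managed"]]


if __name__ == "__main__":
    checks = (("10.10.0.5", "192.168.200.23"),   # NAS-only client -> NAS
              ("10.10.0.5", "192.168.200.15"),   # NAS-only client -> other LAN host
              ("10.10.10.6", "192.168.200.15"))  # owner's client -> other LAN host
    for name, chain in (("correct order", FORWARD_OK), ("shadowed", FORWARD_SHADOWED)):
        print(name)
        for src, dst in checks:
            print("  %s -> %s : %s" % (src, dst, verdict(chain, src, dst)))
    print("\n".join(firewall_user_lines(FORWARD_OK)))
```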

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by Traffic » Wed Mar 25, 2015 11:09 am

Prior to closure:
JW0914, would you mind posting your working "uci show" (at least for network + firewall)?

So that others (like me) can try to figure out what we did wrong - thanks 8-)

BTW: I am not sure removing --local is a solution as I did have it working correctly at one stage ..
I am trying to retrace my steps :cry:

JW0914
OpenVPN User
Posts: 43
Joined: Sat Mar 14, 2015 6:53 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by JW0914 » Thu Mar 26, 2015 12:21 am

uci show openvpn
openvpn.privatevpn=openvpn
openvpn.privatevpn.enabled=1
openvpn.privatevpn.dev=tun
openvpn.privatevpn.proto=tcp
openvpn.privatevpn.server=10.10.10.0 255.255.255.0
openvpn.privatevpn.route=10.10.0.0 255.255.255.0
openvpn.privatevpn.port=1940
openvpn.privatevpn.keepalive=10 120
openvpn.privatevpn.push=route 192.168.200.0 255.255.255.0 dhcp-option DNS 192.168
openvpn.privatevpn.ca=/etc/openvpn/keys/PrivateVPN/ca.crt
openvpn.privatevpn.cert=/etc/openvpn/keys/PrivateVPN/OpenWRT-VPNserver.crt
openvpn.privatevpn.key=/etc/openvpn/keys/PrivateVPN/OpenWRT-VPNserver.key
openvpn.privatevpn.dh=/etc/openvpn/keys/PrivateVPN/dh2048.pem
openvpn.privatevpn.tls_auth=/etc/openvpn/keys/PrivateVPN/ta.key 0
openvpn.privatevpn.ifconfig_pool_persist=/etc/openvpn/ipp.txt
openvpn.privatevpn.log=/tmp/openvpn.log
openvpn.privatevpn.status=/tmp/openvpn-status.log
openvpn.privatevpn.verb=11
openvpn.privatevpn.comp_lzo=yes
openvpn.privatevpn.cipher=AES-256-CBC
openvpn.privatevpn.client_to_client=1
openvpn.privatevpn.persist_key=1
openvpn.privatevpn.persist_tun=1
openvpn.privatevpn.client_config_dir=/etc/openvpn/clients
openvpn.privatevpn.user=nobody

uci show firewall
firewall.@rule[0]=rule
firewall.@rule[0].name=Allow Inbound VPN
firewall.@rule[0].target=ACCEPT
firewall.@rule[0].family=ipv4
firewall.@rule[0].proto=tcp udp
firewall.@rule[0].src=*
firewall.@rule[0].dest_port=1940
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood=1
firewall.@defaults[0].input=ACCEPT
firewall.@defaults[0].output=ACCEPT
firewall.@defaults[0].forward=REJECT
firewall.@rule[1]=rule
firewall.@rule[1].target=ACCEPT
firewall.@rule[1].name=Allow Inbound SSH
firewall.@rule[1].family=ipv4
firewall.@rule[1].proto=tcp
firewall.@rule[1].dest_port=2221
firewall.@rule[1].src=*
firewall.@zone[0]=zone
firewall.@zone[0].name=lan
firewall.@zone[0].input=ACCEPT
firewall.@zone[0].output=ACCEPT
firewall.@zone[0].forward=ACCEPT
firewall.@zone[0].network=lan
firewall.@zone[1]=zone
firewall.@zone[1].name=wan
firewall.@zone[1].input=REJECT
firewall.@zone[1].output=ACCEPT
firewall.@zone[1].forward=REJECT
firewall.@zone[1].masq=1
firewall.@zone[1].mtu_fix=1
firewall.@zone[1].network=wan wan6
firewall.@include[0]=include
firewall.@include[0].path=/etc/firewall.user
firewall.@zone[2]=zone
firewall.@zone[2].name=vpn
firewall.@zone[2].masq=1
firewall.@zone[2].input=ACCEPT
firewall.@zone[2].forward=ACCEPT
firewall.@zone[2].output=ACCEPT
firewall.@zone[2].network=vpn0
firewall.@zone[2].log=1
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest=wan
firewall.@forwarding[0].src=lan
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest=lan
firewall.@forwarding[1].src=vpn
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].dest=wan
firewall.@forwarding[2].src=vpn
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].dest=vpn
firewall.@forwarding[3].src=lan
firewall.@forwarding[4]=forwarding
firewall.@forwarding[4].dest=vpn
firewall.@forwarding[4].src=wan

openvpn log
Wed Mar 25 18:56:28 2015 us=687738 OpenVPN 2.3.6 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built
Wed Mar 25 18:56:28 2015 us=688055 library versions: OpenSSL 1.0.2a 19 Mar 2015, LZO 2.08
Wed Mar 25 18:56:28 2015 us=978164 Diffie-Hellman initialized with 2048 bit key
Wed Mar 25 18:56:28 2015 us=982808 Control Channel Authentication: using '/etc/openvpn/keys/PrivateVPN/ta.key' as a Op
Wed Mar 25 18:56:28 2015 us=983032 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC
Wed Mar 25 18:56:28 2015 us=983207 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC
Wed Mar 25 18:56:28 2015 us=983412 TLS-Auth MTU parms [ L:1560 D:168 EF:68 EB:0 ET:0 EL:0 ]
Wed Mar 25 18:56:28 2015 us=983645 Socket Buffers: R=[87380->131072] S=[16384->131072]
Wed Mar 25 18:56:28 2015 us=986615 TUN/TAP device tun0 opened
Wed Mar 25 18:56:28 2015 us=986853 TUN/TAP TX queue length set to 100
Wed Mar 25 18:56:28 2015 us=987054 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Mar 25 18:56:28 2015 us=987337 /sbin/ifconfig tun0 10.10.10.1 pointopoint 10.
Wed Mar 25 18:56:28 2015 us=998465 /sbin/route add -net 10.10.0.0 netmask 255.255
Wed Mar 25 18:56:29 2015 us=14562 /sbin/route add -net 10.10.10.0 netmask 255.255
Wed Mar 25 18:56:29 2015 us=27637 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB
Wed Mar 25 18:56:29 2015 us=28124 UID set to nobody
Wed Mar 25 18:56:29 2015 us=28376 Listening for incoming TCP connection on [undef
Wed Mar 25 18:56:29 2015 us=28657 TCPv4_SERVER link local (bound): [undef]
Wed Mar 25 18:56:29 2015 us=28827 TCPv4_SERVER link remote: [undef]
Wed Mar 25 18:56:29 2015 us=28994 MULTI: multi_init called, r=256 v=256
Wed Mar 25 18:56:29 2015 us=29293 IFCONFIG POOL: base=10.10.10.4 size=62, ipv6=0
Wed Mar 25 18:56:29 2015 us=29530 IFCONFIG POOL LIST
Wed Mar 25 18:56:29 2015 us=30176 MULTI: TCP INIT maxclients=1024 maxevents=1028
Wed Mar 25 18:56:29 2015 us=30548 Initialization Sequence Completed

netstat
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 1479/smbd
tcp 0 0 192.168.200.1:2222 0.0.0.0:* LISTEN 1329/dropbear
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1411/uhttpd
tcp 0 0 0.0.0.0:1940 0.0.0.0:* LISTEN 2303/openvpn
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 1770/dnsmasq
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 1479/smbd
tcp 0 0 68.114.212.219:1940 68.190.91.177:40119 TIME_WAIT -
tcp 0 0 68.114.212.219:1940 68.190.91.177:40120 TIME_WAIT -
tcp 0 248 192.168.200.1:2222 192.168.200.15:59560 ESTABLISHED 2091/dropbear
tcp 0 0 68.114.212.219:1940 68.190.91.177:40126 ESTABLISHED 2303/openvpn
tcp 0 0 :::139 :::* LISTEN 1479/smbd
tcp 0 0 :::80 :::* LISTEN 1411/uhttpd
tcp 0 0 :::53 :::* LISTEN 1770/dnsmasq
tcp 0 0 :::445 :::* LISTEN 1479/smbd
udp 0 0 0.0.0.0:53 0.0.0.0:* 1770/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 1770/dnsmasq
udp 0 0 192.168.200.255:137 0.0.0.0:* 1481/nmbd
udp 0 0 192.168.200.1:137 0.0.0.0:* 1481/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* 1481/nmbd
udp 0 0 192.168.200.255:138 0.0.0.0:* 1481/nmbd
udp 0 0 192.168.200.1:138 0.0.0.0:* 1481/nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:* 1481/nmbd
udp 0 0 :::546 :::* 1579/odhcp6c
udp 0 0 :::53 :::* 1770/dnsmasq
udp 0 0 :::123 :::* 1688/ntpd

It's perplexing that the local directive prevents devices from communicating with the VPN and leads me to believe a configuration setting or two, either within openvpn or within iptables, is missing (then again, allowing all traffic through the OpenWRT firewall didn't help either). I'm fairly new to iptables so I'd be curious to know if disabling the firewall via /etc/init.d/firewall stop completely disables iptables from routing traffic and/or allowing all traffic via LuCI completely disables iptables' ability to block traffic. If either is true, it would seem there's a configuration value missing from LuCI.

As a side note, I first tried setting up the VPN on my FreeNAS server (as the main purpose for it is network storage access), but could never get OpenWRT to allow the connection through on 1194. I spent two weeks trying to figure out why, couldn't determine why the connection was being blocked, then decided to simply use OpenWRT as the VPN server, but ran into the exact same errors I was getting with the VPN server in FreeNAS. (I'd prefer to use my server for a NAS VPN due to it being an octacore 2.4GHz ASRock server board, and everything from the hardware to the OS is intended for server usage.)

JW0914
OpenVPN User
Posts: 43
Joined: Sat Mar 14, 2015 6:53 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by JW0914 » Thu Mar 26, 2015 12:24 am

maikcat wrote: if you do not need anything else i will close this thread now. Michael.
If you could leave it open for another day or two to see if @Traffic needs anything else, I'd really appreciate it. As soon as Traffic replies back and doesn't need any more info, please feel free to close the thread.

Thanks again for all of yours and @Traffic's help, I really do appreciate it.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by Traffic » Thu Mar 26, 2015 8:43 pm

I am using openwrt x86-generic-ext4 (VM)
You are using ARM ...

I need to confirm: which version of openwrt you use .. AA or BB ?

thanks

JW0914
OpenVPN User
Posts: 43
Joined: Sat Mar 14, 2015 6:53 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by JW0914 » Fri Mar 27, 2015 12:22 am

Traffic wrote: I am using openwrt x86-generic-ext4 (VM)
You are using ARM ...

I need to confirm: which version of openwrt you use .. AA or BB ?

thanks
Neither... CC (Chaos Calmer). It's the snapshot trunk build.

JW0914
OpenVPN User
Posts: 43
Joined: Sat Mar 14, 2015 6:53 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by JW0914 » Fri Mar 27, 2015 12:26 am

OpenWrt Chaos Calmer (Bleeding Edge, r44974) / LuCI (git-15.079.29361-3e37216)

Kernel 3.18.9

BusyBox 1.22.1

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by Traffic » Fri Mar 27, 2015 1:12 am

and Michael still found a work around .. :geek:

JW0914
OpenVPN User
Posts: 43
Joined: Sat Mar 14, 2015 6:53 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by JW0914 » Fri Mar 27, 2015 2:51 pm

I don't think this issue arises from it being a trunk image, as someone else using trunk on the wrt 1900ac was able to get their openvpn vpn up and running fine. The individual did say they had the exact same setup and config files as me, however either they didn't have the local directive in their server config, or they had additional config options added in their config files or on OpenWRT (individual never went into detail about their config files).

This is what I find perplexing:

- OpenWRT is set up by default to not forward any traffic from WAN (eth1) to LAN (eth0) and to forward traffic from LAN to WAN
- When adding the tun0 interface and assigning it to firewall zone VPN, forwarding is added to allow traffic from VPN to WAN, VPN to LAN, WAN to VPN, and LAN to VPN, and a rule is added to allow all inbound traffic from any zone to device (the router's internal gateway) on port 1194
- If the local directive is set to the router internal gateway (192.168.1.1) and a connection request comes in on 1194, then the VPN should recognize it since it's been told to listen on 192.168.1.1.

From my understanding, this is the path inbound vpn traffic takes (please correct if wrong):

Inbound Traffic:
WAN --> VPN --> LAN

If that's the way Inbound Traffic is flowing, and the local directive is set, shouldn't the forwarding be VPN to LAN instead of WAN to LAN? If WAN traffic comes in on 1194 and is then forwarded direct to LAN on 1194, then the traffic is completely bypassing the VPN Zone and tun0 interface (or do I have this wrong)?

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by Traffic » Fri Mar 27, 2015 4:42 pm

JW0914 wrote: If WAN traffic comes in on 1194 and is then forwarded direct to LAN on 1194, then the traffic is completely bypassing the VPN Zone and tun0 interface (or do I have this wrong)?
I think you have this wrong ..

Assuming UDP:1194 for OpenVPN with encryption:
  • Packets on port 1194 are encrypted and only require that openWRT passes them to openVPN listening on UDP:1194
    (Regardless of router interface)
  • Once decrypted, packets are pushed out of the tun interface onto the LAN of the router.
    (Provided everything is configured correctly)
This may give you a better picture:
https://community.openvpn.net/openvpn/w ... orks_Linux

Removing the --local directive from openvpn means it will listen on all interfaces, including the WAN and that is the connection you are making .. you do not have a forwarded port from WAN to LAN. What openWRT does with that does not make any sense to me.

=== OpenWRT Attitude Adjustment VS Barrier Breaker ===

As far as I can tell openwrt-BB (and may be CC) does not setup iptables correctly:
  • Attitude Adjustment [Works]
    • uci show firewall:
      • firewall.@redirect[0]=redirect
        firewall.@redirect[0].name=OVPN-PFWD-U64021
        firewall.@redirect[0].target=DNAT
        firewall.@redirect[0].src=wan
        firewall.@redirect[0].dest=lan
        firewall.@redirect[0].proto=udp
        firewall.@redirect[0].dest_ip=10.1.101.21 #<-- Destination for forward
        firewall.@redirect[0].dest_port=64021
    • iptables rule:
      • root@OpenWrt21:~# iptables-save|grep 640
        -A zone_wan_prerouting -p udp -j DNAT --to-destination 10.1.101.21:64021
        -A zone_wan -d 10.1.101.21/32 -p udp -m udp --dport 64021 -m conntrack --ctstate DNAT -j ACCEPT
    • Process:
      • root@OpenWrt21:~# openvpn --version
        OpenVPN 2.2.2 i486-openwrt-linux [SSL] [LZO2] [EPOLL] built on Oct 25 2012
        Originally developed by James Yonan
        Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>

        netstat -antup|grep openvpn
        udp 0 0 10.1.101.21:64021 0.0.0.0:* 1338/openvpn

    Barrier Breaker [Does not work] :shock: :ROFL:
    • uci show firewall:
      • firewall.@redirect[0]=redirect
        firewall.@redirect[0].name=OVPN-PFWD-U64022
        firewall.@redirect[0].target=DNAT
        firewall.@redirect[0].src=wan
        firewall.@redirect[0].dest=lan
        firewall.@redirect[0].proto=udp
        firewall.@redirect[0].dest_ip=10.1.101.22 #<-- Destination for forward
        firewall.@redirect[0].dest_port=64022
    • iptables rule:
      • root@OpenWrt22:~# iptables-save |grep 640
        -A zone_wan_prerouting -p udp -m udp --dport 64022 -m comment --comment OVPN-PFWD-U64022 -j REDIRECT --to-ports 64022

        root@OpenWrt22:~# iptables-save |grep 10.1.101.22 #<-- Destination for forward
        {zero matches}
    • Process:
      • root@OpenWrt22:~# openvpn --version
        OpenVPN 2.3.6 i486-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan 6 2015
        library versions: OpenSSL 1.0.2a 19 Mar 2015, LZO 2.08
        Originally developed by James Yonan
        Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>

        netstat -antup|grep openvpn
        udp 0 0 10.1.101.22:64022 0.0.0.0:* 1591/openvpn
    BB only port-forward/redirects (or whatever it wants to call it!) to a different port not host.
  1. Note: All this is done using the GUI interface, I am not going to bother learning a language for a router OS.
    Especially with such glaring errors and no up to date documentation!
  2. Note: BB has another input field: Traffic Rules/new forward rule but I have given up on this for now.

JW0914
OpenVPN User
Posts: 43
Joined: Sat Mar 14, 2015 6:53 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by JW0914 » Fri Mar 27, 2015 4:57 pm

Thanks for the link, it explained it quite nicely =]

I know from using pivot overlay on Chaos Calmer that configuration differs from both AA and BB (one example is overlay must be configured as 'overlay' not '/overlay'), and I've seen many other differences in other config files; all of which leads me to believe some configuration option is missing in CC for either openvpn or iptables.

Unfortunately, you ran into the same issue I ran into where all information on OpenWRT is dated by several years and while some parts are applicable to CC, many are not (quite frustrating when you're trying to learn how to do something lol). Since I know all tutorials are written by another user who was nice enough, and probably took quite a bit of time to write up a tutorial, I try to add notes where applicable in OpenWRT wikis when I find something needs to be altered to fit for CC.

From the research you were able to do, do I have a correct interpretation that if I add the iptables rules as shown in AA that I may be able to get the VPN to work with the local directive?

Also, is it having the local directive worth it? Is there a security reason for it, or is it just user preference?

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by Traffic » Fri Mar 27, 2015 6:27 pm

I like openwrt but I have no need for it at this time .. but I did learn a lot from this. 8-)
JW0914 wrote: if I add the iptables rules as shown in AA that I may be able to get the VPN to work with the local directive?
Possibly .. but I tried a backup AA / restore to BB = Brick (not surprising) restore settings at your own risk !
JW0914 wrote: is it having the local directive worth it? Is there a security reason for it, or is it just user preference?
Bit of both ..

I suspect, if you NAT correctly to the internet you should be ok .. but I would prefer it be on the LAN not WAN.

If I get time I will probably come back to this sometime next week .. maybe we can find a solution !
I am sure there must be a way to configure using openwrt GUI to do a port-forward (not a port redirect).

JW0914
OpenVPN User
Posts: 43
Joined: Sat Mar 14, 2015 6:53 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by JW0914 » Fri Mar 27, 2015 6:33 pm

Traffic wrote: Possibly .. but I tried a backup AA / restore to BB = Brick (not surprising) restore settings at your own risk !
The WRT 1900ac is only compatible with Chaos Calmer (it was only 3 months ago that Linksys [Belkin] finally released the opensource radio drivers, only a year after launch).
Traffic wrote: I suspect, if you NAT correctly to the internet you should be ok .. but I would prefer it be on the LAN not WAN.

I am sure there must be a way to configure using openwrt GUI to do a port-forward (not a port redirect).
I would prefer it to be on the LAN as well. For advanced firewall rules, I prefer uci to be able to use iptables, and will try adding the AA rule tonight to see if it makes a difference.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by Traffic » Fri Mar 27, 2015 6:51 pm

Notice how considerable a change this is:

AA: Network=Firewall=Port.Forwards (Forward an external port to another host)
  • eg: -A zone_wan_prerouting -p udp -j DNAT --to-destination 10.1.101.21:64021

BB: Network=Firewall=Port.Forwards (Only forward a port to another port on this host)
  • eg: -A zone_wan_prerouting -p udp -m udp --dport 64022 -m comment --comment OVPN-PFWD-U64022 -j REDIRECT --to-ports 64022

    Note: -j REDIRECT
    • Note that the REDIRECT target is only valid within the PREROUTING and OUTPUT chains of the nat table. It is also valid within user-defined chains that are only called from those chains, and nowhere else. The REDIRECT target takes only one option, as described below.
      https://www.frozentux.net/iptables-tuto ... RECTTARGET
      Table 11-13. REDIRECT target options
      • Option --to-ports
      BB: Network=Firewall=Port.Forwards != PortForward and cannot due to limitation of iptables.

      Maybe frozentux is wrong .. :roll:
No doubt there is a simple(ish) fix using custom iptables rules but Port-Forward is an internet basic
and openwrt:BB has totally (and possibly deliberately) bugged it up.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by Traffic » Fri Mar 27, 2015 8:53 pm

hmm ..


BB

Now iptables shows this:


root@OpenWrt22:~# iptables-save|grep 640 # same as before
-A PREROUTING -i eth1 -p udp -m udp --dport 64022 -j DNAT --to-destination 10.1.101.22:64022
-A zone_wan_prerouting -p udp -m comment --comment OVPN-PFWD-U64022 -j REDIRECT --to-ports 64022
-A FORWARD -d 10.1.101.22/32 -p udp -m udp --dport 64022 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
root@OpenWrt22:~#

inexplicably

and openvpn has connected on the LAN ip via port-forward ..

FYI:


root@OpenWrt22:~#
root@OpenWrt22:~# uci show
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded=1
dhcp.@dnsmasq[0].boguspriv=1
dhcp.@dnsmasq[0].filterwin2k=0
dhcp.@dnsmasq[0].localise_queries=1
dhcp.@dnsmasq[0].rebind_protection=1
dhcp.@dnsmasq[0].rebind_localhost=1
dhcp.@dnsmasq[0].local=/lan/
dhcp.@dnsmasq[0].domain=lan
dhcp.@dnsmasq[0].expandhosts=1
dhcp.@dnsmasq[0].nonegcache=0
dhcp.@dnsmasq[0].authoritative=1
dhcp.@dnsmasq[0].readethers=1
dhcp.@dnsmasq[0].leasefile=/tmp/dhcp.leases
dhcp.@dnsmasq[0].resolvfile=/tmp/resolv.conf.auto
dhcp.lan=dhcp
dhcp.lan.interface=lan
dhcp.lan.start=100
dhcp.lan.limit=150
dhcp.lan.leasetime=12h
dhcp.wan=dhcp
dhcp.wan.interface=wan
dhcp.wan.ignore=1
dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].PasswordAuth=on
dropbear.@dropbear[0].Interface=lan
dropbear.@dropbear[0].Port=22
firewall.@rule[0]=rule
firewall.@rule[0].name=Allow-DHCP-Renew
firewall.@rule[0].src=wan
firewall.@rule[0].proto=udp
firewall.@rule[0].dest_port=68
firewall.@rule[0].target=ACCEPT
firewall.@rule[0].family=ipv4
firewall.@rule[1]=rule
firewall.@rule[1].name=Allow-Ping
firewall.@rule[1].src=wan
firewall.@rule[1].proto=icmp
firewall.@rule[1].icmp_type=echo-request
firewall.@rule[1].family=ipv4
firewall.@rule[1].target=ACCEPT
firewall.@rule[2]=rule
firewall.@rule[2].name=Allow-DHCPv6
firewall.@rule[2].src=wan
firewall.@rule[2].proto=udp
firewall.@rule[2].src_ip=fe80::/10
firewall.@rule[2].src_port=547
firewall.@rule[2].dest_ip=fe80::/10
firewall.@rule[2].dest_port=546
firewall.@rule[2].family=ipv6
firewall.@rule[2].target=ACCEPT
firewall.@rule[3]=rule
firewall.@rule[3].name=Allow-ICMPv6-Input
firewall.@rule[3].src=wan
firewall.@rule[3].proto=icmp
firewall.@rule[3].icmp_type=echo-request echo-reply destination-unreachable packet-too-big time-exceeded bad-header unknown-header-type router-solicitation neighbour-solicitation router-advertisement neighbour-advertisement
firewall.@rule[3].limit=1000/sec
firewall.@rule[3].family=ipv6
firewall.@rule[3].target=ACCEPT
firewall.@rule[4]=rule
firewall.@rule[4].name=Allow-ICMPv6-Forward
firewall.@rule[4].src=wan
firewall.@rule[4].dest=*
firewall.@rule[4].proto=icmp
firewall.@rule[4].icmp_type=echo-request echo-reply destination-unreachable packet-too-big time-exceeded bad-header unknown-header-type
firewall.@rule[4].limit=1000/sec
firewall.@rule[4].family=ipv6
firewall.@rule[4].target=ACCEPT
firewall.@rule[5]=rule
firewall.@rule[5].target=ACCEPT
firewall.@rule[5].src=wan
firewall.@rule[5].proto=udp
firewall.@rule[5].dest_port=64022
firewall.@rule[5].name=OVPN_OPEN
firewall.@rule[5].family=ipv4
firewall.@rule[5].dest=wan
firewall.@rule[5].dest_ip=172.17.2.22
firewall.@rule[5].enabled=0
firewall.@rule[6]=rule
firewall.@rule[6].name=OVPN_FRWD
firewall.@rule[6].dest_ip=10.1.101.22
firewall.@rule[6].dest_port=64022
firewall.@rule[6].family=ipv4
firewall.@rule[6].proto=udp
firewall.@rule[6].src=*
firewall.@rule[6].dest=*
firewall.@rule[6].target=ACCEPT
firewall.@rule[6].enabled=0
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood=1
firewall.@defaults[0].input=ACCEPT
firewall.@defaults[0].output=ACCEPT
firewall.@defaults[0].forward=ACCEPT
firewall.@zone[0]=zone
firewall.@zone[0].name=lan
firewall.@zone[0].network=lan
firewall.@zone[0].input=ACCEPT
firewall.@zone[0].output=ACCEPT
firewall.@zone[0].family=ipv4
firewall.@zone[0].log=1
firewall.@zone[0].forward=ACCEPT
firewall.@zone[1]=zone
firewall.@zone[1].name=wan
firewall.@zone[1].network=wan
firewall.@zone[1].output=ACCEPT
firewall.@zone[1].mtu_fix=1
firewall.@zone[1].family=ipv4
firewall.@zone[1].log=1
firewall.@zone[1].input=ACCEPT
firewall.@zone[1].forward=ACCEPT
firewall.@include[0]=include
firewall.@include[0].path=/etc/firewall.user
firewall.@redirect[0]=redirect
firewall.@redirect[0].target=DNAT
firewall.@redirect[0].src=wan
firewall.@redirect[0].dest=lan
firewall.@redirect[0].proto=udp
firewall.@redirect[0].dest_ip=10.1.101.22
firewall.@redirect[0].name=OVPN-PFWD-U64022
firewall.@redirect[0].dest_port=64022
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest=lan
firewall.@forwarding[0].src=wan
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest=wan
firewall.@forwarding[1].src=lan
luci.main=core
luci.main.lang=auto
luci.main.resourcebase=/luci-static/resources
luci.main.mediaurlbase=/luci-static/bootstrap
luci.flash_keep=extern
luci.flash_keep.uci=/etc/config/
luci.flash_keep.dropbear=/etc/dropbear/
luci.flash_keep.openvpn=/etc/openvpn/
luci.flash_keep.passwd=/etc/passwd
luci.flash_keep.opkg=/etc/opkg.conf
luci.flash_keep.firewall=/etc/firewall.user
luci.flash_keep.uploads=/lib/uci/upload/
luci.languages=internal
luci.sauth=internal
luci.sauth.sessionpath=/tmp/luci-sessions
luci.sauth.sessiontime=3600
luci.ccache=internal
luci.ccache.enable=1
luci.themes=internal
luci.themes.Bootstrap=/luci-static/bootstrap
network.loopback=interface
network.loopback.ifname=lo
network.loopback.proto=static
network.loopback.ipaddr=127.0.0.1
network.loopback.netmask=255.0.0.0
network.lan=interface
network.lan.ifname=eth0
network.lan.proto=dhcp
network.lan.defaultroute=0
network.lan.delegate=0
network.wan=interface
network.wan.proto=dhcp
network.wan.ifname=eth1
network.wan.delegate=0
openvpn.custom_config=openvpn
openvpn.custom_config.enabled=1
openvpn.custom_config.config=/etc/openvpn/simples/simples22.conf
openvpn.sample_server=openvpn
openvpn.sample_server.enabled=0
openvpn.sample_server.port=1194
openvpn.sample_server.proto=udp
openvpn.sample_server.dev=tun
openvpn.sample_server.ca=/etc/openvpn/ca.crt
openvpn.sample_server.cert=/etc/openvpn/server.crt
openvpn.sample_server.key=/etc/openvpn/server.key
openvpn.sample_server.dh=/etc/openvpn/dh1024.pem
openvpn.sample_server.server=10.8.0.0 255.255.255.0
openvpn.sample_server.ifconfig_pool_persist=/tmp/ipp.txt
openvpn.sample_server.keepalive=10 120
openvpn.sample_server.comp_lzo=yes
openvpn.sample_server.persist_key=1
openvpn.sample_server.persist_tun=1
openvpn.sample_server.status=/tmp/openvpn-status.log
openvpn.sample_server.verb=3
openvpn.sample_client=openvpn
openvpn.sample_client.enabled=0
openvpn.sample_client.client=1
openvpn.sample_client.dev=tun
openvpn.sample_client.proto=udp
openvpn.sample_client.remote=my_server_1 1194
openvpn.sample_client.resolv_retry=infinite
openvpn.sample_client.nobind=1
openvpn.sample_client.persist_key=1
openvpn.sample_client.persist_tun=1
openvpn.sample_client.ca=/etc/openvpn/ca.crt
openvpn.sample_client.cert=/etc/openvpn/client.crt
openvpn.sample_client.key=/etc/openvpn/client.key
openvpn.sample_client.comp_lzo=yes
openvpn.sample_client.verb=3
system.@system[0]=system
system.@system[0].zonename=UTC
system.@system[0].timezone=GMT0
system.@system[0].conloglevel=8
system.@system[0].cronloglevel=8
system.@system[0].hostname=OpenWrt22
system.ntp=timeserver
system.ntp.enabled=1
system.ntp.server=10.1.101.101
ucitrack.@network[0]=network
ucitrack.@network[0].init=network
ucitrack.@network[0].affects=dhcp radvd
ucitrack.@wireless[0]=wireless
ucitrack.@wireless[0].affects=network
ucitrack.@firewall[0]=firewall
ucitrack.@firewall[0].init=firewall
ucitrack.@firewall[0].affects=luci-splash qos miniupnpd
ucitrack.@olsr[0]=olsr
ucitrack.@olsr[0].init=olsrd
ucitrack.@dhcp[0]=dhcp
ucitrack.@dhcp[0].init=dnsmasq
ucitrack.@dropbear[0]=dropbear
ucitrack.@dropbear[0].init=dropbear
ucitrack.@httpd[0]=httpd
ucitrack.@httpd[0].init=httpd
ucitrack.@fstab[0]=fstab
ucitrack.@fstab[0].init=fstab
ucitrack.@qos[0]=qos
ucitrack.@qos[0].init=qos
ucitrack.@system[0]=system
ucitrack.@system[0].init=led
ucitrack.@system[0].affects=luci_statistics
ucitrack.@luci_splash[0]=luci_splash
ucitrack.@luci_splash[0].init=luci_splash
ucitrack.@upnpd[0]=upnpd
ucitrack.@upnpd[0].init=miniupnpd
ucitrack.@ntpclient[0]=ntpclient
ucitrack.@ntpclient[0].init=ntpclient
ucitrack.@samba[0]=samba
ucitrack.@samba[0].init=samba
ucitrack.@tinyproxy[0]=tinyproxy
ucitrack.@tinyproxy[0].init=tinyproxy
uhttpd.main=uhttpd
uhttpd.main.listen_http=0.0.0.0:80
uhttpd.main.listen_https=0.0.0.0:443
uhttpd.main.home=/www
uhttpd.main.rfc1918_filter=1
uhttpd.main.max_requests=3
uhttpd.main.max_connections=100
uhttpd.main.cert=/etc/uhttpd.crt
uhttpd.main.key=/etc/uhttpd.key
uhttpd.main.cgi_prefix=/cgi-bin
uhttpd.main.script_timeout=60
uhttpd.main.network_timeout=30
uhttpd.main.http_keepalive=20
uhttpd.main.tcp_keepalive=1
uhttpd.main.ubus_prefix=/ubus
uhttpd.px5g=cert
uhttpd.px5g.days=730
uhttpd.px5g.bits=1024
uhttpd.px5g.country=DE
uhttpd.px5g.state=Berlin
uhttpd.px5g.location=Berlin
uhttpd.px5g.commonname=OpenWrt
root@OpenWrt22:~#

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by Traffic » Sat Mar 28, 2015 4:46 pm

This is what you need to Port-forward WAN->LAN to OpenVPN with --local lan.ip.add:
  • OpenWRT ifconfig:

      eth0      Link encap:Ethernet  HWaddr 08:00:27:C7:3D:C3
                inet addr:10.1.101.22  Bcast:10.1.101.255  Mask:255.255.255.0
                inet6 addr: fe80::a00:27ff:fec7:3dc3/64 Scope:Link
                UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                RX packets:25021 errors:0 dropped:0 overruns:0 frame:0
                TX packets:25367 errors:0 dropped:0 overruns:0 carrier:0
                collisions:0 txqueuelen:1000
                RX bytes:2352906 (2.2 MiB)  TX bytes:12881206 (12.2 MiB)
      
      eth1      Link encap:Ethernet  HWaddr 08:00:27:7C:58:A2
                inet addr:172.17.2.22  Bcast:172.17.2.255  Mask:255.255.255.0
                inet6 addr: fe80::a00:27ff:fe7c:58a2/64 Scope:Link
                UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                RX packets:3537 errors:0 dropped:0 overruns:0 frame:0
                TX packets:1306 errors:0 dropped:0 overruns:0 carrier:0
                collisions:0 txqueuelen:1000
                RX bytes:310351 (303.0 KiB)  TX bytes:173020 (168.9 KiB)
    OpenVPN server config:

      local 10.1.101.22
      proto udp
      port 64022
    Firewall - Custom Rules:

      iptables -t nat -A PREROUTING -p udp -i eth1 --dport 64022 -j DNAT --to-destination 10.1.101.22:64022

This is why the normal Port Forward does not work:

      root@OpenWrt22:~# uci show firewall.@redirect[0]
      firewall.cfg183837=redirect
      firewall.cfg183837.target=DNAT
      firewall.cfg183837.src=wan
      firewall.cfg183837.dest=lan
      firewall.cfg183837.proto=udp
      firewall.cfg183837.src_dport=64022
      firewall.cfg183837.dest_ip=10.1.101.22
      firewall.cfg183837.dest_port=64022
      firewall.cfg183837.name=OVPN_PFWD_U64022
      

      root@OpenWrt22:~# /etc/init.d/firewall restart
      Warning: Unable to locate ipset utility, disabling ipset support
      Warning: Section @redirect[0] (OVPN_PFWD_U64022) refers to a destination address on this router, assuming port redirection
      
    This Port Forward rule works:

      root@OpenWrt22:~# uci show firewall.@redirect[1]
      firewall.cfg1a3837=redirect
      firewall.cfg1a3837.target=DNAT
      firewall.cfg1a3837.src=wan
      firewall.cfg1a3837.dest=lan
      firewall.cfg1a3837.proto=udp
      firewall.cfg1a3837.src_dport=64023
      firewall.cfg1a3837.dest_ip=10.1.101.101
      firewall.cfg1a3837.dest_port=64023
      firewall.cfg1a3837.name=OVPN_PFWD_U64023
      
I would say that is solved :mrgreen:
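
Traffic's finding above, as an added audit script (not code from the thread or from OpenWrt): fw3 turns a DNAT redirect whose dest_ip is one of the router's own addresses into a port REDIRECT, which rewrites the destination to the incoming interface's address, so an openvpn bound with --local to the LAN address never sees the packet; the fix is the manual PREROUTING DNAT from the Custom Rules box. The script parses the `uci show firewall` and `ifconfig` formats quoted in the thread (constructed sample input inline, using the thread's 10.1.101.22 / 172.17.2.22 / eth1 values) and also flags zone forwardings from wan as an added least-privilege check.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input in the shape of `uci show firewall` and `ifconfig`
# output quoted in the thread (addresses are the thread's own examples).
UCI_SHOW = """\
firewall.@redirect[0]=redirect
firewall.@redirect[0].target=DNAT
firewall.@redirect[0].src=wan
firewall.@redirect[0].dest=lan
firewall.@redirect[0].proto=udp
firewall.@redirect[0].src_dport=64022
firewall.@redirect[0].dest_ip=10.1.101.22
firewall.@redirect[0].dest_port=64022
firewall.@redirect[0].name=OVPN_PFWD_U64022
firewall.@redirect[1]=redirect
firewall.@redirect[1].target=DNAT
firewall.@redirect[1].src=wan
firewall.@redirect[1].dest=lan
firewall.@redirect[1].proto=udp
firewall.@redirect[1].src_dport=64023
firewall.@redirect[1].dest_ip=10.1.101.101
firewall.@redirect[1].dest_port=64023
firewall.@redirect[1].name=OVPN_PFWD_U64023
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest=lan
firewall.@forwarding[0].src=wan
"""

IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 08:00:27:C7:3D:C3
          inet addr:10.1.101.22  Bcast:10.1.101.255  Mask:255.255.255.0
eth1      Link encap:Ethernet  HWaddr 08:00:27:7C:58:A2
          inet addr:172.17.2.22  Bcast:172.17.2.255  Mask:255.255.255.0
"""


def parse_uci(text):
    """Group `uci show` lines into {section_id: {option: value}}; the section's
    own line (no option part) is stored under the '.type' key."""
    sections = defaultdict(dict)
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        path = key.split(".", 1)[1]            # strip the leading config name
        sect, dot, opt = path.partition(".")
        sections[sect][opt if dot else ".type"] = value
    return sections


def local_addresses(ifconfig_text):
    """Every IPv4 address the router itself owns, taken from ifconfig output."""
    return {ipaddress.ip_address(a)
            for a in re.findall(r"inet addr:(\S+)", ifconfig_text)}


def dnat_rule(sect, wan_iface):
    """The manual PREROUTING DNAT the thread puts under Firewall - Custom Rules."""
    return ("iptables -t nat -A PREROUTING -p {proto} -i {wan} --dport {sport} "
            "-j DNAT --to-destination {dip}:{dport}").format(
        proto=sect["proto"], wan=wan_iface,
        sport=sect.get("src_dport", sect["dest_port"]),
        dip=sect["dest_ip"], dport=sect["dest_port"])


def audit(uci_text, ifconfig_text, wan_iface):
    """Return (section_name, verdict, fix_or_None) for each relevant section."""
    own = local_addresses(ifconfig_text)
    findings = []
    for sect in parse_uci(uci_text).values():
        kind = sect.get(".type")
        if kind == "redirect" and sect.get("target") == "DNAT" and "dest_ip" in sect:
            name = sect.get("name", "?")
            if ipaddress.ip_address(sect["dest_ip"]) in own:
                # fw3: "refers to a destination address on this router,
                # assuming port redirection" -> -j REDIRECT, which rewrites the
                # destination to the WAN interface address, not the LAN one.
                findings.append((name, "becomes REDIRECT", dnat_rule(sect, wan_iface)))
            else:
                findings.append((name, "real DNAT", None))
        elif kind == "forwarding" and sect.get("src") == "wan":
            # OpenVPN only needs its listening port passed to it; a blanket
            # wan->zone forwarding is more than that.
            findings.append(("forwarding wan->" + sect.get("dest", "?"),
                             "permissive: unsolicited WAN traffic forwarded into zone",
                             None))
    return findings


if __name__ == "__main__":
    for name, verdict, fix in audit(UCI_SHOW, IFCONFIG, "eth1"):
        print("%-22s %s" % (name, verdict))
        if fix:
            print("    fix: " + fix)
```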

JW0914
OpenVPN User
Posts: 43
Joined: Sat Mar 14, 2015 6:53 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by JW0914 » Sun Mar 29, 2015 5:48 pm

I can't verify for sure yet as I think the connection is being refused due to a large data transfer that I'm currently doing between my PC and NAS server (~1.5TB).

The exact error I'm getting with UDP is:

Connection reset by peer (WSAECONNRESET) (code=10054)

A few posts I've come across referencing that error code say it's due to a bad connection, and I've been having timeout issues with Xbox Live and utilizing LuCI and uci during this transfer.

More likely than not, due to the slower write speed with ZFS10, the transfer probably won't complete until tomorrow. Will post whether I'm able to get this to work when the transfer is done.
