Page 3 of 4
Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec
Posted: Fri Mar 27, 2015 1:12 am
by Traffic
and Michael
still found a
work around ..
Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec
Posted: Fri Mar 27, 2015 2:51 pm
by JW0914
I don't think this issue arises from it being a trunk image, as someone else using trunk on the wrt 1900ac was able to get their openvpn vpn up and running fine. The individual did say they had the exact same setup and config files as me, however either they didn't have the local directive in their server config, or they had additional config options added in their config files or on OpenWRT (individual never went into detail about their config files).
This is what I find perplexing:
- OpenWRT is setup by default to not forward any traffic from WAN (eth1) to LAN (eth0) and to forward traffic from LAN to WAN
- When adding the tun0 interface and assigning it to firewall zone VPN, forwarding is added to allow traffic from VPN to WAN, VPN to LAN, WAN to VPN, and LAN to VPN, and a rule is added to allow all
inbound traffic from any zone to device (the router's internal gateway) on port 1194
- if the local directive is set to the router internal gateway (192.168.1.1) and a connection request comes in on 1194, then the VPN should recognize it since it's been told to listen on 192.168.1.1.
From my understanding, this is the path inbound vpn traffic takes (please correct if wrong):
Inbound Traffic:
WAN --> VPN --> LAN
If that's the way Inbound Traffic is flowing, and the local directive is set, shouldn't the forwarding be VPN to LAN instead of WAN to LAN? If WAN traffic comes in on 1194 and is then forwarded direct to LAN on 1194, then the traffic is completely bypassing the VPN Zone and tun0 interface (or do I have this wrong)?
Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec
Posted: Fri Mar 27, 2015 4:42 pm
by Traffic
JW0914 wrote:If WAN traffic comes in on 1194 and is then forwarded direct to LAN on 1194, then the traffic is completely bypassing the VPN Zone and tun0 interface (or do I have this wrong)?
I think you have this wrong ..
Assuming UDP:1194 for OpenVPN with encryption:
- Packets on port 1194 are encrypted and only require that openWRT passes them to openVPN listening on UDP:1194
(Regardless of router interface)
- Once decrypted, packets are pushed out of the tun interface onto the LAN of the router.
(Provided everything is configured correctly)
This may give you a better picture:
https://community.openvpn.net/openvpn/w ... orks_Linux
Removing the --
local directive from openvpn means it will listen on all interfaces, including the WAN and that is the connection you are making .. you do not have a forwarded port from WAN to LAN. What openWRT does with that does not make any sense to me.
=== OpenWRT Attitude Adjustment VS Barrier Breaker ===
As far as I can tell openwrt-BB (and may be CC) does not setup iptables correctly:
- Attitude Adjustment [Works]
- uci show firewall:
- firewall.@redirect[0]=redirect
firewall.@redirect[0].name=OVPN-PFWD-U64021
firewall.@redirect[0].target=DNAT
firewall.@redirect[0].src=wan
firewall.@redirect[0].dest=lan
firewall.@redirect[0].proto=udp
firewall.@redirect[0].dest_ip=10.1.101.21 #<-- Destination for forward
firewall.@redirect[0].dest_port=64021
- iptables rule:
- root@OpenWrt21:~# iptables-save|grep 640
-A zone_wan_prerouting -p udp -j DNAT --to-destination 10.1.101.21:64021
-A zone_wan -d 10.1.101.21/32 -p udp -m udp --dport 64021 -m conntrack --ctstate DNAT -j ACCEPT
- Process:
- root@OpenWrt21:~# openvpn --version
OpenVPN 2.2.2 i486-openwrt-linux [SSL] [LZO2] [EPOLL] built on Oct 25 2012
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
netstat -antup|grep openvpn
udp 0 0 10.1.101.21:64021 0.0.0.0:* 1338/openvpn
Barrier Breaker [Does not work] 
:ROFL:
- uci show firewall:
- firewall.@redirect[0]=redirect
firewall.@redirect[0].name=OVPN-PFWD-U64022
firewall.@redirect[0].target=DNAT
firewall.@redirect[0].src=wan
firewall.@redirect[0].dest=lan
firewall.@redirect[0].proto=udp
firewall.@redirect[0].dest_ip=10.1.101.22 #<-- Destination for forward
firewall.@redirect[0].dest_port=64022
- iptables rule:
- root@OpenWrt22:~# iptables-save |grep 640
-A zone_wan_prerouting -p udp -m udp --dport 64022 -m comment --comment OVPN-PFWD-U64022 -j REDIRECT --to-ports 64022
root@OpenWrt22:~# iptables-save |grep 10.1.101.22 #<-- Destination for forward
{zero matches}
- Process:
- root@OpenWrt22:~# openvpn --version
OpenVPN 2.3.6 i486-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan 6 2015
library versions: OpenSSL 1.0.2a 19 Mar 2015, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
netstat -antup|grep openvpn
udp 0 0 10.1.101.22:64022 0.0.0.0:* 1591/openvpn
BB only port-forward/redirects (or whatever it wants to call it!) to a different port not host.
- Note: All this is done using the GUI interface, i am not going to bother learning a language for a router OS.
Especially with such glaring errors and no up to date documentation!
- Note: BB has another input field: Traffic Rules/new forward rule but I have given up on this for now.
Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec
Posted: Fri Mar 27, 2015 4:57 pm
by JW0914
Thanks for the link, it explained it quite nicely =]
I know from using pivot overlay on Chaos Calmer that configuration differs from both AA and BB (one example is overlay must be configured as 'overlay not '/overlay'), and I've seen many other differences in other config files; all of which leads me to believe some configuration option is missing in CC for either openvpn or iptables.
Unfortunately, you ran into the same issue I ran into where all information on OpenWRT is dated by several years and while some parts are applicable to CC, many are not (quite frustrating when you're trying to learn how to do something lol). Since I know all tutorials are all written by another user who was nice enough, and probably took quite a bit of time to write up a tutorial, I try to add notes where applicable in OpenWRT wikis when I find something needs to be altered to fit for CC.
From the research you were able to do, do I have a correct interpretation that if I add the iptables rules as shown in AA that I may be able to get the VPN to work with the local directive?
Also, is it having the local directive worth it? Is there a security reason for it, or is it just user preference?
Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec
Posted: Fri Mar 27, 2015 6:27 pm
by Traffic
I like openwrt but I have no need for it at this time .. but I did learn a lot from this.
JW0914 wrote:if I add the iptables rules as shown in AA that I may be able to get the VPN to work with the local directive?
Possibly .. but I tried a backup AA / restore to BB = Brick (not surprising) restore settings at your own risk !
JW0914 wrote:is it having the local directive worth it? Is there a security reason for it, or is it just user preference?
Bit of both ..
I suspect, if you NAT correctly to the internet you should be ok .. but I would prefer it be on the LAN not WAN.
If i get time I will probably come back to this sometime next week .. maybe
we can find a solution !
I am sure there must be a way to configure using openwrt GUI to do a port-forward (not a port redirect).
Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec
Posted: Fri Mar 27, 2015 6:33 pm
by JW0914
Traffic wrote:Possibly .. but I tried a backup AA / restore to BB = Brick (not surprising) restore settings at your own risk !
The WRT 1900ac is only compatible with Chaos Calmer (it was only 3 months ago that Linksys [Belkin] finally released the opensource radio drivers (only a year after launch).
Traffic wrote:I suspect, if you NAT correctly to the internet you should be ok .. but I would prefer it be on the LAN not WAN.
I am sure there must be a way to configure using openwrt GUI to do a port-forward (not a port redirect).
I would prefer it to be on the LAN as well. For advanced firewall rules, I prefer uci to be able to use iptables, and will try adding the AA rule tonight to see if it makes a difference
Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec
Posted: Fri Mar 27, 2015 6:51 pm
by Traffic
Notice how considerable a change this is:
AA: Network=Firewall=Port.Forwards (Forward an external port to another host)
- eg: -A zone_wan_prerouting -p udp -j DNAT --to-destination 10.1.101.21:64021
BB: Network=Firewall=Port.Forwards (Only forward a port to another port on this host)
- eg: -A zone_wan_prerouting -p udp -m udp --dport 64022 -m comment --comment OVPN-PFWD-U64022 -j REDIRECT --to-ports 64022
Note: -j REDIRECT
Note that the REDIRECT target is only valid within the PREROUTING and OUTPUT chains of the nat table. It is also valid within user-defined chains that are only called from those chains, and nowhere else. The REDIRECT target takes only one option, as described below.
https://www.frozentux.net/iptables-tuto ... RECTTARGETTable 11-13. REDIRECT target options
BB: Network=Firewall=Port.Forwards != PortForward and cannot due to limitation of iptables.
May be frozentux is wrong .. 
No doubt there is a simple(ish) fix using custom iptables rules but Port-Forward is a internet basic
and openwrt:BB has totally (and possibly deliberately)
bugged it up.
Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec
Posted: Fri Mar 27, 2015 8:53 pm
by Traffic
hmm ..
BB
Now iptables shows this:
Code: Select all
root@OpenWrt22:~# iptables-save|grep 640 # same as before
-A PREROUTING -i eth1 -p udp -m udp --dport 64022 -j DNAT --to-destination 10.1.101.22:64022
-A zone_wan_prerouting -p udp -m comment --comment OVPN-PFWD-U64022 -j REDIRECT --to-ports 64022
-A FORWARD -d 10.1.101.22/32 -p udp -m udp --dport 64022 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
root@OpenWrt22:~#
inexplicably
and openvpn has connected on the LAN ip via port-forward ..
FYI:
Code: Select all
root@OpenWrt22:~#
root@OpenWrt22:~# uci show
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded=1
dhcp.@dnsmasq[0].boguspriv=1
dhcp.@dnsmasq[0].filterwin2k=0
dhcp.@dnsmasq[0].localise_queries=1
dhcp.@dnsmasq[0].rebind_protection=1
dhcp.@dnsmasq[0].rebind_localhost=1
dhcp.@dnsmasq[0].local=/lan/
dhcp.@dnsmasq[0].domain=lan
dhcp.@dnsmasq[0].expandhosts=1
dhcp.@dnsmasq[0].nonegcache=0
dhcp.@dnsmasq[0].authoritative=1
dhcp.@dnsmasq[0].readethers=1
dhcp.@dnsmasq[0].leasefile=/tmp/dhcp.leases
dhcp.@dnsmasq[0].resolvfile=/tmp/resolv.conf.auto
dhcp.lan=dhcp
dhcp.lan.interface=lan
dhcp.lan.start=100
dhcp.lan.limit=150
dhcp.lan.leasetime=12h
dhcp.wan=dhcp
dhcp.wan.interface=wan
dhcp.wan.ignore=1
dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].PasswordAuth=on
dropbear.@dropbear[0].Interface=lan
dropbear.@dropbear[0].Port=22
firewall.@rule[0]=rule
firewall.@rule[0].name=Allow-DHCP-Renew
firewall.@rule[0].src=wan
firewall.@rule[0].proto=udp
firewall.@rule[0].dest_port=68
firewall.@rule[0].target=ACCEPT
firewall.@rule[0].family=ipv4
firewall.@rule[1]=rule
firewall.@rule[1].name=Allow-Ping
firewall.@rule[1].src=wan
firewall.@rule[1].proto=icmp
firewall.@rule[1].icmp_type=echo-request
firewall.@rule[1].family=ipv4
firewall.@rule[1].target=ACCEPT
firewall.@rule[2]=rule
firewall.@rule[2].name=Allow-DHCPv6
firewall.@rule[2].src=wan
firewall.@rule[2].proto=udp
firewall.@rule[2].src_ip=fe80::/10
firewall.@rule[2].src_port=547
firewall.@rule[2].dest_ip=fe80::/10
firewall.@rule[2].dest_port=546
firewall.@rule[2].family=ipv6
firewall.@rule[2].target=ACCEPT
firewall.@rule[3]=rule
firewall.@rule[3].name=Allow-ICMPv6-Input
firewall.@rule[3].src=wan
firewall.@rule[3].proto=icmp
firewall.@rule[3].icmp_type=echo-request echo-reply destination-unreachable packet-too-big time-exceeded bad-header unknown-header-type router-solicitation neighbour-solicitation router-advertisement neighbour-advertisement
firewall.@rule[3].limit=1000/sec
firewall.@rule[3].family=ipv6
firewall.@rule[3].target=ACCEPT
firewall.@rule[4]=rule
firewall.@rule[4].name=Allow-ICMPv6-Forward
firewall.@rule[4].src=wan
firewall.@rule[4].dest=*
firewall.@rule[4].proto=icmp
firewall.@rule[4].icmp_type=echo-request echo-reply destination-unreachable packet-too-big time-exceeded bad-header unknown-header-type
firewall.@rule[4].limit=1000/sec
firewall.@rule[4].family=ipv6
firewall.@rule[4].target=ACCEPT
firewall.@rule[5]=rule
firewall.@rule[5].target=ACCEPT
firewall.@rule[5].src=wan
firewall.@rule[5].proto=udp
firewall.@rule[5].dest_port=64022
firewall.@rule[5].name=OVPN_OPEN
firewall.@rule[5].family=ipv4
firewall.@rule[5].dest=wan
firewall.@rule[5].dest_ip=172.17.2.22
firewall.@rule[5].enabled=0
firewall.@rule[6]=rule
firewall.@rule[6].name=OVPN_FRWD
firewall.@rule[6].dest_ip=10.1.101.22
firewall.@rule[6].dest_port=64022
firewall.@rule[6].family=ipv4
firewall.@rule[6].proto=udp
firewall.@rule[6].src=*
firewall.@rule[6].dest=*
firewall.@rule[6].target=ACCEPT
firewall.@rule[6].enabled=0
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood=1
firewall.@defaults[0].input=ACCEPT
firewall.@defaults[0].output=ACCEPT
firewall.@defaults[0].forward=ACCEPT
firewall.@zone[0]=zone
firewall.@zone[0].name=lan
firewall.@zone[0].network=lan
firewall.@zone[0].input=ACCEPT
firewall.@zone[0].output=ACCEPT
firewall.@zone[0].family=ipv4
firewall.@zone[0].log=1
firewall.@zone[0].forward=ACCEPT
firewall.@zone[1]=zone
firewall.@zone[1].name=wan
firewall.@zone[1].network=wan
firewall.@zone[1].output=ACCEPT
firewall.@zone[1].mtu_fix=1
firewall.@zone[1].family=ipv4
firewall.@zone[1].log=1
firewall.@zone[1].input=ACCEPT
firewall.@zone[1].forward=ACCEPT
firewall.@include[0]=include
firewall.@include[0].path=/etc/firewall.user
firewall.@redirect[0]=redirect
firewall.@redirect[0].target=DNAT
firewall.@redirect[0].src=wan
firewall.@redirect[0].dest=lan
firewall.@redirect[0].proto=udp
firewall.@redirect[0].dest_ip=10.1.101.22
firewall.@redirect[0].name=OVPN-PFWD-U64022
firewall.@redirect[0].dest_port=64022
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest=lan
firewall.@forwarding[0].src=wan
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest=wan
firewall.@forwarding[1].src=lan
luci.main=core
luci.main.lang=auto
luci.main.resourcebase=/luci-static/resources
luci.main.mediaurlbase=/luci-static/bootstrap
luci.flash_keep=extern
luci.flash_keep.uci=/etc/config/
luci.flash_keep.dropbear=/etc/dropbear/
luci.flash_keep.openvpn=/etc/openvpn/
luci.flash_keep.passwd=/etc/passwd
luci.flash_keep.opkg=/etc/opkg.conf
luci.flash_keep.firewall=/etc/firewall.user
luci.flash_keep.uploads=/lib/uci/upload/
luci.languages=internal
luci.sauth=internal
luci.sauth.sessionpath=/tmp/luci-sessions
luci.sauth.sessiontime=3600
luci.ccache=internal
luci.ccache.enable=1
luci.themes=internal
luci.themes.Bootstrap=/luci-static/bootstrap
network.loopback=interface
network.loopback.ifname=lo
network.loopback.proto=static
network.loopback.ipaddr=127.0.0.1
network.loopback.netmask=255.0.0.0
network.lan=interface
network.lan.ifname=eth0
network.lan.proto=dhcp
network.lan.defaultroute=0
network.lan.delegate=0
network.wan=interface
network.wan.proto=dhcp
network.wan.ifname=eth1
network.wan.delegate=0
openvpn.custom_config=openvpn
openvpn.custom_config.enabled=1
openvpn.custom_config.config=/etc/openvpn/simples/simples22.conf
openvpn.sample_server=openvpn
openvpn.sample_server.enabled=0
openvpn.sample_server.port=1194
openvpn.sample_server.proto=udp
openvpn.sample_server.dev=tun
openvpn.sample_server.ca=/etc/openvpn/ca.crt
openvpn.sample_server.cert=/etc/openvpn/server.crt
openvpn.sample_server.key=/etc/openvpn/server.key
openvpn.sample_server.dh=/etc/openvpn/dh1024.pem
openvpn.sample_server.server=10.8.0.0 255.255.255.0
openvpn.sample_server.ifconfig_pool_persist=/tmp/ipp.txt
openvpn.sample_server.keepalive=10 120
openvpn.sample_server.comp_lzo=yes
openvpn.sample_server.persist_key=1
openvpn.sample_server.persist_tun=1
openvpn.sample_server.status=/tmp/openvpn-status.log
openvpn.sample_server.verb=3
openvpn.sample_client=openvpn
openvpn.sample_client.enabled=0
openvpn.sample_client.client=1
openvpn.sample_client.dev=tun
openvpn.sample_client.proto=udp
openvpn.sample_client.remote=my_server_1 1194
openvpn.sample_client.resolv_retry=infinite
openvpn.sample_client.nobind=1
openvpn.sample_client.persist_key=1
openvpn.sample_client.persist_tun=1
openvpn.sample_client.ca=/etc/openvpn/ca.crt
openvpn.sample_client.cert=/etc/openvpn/client.crt
openvpn.sample_client.key=/etc/openvpn/client.key
openvpn.sample_client.comp_lzo=yes
openvpn.sample_client.verb=3
system.@system[0]=system
system.@system[0].zonename=UTC
system.@system[0].timezone=GMT0
system.@system[0].conloglevel=8
system.@system[0].cronloglevel=8
system.@system[0].hostname=OpenWrt22
system.ntp=timeserver
system.ntp.enabled=1
system.ntp.server=10.1.101.101
ucitrack.@network[0]=network
ucitrack.@network[0].init=network
ucitrack.@network[0].affects=dhcp radvd
ucitrack.@wireless[0]=wireless
ucitrack.@wireless[0].affects=network
ucitrack.@firewall[0]=firewall
ucitrack.@firewall[0].init=firewall
ucitrack.@firewall[0].affects=luci-splash qos miniupnpd
ucitrack.@olsr[0]=olsr
ucitrack.@olsr[0].init=olsrd
ucitrack.@dhcp[0]=dhcp
ucitrack.@dhcp[0].init=dnsmasq
ucitrack.@dropbear[0]=dropbear
ucitrack.@dropbear[0].init=dropbear
ucitrack.@httpd[0]=httpd
ucitrack.@httpd[0].init=httpd
ucitrack.@fstab[0]=fstab
ucitrack.@fstab[0].init=fstab
ucitrack.@qos[0]=qos
ucitrack.@qos[0].init=qos
ucitrack.@system[0]=system
ucitrack.@system[0].init=led
ucitrack.@system[0].affects=luci_statistics
ucitrack.@luci_splash[0]=luci_splash
ucitrack.@luci_splash[0].init=luci_splash
ucitrack.@upnpd[0]=upnpd
ucitrack.@upnpd[0].init=miniupnpd
ucitrack.@ntpclient[0]=ntpclient
ucitrack.@ntpclient[0].init=ntpclient
ucitrack.@samba[0]=samba
ucitrack.@samba[0].init=samba
ucitrack.@tinyproxy[0]=tinyproxy
ucitrack.@tinyproxy[0].init=tinyproxy
uhttpd.main=uhttpd
uhttpd.main.listen_http=0.0.0.0:80
uhttpd.main.listen_https=0.0.0.0:443
uhttpd.main.home=/www
uhttpd.main.rfc1918_filter=1
uhttpd.main.max_requests=3
uhttpd.main.max_connections=100
uhttpd.main.cert=/etc/uhttpd.crt
uhttpd.main.key=/etc/uhttpd.key
uhttpd.main.cgi_prefix=/cgi-bin
uhttpd.main.script_timeout=60
uhttpd.main.network_timeout=30
uhttpd.main.http_keepalive=20
uhttpd.main.tcp_keepalive=1
uhttpd.main.ubus_prefix=/ubus
uhttpd.px5g=cert
uhttpd.px5g.days=730
uhttpd.px5g.bits=1024
uhttpd.px5g.country=DE
uhttpd.px5g.state=Berlin
uhttpd.px5g.location=Berlin
uhttpd.px5g.commonname=OpenWrt
root@OpenWrt22:~#
Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec
Posted: Sat Mar 28, 2015 4:46 pm
by Traffic
This is what you need to Port-forward WAN->LAN to OpenVPN with --local
lan.ip.add:
- OpenWRT ifconfig:
Code: Select all
eth0 Link encap:Ethernet HWaddr 08:00:27:C7:3D:C3
inet addr:10.1.101.22 Bcast:10.1.101.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fec7:3dc3/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:25021 errors:0 dropped:0 overruns:0 frame:0
TX packets:25367 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2352906 (2.2 MiB) TX bytes:12881206 (12.2 MiB)
eth1 Link encap:Ethernet HWaddr 08:00:27:7C:58:A2
inet addr:172.17.2.22 Bcast:172.17.2.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe7c:58a2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3537 errors:0 dropped:0 overruns:0 frame:0
TX packets:1306 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:310351 (303.0 KiB) TX bytes:173020 (168.9 KiB)
OpenVPN server config:Code: Select all
local 10.1.101.22
proto udp
port 64022
Firewall - Custom Rules:Code: Select all
iptables -t nat -A PREROUTING -p udp -i eth1 --dport 64022 -j DNAT --to-destination 10.1.101.22:64022
This is why the normal Port Forward does
not work:
Code: Select all
root@OpenWrt22:~# uci show firewall.@redirect[0]
firewall.cfg183837=redirect
firewall.cfg183837.target=DNAT
firewall.cfg183837.src=wan
firewall.cfg183837.dest=lan
firewall.cfg183837.proto=udp
firewall.cfg183837.src_dport=64022
firewall.cfg183837.dest_ip=10.1.101.22
firewall.cfg183837.dest_port=64022
firewall.cfg183837.name=OVPN_PFWD_U64022
Code: Select all
root@OpenWrt22:~# /etc/init.d/firewall restart
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section @redirect[0] (OVPN_PFWD_U64022) refers to a destination address on this router, assuming port redirection
This Port Forward rule works:
Code: Select all
root@OpenWrt22:~# uci show firewall.@redirect[1]
firewall.cfg1a3837=redirect
firewall.cfg1a3837.target=DNAT
firewall.cfg1a3837.src=wan
firewall.cfg1a3837.dest=lan
firewall.cfg1a3837.proto=udp
firewall.cfg1a3837.src_dport=64023
firewall.cfg1a3837.dest_ip=10.1.101.101
firewall.cfg1a3837.dest_port=64023
firewall.cfg1a3837.name=OVPN_PFWD_U64023
I would say that is solved
Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec
Posted: Sun Mar 29, 2015 5:48 pm
by JW0914
I can't verify for sure yet as I think the connection is being refused due to a large data transfer that I'm currently doing between my PC and NAS server (~1.5TB).
The exact error I'm getting with UDP is:
Connection reset by peer (WSAECONNRESET) (code=10054)
A few posts I've come across referencing that error code say it's due to a bad connection, and I've been having timeout issues with Xbox Live and utilizing LuCI and uci during the this transfer.
More likely that not, due to the slower write speed with ZFS10, the transfer probably won't complete until tomorrow. Will post whether I'm able to get this to work when transfer is done.
Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec
Posted: Sun Mar 29, 2015 6:53 pm
by JW0914
This Port Forward rule works:
root@OpenWrt22:~# uci show firewall.@redirect[1]
firewall.cfg1a3837=redirect
firewall.cfg1a3837.target=DNAT
firewall.cfg1a3837.src=wan
firewall.cfg1a3837.dest=lan
firewall.cfg1a3837.proto=udp
firewall.cfg1a3837.src_dport=64023
firewall.cfg1a3837.dest_ip=10.1.101.101
firewall.cfg1a3837.dest_port=64023
firewall.cfg1a3837.name=OVPN_PFWD_U64023
What is .101 pointing to, as in your config is listed as NTP server?
Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec
Posted: Sun Mar 29, 2015 7:13 pm
by Traffic
JW0914 wrote:What is .101 pointing to, as in your config is listed as NTP server?
answered your own question there
Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec
Posted: Sun Mar 29, 2015 7:16 pm
by JW0914
Traffic wrote:JW0914 wrote:What is .101 pointing to, as in your config is listed as NTP server?
answered your own question there
You listed a forwarding rule to that address... I can't replicate that rule without knowing what it's pointing to. In other words, it's pointing to an interface or device on your network.
Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec
Posted: Sun Mar 29, 2015 7:19 pm
by Traffic
JW0914 wrote:I can't replicate that rule without knowing what it's pointing to
sure you can .. use a pc on your network.
JW0914 wrote: In other words, it's pointing to an interface or device on your network.
Traffic wrote:OpenWRT ifconfig:
Code:
Code: Select all
eth0 Link encap:Ethernet HWaddr 08:00:27:C7:3D:C3
inet addr:10.1.101.22 Bcast:10.1.101.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fec7:3dc3/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:25021 errors:0 dropped:0 overruns:0 frame:0
TX packets:25367 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2352906 (2.2 MiB) TX bytes:12881206 (12.2 MiB)
eth1 Link encap:Ethernet HWaddr 08:00:27:7C:58:A2
inet addr:172.17.2.22 Bcast:172.17.2.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe7c:58a2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3537 errors:0 dropped:0 overruns:0 frame:0
TX packets:1306 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:310351 (303.0 KiB) TX bytes:173020 (168.9 KiB)
Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec
Posted: Sun Mar 29, 2015 7:31 pm
by JW0914
Traffic wrote:sure you can .. use a pc on your network.
I interpreted your post to mean that forwarding rule was required to make the local directive work, perhaps that's not what you meant?
As it stands, those rules do not allow for a vpn client to connect to the vpn server while the local directive is set with a value of the LAN IP at eth0. I've verified it's not the file transfer, as removing the local directive permits traffic, while re-adding it blocks traffic.
Sun Mar 29 14:30:16 2015 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
This does appear to be an issue with the way iptables routes data on openwrt, as openwrt (at least with kernel 3.18 on CC) doesn't use an actual iptables configuration file to set rules; it simplifies rule making my taking the rules set within the gui and applies them retroactively, flushing all iptables values upon router reboot or firewall restart (which is why all custom iptables commands must be saved in the firewall.user file which is applied every time the firewall is started or restarted).
Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec
Posted: Sun Mar 29, 2015 7:44 pm
by Traffic
JW0914 wrote:I interpreted your post to mean that forwarding rule was required to make the local directive work, perhaps that's not what you meant?
Read it again .. that rule is an example of a working port-forward only.
With explanation and example as to why a
local port-forward does
not work ..
If you have a
vanilla install of OpenWRT Barrier Breaker (
which you do not)
that custom rule (
customised for your own personal LAN)
will allow you to use --
local lan.ip.address in
OpenVPN.
Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec
Posted: Sun Mar 29, 2015 7:57 pm
by JW0914
This thread was never about BB, but CC... That comment is like saying "well such and such worked on Windows Vista" while talking about Windows 8.
Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec
Posted: Sun Mar 29, 2015 8:20 pm
by Traffic
This forum is for openVPN
not openWRT ..
That custom command is for
iptables ..
not opwnWRT ..
I have also explained that openWRT does something unexpected ..
I have provided the example for you to replicate the check for yourself ..
Traffic wrote:Code:
root@OpenWrt22:~# /etc/init.d/firewall restart
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section @redirect[0] (OVPN_PFWD_U64022) refers to a destination address on this router, assuming port redirection
JW0914 wrote:This thread was never about BB, but CC
which you only realised after I
politely asked you ..
Traffic wrote:I am using openwrt x86-generic-ext4 (VM)
You are using ARM ...
I need to confirm: which version of openwrt you use .. AA or BB ?
thanks
Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec
Posted: Sun Mar 29, 2015 8:22 pm
by JW0914
I'm not going to argue with you.
Have a great day
Please close the thread
Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec
Posted: Sun Mar 29, 2015 8:27 pm
by Traffic
Please read and understand the information provided:
post50818.html#p50818
This is what you need to Port-forward OpenWRT-BB: WAN->LAN
Which allows the use of OpenVPN with --local lan.ip.add
Note: Michael found the
work around to your problem ..