[Solved]Followed OpenWRT tutorials OpenWRT refuse connection

JW0914
OpenVPN User
Posts: 43
Joined: Sat Mar 14, 2015 6:53 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by JW0914 » Fri Mar 27, 2015 6:33 pm

Traffic wrote: Possibly .. but I tried a backup AA / restore to BB = Brick (not surprising) restore settings at your own risk !
The WRT 1900ac is only compatible with Chaos Calmer (it was only 3 months ago that Linksys [Belkin] finally released the open-source radio drivers, only a year after launch).
Traffic wrote: I suspect, if you NAT correctly to the internet you should be ok .. but I would prefer it be on the LAN not WAN.

I am sure there must be a way, using the OpenWRT GUI, to configure a port-forward (not a port redirect).
I would prefer it to be on the LAN as well. For advanced firewall rules, I prefer uci to be able to use iptables, and will try adding the AA rule tonight to see if it makes a difference.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by Traffic » Fri Mar 27, 2015 6:51 pm

Notice how considerable a change this is:

AA: Network=Firewall=Port.Forwards (Forward an external port to another host)
  • eg: -A zone_wan_prerouting -p udp -j DNAT --to-destination 10.1.101.21:64021

BB: Network=Firewall=Port.Forwards (Only forward a port to another port on this host)
  • eg: -A zone_wan_prerouting -p udp -m udp --dport 64022 -m comment --comment OVPN-PFWD-U64022 -j REDIRECT --to-ports 64022

    Note: -j REDIRECT
    • Note that the REDIRECT target is only valid within the PREROUTING and OUTPUT chains of the nat table. It is also valid within user-defined chains that are only called from those chains, and nowhere else. The REDIRECT target takes only one option, as described below.
      https://www.frozentux.net/iptables-tuto ... RECTTARGET
      Table 11-13. REDIRECT target options
      • Option --to-ports

    BB: Network=Firewall=Port.Forwards != PortForward, and cannot be, due to a limitation of iptables.

    Maybe frozentux is wrong .. :roll:

No doubt there is a simple(ish) fix using custom iptables rules, but Port-Forward is an internet basic
and openwrt:BB has totally (and possibly deliberately) bugged it up.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by Traffic » Fri Mar 27, 2015 8:53 pm

hmm ..


BB

Now iptables shows this:

Code:

root@OpenWrt22:~# iptables-save|grep 640 # same as before
-A PREROUTING -i eth1 -p udp -m udp --dport 64022 -j DNAT --to-destination 10.1.101.22:64022
-A zone_wan_prerouting -p udp -m comment --comment OVPN-PFWD-U64022 -j REDIRECT --to-ports 64022
-A FORWARD -d 10.1.101.22/32 -p udp -m udp --dport 64022 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
root@OpenWrt22:~#

inexplicably

and openvpn has connected on the LAN ip via port-forward ..

FYI:

Code:

root@OpenWrt22:~#
root@OpenWrt22:~# uci show
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded=1
dhcp.@dnsmasq[0].boguspriv=1
dhcp.@dnsmasq[0].filterwin2k=0
dhcp.@dnsmasq[0].localise_queries=1
dhcp.@dnsmasq[0].rebind_protection=1
dhcp.@dnsmasq[0].rebind_localhost=1
dhcp.@dnsmasq[0].local=/lan/
dhcp.@dnsmasq[0].domain=lan
dhcp.@dnsmasq[0].expandhosts=1
dhcp.@dnsmasq[0].nonegcache=0
dhcp.@dnsmasq[0].authoritative=1
dhcp.@dnsmasq[0].readethers=1
dhcp.@dnsmasq[0].leasefile=/tmp/dhcp.leases
dhcp.@dnsmasq[0].resolvfile=/tmp/resolv.conf.auto
dhcp.lan=dhcp
dhcp.lan.interface=lan
dhcp.lan.start=100
dhcp.lan.limit=150
dhcp.lan.leasetime=12h
dhcp.wan=dhcp
dhcp.wan.interface=wan
dhcp.wan.ignore=1
dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].PasswordAuth=on
dropbear.@dropbear[0].Interface=lan
dropbear.@dropbear[0].Port=22
firewall.@rule[0]=rule
firewall.@rule[0].name=Allow-DHCP-Renew
firewall.@rule[0].src=wan
firewall.@rule[0].proto=udp
firewall.@rule[0].dest_port=68
firewall.@rule[0].target=ACCEPT
firewall.@rule[0].family=ipv4
firewall.@rule[1]=rule
firewall.@rule[1].name=Allow-Ping
firewall.@rule[1].src=wan
firewall.@rule[1].proto=icmp
firewall.@rule[1].icmp_type=echo-request
firewall.@rule[1].family=ipv4
firewall.@rule[1].target=ACCEPT
firewall.@rule[2]=rule
firewall.@rule[2].name=Allow-DHCPv6
firewall.@rule[2].src=wan
firewall.@rule[2].proto=udp
firewall.@rule[2].src_ip=fe80::/10
firewall.@rule[2].src_port=547
firewall.@rule[2].dest_ip=fe80::/10
firewall.@rule[2].dest_port=546
firewall.@rule[2].family=ipv6
firewall.@rule[2].target=ACCEPT
firewall.@rule[3]=rule
firewall.@rule[3].name=Allow-ICMPv6-Input
firewall.@rule[3].src=wan
firewall.@rule[3].proto=icmp
firewall.@rule[3].icmp_type=echo-request echo-reply destination-unreachable packet-too-big time-exceeded bad-header unknown-header-type router-solicitation neighbour-solicitation router-advertisement neighbour-advertisement
firewall.@rule[3].limit=1000/sec
firewall.@rule[3].family=ipv6
firewall.@rule[3].target=ACCEPT
firewall.@rule[4]=rule
firewall.@rule[4].name=Allow-ICMPv6-Forward
firewall.@rule[4].src=wan
firewall.@rule[4].dest=*
firewall.@rule[4].proto=icmp
firewall.@rule[4].icmp_type=echo-request echo-reply destination-unreachable packet-too-big time-exceeded bad-header unknown-header-type
firewall.@rule[4].limit=1000/sec
firewall.@rule[4].family=ipv6
firewall.@rule[4].target=ACCEPT
firewall.@rule[5]=rule
firewall.@rule[5].target=ACCEPT
firewall.@rule[5].src=wan
firewall.@rule[5].proto=udp
firewall.@rule[5].dest_port=64022
firewall.@rule[5].name=OVPN_OPEN
firewall.@rule[5].family=ipv4
firewall.@rule[5].dest=wan
firewall.@rule[5].dest_ip=172.17.2.22
firewall.@rule[5].enabled=0
firewall.@rule[6]=rule
firewall.@rule[6].name=OVPN_FRWD
firewall.@rule[6].dest_ip=10.1.101.22
firewall.@rule[6].dest_port=64022
firewall.@rule[6].family=ipv4
firewall.@rule[6].proto=udp
firewall.@rule[6].src=*
firewall.@rule[6].dest=*
firewall.@rule[6].target=ACCEPT
firewall.@rule[6].enabled=0
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood=1
firewall.@defaults[0].input=ACCEPT
firewall.@defaults[0].output=ACCEPT
firewall.@defaults[0].forward=ACCEPT
firewall.@zone[0]=zone
firewall.@zone[0].name=lan
firewall.@zone[0].network=lan
firewall.@zone[0].input=ACCEPT
firewall.@zone[0].output=ACCEPT
firewall.@zone[0].family=ipv4
firewall.@zone[0].log=1
firewall.@zone[0].forward=ACCEPT
firewall.@zone[1]=zone
firewall.@zone[1].name=wan
firewall.@zone[1].network=wan
firewall.@zone[1].output=ACCEPT
firewall.@zone[1].mtu_fix=1
firewall.@zone[1].family=ipv4
firewall.@zone[1].log=1
firewall.@zone[1].input=ACCEPT
firewall.@zone[1].forward=ACCEPT
firewall.@include[0]=include
firewall.@include[0].path=/etc/firewall.user
firewall.@redirect[0]=redirect
firewall.@redirect[0].target=DNAT
firewall.@redirect[0].src=wan
firewall.@redirect[0].dest=lan
firewall.@redirect[0].proto=udp
firewall.@redirect[0].dest_ip=10.1.101.22
firewall.@redirect[0].name=OVPN-PFWD-U64022
firewall.@redirect[0].dest_port=64022
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest=lan
firewall.@forwarding[0].src=wan
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest=wan
firewall.@forwarding[1].src=lan
luci.main=core
luci.main.lang=auto
luci.main.resourcebase=/luci-static/resources
luci.main.mediaurlbase=/luci-static/bootstrap
luci.flash_keep=extern
luci.flash_keep.uci=/etc/config/
luci.flash_keep.dropbear=/etc/dropbear/
luci.flash_keep.openvpn=/etc/openvpn/
luci.flash_keep.passwd=/etc/passwd
luci.flash_keep.opkg=/etc/opkg.conf
luci.flash_keep.firewall=/etc/firewall.user
luci.flash_keep.uploads=/lib/uci/upload/
luci.languages=internal
luci.sauth=internal
luci.sauth.sessionpath=/tmp/luci-sessions
luci.sauth.sessiontime=3600
luci.ccache=internal
luci.ccache.enable=1
luci.themes=internal
luci.themes.Bootstrap=/luci-static/bootstrap
network.loopback=interface
network.loopback.ifname=lo
network.loopback.proto=static
network.loopback.ipaddr=127.0.0.1
network.loopback.netmask=255.0.0.0
network.lan=interface
network.lan.ifname=eth0
network.lan.proto=dhcp
network.lan.defaultroute=0
network.lan.delegate=0
network.wan=interface
network.wan.proto=dhcp
network.wan.ifname=eth1
network.wan.delegate=0
openvpn.custom_config=openvpn
openvpn.custom_config.enabled=1
openvpn.custom_config.config=/etc/openvpn/simples/simples22.conf
openvpn.sample_server=openvpn
openvpn.sample_server.enabled=0
openvpn.sample_server.port=1194
openvpn.sample_server.proto=udp
openvpn.sample_server.dev=tun
openvpn.sample_server.ca=/etc/openvpn/ca.crt
openvpn.sample_server.cert=/etc/openvpn/server.crt
openvpn.sample_server.key=/etc/openvpn/server.key
openvpn.sample_server.dh=/etc/openvpn/dh1024.pem
openvpn.sample_server.server=10.8.0.0 255.255.255.0
openvpn.sample_server.ifconfig_pool_persist=/tmp/ipp.txt
openvpn.sample_server.keepalive=10 120
openvpn.sample_server.comp_lzo=yes
openvpn.sample_server.persist_key=1
openvpn.sample_server.persist_tun=1
openvpn.sample_server.status=/tmp/openvpn-status.log
openvpn.sample_server.verb=3
openvpn.sample_client=openvpn
openvpn.sample_client.enabled=0
openvpn.sample_client.client=1
openvpn.sample_client.dev=tun
openvpn.sample_client.proto=udp
openvpn.sample_client.remote=my_server_1 1194
openvpn.sample_client.resolv_retry=infinite
openvpn.sample_client.nobind=1
openvpn.sample_client.persist_key=1
openvpn.sample_client.persist_tun=1
openvpn.sample_client.ca=/etc/openvpn/ca.crt
openvpn.sample_client.cert=/etc/openvpn/client.crt
openvpn.sample_client.key=/etc/openvpn/client.key
openvpn.sample_client.comp_lzo=yes
openvpn.sample_client.verb=3
system.@system[0]=system
system.@system[0].zonename=UTC
system.@system[0].timezone=GMT0
system.@system[0].conloglevel=8
system.@system[0].cronloglevel=8
system.@system[0].hostname=OpenWrt22
system.ntp=timeserver
system.ntp.enabled=1
system.ntp.server=10.1.101.101
ucitrack.@network[0]=network
ucitrack.@network[0].init=network
ucitrack.@network[0].affects=dhcp radvd
ucitrack.@wireless[0]=wireless
ucitrack.@wireless[0].affects=network
ucitrack.@firewall[0]=firewall
ucitrack.@firewall[0].init=firewall
ucitrack.@firewall[0].affects=luci-splash qos miniupnpd
ucitrack.@olsr[0]=olsr
ucitrack.@olsr[0].init=olsrd
ucitrack.@dhcp[0]=dhcp
ucitrack.@dhcp[0].init=dnsmasq
ucitrack.@dropbear[0]=dropbear
ucitrack.@dropbear[0].init=dropbear
ucitrack.@httpd[0]=httpd
ucitrack.@httpd[0].init=httpd
ucitrack.@fstab[0]=fstab
ucitrack.@fstab[0].init=fstab
ucitrack.@qos[0]=qos
ucitrack.@qos[0].init=qos
ucitrack.@system[0]=system
ucitrack.@system[0].init=led
ucitrack.@system[0].affects=luci_statistics
ucitrack.@luci_splash[0]=luci_splash
ucitrack.@luci_splash[0].init=luci_splash
ucitrack.@upnpd[0]=upnpd
ucitrack.@upnpd[0].init=miniupnpd
ucitrack.@ntpclient[0]=ntpclient
ucitrack.@ntpclient[0].init=ntpclient
ucitrack.@samba[0]=samba
ucitrack.@samba[0].init=samba
ucitrack.@tinyproxy[0]=tinyproxy
ucitrack.@tinyproxy[0].init=tinyproxy
uhttpd.main=uhttpd
uhttpd.main.listen_http=0.0.0.0:80
uhttpd.main.listen_https=0.0.0.0:443
uhttpd.main.home=/www
uhttpd.main.rfc1918_filter=1
uhttpd.main.max_requests=3
uhttpd.main.max_connections=100
uhttpd.main.cert=/etc/uhttpd.crt
uhttpd.main.key=/etc/uhttpd.key
uhttpd.main.cgi_prefix=/cgi-bin
uhttpd.main.script_timeout=60
uhttpd.main.network_timeout=30
uhttpd.main.http_keepalive=20
uhttpd.main.tcp_keepalive=1
uhttpd.main.ubus_prefix=/ubus
uhttpd.px5g=cert
uhttpd.px5g.days=730
uhttpd.px5g.bits=1024
uhttpd.px5g.country=DE
uhttpd.px5g.state=Berlin
uhttpd.px5g.location=Berlin
uhttpd.px5g.commonname=OpenWrt
root@OpenWrt22:~#

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by Traffic » Sat Mar 28, 2015 4:46 pm

This is what you need to Port-forward WAN->LAN to OpenVPN with --local lan.ip.add:

OpenWRT ifconfig:

Code:

      eth0      Link encap:Ethernet  HWaddr 08:00:27:C7:3D:C3
                inet addr:10.1.101.22  Bcast:10.1.101.255  Mask:255.255.255.0
                inet6 addr: fe80::a00:27ff:fec7:3dc3/64 Scope:Link
                UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                RX packets:25021 errors:0 dropped:0 overruns:0 frame:0
                TX packets:25367 errors:0 dropped:0 overruns:0 carrier:0
                collisions:0 txqueuelen:1000
                RX bytes:2352906 (2.2 MiB)  TX bytes:12881206 (12.2 MiB)

      eth1      Link encap:Ethernet  HWaddr 08:00:27:7C:58:A2
                inet addr:172.17.2.22  Bcast:172.17.2.255  Mask:255.255.255.0
                inet6 addr: fe80::a00:27ff:fe7c:58a2/64 Scope:Link
                UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                RX packets:3537 errors:0 dropped:0 overruns:0 frame:0
                TX packets:1306 errors:0 dropped:0 overruns:0 carrier:0
                collisions:0 txqueuelen:1000
                RX bytes:310351 (303.0 KiB)  TX bytes:173020 (168.9 KiB)

OpenVPN server config:

Code:

      local 10.1.101.22
      proto udp
      port 64022

Firewall - Custom Rules:

Code:

      iptables -t nat -A PREROUTING -p udp -i eth1 --dport 64022 -j DNAT --to-destination 10.1.101.22:64022

This is why the normal Port Forward does not work:

Code:

      root@OpenWrt22:~# uci show firewall.@redirect[0]
      firewall.cfg183837=redirect
      firewall.cfg183837.target=DNAT
      firewall.cfg183837.src=wan
      firewall.cfg183837.dest=lan
      firewall.cfg183837.proto=udp
      firewall.cfg183837.src_dport=64022
      firewall.cfg183837.dest_ip=10.1.101.22
      firewall.cfg183837.dest_port=64022
      firewall.cfg183837.name=OVPN_PFWD_U64022

Code:

      root@OpenWrt22:~# /etc/init.d/firewall restart
      Warning: Unable to locate ipset utility, disabling ipset support
      Warning: Section @redirect[0] (OVPN_PFWD_U64022) refers to a destination address on this router, assuming port redirection

This Port Forward rule works:

Code:

      root@OpenWrt22:~# uci show firewall.@redirect[1]
      firewall.cfg1a3837=redirect
      firewall.cfg1a3837.target=DNAT
      firewall.cfg1a3837.src=wan
      firewall.cfg1a3837.dest=lan
      firewall.cfg1a3837.proto=udp
      firewall.cfg1a3837.src_dport=64023
      firewall.cfg1a3837.dest_ip=10.1.101.101
      firewall.cfg1a3837.dest_port=64023
      firewall.cfg1a3837.name=OVPN_PFWD_U64023

I would say that is solved :mrgreen:
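
Editor's added example (not code from the thread, from OpenVPN or from OpenWrt): a script that applies the check the two posts above describe, the AA/BB comparison and the "refers to a destination address on this router, assuming port redirection" warning. It parses `uci show firewall` output, compares each redirect section's dest_ip against the router's own addresses (the case where fw3 on Barrier Breaker emits `-j REDIRECT` instead of `-j DNAT`), and for those sections prints the explicit nat PREROUTING DNAT rule shown in the post for /etc/firewall.user. It also flags a redirect with no src_dport, because the generated rule then matches every port of that protocol from the WAN (the thread's earlier `OVPN-PFWD-U64022` rule had no `--dport` for exactly that reason). The uci dump, the router address set and the WAN interface name are constructed from the thread's values so the script runs offline; on a real box you would feed it `ssh router uci show firewall` and the addresses from `ip -4 -o addr`.

```python
import re
from collections import OrderedDict

# Constructed input: what `uci show firewall` prints for three redirect sections,
# built from the thread's names and addresses (not a capture from the thread).
UCI_DUMP = """\
firewall.@defaults[0]=defaults
firewall.@defaults[0].input=ACCEPT
firewall.@redirect[0]=redirect
firewall.@redirect[0].target=DNAT
firewall.@redirect[0].src=wan
firewall.@redirect[0].dest=lan
firewall.@redirect[0].proto=udp
firewall.@redirect[0].src_dport=64022
firewall.@redirect[0].dest_ip=10.1.101.22
firewall.@redirect[0].dest_port=64022
firewall.@redirect[0].name=OVPN_PFWD_U64022
firewall.@redirect[1]=redirect
firewall.@redirect[1].target=DNAT
firewall.@redirect[1].src=wan
firewall.@redirect[1].dest=lan
firewall.@redirect[1].proto=udp
firewall.@redirect[1].src_dport=64023
firewall.@redirect[1].dest_ip=10.1.101.101
firewall.@redirect[1].dest_port=64023
firewall.@redirect[1].name=OVPN_PFWD_U64023
firewall.@redirect[2]=redirect
firewall.@redirect[2].target=DNAT
firewall.@redirect[2].src=wan
firewall.@redirect[2].dest=lan
firewall.@redirect[2].proto=udp
firewall.@redirect[2].dest_ip=10.1.101.22
firewall.@redirect[2].dest_port=64022
firewall.@redirect[2].name=OVPN-PFWD-U64022
"""

# The router's own IPv4 addresses (eth0 and eth1 in the thread's ifconfig) and
# its WAN interface. Assumed values for this example.
ROUTER_ADDRS = {"10.1.101.22", "172.17.2.22"}
WAN_IF = "eth1"

SECTION = re.compile(r"^firewall\.([^.=]+)=(\w+)$")       # firewall.<id>=<type>
OPTION = re.compile(r"^firewall\.([^.]+)\.([^=]+)=(.*)$")  # firewall.<id>.<opt>=<value>


def parse_redirects(dump):
    """Return {section_id: {option: value}} for every redirect section, in file order."""
    redirects = OrderedDict()
    for line in dump.splitlines():
        m = SECTION.match(line)
        if m:
            if m.group(2) == "redirect":
                redirects[m.group(1)] = {}
            continue
        m = OPTION.match(line)
        if m and m.group(1) in redirects:
            redirects[m.group(1)][m.group(2)] = m.group(3)
    return redirects


def classify(redirects, router_addrs, wan_if):
    """For each redirect: will fw3 demote it to REDIRECT (dest_ip is the router
    itself)? If so, build the explicit DNAT rule for /etc/firewall.user."""
    out = []
    for sid, o in redirects.items():
        name = o.get("name", sid)
        protos = o.get("proto", "tcp udp").split()   # fw3 default is tcp+udp
        sport = o.get("src_dport")
        dip = o.get("dest_ip")
        dport = o.get("dest_port", sport)
        demoted = dip in router_addrs
        rules, warnings = [], []
        if sport is None:
            warnings.append("no src_dport: fw3 matches every %s port from wan" % "/".join(protos))
        if demoted:
            warnings.append("dest_ip %s is a router address: fw3 emits -j REDIRECT, not DNAT" % dip)
            if sport is not None:   # never write a DNAT that catches every port
                for p in protos:
                    rules.append(
                        "iptables -t nat -A PREROUTING -i %s -p %s --dport %s "
                        "-j DNAT --to-destination %s:%s" % (wan_if, p, sport, dip, dport))
        out.append({"name": name, "demoted": demoted, "rules": rules, "warnings": warnings})
    return out


if __name__ == "__main__":
    for r in classify(parse_redirects(UCI_DUMP), ROUTER_ADDRS, WAN_IF):
        print("%s: %s" % (r["name"], "DEMOTED" if r["demoted"] else "DNAT ok"))
        for w in r["warnings"]:
            print("  warning:", w)
        for rule in r["rules"]:
            print("  firewall.user:", rule)
```

The emitted nat rule only rewrites the destination; the packet is then delivered locally through the INPUT chain, not FORWARD. That was enough on the router in the thread because its wan zone had `input=ACCEPT`; on a default install, where the wan zone's input policy is REJECT, you also need an accept rule for that port in INPUT, and you should keep it as narrow as the DNAT (interface, protocol and port).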

JW0914
OpenVPN User
Posts: 43
Joined: Sat Mar 14, 2015 6:53 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by JW0914 » Sun Mar 29, 2015 5:48 pm

I can't verify for sure yet as I think the connection is being refused due to a large data transfer that I'm currently doing between my PC and NAS server (~1.5TB).

The exact error I'm getting with UDP is:

Connection reset by peer (WSAECONNRESET) (code=10054)

A few posts I've come across referencing that error code say it's due to a bad connection, and I've been having timeout issues with Xbox Live and utilizing LuCI and uci during this transfer.

More likely than not, due to the slower write speed with ZFS10, the transfer probably won't complete until tomorrow. Will post whether I'm able to get this to work when the transfer is done.

JW0914
OpenVPN User
Posts: 43
Joined: Sat Mar 14, 2015 6:53 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by JW0914 » Sun Mar 29, 2015 6:53 pm

Traffic wrote: This Port Forward rule works:

Code:

root@OpenWrt22:~# uci show firewall.@redirect[1]
firewall.cfg1a3837=redirect
firewall.cfg1a3837.target=DNAT
firewall.cfg1a3837.src=wan
firewall.cfg1a3837.dest=lan
firewall.cfg1a3837.proto=udp
firewall.cfg1a3837.src_dport=64023
firewall.cfg1a3837.dest_ip=10.1.101.101
firewall.cfg1a3837.dest_port=64023
firewall.cfg1a3837.name=OVPN_PFWD_U64023

What is .101 pointing to? In your config it is listed as the NTP server.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by Traffic » Sun Mar 29, 2015 7:13 pm

JW0914 wrote: What is .101 pointing to? In your config it is listed as the NTP server.
answered your own question there 8-)

JW0914
OpenVPN User
Posts: 43
Joined: Sat Mar 14, 2015 6:53 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by JW0914 » Sun Mar 29, 2015 7:16 pm

Traffic wrote:
JW0914 wrote: What is .101 pointing to? In your config it is listed as the NTP server.
answered your own question there 8-)
You listed a forwarding rule to that address... I can't replicate that rule without knowing what it's pointing to. In other words, it's pointing to an interface or device on your network.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by Traffic » Sun Mar 29, 2015 7:19 pm

JW0914 wrote: I can't replicate that rule without knowing what it's pointing to
sure you can .. use a pc on your network.
JW0914 wrote: In other words, it's pointing to an interface or device on your network.
Traffic wrote: OpenWRT ifconfig:

Code:

eth0      Link encap:Ethernet  HWaddr 08:00:27:C7:3D:C3
          inet addr:10.1.101.22  Bcast:10.1.101.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fec7:3dc3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:25021 errors:0 dropped:0 overruns:0 frame:0
          TX packets:25367 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2352906 (2.2 MiB)  TX bytes:12881206 (12.2 MiB)

eth1      Link encap:Ethernet  HWaddr 08:00:27:7C:58:A2
          inet addr:172.17.2.22  Bcast:172.17.2.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe7c:58a2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3537 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1306 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:310351 (303.0 KiB)  TX bytes:173020 (168.9 KiB)

JW0914
OpenVPN User
Posts: 43
Joined: Sat Mar 14, 2015 6:53 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by JW0914 » Sun Mar 29, 2015 7:31 pm

Traffic wrote: sure you can .. use a pc on your network.
I interpreted your post to mean that forwarding rule was required to make the local directive work; perhaps that's not what you meant?

As it stands, those rules do not allow a VPN client to connect to the VPN server while the local directive is set to the LAN IP at eth0. I've verified it's not the file transfer, as removing the local directive permits traffic, while re-adding it blocks traffic.

Sun Mar 29 14:30:16 2015 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
This does appear to be an issue with the way iptables routes data on openwrt, as openwrt (at least with kernel 3.18 on CC) doesn't use an actual iptables configuration file to set rules; it simplifies rule making by taking the rules set within the GUI and applying them retroactively, flushing all iptables values upon router reboot or firewall restart (which is why all custom iptables commands must be saved in the firewall.user file, which is applied every time the firewall is started or restarted).
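
Editor's added example (not code from the thread or from OpenVPN) for the error quoted above. On Windows, WSAECONNRESET on a UDP socket means an earlier datagram was answered with an ICMP port unreachable, so the server host was reached but nothing was bound to the address and port the packet ended up at. That is a different failure from a firewall DROP, which produces only a timeout. My reading, which the thread does not state but which fits its report that removing `local` makes the connection work: iptables REDIRECT rewrites the destination to the primary address of the interface the packet arrived on (the WAN address), while `local 10.1.101.22` binds OpenVPN only to the LAN address, so the kernel answers with port unreachable. The probe below separates the three outcomes (closed, open, filtered). For an offline demonstration it probes 127.0.0.1 against a throwaway responder it starts itself; the payload is a constructed OpenVPN client hard-reset packet without a tls-auth HMAC, and the "open" reply is only the opcode byte, not a real handshake.

```python
import os
import socket
import threading

# Constructed P_CONTROL_HARD_RESET_CLIENT_V2: opcode 7 << 3 | key_id 0 = 0x38,
# 8-byte session id, zero acked packet ids, packet id 0. No tls-auth HMAC.
CLIENT_RESET = bytes([0x38]) + os.urandom(8) + b"\x00" + b"\x00\x00\x00\x00"
SERVER_RESET_OPCODE = 0x40   # P_CONTROL_HARD_RESET_SERVER_V2, opcode 8 << 3


def probe_udp(host, port, timeout=1.0):
    """Return 'closed' (ICMP port unreachable came back: nothing bound there),
    'open' (a reply arrived) or 'filtered' (silence: DROP, or a server with
    tls-auth discarding unauthenticated packets)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        # A connected UDP socket is what makes the kernel report the ICMP error
        # to us; Windows surfaces it as WSAECONNRESET, Linux as ECONNREFUSED.
        s.connect((host, port))
        s.send(CLIENT_RESET)
        try:
            s.recv(1500)
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        return "open"
    finally:
        s.close()


def unused_port():
    """Pick a UDP port nothing is bound to on loopback (bind, read back, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def start_fake_server(respond=True):
    """Bind a throwaway UDP listener on 127.0.0.1 standing in for OpenVPN.
    respond=True answers a client reset with a server-reset opcode byte;
    respond=False swallows it, like a tls-auth server or a DROP rule would.
    Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(5.0)
    port = srv.getsockname()[1]

    def serve():
        try:
            data, peer = srv.recvfrom(1500)
            if respond and data[:1] == b"\x38":
                srv.sendto(bytes([SERVER_RESET_OPCODE]) + os.urandom(8) + b"\x00" * 5, peer)
        except OSError:
            pass
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    print("closed   :", probe_udp("127.0.0.1", unused_port()))
    print("open     :", probe_udp("127.0.0.1", start_fake_server(True), 2.0))
    print("filtered :", probe_udp("127.0.0.1", start_fake_server(False), 0.5))
```

Against a real router, run it from a client on the WAN side against the WAN address and port; "closed" there says the packet reached the router but landed on an address and port with no listener, which is the signature of a redirect to an address OpenVPN is not bound to, whereas "filtered" points at the firewall or at tls-auth on the server.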

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by Traffic » Sun Mar 29, 2015 7:44 pm

JW0914 wrote: I interpreted your post to mean that forwarding rule was required to make the local directive work; perhaps that's not what you meant?
Read it again .. that rule is an example of a working port-forward only.
With explanation and example as to why a local port-forward does not work ..

If you have a vanilla install of OpenWRT Barrier Breaker (which you do not)
that custom rule (customised for your own personal LAN)
will allow you to use --local lan.ip.address in OpenVPN.

JW0914
OpenVPN User
Posts: 43
Joined: Sat Mar 14, 2015 6:53 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by JW0914 » Sun Mar 29, 2015 7:57 pm

This thread was never about BB, but CC... That comment is like saying "well such and such worked on Windows Vista" while talking about Windows 8.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by Traffic » Sun Mar 29, 2015 8:20 pm

This forum is for openVPN not openWRT ..

That custom command is for iptables .. not opwnWRT ..

I have also explained that openWRT does something unexpected ..
I have provided the example for you to replicate the check for yourself ..
Traffic wrote:

Code:

root@OpenWrt22:~# /etc/init.d/firewall restart
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section @redirect[0] (OVPN_PFWD_U64022) refers to a destination address on this router, assuming port redirection

JW0914 wrote: This thread was never about BB, but CC
which you only realised after I politely asked you ..
Traffic wrote: I am using openwrt x86-generic-ext4 (VM)
You are using ARM ...

I need to confirm: which version of openwrt you use .. AA or BB ?

thanks
Last edited by Traffic on Sun Mar 29, 2015 8:22 pm, edited 1 time in total.

JW0914
OpenVPN User
Posts: 43
Joined: Sat Mar 14, 2015 6:53 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by JW0914 » Sun Mar 29, 2015 8:22 pm

I'm not going to argue with you.

Have a great day

Please close the thread

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by Traffic » Sun Mar 29, 2015 8:27 pm

Please read and understand the information provided:
post50818.html#p50818

This is what you need to Port-forward OpenWRT-BB: WAN->LAN

Which allows the use of OpenVPN with --local lan.ip.add

Note: Michael found the work around to your problem ..

JW0914
OpenVPN User
Posts: 43
Joined: Sat Mar 14, 2015 6:53 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by JW0914 » Sun Mar 29, 2015 8:41 pm

Don't come to any forum and patronize people; it's rude and quite irritating. Yes, this is an OpenVPN forum, however THIS THREAD was about OpenVPN on a WRT1900ac that was running OpenWRT.

BB already worked with the local directive, as tens of tutorials online had already shown since at least 2012.

I've stated multiple times I am on CC and the local directive prevented a VPN connection on my WRT1900ac.

Yes, Michael found a workaround, however you then stated you would investigate further, as the local directive should not prevent a VPN connection from succeeding, and that is why I asked Michael to leave the thread open for a few more days.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by Traffic » Mon Mar 30, 2015 12:43 am

Flame war aside ..

If you "stop" openvpn via your GUI .. does it work ?

IE: does it terminate the openvpn process ?

JW0914
OpenVPN User
Posts: 43
Joined: Sat Mar 14, 2015 6:53 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by JW0914 » Mon Mar 30, 2015 6:28 am

No... I've tried it both via Luci and via uci, neither causes a different result. There's obviously something different in how iptables either routes traffic in CC, or how it compiles its rules from uci.... As even forwarding the WAN zone directly doesn't allow traffic to flow to the VPN

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by Traffic » Mon Mar 30, 2015 1:06 pm

JW0914 wrote: No... I've tried it both via Luci and via uci, neither causes a different result
openWRT version of openVPN is a customised version .. for a start (openWRT:BB) does not support --management ..
I have no idea in what way openWRT configures iptables except that it assumes a port-redirect (as shown above) for local interfaces.

As I do not have access to openWRT:CC I can offer no further help.

JW0914
OpenVPN User
Posts: 43
Joined: Sat Mar 14, 2015 6:53 am

Re: [Solved]Followed OpenWRT tutorials OpenWRT refuse connec

Post by JW0914 » Mon Mar 30, 2015 1:24 pm

Thanks for taking the time =]
