DD-WRT :: View topic - port forwarding with openvpn client enabled

port forwarding with openvpn client enabled

DD-WRT Forum Index -> Advanced Networking

Goto page Previous 1, 2

View previous topic :: View next topic

Author

Message

forerunnert
DD-WRT Novice

Joined: 12 Jan 2017
Posts: 17

Posted: Thu Jan 19, 2017 21:49 Post subject:

It's a nice tool when accessing WAN means you have to actually get outside the house and travel a long distance, saves time Smile

Anyway, after enabling VPN and startup/FW scripts the results are the same: no access

Interestingly I also tried with VPN/scripts disabled but with LAN to WAN access to my ISP modem enabled:

Code:

startup:
ifconfig `nvram get wan_ifname`:0 192.168.10.2 netmask 255.255.255.0

firewall:
iptables -t nat -I POSTROUTING -o `nvram get wan_ifname` -j MASQUERADE

That functionality works without but also breaks after enabling VPN

Sponsor

forerunnert
DD-WRT Novice

Joined: 12 Jan 2017
Posts: 17

Posted: Thu Jan 19, 2017 22:03 Post subject:

it seems it does:

Code:

root@DD-WRT:~# iptables -t mangle -vnL PREROUTING
Chain PREROUTING (policy ACCEPT 60331 packets, 31M bytes)
pkts bytes target prot opt in out source destination
22 1320 MARK tcp -- br0 * 192.168.1.10 0.0.0.0/0 tcp spt:22 MARK set 0x1

forerunnert
DD-WRT Novice

Joined: 12 Jan 2017
Posts: 17

Posted: Thu Jan 19, 2017 22:18 Post subject:

To be clear: my table 100 is empty if I don't manually enter the commands, so something is going on there..

If I paste the script in the web IF and execute it:

Code:

sh: eval: line 6: syntax error: unexpected word

line 6 is 'done' here

removed 'done':

Code:

sh: eval: line 25: syntax error: unexpected word (expecting

line 25 is 'done' again

removed 'done':

Code:

sh: eval: line 28: syntax error: unexpected end of file (expecting `w¿SHwdonet;

So it doesn't like 'done'?

The script worked for phatbob right? Seems the syntax is the same with me.

forerunnert
DD-WRT Novice

Joined: 12 Jan 2017
Posts: 17

Posted: Thu Jan 19, 2017 22:23 Post subject:

for completeness here is what I'm running now:

startup:

Code:

# allow modem config
ifconfig `nvram get wan_ifname`:0 192.168.10.2 netmask 255.255.255.0

# VPN setup
<VPN magic>

# allow WAN to LAN access
#########################
sleep 10
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done

#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun1".
#
#

ip route show table main | grep -Ev ^default | grep -Ev tun1 | while read ROUTE ; do
ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

and firewall:

Code:

# Allow WAN to LAN access
iptables -t mangle -F PREROUTING

# allow modem config
iptables -t nat -I POSTROUTING -o `nvram get wan_ifname` -j MASQUERADE

# SSH Traffic: Bypass VPN
#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#
iptables -t mangle -A PREROUTING -i br0 -p tcp -s 192.168.1.10 --sport 22 -j MARK --set-mark 1

# VPN killswitch
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I FORWARD -i br0 -o $WAN_IF -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -m state --state NEW -j REJECT --reject-with tcp-reset

The 2 'done's in startup is what is preventing execution it seems.

forerunnert
DD-WRT Novice

Joined: 12 Jan 2017
Posts: 17

Posted: Thu Jan 19, 2017 22:46 Post subject:

It seems to work now, nice!

firewall script:

Code:

I'll confirm tomorrow with a real ssh client after my daily migration from LAN to WAN (I never referred to my work like that before Smile

)
For now I tested with http://www.infobyip.com/sshservertest.php and # tcpdump -n host 45.79.3.202 on 192.168.1.10

Can't thank you enough for the help, much appreciated!

vibit
DD-WRT Novice

Joined: 21 Apr 2016
Posts: 2

Posted: Sun Feb 05, 2017 4:21 Post subject:
Hello, am trying to do the same thing but with port 5900 and port 8000, can you make a step by step guide of what you do to work. thx for the help.

tsht
DD-WRT Novice

Joined: 25 Dec 2010
Posts: 3

Posted: Fri May 15, 2020 11:04 Post subject:

Hello.
I'm trying to do this now, but if I understand well
iptables -t mangle -F PREROUTING will flush mangle table for PREROUTING...

But in Mangle I have this :

Code:

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
MARK 0 -- anywhere 192.168.XX.XX MARK or 0x80000000
CONNMARK 0 -- anywhere anywhere CONNMARK save

Where 192.168.XX.XX is my ISP router I guess.
I don't know why this MARK would be necessary, the same for tne CONNMARK...
I would rather know what I'm doing ^^
So why do you think I would need to flush the prerouting ?

Goto page Previous 1, 2

Display posts from previous:

Page 2 of 2

DD-WRT Forum Index -> Advanced Networking

All times are GMT

Navigation

Jump to:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum

Log in

port forwarding with openvpn client enabled

Quick Links

Log in