Posted: Fri Jun 22, 2018 17:36 Post subject: OpenVPN - TUNNEL & BRIDGE Question
I have a Hobby Garden and I tried to make a VPN connection between my Garden and Home, but I need help. Here is my network:
I used to make an OpenVPN TAP connection and I can easily reach my webcam from the internet via NAT like that:
MY_HOME_STATIC_IP:1024 ---> GARDEN WEBCAM
But I got some TLS handshake problems on OpenVPN. I researched a lot and found out that with static.key I can get rid of the TLS handshake problems.
I changed my OpenVPN setup from TAP to TUN with static.key. I have a perfect connection. Routing is OK.
I can ping from the Raspberry Pi to my laptop and vice versa. Each device can ping the others. I can connect to my Garden via telnet from my laptop. But the problem is the br0 bridge, I guess.
There is no access from the internet to the Garden camera. How can I make a connection like MY_HOME_STATIC_IP:1024 ---> GARDEN WEBCAM?
If I understand you correctly, what you're really asking for is a bi-directional (aka site-to-site) tunnel. This is where using an OpenVPN routed (tun) tunnel is more complicated than a bridged (tap) tunnel.
Rather than repeat myself, consider what I recently wrote on the topic over at the SNB forums. The same principles apply to every platform that supports OpenVPN.
Hi, thanks for the reply. Actually my OpenVPN connection is OK. Each device sees the others. The tunnel runs perfectly. The problem is PORT FORWARDING from the WAN side on the HOME router. The home router has a bridge (br0) and the OpenVPN tunnel tun0 is not in this bridge. It is a tunnel; I cannot add this tunnel to the bridge. I guess the problem is related to this. Or if somebody knows iptables very well, maybe they can help me to write the correct rules. I already redirected some ports via the DD-WRT GUI. But it doesn't work. On the other hand I have access to my webcam on my LAN. But from the WAN side there is no access to TCP 1024. _________________ Kaan's World | @mkaand | PLEX Archive | Trakt.tv
This isn't a bridging problem. It's a routing problem.
The problem is that your remote access over the WAN to that tunnel is from a public IP. Assuming it gets routed over the OpenVPN server's network interface (and I'm going to assume that's the case since you say bi-directional access is working), by the time it gets to the other side, the OpenVPN client's routing table will likely direct the replies out its own WAN! What you need to do is NAT the OpenVPN server's network interface for that specific traffic so that it appears to be coming from the OpenVPN server's IP address on its side of the tunnel. Now it will route it back over the tunnel.
Add the following to the firewall script on the OpenVPN server side.
IOW, if the traffic coming into the tunnel from the OpenVPN server side is NOT from the local IP network on that same side (most likely internet traffic), then replace the source IP of those packets w/ the IP assigned on the OpenVPN tunnel on that same side.
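The rule set described above, written out as a DD-WRT firewall script for the HOME (OpenVPN server) router; this is an added example, not the thread's own commands. It forwards WAN port 1024 to the garden camera across the tun tunnel and adds the source NAT on tun0 so the garden router's replies come back through the tunnel. The home LAN 192.168.20.0/24 and tun0 come from the thread; the camera address 192.168.10.50:80 and the WAN interface name vlan2 are assumptions.

```shell
#!/bin/sh
# Added example for the HOME (OpenVPN server) router on DD-WRT; not from the thread.
# Forwards WAN port 1024 to a camera across a routed (tun) tunnel and adds the
# source NAT explained above so the far side routes replies back over tun0.
# Constructed/assumed values: camera 192.168.10.50:80, WAN interface vlan2.
HOME_LAN="192.168.20.0/24"    # LAN on the server side (from the thread)
TUN_IF="tun0"
WAN_IF="vlan2"                # assumption; check with: nvram get wan_ifname
CAM_IP="192.168.10.50"
CAM_PORT="80"
WAN_PORT="1024"

# Each function prints one iptables command so the set can be reviewed first.
dnat_rule() {        # internet -> HOME_WAN:1024 becomes -> camera:80
    printf 'iptables -t nat -I PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WAN_IF" "$WAN_PORT" "$CAM_IP" "$CAM_PORT"
}
forward_rule() {     # allow the rewritten packet to cross from WAN into the tunnel
    printf 'iptables -I FORWARD -i %s -o %s -p tcp -d %s --dport %s -j ACCEPT\n' \
        "$WAN_IF" "$TUN_IF" "$CAM_IP" "$CAM_PORT"
}
masq_rule() {        # anything entering tun0 that is NOT from the home LAN (i.e. the
                     # internet) leaves with the server's tunnel IP as source, so the
                     # garden router answers over the tunnel instead of out its own WAN
    printf 'iptables -t nat -I POSTROUTING ! -s %s -o %s -j MASQUERADE\n' "$HOME_LAN" "$TUN_IF"
}

# Helpers that predict which source addresses the "! -s HOME_LAN" match rewrites.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
src_is_masqueraded() {   # exit status 0 when $1 lies outside HOME_LAN
    net=${HOME_LAN%/*}; bits=${HOME_LAN#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -ne $(( $(ip2int "$net") & mask )) ]
}

all_rules() { dnat_rule; forward_rule; masq_rule; }
if [ "$1" = "apply" ]; then all_rules | sh; else all_rules; fi   # print unless "apply"
```

Run it without arguments to review the three rules; `sh script.sh apply` executes them, and pasting the printed lines into the DD-WRT firewall script makes them survive a reboot.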
You are the man! Thank you very much. What I did:
Simple: I connected to my HOME router via telnet and added this:
I think I have another problem; maybe you can help me. Ports are open to the world, which is what I want, but it seems the connection between the two VPN sides is extremely slow after your firewall command. Maybe we need to do something about loopback. It looks like it loops. And the camera's UDP ports cannot be opened to the internet; I mean I need to open the RTSP port, which is UDP 554. I checked from my VPS server via this command:
sudo nmap -sU -p 554 XXX.XXX.XXX.XXX and it says closed. I disabled the SPI firewall on the HOME router. And TCP connections are extremely slow. I cannot open the GARDEN router GUI.
iptables -t nat -I POSTROUTING -s ! 192.168.20.0/24 -o tun0 -m state --state NEW -j MASQUERADE
Before I try this, I discovered something about my problem; maybe it is a good tip. First I fixed the slow network speed problem by adding these to both OpenVPN ends (server and client):
I understand the MTU fix, but what I don't understand is why you didn't have the problem (apparently) until you added the NAT rule. Or else you didn't notice until now. I couldn't imagine how that rule (which only affects remote access from the internet anyway) could be the culprit.
I don't understand either. My former configuration was a TAP network and I was using the same port for OpenVPN, UDP 1194. But I think they changed something on the GARDEN side (I use public WiFi for the OpenVPN client) and I received TLS handshake errors.
I researched deeply and discovered static.key. But I should use TUN instead of TAP if the connection is made with static.key.
Anyway, I successfully made the connection and added the correct routes. Now there is no problem between the HOME side and the GARDEN side. Thanks to you we opened some ports to the WAN side, but all TCP, not UDP. I need the RTSP port for the camera.
I changed the firewall rule (your last advice). Nothing changed. I changed the RTSP port on the camera from 554 to 1055 and changed all NAT rules from 554 to 1055; nothing changed. But if I open this link with Media Player Classic on my laptop:
it doesn't work. The SPI firewall is disabled on BOTH SIDES. But I discovered something weird. If there is no VPN connection and I scan my 554 UDP port, it says filtered or open, but when my VPN client is up it says closed. Maybe this tip gives you an idea. You successfully fixed the TCP ports. I fixed the MTU problem but UDP 554 is still a headache. Any idea? I can try.
Maybe my client and server config files can help you find the problem. I stopped the openvpn service and started it with my own config files, because I couldn't make an OpenVPN connection with static.key.
Server Config:
Code:
port 1194
proto udp4
ifconfig 10.8.0.1 10.8.0.2
push "redirect-gateway def1"
dev tun0
push "route 192.168.20.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
user nobody
group nobody
secret /tmp/mnt/sda1/Backups/jffs/openvpn/static.key
daemon
mssfix 1430
tun-mtu 1430
Posted: Sat Jun 23, 2018 1:07
push "redirect-gateway def1"
Why do you have this? It will redirect the default gateway. To communicate site to site, only the networks at both sides need to be propagated. Remove it and you can also remove the NAT.
This is the cause of the port forward failing, because the default route goes over the tunnel instead of out the WAN.
Thank you very much, guys. I fixed it before I read your messages, but I agree with you about redirecting the default gateway. I fixed it late last night (5 AM, so I didn't have a chance to tell you). I made several changes, so I don't know which change fixed the problem. We can review them together one by one.
1. I was testing my RTSP UDP port from my VPS with the nmap command. But it seems testing UDP ports is not meaningful, because it still says my 1055 UDP port is closed, but ipcamlive accesses my camera's RTSP stream perfectly. Check it and you will see my Garden:
I believe the 3rd one fixed the problem. I am still testing to understand which change made the difference. I will remove the default gateway line. Thank you very much. Now my smart TV also has access to my Garden.
I tested all options but still I cannot find what caused the problem with my RTSP port. I disabled the SPI firewall on the HOME side and commented out the bold lines in the firewall rules. Nothing changed. IpCamlive still has access to my stream. The problem is fixed but I don't know how. Anyway, I follow Murphy's law: IF something is working, DON'T TOUCH it.
Thank you, guys. If I see any problem I will post it in this topic. But it looks like it is OK. I think my bold lines in the firewall aren't necessary. I will remove them. The SPI firewall should be enabled. I already removed the default gateway line in the OpenVPN server config. Maybe the problem was related to the ipcamlive server. My cam had been offline since Feb. It doesn't come online immediately in the ipcamlive system. We fixed it but we don't know how.