How to set up Zerotier client mode (just to access router)?

amikot
DD-WRT Novice


Joined: 30 Sep 2018
Posts: 47
Location: United Kingdom

Posted: Wed Nov 28, 2018 2:33    Post subject: How to set up Zerotier client mode (just to access router)?
I have the Zerotier client installed and running on my router.
The router connects to my Zerotier network and is visible as logged into it.
From the router's shell I can ping any of the other devices connected to the Zerotier network, but I can't ping the router from other devices.
It looks like all ports on the Zerotier IP are closed by default.

On Google there are many answers on how to bridge a Zerotier network with a real subnet, but I don't want to do that.
I just want to use Zerotier to access my DD-WRT NAS, media server and router web UI.

When I installed the Zerotier client on Ubuntu, there was no problem with access, so it must be something that blocks everything but br0 (or something like that).

Here is my ifconfig (I ripped the IPv6 lines out, as they don't matter):

Code:

br0       Link encap:Ethernet  HWaddr 84:1B:5E:37:FD:B8 
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4357487 errors:0 dropped:143 overruns:0 frame:0
          TX packets:13723587 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:458147706 (436.9 MiB)  TX bytes:19272060753 (17.9 GiB)

br0:0     Link encap:Ethernet  HWaddr 84:1B:5E:37:FD:B8 
          inet addr:169.254.255.1  Bcast:169.254.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0      Link encap:Ethernet  HWaddr 84:1B:5E:37:FD:B6 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14278551 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6654994 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2291525162 (2.1 GiB)  TX bytes:3700427395 (3.4 GiB)
          Interrupt:4 Base address:0x2000

eth1      Link encap:Ethernet  HWaddr 84:1B:5E:37:FD:B8 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2739805 errors:0 dropped:5 overruns:0 frame:1055656
          TX packets:6326888 errors:290 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:209275774 (199.5 MiB)  TX bytes:189793956 (181.0 MiB)
          Interrupt:3 Base address:0x8000

eth2      Link encap:Ethernet  HWaddr 84:1B:5E:37:FD:B5 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:969215 errors:0 dropped:2 overruns:0 frame:6367542
          TX packets:5086362 errors:15 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:203136284 (193.7 MiB)  TX bytes:3133035637 (2.9 GiB)
          Interrupt:5 Base address:0x8000

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MULTICAST  MTU:65536  Metric:1
          RX packets:16079 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16079 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2715745 (2.5 MiB)  TX bytes:2715745 (2.5 MiB)

vlan1     Link encap:Ethernet  HWaddr 84:1B:5E:37:FD:B6 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:586975 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2411669 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:88483897 (84.3 MiB)  TX bytes:3173361186 (2.9 GiB)

vlan2     Link encap:Ethernet  HWaddr 84:1B:5E:37:FD:B7 
          inet addr:212.222.215.68  Bcast:212.222.223.255  Mask:255.255.224.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:13691575 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4243319 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:19068781629 (17.7 GiB)  TX bytes:500445669 (477.2 MiB)

ztklhynlkh Link encap:Ethernet  HWaddr 3E:35:37:51:21:68 
          inet addr:192.168.11.11  Bcast:192.168.11.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:2800  Metric:1
          RX packets:61 errors:0 dropped:0 overruns:0 frame:0
          TX packets:108 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:4152 (4.0 KiB)  TX bytes:18993 (18.5 KiB)
amikot
Posted: Sat Dec 01, 2018 3:06
Today I installed an OpenVPN server and successfully connected 2 clients to it.
Successfully means that the devices get connected, but unfortunately the router is also isolated from OpenVPN.

So basically all router services that are not accessible from WAN are also blocked for everything but LAN.

So it is a DD-WRT issue, not Zerotier nor OpenVPN.

It is completely strange.
I even tried something that works for WAN - port forwarding.
I forwarded all Samba ports from the OpenVPN network 10.1.1.0/24 to identical ports on my router's LAN IP.

For WAN it works (of course I didn't forward Samba ports on WAN - it was something else) - for TUN it doesn't.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

Posted: Sat Dec 01, 2018 15:00
A lot of us are running an OpenVPN server on our DD-WRT routers and can connect to the router and to the clients on the subnet.
So maybe have a look at your OpenVPN server configuration.
Have you enabled Redirect Default Gateway? If not, did you push a route to the clients?
Assuming you have a TUN setup, are server and clients (and VPN subnet) different?
Did you test from outside, i.e. via cellular?

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
amikot
Posted: Sun Dec 02, 2018 2:05
I restored the old router settings and cancelled everything.

I need just simple access to my files, so I will just set SFTP to be accessible from outside.
If I use secure key authentication it should be safe, and I'm sure it will work as I need.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6868
Location: Romerike, Norway

Posted: Sun Dec 02, 2018 4:52
There shouldn't be any NAT from the OpenVPN client's network to the LAN, so no port forwarding is applicable.

Use SSH keys and turn off password authentication.
amikot
Posted: Sun Dec 02, 2018 14:08
Heh, I've been playing with Linux since 2000, and since 2010 it's my main OS, but DD-WRT is so cropped, even in the giga build, that everything is difficult to get:

1. Zerotier - isolated and can't access router services.
2. OpenVPN - the same - maybe using TAP instead of TUN would help, but TAP is unsafe.
3. SoftEther - works great! However, the Android client needs to run on a rooted device - and I don't want to root my phone, as it's unsafe, and some banking software may refuse to run on a rooted device.
4. SFTP - service ripped out of the SSH service - so to get SFTP to work, you have to switch the built-in SSH off and then install the Optware version, but configuring it is a pain in ...

Generally I'm disappointed with DD-WRT.
egc
Posted: Sun Dec 02, 2018 14:43
DD-WRT is lightweight so it is stripped, but on a powerful router you can load all kinds of additional packages.
That said, OpenVPN works right out of the box; I (among thousands of others) am using an OpenVPN server (TUN setup, as indeed TAP is not that safe), which is working great with all sorts of clients, e.g. Windows, Apple, Android and other DD-WRT routers as clients.

Attached are my notes for setting up an OpenVPN server on a DD-WRT router and for setting up different sorts of clients.

Mind you, OpenVPN is resource intensive; you need a modern router with a recent build. I am using a Netgear R6400v2 with the latest Kong build at the moment for my VPN server and throughput is around 50 Mb/s on VPN.
If you need more, then you have to invest in a more powerful router (like a Netgear R7800).



Last edited by egc on Sun Dec 02, 2018 14:44; edited 1 time in total
Per Yngve Berg
Posted: Sun Dec 02, 2018 14:43
You don't mention what router model and build you are using.

I can SFTP into my R7800 with Kong build R37845M. Routers with smaller flash space may have some functions removed.

The username is "root" and the same password as for the GUI.
amikot
Posted: Mon Dec 03, 2018 13:08
I'm using a Netgear WNDR4500v1 and the giga build (R37860).

Yesterday I spent some time on the #debian IRC channel, and some people helped me to discover the problem.

Basically the Zerotier/OpenVPN network interface is treated as WAN, not LAN - so it's behind the SPI firewall, which blocks everything; even if I add rules to IPTables, SPI will treat all connections as a threat/danger.
So basically I need to set rules for IPTables, and somehow make SPI switch filtering off for packets coming from the VPN. Somehow is the key word, as I don't know how.
Or maybe there is another way?

BTW, I don't know why VPN became a synonym of anonymous networking, or networking with a fake location.
This may be a nice feature, but we shouldn't forget that VPN stands for Virtual Private Network - not Virtual Global Network or something. So it shouldn't be treated as WAN.
I don't know if there is any feature request forum, but I wish to see Zerotier built into the firmware as an option - with all settings to do (firewall it or not etc.)
amikot
Posted: Mon Dec 03, 2018 13:15
Per Yngve Berg wrote:
You don't mention what router model and build you are using.

I can SFTP into my R7800 with Kong build R37845M. Routers with smaller flash space may have some functions removed.

The username is "root" and the same password as for the GUI.


I did test and yes, I can SFTP to the router now when I'm using a password - but with key authentication I had a problem with this. The error messages that I got suggested to me that sshd is missing the sftp module, and the only way to get it would be to switch the built-in sshd off and install the Entware one.
egc
Posted: Mon Dec 03, 2018 13:15
Luckily the VPN interface is treated as a WAN interface; a lot of VPN providers do not use any firewall at all, so if the interface was not treated as a WAN interface you would be totally exposed.
Now you can at least switch the firewall on or off (via a setting in the GUI, although there is a bug and the firewall is not working as intended, but that is another story).

amikot
Posted: Mon Dec 03, 2018 14:38
I don't agree that it's good.
I don't want to switch SPI for my Internet connection, I want to switch it off only for VPN.
If I used a proxy VPN I would agree that in that case it would be useful, but otherwise - when I'm using VPN as a small LAN for personal use - I don't want to filter anything in that network.

But, if I already know what exactly the problem is, can someone help me to set things up? How to switch SPI off only for VPN, or at least how to redirect packets to be seen by the router as coming from the LAN network (I guess this may be complicated).
Thanks :)
egc
Posted: Mon Dec 03, 2018 14:59
The VPN is your connection to the internet (at least in a lot of use cases where you use your VPN client to route to a commercial VPN provider to get to the internet).
Therefore a firewall is not a bad idea.

You can switch the VPN client's firewall off in the VPN GUI (enable Advanced Options) (actually, I think, it is always off in a lot of builds due to a bug).

The firewall for the WAN interface will stay on, of course.

Furthermore, depending on your setup you can disable NAT, and that is maybe what you are referring to when you talk about coming from LAN.

I do not know anything about Zerotier, but I do know a little about OpenVPN client, OpenVPN server, firewall and routing :)

amikot
Posted: Mon Dec 03, 2018 17:37
I don't need to route to the internet through VPN.

Zerotier is simple to set up - you install it on anything you want to have in your virtual LAN and you join them to the network that you manage in your Zerotier account.
Basically it's like a chat group where users are devices and the chatroom is the network.

Normally a LAN is limited to your location, but with Zerotier it works anywhere on almost any device.
That's the idea.

So there is no routing of internet through the Zerotier network.

There is no danger, but it is still blocked.
And I can't switch filtering off just for Zerotier, because it's Optware - not managed in the GUI.
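
Added example, not written by any poster in this thread and not DD-WRT or ZeroTier project code: a middle ground between "firewall everything" and "filter nothing" on the overlay interface is a narrow INPUT allowlist scoped to that interface, its subnet and the few services wanted. The sketch assumes the router's INPUT chain drops traffic arriving on non-LAN interfaces; the function names and the port list are hypothetical, while the interface name and subnet are taken from the ifconfig output in the first post.

```shell
#!/bin/sh
# Added example: print (do not apply) a scoped INPUT allowlist for an overlay
# interface, instead of disabling the firewall for it.
# Assumption: the INPUT chain ends in a drop for non-LAN interfaces, so rules
# are inserted (-I) ahead of it. Function names are hypothetical.

valid_iface() {   # Linux interface names: at most 15 chars, no shell metachars
    case "$1" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    [ "${#1}" -le 15 ]
}

valid_cidr() {    # coarse check: digits and dots with exactly one slash
    case "$1" in
        ''|*[!0-9./]*|*/*/*) return 1 ;;
        */*) return 0 ;;
    esac
    return 1
}

valid_port() {    # decimal TCP port in 1..65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

zt_allow_rules() {   # usage: zt_allow_rules IFACE SUBNET PORT...
    [ "$#" -ge 3 ] || { echo "usage: zt_allow_rules IFACE SUBNET PORT..." >&2; return 1; }
    iface=$1; subnet=$2; shift 2
    valid_iface "$iface" || { echo "bad interface: $iface" >&2; return 1; }
    valid_cidr "$subnet" || { echo "bad subnet: $subnet" >&2; return 1; }
    # Validate every port before printing, so a bad list yields no partial ruleset.
    for p in "$@"; do
        valid_port "$p" || { echo "bad port: $p" >&2; return 1; }
    done
    match="-i $iface -s $subnet"
    # Allow ping from overlay peers, then one rule per permitted TCP service.
    echo "iptables -I INPUT $match -p icmp --icmp-type echo-request -j ACCEPT"
    for p in "$@"; do
        echo "iptables -I INPUT $match -p tcp --dport $p -j ACCEPT"
    done
}

# Interface and subnet come from the ifconfig output in the first post; ports
# 22 (SSH/SFTP), 80 (web UI) and 445 (Samba) are assumed defaults.
zt_allow_rules ztklhynlkh 192.168.11.0/24 22 80 445
```

The function only prints the commands so they can be reviewed before being applied; the WAN interface rules are untouched, and anything not listed stays blocked on the overlay interface.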