paegus DD-WRT Novice Joined: 18 May 2019 Posts: 6
Posted: Sun May 19, 2019 8:30 Post subject: Not routing traffic over tun0
Original thread
paegus wrote: I have installed OpenConnect via Entware-NG and it runs normally, creating a tun0 interface. I can ping, traceroute and ssh to devices on the VPN network from the router's console.
I cannot do this from other machines on the LAN. No traffic is routed over the VPN from any LAN devices.
I have to bounce off the router via... Code: ssh -t root@router "ssh user@remote-host"
...which is less than ideal.
Do I need to do something console or UI side to route traffic destined for that domain over the tun0 interface, to that network?
Do I need to craft iptables rules? Can you do this for an entire domain?
Per Yngve Berg wrote: What is the VPN tunnel connected to?
Is it site-site or a site-Internet(commercial provider)?
The network behind the server needs a route to the network used on your LAN:
PS. VPN is discussed in the Advanced Networking Forum.
It is connecting to a University network. It has its own internet access but I don't want or need to use it for anything other than accessing devices on that network that are not directly accessible from the internet.
I would call it Site-to-Site.
eibgrad wrote: Sound like you didn't NAT the tunnel.
Code: iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE
I have added that rule but nothing changes. I am still able to connect only by bouncing off the router directly.
Verbose connection log:
Code: POST https://SITE/ssl
Attempting to connect to server IP1.ADD.247.32:443
SSL negotiation with SITE
Server certificate verify failed: signer not found
Connected to HTTPS on SITE
Got HTTP response: HTTP/1.0 302 Temporary moved
Set-Cookie: tg=HASH; path=/; secure
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Sun, 19 May 2019 08:15:25 GMT
X-Frame-Options: SAMEORIGIN
Location: /+webvpn+/index.html
HTTP body length: (0)
GET https://SITE/ssl
Attempting to connect to server IP1.ADD.247.32:443
SSL negotiation with SITE
Server certificate verify failed: signer not found
Connected to HTTPS on SITE
Got HTTP response: HTTP/1.0 302 Temporary moved
Set-Cookie: tg=HASH; path=/; secure
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Sun, 19 May 2019 08:15:25 GMT
X-Frame-Options: SAMEORIGIN
Location: /+webvpn+/index.html
HTTP body length: (0)
GET https://SITE/+webvpn+/index.html
SSL negotiation with SITE
Server certificate verify failed: signer not found
Connected to HTTPS on SITE
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Frame-Options: SAMEORIGIN
X-Transcend-Version: 1
HTTP body chunked (-2)
Please enter your username and password.
POST https://SITE/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn=<elided>; path=/; secure
Set-Cookie: webvpnc= STUFF
Set-Cookie: webvpnx=
Set-Cookie: webvpnaac=1; path=/; secure
X-Frame-Options: SAMEORIGIN
X-Transcend-Version: 1
HTTP body chunked (-2)
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.
X-CSTP-Address: IP1.ADD.141.129
X-CSTP-Netmask: 255.255.255.0
X-CSTP-Hostname: SITE
X-CSTP-DNS: IP1.ADD.64.1
X-CSTP-DNS: IP1.ADD.64.3
X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Idle-Timeout: 1800
X-CSTP-Disconnected-Timeout: 1800
X-CSTP-Default-Domain: site.edu
X-CSTP-Split-Include: IP1.ADD.0.0/255.255.0.0
X-CSTP-Split-Include: IP2.0.0.0/255.0.0.0
X-CSTP-Split-DNS: site.edu
X-CSTP-Split-DNS: site2.edu
X-CSTP-Split-DNS: site3.edu
X-CSTP-Keep: true
X-CSTP-Tunnel-All-DNS: true
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-Banner: BANNER
X-CSTP-MSIE-Proxy-Lockdown: true
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID: HASH
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-CSTP-MTU: 1406
X-DTLS-CipherSuite: AES256-SHA
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-Disable-Always-On-VPN: false
X-CSTP-Client-Bypass-Protocol: false
X-CSTP-TCP-Keepalive: true
CSTP connected. DPD 30, Keepalive 20
CSTP Ciphersuite: (TLS1.0)-(RSA)-(AES-256-CBC)-(SHA1)
Connect Banner: | BANNER|
DTLS option X-DTLS-Session-ID : HASH
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Keepalive : 20
DTLS option X-DTLS-DPD : 30
DTLS option X-DTLS-DPD : 30
DTLS option X-DTLS-CipherSuite : AES256-SHA
DTLS initialised. DPD 30, Keepalive 20
Connected tun0 as IP1.ADD.141.129, using SSL
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-256-CBC)-(SHA1).
Send CSTP Keepalive
Send DTLS Keepalive
Send CSTP DPD
Got CSTP DPD response
Send CSTP Keepalive
Send CSTP DPD
Got CSTP DPD response
Send DTLS DPD
Got DTLS DPD response
egc DD-WRT Guru Joined: 18 Mar 2014 Posts: 12915 Location: Netherlands
Posted: Sun May 19, 2019 9:25 Post subject:
I have no experience with OpenConnect, but for the "normal" OpenVPN client DDWRT creates the necessary firewall rules.
I assume you have to do it yourself?
Besides the NAT rule you need rules to FORWARD traffic and INPUT traffic.
Try something like this (this is for bidirectional as in site to site, so no firewall):
iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE
_________________ Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
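As an added example (my script, not egc's rules as posted and not anything paegus ran), here is the same idea packaged as a DD-WRT firewall script, tightened for the case described in this thread where the tunnel only ever has to be reached from the LAN side: traffic arriving from tun0 is limited to replies of connections the LAN or the router opened, instead of a blanket ACCEPT on INPUT and FORWARD, and every rule is checked with iptables -C before it is inserted, because DD-WRT re-runs the saved firewall script on every WAN event and plain -I would stack duplicates. The interface names are assumptions: br0 is the usual DD-WRT LAN bridge, tun0 is what OpenConnect created here.

```shell
#!/bin/sh
# Added example, not from the thread: DD-WRT firewall script for an OpenConnect tun0
# that only needs to be reached *from* the LAN. Compared with the four rules quoted in
# the thread, inbound tunnel traffic is restricted to ESTABLISHED,RELATED and each rule
# is inserted idempotently. Interface names below are assumptions for a stock DD-WRT box.
IPT=${IPT:-iptables}
LAN_IF=${LAN_IF:-br0}     # DD-WRT LAN bridge (assumed)
VPN_IF=${VPN_IF:-tun0}    # interface created by OpenConnect

# ensure_rule TABLE CHAIN RULE... : insert RULE at the top of CHAIN unless already present
ensure_rule() {
    table=$1; chain=$2; shift 2
    "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null || "$IPT" -t "$table" -I "$chain" "$@"
}

# drop_rule TABLE CHAIN RULE... : delete RULE if present (tear-down), never fails
drop_rule() {
    table=$1; chain=$2; shift 2
    if "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        "$IPT" -t "$table" -D "$chain" "$@"
    fi
}

# One rule list, walked with ensure_rule or drop_rule so up and down stay in sync.
oc_rules() {
    action=$1
    # LAN -> VPN: new connections may leave through the tunnel
    "$action" filter FORWARD -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
    # VPN -> LAN: only packets that belong to connections the LAN opened
    "$action" filter FORWARD -i "$VPN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # VPN -> router itself: replies only (for the router's own ssh/ping/DNS to the far side)
    "$action" filter INPUT -i "$VPN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Source-NAT LAN clients to the tunnel address the ASA assigned (X-CSTP-Address);
    # the remote network has no route back to the LAN, so this is needed in any variant.
    "$action" nat POSTROUTING -o "$VPN_IF" -j MASQUERADE
}

oc_firewall_up()   { oc_rules ensure_rule; }
oc_firewall_down() { oc_rules drop_rule; }

case "${1:-}" in
    up)   oc_firewall_up ;;
    down) oc_firewall_down ;;
esac
```

Save it as the firewall script under Administration > Commands (or call it with "up" from whatever starts OpenConnect) and it can be run any number of times; "down" removes exactly the same four rules. If hosts on the university side also need to initiate connections into the LAN, egc's bidirectional version is the one to use instead.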
paegus DD-WRT Novice Joined: 18 May 2019 Posts: 6
Posted: Mon May 20, 2019 9:00 Post subject:
egc wrote: iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE
Thank you very much. Adding these rules allows me to connect to remote devices on the other side of tun0 from local devices on my LAN.
Unfortunately it is by IP address only.
IP and hostname lookup work fine from the router itself.
So I need to forward non-router-sourced DNS lookups from my LAN through tun0 as well.
I don't want to forward ALL DNS lookups (port 53), only those pertaining to site.edu
Can this be done with iptables as well?
egc DD-WRT Guru Joined: 18 Mar 2014 Posts: 12915 Location: Netherlands
Posted: Mon May 20, 2019 15:25 Post subject:
You can tell DNSMasq to use a specific server for a specific domain, I think it is done with (in Additional DNSMasq Options):
Code: server=/site.edu/a.b.c.d
For a.b.c.d you enter the IP address of the DNS server for site.edu; I assume that is the one doing the local DNS resolution.
Probably this server does not have a public IP, so it is not reachable via the WAN but only via the tunnel.
In that case you have to set a static route unless your default gateway is already through the tunnel.
For OpenVPN it is really simple: you can just tell OpenVPN to route a specific IP via the tunnel, in Additional config:
Code: route a.b.c.d vpn_gateway
No idea if this is possible with OpenConnect
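Added example (mine, not egc's or paegus's): OpenConnect does have a hook for what egc describes by hand. It runs a "vpnc-script" on connect and disconnect and hands the ASA's pushed settings to it as environment variables: the X-CSTP-DNS addresses as INTERNAL_IP4_DNS, the X-CSTP-Split-DNS domains as CISCO_SPLIT_DNS, and the X-CSTP-Split-Include prefixes as CISCO_SPLIT_INC with CISCO_SPLIT_INC_n_ADDR/_MASK. The wrapper below calls the stock script first (interface address and split routes), then writes one dnsmasq server=/domain/.../ip line per pushed DNS server for exactly the pushed domains, so LAN lookups for site.edu go through the tunnel and nothing else does. For the static-route point egc raises it checks, rather than assumes, whether a pushed split-include already covers each DNS server and only adds a host route when none does (in the log in this thread both X-CSTP-DNS addresses sit inside the first X-CSTP-Split-Include prefix, so there it should find nothing to add). Assumptions: the Entware path of the stock vpnc-script, the /tmp file name, and a servers-file=/tmp/openconnect-dns.conf line in Additional DNSMasq Options, which makes dnsmasq re-read that file on SIGHUP.

```shell
#!/bin/sh
# Added example, not from the thread: wrapper vpnc-script for OpenConnect on DD-WRT.
# Start OpenConnect with:  openconnect --script=/jffs/oc-dns.sh SITE
# OpenConnect exports the pushed settings as (vpnc-script contract): reason, TUNDEV,
# INTERNAL_IP4_DNS, CISCO_SPLIT_DNS, CISCO_DEF_DOMAIN, CISCO_SPLIT_INC, CISCO_SPLIT_INC_<n>_ADDR/_MASK.
# Assumptions: the stock script path, the servers file below, and a
#   servers-file=/tmp/openconnect-dns.conf
# line in Additional DNSMasq Options so dnsmasq picks the file up on SIGHUP.
STOCK=${STOCK_VPNC_SCRIPT:-/opt/etc/vpnc/vpnc-script}   # Entware location, assumed
SERVERS_FILE=${SERVERS_FILE:-/tmp/openconnect-dns.conf}

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    printf '%s\n' $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net IP NETWORK MASK : true if IP lies inside NETWORK/MASK
in_net() {
    m=$(ip2int "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# in_split_include IP : true if one of the pushed X-CSTP-Split-Include prefixes covers IP
in_split_include() {
    i=0
    while [ "$i" -lt "${CISCO_SPLIT_INC:-0}" ]; do
        eval net=\$CISCO_SPLIT_INC_${i}_ADDR mask=\$CISCO_SPLIT_INC_${i}_MASK
        if in_net "$1" "$net" "$mask"; then return 0; fi
        i=$((i + 1))
    done
    return 1
}

# dnsmasq_server_lines : one  server=/dom1/dom2/.../IP  line per pushed DNS server, limited
# to the pushed split-DNS domains (or the default domain if no list was pushed). With no
# domain at all it emits nothing, so LAN clients' other lookups never get sent down the tunnel.
dnsmasq_server_lines() {
    domains=$(printf '%s' "${CISCO_SPLIT_DNS:-$CISCO_DEF_DOMAIN}" | tr ',' '/')
    [ -n "$domains" ] || return 0
    for dns in $INTERNAL_IP4_DNS; do
        printf 'server=/%s/%s\n' "$domains" "$dns"
    done
}

reload_dnsmasq() {
    pid=$(pidof dnsmasq 2>/dev/null) || return 0
    kill -HUP $pid      # dnsmasq re-reads its servers-file on SIGHUP
}

oc_dns_connect() {
    dnsmasq_server_lines >"$SERVERS_FILE"
    for dns in $INTERNAL_IP4_DNS; do
        # The DNS server must itself be reachable through the tunnel. If no pushed
        # split-include covers it, add a host route: OpenConnect's counterpart of
        # OpenVPN's "route a.b.c.d vpn_gateway".
        in_split_include "$dns" || ip route replace "$dns" dev "$TUNDEV"
    done
    reload_dnsmasq
}

oc_dns_disconnect() {
    : >"$SERVERS_FILE"
    reload_dnsmasq
}

run_stock() { if [ -x "$STOCK" ]; then "$STOCK"; fi; }

case "${reason:-}" in
    "")         ;;                              # not called by OpenConnect: only define functions
    connect)    run_stock; oc_dns_connect ;;    # stock script sets address and split routes first
    disconnect) oc_dns_disconnect; run_stock ;;
    *)          run_stock ;;                    # pre-init, reconnect, attempt-reconnect: pass through
esac
```

Two practical notes. LAN clients must be using the router's dnsmasq as their resolver for this to have any effect; a client with a hard-coded public resolver will keep getting no answer for site.edu. And the three "Server certificate verify failed: signer not found" lines in the log above mean the ASA's chain was not validated against the router's trust store, so the tunnel is only as trustworthy as whatever let the connection continue; pointing OpenConnect at the university CA with --cafile, or pinning the gateway certificate with --servercert, is what makes a router-resident, always-on client safe to leave unattended.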