Not routing traffic over tun0

DD-WRT Forum Index -> Advanced Networking
paegus
DD-WRT Novice


Joined: 18 May 2019
Posts: 6

Posted: Sun May 19, 2019 8:30    Post subject: Not routing traffic over tun0
Original thread

paegus wrote:
I have installed OpenConnect via Entware-NG and it runs normally, creating a tun0 interface. I can ping, traceroute and ssh to devices on the VPN network from the router's console.

I cannot do this from other machines on the LAN. No traffic is routed over the VPN from any LAN devices.

I have to bounce off the router via...
Code:
ssh -t root@router "ssh user@remote-host"
...which is less than ideal.

Do I need to do something console or UI side to route traffic destined for that domain over the tun0 interface, to that network?

Do I need to craft iptables rules? Can you do this for an entire domain?


Per Yngve Berg wrote:
What is the VPN tunnel connected to?

Is it site-site or a site-Internet(commercial provider)?

The network behind the server needs a route to the network used on your LAN:

PS. VPN is discussed in the Advanced Networking Forum.


It is connecting to a University network. It has its own internet access but I don't want or need to use it for anything other than accessing devices on that network that are not directly accessible from the internet.

I would call it Site-to-Site.

eibgrad wrote:
Sounds like you didn't NAT the tunnel.

Code:
iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE


I have added that rule but nothing changes. I am still able to connect only by bouncing off the router directly.

Verbose connection log:
Code:
POST https://SITE/ssl
Attempting to connect to server IP1.ADD.247.32:443
SSL negotiation with SITE
Server certificate verify failed: signer not found
Connected to HTTPS on SITE
Got HTTP response: HTTP/1.0 302 Temporary moved
Set-Cookie: tg=HASH; path=/; secure
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Sun, 19 May 2019 08:15:25 GMT
X-Frame-Options: SAMEORIGIN
Location: /+webvpn+/index.html
HTTP body length:  (0)
GET https://SITE/ssl
Attempting to connect to server IP1.ADD.247.32:443
SSL negotiation with SITE
Server certificate verify failed: signer not found
Connected to HTTPS on SITE
Got HTTP response: HTTP/1.0 302 Temporary moved
Set-Cookie: tg=HASH; path=/; secure
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Sun, 19 May 2019 08:15:25 GMT
X-Frame-Options: SAMEORIGIN
Location: /+webvpn+/index.html
HTTP body length:  (0)
GET https://SITE/+webvpn+/index.html
SSL negotiation with SITE
Server certificate verify failed: signer not found
Connected to HTTPS on SITE
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Frame-Options: SAMEORIGIN
X-Transcend-Version: 1
HTTP body chunked (-2)
Please enter your username and password.
POST https://SITE/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn=<elided>; path=/; secure
Set-Cookie: webvpnc= STUFF
Set-Cookie: webvpnx=
Set-Cookie: webvpnaac=1; path=/; secure
X-Frame-Options: SAMEORIGIN
X-Transcend-Version: 1
HTTP body chunked (-2)
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.
X-CSTP-Address: IP1.ADD.141.129
X-CSTP-Netmask: 255.255.255.0
X-CSTP-Hostname: SITE
X-CSTP-DNS: IP1.ADD.64.1
X-CSTP-DNS: IP1.ADD.64.3
X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Idle-Timeout: 1800
X-CSTP-Disconnected-Timeout: 1800
X-CSTP-Default-Domain: site.edu
X-CSTP-Split-Include: IP1.ADD.0.0/255.255.0.0
X-CSTP-Split-Include: IP2.0.0.0/255.0.0.0
X-CSTP-Split-DNS: site.edu
X-CSTP-Split-DNS: site2.edu
X-CSTP-Split-DNS: site3.edu
X-CSTP-Keep: true
X-CSTP-Tunnel-All-DNS: true
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-Banner: BANNER
X-CSTP-MSIE-Proxy-Lockdown: true
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID: HASH
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-CSTP-MTU: 1406
X-DTLS-CipherSuite: AES256-SHA
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-Disable-Always-On-VPN: false
X-CSTP-Client-Bypass-Protocol: false
X-CSTP-TCP-Keepalive: true
CSTP connected. DPD 30, Keepalive 20
CSTP Ciphersuite: (TLS1.0)-(RSA)-(AES-256-CBC)-(SHA1)
Connect Banner: | BANNER|

DTLS option X-DTLS-Session-ID : HASH
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Keepalive : 20
DTLS option X-DTLS-DPD : 30
DTLS option X-DTLS-DPD : 30
DTLS option X-DTLS-CipherSuite : AES256-SHA
DTLS initialised. DPD 30, Keepalive 20
Connected tun0 as IP1.ADD.141.129, using SSL
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-256-CBC)-(SHA1).
Send CSTP Keepalive
Send DTLS Keepalive
Send CSTP DPD
Got CSTP DPD response
Send CSTP Keepalive
Send CSTP DPD
Got CSTP DPD response
Send DTLS DPD
Got DTLS DPD response
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12884
Location: Netherlands

Posted: Sun May 19, 2019 9:25    Post subject:
I have no experience with OpenConnect, but for the "normal" OpenVPN client DDWRT creates the necessary firewall rules.
I assume you have to do it yourself?

Besides the NAT rule you need rules to FORWARD traffic and INPUT traffic.

Try something like this (this is for bidirectional as in site to site, so no firewall):

iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
paegus
DD-WRT Novice


Joined: 18 May 2019
Posts: 6

Posted: Mon May 20, 2019 9:00    Post subject:
egc wrote:
iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE


Thank you very much. Adding these rules allows me to connect to remote devices on the other side of tun0 from local devices on my LAN.

Unfortunately it is by IP address only.

IP and hostname lookup work fine from the router itself.

So I need to forward non-router sourced dns lookups from my LAN through tun0 as well.

I don't want to forward ALL dns lookups (port 53), only those pertaining to site.edu

Can this be done with iptables as well?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12884
Location: Netherlands

Posted: Mon May 20, 2019 15:25    Post subject:
You can tell DNSMasq to use a specific server for a specific domain, I think it is done with (in Additional DNSMasq Options):
Code:
server=/site.edu/a.b.c.d

for a.b.c.d you enter the IP address of the DNS server from the site.edu, I assume that that is doing the local DNS resolution.

Probably this server does not have a public IP so it is not reachable via the WAN but only via the tunnel.

In that case you have to set a static route unless your default gateway is already through the tunnel.

For OpenVPN it is really simple you can just tell openVPN to route a specific IP via the tunnel, in Additional config:
Code:
route a.b.c.d vpn_gateway


No idea if this is possible with OpenConnect.

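The two pieces of advice in this thread (egc's forwarding/NAT rules and the dnsmasq server=/domain/ip trick) combined into one script, as an added example that is not from the thread or from DD-WRT. It assumes the LAN bridge is br0 and the tunnel is tun0, uses constructed placeholder X-CSTP header lines in place of the real log, and tightens the firewall rules to stateful, LAN-initiated-only forwarding instead of accepting everything that arrives on tun0.

```shell
#!/bin/sh
# Constructed sample of the X-CSTP headers OpenConnect prints at connect time
# (placeholder addresses, not the thread's real ones).
SAMPLE_HEADERS='X-CSTP-DNS: 10.0.64.1
X-CSTP-DNS: 10.0.64.3
X-CSTP-Split-Include: 10.0.0.0/255.255.0.0
X-CSTP-Split-DNS: site.edu
X-CSTP-Split-DNS: site2.edu'

# Turn the pushed split-DNS domains and DNS servers into dnsmasq lines for
# "Additional DNSMasq Options": one server=/domain/ip per pair, so only
# queries for those domains go to the tunnel's resolvers, not all of port 53.
dnsmasq_split_dns() {
    printf '%s\n' "$1" | awk '
        $1 == "X-CSTP-DNS:"       { dns[++nd] = $2 }
        $1 == "X-CSTP-Split-DNS:" { dom[++nm] = $2 }
        END {
            for (i = 1; i <= nm; i++)
                for (j = 1; j <= nd; j++)
                    printf "server=/%s/%s\n", dom[i], dns[j]
        }'
}

# Firewall rules as text. Unlike the wide-open INPUT/FORWARD accepts quoted in
# the thread, these let the LAN open connections into the tunnel while the
# remote site only gets reply traffic back (conntrack ESTABLISHED,RELATED).
lan_to_tun_rules() {
    lan_if=${1:-br0}
    tun_if=${2:-tun0}
    cat <<EOF
iptables -I FORWARD -i $lan_if -o $tun_if -j ACCEPT
iptables -I FORWARD -i $tun_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT -i $tun_if -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -I POSTROUTING -o $tun_if -j MASQUERADE
EOF
}

# Apply the rules idempotently on the router: -C checks whether a rule already
# exists (exit 0), so re-running from a startup script does not stack duplicates.
apply_rules() {
    lan_to_tun_rules "$@" | while IFS= read -r rule; do
        check=$(printf '%s' "$rule" | sed 's/ -I / -C /')
        $check 2>/dev/null || $rule
    done
}

# On the router: apply_rules br0 tun0 ; dnsmasq_split_dns "$SAMPLE_HEADERS"
```

In the log above the pushed DNS servers (IP1.ADD.64.x) sit inside the pushed split-include range IP1.ADD.0.0/16, so the route OpenConnect's vpnc-script installs already sends those dnsmasq queries through tun0 and no extra static route is needed.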