What do I need to put in my iptables to be able to get to the management console? I have this:
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.66.0/24 -j ACCEPT
that I got from the v24+ easy way docs and I get to all clients except the router.
Yes, I used to be able to get to the router from the outside. If I connected from my phone, I could previously get to the interface by using the router's IP when I was on the VPN. 192.168.2.1 would bring up the ddwrt UI. Now, I can get to everything on the network except the router. I even have another router on the LAN and can get its UI to come up. Just not the one running openvpn.
This is a new router (R7800) running Kong R37495M. I have this set up using the 'old' openvpn instructions and have been using this for years.
https://wiki.dd-wrt.com/wiki/index.php/VPN_(the_easy_way)_v24+
I copied and pasted many of the settings from my nvram backup and have it mostly working.
It works and I can connect to devices on my network but I can no longer get to the router management page remotely.
From my 'ovpn additional config'
push "route 192.168.2.0 255.255.255.0"
push "dhcp-option DNS 192.168.66.1"
server 192.168.66.0 255.255.255.0
Good advice. I, basically, did that. Started fresh with the R7800 clean ram, set up the WAN and LAN settings, then opened the old router's nvram in a text editor and copied over only the certificates and the config for ovpn from the old nvram dump. This allowed me to get ovpn back up. It works, I can connect from the phone and from work to all devices on the LAN, but cannot see the ddwrt UI nor can I ssh to the router when I am logged in. I can get to the router by first logging into another machine then sshing to the router from inside the LAN.
I will spend the time to go through your setup instructions, but cannot right now. I notice that your instructions are to set it up as Server versus Daemon.
For the time being, is there anything I can do to my firewall rules or pass thrus to be able to get to the router IP when I am connected to my OVPN, though? I do not have my router set up for connections from the WAN side. This is what it reports from iptables:
Code:
#iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
ACCEPT 0 -- anywhere anywhere
DROP udp -- anywhere anywhere udp dpt:route
DROP udp -- anywhere anywhere udp dpt:route
ACCEPT udp -- anywhere anywhere udp dpt:route
ACCEPT ipv6 -- anywhere anywhere
DROP icmp -- anywhere anywhere
DROP igmp -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state NEW
ACCEPT 0 -- anywhere anywhere state NEW
DROP 0 -- anywhere anywhere
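Added example (my own code, not from the thread or from DD-WRT): a small linter over the INPUT listing above that flags rules duplicating an earlier rule and rules that can never match because an earlier catch-all ACCEPT/DROP already swallowed every packet. It assumes the listing format of plain `iptables -L`, which omits the in/out interface columns, so a rule shown as `ACCEPT 0 -- anywhere anywhere` may really be `-i br0` or `-i tun0`; confirm with `iptables -L INPUT -v -n --line-numbers` before removing anything.

```python
"""Lint an `iptables -L` chain listing for duplicate and unreachable rules."""
from collections import namedtuple
Rule = namedtuple("Rule", "target prot source dest extra")  # extra: e.g. "udp dpt:openvpn"

# Constructed sample: the INPUT chain quoted in the thread (header lines included).
SAMPLE_INPUT = """\
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
ACCEPT 0 -- anywhere anywhere
DROP udp -- anywhere anywhere udp dpt:route
DROP udp -- anywhere anywhere udp dpt:route
ACCEPT udp -- anywhere anywhere udp dpt:route
ACCEPT ipv6 -- anywhere anywhere
DROP icmp -- anywhere anywhere
DROP igmp -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state NEW
ACCEPT 0 -- anywhere anywhere state NEW
DROP 0 -- anywhere anywhere
"""

def parse_chain(listing):
    """Parse one chain's rule lines, skipping the 'Chain' and column-header lines."""
    rules = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] in ("Chain", "target"):
            continue
        target, prot, _opt, source, dest = parts[:5]
        rules.append(Rule(target, prot, source, dest, " ".join(parts[5:])))
    return rules

def is_catch_all(rule):
    """Any protocol, any src/dst, no further match: this rule matches every packet."""
    return rule.prot in ("0", "all") and rule.source == rule.dest == "anywhere" and not rule.extra

def lint_chain(listing):
    """Return (rule_no, problem, shadowing_rule_no) for each suspect rule, in order."""
    findings, seen, catch_all_at = [], set(), None
    for no, rule in enumerate(parse_chain(listing), start=1):
        if catch_all_at is not None:        # everything after a catch-all is dead
            findings.append((no, "unreachable", catch_all_at))
        elif rule in seen:                  # same match and target seen earlier
            findings.append((no, "duplicate", None))
        seen.add(rule)
        if catch_all_at is None and is_catch_all(rule):
            catch_all_at = no
    return findings
```

On the listing above it reports rule 4 as a duplicate of rule 1 and rules 6 through 14 as unreachable behind rule 5, which is exactly the kind of accumulated rule set the next reply warns about.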
Joined: 18 Mar 2014 Posts: 12922 Location: Netherlands
Posted: Mon Jun 03, 2019 15:24
If you want access, simply follow my advice.
To set up an OpenVPN server on a recent build you need only one firewall rule to NAT traffic out and NOTHING in the additional config (unless you do not use Redirect default gateway; in that case push a route to the router's subnet).
The mistake most often made is adding unnecessary firewall rules and unnecessary directives in the additional config (especially troublesome is the adding of dev tunx).
I am using "dev tun0". Always have, as this is what is on the 'easy way v24+' instructions that I followed years ago. I will see if I can get time to reconfigure ovpn to be a server instead of daemon according to your instructions. Maybe this coming weekend.
To get to the router while connected to the vpn, under 'Remote Access' I have to enable 'Web GUI Management' on the Admin page. Even though it says I should use 8080, it connects on the regular https://192.168.2.1/ address. I can now connect to the router again!
External port scans show 8080 closed and 80 closed. It is a bit confusing that I need this enabled to access the UI from the vpn. I do not know if it is needed, but I filled the allowed remote IP range with my vpn IP range.