how to connect to router management from OVPN

keithg
DD-WRT User


Joined: 07 Jan 2011
Posts: 53

PostPosted: Sun Jun 02, 2019 0:39    Post subject: how to connect to router management from OVPN
keithg
DD-WRT User


Joined: 07 Jan 2011
Posts: 53

PostPosted: Sun Jun 02, 2019 0:44    Post subject:
typed post and nothing shows up...
keithg
DD-WRT User


Joined: 07 Jan 2011
Posts: 53

PostPosted: Sun Jun 02, 2019 0:49    Post subject:
typed a long post that shows up blank...

What do I need to put in my iptables to be able to get to the management console. I have this:
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.66.0/24 -j ACCEPT

that I got from the v24+ easy way docs and I get to all clients except the router.
keithg
DD-WRT User


Joined: 07 Jan 2011
Posts: 53

PostPosted: Sun Jun 02, 2019 5:05    Post subject:
yes, I used to be able to get to the router from the outside. If I connected from my phone, I could previously get to the interface by using the router's IP when I was on the VPN. 192.168.2.1 would bring up the ddwrt UI. Now, I can get to everything on the network except the router. I even have another router on the LAN and can get its UI to come up. Just not the one running openvpn.

This is a new router (R7800) running Kong R37495M. I have this set up using the 'old' openvpn instructions and have been using this for years.

https://wiki.dd-wrt.com/wiki/index.php/VPN_(the_easy_way)_v24+
I copied and pasted many of the settings from my nvram backup and have it mostly working.
It works and I can connect to devices on my network but I can no longer get to the router management page remotely.

From my 'ovpn additional config'
push "route 192.168.2.0 255.255.255.0"
push "dhcp-option DNS 192.168.66.1"
server 192.168.66.0 255.255.255.0

My firewall settings are:
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.66.0/24 -j ACCEPT

My remote ovpn addresses are 192.168.66.x and my home domain is 192.168.2.x

I am guessing I need something elsewhere set so I can get to the ddwrt UI web page but have tried a number of things and am lost.

Thanks!

Keith
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Sun Jun 02, 2019 6:13    Post subject:
When you are using a new router, start fresh: telnet to your router and do: nvram erase && reboot
Put settings in manually

See my signature at the bottom of this post for how to set up an OVPN server.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
keithg
DD-WRT User


Joined: 07 Jan 2011
Posts: 53

PostPosted: Mon Jun 03, 2019 14:38    Post subject:
@egc,

Good advice. I, basically, did that. Started fresh with the R7800 clean ram, set up the WAN and LAN settings, then opened the old router's nvram in a text editor and copied over only the certificates and the config for ovpn from the old nvram dump. This allowed me to get ovpn back up. It works, I can connect from the phone and from work to all devices on the LAN, but cannot see the ddwrt UI nor can I ssh to the router when I am logged in. I can get to the router by first logging into another machine then sshing to the router from inside the LAN.

I will spend the time to go through your setup instructions, but cannot right now. I notice that your instructions are to set it up as Server versus Daemon.

For the time being, is there anything I can do to my firewall rules or pass thrus to be able to get to the router IP when I am connected to my OVPN, though? I do not have my router set up for connections from the WAN side. This is what it reports from iptables:
Code:
#iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:openvpn
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc
ACCEPT     udp  --  anywhere             anywhere            udp dpt:openvpn
ACCEPT     0    --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            udp dpt:route
DROP       udp  --  anywhere             anywhere            udp dpt:route
ACCEPT     udp  --  anywhere             anywhere            udp dpt:route
ACCEPT     ipv6 --  anywhere             anywhere
DROP       icmp --  anywhere             anywhere
DROP       igmp --  anywhere             anywhere
ACCEPT     0    --  anywhere             anywhere            state NEW
ACCEPT     0    --  anywhere             anywhere            state NEW
DROP       0    --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     0    --  192.168.66.0/24      anywhere
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     gre  --  192.168.2.0/24       anywhere
ACCEPT     tcp  --  192.168.2.0/24       anywhere            tcp dpt:1723
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Mon Jun 03, 2019 15:24    Post subject:
If you want access, simply follow my advice :)

To set up an OpenVPN server on a recent build you need only one firewall rule to NAT traffic out and NOTHING in the additional config (unless you do not use Redirect default gateway, in that case push a route to the router's subnet).

The mistake most often made is adding unnecessary firewall rules and unnecessary directives in the additional config (especially troublesome is adding dev tunx).

We can better judge firewall rules if you do:
Code:
iptables -vnL

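An added illustration (not code from the thread or from DD-WRT) of why the two rules quoted above cannot by themselves cover traffic to the router: a packet addressed to the router's own address is checked by INPUT, never by FORWARD, so the `--source 192.168.66.0/24` FORWARD rule only helps with LAN hosts. The chains below are constructed; the `-i lo` / `-i br0` matches are an assumption standing in for what `iptables -L` hides and `iptables -vnL` would show, and the router addresses are taken from the thread.

```python
import ipaddress

# Constructed chains in the spirit of the thread's listing, NOT the router's real
# rules. `-L` hides interface matches, so the bare "ACCEPT 0 anywhere anywhere"
# rules are modelled here with an ASSUMED `-i lo` / `-i br0` match.
ROUTER_ADDRS = {"192.168.2.1", "192.168.66.1"}   # router's LAN and tun0 addresses

def rule(target, proto="all", src="0.0.0.0/0", dport=None, states=None, in_if=None):
    return {"target": target, "proto": proto, "src": ipaddress.ip_network(src),
            "dport": dport, "states": states, "in_if": in_if}

CHAINS = {
    "INPUT": ([
        rule("ACCEPT", "udp", dport=1194),                 # the tunnel itself
        rule("ACCEPT", states={"RELATED", "ESTABLISHED"}),
        rule("ACCEPT", in_if="lo"),                        # assumed hidden -i lo
        rule("ACCEPT", in_if="br0", states={"NEW"}),       # assumed hidden -i br0
        rule("DROP"),                                      # final catch-all DROP
    ], "ACCEPT"),
    "FORWARD": ([
        rule("ACCEPT", src="192.168.66.0/24"),             # the thread's FORWARD rule
        rule("ACCEPT", states={"RELATED", "ESTABLISHED"}),
    ], "ACCEPT"),
}

def matches(r, pkt):
    return ((r["proto"] == "all" or r["proto"] == pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in r["src"]
            and (r["dport"] is None or r["dport"] == pkt.get("dport"))
            and (r["states"] is None or pkt["state"] in r["states"])
            and (r["in_if"] is None or r["in_if"] == pkt["in_if"]))

def verdict(pkt, chains=CHAINS):
    """Choose INPUT for packets addressed to the router itself, FORWARD otherwise,
    then apply first-match semantics; fall back to the chain policy."""
    chain = "INPUT" if pkt["dst"] in ROUTER_ADDRS else "FORWARD"
    rules, policy = chains[chain]
    for i, r in enumerate(rules, 1):
        if matches(r, pkt):
            return chain, i, r["target"]
    return chain, None, policy

# Constructed packets: a VPN client (192.168.66.x, arriving on tun0) opening
# new connections to a LAN host and to the router's web UI respectively.
vpn_client = dict(src="192.168.66.6", in_if="tun0", proto="tcp", state="NEW")
to_lan_host = dict(vpn_client, dst="192.168.2.50", dport=22)
to_router = dict(vpn_client, dst="192.168.2.1", dport=443)

if __name__ == "__main__":
    print(verdict(to_lan_host))   # → ('FORWARD', 1, 'ACCEPT'): the source rule applies
    print(verdict(to_router))     # → ('INPUT', 5, 'DROP'): FORWARD is never consulted
```

With the interface matches visible, it is also clear why a LAN host on br0 reaches the router while the same request over tun0 does not, which is the distinction a `-vnL` listing makes explicit.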
keithg
DD-WRT User


Joined: 07 Jan 2011
Posts: 53

PostPosted: Mon Jun 03, 2019 17:03    Post subject:
I am using "dev tun0". Always have as this is what is on the 'easy way v24+' instructions that I followed years ago. I will see if I can get time to reconfigure ovpn to be a server instead of daemon according to your instructions. Maybe this coming weekend.

My current iptables response is attached.

My firewall command is 2 lines:
Code:
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.66.0/24 -j ACCEPT
keithg
DD-WRT User


Joined: 07 Jan 2011
Posts: 53

PostPosted: Fri Jun 14, 2019 1:27    Post subject:
To get to the router while connected to the vpn, under 'Remote Access' I have to enable 'Web GUI Management' on the Admin page. Even though it says I should use 8080, it connects on the regular https://192.168.2.1/ address. I can now connect to the router again!

External port scans show 8080 closed and 80 closed. It is a bit confusing that I need this enabled to access the UI from the vpn. I do not know if it is needed, but I filled the allowed remote IP range with my vpn IP range.