Posted: Wed Jul 24, 2019 10:35 Post subject: Allow firewall to route WAN to TUN for VPN setup
Hello everyone!
I started to work with dd-wrt (TP-Link TL-WDR3600 v1) and I am pretty amazed about the possibilities. Besides a PiHole on a BananaPi I managed to run a paid VPN client (Mullvad) on the router and in addition a PiVPN on a second BananaPi in my network as a VPN server. So I'm running into the known issue that both systems will not work together (client and server). Reading this thread:
told me my router firewall is blocking the data to go from my WAN (from my smartphone over my PiVPN with OpenVPN) to my VPN when the tunnel to the outside world is active. Like eibgrad wrote:
WAN in, WAN out ... is allowed
WAN in, VPN out ... is denied
VPN in, VPN out ... is allowed
VPN in, WAN out ... is denied
Okay, got it. So I see the possibilities to use these complex scripts to switch between WAN and VPN or use port forwarding via VPN (which would force me to use the VPN app from Mullvad on my smartphone).
But I do not get one point. Why can I not simply allow this in my firewall? Is it not possible to write an iptables rule to allow all traffic coming to my VPN port (1194) over WAN to go out over Mullvad VPN? I ask because if I disable my firewall everything works (and my IP also changes on my smartphone to the Mullvad one), so that tells me that it's definitely the firewall, exactly as described. I can not see security issues here, because to contact my PiVPN you need a certificate and it would be the only port to be allowed. So nobody could hack that easily.
Can somebody explain to me why this is not an option or, if it is, how it could be realized? I just started with iptables and am pretty concerned about stopping all traffic.
I am pretty interested in this setup because this would allow me to use my PiHole DNS in combination with Mullvad also from abroad.
Thank you a lot for your help! Please be lenient, this is my first post in this forum.
Joined: 18 Mar 2014 Posts: 12915 Location: Netherlands
Posted: Wed Jul 24, 2019 11:54 Post subject:
Well first of all welcome to DDWRT
For these questions you get better answers in the Advanced Routing forum, maybe one of the moderators will move this thread?
What you want (port based routing) is exactly what (some of) the scripts are doing
If you do not want that, use Policy Based Routing. This gets your router off the VPN and back to the WAN, and in the PBR field you enter all the clients you want to use the VPN (but never the router's IP and of course not the VPN server).
Use CIDR notation: https://www.ipaddressguide.com/cidr
But if you need the VPN server to also use the VPN for some applications then you must use port based routing and use one of @eibgrad's advanced scripts.
I have used those to setup for someone who had the VPN server on his NAS but also had Transmission on his NAS for which he wanted to use the VPN.
Thank you a lot! I am not sure if I got it all right.
Quote:
If you do not want that, use Policy Based Routing. This gets your router off the VPN and back to the WAN, and in the PBR field you enter all the clients you want to use the VPN (but never the router's IP and of course not the VPN server).
Use CIDR notation: https://www.ipaddressguide.com/cidr
This is what I did so far. I excluded my router, the Pi with the PiHole (DNS/DHCP server) and the Pi with the VPN server from the usage of the VPN client (Mullvad) by using CIDR for all DHCP clients (all others). This is working, but not what I want. When surfing from abroad my goal is to use the VPN client as well. So I want to connect to my PiVPN, but from there route the outgoing traffic over the paid VPN.
Quote:
But if you need the VPN server to also use the VPN for some applications then you must use port based routing and use one of @eibgrad's advanced scripts.
I have used those to setup for someone who had the VPN server on his NAS but also had Transmission on his NAS for which he wanted to use the VPN.
I thought about this, but is this really necessary? For me (a beginner) these scripts seem quite complex and I ask myself why it is not a simple firewall expression to have one device in my network (the Pi with the PiVPN server running) always route from WAN to VPN. I'm pretty sure that these scripts can handle that, but correct me if I'm wrong, they seem to do a lot more than one single routing accept command. Where am I wrong here? I am not even sure if I really need port based routing, since the connection from this Pi in my network to the VPN client is the problem in my eyes. Would it not be enough to route all traffic coming into the PiVPN from my smartphone (specific IP in my network) into the VPN client output?
Quote:
Script looks complicated but is not hard to setup
I will try to handle this, if there is no option more simple.
Quote:
Oh, almost forgot, always state router (you did) and build number so that we can better tailor our advice
Posted: Wed Jul 24, 2019 18:28 Post subject:
Question for @eibgrad, I know it will work (I am using it) but strange that including the IP address of the OVPN server itself (10.8.0.1) does not play havoc? Especially as there are no local routes in the alternate routing table (unless using your table-10-fix script or my PBR script )
Posted: Wed Jul 24, 2019 21:25 Post subject:
Yes you are right, it is a nasty bug.
But even without the fix, i.e. copying of local routes, the whole subnet of the VPN server can be set to use the alternate routing table, including 10.8.0.1. I honestly thought that was not possible (we know what happens if we put the router itself on the PBR without the fix), but it is, and I do not have a good explanation other than that the OVPN server is not actually bound to the IP address?
Thank you both very much! I guess I understood a lot more now. It's great, that people in this forum really like to help, I really appreciate this!
Quote:
If you want remote OpenVPN clients of your local OpenVPN server to use the local OpenVPN client, then simply add the OpenVPN server's tunnel network to the PBR field (e.g., 10.8.0.0/24, or whatever private IP space you specified on the OpenVPN server config). It's just that simple.
Yes, this is it! I want the clients of my server to use the paid client! So when I read this I was pretty euphoric!
Unfortunately it did not work. I checked in my Android app which IP it gets and it was 10.8.0.2 indeed. I added this IP to the PBR list and nothing happened (still the old IP when checking the Mullvad status page). Reboot: same. So I added the iptables rule.
iptables -t nat -I POSTROUTING -s 10.8.0.2 -o tun1 -j MASQUERADE
Still same. Reboot: same. Reconnect from smartphone to server also changes nothing.
Seems I'm doing something wrong. Might this be an OpenVPN server configuration issue? I am not 100% sure how the IP is given by the server (I have to check this), but as long as I always get 10.8.0.2 I am not really concerned that the IP might be wrong. Any more ideas?
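The question in the first post ("why can't one firewall rule do this?") and the single MASQUERADE rule tried in the last post both miss that the router decides the outgoing interface in its routing table before the firewall ever sees the packet: with the WAN as default route, traffic from the server's tunnel clients is routed to the WAN, and no FORWARD or NAT rule changes that. The script below is an added example, not eibgrad's script and not code from this thread, of the minimal source-based policy routing plus firewall rules that path needs. It assumes hypothetical values: tun1 is the OpenVPN client (Mullvad) interface on the router, vlan2 is the WAN interface (on dd-wrt, `nvram get wan_iface` gives the real one), table 10 is the alternate routing table, and 10.8.0.0/24 is the server's tunnel subnet from the thread. One caveat worth checking first: the router only sees 10.8.0.x source addresses if the server host forwards them unmasqueraded; if the server host NATs its clients behind its own LAN address, set SRV_SUBNET to that LAN address instead. By default it runs as a dry run and prints the commands it would apply.

```shell
#!/bin/sh
# Added example (not eibgrad's script, not from the thread): route clients of the
# local OpenVPN *server* out through the OpenVPN *client* interface with
# source-based policy routing, and add only the firewall rules that path needs.
# Hypothetical defaults, adjust to your build:
#   VPN_IF      OpenVPN client (Mullvad) tunnel interface on the router
#   WAN_IF      WAN interface (dd-wrt: nvram get wan_iface)
#   SRV_SUBNET  source to match: the server's tunnel subnet (router sees
#               10.8.0.x), or the server host's LAN address if that host NATs
#   TABLE       alternate routing table used for the policy rule
# RUN=echo (default) prints the commands instead of applying them; RUN= applies.
VPN_IF="${VPN_IF:-tun1}"
WAN_IF="${WAN_IF:-vlan2}"
SRV_SUBNET="${SRV_SUBNET:-10.8.0.0/24}"
TABLE="${TABLE:-10}"
RUN="${RUN-echo}"

# Copy every non-default route of the main table into the alternate table.
# Without this, a source matched by the policy rule has no route back to the
# LAN or the router itself (the "no local routes in table 10" problem).
# Reads `ip route show table main` output from stdin so it can be tested offline.
copy_local_routes() {
  while read -r route; do
    case "$route" in
      ""|default*) continue ;;
    esac
    $RUN ip route add $route table "$TABLE" 2>/dev/null || true
  done
}

# Default route of the alternate table points at the VPN client interface;
# everything from the server's tunnel subnet is looked up in that table.
pbr_rules() {
  $RUN ip route replace default dev "$VPN_IF" table "$TABLE"
  $RUN ip rule del from "$SRV_SUBNET" table "$TABLE" 2>/dev/null || true
  $RUN ip rule add from "$SRV_SUBNET" table "$TABLE" priority 100
  $RUN ip route flush cache
}

# Forward tunnel-subnet traffic to the VPN client interface, allow the replies
# back, and masquerade behind the VPN client's tunnel address.
fw_rules() {
  $RUN iptables -I FORWARD -s "$SRV_SUBNET" -o "$VPN_IF" -j ACCEPT
  $RUN iptables -I FORWARD -i "$VPN_IF" -d "$SRV_SUBNET" -m state --state ESTABLISHED,RELATED -j ACCEPT
  $RUN iptables -t nat -I POSTROUTING -s "$SRV_SUBNET" -o "$VPN_IF" -j MASQUERADE
}

# Kill switch: if the VPN client is down, the policy route is gone and the main
# table would send these clients out the WAN; refuse that instead of leaking.
kill_switch() {
  $RUN iptables -I FORWARD -s "$SRV_SUBNET" -o "$WAN_IF" -j REJECT
}

apply_all() {
  { ip route show table main 2>/dev/null || true; } | copy_local_routes
  pbr_rules
  kill_switch
  fw_rules
}

# Dry run by default: prints the exact commands that would be applied.
# Run with RUN= from the OpenVPN client's route-up hook so the tunnel interface exists.
apply_all
```

Running it as-is shows the command list; `RUN= sh pbr-example.sh` applies it, and the policy rule must be re-added whenever tun1 comes back up, which is why a route-up hook rather than the one-shot firewall script is the right place for it. Verify with `ip rule show` (the `from 10.8.0.0/24 lookup 10` entry) and `ip route show table 10` (default via tun1 plus the copied LAN routes) before testing from the phone.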