See the link to The open VPN server setup guide in my signature.
This is quite a bit different than my original config. After making changes in the OpenVPN server config webgui, setting up firewall rules and rebooting, the clients connected but couldn't pass traffic. Continuing reading the server setup, it seems that I need to make additional config for things like routes and ccd files. Too much config to do for this. My understanding is that these firewall rules were supposed to allow traffic to flow with the CVE mitigation enabled:
iptables -t nat -A POSTROUTING -s #.#.#.#/24 -o eth0 -j MASQUERADE
iptables -t nat -I POSTROUTING -o br0 -s $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j MASQUERADE
Here is an example of what I had done for ccd, which has worked out OK for a long time.
I forgot to mention that I can't connect to devices on the LAN, either, as well as from the WAN. Turning off the CVE mitigation allows the VPN to work. I'm going over this again but it looks like this should work with the recommended changes. There were a couple of things that I left as-is, such as AES-256-GCM and the TLS Cipher and TLS-Auth, because the clients connect OK with those settings and work fine without the CVE mitigation. So I believe my issue is with the firewall. But, I could be wrong. Also, I decided to stay with the dh key instead of the elliptical key since I already had the dh key created.
Joined: 18 Mar 2014 Posts: 12837 Location: Netherlands
Posted: Thu Feb 27, 2020 17:07 Post subject:
some quick words about this (for a longer explanation see the guide)
The CVE 14899 patch breaks local LAN access for clients connecting to your VPN server.
There are several ways to deal with this:
Disable the patch (I had to fight long and hard to have a choice to disable it, I will spare you the details).
I personally have it disabled, but it is a security risk and if you are a high-level government target maybe keep it enabled.
Second, you can use this firewall rule:
iptables -t nat -I POSTROUTING -o br0 -s $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j MASQUERADE
This is the one you are using and for normal setup this should work, if not post your firewall rules (iptables -vnL -t raw, iptables -vnL, iptables -vnL -t nat)
Third, the following firewall rule should also work but it has a slight security risk:
iptables -t raw -I PREROUTING -i br0 -d $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j ACCEPT
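An added example (not code from this thread or from the DD-WRT project) of applying the second option above in a repeatable way: it reads openvpn_net and openvpn_tunmask from nvram (falling back to constructed sample values when the nvram tool is not present, e.g. when run off the router), converts the dotted tunmask to the CIDR prefix that iptables-save prints, inserts the MASQUERADE rule only when `iptables -C` does not already find it, and dumps the raw, filter and nat tables the post asks for. The function names and the embedded iptables-save snippet are assumptions made for the example.

```shell
#!/bin/sh
# Added example: idempotent install of the OpenVPN MASQUERADE rule from the
# thread, plus an offline check against a constructed iptables-save dump.

# Read an nvram variable; the fallback values are constructed samples so the
# functions can be exercised on a machine without DD-WRT's nvram utility.
nvram_get() {
    if command -v nvram >/dev/null 2>&1; then
        nvram get "$1"
    else
        case "$1" in
            openvpn_net)     echo "10.8.0.0" ;;        # constructed sample
            openvpn_tunmask) echo "255.255.255.0" ;;   # constructed sample
            *)               echo "" ;;
        esac
    fi
}

# Convert a dotted netmask (e.g. 255.255.255.0) to a prefix length (24).
# iptables-save normalises "-s net/mask" to CIDR, so comparisons need this.
mask_to_prefix() {
    _p=0
    _oldifs="$IFS"; IFS=.
    set -- $1
    IFS="$_oldifs"
    for _o in "$@"; do
        case "$_o" in
            255) _p=$((_p + 8)) ;;  254) _p=$((_p + 7)) ;;
            252) _p=$((_p + 6)) ;;  248) _p=$((_p + 5)) ;;
            240) _p=$((_p + 4)) ;;  224) _p=$((_p + 3)) ;;
            192) _p=$((_p + 2)) ;;  128) _p=$((_p + 1)) ;;
            0)   ;;
            *) echo "invalid mask octet: $_o" >&2; return 1 ;;
        esac
    done
    echo "$_p"
}

# Rule specification that follows "iptables -t nat -I POSTROUTING".
masq_rule_spec() {
    echo "-o br0 -s $1/$2 -j MASQUERADE"
}

# Return 0 if an iptables-save style dump ($3) already carries the rule for
# network $1 with dotted mask $2, in the form iptables-save prints it.
rule_present_in_dump() {
    _prefix=$(mask_to_prefix "$2") || return 1
    printf '%s\n' "$3" | grep -q -- "^-A POSTROUTING -s $1/${_prefix} -o br0 -j MASQUERADE"
}

# Insert the rule only if an identical one is not already in the chain
# (iptables -C returns 0 when the rule exists), so re-running the firewall
# script does not stack duplicates.
ensure_masq_rule() {
    _net=$(nvram_get openvpn_net); _mask=$(nvram_get openvpn_tunmask)
    if iptables -t nat -C POSTROUTING $(masq_rule_spec "$_net" "$_mask") 2>/dev/null; then
        echo "MASQUERADE rule already present for $_net/$_mask"
    else
        iptables -t nat -I POSTROUTING $(masq_rule_spec "$_net" "$_mask")
    fi
}

# The three listings the post asks for when the rule does not help.
show_tables() {
    for _t in raw filter nat; do
        echo "=== table $_t ==="
        iptables -vnL -t "$_t"
    done
}

# Constructed iptables-save output used for the offline check below.
SAMPLE_NAT_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE
COMMIT'

# Only touch the firewall when explicitly asked; otherwise just define functions.
if [ "${1:-}" = "apply" ]; then
    ensure_masq_rule
    show_tables
fi
```

Run it with `apply` on the router (for instance from the firewall script) to install the rule; without arguments it only defines the functions. Because `-I` places a rule at the head of its chain, it takes precedence over rules appended later, which is also what makes the raw-table ACCEPT in the third option effective and why it deserves the closer look the post suggests.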
This is strange. I solved part of the problem when I found a firewall rule copy/paste was bad. That fix enabled me to connect to the server from the WAN side and traffic was OK. But it broke the wifi connections on the WAP. It's strange that all the WDS connections came up OK, but only one 5 GHz client connected OK and none of the others. Even the 2.4 GHz AP wouldn't work. It looks like it's an issue with getting a LAN IP address from the LAN DHCP server. Rebooting didn't help. It's the CVE patch that messed things up, since disabling it made everything work again. I'm leaving it turned off and waiting for a better fix, and hope for the best (security-wise).
Joined: 08 May 2018 Posts: 14125 Location: Texas, USA
Posted: Thu Feb 27, 2020 21:28 Post subject:
Copying and pasting into the webUI doesn't always work as expected. The only ways I have found it to work without a hitch are using vi/vim or pico/nano on OSX or Linux.