OpenVPN blocking external ping, caused by the SPI firewall

DD-WRT Forum Index -> Advanced Networking
DarkAngel88
DD-WRT Novice


Joined: 07 Nov 2006
Posts: 12

PostPosted: Thu Jul 02, 2020 1:45    Post subject: OpenVPN blocking external ping, caused by the SPI firewall
Hi all,

Here's an issue I've had since I have setup my site2site VPN, using OpenVPN, for which I hope I can get your help!

I've successfully connected SiteA (192.168.1.0/24) to SiteB (192.168.2.0/24) using an OpenVPN TUN. The server is an AsusWRT Merlin and the client is DD-WRT (Build 41113). SiteB (the client) is able to communicate with SiteA (the server) using ping, SSH, everything... but when it comes to SiteA communicating with SiteB, everything works with the exception of communication with my router. From SiteA, I cannot ping nor SSH to my DD-WRT machine (192.168.2.1 in my current setup), but pinging any other machine from SiteA to SiteB works (from 192.168.2.2 to 192.168.2.254). I've done some testing to understand what's happening and, while playing with my DD-WRT config, I found out that disabling the SPI firewall fixes the issue. When it is disabled, I'm able to ping and SSH to my router from SiteA to SiteB. Now I know what the SPI firewall is for and, as my DD-WRT acts as a WAN-facing gateway, I would rather keep the SPI firewall active to keep all ports stealth. Is there any special config I could use to enable access to 192.168.2.1 from my SiteA range (192.168.1.0/24)?

Note: the dd-wrt client is not using the WebGUI for configuration but rather a config file that I've pushed and is executed by the command line. I don't know if it changes anything (maybe using the WebGUI does some magic with the SPI firewall to enable ping and communication) but I wanted to be transparent in my post.

Anyone with good knowledge on what could be my issue?

Thanks.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14208
Location: Texas, USA

PostPosted: Thu Jul 02, 2020 2:07    Post subject:
You may save yourself some of your headaches by upgrading to 43516 and reconfiguring your DD client. I don't even remember if your build was in the middle of the muckery with the mitigation that broke things all to hell; I would have to back-track and check. But my advice is to upgrade to the latest release.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
DarkAngel88
DD-WRT Novice


Joined: 07 Nov 2006
Posts: 12

PostPosted: Thu Jul 02, 2020 2:09    Post subject:
Hi Kernel,

Thanks for your input. I'll upgrade and report back if this solved anything.

Best!
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14208
Location: Texas, USA

PostPosted: Thu Jul 02, 2020 2:21    Post subject:
One thing to check on either build is the CVE-xxxx mitigation, whether or not it is enabled. That may also cause issues. I am not the VPN guru by any means, but I follow development and issue tracking closely. Your current build is pre-mitigation patches and fun, as I just confirmed, but there were issues with VPN at that point anyway, if memory serves. You may need to post more information if the upgrade doesn't fix things.
DarkAngel88
DD-WRT Novice


Joined: 07 Nov 2006
Posts: 12

PostPosted: Thu Jul 02, 2020 2:26    Post subject:
Got it. Currently backing up my config manually pre-upgrade.

What other information would be useful?
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14208
Location: Texas, USA

PostPosted: Thu Jul 02, 2020 2:38    Post subject:
Syslog, firewall log if it is set up; output of iptables -vnL; perhaps the actual manual config details you are using. If you have the "block anonymous wan requests (ping)" enabled on the firewall, that may be screwy. I think that was part of my not being able to ping across my lan on my E4200 a while back. I haven't mucked with it in months, so I would have to look into it at some point.
DarkAngel88
DD-WRT Novice


Joined: 07 Nov 2006
Posts: 12

PostPosted: Thu Jul 02, 2020 3:22    Post subject:
Just updated - nothing has changed on that side :(

Code:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
19592 3992K ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
    0     0 DROP       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
    0     0 DROP       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
    5   314 DROP       icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0
  267  8904 ACCEPT     2    --  *      *       0.0.0.0/0            0.0.0.0/0
   15  1013 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW
 5701  347K ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
 4530  245K DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   13  4225 ACCEPT     0    --  tun0   br0     0.0.0.0/0            0.0.0.0/0
   15  2482 ACCEPT     0    --  br0    tun0    0.0.0.0/0            0.0.0.0/0
   71 12615 ACCEPT     0    --  tun0   br0     0.0.0.0/0            0.0.0.0/0
   58  9833 ACCEPT     0    --  br0    tun0    0.0.0.0/0            0.0.0.0/0
    3   156 ACCEPT     0    --  tun0   br0     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br0    tun0    0.0.0.0/0            0.0.0.0/0
  188  209K ACCEPT     0    --  tun0   br0     0.0.0.0/0            0.0.0.0/0
  169 34258 ACCEPT     0    --  br0    tun0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  tun0   br0     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br0    tun0    0.0.0.0/0            0.0.0.0/0
    4   266 ACCEPT     0    --  tun0   br0     0.0.0.0/0            0.0.0.0/0
    4   220 ACCEPT     0    --  br0    tun0    0.0.0.0/0            0.0.0.0/0
    2   154 ACCEPT     0    --  tun0   br0     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br0    tun0    0.0.0.0/0            0.0.0.0/0
    3   231 ACCEPT     0    --  tun0   br0     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br0    tun0    0.0.0.0/0            0.0.0.0/0
  151  112K ACCEPT     0    --  tun0   br0     0.0.0.0/0            0.0.0.0/0
   97 13116 ACCEPT     0    --  br0    tun0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  tun0   br0     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br0    tun0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  tun0   br0     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br0    tun0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  tun0   br0     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br0    tun0    0.0.0.0/0            0.0.0.0/0
    1    64 ACCEPT     0    --  tun0   br0     0.0.0.0/0            0.0.0.0/0
    3   192 ACCEPT     0    --  br0    tun0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  tun0   br0     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br0    tun0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  tun0   br0     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br0    tun0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  tun0   br0     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br0    tun0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  tun0   br0     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br0    tun0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  tun0   br0     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br0    tun0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  tun0   br0     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br0    tun0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  tun0   br0     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br0    tun0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  tun0   br0     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br0    tun0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  tun0   br0     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br0    tun0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  tun0   br0     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br0    tun0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  tun0   br0     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br0    tun0    0.0.0.0/0            0.0.0.0/0
 198K   78M ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     47   --  *      eth0    192.168.2.0/24       0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      eth0    192.168.2.0/24       0.0.0.0/0           tcp dpt:1723
22748 1617K lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            224.0.0.0/4
    0     0 TRIGGER    0    --  eth0   br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
22748 1617K trigger_out  0    --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 TRIGGER    0    --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  0    --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  eth1   *       0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 TRIGGER    0    --  eth0   ath0    0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  0    --  ath0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  ath0   *       0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 TRIGGER    0    --  eth0   ath1    0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  0    --  ath1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  ath1   *       0.0.0.0/0            0.0.0.0/0           state NEW
22656 1612K ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
   92  4988 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0
... repeating stuff...

Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID LOG flags 7 level 4 prefix `DROP '
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logreject (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset

Chain trigger_out (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TRIGGER    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:51413 TRIGGER type:out match:51413 relate:51413
    0     0 TRIGGER    udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:51413 TRIGGER type:out match:51413 relate:51413


As said earlier, as soon as I disable the SPI firewall, I can ping my router from SiteA which leads me to think it is a firewall issue. Is there a correlation between the SPI firewall and IPTables?
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14208
Location: Texas, USA

PostPosted: Thu Jul 02, 2020 3:42    Post subject:
Yes. The SPI firewall uses iptables, that is the actual command used. Try enabling the firewall, but leave "block anonymous wan requests (ping)" disabled / unchecked, reboot the router and test that.
DarkAngel88
DD-WRT Novice


Joined: 07 Nov 2006
Posts: 12

PostPosted: Thu Jul 02, 2020 5:36    Post subject:
Unfortunately nothing has changed. I do see the modification inside iptables though:

Code:
    0     0 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0


Do you think this rule should be added for the tunnel as well? I do not have lots of knowledge on iptables though...
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

PostPosted: Thu Jul 02, 2020 7:50    Post subject: Re: OpenVPN blocking external ping, caused by the SPI firewall
DarkAngel88 wrote:
Hi all,

Here's an issue I've had since I have setup my site2site VPN, using OpenVPN, for which I hope I can get your help!


Note: the dd-wrt client is not using the WebGUI for configuration but rather a config file that I've pushed and is executed by the command line. I don't know if it changes anything (maybe using the WebGUI does some magic with the SPI firewall to enable ping and communication) but I wanted to be transparent in my post.

Anyone with good knowledge on what could be my issue?

Thanks.


Of course the webGUI takes care of firewall rules :)

So make it easy on yourself: use the webGUI.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
DarkAngel88
DD-WRT Novice


Joined: 07 Nov 2006
Posts: 12

PostPosted: Thu Jul 02, 2020 14:08    Post subject:
Interesting, egc... I wasn't sure it was the case, but now with your comment I am.

Is there a way to import a specific .conf file from OpenVPN? It would be easier this way, and my little pinky tells me it won't be possible... but maybe you could tell me otherwise! I've tried using the same conf, but I have no way to debug my OpenVPN client (yes, syslog is enabled :)).

If I'm unable to import my conf file, is there an easy way to debug my openvpn client config?

Thanks!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

PostPosted: Thu Jul 02, 2020 15:41    Post subject:
DarkAngel88 wrote:
Interesting, egc... I wasn't sure it was the case, but now with your comment I am.

Is there a way to import a specific .conf file from OpenVPN? It would be easier this way, and my little pinky tells me it won't be possible... but maybe you could tell me otherwise! I've tried using the same conf, but I have no way to debug my OpenVPN client (yes, syslog is enabled :)).

If I'm unable to import my conf file, is there an easy way to debug my openvpn client config?

Thanks!


No, you cannot use your own conf file in the regular builds (I am running an experimental build which has that possibility, but BS is kind of reluctant on this matter).
You can try to add all of your conf file in the Additional Config so that it will be added to the DDWRT conf file; this sometimes works.

This is a recurring problem: many VPN providers just give you a conf file, or users using pfSense servers or other servers only have a conf file, and it is normally fairly easy to translate the conf to the GUI.

So if just adding your conf file to the Additional Config does not work you can post (or PM me) your conf file I will see if I can translate it to the GUI.

Of course it is possible to run OpenVPN just from the CLI, but then you need to know how to set all the rules. It is still on my list to make a framework with an example of how to do that with route-up and down scripts with the necessary rules, but that is not finished yet :(

DarkAngel88
DD-WRT Novice


Joined: 07 Nov 2006
Posts: 12

PostPosted: Thu Jul 02, 2020 18:02    Post subject:
Yes, you're right about the part where VPN providers often give a conf file that now needs to be translated to the right settings.

I was able to translate most of my conf file (thanks for the help BTW) but I'm unable to test it properly. Can you tell me where the conf file is located on DD-WRT? It will give me a better idea as to whether I've translated the conf file properly.

Also, is it normal that I don't see verbose OpenVPN logs inside /var/log/messages? I've applied the OpenVPN config file but the only error I see is the following:

Code:
Options error: specify only one of --tls-server, --tls-client, or --secret


Granted, I'm using a static key, but I don't see any option to force the usage of only a static key. From reading the DD-WRT wiki about OpenVPN, it seems like it always uses the certificate paths when generating the config file for OpenVPN and, as a result, I'm getting a conflict error when trying to start the OpenVPN client.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

PostPosted: Thu Jul 02, 2020 18:41    Post subject:
DarkAngel88 wrote:
Yes, you're right about the part where VPN providers often give a conf file that now needs to be translated to the right settings.

I was able to translate most of my conf file (thanks for the help BTW) but I'm unable to test it properly. Can you tell me where the conf file is located on DD-WRT? It will give me a better idea as to whether I've translated the conf file properly.

Also, is it normal that I don't see verbose OpenVPN logs inside /var/log/messages? I've applied the OpenVPN config file but the only error I see is the following:

Code:
Options error: specify only one of --tls-server, --tls-client, or --secret


Granted, I'm using a static key, but I don't see any option to force the usage of only a static key. From reading the DD-WRT wiki about OpenVPN, it seems like it always uses the certificate paths when generating the config file for OpenVPN and, as a result, I'm getting a conflict error when trying to start the OpenVPN client.


Well, if you give enough information we come to the heart of the story :)

From the server setup guide:
Quote:
Due to an incompatibility in DDWRT it is not possible to setup with a static key only (both server and client) for a workaround see the paragraph "Running from the command line"


So if you want to use a static key only you have to setup via the command line.

So basically you have two choices: use keys/certificates, or wait a few days till I've finished writing up how to use the CLI with DDWRT.

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

PostPosted: Fri Jul 03, 2020 10:07    Post subject:
There is another option: you can dynamically remove the setting which makes DDWRT incompatible with a static key and then restart the VPN.

There is a thread about this; basically, use sed to remove "client" (or "server" for the server) and then restart.

Will see if I can find it.

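The workaround egc describes, as an added example that is not code from the thread or from DD-WRT: OpenVPN's `client` directive implies `tls-client`, and `server ...` implies `tls-server`, so a generated config that also carries `secret` triggers the "specify only one of --tls-server, --tls-client, or --secret" error seen earlier. The script strips those mode lines with sed only when a `secret` directive is present, so a certificate-based config passes through unchanged. It assumes DD-WRT writes the client config to /tmp/openvpncl/openvpn.conf (an assumption; confirm with `ls /tmp/openvpncl`), the sample config is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or DD-WRT. Removes the TLS mode directives
# that DD-WRT's GUI always emits from a generated OpenVPN config when that
# config uses a static "secret", so the two do not conflict.

# Constructed sample of a GUI-generated client config with a static key.
SAMPLE_CONF='client
dev tun0
proto udp
remote vpn.example.org 1194
tls-client
secret /tmp/openvpncl/static.key
cipher AES-256-CBC
verb 3'

# strip_tls_mode CONF_TEXT
# If CONF_TEXT contains a "secret" directive, print it with every
# client / tls-client / server ... / tls-server line deleted; otherwise print
# it unchanged, because a certificate-based config must keep those lines.
strip_tls_mode() {
    if printf '%s\n' "$1" | grep -q '^secret[[:space:]]'; then
        printf '%s\n' "$1" | sed -e '/^client[[:space:]]*$/d' \
                                 -e '/^tls-client[[:space:]]*$/d' \
                                 -e '/^server[[:space:]]/d' \
                                 -e '/^tls-server[[:space:]]*$/d'
    else
        printf '%s\n' "$1"
    fi
}

# fix_conf_file PATH
# Rewrites PATH in place, keeping PATH.orig so the change can be diffed.
# Assumed DD-WRT client config location: /tmp/openvpncl/openvpn.conf
fix_conf_file() {
    cp "$1" "$1.orig"
    strip_tls_mode "$(cat "$1.orig")" > "$1"
}

# Stand-alone run: show what the sample looks like after the fix.
strip_tls_mode "$SAMPLE_CONF"
```

After `fix_conf_file /tmp/openvpncl/openvpn.conf`, restart the client with the exact command line DD-WRT used (`ps w | grep openvpn` shows it) rather than a hand-typed one, so the route-up/down scripts stay attached. DD-WRT regenerates the file on every VPN start, so the fix has to run again after each restart. One caveat on the mode itself: a static key gives no forward secrecy, since both routers hold the same key and anyone who obtains it can decrypt recorded traffic, so keep the key file mode 0600 and rotate it.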