[SOLVED] OpenVPN Server Packets from br0 (LAN) dropped

modellbahnFreak
DD-WRT Novice


Joined: 31 May 2021
Posts: 2

PostPosted: Wed Jun 02, 2021 5:56    Post subject: [SOLVED] OpenVPN Server Packets from br0 (LAN) dropped
Hi,

I'm currently trying to (re-)set up OpenVPN on my NETGEAR R7000 (which serves as my main network router and WiFi AP but not as DHCP or DNS server, which is done by a Windows DC) on which I just recently updated the DD-WRT firmware to DD-WRT v3.0-r46816 std (05/30/21) (which - according to the build thread - introduces policy based routing and some other features for OpenVPN, but if I understand correctly, they have no influence on the problem).
The clients can connect to the server without a problem and - if enabled (as I won't be using it) - "Redirect default gateway" does its job and allows the client to use the internet connection of the server.
However, no matter what I try, I can't get access to the LAN (br0 interface) from the VPN subnet (tun2 interface) working.
From my tests I can conclude that the issue is that DD-WRT seems to drop (not block) all traffic from br0 to tun2 regardless of the firewall config or the static routes set. (Note: CVE-2019-14899 Mitigation is enabled as described in the troubleshooting guide.)

How I came to that conclusion:
Setup:
- Connecting a computer on another internet connection (on a different subnet than the VPN and LAN subnets, of course) to the VPN (VPN-PC)
- Pinging and trying to connect via TCP (using nc) to a computer on the LAN (LAN-PC) and vice versa
- Capturing packets using tcpdump on the computer on the VPN, on the computer on the LAN and on the DD-WRT router (separately on interfaces tun2 and br0)
Results:
- The packets going out of the VPN-PC reach the LAN-PC without any trouble (as expected, as I have added a 'push "route 192.168.0.0 255.255.255.0 vpn_gateway"' for the LAN subnet to the OpenVPN server config, which is successfully set in the routes on the VPN-PC) and are captured by all four capturing instances
- The packets from the LAN-PC to the VPN-PC (no matter if they're replies or originating packets) are only captured on the LAN-PC and on the br0 interface on the DD-WRT router, but not on the tun2 interface or the VPN-PC, meaning the packets are dropped (as no rejection is sent) between the br0 and tun2 interfaces
- Pinging the DD-WRT router VPN interface's IP address from within the router's SSH shell also results in packet loss, but pinging any other interface's IP (e.g. br0 or vlan2 [WAN]) works

Further things I've tried which didn't change anything:
- Added the following firewall rules: "iptables -I FORWARD -i tun2 -o br0 -j ACCEPT" and "iptables -I FORWARD -i br0 -o tun2 -j ACCEPT"
- Completely disabling the firewall (both from the GUI and by adding the rules "iptables -I FORWARD -j ACCEPT" and "iptables -I INPUT -j ACCEPT")
- Changed SFE to all possible modes (I haven't really understood why disabling it could potentially help, but I tried it anyway as it was recommended on a similar issue)
- Adding/manipulating the static route to the VPN net (both by putting "route 10.8.0.0 255.255.255.0 tun2" into the OpenVPN server config as well as manually changing the route using "ip route" to match the other routes to subnets the router is connected to)
- Following the OpenVPN setup guide and all troubleshooting steps that seemed relevant (https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1157344)
- Different VPN clients (OpenVPN on Windows, the included implementation on Manjaro Linux, the Android client)

What worked but not like I hoped:
- NATing the traffic ("iptables -t nat -I POSTROUTING -o br0 -s 10.8.0.0/24 -j MASQUERADE") => works for communication from VPN-PC to LAN-PC, but I would REALLY like to avoid it as I want VPN and LAN clients to be able to communicate with each other in both directions without the need for port forwards etc.

What I didn't try:
- Changing the VPN to bridged mode, as I want to use the VPN on clients which possibly don't support bridged mode, and as far as it's described in various guides, bridged mode is an even bigger hassle to set up than I already have with tunneled mode

Setup (public IPs etc. replaced by [...]):
LAN-Subnet: 192.168.0.0/24
VPN-Subnet: 10.8.0.0/24 (same as in OpenVPN setup guide)
OpenVPN-Server-Config (as generated by DD-WRT):
Code:

dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 3
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port [...]
proto udp4
cipher CHACHA20-POLY1305
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-128-GCM
client-connect /tmp/openvpn/clcon.sh
client-disconnect /tmp/openvpn/cldiscon.sh
client-config-dir /tmp/openvpn/ccd
tls-server
client-to-client
fast-io
tun-mtu 1400
mtu-disc yes
server 10.8.0.0 255.255.255.0
dev tun2
tls-auth /tmp/openvpn/ta.key 0
route-up /tmp/openvpn/route-up.sh
route-pre-down /tmp/openvpn/route-down.sh
persist-key
persist-tun
verb 3
#data-ciphers-fallback AES-256-CBC
push "dhcp_option DNS 192.168.0.1"
push "route 192.168.0.0 255.255.255.0 vpn_gateway"

OpenVPN-Client-Config:
Code:

ca ca.crt
cert client.crt
key client.key
client
dev tun
proto udp
remote [...] [...]
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
remote-cert-tls server
tls-auth taStr.key 1
#data-ciphers AES-256-GCM
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-128-GCM
data-ciphers-fallback CHACHA20-POLY1305
verb 3


I haven't found anything on this particular problem of packets getting dropped on the way from LAN to VPN (but not from WAN to VPN as described above) anywhere on the forum or in other documentation. Does anyone have an idea what might be causing the issue and how to solve it?

Greetings,
Georg

(sorry if this is posted in the wrong place or too long; it's my first post on the forum)
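As an added example (not code from the thread or from DD-WRT), the following Python checks the points on which the posted server and client configs have to agree: tls-auth key direction, cipher negotiation including the client's fallback, and that the pushed LAN route does not overlap the VPN subnet. It assumes the trimmed copies of the two posted configs embedded below; the root cause found later in the thread (the CVE-2019-14899 mitigation) is a router setting outside these files and is not something a config check can see.

```python
import ipaddress

# Constructed from the two configs posted above; redacted port/host omitted, only coupling directives kept.
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
dev tun2
topology subnet
tls-auth /tmp/openvpn/ta.key 0
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-128-GCM
push "dhcp_option DNS 192.168.0.1"
push "route 192.168.0.0 255.255.255.0 vpn_gateway"
"""
CLIENT_CONF = """\
client
dev tun
tls-auth taStr.key 1
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-128-GCM
data-ciphers-fallback CHACHA20-POLY1305
"""

def parse(conf):
    out = {}  # directive -> list of argument lists (push may repeat)
    for line in conf.splitlines():
        parts = line.strip().replace('"', "").split()
        if parts and not parts[0].startswith("#"):
            out.setdefault(parts[0], []).append(parts[1:])
    return out

def check(server_conf, client_conf):
    """Return the client/server mismatches found; an empty list means consistent."""
    s, c = parse(server_conf), parse(client_conf)
    problems = []
    # tls-auth key direction: 0 on the server must pair with 1 on the client
    if (s["tls-auth"][0][1:], c["tls-auth"][0][1:]) != (["0"], ["1"]):
        problems.append("tls-auth key direction mismatch")
    # negotiation needs a common data-cipher, and the client's fallback must be accepted too
    accepted = set(s["data-ciphers"][0][0].split(":"))
    if not accepted & set(c["data-ciphers"][0][0].split(":")):
        problems.append("no data-cipher common to client and server")
    fallback = c.get("data-ciphers-fallback", [[]])[0]
    if fallback and fallback[0] not in accepted:
        problems.append("client fallback cipher %s not accepted by server" % fallback[0])
    # a pushed LAN route overlapping the VPN subnet would shadow the tunnel itself
    vpn = ipaddress.ip_network("%s/%s" % tuple(s["server"][0]), strict=False)
    for args in s.get("push", []):
        if args[0] == "route":
            lan = ipaddress.ip_network("%s/%s" % (args[1], args[2]), strict=False)
            if lan.overlaps(vpn):
                problems.append("pushed route %s overlaps VPN subnet %s" % (lan, vpn))
    return problems
```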
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Wed Jun 02, 2021 15:07    Post subject:
I did not read all of it (will do later)

But if this router is in normal gateway mode, so its WAN is connected to the modem/internet, then you should disable CVE mitigation.

The rule:
iptables -t nat -I POSTROUTING -o br0 -s 10.8.0.0/24 -j MASQUERADE
is one of the things you can do if you want to keep it enabled.

See page 10 of the OpenVPN server setup guide

_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
modellbahnFreak
DD-WRT Novice


Joined: 31 May 2021
Posts: 2

PostPosted: Mon Jun 07, 2021 22:03    Post subject:
Thanks for your quick response and sorry for not replying in the last days - I was busy with other things.

egc wrote:
you should Disable CVE mitigation


I tried that and removed the NAT rule and it seems to work now. I must have misread the tutorial.

Thank you very much,
Georg
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Tue Jun 08, 2021 8:27    Post subject:
Glad it is solved :)
All times are GMT