Posted: Wed Jun 02, 2021 5:56 Post subject: [SOLVED]OpenVPN Server Packets from br0 (LAN) dropped
Hi,
I'm currently trying to (re-)set up OpenVPN on my NETGEAR R7000 (which serves as my main network router and WiFi AP but not as DHCP or DNS server, which is done by a Windows DC) on which I just recently updated the DD-WRT firmware to DD-WRT v3.0-r46816 std (05/30/21) (which - according to the build thread - introduces policy based routing and some other features for OpenVPN, but if I understand correctly, they have no influence on the problem).
The clients can connect to the server without a problem and - if enabled (as I won't be using it) - "Redirect default gateway" does its job and allows the client to use the internet connection of the server.
However no matter what I try I can't get access to the LAN (br0 interface) from the VPN-Subnet (tun2 interface) running.
From my tests I can conclude that the issue is that DD-WRT seems to drop (not block) all traffic from br0 to tun2 regardless of the firewall config or the static routes set. (Note: CVE-2019-14899 Mitigation is enabled as described in the troubleshooting guide)
How I came to that conclusion:
Setup:
- Connecting a Computer on another internet connection (on a different subnet than the VPN and LAN subnets of course) to the VPN (VPN-PC)
- Pinging and trying to connect via tcp (using nc) to a computer on the LAN (LAN-PC) and vice versa
- Capturing packets using tcpdump on the computer on the VPN, on the computer on the LAN and on the DD-WRT router (separately on interfaces tun2 and br0)
Results:
- The packets going out of the VPN-PC reach the LAN-PC without any trouble (as expected, as I have added a 'push "route 192.168.0.0 255.255.255.0 vpn_gateway"' for the LAN subnet to the OpenVPN server config, which is successfully set in the routes on the VPN-PC) and are captured by all four capturing instances
- The packets from the LAN-PC to the VPN-PC (no matter if they're replies or originating packets) are only captured on the LAN-PC and on the br0 interface on the DD-WRT router but not on the tun2 interface or the VPN-PC, meaning the packets are dropped (as no rejection is sent) between the br0 and tun2 interface
- Pinging the DD-WRT router VPN interface's IP address from within the router's ssh interface also results in packet loss but pinging any other interface's IP (e.g. br0 or vlan2 [WAN]) works
Further things I've tried which didn't change anything:
- Added the following firewall rules: "iptables -I FORWARD -i tun2 -o br0 -j ACCEPT" and "iptables -I FORWARD -i br0 -o tun2 -j ACCEPT"
- Completely disabling the firewall (both from the GUI and by adding the rules "iptables -I FORWARD -j ACCEPT" and "iptables -I INPUT -j ACCEPT")
- Changed SFE to all possible modes (I haven't really understood why disabling it could potentially help, but I tried it anyway as it was recommended on a similar issue)
- Adding/manipulating the static route to the VPN net (both by putting the "route 10.8.0.0 255.255.255.0 tun2" into the OpenVPN server config as well as manually changing the route using "ip route" to match the other routes to subnets the router is connected to)
- Following the OpenVPN setup guide and all troubleshooting steps that seemed relevant (https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1157344)
- Different VPN Clients (OpenVPN on Windows, the included implementation on Manjaro Linux, the Android Client)
What worked but not like I hoped:
- NATing the traffic ("iptables -t nat -I POSTROUTING -o br0 -s 10.8.0.0/24 -j MASQUERADE") => works for communication from VPN-PC to LAN PC but I would REALLY like to avoid it as I want VPN and LAN clients to be able to communicate with each other in both directions without the need for port forwards etc.
What I didn't try:
- Changing the VPN to bridged mode as I want to use the VPN on clients which possibly don't support bridged mode, and as far as it's described in various guides, bridged mode is an even bigger hassle to set up than I already have with tunneled mode
Setup (public IPs etc. replaced by [...]):
LAN-Subnet: 192.168.0.0/24
VPN-Subnet: 10.8.0.0/24 (same as in OpenVPN setup guide)
OpenVPN-Server-Config (as generated by DD-WRT):
ca ca.crt
cert client.crt
key client.key
client
dev tun
proto udp
remote [...] [...]
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
remote-cert-tls server
tls-auth taStr.key 1
#data-ciphers AES-256-GCM
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-128-GCM
data-ciphers-fallback CHACHA20-POLY1305
verb 3
I haven't found anything on this particular problem of packets getting dropped on the way from LAN to VPN (but not from WAN to VPN as described above) anywhere on the forum or in other documentation. Does anyone have an idea what might be causing the issue and how to solve it?
Greetings,
Georg
(sorry if this is posted in the wrong place or too long; it's my first post on the forum)
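The "where was the packet last seen" reasoning in the post above (four tcpdump captures along the path VPN-PC, tun2, br0, LAN-PC, compared per direction) can be automated. The following is an added example written for this page, not code from the original post or from DD-WRT: it parses `tcpdump -n` output from each capture point, groups lines by source/destination host, and reports, per flow, the last point that saw the packet and the first point that did not. The capture-point names, the subnets and the sample tcpdump lines are constructed to mirror the setup described in the post.

```python
import ipaddress
import re

# Capture points in path order from the VPN side to the LAN side.
# These names are assumptions for the example; label each tcpdump
# capture with the point it was taken at.
PATH = ["VPN-PC", "tun2", "br0", "LAN-PC"]

# tcpdump -n prints "IP <src> > <dst>:"; for TCP/UDP the port is appended
# to the address as a fifth dotted component.
_LINE = re.compile(r"\bIP (\S+) > (\S+):")


def _host(addr):
    """Strip the port suffix tcpdump appends to IPv4 addresses (a.b.c.d.port)."""
    return ".".join(addr.split(".")[:4])


def parse_captures(captures):
    """Map each (src, dst) flow to the set of capture points that saw it.

    captures: {capture_point: tcpdump -n output as text}
    """
    seen = {}
    for point, text in captures.items():
        for line in text.splitlines():
            m = _LINE.search(line)
            if m:
                flow = (_host(m.group(1)), _host(m.group(2)))
                seen.setdefault(flow, set()).add(point)
    return seen


def trace(points_seen, origin):
    """Walk PATH from the packet's origin side ('vpn' or 'lan'); report the
    last point that saw it and the first point that did not (None if it
    reached the far end)."""
    order = PATH if origin == "vpn" else list(reversed(PATH))
    last = None
    for point in order:
        if point not in points_seen:
            return {"last_seen": last, "dropped_before": point}
        last = point
    return {"last_seen": last, "dropped_before": None}


def locate_drops(captures, vpn_net, lan_net):
    """Classify each observed flow by origin subnet and locate where it vanishes."""
    vpn = ipaddress.ip_network(vpn_net)
    lan = ipaddress.ip_network(lan_net)
    result = {}
    for (src, dst), points in parse_captures(captures).items():
        src_ip = ipaddress.ip_address(src)
        if src_ip in vpn:
            origin = "vpn"
        elif src_ip in lan:
            origin = "lan"
        else:
            continue  # not a VPN<->LAN flow; ignore
        result[(src, dst)] = trace(points, origin)
    return result


# Constructed sample captures (not real traffic from the post): an ICMP echo
# and a TCP SYN from the VPN client are seen at every point, while the
# replies from the LAN host appear only on the LAN host and on br0.
_REQ = (
    "12:00:01.000001 IP 10.8.0.6 > 192.168.0.10: ICMP echo request, id 1, seq 1, length 64\n"
    "12:00:02.000001 IP 10.8.0.6.40000 > 192.168.0.10.22: Flags [S], seq 1, win 64240, length 0\n"
)
_REPLY = (
    "12:00:01.000500 IP 192.168.0.10 > 10.8.0.6: ICMP echo reply, id 1, seq 1, length 64\n"
    "12:00:02.000500 IP 192.168.0.10.22 > 10.8.0.6.40000: Flags [S.], seq 0, ack 2, win 65160, length 0\n"
)
CAPTURES = {
    "VPN-PC": _REQ,
    "tun2": _REQ,
    "br0": _REQ + _REPLY,
    "LAN-PC": _REQ + _REPLY,
}

if __name__ == "__main__":
    for (src, dst), r in locate_drops(CAPTURES, "10.8.0.0/24", "192.168.0.0/24").items():
        if r["dropped_before"] is None:
            where = "reached the far end"
        else:
            where = "lost between %s and %s" % (r["last_seen"], r["dropped_before"])
        print("%s -> %s: %s" % (src, dst, where))
```

With real captures, replace the `CAPTURES` strings with the text of each `tcpdump -n -i <iface>` run (same filter on every point, e.g. `host 10.8.0.6`); the script then prints, for each direction, the segment of the path where the packets stop appearing, which is the segment whose firewall chain, route or interface to inspect next.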