Port forwarding - device not responding...

a15995
DD-WRT User


Joined: 18 Oct 2016
Posts: 96
Location: Copenhagen, Denmark

PostPosted: Thu Jan 20, 2022 13:49    Post subject: Port forwarding - device not responding...
Hello!

Not sure if this belongs under "advanced" but here goes.

I have trouble accessing an FTP server from the WAN side of my router. Accessing the same server locally is no problem.

I have the following port forwarding rule set up:

Code:
Application   Protocol   Source Net   Port from   IP Address   Port to   Enable
FTPWAN      TCP         -                     21XX      192.168.X.X      21      Y


This works when pointing to other devices in my local network but not with this specific device.

The problematic device is Linux-based but does not have the iptables command installed. As written, the device responds to port 21 locally.

I have other forwarding port problems reaching this device from the outside. It does not seem to respond to any WAN requests.

Any ideas as to how to test this issue further?

Thanks,

_________________
/Søren
Netgear Nighthawk X4S (R7800 ver. 1) | Atheros/Qualcomm(ARMv7) | IPQ8065 dual-core 1.7 GHz | AC2600 | 512 MB RAM | 128 MB FLASH | 128 KB NVRAM
Firmware: DD-WRT v3.0-r55109 std (02/09/24)
Install guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614

a15995
DD-WRT User


Joined: 18 Oct 2016
Posts: 96
Location: Copenhagen, Denmark

PostPosted: Thu Jan 20, 2022 14:17    Post subject: Routing internally to VPN client...
Hmm, all that writing made me actually think.

The device is also an OpenVPN client (policy based routing) which explains why it does not react to the WAN request.

The problem remains though (it just got advanced).

How do I route traffic from my public IP address to this VPN client internally?

Thanks,


eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Thu Jan 20, 2022 18:22    Post subject:
Given FTP is completely insecure (everything is in the clear, data and username/password), you should never expose it directly to the WAN anyway. You should be using a VPN (e.g., OpenVPN or WireGuard).

What I'm not quite sure about is whether the target device is actually hosting the OpenVPN client itself and using PBR there, or the OpenVPN client is on the router, and is being routed over the VPN due to PBR on the router. Your description was a bit ambiguous (at least to my eyes).

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
a15995
DD-WRT User


Joined: 18 Oct 2016
Posts: 96
Location: Copenhagen, Denmark

PostPosted: Thu Jan 20, 2022 21:32    Post subject:
eibgrad wrote:
Given FTP is completely insecure (everything is in the clear, data and username/password), you should never expose it directly to the WAN anyway. You should be using a VPN (e.g., OpenVPN or WireGuard).

What I'm not quite sure about is whether the target device is actually hosting the OpenVPN client itself and using PBR there, or the OpenVPN client is on the router, and is being routed over the VPN due to PBR on the router. Your description was a bit ambiguous (at least to my eyes).


The VPN is on the router and the device is routed through the tunnel using PBR on the router.

I may block FTP but as I wrote, I have other services that I want to access from WAN.

How can I route specific ports to this device given the VPN - I'm pretty sure I can put something in the firewall/commands that will get the device's VPN IP and route traffic that way...?

Thanks,


eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Thu Jan 20, 2022 22:10    Post subject:
I believe @egc updated PBR in the OpenVPN client to allow port-based support, rather than just source IP. But I haven't used it myself. Check the stickies in this forum for latest OpenVPN documents by @egc.

The other option is to use my own advanced PBR script (see my signature).

With my script, you don't need to specify any specific rules for remote access purposes. The mere installation of the script will always route replies from unsolicited traffic in from the WAN (i.e., remote access), back over the WAN, even if the target of that remote access is otherwise bound to the router's OpenVPN client due to other rules. It does this by marking those incoming packets at the connection level, so it always knows from which network interface they originated. IOW, my PBR is *stateful*.

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Thu Jan 20, 2022 22:31    Post subject:
P.S. A few other options to consider.

1) If you know the public IP(s) from which you'll be accessing the remote device over the WAN (workplace, school, favorite wifi cafe, etc.), you can simply bind those public IPs (or the class C networks to which they belong) to the WAN w/ static routing (i.e., route directives in the Additional Config field of the OpenVPN client).

Code:
route 199.199.199.199 255.255.255.255 net_gateway
route 188.188.188.0 255.255.255.0 net_gateway


Static routing will always take precedence over the default gateway. And it's the default gateway and whether it points to the WAN or VPN that causes the split tunneling (PBR). Of course, if you're truly roaming, then this strategy won't work since you won't know w/ any certainty what those public IPs will be.

2) https://pastebin.com/gnxtZuqg

3) Port forward over the VPN rather than the WAN, assuming your OpenVPN provider supports it (some do, most don't).

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

PostPosted: Fri Jan 21, 2022 8:14    Post subject:
Recent builds (currently 48141) support all ip rules, e.g. sport, to route a specific source port.

The Openvpn client setup guide, link in my signature, has a paragraph about that.

But all of @eibgrad's excellent suggestions will of course also work.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
a15995
DD-WRT User


Joined: 18 Oct 2016
Posts: 96
Location: Copenhagen, Denmark

PostPosted: Fri Jan 21, 2022 11:27    Post subject:
eibgrad wrote:
P.S. A few other options to consider.

1) If you know the public IP(s) from which you'll be accessing the remote device over the WAN (workplace, school, favorite wifi cafe, etc.), you can simply bind those public IPs (or the class C networks to which they belong) to the WAN w/ static routing (i.e., route directives in the Additional Config field of the OpenVPN client).

Code:
route 199.199.199.199 255.255.255.255 net_gateway
route 188.188.188.0 255.255.255.0 net_gateway


Static routing will always take precedence over the default gateway. And it's the default gateway and whether it points to the WAN or VPN that causes the split tunneling (PBR). Of course, if you're truly roaming, then this strategy won't work since you won't know w/ any certainty what those public IPs will be.

2) https://pastebin.com/gnxtZuqg

3) Port forward over the VPN rather than the WAN, assuming your OpenVPN provider supports it (some do, most don't).


Cool, thanks!

I don't suppose you can use a domain name instead of an IP to get around the dynamic IP issue in your route example?

Thanks,


egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

PostPosted: Fri Jan 21, 2022 11:34    Post subject:
Yes you can e.g.:
route ipchicken.com 255.255.255.255 net_gateway

Note domains only support /32 aka 255.255.255.255

If you read the OpenVPN Client setup guide it is all there

a15995
DD-WRT User


Joined: 18 Oct 2016
Posts: 96
Location: Copenhagen, Denmark

PostPosted: Fri Jan 21, 2022 12:19    Post subject:
egc wrote:
Recent builds (currently 48141) support all ip rules, e.g. sport, to route a specific source port.

The Openvpn client setup guide, link in my signature, has a paragraph about that.

But all of @eibgrad's excellent suggestions will of course also work.


Thanks egc, looking into your guide right now.

I tried using sport - is it not supposed to route specific ports from WAN to LAN?

Say I want to reach the device behind the VPN hosting FTP - I would use my public IP address (not the VPN IP) and the external port number. Port forwarding will take care of the correct local IP and port number, right?

This does not seem to work with r47665 - maybe I need to upgrade to latest build.

Thanks,


a15995
DD-WRT User


Joined: 18 Oct 2016
Posts: 96
Location: Copenhagen, Denmark

PostPosted: Fri Jan 21, 2022 12:25    Post subject:
egc wrote:
Yes you can e.g.:
route ipchicken.com 255.255.255.255 net_gateway

Note domains only support /32 aka 255.255.255.255

If you read the OpenVPN Client setup guide it is all there


Read that in the guide but thought it only worked the other way - outbound traffic from behind the router would go through WAN and not VPN to that specific IP/domain...

Will try...

Thanks,


egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

PostPosted: Fri Jan 21, 2022 12:51    Post subject:
Regarding the use of sport, you should be able to just add in the PBR field :
sport 21

But you have to choose "Route selected sources via WAN"
You can add more things like ip addresses etc which are also then routed via the WAN, everything else is routed via the VPN.

As queries for the FTP server are coming in via the WAN they also have to go back via the WAN otherwise the firewall will block it.
I have tested it with an OpenVPN server but with an FTP server it is also supposed to work the same.

Of course you can enter the IP address of the FTP server but then everything from this server will go out via the WAN.

But indeed you should upgrade, the latest build as of now is 48141.
I am running that as we speak, a reset should not be necessary, just upgrade.

But otherwise the solutions proposed by @eibgrad are also excellent choices (actually DD-WRT VPNs are inspired and guided by his work; if I am lost I ask him for help :) )

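Both eibgrad's description of a "stateful" PBR (mark unsolicited WAN connections at the connection level so replies go back out the WAN) and egc's point that queries arriving via the WAN have to leave via the WAN rest on the same Linux mechanism: iptables CONNMARK plus a fwmark policy route. The script below is an added example written for this thread; it is not eibgrad's script, not egc's PBR code and not anything shipped in DD-WRT. The interface names, the WAN gateway address, the routing table number and the rule priority are all placeholders (assumptions); in particular the priority must sort ahead of whatever policy rules the router's own OpenVPN PBR installs on your build. By default it only prints the rules so they can be reviewed; set APPLY=1 to execute them on the router.

```shell
#!/bin/sh
# Added example: stateful "reply goes back the way it came" rules for a DD-WRT
# router whose OpenVPN client carries LAN hosts via policy-based routing.
# Not eibgrad's script and not DD-WRT's own PBR code. Assumptions (placeholders):
# interface names, WAN gateway, routing table number, rule priority.
WAN_IF="${WAN_IF:-eth0}"           # assumed WAN interface
LAN_IF="${LAN_IF:-br0}"            # assumed LAN bridge
WAN_GW="${WAN_GW:-203.0.113.1}"    # assumed WAN gateway (documentation range)
TABLE="${TABLE:-100}"              # assumed free routing table
PRIO="${PRIO:-90}"                 # assumed priority, ahead of the VPN policy rules
MARK="0x1/0x1"                     # one bit of the connection mark: "arrived via WAN"

# Print the rule set, one command per line. Nothing is executed here, so the
# output can be reviewed (or compared with a running box) before applying.
build_rules() {
    cat <<EOF
iptables -t mangle -A PREROUTING -i $WAN_IF -m conntrack --ctstate NEW -j CONNMARK --set-mark $MARK
iptables -t mangle -A PREROUTING -i $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark --mask 0x1
iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark --mask 0x1
ip rule add fwmark $MARK table $TABLE priority $PRIO
ip route add default via $WAN_GW dev $WAN_IF table $TABLE
ip route flush cache
EOF
}

# Rule 1 tags every NEW connection that enters on the WAN (port forwards
# included, since mangle PREROUTING runs before the DNAT in nat PREROUTING).
# Rule 2 copies that tag onto reply packets from LAN hosts, rule 3 onto replies
# the router itself sends (e.g. a VPN server listening on the router).
# The ip rule then sends tagged packets through a table whose only default
# route is the WAN, so the VPN default route never sees them.

# Sanity check: all three marking rules (WAN ingress, LAN reply, router reply).
connmark_rule_count() {
    build_rules | grep -c 'CONNMARK'
}

# Execute the rules only when explicitly asked; otherwise just show them.
apply_rules() {
    build_rules | while IFS= read -r cmd; do
        $cmd || echo "failed: $cmd" >&2
    done
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_rules
else
    build_rules
fi
```

Because the mark lives on the conntrack entry rather than on individual packets, it survives the DNAT of the port forward and is available for every reply packet of that connection, which is what makes the approach independent of which LAN host or port is involved; a source-based rule such as egc's sport 21 instead has to be written per service.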
a15995
DD-WRT User


Joined: 18 Oct 2016
Posts: 96
Location: Copenhagen, Denmark

PostPosted: Tue Jan 25, 2022 9:21    Post subject: WG server...
egc wrote:
Regarding the use of sport, you should be able to just add in the PBR field :
sport 21

But you have to choose "Route selected sources via WAN"
You can add more things like ip addresses etc which are also then routed via the WAN, everything else is routed via the VPN.

As queries for the FTP server are coming in via the WAN they also have to go back via the WAN otherwise the firewall will block it.
I have tested it with an OpenVPN server but with an FTP server it is also supposed to work the same.

Of course you can enter the IP address of the FTP server but then everything from this server will go out via the WAN.

But indeed you should upgrade, the latest build as of now is 48141.
I am running that as we speak, a reset should not be necessary, just upgrade.

But otherwise the solutions proposed by @eibgrad are also excellent choices (actually DD-WRT VPNs are inspired and guided by his work; if I am lost I ask him for help :) )


Hey Eric!

I hate to bother you with this but I tried several things with port forwarding and came to the conclusion that I need a VPN server. Better and safer. Port forwarding introduced more problems than it solved.

I followed your WireGuard server guide (v42) but cannot get a handshake with my Android WG client (added with QR code). I try to access the router via afraid.org (DDNS) but have also tried directly (WAN IP).

I have an OVPN running on tun1 and a WG client on oet1. OVPN gave me all sorts of trouble (in the end, the problem was a leading hashtag in the PBR window). I tried disabling both tun1 and oet1 but still don't get a handshake on oet2.

Could you point me in a new direction here?

Your guide mentions things to do in the firewall - but since I can get it working on port 51515 (oet1 WG client/piHole) I don't see why it won't work on port 51810. I haven't put anything in my firewall yet.

As far as I can tell, this is not a port forwarding problem since WG is listening on port 51810 on the router itself.

Could this be a problem with my cell phone company blocking certain ports or traffic? The VPN does not work on LAN either...

I tried several DNS servers as well and checked the routing tables according to your troubleshooting guide.

I have enclosed my settings and they should be set as per your guide.

The phone sends data and receives very little after a while. The WG server says "waiting for connection". At some point I got a connection from an unknown IP:port (at which point I suspected the VPN messing up something as you mention in your guide).

Tried upgrading to r48141 but that introduced another problem with deleted static IP entries on reboot...

Any ideas?

Thanks,


egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

PostPosted: Tue Jan 25, 2022 16:21    Post subject:
First some tips about the static leases.

The static leases have changed but it could be that a simple refresh of your browser cache (CTRL+F5) will solve that.

That said most of us do not use the static leases box.

You can simply add the static leases in the Additional DNSMasq options like:
dhcp-host=00:08:9B:XX:XX:XX,192.168.0.91,QNAP453,1440m
dhcp-host=00:1B:XX:XX:XX:XX,192.168.0.99,Printer_HL2150,1440m

So that you can copy-paste that list and add/sort/delete in a text file.

You can retrieve your current leases from /tmp/dnsmasq.conf

Now on to your WG server.

To test, disable the WG client tunnel and the OVPN tunnel so that you only have the WG server tunnel running. Make sure you also delete any scripts (e.g. kill scripts).

The WG server should have an IP address of 10.4.0.1/24 check that

On first glance the setup looks OK.

You can use any port you want as long as it is not used elsewhere so the other WG tunnel can not use that port or you can also not use a port forward with that port!

51810 is the local listen port, that port is automatically opened on the server, the client must use that same port as endpoint and also as its local listen port (theoretically that is not necessary but if not it could get blocked)

so check that on the client (your phone).

Also check on the client that Keepalive is set to 20 (or 25) and that you use a publicly available DNS server, e.g. 8.8.8.8.
It helps if you post the client config file (or you can PM it to me)

Newest version has a more elaborate config file option, to set DDNS etc.

Your MTU 1428 does not look OK, if you are using PPPoE use 1412 (set the same on the client).

As always test from outside with your phone on cellular.

If that does not help I need more troubleshooting information i.e. from CLI (telnet/Putty):
wg
wg showconf oet1
ip route show
iptables -vnL FORWARD | grep oet
iptables -vnL INPUT
iptables -vnL -t nat
iptables -vnL -t raw
nvram show | grep oet
grep -E -i 'oet|wireguard' /var/log/messages

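Keeping the static leases as dhcp-host lines in a text file, as egc suggests above, makes it easy to check the list before pasting it into Additional DNSMasq Options. The script below is an added example (not egc's or DD-WRT's code) that flags malformed MACs, malformed IPv4 addresses and a MAC or IP that appears twice, which would otherwise hand two machines the same lease. The lease list it checks is constructed for the example; feed it your own with `check_leases < leases.txt`.

```shell
#!/bin/sh
# Added example (not egc's or DD-WRT's code): sanity-check a list of dnsmasq
# dhcp-host lines (dhcp-host=MAC,IP,hostname,leasetime) before pasting it into
# Additional DNSMasq Options. The sample list below is constructed.
SAMPLE_LEASES='dhcp-host=00:08:9B:AA:BB:CC,192.168.0.91,QNAP453,1440m
dhcp-host=00:1B:AA:BB:CC:DD,192.168.0.99,Printer_HL2150,1440m
dhcp-host=00:1B:AA:BB:CC:DD,192.168.0.120,Laptop,1440m
dhcp-host=00:08:9B:11:22:33,192.168.0.300,Bad_IP,1440m'

# Read dhcp-host lines on stdin; print one problem per line on stdout.
# Prints nothing when the list is clean.
check_leases() {
    awk '
    BEGIN {
        FS = ","
        h = "[0-9A-Fa-f][0-9A-Fa-f]"
        macre = "^" h ":" h ":" h ":" h ":" h ":" h "$"   # aa:bb:cc:dd:ee:ff
    }
    # Dotted-quad check: four numeric octets, each 0..255.
    function valid_ip(ip,    a, n, i) {
        n = split(ip, a, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (a[i] !~ /^[0-9]+$/ || a[i] + 0 > 255) return 0
        return 1
    }
    /^[ \t]*$/ { next }                                  # skip blank lines
    !/^dhcp-host=/ { print NR ": not a dhcp-host line"; next }
    {
        mac = tolower(substr($1, 11))                    # strip "dhcp-host="
        ip  = $2
        if (mac !~ macre)  print NR ": bad MAC " mac
        if (!valid_ip(ip)) print NR ": bad IP " ip
        if (mac in seen_mac) print NR ": duplicate MAC " mac " (first seen on line " seen_mac[mac] ")"
        else seen_mac[mac] = NR
        if (ip in seen_ip)   print NR ": duplicate IP " ip " (first seen on line " seen_ip[ip] ")"
        else seen_ip[ip] = NR
    }'
}

# Number of problems found in the constructed sample: 2 (duplicate MAC, bad IP).
sample_problem_count() {
    printf '%s\n' "$SAMPLE_LEASES" | check_leases | awk 'END { print NR }'
}

printf '%s\n' "$SAMPLE_LEASES" | check_leases
```

MACs are compared case-insensitively, since dnsmasq treats `00:1B:...` and `00:1b:...` as the same client; a duplicate MAC is reported against the first line that used it so the offending pair is easy to find in a long list.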
a15995
DD-WRT User


Joined: 18 Oct 2016
Posts: 96
Location: Copenhagen, Denmark

PostPosted: Tue Jan 25, 2022 21:18    Post subject:
Thanks Eric!

Have sent you PB - two in fact.

Regarding static leases - I have my setup in a file already, just find it odd that they are deleted on boot. Refresh does not help - they're all gone except the first entry...

/Søren

