port forwarding with openvpn client enabled

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking
Goto page Previous  1, 2
Author Message
forerunnert
DD-WRT Novice


Joined: 12 Jan 2017
Posts: 17

PostPosted: Thu Jan 19, 2017 21:49    Post subject: Reply with quote
It's a nice tool when accessing WAN means you have to actually get outside the house and travel a long distance, saves time Smile

Anyway, after enabling VPN and startup/FW scripts the results are the same: no access

Interestingly I also tried with VPN/scripts disabled but with LAN to WAN access to my ISP modem enabled:

Code:

startup:
ifconfig `nvram get wan_ifname`:0 192.168.10.2 netmask 255.255.255.0

firewall:
iptables -t nat -I POSTROUTING -o `nvram get wan_ifname` -j MASQUERADE


That functionality works without but also breaks after enabling VPN
Sponsor
forerunnert
DD-WRT Novice


Joined: 12 Jan 2017
Posts: 17

PostPosted: Thu Jan 19, 2017 22:03    Post subject: Reply with quote
it seems it does:

Code:
root@DD-WRT:~# iptables -t mangle -vnL PREROUTING
Chain PREROUTING (policy ACCEPT 60331 packets, 31M bytes)
 pkts bytes target     prot opt in     out     source               destination         
   22  1320 MARK       tcp  --  br0    *       192.168.1.10          0.0.0.0/0           tcp spt:22  MARK set 0x1
forerunnert
DD-WRT Novice


Joined: 12 Jan 2017
Posts: 17

PostPosted: Thu Jan 19, 2017 22:18    Post subject: Reply with quote
To be clear: my table 100 is empty if I don't manually enter the commands, so something is going on there..

If I paste the script in the web IF and execute it:
Code:
sh: eval: line 6: syntax error: unexpected word

line 6 is 'done' here

removed 'done':
Code:
sh: eval: line 25: syntax error: unexpected word (expecting


line 25 is 'done' again

removed 'done':
Code:
sh: eval: line 28: syntax error: unexpected end of file (expecting `w¿SHwdonet;


So it doesn't like 'done'?

The script worked for phatbob right? Seems the syntax is the same with me.
forerunnert
DD-WRT Novice


Joined: 12 Jan 2017
Posts: 17

PostPosted: Thu Jan 19, 2017 22:23    Post subject: Reply with quote
for completeness here is what I'm running now:

startup:
Code:

# allow modem config
ifconfig `nvram get wan_ifname`:0 192.168.10.2 netmask 255.255.255.0

# VPN setup
<VPN magic>

# allow WAN to LAN access
#########################
sleep 10
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done

#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun1".
#
#

ip route show table main | grep -Ev ^default | grep -Ev tun1 | while read ROUTE ; do
ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache


and firewall:

Code:
# Allow WAN to LAN access
iptables -t mangle -F PREROUTING

# allow modem config
iptables -t nat -I POSTROUTING -o `nvram get wan_ifname` -j MASQUERADE

# SSH Traffic: Bypass VPN
#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#
iptables -t mangle -A PREROUTING -i br0 -p tcp -s 192.168.1.10 --sport 22  -j MARK --set-mark 1


# VPN killswitch
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I FORWARD -i br0 -o $WAN_IF -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -m state --state NEW -j REJECT --reject-with tcp-reset


The 2 'done's in startup is what is preventing execution it seems.
forerunnert
DD-WRT Novice


Joined: 12 Jan 2017
Posts: 17

PostPosted: Thu Jan 19, 2017 22:46    Post subject: Reply with quote
It seems to work now, nice!

firewall script:

Code:
# Allow WAN to LAN access
iptables -t mangle -F PREROUTING

# allow modem config
iptables -t nat -I POSTROUTING -o `nvram get wan_ifname` -j MASQUERADE

# SSH Traffic: Bypass VPN
#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#
iptables -t mangle -A PREROUTING -i br0 -p tcp -s 192.168.1.10 --sport 22  -j MARK --set-mark 1


# VPN killswitch
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I FORWARD -i br0 -o $WAN_IF -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -m state --state NEW -j REJECT --reject-with tcp-reset
iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -s 192.168.1.10 --sport 22 -j ACCEPT


I'll confirm tomorrow with a real ssh client after my daily migration from LAN to WAN (I never referred to my work like that before Smile )
For now I tested with http://www.infobyip.com/sshservertest.php and # tcpdump -n host 45.79.3.202 on 192.168.1.10

Can't thank you enough for the help, much appreciated!
vibit
DD-WRT Novice


Joined: 21 Apr 2016
Posts: 2

PostPosted: Sun Feb 05, 2017 4:21    Post subject: Reply with quote
Hello, am trying to do the same thing but with port 5900 and port 8000, can you make a step by step guide of what you do to work.

thx for the help.
tsht
DD-WRT Novice


Joined: 25 Dec 2010
Posts: 2

PostPosted: Fri May 15, 2020 11:04    Post subject: Reply with quote
Hello.
I'm trying to do this now, but if I understand well
iptables -t mangle -F PREROUTING will flush mangle table for PREROUTING...

But in Mangle I have this :
Code:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       0    --  anywhere             192.168.XX.XX         MARK or 0x80000000
CONNMARK   0    --  anywhere             anywhere            CONNMARK save


Where 192.168.XX.XX is my ISP router I guess.
I don't know why this MARK would be necessary, the same for tne CONNMARK...
I would rather know what I'm doing ^^
So why do you think I would need to flush the prerouting ?
Goto page Previous  1, 2 Display posts from previous:    Page 2 of 2
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum