Allow firewall to route WAN to TUN for VPN setup

MaxBPM
DD-WRT Novice


Joined: 24 Jul 2019
Posts: 3

PostPosted: Wed Jul 24, 2019 10:35    Post subject: Allow firewall to route WAN to TUN for VPN setup
Hello everyone!

I started to work with dd-wrt (TP-Link TL-WDR3600 v1) and I am pretty amazed by the possibilities. Besides a PiHole on a BananaPi, I managed to run a paid VPN client (Mullvad) on the router and, in addition, a PiVPN on a second BananaPi in my network as a VPN server. So I'm running into the known issue that both systems will not work together (client and server). Reading this thread:

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1129398

told me that my router's firewall is blocking data from going from my WAN (from my smartphone over my PiVPN with OpenVPN) to my VPN when the tunnel to the outside world is active. As eibgrad wrote:

WAN in, WAN out ... is allowed
WAN in, VPN out ... is denied
VPN in, VPN out ... is allowed
VPN in, WAN out ... is denied

Okay, got it. So I see the possibilities: use these complex scripts to switch between WAN and VPN, or use port forwarding via VPN (which would force me to use the VPN app from Mullvad on my smartphone).

But I do not get one point. Why can I not simply allow this in my firewall? Is it not possible to write an iptables rule to allow all traffic coming to my VPN port (1194) over WAN to go out over the Mullvad VPN? I ask because if I disable my firewall everything works (and my IP on my smartphone also changes to the Mullvad one), so that tells me that it's definitely the firewall, exactly as described. I cannot see security issues here, because to contact my PiVPN you need a certificate and it would be the only port to be allowed. So nobody could hack that easily.

Can somebody explain to me why this is not an option or, if it is, how it could be realized? I just started with iptables and am pretty concerned about stopping all traffic.

I am pretty interested in this setup because this would allow me to use my PiHole DNS in combination with Mullvad also from abroad.

Thank you a lot for your help! Please be lenient, this is my first post in this forum.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3793
Location: Netherlands

PostPosted: Wed Jul 24, 2019 11:54
Well, first of all, welcome to DD-WRT.

For these questions you get better answers in the Advanced Routing forum; maybe one of the moderators will move this thread?

What you want (port based routing) is exactly what (some of) the scripts are doing.

If you do not want that, use Policy Based Routing. This gets your router off the VPN and back to the WAN, and in the PBR field you enter all the clients you want to use the VPN (but never the router's IP and of course not the VPN server).
Use CIDR notation: https://www.ipaddressguide.com/cidr

But if you need the VPN server to also use the VPN for some applications then you must use port based routing and use one of @eibgrad's advanced scripts.

I have used those to setup for someone who had the VPN server on his NAS but also had Transmission on his NAS for which he wanted to use the VPN.

Script looks complicated but is not hard to set up.

Oh, almost forgot, always state router (you did) and build number so that we can better tailor our advice

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
Simple PBR (Policy Based Routing) script: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN server setup guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
MaxBPM
DD-WRT Novice


Joined: 24 Jul 2019
Posts: 3

PostPosted: Wed Jul 24, 2019 17:28
Thank you a lot! I am not sure if I got it all right.

Quote:
If you do not want that, use Policy Based Routing. This gets your router off the VPN and back to the WAN, and in the PBR field you enter all the clients you want to use the VPN (but never the router's IP and of course not the VPN server).
Use CIDR notation: https://www.ipaddressguide.com/cidr


This is what I did so far. I excluded my router, the Pi with the PiHole (DNS/DHCP server) and the Pi with the VPN server from the usage of the VPN client (Mullvad) by using CIDR for all DHCP clients (all others). This is working, but not what I want. When surfing from abroad my goal is to use the VPN client as well. So I want to connect to my PiVPN, but from there route the outgoing traffic over the paid VPN into the world.

Quote:
But if you need the VPN server to also use the VPN for some applications then you must use port based routing and use one of @eibgrad's advanced scripts.
I have used those to setup for someone who had the VPN server on his NAS but also had Transmission on his NAS for which he wanted to use the VPN.

I thought about this, but is this really necessary? For me (a beginner) these scripts seem quite complex and I ask myself why it is not a simple firewall expression to have one device in my network (the Pi with the PiVPN server running) always route from WAN to VPN. I'm pretty sure that these scripts can handle that, but correct me if I'm wrong, they seem to do a lot more than one single routing accept command. Where am I wrong here? I am not even sure if I really need port based routing, since the connection from this Pi in my network to the VPN client is the problem in my eyes. Would it not be enough to route all traffic coming into the PiVPN from my smartphone (specific IP in my network) into the VPN client output?

Quote:
Script looks complicated but is not hard to set up.

I will try to handle this, if there is no option more simple.

Quote:
Oh, almost forgot, always state router (you did) and build number so that we can better tailor our advice

Alright, thanks for the hint: it's

Firmware: DD-WRT v3.0-r37305 std (10/10/18)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3793
Location: Netherlands

PostPosted: Wed Jul 24, 2019 17:38
I have an OVPN server and client running on the same router with PBR.

It is quite possible to route outgoing traffic from the VPN server via the VPN client (I do it).

Include the IP addresses of the VPN client, i.e. 10.8.0.2, on the PBR list.

See my signature for an OVPN server setup guide; there is also a chapter on running a server and client on the same router explaining this. Have fun.

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
Simple PBR (Policy Based Routing) script: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN server setup guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Wed Jul 24, 2019 18:10
Quote:
But I do not get one point. Why can I not simply allow this in my firewall? Is it not possible to write an iptables rule to allow all traffic coming to my VPN port (1194) over WAN to go out over the Mullvad VPN? I ask because if I disable my firewall everything works (and my IP on my smartphone also changes to the Mullvad one), so that tells me that it's definitely the firewall, exactly as described. I cannot see security issues here, because to contact my PiVPN you need a certificate and it would be the only port to be allowed. So nobody could hack that easily.


Whether this is possible on a per client basis, I don't know. But I've never seen it done. AFAIK, it's an all or nothing option. If you want the ability to use different network interfaces for incoming and outgoing, you need to disable the SPI firewall, which is something I do NOT recommend. That firewall is not just protecting the VPN's network interface, but all the other network interfaces too, like the WAN!!

Quote:
This is what I did so far. I excluded my router, the Pi with the PiHole (DNS/DHCP server) and the Pi with the VPN server from the usage of the VPN client (Mullvad) by using CIDR for all DHCP clients (all others). This is working, but not what I want. When surfing from abroad my goal is to use the VPN client as well. So I want to connect to my PiVPN, but from there route the outgoing traffic over the paid VPN into the world.


If you want remote OpenVPN clients of your local OpenVPN server to use the local OpenVPN client, then simply add the OpenVPN server's tunnel network to the PBR field (e.g., 10.8.0.0/24, or whatever private IP space you specified on the OpenVPN server config). It's just that simple.

One caveat. I don't recall if dd-wrt NATs everything over the local OpenVPN client's network interface (tun1) by default. If not, you might have to add the following to the firewall script.

Code:
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o tun1 -j MASQUERADE


I would first try it without the NAT rule, and if it doesn't work, then add the NAT rule and try again.

_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
NEW SCRIPT!: ddwrt-mount-usb-drives.sh
NEW SCRIPT!: ddwrt-blacklist-domains.sh
NEW SCRIPT!: ddwrt-ovpn-remote-access.sh
NEW SCRIPT!: ddwrt-pptp-policy-based-routing.sh
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3793
Location: Netherlands

PostPosted: Wed Jul 24, 2019 18:18
The OpenVPN client NATs everything out on the tunnel, so no need to add an extra NAT rule.

Code:
Chain POSTROUTING (policy ACCEPT 18 packets, 1958 bytes)
 pkts bytes target     prot opt in     out     source               destination
   62 22172 MASQUERADE  0    --  *      tun1    0.0.0.0/0            0.0.0.0/0
    0     0 SNAT       0    --  *      eth0    192.168.2.0/24       0.0.0.0/0           to:192.168.0.4
    0     0 MASQUERADE  0    --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x80000000/0x80000000
    0     0 MASQUERADE  0    --  *      eth0    10.8.0.0/24          0.0.0.0/0
root@R7800:~#

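As an added example (not egc's or eibgrad's code, and not part of dd-wrt), here is the check a practitioner would run before adding eibgrad's MASQUERADE rule: parse the router's `iptables -t nat -L POSTROUTING -v -n` listing and emit the rule only when the server's tunnel subnet is not already NATed out of the VPN client's tun device. The first sample is egc's listing from this thread; the second is a constructed listing without the tun1 rule. The function names, the dry-run behaviour, and the decision that a rule with extra conditions (such as the mark rule) does not count as coverage are assumptions of this example.

```shell
# Added example (not from the thread or dd-wrt): decide whether the OpenVPN
# server's tunnel subnet is already NATed out of the VPN client's tun device
# before adding a second MASQUERADE rule. Input is the output of
# `iptables -t nat -L POSTROUTING -v -n` on the router.

# Sample 1: egc's listing from the thread (tun1 already masquerades everything).
SAMPLE_TUN1_NAT=$(cat <<'EOF'
Chain POSTROUTING (policy ACCEPT 18 packets, 1958 bytes)
 pkts bytes target     prot opt in     out     source               destination
   62 22172 MASQUERADE  0    --  *      tun1    0.0.0.0/0            0.0.0.0/0
    0     0 SNAT       0    --  *      eth0    192.168.2.0/24       0.0.0.0/0           to:192.168.0.4
    0     0 MASQUERADE  0    --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x80000000/0x80000000
    0     0 MASQUERADE  0    --  *      eth0    10.8.0.0/24          0.0.0.0/0
EOF
)

# Sample 2 (constructed): a router whose VPN client does not NAT on tun1.
SAMPLE_NO_TUN1_NAT=$(cat <<'EOF'
Chain POSTROUTING (policy ACCEPT 18 packets, 1958 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  0    --  *      eth0    0.0.0.0/0            0.0.0.0/0
EOF
)

# nat_covers DUMP SRC_CIDR OUT_DEV -> exit 0 if a MASQUERADE/SNAT rule already
# applies to SRC_CIDR leaving OUT_DEV, 1 otherwise. Rules carrying an extra
# match (e.g. "mark match ...") are ignored because they only hit marked packets.
# Columns of `-L -v -n`: pkts bytes target prot opt in out source destination [extra]
nat_covers() {
  printf '%s\n' "$1" | awk -v src="$2" -v dev="$3" '
    /^Chain/ || /^ *pkts/ || NF < 9 { next }
    ($3 == "MASQUERADE" || $3 == "SNAT") &&
    ($7 == dev || $7 == "*") &&
    ($8 == "0.0.0.0/0" || $8 == src) &&
    ($10 == "" || $10 ~ /^to:/) { found = 1 }
    END { exit (found ? 0 : 1) }'
}

# ensure_masquerade DUMP SRC_CIDR OUT_DEV -> prints the iptables command only
# when it is needed (dry run; on the router, pipe the output to sh to apply it).
ensure_masquerade() {
  if nat_covers "$1" "$2" "$3"; then
    echo "# $2 already NATed out of $3, no rule needed"
  else
    echo "iptables -t nat -I POSTROUTING -s $2 -o $3 -j MASQUERADE"
  fi
}

ensure_masquerade "$SAMPLE_TUN1_NAT" 10.8.0.0/24 tun1
ensure_masquerade "$SAMPLE_NO_TUN1_NAT" 10.8.0.0/24 tun1
```

On a live router the dump comes from `iptables -t nat -L POSTROUTING -v -n`; the `-n` keeps addresses numeric so the column layout matches the parser. Checking first avoids stacking a redundant MASQUERADE rule every time the firewall script runs.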
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3793
Location: Netherlands

PostPosted: Wed Jul 24, 2019 18:28
Question for @eibgrad: I know it will work (I am using it), but is it not strange that including the IP address of the OVPN server itself (10.8.0.1) does not play havoc? Especially as there are no local routes in the alternate routing table (unless using your table-10-fix script or my PBR script).

I think I know part of the answer: the OVPN server actually has no IP address bound to it, I think?

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Wed Jul 24, 2019 18:48
egc wrote:
Question for @eibgrad: I know it will work (I am using it), but is it not strange that including the IP address of the OVPN server itself (10.8.0.1) does not play havoc? Especially as there are no local routes in the alternate routing table (unless using your table-10-fix script or my PBR script).

I think I know part of the answer: the OVPN server actually has no IP address bound to it, I think?


Technically, there's no problem in specifying the router's LAN ip, either explicitly (e.g., 192.168.1.1) or implicitly (e.g., 192.168.1.0/24) in PBR. The problem comes from dd-wrt NOT copying all the routes from the main routing table into the alternate routing table!

https://svn.dd-wrt.com/ticket/5690

If you apply the fix indicated in the above bug report, you *can* specify the router's LAN ip in PBR.

The failure to copy the routes creates the same problem for the router as it does for any other client on the LAN using PBR. But in the case of the router, it's particularly disastrous because those same clients are heavily dependent on the router (via its LAN ip) for services (httpd, dhcpd, dns, etc.). When the router gets placed in PBR and doesn't have the routes it needs, the whole network essentially falls apart. That is why I've always recommended you do NOT specify the router's LAN ip in PBR. But that recommendation came long before I created that fix. Again, with the fix applied, it should work.

That's why this particular bug needs to be fixed; it creates all kinds of problems. But as you well know, it never gets any love. It's been sitting there for three (3) years!

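To show what the PBR field egc describes and the route-copy fix eibgrad refers to (ticket 5690) amount to underneath, here is an added example that is neither egc's PBR script nor eibgrad's table-10 fix, and not dd-wrt code. It reads an `ip route show table main` dump (a constructed one using documentation addresses), copies every non-default route into the alternate table so PBR clients keep their routes to the LAN, the OpenVPN server's tunnel and the VPN endpoint, points that table's default route at the VPN client's tun device, and adds one `ip rule` per CIDR after validating the notation. The table number 10, the device name tun1, the `dev tun1` default route and the function names are assumptions of this example; the script prints the commands instead of applying them.

```shell
# Added example (not egc's or eibgrad's script, not dd-wrt code): generate the
# commands behind "put these CIDRs in the PBR field", including the step that
# dd-wrt ticket 5690 describes as missing: copying the main table's routes
# into the alternate table. Assumptions: table 10 is the alternate table, the
# VPN client's device is tun1 and its default route is set with "dev tun1".
# Output is printed, not applied.

# Constructed `ip route show table main` dump (documentation addresses):
# eth0 = WAN, br0 = LAN, tun2 = local OpenVPN server, tun1 = VPN client.
SAMPLE_MAIN_ROUTES=$(cat <<'EOF'
default via 203.0.113.1 dev eth0
10.8.0.0/24 dev tun2 scope link src 10.8.0.1
192.168.1.0/24 dev br0 scope link src 192.168.1.1
198.51.100.0/24 dev tun1 scope link src 198.51.100.7
203.0.113.0/24 dev eth0 scope link src 203.0.113.5
EOF
)

# valid_cidr A.B.C.D/N -> exit 0 for a well-formed IPv4 CIDR, 1 otherwise.
# A bare address without /N is rejected, matching egc's "use CIDR notation".
valid_cidr() {
  printf '%s\n' "$1" | awk -F'[./]' '
    NF != 5 { exit 1 }
    {
      for (i = 1; i <= 4; i++)
        if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
      if ($5 !~ /^[0-9]+$/ || $5 > 32) exit 1
    }'
}

# pbr_commands MAIN_DUMP TABLE TUN_DEV CIDR... -> prints the ip(8) commands that
# (1) copy every non-default main-table route into TABLE, (2) point TABLE's
# default route at TUN_DEV, (3) send each CIDR to TABLE, (4) flush the cache.
pbr_commands() {
  main="$1"; table="$2"; dev="$3"; shift 3
  for cidr in "$@"; do
    valid_cidr "$cidr" || { echo "invalid CIDR (use A.B.C.D/N): $cidr" >&2; return 1; }
  done
  # Without this copy a PBR client loses its LAN, server-tunnel and WAN routes,
  # which is the failure eibgrad describes for the router's own LAN IP.
  printf '%s\n' "$main" | awk -v t="$table" \
    'NF > 0 && $1 != "default" { print "ip route add " $0 " table " t }'
  echo "ip route add default dev $dev table $table"
  for cidr in "$@"; do
    echo "ip rule add from $cidr table $table"
  done
  echo "ip route flush cache"
}

# Remote OpenVPN clients (10.8.0.0/24) and one LAN host go out via tun1.
pbr_commands "$SAMPLE_MAIN_ROUTES" 10 tun1 10.8.0.0/24 192.168.1.50/32
```

Running it prints four copied routes, the tun1 default for table 10, one `ip rule` per CIDR and the cache flush; on a router you would feed it the real `ip route show table main` output and review the lines before piping them to sh.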
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3793
Location: Netherlands

PostPosted: Wed Jul 24, 2019 21:25
Yes, you are right, it is a nasty bug.
But even without the fix, i.e. copying of local routes, the whole subnet of the VPN server can be set to use the alternate routing table, including 10.8.0.1. I honestly thought that was not possible (we know what happens if we put the router itself on the PBR without the fix), but it is, and I do not have a good explanation other than that the OVPN server is not actually bound to the IP address?

MaxBPM
DD-WRT Novice


Joined: 24 Jul 2019
Posts: 3

PostPosted: Fri Jul 26, 2019 9:00
Thank you both very much! I guess I understand a lot more now. It's great that people in this forum really like to help; I really appreciate this!

Quote:
If you want remote OpenVPN clients of your local OpenVPN server to use the local OpenVPN client, then simply add the OpenVPN server's tunnel network to the PBR field (e.g., 10.8.0.0/24, or whatever private IP space you specified on the OpenVPN server config). It's just that simple.


Yes, this is it! I want the clients of my server to use the paid client! So when I read this I was pretty euphoric!
Unfortunately it did not work. I checked which IP my Android app gets and it was 10.8.0.2 indeed. I added this IP to the PBR list and nothing happened (still the old IP when checking the Mullvad status page). Reboot: same. So I added the iptables rule.
iptables -t nat -I POSTROUTING -s 10.8.0.2 -o tun1 -j MASQUERADE
Still the same. Reboot: same. Reconnecting from the smartphone to the server also changes nothing.

Seems I'm doing something wrong. Might this be an OpenVPN server configuration issue? I am not 100% sure how the IP is given by the server (I have to check this), but as long as I always get 10.8.0.2 I am not really concerned that the IP might be wrong. Any more ideas?