Posted: Sat Mar 18, 2017 13:46 Post subject: VPN to DDwrt behind ISP modem
Hi, I have been trying to set up a VPN so that I can access the web on my phone through my home internet. The reason for this is that I filter ad servers using a hosts file on my DD-WRT router at home.
My setup looks like this:
ISP modem (192.168.0.1)
DD-WRT router (192.168.0.46 on WAN, 192.168.1.1 on WiFi/LAN, and 10.8.0.1 on VPN)
WiFi/LAN devices (192.168.1.*)
VPN devices (10.8.0.*)
The DD-WRT router works as a DNS server using DNSmasq and resolves requests for ad servers in my hosts file to 0.0.0.0 (for all other requests it uses my ISP's DNS). This filtering works fine on the WiFi/LAN.
I can connect to the VPN from inside my network (i.e. a device connected to the DD-WRT WiFi/LAN), and here the above scheme works fine. I can also connect to the VPN from the outside, for example using my phone. However, I cannot access the outside (i.e. ping Google) when I connect from the outside.
I can ping 10.8.0.1 and 192.168.0.1 but not 192.168.1.1 (which runs the DNS),
and I cannot ping Google.
My iptables look like this:
Code:
iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:1194
856 945K ACCEPT 0 -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 DROP udp -- vlan2 any anywhere anywhere udp dpt:route
0 0 DROP udp -- br0 any anywhere anywhere udp dpt:route
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:route
0 0 ACCEPT tcp -- vlan2 any anywhere DD-WRT tcp dpt:ssh
0 0 DROP icmp -- vlan2 any anywhere anywhere
28 1008 DROP igmp -- any any anywhere anywhere
4 262 ACCEPT 0 -- lo any anywhere anywhere state NEW
363 30876 ACCEPT 0 -- br0 any anywhere anywhere state NEW
36 8102 DROP 0 -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- tun0 any anywhere anywhere
0 0 ACCEPT 0 -- any tun0 anywhere anywhere
0 0 ACCEPT 0 -- any any 10.8.0.0/24 anywhere
403K 388M ACCEPT 0 -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT gre -- any vlan2 192.168.1.0/24 anywhere
0 0 ACCEPT tcp -- any vlan2 192.168.1.0/24 anywhere tcp dpt:1723
2576 161K lan2wan 0 -- any any anywhere anywhere
0 0 ACCEPT 0 -- br0 br0 anywhere anywhere
0 0 TRIGGER 0 -- vlan2 br0 anywhere anywhere TRIGGER type:in match:0 relate:0
2576 161K trigger_out 0 -- br0 any anywhere anywhere
2170 140K ACCEPT 0 -- br0 any anywhere anywhere state NEW
406 20764 DROP 0 -- any any anywhere anywhere
My VPN server script looks like this:
Code:
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 192.168.1.1"
push "redirect-gateway def1"
server 10.8.0.0 255.255.255.0
dev tun0
proto udp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
management localhost 5001
I guess the main problem is that I cannot access the DNS on my DD-WRT at 192.168.1.1 when I connect to the VPN from the outside, but I cannot figure out why.
I'm not very familiar with routing using iptables, so I'm more or less using the default values.
I hope you can point me in the right direction.
Best regards
m
I have now updated my settings according to your recommendations, and I can now correctly resolve IPs from the DNS. When I ping google.com I get the correct IP, but it times out, so the connection is blocked somewhere. Now I can't ping the DD-WRT router on the VPN (i.e. 10.8.0.1), and I can't ping the ISP modem at 192.168.0.1 either, so I guess that my forwarding is not set up correctly. My iptables now look like this:
Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1412 993K ACCEPT 0 -- any any anywhere anywhere state RELATED,ESTABLISHED
1 42 ACCEPT udp -- any any anywhere anywhere udp dpt:1194
0 0 ACCEPT 0 -- tun2 any anywhere anywhere
0 0 DROP udp -- vlan2 any anywhere anywhere udp dpt:route
0 0 DROP udp -- br0 any anywhere anywhere udp dpt:route
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:route
0 0 ACCEPT tcp -- vlan2 any anywhere DD-WRT tcp dpt:ssh
0 0 DROP icmp -- vlan2 any anywhere anywhere
1 36 DROP igmp -- any any anywhere anywhere
4 262 ACCEPT 0 -- lo any anywhere anywhere state NEW
229 20645 ACCEPT 0 -- br0 any anywhere anywhere state NEW
99 10290 DROP 0 -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1676 502K ACCEPT 0 -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT gre -- any vlan2 192.168.1.0/24 anywhere
0 0 ACCEPT tcp -- any vlan2 192.168.1.0/24 anywhere tcp dpt:1723
0 0 ACCEPT 0 -- tun2 any anywhere anywhere
0 0 ACCEPT 0 -- any tun2 anywhere anywhere
59 3728 lan2wan 0 -- any any anywhere anywhere
0 0 ACCEPT 0 -- br0 br0 anywhere anywhere
0 0 TRIGGER 0 -- vlan2 br0 anywhere anywhere TRIGGER type:in match:0 relate:0
59 3728 trigger_out 0 -- br0 any anywhere anywhere
59 3728 ACCEPT 0 -- br0 any anywhere anywhere state NEW
0 0 DROP 0 -- any any anywhere anywhere
My OpenVPN Additional Config:
Code:
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 192.168.1.1"
After I implemented your suggestions it seemed to get a bit worse. I can still connect to the VPN, but when I connect to the VPN from the outside (through my phone's data connection) I can't ping any machine on the network (192.168.1.1, the DD-WRT router on the LAN/WiFi; 10.8.0.1, the DD-WRT router on the VPN; or 192.168.0.1, the ISP modem on the DD-WRT WAN). Does the iptables output give any hint as to why this is? As I mentioned, I'm not very familiar with iptables, but I'm trying to read up on the subject in order to understand what they mean.
I appreciate the quick replies.
Best regards
m
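The rule counters in the dumps above are the most direct evidence of where the VPN traffic stops: in both FORWARD chains the tun rules count zero packets, while the catch-all DROP in the first dump has counted 406. The following POSIX shell script is an added example, not from the post or from DD-WRT: it sums the counters per interface from an `iptables -L -v` dump and checks a nat POSTROUTING dump for a MASQUERADE/SNAT rule covering the VPN subnet out the WAN interface, without which the ISP modem has no route back to 10.8.0.x clients. The post does not show the nat table, so that sample (and the `vlan2`/`10.8.0.0/24` values passed to the check) are assumptions taken from the rest of the post.

```shell
#!/bin/sh
# Added diagnostic for "iptables -L -v" style dumps (not from the post or DD-WRT).
# Column layout: pkts bytes target prot opt in out source destination [extras]

# FORWARD chain copied from the first post above (counters as posted).
FORWARD_DUMP='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT 0 -- tun0 any anywhere anywhere
    0     0 ACCEPT 0 -- any tun0 anywhere anywhere
    0     0 ACCEPT 0 -- any any 10.8.0.0/24 anywhere
 403K  388M ACCEPT 0 -- any any anywhere anywhere state RELATED,ESTABLISHED
 2576  161K lan2wan 0 -- any any anywhere anywhere
  406 20764 DROP 0 -- any any anywhere anywhere'

# Constructed nat POSTROUTING dump: the LAN is SNATed to the WAN address, the VPN subnet is not.
NAT_DUMP='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
  120  9000 SNAT 0 -- any vlan2 192.168.1.0/24 anywhere to:192.168.0.46'

# Sum the packet counters of rules naming interface $2 (in or out column) in dump $1.
iface_hits() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        function num(s) { n = s + 0; if (s ~ /K$/) n *= 1000; if (s ~ /M$/) n *= 1000000; return n }
        $1 ~ /^[0-9]+[KM]?$/ && ($6 == dev || $7 == dev) { total += num($1) }
        END { print total + 0 }'
}

# Packet counter of the chain's trailing catch-all DROP (all protocols, any interface, no extras).
catchall_drops() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+[KM]?$/ && $3 == "DROP" && ($4 == "0" || $4 == "all") && $6 == "any" &&
        $7 == "any" && $8 == "anywhere" && $9 == "anywhere" && NF == 9 { last = $1 }
        END { print (last == "" ? "none" : last) }'
}

# Succeeds if nat dump $1 has a MASQUERADE/SNAT rule for source subnet $2 leaving interface $3.
has_vpn_nat() {
    printf '%s\n' "$1" | awk -v net="$2" -v wan="$3" '
        $1 ~ /^[0-9]+[KM]?$/ && ($3 == "MASQUERADE" || $3 == "SNAT") && $7 == wan && $8 == net { found = 1 }
        END { exit(found ? 0 : 1) }'
}

echo "packets on tun0 rules: $(iface_hits "$FORWARD_DUMP" tun0)"           # 0
echo "packets hitting catch-all DROP: $(catchall_drops "$FORWARD_DUMP")"  # 406
if has_vpn_nat "$NAT_DUMP" 10.8.0.0/24 vlan2; then
    echo "VPN subnet is NATed out vlan2"
else
    echo "no MASQUERADE/SNAT for 10.8.0.0/24 out vlan2: the ISP modem has no route back to 10.8.0.x"
fi
```

On the router itself the same functions can be fed live output with `iface_hits "$(iptables -L FORWARD -v)" tun0` and `has_vpn_nat "$(iptables -t nat -L POSTROUTING -v)" 10.8.0.0/24 vlan2`.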