All client traffic through the VPN not working (Buffalo)

dstrigl
DD-WRT Novice


Joined: 07 Sep 2017
Posts: 5

PostPosted: Thu Sep 07, 2017 9:55    Post subject: All client traffic through the VPN not working (Buffalo)
Hi,

I have a "Buffalo WZR-HP-G300NH" router running DD-WRT.

Now, I have configured the OpenVPN server inside DD-WRT so that all client traffic should go through the VPN.
Connecting from my mobile phone (Android) and my Ubuntu notebook to any IP address inside my local network at home works fine,
but connecting to any website outside my local network at home (e.g. google.com, ...) fails.

Here is the OpenVPN server config file:
Code:

port 1194
proto udp
dev tun0
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.11.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
cipher AES-256-CBC
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3


And here the client config file:
Code:

client
dev tun
proto udp
remote mynet.ddns.net 1194
persist-key
ca ca.crt
cert galaxy.crt
key galaxy.key
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 4
log /tmp/openvpn.log


And here the iptables rules:
Code:

iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I INPUT 3 -i tun0 -j ACCEPT
iptables -I FORWARD 3 -i tun0 -o tun0 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE


And here is the OpenVPN log:
Code:
root@DD-WRT:~# tail /tmp/openvpn.log  -f
Wed Sep  6 22:53:47 2017 us=688069 TUN/TAP TX queue length set to 100
Wed Sep  6 22:53:47 2017 us=688415 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Wed Sep  6 22:53:47 2017 us=697775 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Wed Sep  6 22:53:47 2017 us=735199 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Sep  6 22:53:47 2017 us=736731 Socket Buffers: R=[114688->131072] S=[114688->131072]
Wed Sep  6 22:53:47 2017 us=737084 UDPv4 link local (bound): [undef]:1194
Wed Sep  6 22:53:47 2017 us=737207 UDPv4 link remote: [undef]
Wed Sep  6 22:53:47 2017 us=737333 MULTI: multi_init called, r=256 v=256
Wed Sep  6 22:53:47 2017 us=737960 IFCONFIG POOL: base=10.8.0.4 size=62
Wed Sep  6 22:53:47 2017 us=738273 Initialization Sequence Completed
Wed Sep  6 22:55:09 2017 us=415961 MULTI: multi_create_instance called
Wed Sep  6 22:55:09 2017 us=416378 213.162.68.133:43158 Re-using SSL/TLS context
Wed Sep  6 22:55:09 2017 us=416532 213.162.68.133:43158 LZO compression initialized
Wed Sep  6 22:55:09 2017 us=417727 213.162.68.133:43158 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Sep  6 22:55:09 2017 us=417933 213.162.68.133:43158 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Sep  6 22:55:09 2017 us=418342 213.162.68.133:43158 TLS: Initial packet from 213.162.68.133:43158, sid=3c6eaf01 c7ed39ad
Wed Sep  6 22:55:10 2017 us=75942 213.162.68.133:43158 VERIFY OK: depth=1, /C=AT/ST=Bundesland/L=Ort/O=MyOrg/OU=changeme/CN=Zuhause/name=changeme/emailAddress=mein.mail_mail.com
Wed Sep  6 22:55:10 2017 us=79311 213.162.68.133:43158 VERIFY OK: depth=0, /C=AT/ST=Bundesland/L=Ort/O=MyOrg/OU=changeme/CN=MeinHandy/name=changeme/emailAddress=mein.mail_mail.com
Wed Sep  6 22:55:10 2017 us=259048 213.162.68.133:43158 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Sep  6 22:55:10 2017 us=259263 213.162.68.133:43158 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Sep  6 22:55:10 2017 us=259413 213.162.68.133:43158 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Sep  6 22:55:10 2017 us=259559 213.162.68.133:43158 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Sep  6 22:55:10 2017 us=308175 213.162.68.133:43158 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
Wed Sep  6 22:55:10 2017 us=308482 213.162.68.133:43158 [MeinHandy] Peer Connection Initiated with 213.162.68.133:43158
Wed Sep  6 22:55:10 2017 us=309199 MeinHandy/213.162.68.133:43158 MULTI: Learn: 10.8.0.6 -> MeinHandy/213.162.68.133:43158
Wed Sep  6 22:55:10 2017 us=309366 MeinHandy/213.162.68.133:43158 MULTI: primary virtual IP for MeinHandy/213.162.68.133:43158: 10.8.0.6
Wed Sep  6 22:55:10 2017 us=311472 MeinHandy/213.162.68.133:43158 PUSH: Received control message: 'PUSH_REQUEST'
Wed Sep  6 22:55:10 2017 us=312171 MeinHandy/213.162.68.133:43158 SENT CONTROL [MeinHandy]: 'PUSH_REPLY,route 192.168.11.0 255.255.255.0,redirect-gateway def1,dhcp-option DNS 8.8.8.8,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Wed Sep  6 22:56:03 2017 us=886218 read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
Wed Sep  6 22:56:14 2017 us=42320 read UDPv4 [ECONNREFUSED]: Connection refused (code=146)


Is there anything I have done wrong?

Thanks and regards,
Daniel.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6868
Location: Romerike, Norway

PostPosted: Thu Sep 07, 2017 11:24    Post subject:
NAT traffic going out of the WAN interface

iptables -t nat -A POSTROUTING -o `get_wanface` -j MASQUERADE
dstrigl
DD-WRT Novice


Joined: 07 Sep 2017
Posts: 5

PostPosted: Thu Sep 07, 2017 19:55    Post subject:
Per Yngve Berg wrote:
NAT traffic going out of the WAN interface

iptables -t nat -A POSTROUTING -o `get_wanface` -j MASQUERADE


Sorry, but it doesn't work :(

Here is my current firewall setting:
Code:

iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I INPUT 3 -i tun0 -j ACCEPT
iptables -I FORWARD 3 -i tun0 -o tun0 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -t nat -A POSTROUTING -o `get_wanface` -j MASQUERADE


I think it's a problem with the firewall settings, because I found the following DROPS in the log:
Code:

...
Sep  7 21:49:40 DD-WRT user.warn kernel: DROP IN=tun0 OUT=ppp0 SRC=10.8.0.6 DST=8.8.8.8 LEN=72 TOS=0x00 PREC=0x00 TTL=63 ID=56007 DF PROTO=UDP SPT=54656 DPT=53 LEN=52
Sep  7 21:49:40 DD-WRT user.warn kernel: DROP IN=tun0 OUT=ppp0 SRC=10.8.0.6 DST=8.8.8.8 LEN=72 TOS=0x00 PREC=0x00 TTL=63 ID=56008 DF PROTO=UDP SPT=14320 DPT=53 LEN=52
Sep  7 21:49:40 DD-WRT user.warn kernel: DROP IN=tun0 OUT=ppp0 SRC=10.8.0.6 DST=8.8.8.8 LEN=59 TOS=0x00 PREC=0x00 TTL=63 ID=56009 DF PROTO=UDP SPT=19952 DPT=53 LEN=39
Sep  7 21:49:40 DD-WRT user.warn kernel: DROP IN=tun0 OUT=ppp0 SRC=10.8.0.6 DST=8.8.8.8 LEN=59 TOS=0x00 PREC=0x00 TTL=63 ID=56010 DF PROTO=UDP SPT=2357 DPT=53 LEN=39
Sep  7 21:49:40 DD-WRT user.warn kernel: DROP IN=tun0 OUT=ppp0 SRC=10.8.0.6 DST=8.8.8.8 LEN=66 TOS=0x00 PREC=0x00 TTL=63 ID=56011 DF PROTO=UDP SPT=48013 DPT=53 LEN=46
Sep  7 21:49:40 DD-WRT user.warn kernel: DROP IN=tun0 OUT=ppp0 SRC=10.8.0.6 DST=8.8.8.8 LEN=66 TOS=0x00 PREC=0x00 TTL=63 ID=56012 DF PROTO=UDP SPT=10259 DPT=53 LEN=46
Sep  7 21:49:40 DD-WRT user.warn kernel: DROP IN=tun0 OUT=ppp0 SRC=10.8.0.6 DST=8.8.8.8 LEN=61 TOS=0x00 PREC=0x00 TTL=63 ID=56013 DF PROTO=UDP SPT=1549 DPT=53 LEN=41
Sep  7 21:49:40 DD-WRT user.warn kernel: DROP IN=tun0 OUT=ppp0 SRC=10.8.0.6 DST=8.8.8.8 LEN=61 TOS=0x00 PREC=0x00 TTL=63 ID=56014 DF PROTO=UDP SPT=22218 DPT=53 LEN=41
...


I think it drops the DNS requests to 8.8.8.8 ...
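The DROP lines above can be summarised per flow to see which forwarding path the firewall is rejecting: every line has IN=tun0 and OUT=ppp0, i.e. the packet is leaving the VPN interface towards the WAN interface and no FORWARD rule accepts it. The following is an added shell example, not part of the thread; the log lines in it are constructed in the same format as the ones posted (the extra TCP line to 203.0.113.10, a documentation address, is made up).

```shell
#!/bin/sh
# Constructed sample of DD-WRT kernel DROP lines (same format as the thread's
# log, but example data, not the original poster's log).
DROP_LOG='Sep  7 21:49:40 DD-WRT user.warn kernel: DROP IN=tun0 OUT=ppp0 SRC=10.8.0.6 DST=8.8.8.8 LEN=72 TOS=0x00 PREC=0x00 TTL=63 ID=56007 DF PROTO=UDP SPT=54656 DPT=53 LEN=52
Sep  7 21:49:40 DD-WRT user.warn kernel: DROP IN=tun0 OUT=ppp0 SRC=10.8.0.6 DST=8.8.8.8 LEN=72 TOS=0x00 PREC=0x00 TTL=63 ID=56008 DF PROTO=UDP SPT=14320 DPT=53 LEN=52
Sep  7 21:49:41 DD-WRT user.warn kernel: DROP IN=tun0 OUT=ppp0 SRC=10.8.0.6 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=56020 DF PROTO=TCP SPT=41000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0'

# summarize_drops: read kernel DROP lines on stdin and print one line per
# distinct (IN->OUT, PROTO, DST:DPT) tuple with its hit count, most frequent
# first. The IN/OUT pair tells you which FORWARD path lacks an ACCEPT rule.
summarize_drops() {
  awk '/kernel: DROP/ {
    in_if = ""; out_if = ""; proto = ""; dst = ""; dpt = "";
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=");
      if (kv[1] == "IN")         in_if  = kv[2];
      else if (kv[1] == "OUT")   out_if = kv[2];
      else if (kv[1] == "PROTO") proto  = kv[2];
      else if (kv[1] == "DST")   dst    = kv[2];
      else if (kv[1] == "DPT")   dpt    = kv[2];
    }
    key = in_if "->" out_if " " proto " " dst ":" dpt;
    count[key]++;
  }
  END { for (k in count) print count[k], k }' | sort -rn
}

# sample_summary: run the summary over the constructed sample above.
sample_summary() {
  printf '%s\n' "$DROP_LOG" | summarize_drops
}

sample_summary
```

On a live router the same function can be fed with `logread | summarize_drops` (DD-WRT writes the kernel log to syslog); a top entry like `tun0->ppp0 UDP 8.8.8.8:53` points straight at the missing `-i tun0 -o <wan> -j ACCEPT` FORWARD rule rather than at DNS itself.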
dstrigl
DD-WRT Novice


Joined: 07 Sep 2017
Posts: 5

PostPosted: Thu Sep 07, 2017 20:11    Post subject:
Now I added the following line
Code:

iptables -I FORWARD -i tun0 -o `get_wanface` -j ACCEPT

and now it works!

Is the line above correct? Or has it some side effects?
dstrigl
DD-WRT Novice


Joined: 07 Sep 2017
Posts: 5

PostPosted: Fri Sep 08, 2017 5:52    Post subject:
Now, with the following OpenVPN config
Code:

port 1194
proto udp
dev tun0
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.11.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 85.214.20.141"
cipher AES-256-CBC
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3
;log /tmp/openvpn.log


and firewall rules it works fine
Code:

# Enable OpenVPN connections from internet
iptables -I INPUT -i `get_wanface` -p udp --dport 1194 -j ACCEPT

# Enable DNS lookups from OpenVPN clients
#iptables -I INPUT 1 -i tun0 -p tcp --dport 53 -j ACCEPT
#iptables -I INPUT 1 -i tun0 -p udp --dport 53 -j ACCEPT

# Forward anything coming from OpenVPN clients
iptables -I FORWARD 1 --source 10.8.0.0/24 -j ACCEPT

# Forward traffic from LAN to OpenVPN clients
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT

# Magic for OpenVPN clients to access internet
iptables -t nat -A POSTROUTING -j MASQUERADE


Thanks,
Daniel.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6868
Location: Romerike, Norway

PostPosted: Fri Sep 08, 2017 7:33    Post subject:
The NAT is too broad.

Use -o `get_wanface` to not affect VPN client to LAN.
dstrigl
DD-WRT Novice


Joined: 07 Sep 2017
Posts: 5

PostPosted: Fri Sep 08, 2017 12:44    Post subject:
You mean
Code:
iptables -t nat -A POSTROUTING -o `get_wanface` -j MASQUERADE

?
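Putting the thread's conclusions together: the following is an added DD-WRT firewall script, not the poster's rules or DD-WRT's own code, that scopes both the tun0 FORWARD rule and the MASQUERADE rule to the WAN interface, as Per Yngve Berg suggests, and only opens DNS on the router to VPN clients instead of a blanket `-i tun0 -j ACCEPT` on INPUT. It assumes tun0, br0 and 10.8.0.0/24 as in the thread, DD-WRT's `get_wanface` helper for the WAN interface name (ppp0 is a constructed fallback for running it elsewhere), and an iptables that supports the `-C` check (1.4.11 or newer); on a build without `-C`, remove the check and rely on DD-WRT rebuilding the chains before the script runs.

```shell
#!/bin/sh
# Added example DD-WRT firewall script for an OpenVPN server that pushes
# "redirect-gateway def1" to its clients. Not the thread's or DD-WRT's code.
# Assumed names: tun0 = OpenVPN server interface, br0 = LAN bridge,
# 10.8.0.0/24 = VPN client pool (as in the thread). WAN interface comes from
# DD-WRT's get_wanface helper; "ppp0" is a constructed fallback.

VPN_IF="${VPN_IF:-tun0}"
LAN_IF="${LAN_IF:-br0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
WAN_IF="${WAN_IF:-$(get_wanface 2>/dev/null || echo ppp0)}"
# IPT=echo prints the rules instead of applying them (dry run).
IPT="${IPT:-iptables}"

# add_rule <table> <chain> <rule...>: insert the rule at the top of the chain
# (ahead of DD-WRT's own rules, like the -I rules in the thread), but only if
# an identical rule is not already present, so the script stays idempotent
# when DD-WRT re-runs it on every WAN reconnect. Assumes iptables >= 1.4.11 for -C.
add_rule() {
  table=$1; chain=$2; shift 2
  if [ "$IPT" = echo ]; then
    echo "iptables -t $table -I $chain $*"
    return 0
  fi
  iptables -t "$table" -C "$chain" "$@" 2>/dev/null \
    || iptables -t "$table" -I "$chain" "$@"
}

vpn_firewall() {
  # OpenVPN handshake from the internet, restricted to the WAN interface.
  add_rule filter INPUT -i "$WAN_IF" -p udp --dport 1194 -j ACCEPT

  # Router-side services reachable from VPN clients: DNS only (the server
  # config in the thread pushes 10.8.0.1, the router, as resolver). A bare
  # "-i tun0 -j ACCEPT" would expose every router service to VPN clients.
  add_rule filter INPUT -i "$VPN_IF" -p udp --dport 53 -j ACCEPT
  add_rule filter INPUT -i "$VPN_IF" -p tcp --dport 53 -j ACCEPT

  # The rule missing in the thread's first rule set: VPN clients to the
  # internet (the DROP lines showed IN=tun0 OUT=ppp0 on this path).
  add_rule filter FORWARD -i "$VPN_IF" -o "$WAN_IF" -j ACCEPT
  # Replies from the internet back to VPN clients, only for known connections.
  add_rule filter FORWARD -i "$WAN_IF" -o "$VPN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # VPN clients <-> LAN, both directions, as in the thread.
  add_rule filter FORWARD -i "$VPN_IF" -o "$LAN_IF" -j ACCEPT
  add_rule filter FORWARD -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT

  # NAT only the VPN pool and only when it leaves via WAN. A bare
  # "-A POSTROUTING -j MASQUERADE" also rewrites VPN->LAN traffic, so LAN
  # hosts would see the router's LAN address instead of the client's 10.8.0.x.
  add_rule nat POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
}

case "${1:-}" in
  apply)   vpn_firewall ;;
  dry-run) IPT=echo; vpn_firewall ;;
esac
```

Save it as the DD-WRT firewall script and call it with `apply`; `sh vpn-firewall.sh dry-run` prints the eight rules it would insert so they can be reviewed before they touch the router.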
All times are GMT