OpenWRT: Forward traffic to non private IP address space through VPN
Solution 1
First, though I'm not familiar with UCI, the OpenWrt Wiki informs me it can accommodate manual iptables rules using an external file. You've defined one already: '/etc/firewall.user', so the solution you referred to in your comment may still be viable.
Your routes allow the 192.168.178.0/24 subnet to be reached just fine, assuming that the interface your router uses for that is in fact 'br-wan' and you just failed to copy the last character into your question. It would appear to be a firewall issue.
The output of iptables -L
shows something peculiar. The rules that allow traffic from LAN to VPN are:
Chain FORWARD (policy DROP)
delegate_forward all -- anywhere anywhere
Chain delegate_forward (1 references)
zone_lan_forward all -- anywhere anywhere
Chain zone_lan_forward (1 references)
zone_ipr_dest_ACCEPT all -- anywhere anywhere /* forwarding lan -> ipr */
Chain zone_ipr_dest_ACCEPT (2 references)
ACCEPT all -- anywhere anywhere
The '--verbose' flag would be required to be certain, but based on the comments and names of these chains, it seems these rules apply only to traffic forwarded to the 'tun1337' interface. Your iptables has no equivalent rules for 'br-wan'. Traffic forwarded to the internet router's subnet is eventually rejected.
To do this without manually adding rules, append the following lines to '/etc/config/firewall':
config forwarding
option src lan
option dest wan
Traffic from behind the OpenWrt router should now arrive at the 192.168.178.0/24 subnet, but there will be no response; the machines behind the internet router do not know how to route packets with a destination in the range 192.168.1.0/24. The easiest way to deal solve this problem is to have the OpenWrt router perform NAT. Using iptables:
iptables -t nat -A POSTROUTING -i br-lan -i br-wan -j MASQUERADE
My educated guess would be a similar rule will be created automatically by inserting the line option masq 1
in the wan zone configuration in '/etc/config/firewall'.
There are some disadvantages to using NAT. All traffic forwarded in this way will appear to machines behind the internet router to have 192.168.178.20 as a source. Moreover, you will need to set up port forwards to initiate connections from the WAN side of the OpenWrt router.
Avoiding NAT will require further changes to the firewall and the routing table on the internet router. You would need to add the route '192.168.1.0/24 via 192.168.178.20'. If the router does not allow the routing table to be configured manually, you would have to add them to machines on the 192.168.178.0/24 subnet individually. Also, the following lines would have to be appended to '/etc/config/firewall' on the OpenWrt router:
config forwarding
option src wan
option dest lan
Solution 2
All you need to do is to add the follwoing route to the OpenWRT routing table,
ip ro add 192.168.78.0/24 via 192.168.78.1 dev your_WAN_interface
where your_WAN_interface stands for the OpenWRT router's WAN interface NIC. Also you will the follwoing iptables rule:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.78.0/24 -j MASQUERADE
Related videos on Youtube
jelhan
I'm a full-stack web developer. My preferred stack is currently Ember.js and Laravel (PHP) with a pinch of Node.js. I enjoy working with GitLab, which is an amazing development platform in my opinion. It's not only providing source control but also including one of the bests CI/CD tools available. Reinventing the wheel and bikeshedding are one of the main blockers for a high productivity. Developers time is too precious to be waste on problems that already have been solved by others. Therefore I encourage existing standards like JSON:API specification. The combination of test-driven development, conventions over configuration and DevOps unlocks an amazing productivity while ensuring good code quality at the same time. It's a key factor to success - not only but especially for enterprise applications.
Updated on September 18, 2022Comments
-
jelhan over 1 year
I am running an OpenWRT router which establishes an VPN connection via OpenVPN and routes all traffic through the VPN. The OpenWRT router is behind another router, which establish the internet connection. This all works fine but now I like to access other devices in the private network but not connected to OpenWRT router.
The network configuration looks like this:
- A internet router which establishing connection to internet and providing a network at 192.168.178.0/24. It's ip address is 192.168.178.1.
- A vpn router running OpenWRT which is connected via lan cable with internet router. It is providing a network at 192.168.1.0/24. It's ip address is 192.168.1.1. It establish an VPN connection to a server in internet and routes all traffic from his private network (192.168.1.0/24) through VPN.
The goal:
- A device connected to vpn router should have access to a device in network of internet router. For example a network printer connected via lan to internet router with ip address 192.168.178.2 should be useable from a device connected to vpn router with ip address 192.168.1.2.
I configured the OpenWRT router with UCI (unified configuration interface). The configuration looks like following:
/etc/config/network
config interface 'loopback' option ifname 'lo' option proto 'static' option ipaddr '127.0.0.1' option netmask '255.0.0.0' config globals 'globals' option ula_prefix 'fd6a:fb7c:0d05::/48' config interface 'lan' option ifname 'eth0.1' option type 'bridge' option proto 'static' option ipaddr '192.168.1.1' option netmask '255.255.255.0' option ip6assign '60' option macaddr 'f8:1a:67:5a:a6:22' config interface 'wan' option ifname 'eth0.2' option macaddr 'f8:1a:67:5a:a6:25' option netmask '255.255.255.0' option proto 'dhcp' option type 'bridge' config interface 'wan6' option ifname '@wan' option proto 'dhcpv6' config interface 'IPredator' option ifname 'tun1337' option proto 'none' config switch option name 'switch0' option reset '1' option enable_vlan '1' config switch_vlan option device 'switch0' option vlan '1' option ports '0t 2 3 4 5' config switch_vlan option device 'switch0' option vlan '2' option ports '0t 1'
/etc/config/firewall
config defaults option syn_flood 1 option input ACCEPT option output ACCEPT option forward REJECT # Uncomment this line to disable ipv6 rules # option disable_ipv6 1 config zone option name lan list network 'lan' option input ACCEPT option output ACCEPT option forward REJECT config zone option name wan list network 'wan' list network 'wan6' option input ACCEPT option output ACCEPT option forward REJECT config zone option name ipr option input REJECT option output ACCEPT option forward REJECT option masq 1 option mtu_fix 1 list network 'IPredator' config forwarding option src lan option dest ipr # We need to accept udp packets on port 68, # see https://dev.openwrt.org/ticket/4108 config rule option name Allow-DHCP-Renew option src wan option proto udp option dest_port 68 option target ACCEPT option family ipv4 # Allow IPv4 ping config rule option name Allow-Ping option src wan option proto icmp option icmp_type echo-request option family ipv4 option target ACCEPT # Allow DHCPv6 replies # see https://dev.openwrt.org/ticket/10381 config rule option name Allow-DHCPv6 option src wan option proto udp option src_ip fe80::/10 option src_port 547 option dest_ip fe80::/10 option dest_port 546 option family ipv6 option target ACCEPT # Allow essential incoming IPv6 ICMP traffic config rule option name Allow-ICMPv6-Input option src wan option proto icmp list icmp_type echo-request list icmp_type echo-reply list icmp_type destination-unreachable list icmp_type packet-too-big list icmp_type time-exceeded list icmp_type bad-header list icmp_type unknown-header-type list icmp_type router-solicitation list icmp_type neighbour-solicitation list icmp_type router-advertisement list icmp_type neighbour-advertisement option limit 1000/sec option family ipv6 option target ACCEPT # Allow essential forwarded IPv6 ICMP traffic config rule option name Allow-ICMPv6-Forward option src wan option dest * option proto icmp list icmp_type echo-request list icmp_type echo-reply list icmp_type destination-unreachable list icmp_type packet-too-big list icmp_type time-exceeded list icmp_type bad-header list icmp_type unknown-header-type option limit 1000/sec option family ipv6 option target ACCEPT # include a file with users custom iptables rules config include option path /etc/firewall.user
**ifconfig -a **
root@OpenWrt:~# ifconfig -a br-lan Link encap:Ethernet HWaddr F8:1A:67:5A:A6:22 inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0 inet6 addr: fe80::fa1a:67ff:fe5a:a622/64 Scope:Link inet6 addr: fd6a:fb7c:d05::1/60 Scope:Global UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:93532 errors:0 dropped:0 overruns:0 frame:0 TX packets:115912 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:56145012 (53.5 MiB) TX bytes:123691502 (117.9 MiB) br-wan Link encap:Ethernet HWaddr F8:1A:67:5A:A6:25 inet addr:192.168.178.20 Bcast:192.168.178.255 Mask:255.255.255.0 inet6 addr: fe80::fa1a:67ff:fe5a:a625/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:115908 errors:0 dropped:0 overruns:0 frame:0 TX packets:92434 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:130982133 (124.9 MiB) TX bytes:16794507 (16.0 MiB) eth0 Link encap:Ethernet HWaddr 00:04:9F:EF:01:01 inet6 addr: fe80::204:9fff:feef:101/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:205419 errors:0 dropped:0 overruns:0 frame:0 TX packets:203843 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:192549225 (183.6 MiB) TX bytes:137710000 (131.3 MiB) Base address:0x4000 eth0.1 Link encap:Ethernet HWaddr 00:04:9F:EF:01:01 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:89286 errors:0 dropped:0 overruns:0 frame:0 TX packets:111404 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:55392304 (52.8 MiB) TX bytes:120099623 (114.5 MiB) eth0.2 Link encap:Ethernet HWaddr 00:04:9F:EF:01:01 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:115908 errors:0 dropped:0 overruns:0 frame:0 TX packets:92434 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:130982133 (124.9 MiB) TX bytes:16794507 (16.0 MiB) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:12 errors:0 dropped:0 overruns:0 frame:0 TX packets:12 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:2232 (2.1 KiB) TX bytes:2232 (2.1 KiB) tun1337 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:46.246.43.203 P-t-P:46.246.43.203 Mask:255.255.255.0 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 RX packets:114743 errors:0 dropped:0 overruns:0 frame:0 TX packets:91993 errors:0 dropped:351 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:121822466 (116.1 MiB) TX bytes:55995093 (53.4 MiB) wlan0 Link encap:Ethernet HWaddr F8:1A:67:5A:A6:24 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:122 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:0 (0.0 B) TX bytes:22643 (22.1 KiB) wlan1 Link encap:Ethernet HWaddr F8:1A:67:5A:A6:23 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:4244 errors:0 dropped:0 overruns:0 frame:0 TX packets:4750 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:812112 (793.0 KiB) TX bytes:3727774 (3.5 MiB)
route
root@OpenWrt:~# route Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface default anon-43-1.vpn.i 128.0.0.0 UG 0 0 0 tun1337 default 192.168.178.1 0.0.0.0 UG 0 0 0 br-wan 46.246.43.0 * 255.255.255.0 U 0 0 0 tun1337 46.246.43.130 192.168.178.1 255.255.255.255 UGH 0 0 0 br-wan 128.0.0.0 anon-43-1.vpn.i 128.0.0.0 UG 0 0 0 tun1337 192.168.1.0 * 255.255.255.0 U 0 0 0 br-lan 192.168.178.0 * 255.255.255.0 U 0 0 0 br-wan
iptables -L
Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 403 172K delegate_input all -- any any anywhere anywhere Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 358 169K delegate_forward all -- any any anywhere anywhere Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 317 84722 delegate_output all -- any any anywhere anywhere Chain delegate_forward (1 references) pkts bytes target prot opt in out source destination 358 169K forwarding_rule all -- any any anywhere anywhere /* user chain for forwarding */ 340 167K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED 18 2048 zone_lan_forward all -- br-lan any anywhere anywhere 0 0 zone_wan_forward all -- br-wan any anywhere anywhere 0 0 zone_ipr_forward all -- tun1337 any anywhere anywhere 0 0 reject all -- any any anywhere anywhere Chain delegate_input (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- lo any anywhere anywhere 403 172K input_rule all -- any any anywhere anywhere /* user chain for input */ 145 13909 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED 5 268 syn_flood tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN 11 766 zone_lan_input all -- br-lan any anywhere anywhere 243 157K zone_wan_input all -- br-wan any anywhere anywhere 4 208 zone_ipr_input all -- tun1337 any anywhere anywhere Chain delegate_output (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- any lo anywhere anywhere 317 84722 output_rule all -- any any anywhere anywhere /* user chain for output */ 129 27577 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED 0 0 zone_lan_output all -- any br-lan anywhere anywhere 186 56993 zone_wan_output all -- any br-wan anywhere anywhere 2 152 zone_ipr_output all -- any tun1337 anywhere anywhere Chain forwarding_ipr_rule (1 references) pkts bytes target prot opt in out source destination Chain forwarding_lan_rule (1 references) pkts bytes target prot opt in out source destination Chain forwarding_rule (1 references) pkts bytes target prot opt in out source destination Chain forwarding_wan_rule (1 references) pkts bytes target prot opt in out source destination Chain input_ipr_rule (1 references) pkts bytes target prot opt in out source destination Chain input_lan_rule (1 references) pkts bytes target prot opt in out source destination Chain input_rule (1 references) pkts bytes target prot opt in out source destination Chain input_wan_rule (1 references) pkts bytes target prot opt in out source destination Chain output_ipr_rule (1 references) pkts bytes target prot opt in out source destination Chain output_lan_rule (1 references) pkts bytes target prot opt in out source destination Chain output_rule (1 references) pkts bytes target prot opt in out source destination Chain output_wan_rule (1 references) pkts bytes target prot opt in out source destination Chain reject (4 references) pkts bytes target prot opt in out source destination 4 208 REJECT tcp -- any any anywhere anywhere reject-with tcp-reset 0 0 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable Chain syn_flood (1 references) pkts bytes target prot opt in out source destination 5 268 RETURN tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 0 0 DROP all -- any any anywhere anywhere Chain zone_ipr_dest_ACCEPT (2 references) pkts bytes target prot opt in out source destination 20 2200 ACCEPT all -- any tun1337 anywhere anywhere Chain zone_ipr_forward (1 references) pkts bytes target prot opt in out source destination 0 0 forwarding_ipr_rule all -- any any anywhere anywhere /* user chain for forwarding */ 0 0 ACCEPT all -- any any anywhere anywhere ctstate DNAT /* Accept port forwards */ 0 0 zone_ipr_src_REJECT all -- any any anywhere anywhere Chain zone_ipr_input (1 references) pkts bytes target prot opt in out source destination 4 208 input_ipr_rule all -- any any anywhere anywhere /* user chain for input */ 0 0 ACCEPT all -- any any anywhere anywhere ctstate DNAT /* Accept port redirections */ 4 208 zone_ipr_src_REJECT all -- any any anywhere anywhere Chain zone_ipr_output (1 references) pkts bytes target prot opt in out source destination 2 152 output_ipr_rule all -- any any anywhere anywhere /* user chain for output */ 2 152 zone_ipr_dest_ACCEPT all -- any any anywhere anywhere Chain zone_ipr_src_REJECT (2 references) pkts bytes target prot opt in out source destination 4 208 reject all -- tun1337 any anywhere anywhere Chain zone_lan_dest_ACCEPT (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- any br-lan anywhere anywhere Chain zone_lan_forward (1 references) pkts bytes target prot opt in out source destination pkts bytes target prot opt in out source destination 18 2048 forwarding_lan_rule all -- any any anywhere anywhere /* user chain for forwarding */ 18 2048 zone_ipr_dest_ACCEPT all -- any any anywhere anywhere /* forwarding lan -> ipr */ 0 0 ACCEPT all -- any any anywhere anywhere ctstate DNAT /* Accept port forwards */ 0 0 zone_lan_src_REJECT all -- any any anywhere anywhere Chain zone_lan_input (1 references) pkts bytes target prot opt in out source destination 11 766 input_lan_rule all -- any any anywhere anywhere /* user chain for input */ 0 0 ACCEPT all -- any any anywhere anywhere ctstate DNAT /* Accept port redirections */ 11 766 zone_lan_src_ACCEPT all -- any any anywhere anywhere Chain zone_lan_output (1 references) pkts bytes target prot opt in out source destination 0 0 output_lan_rule all -- any any anywhere anywhere /* user chain for output */ 0 0 zone_lan_dest_ACCEPT all -- any any anywhere anywhere Chain zone_lan_src_ACCEPT (1 references) pkts bytes target prot opt in out source destination 11 766 ACCEPT all -- br-lan any anywhere anywhere Chain zone_lan_src_REJECT (1 references) pkts bytes target prot opt in out source destination 0 0 reject all -- br-lan any anywhere anywhere Chain zone_wan_dest_ACCEPT (1 references) pkts bytes target prot opt in out source destination 186 56993 ACCEPT all -- any br-wan anywhere anywhere Chain zone_wan_forward (1 references) pkts bytes target prot opt in out source destination 0 0 forwarding_wan_rule all -- any any anywhere anywhere /* user chain for forwarding */ 0 0 ACCEPT all -- any any anywhere anywhere ctstate DNAT /* Accept port forwards */ 0 0 zone_wan_src_REJECT all -- any any anywhere anywhere Chain zone_wan_input (1 references) pkts bytes target prot opt in out source destination 243 157K input_wan_rule all -- any any anywhere anywhere /* user chain for input */ 0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:bootpc /* Allow-DHCP-Renew */ 0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request /* Allow-Ping */ 0 0 ACCEPT all -- any any anywhere anywhere ctstate DNAT /* Accept port redirections */ 243 157K zone_wan_src_ACCEPT all -- any any anywhere anywhere Chain zone_wan_output (1 references) pkts bytes target prot opt in out source destination 186 56993 output_wan_rule all -- any any anywhere anywhere /* user chain for output */ 186 56993 zone_wan_dest_ACCEPT all -- any any anywhere anywhere Chain zone_wan_src_ACCEPT (1 references) pkts bytes target prot opt in out source destination 243 157K ACCEPT all -- br-wan any anywhere anywhere Chain zone_wan_src_REJECT (1 references) pkts bytes target prot opt in out source destination 0 0 reject all -- br-wan any anywhere anywhere
I am not so used to network configuration. So I really would appreciate your help.
-
jelhan over 10 yearsI would really like to accomplish the task with UCI, so the solution here is not an option: superuser.com/questions/684370/…
-
jelhan over 10 yearsI applied the config forwarding from lan to wan in my /etc/config/firewall. Afterwards iptables -L are showing similiar rules to what you posted for wan. But the local network on 192.168.178.0/24 (local network with OpenWRT Router as a client) is still not reachable from 192.168.1.0/24 (local network behind OpenWRT router). Do you have any idea?
-
jelhan over 10 yearsI updated the questition with output of
iptables -L --verbose
. It is in state without applying your suggestion. Hope that helps. -
jelhan over 10 yearsMy OpenWRT doesn't have ip package. I tried to apply your command on route like this
route add 192.168.178.0/24 gw 192.168.178.1 dev br-wan
but this fails withroute: netmask 000000ff and host route conflict
. I could apply your iptables route with correcting destination ip address space to 192.168.178.0/24 but afterwards 192.168.178.0/24 is still not accessible from behind vpn router. Also I would really like to stay with UCI configuration. -
Marcks Thomas over 10 years@jelhan: As MariusMatutiae's answer reminded me, I missed the part where the machines on 192.168.178.0/24 need to reply via the OpenWrt router. I've expanded my answer with a few recommendations.
-
MariusMatutiae over 10 years@jelhan the correct command is route add -net 192.168.178.0/24 gw 192.168.178.1 ...: you need the net flag.
-
jelhan over 10 yearsWorking now fine also with
option masq 1
so I could configure all in UCI. Thank you very much. One last question, just for interest: On which rule does the vpn router now decide which package should be passed through VPN? -
Marcks Thomas over 10 years@jelhan: With some trickery, OpenVPN creates a default route via 'anon-43-130.vpn.ipredator.se' on tun1337. All destinations not matching a specific route are forwarded over VPN. '46.246.43.130 on br-wan' is one such route (you use the regular internet connection to contact the VPN server itself), as is 192.168.178.0/24. You can add more if you don't want to use VPN for specific IPs.