
OpenVPN - routing WAN port forwarded connections through VPN

Discussion in 'Tomato Firmware' started by Morac, Jan 2, 2014.

  1. Morac

    Morac Network Guru Member

    I have an iOS device with OpenVPN installed and set up the Toastman VPN tomato build on my E3000 to allow OpenVPN connections such that all VPN traffic gets routed through the VPN. That works fine for Internet traffic, but it doesn't work if I attempt to connect to a WAN side port forwarded port.

    For example, I have a port forwarded to an internal machine on my network. If I access that port on the WAN, it bypasses the VPN and makes a direct connection to the port.

    I know I could just reference the internal ip address, which should go through the VPN, but I have the connection info set up in an app and sometimes do connect via WAN (mostly over 4G/LTE) and don't want to have two setups: one for LAN and one for WAN.

    Is there a way to have all connections, even port forwarded ones go through the VPN?
     
  2. Kiavash Mailbox

    Kiavash Mailbox Network Newbie Member

    EDIT: Again post #9 ;)
     
    Last edited: Jan 11, 2015
  3. Morac

    Morac Network Guru Member

    No, I never found a solution. I just use the LAN IP address and port.
     
  4. Kiavash Mailbox

    Kiavash Mailbox Network Newbie Member

    EDIT: Post #9 was the solution to only open 1 port on the firewall.

    It is a bummer, I could confirm disabling the full firewall helps but I certainly prefer not to expose the internal network to the WAN.

    # Flush every rule and delete every user-defined chain in the filter, nat and mangle tables
    iptables -F
    iptables -F -t nat
    iptables -F -t mangle
    iptables -X
    iptables -X -t nat
    iptables -X -t mangle
    # Zero the packet and byte counters
    iptables -Z
    # Set the default policy of every built-in filter chain to ACCEPT,
    # which leaves the router and the LAN fully exposed to the WAN
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
     
    Last edited: Jan 11, 2015
  5. eibgrad

    eibgrad Addicted to LI Member

    Guys, help me out here. I need a picture/diagram. I must have read both these posts a dozen times, and I still can't figure out what's the issue here. I can't even tell (esp. w/ the OP) if we're talking about OpenVPN server, OpenVPN client, the path of the traffic, etc. Please, please, ALWAYS specify client or server, otherwise things just become ambiguous. Statements like "allow OpenVPN connections such that all VPN traffic gets routed through the VPN" have my head spinning. A picture/diagram will just make things simpler.
     
  6. Morac

    Morac Network Guru Member

    It's fairly simple. If the OpenVPN server configuration is set up to route all traffic (including non-LAN traffic) over the VPN connection, it won't correctly route traffic directed at the WAN-side IP address that's port forwarded to a LAN-side IP address. Port-forwarded traffic is simply dropped. This differs from what happens when actually on the LAN, where it's possible to connect to the WAN-side IP address from a LAN IP. My guess is that whatever redirect is applied to allow connecting to the WAN-side IP address from the LAN doesn't occur for the VPN IP address.

    See https://openvpn.net/index.php/open-source/documentation/howto.html#redirect
     
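The situation described in the post above (a road-warrior client with redirect-gateway pushed, whose packets for the router's WAN address arrive on the tunnel and are never translated) is the classic NAT-loopback gap. The script below is an added example for this thread, not code posted by any participant and not Tomato's own firewall code. It assumes the server's tunnel interface is tun21 (Tomato's default for the first OpenVPN server), the tunnel subnet is 10.8.0.0/24, the LAN bridge is br0 with router address 192.168.2.1, and that the root cause is that the router's own DNAT for port forwards is not applied to packets arriving from the tunnel; the thread suggests this but does not confirm it. It is written for Tomato's Administration > Scripts > Firewall box, which runs after the built-in rules are loaded.

```shell
#!/bin/sh
# Added example (not from the thread, not Tomato's firewall code): NAT-loopback
# rules so an OpenVPN client with redirect-gateway can reach a WAN-side port
# forward by the router's WAN address.
# Assumptions (not confirmed by the thread): tunnel interface tun21, tunnel
# subnet 10.8.0.0/24, LAN bridge br0 at 192.168.2.1, and that the router's own
# DNAT for forwards is not applied to packets that arrive from the tunnel.

VPN_IF="${VPN_IF:-tun21}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
LAN_IF="${LAN_IF:-br0}"
LAN_IP="${LAN_IP:-192.168.2.1}"

# Emit the three rules for one forward, one per line, so they can be reviewed
# before being applied.  Usage: loopback_rules <wan_ip> <proto> <port> <lan_host>
loopback_rules() {
    wan_ip=$1; proto=$2; port=$3; lan_host=$4
    # 1. Rewrite the destination of tunnel traffic aimed at the WAN address,
    #    the same translation the WAN-facing forward performs.
    echo "iptables -t nat -A PREROUTING -i $VPN_IF -s $VPN_NET -p $proto -d $wan_ip --dport $port -j DNAT --to-destination $lan_host:$port"
    # 2. Allow the rewritten packet to be forwarded from the tunnel into the LAN.
    echo "iptables -I FORWARD -i $VPN_IF -o $LAN_IF -p $proto -d $lan_host --dport $port -j ACCEPT"
    # 3. Source-NAT to the router's LAN address so the LAN host answers the
    #    router rather than a 10.8.0.x address it may have no route for.
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $VPN_NET -p $proto -d $lan_host --dport $port -j SNAT --to-source $LAN_IP"
}

# Print the rules when DRY_RUN is set, otherwise execute them.
apply_rules() {
    loopback_rules "$@" | while IFS= read -r rule; do
        if [ -n "$DRY_RUN" ]; then echo "$rule"; else eval "$rule"; fi
    done
}

# On the router the WAN address comes from NVRAM:
#   apply_rules "$(nvram get wan_ipaddr)" tcp 8080 192.168.2.10
# Dry run with constructed values (203.0.113.5 is documentation address space):
DRY_RUN=1 apply_rules 203.0.113.5 tcp 8080 192.168.2.10
```

Call apply_rules once per forward you need from the tunnel. The SNAT rule hides the client's 10.8.0.x address from the LAN host; if you need the real source in the LAN host's logs, drop rule 3, but then make sure the LAN host's default gateway is the router so replies to the tunnel subnet still get back. Review the dry-run output with iptables -t nat -S PREROUTING after applying, since a rule that lands after Tomato's own WANPREROUTING jump only matters when that jump did not already translate the packet.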
  7. Kiavash Mailbox

    Kiavash Mailbox Network Newbie Member

    EDIT: For people with the same issue, the port on the Firewall needed to be opened.

    -------------------
    Oops, Good point ;) Thanks for suggesting to help out.

    This the setup that works (when client is inside the LAN)

    WAN (192.168.0.1) <----> Tomato Router (WAN:192.168.0.248, LAN:192.168.2.1) with OpenVPN server (10.8.1.1) <----> Client (LAN:192.168.2.10 and 10.8.1.6 by openvpn)

    and this is the setup that openVPN doesn't see any connection attempts coming from the client

    +---> Client (WAN: 192.168.0.235)
    |
    WAN (192.168.0.1) <----> Tomato Router (WAN:192.168.0.248, LAN:192.168.2.1) with OpenVPN server (10.8.1.1)


    Simply using the same OpenVPN server installed on the Tomato router, if the OpenVPN client is a road warrior trying to connect to the OpenVPN server (using its WAN IP address) from the outside, it will not be successful; it will not reach any OpenVPN server. However, if the same client is inside, it can connect to the OpenVPN server using its LAN IP address.
     
    Last edited: Jan 11, 2015
  8. Grimson

    Grimson Networkin' Nut Member

    Why aren't you using the included OpenVPN?

    Looks like you are behind another router. Does this router forward the required ports for OpenVPN? If not, you won't be able to connect from the WAN.

    Btw. I see you are using port 443, if the router on the 192.168.0.0 network is using that port for itself (remote access or another port forward to a different machine) it won't be available for OpenVPN.
     
  9. Kiavash Mailbox

    Kiavash Mailbox Network Newbie Member

    I read my own setup one more time and got this iptables rule to solve the problem. I needed to punch a hole in the firewall:

    # Accept inbound TCP on port 443 (the OpenVPN server's listening port) in the router's INPUT chain
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT
     
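The rule in the post above uses iptables -A, which appends after every existing rule in INPUT. Whether that works depends on the chain: if the chain ends in an explicit catch-all -j DROP, the appended ACCEPT is never reached and iptables -I INPUT (insert at the top) is needed instead. The script below is an added example for this thread, not code posted by any participant; it reads iptables -S INPUT output and reports whether the OpenVPN port is accepted, accepted but shadowed, or left to the chain policy. The two sample chains are constructed, not captured from a real Tomato router.

```shell
#!/bin/sh
# Added example (not from the thread): check whether the INPUT chain really
# accepts the OpenVPN port and whether the ACCEPT precedes a catch-all drop.
# Run on the router as:   iptables -S INPUT | check_input_port tcp 443
# Exit status: 0 accepted, 1 no matching ACCEPT (chain policy decides),
#              2 ACCEPT present but shadowed by an earlier catch-all DROP/REJECT.
check_input_port() {
    proto=$1; port=$2
    policy=unknown; drop_seen=""
    while IFS= read -r line; do
        case "$line" in
            "-P INPUT "*) policy=${line#-P INPUT } ;;
            "-A INPUT "*)
                # A terminating DROP/REJECT with no interface, source, port or
                # connection-state match is treated as a catch-all.
                case "$line" in
                    *"-j DROP"*|*"-j REJECT"*)
                        case "$line" in
                            *" -i "*|*" -s "*|*"--dport "*|*"--state "*|*"--ctstate "*) ;;
                            *) drop_seen=1 ;;
                        esac ;;
                esac
                case "$line" in
                    *"-p $proto "*"--dport $port "*"-j ACCEPT"*)
                        if [ -n "$drop_seen" ]; then
                            echo "shadowed by an earlier catch-all drop: $line"
                            return 2
                        fi
                        echo "accepted: $line"
                        return 0 ;;
                esac ;;
        esac
    done
    echo "no ACCEPT for $proto/$port; chain policy $policy decides"
    return 1
}

# Constructed sample chains (not captured from a real Tomato router).
SAMPLE_OK='-P INPUT DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'

SAMPLE_SHADOWED='-P INPUT DROP
-A INPUT -i br0 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'

printf '%s\n' "$SAMPLE_OK" | check_input_port tcp 443
printf '%s\n' "$SAMPLE_SHADOWED" | check_input_port tcp 443 || echo "exit status $?"
```

If the check reports "shadowed", replace the -A with -I so the ACCEPT lands first, or better, restrict it to the WAN interface (add -i followed by the interface from nvram get wan_iface) so the hole is only open on the side that needs it. Also confirm the upstream router on 192.168.0.0/24 forwards the same port to the Tomato box, as the previous reply points out; a correct INPUT rule does nothing if the packet never arrives.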
  10. Kiavash Mailbox

    Kiavash Mailbox Network Newbie Member

    Please refer to post #9. The firewall needs to be modified.
     
    Last edited: Jan 11, 2015
