I've been trying to follow the setup at http://wiki.openwrt.org/doc/howto/vpn.client.openvpn.tap#routing.traffic.over.nat but using the n2n interface instead. I've got every part of an n2n setup working except for the final one: actually using resources behind the firewall through the VPN. This is the setup:
I have a LAN (192.168.200.0/24). This LAN has a gateway router (192.168.200.1) that gives the LAN access to the Internet at large. On this LAN I have a resource (a web server at 192.168.200.5). Every device on the LAN can access the resource as expected.

I have an OpenWRT router whose Ethernet port (eth0) is connected to the LAN. Its address is provided by DHCP (currently 192.168.200.4). It also has a WiFi radio (wlan0) that provides WLAN services for 192.168.5.0/24, setting itself up as the gateway router at 192.168.5.1. This setup works and allows, for example, anybody connected via WiFi (a notebook at 192.168.5.100, for example) to access anything in the WLAN, anything in the LAN (including the web server at 192.168.200.5) and anything on the Internet.

Where this all falls down is with the VPN. That same OpenWRT router that works at providing the LAN services and the WLAN services and in bridging them together (and routing them appropriately for Internet services) falls down with the VPN. The router provides a TAP interface (edge0) at 192.168.100.3. Another device sits at 192.168.100.21. That latter device can ping 192.168.100.3 (or anything else in 192.168.100.0/24). It can even ssh in to that router using that address without any trouble. The end-to-end portion of the connection is fine.

What's not fine is that nothing on 192.168.100.0/24 can access anything on the LAN (192.168.200.0/24) nor on the WLAN (192.168.5.0/24), and I simply cannot fathom the reasons why. I'm guessing that I've screwed up the firewall or the network settings, but I have no idea how or why.
Here are the relevant config files, modified (without success) according to details provided at http://wiki.openwrt.org/doc/howto/vpn.client.openvpn.tap#routing.traffic.over.nat:

# /etc/config/n2n -- this works, sensitive details elided
config edge
    option ipaddr '192.168.100.3'
    option supernode '<...>'
    option port '6781'
    option community '<...>'
    option key '<...>'
    option route '1'
    option mtu '1200'
    option reresolve '1'

# /etc/config/network -- this works for everything except the n2n portions
config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd8b:cc75:5289::/48'

config interface 'lan'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.5.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

config interface 'wan'
    option ifname 'eth0'
    option proto 'dhcp'

config interface 'n2n'
    option proto 'none'
    option ifname 'edge0'

# /etc/config/wireless -- this all works, sensitive details elided
config wifi-device 'radio0'
    list ht_capab 'SHORT-GI-20'
    list ht_capab 'SHORT-GI-40'
    list ht_capab 'RX-STBC1'
    list ht_capab 'DSSS_CCK-40'
    option type 'mac80211'
    option channel 'auto'
    option hwmode '11ng'
    option path 'platform/ar933x_wmac'
    option htmode 'HT20'
    option disabled '0'

config wifi-iface
    option device 'radio0'
    option network 'lan'
    option mode 'ap'
    option ssid '<...>'
    option encryption 'psk2'
    option key '<...>'

# /etc/config/firewall -- modifications tagged with # MOD BEGIN/END
config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option disable_ipv6 '0'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'wan'

# MOD BEGIN
config zone
    option name 'n2n'
    option masq '1'
    option input 'ACCEPT'
    option forward 'REJECT'
    option output 'ACCEPT'
    option network 'n2n'

config forwarding
    option dest 'n2n'
    option src 'wan'
# MOD END

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

# Allow IPv4 ping
config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fe80::/10'
    option src_port '547'
    option dest_ip 'fe80::/10'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

# Allow essential incoming IPv6 ICMP traffic
config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

# Allow essential forwarded IPv6 ICMP traffic
config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

# include a file with users custom iptables rules
config include
    option path '/etc/firewall.user'

--
"Perhaps people don't believe this, but throughout all of the discussions of entering China our focus has really been what's best for the Chinese people. It's not been about our revenue or profit or whatnot." --Sergey Brin, demonstrating the emptiness of the "don't be evil" mantra.
_______________________________________________ openwrt-users mailing list [email protected] https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-users
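The /etc/config/firewall quoted in the message is what decides whether packets arriving on edge0 may be forwarded into the LAN or WLAN zones, so a quick way to reason about a post like this is to compute the zone-to-zone forwarding matrix the file implies. The script below is an added example, not part of the original message and not OpenWrt's own tooling. It parses UCI syntax and applies fw3's forwarding rule: an explicit `config forwarding` entry accepts its src/dest pair, and every other pair falls back to the source zone's `forward` policy. The sample config is constructed from the zones and forwardings quoted above (trimmed to the sections that matter), and the extra n2n-to-lan forwarding it compares against is my own assumption used only to show how one allow entry changes the matrix, not a claim about what the poster's router needs.

```python
import shlex

# Constructed sample: the zone and forwarding sections from the posted
# /etc/config/firewall, trimmed to what decides inter-zone forwarding.
FIREWALL_CONF = """
config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option forward 'REJECT'
    option masq '1'

config forwarding
    option src 'lan'
    option dest 'wan'

# MOD BEGIN
config zone
    option name 'n2n'
    option masq '1'
    option input 'ACCEPT'
    option forward 'REJECT'
    option network 'n2n'

config forwarding
    option dest 'n2n'
    option src 'wan'
# MOD END
"""

# Constructed for the before/after comparison; this entry is NOT in the post.
EXTRA_FORWARDING = """
config forwarding
    option src 'n2n'
    option dest 'lan'
"""


def parse_uci(text):
    """Parse UCI text into [(section_type, {key: value or [values]})]."""
    sections = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        words = shlex.split(line)             # handles the single-quoted values
        if words[0] == 'config':
            sections.append((words[1], {}))
        elif words[0] == 'option':
            sections[-1][1][words[1]] = words[2]
        elif words[0] == 'list':
            sections[-1][1].setdefault(words[1], []).append(words[2])
    return sections


def forwarding_policy(sections):
    """Verdict for traffic forwarded from zone src into zone dst.

    fw3 semantics: an explicit 'config forwarding' src->dest ACCEPTs the
    pair; otherwise the *source* zone's 'forward' option applies. A zone
    without a 'forward' option is treated as REJECT here (assumption).
    """
    zone_forward = {s['name']: s.get('forward', 'REJECT')
                    for kind, s in sections if kind == 'zone'}
    explicit = {(s['src'], s['dest'])
                for kind, s in sections if kind == 'forwarding'}
    policy = {}
    for src in zone_forward:
        for dst in zone_forward:
            if src != dst:
                policy[(src, dst)] = ('ACCEPT' if (src, dst) in explicit
                                      else zone_forward[src])
    return policy


def blocked_destinations(policy, src):
    """Zones that `src` is not allowed to forward into, sorted by name."""
    return sorted(dst for (s, dst), verdict in policy.items()
                  if s == src and verdict != 'ACCEPT')


def print_matrix(policy):
    for (src, dst), verdict in sorted(policy.items()):
        print(f"{src:>4} -> {dst:<4} {verdict}")


if __name__ == '__main__':
    before = forwarding_policy(parse_uci(FIREWALL_CONF))
    print("as posted:")
    print_matrix(before)
    print("n2n cannot reach:", blocked_destinations(before, 'n2n'))
    after = forwarding_policy(parse_uci(FIREWALL_CONF + EXTRA_FORWARDING))
    print("with a constructed n2n -> lan forwarding added:")
    print_matrix(after)
    print("n2n cannot reach:", blocked_destinations(after, 'n2n'))
```

Run as-is, the first matrix shows that in the posted file the only ACCEPT involving the n2n zone is wan -> n2n, while n2n -> lan and n2n -> wan fall back to that zone's `forward 'REJECT'`; the second matrix shows how a single forwarding entry flips one of those pairs. This is a policy-level view only: it ignores routes, masquerading, the IPv6 and DHCP rules, and anything in /etc/firewall.user, so treat it as the first check on a zone configuration rather than a complete diagnosis.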
