New Note 86

I've been trying to follow the setup at
http://wiki.openwrt.org/doc/howto/vpn.client.openvpn.tap#routing.traffic.over.natbut
using the n2n interface instead. I've got every part of an n2n setup
working except for the final one: actually using resources behind the
firewall through the VPN. This is the setup:

I have a LAN (192.168.200.0/24). This LAN has a gateway router
(192.168.200.1) that gives the LAN access to the Internet at large. On this
LAN I have a resource (a web server at 192.168.200.5). Every device on the
LAN can access the resource as expected.

I have an OpenWRT router whose Ethernet port (eth0) is connected to the
LAN. Its address is provided by DHCP (currently 192.168.200.4). It also has
a WiFi radio (wlan0) that provides WLAN services for 192.168.5.0/24,
setting itself up as the gateway router at 192.168.5.1. This setup works
and allows, for example, anybody connected via WiFi—a notebook at
192.168.5.100, for example—to access anything in the WLAN, anything in the
LAN (including the web server at 192.168.200.5) and anything on the
Internet.

Where this all falls down is with the VPN.

That same OpenWRT router that works at providing the LAN services and the
WLAN services and in bridging them together (and routing them appropriately
for Internet services) falls down with the VPN. The router provides a TAP
interface (edge0) at 192.168.100.3. Another device sits at 192.168.100.21.
That latter device can ping 192.168.100.3 (or anything else in
192.168.100.0/24). It can even ssh in to that router using that address
without any trouble. The end-to-end portion of the connection is fine.

What's not fine is that nothing on 192.168.100.0/24 can access anything on
the LAN (192.168.200.0/24) nor on the WLAN (192.168.5.0/24), and I simply
cannot fathom the reasons why. I'm guessing that I've screwed up the
firewall or the network settings, but I have no idea how or why.

Here are the relevant config files, modified (without success) according to
details provided at
http://wiki.openwrt.org/doc/howto/vpn.client.openvpn.tap#routing.traffic.over.nat:

# /etc/config/n2n -- this works, sensitive details elided
config edge
option ipaddr '192.168.100.3'
option supernode '<...>'
option port '6781'
option community '<...>'
option key '<...>'
option route '1'
option mtu '1200'
option reresolve '1'

# /etc/config/network -- this works for everything except the n2n portions
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd8b:cc75:5289::/48'

config interface 'lan'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.5.1'
option netmask '255.255.255.0'
option ip6assign '60'

config interface 'wan'
option ifname 'eth0'
option proto 'dhcp'

config interface 'n2n'
option proto 'none'
option ifname 'edge0'

# /etc/config/wireless -- this all works, sensitive details elided
config wifi-device 'radio0'
list ht_capab 'SHORT-GI-20'
list ht_capab 'SHORT-GI-40'
list ht_capab 'RX-STBC1'
list ht_capab 'DSSS_CCK-40'
option type 'mac80211'
option channel 'auto'
option hwmode '11ng'
option path 'platform/ar933x_wmac'
option htmode 'HT20'
option disabled '0'

config wifi-iface
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid '<...>'
option encryption 'psk2'
option key '<...>'

# /etc/config/firewall -- modifications tagged with # MOD BEGIN/END
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option disable_ipv6 '0'

config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'

config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'

config forwarding
option src 'lan'
option dest 'wan'

# MOD BEGIN
config zone
option name 'n2n'
option masq '1'
option input 'ACCEPT'
option forward 'REJECT'
option output 'ACCEPT'
option network 'n2n'

config forwarding
option dest 'n2n'
option src 'wan'
# MOD END

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

# Allow IPv4 ping
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

# Allow essential incoming IPv6 ICMP traffic
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

# Allow essential forwarded IPv6 ICMP traffic
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

# include a file with users custom iptables rules
config include
option path '/etc/firewall.user'

-- 
"Perhaps people don't believe this, but throughout all of the discussions
of entering China our focus has really been what's best for the Chinese
people. It's not been about our revenue or profit or whatnot."
--Sergey Brin, demonstrating the emptiness of the "don't be evil" mantra.
_______________________________________________
openwrt-users mailing list
[email protected]
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-users

Reply via email to