<routing / firewall config question> 2 router VPN setup works but has a small problem

[bobo221]

Hello - I'm hoping that someone can help me (long-time forum lurker/ first time poster) with a small issue that I have with my home network setup. Apologies in advance for the wall of text ....

Basically, I have the following setup:

Internet
|
Cable Modem
|
Primary router (AC66u: 192.168.1.1) <--> Computer_1 connected via hardwired lan connection
|
VPN router (AC86u: 192.168.9.1 - running merlin and OPENvpn client to VPN provider)
|
Wireless clients

Right now, everything works according to plan. For example, computer_1 that connects to the primary router is given a 192.168.1.x address and can access open internet. Any wireless client that connects to the VPN router is given a 192.168.9.x address and can access the internet via VPN. Static routes have been set up on primary router to route all 192.168.9.x traffic to VPN router and vice versa so that clients in the 192.168.9.x address can access computer_1 and computer_1 can access 192.168.9.x addresses. Both firewalls are enabled - with the VPN router with a single line in the firewall-start script that forwards 192.168.1.x traffic.

The Question: Is there a way to update firewall rules or routing rules to allow computer_1 (keeping a 192.168.1.x address) to use 192.168.9.1 (the VPN router) as a gateway to route out via VPN? I don't want to change the topology and don't have a way to connect to the VPN router directly (long story)

I have searched the forum but every post that I've looked at deals with the initial 2 router VPN setup not working and not with this specific scenario .... I'm hoping somebody can point me in the right direction with this issue.

 

[kfp]

The Question: Is there a way to update firewall rules or routing rules to allow computer_1 (keeping a 192.168.1.x address) to use 192.168.9.1 (the VPN router) as a gateway to route out via VPN?

Sounds like you’re already on the right track. You’ll probably have to set the gw on computer_1 to the ‘WAN’ address of the VPN router (192.168.1.x), then add a firewall rule on VPN router to route that traffic through the OpenVPN tunnel.

You’ll probably also have to set all 192.168.1.x IPs statically so your computer_1 doesn’t set gw back to 192.168.1.1.

 

[bobo221]

thanks for the quick reply! I've got the config done on computer_1 but I'm currently stuck on the iptables rules to add to the VPN router (192.168.9.1) - I've tried to add the following to firewall-start but doesn't seem to work .... maybe the forward rules need to go to the nat-start?

iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o tun0 -j MASQUERADE

 

[kfp]

I think you’ll need a rule for the INPUT chain as well. OUTPUT should be ok since it’s generally not too restrictive.

As a general rule when messing with iptables rules, you can reset the counters then make your connection and observe where the packets are being dropped:

# iptables -Z
# iptables -nvL

Edit: just saw you changed the interface from wl0 to etho, in any case I don’t think either is correct. Try br0, that is the WAN interface.

 

[bobo221]

Ok - so I now have the following rules in my firewall-start and it still doesn't seem to want to work for computer_1 when i change it's gw to the VPN router:

#accept all from 192.168.1.x subnet - get it to the top of the accept list
iptables -I INPUT 1 -s 192.168.1.0/24 -j ACCEPT

#forward anything from the vpn tunnel to the wan interface (and vice versa) - i renamed the vpn interface to tun11 from ifconfig.
iptables -A FORWARD -i br0 -o tun11 -j ACCEPT
iptables -A FORWARD -i tun11 -o br0 -j ACCEPT

#enable nat for traffic from wan to the vpn tunnel
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o tun11 -j MASQUERADE

I've looked at the output from iptables -vL and it looks like the packets are being accepted from 192.168.1.x and the only place that has any dropped packets are those in state = INVALID. No traffic on the FORWARD rules that i put in though ....

... hoping you have a suggestion on where I go from here.

 

[kfp]

Nothing is really jumping out at me, I’ll try to replicate this setup tomorrow.

 

[Jack Yaz]

You might need to add the 192.168.1.x to the routing table of the vpn client

ovpnc1

I'll find the syntax when I'm back from walking my dog!

 

[Jack Yaz]

What do these output on vpn router?

ip route show table ovpnc1

ip rule show

 

[bobo221]

the output from both commands - the ip route command returns nothing (!) ....

 

[Jack Yaz]

the output from both commands - the ip route command returns nothing (!) ....
View attachment 13483

Which vpn client are you using? And if redirect Internet is set to all, then try

ip route show

 

[eibgrad]

The INPUT chain is irrelevant to this process. The INPUT chain is only relevant when the destination IP on the packet is one that belongs to the router! But your destination IP is NOT the router, but a public IP on the internet, so only the FORWARDing rules apply.

Also, the OpenVPN client's network interface name is tun11. And you can determine the WAN w/ the following command.

nvram get wan_iface

IIRC, the OpenVPN client tunnel is already NAT'd unconditionally, so you probably don't need any additional NAT rules either. But it's good to check anyway.

iptables -t nat -vnL POSTROUTING

So all you should really need is the following.

iptables -I FORWARD -i $(nvram get wan_iface) -o tun11 -j ACCEPT

You don't even need the reverse of this (-i tun11 -o $(nvram get wan_iface)) since the ESTABLISHED rule will take care of it.

 

[bobo221]

Which vpn client are you using? And if redirect Internet is set to all, then try

ip route show

here is the output from the 'ip route show' command - using the built-in openvpn client in merlin:

 

[kfp]

The INPUT chain is irrelevant to this process. The INPUT chain is only relevant when the destination IP on the packet is one that belongs to the router! But your destination IP is NOT the router, but a public IP on the internet, so only the FORWARDing rules apply.

Port for OpenVPN at least should be open in the INPUT chain but I get where you’re coming from [emoji4]

 

[bobo221]

nvram get wan_iface

no results ...

iptables -I FORWARD -i $(nvram get wan_iface) -o tun11 -j ACCEPT

... so i assume that this won't work without the first command working.

 

[eibgrad]

nvram get wan_iface

no results ...
View attachment 13487

iptables -I FORWARD -i $(nvram get wan_iface) -o tun11 -j ACCEPT

... so i assume that this won't work without the first command working.

If you know the WAN's network interface name, you can just insert it in-place of the command. Since you didn't dump ifconfig or reveal the routing table (until just recently), I wasn't sure. I'm a little surprised though that the command returned nothing. That's a common variable. Try eth0.

iptables -I FORWARD -i eth0 -o tun11 -j ACCEPT

 

[bobo221]

Hi all - thanks again for all of the help ....

@eibgrad - about your suggestion to add:

iptables -I FORWARD -i eth0 -o tun11 -j ACCEPT

[/QUOTE]

My first attempt with my firewall-start script did initially have reference to 'eth0' for my wan connection in my forward chain but that didn't seem to work so the suggestion from @kfp was to reference 'br0' instead so the code now (still not working) is:

#accept all from 192.168.1.x subnet - get it to the top of the accept list
iptables -I INPUT 1 -s 192.168.1.0/24 -j ACCEPT

#forward anything from the vpn tunnel to the wan interface (and vice versa) - i renamed the vpn interface to tun11 from ifconfig. 
iptables -A FORWARD -i br0 -o tun11 -j ACCEPT
iptables -A FORWARD -i tun11 -o br0 -j ACCEPT

#enable nat for traffic from wan to the vpn tunnel
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o tun11 -j MASQUERADE

.... maybe you're suggesting that I use -i instead of -a for the FORWARD rule? dumping ifconfig which i guess was missing in all of this (thanks @eibgrad)

thanks again.

 

[eibgrad]

While the OpenVPN client is active, please post the results of the following command.

iptables -t nat -vnL

 

[bobo221]

While the OpenVPN client is active, please post the results of the following command.

iptables -t nat -vnL

Here it is ...

 

[eibgrad]

The reason I asked you to dump the nat table was because I want to see exactly what was going on in there.

One thing is clear. The NAT rule for the OpenVPN client is specifically limited to 192.168.9.0/24. So you will have to add a rule for the primary router's network.

iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -o tun11 -j MASQUERADE

As I said before, the following rule allows forwarding of traffic from the WAN (eth0) of the second router, to the OpenVPN client (tun11).

iptables -I FORWARD -i eth0 -o tun11 -j ACCEPT

I can clearly see from the previous ifconfig dump that eth0 is the network interface since it has the WAN ip of the second router (192.168.1.134). But if there remains any doubt, the way to settle the issue is to simply reference the source IP network (-s) rather than the input network interface (-i).

iptables -I FORWARD -s 192.168.1.0/24 -o tun11 -j ACCEPT

So now it doesn't matter what the network interface is, it just matches on the IP network of the primary router!

So take your pick, either FORWARD rule should work.

An appropriate FORWARDing rule and NAT rule should be all that's required to gain access to the OpenVPN client from the 192.168.1.0/24 network.

Please realize that I'm only telling you how to navigate the firewall of the second router. I assume you've managed to change the default gateway, for whatever device on the 192.168.1.0/24 network needs to use the VPN, to point to the WAN ip of the second router (192.168.1.134).

When you test the connection, I recommend NOT using a browser (at least initially), but just a simple ping, and preferably not using a domain name, but an explicit IP.

ping 8.8.8.8

If that works, then trace the routing. If this is a Windows client, you can use the following command from a DOS prompt.

tracert -d 8.8.8.8

Notice the routing the path that's taken. It should indicate 192.168.1.134 if it's being correctly directed at the second router. Then the path should continue over the VPN's local assigned IP, etc.

IOW, avoid relying solely on the browser. When you use the browser, because it initially relies on DNS to get to a website, sometimes the connection is working, but there's a DNS problem. And so it looks like you don't have the basic connectivity working (which can be confirmed w/ ping and tracert), when in fact it is working but it's just DNS that's the problem.

 

[bobo221]

Success! Thanks to @eibgrad, @kfp, and @Jack Yaz for all of your help.

The solution - the NAT rule (below) needs to be run from the nat-start script (and not the firewall-start script where I had it)

 iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -o tun11 -j MASQUERADE

the other 2 rules (below) can still run from the firewall-start script

#accept all from 192.168.1.x subnet - get it to the top of the accept list
iptables -I INPUT -s 192.168.1.0/24 -j ACCEPT

#forward anything from the vpn tunnel to the wan interface (and vice versa) - i renamed the vpn interface to tun11 from ifconfig.
iptables -I FORWARD -s 192.168.1.0/24 -o tun11 -j ACCEPT

the final clue was the 'iptables -t nat -vL' output after changes suggested by @eibgrad. It didn't show any POSTROUTING rule for 192.168.1.0/24 traffic - so there must have been some reason why the firewall-start script didn't execute that command. I tried it manually via command line and it worked so after a bit of investigation, I inserted the POSTROUTING rule into the nat-start script instead and it all worked!

Thanks again to everyone!