Losing access to RUT360 after connecting it to OpenVPN server

Hi!

I’m having a problem with RUT360 behavior after it establishes OpenVPN connection with the server.
The idea behind this deployment is to have access to all devices connected to the RUT360 LAN port. RUT360 and other clients connect to the same OpenVPN server and thus they are in the same subnet. This functionality works fine and I’m able to connect to devices connected directly to RUT360 LAN port via OpenVPN connection.
The problem is that I can’t access RUT360 WebUI (ping isn’t working either) either from local RUT360 LAN network or from OpenVPN connection after the OpenVPN connection is established. I’ve already enabled access to GUI from WAN in firewall.

Some RUT360 configuration details:
LAN interface:
Static 192.168.3.1/24

RUT360 OpenVPN configuration:

client
dev tap0
proto tcp
remote xxx
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert rut360.crt
key rut360.key
cipher AES-128-CBC
verb 3

Below you can find current OpenVPN server configuration.

dev tap5
server-bridge 192.168.3.230 255.255.255.0 192.168.3.232 192.168.3.238
askpass /openvpn/SterbitVPN_6/server/server.pass
dh /openvpn/SterbitVPN_6/server/dh.pem
ca /openvpn/SterbitVPN_6/server/ca.crt
cert /openvpn/SterbitVPN_6/server/server.crt
key /openvpn/SterbitVPN_6/server/server.key
max-clients 6
verb 3
log-append /openvpn/openvpn6.log
keepalive 10 60
reneg-sec 0
client-to-client
cipher AES-128-CBC
status /openvpn/ovpn_status_6_result 30
status-version 2
proto tcp-server
port 1199

I’m having the same issue on similar deployment using RUT241.

Could you please help me investigate what I am doing wrong?

Best regards,
Maciej.

Hello,

It seems like your OpenVPN server assigns IP addresses to clients.

Is RUT360 the only device connected to the server?

Is there a chance that there are other devices with the same 192.168.3.1 IP address in the network?

It would be great to see your Network and Firewall configurations from the config files in /etc/config/network and /etc/config/firewall.

Generally, OpenVPN has its own firewall zone. You can try setting everything to accept for openvpn in Network → Firewall.

Kind Regards,

Hi,

thanks for helping me out with this issue!
RUT360 is the only client, so with server occupying address 192.168.3.230 I don’t see an option for an IP conflict.
I tried messing with firewall but with no results, still the same behavior. Below you can find those config files you were asking for.

Network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd38:a2d6:3c62::/48'

config interface 'lan'
        option ifname 'eth0'
        option proto 'static'
        option type 'bridge'
        option netmask '255.255.255.0'
        option metric '1'
        option ip6assign '60'
        option delegate '1'
        option force_link '1'
        option ipaddr '192.168.3.1'
        option stp '0'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'
        option metric '2'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'
        option metric '3'

config interface 'mob1s1a1'
        option proto 'wwan'
        option modem '1-1'
        option metric '4'
        option sim '1'
        option dhcpv6 '0'
        option pdptype 'ip'
        option method 'nat'
        option auth 'none'
        option force_apn '-1'
        option apn 'internet'
        option pdp '1'
        option auto_apn '0'
        option pref_apn '568'

Firewall


config defaults '1'
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone '2'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone '3'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 mob1s1a1'

config forwarding '4'
	option src 'lan'
	option dest 'wan'

config rule '5'
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'
	option priority '1'

config rule '6'
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option priority '2'

config rule '7'
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'
	option priority '3'

config rule '8'
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
	option priority '4'

config rule '9'
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'
	option priority '5'

config rule '10'
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option priority '6'

config rule '11'
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option priority '7'

config rule '12'
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option priority '8'

config rule '13'
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option priority '9'

config include '14'
	option path '/etc/firewall.user'

config rule '15'
	option dest_port '22'
	option proto 'tcp'
	option name 'Enable_SSH_WAN'
	option target 'ACCEPT'
	option src 'wan'
	option enabled '0'
	option priority '10'

config rule '16'
	option dest_port '80'
	option proto 'tcp'
	option name 'Enable_HTTP_WAN'
	option target 'ACCEPT'
	option src 'wan'
	option enabled '0'
	option priority '11'

config rule '17'
	option dest_port '443'
	option proto 'tcp'
	option name 'Enable_HTTPS_WAN'
	option target 'ACCEPT'
	option src 'wan'
	option enabled '0'
	option priority '12'

config rule '18'
	option dest_port '4200-4220'
	option proto 'tcp'
	option name 'Enable_CLI_WAN'
	option target 'ACCEPT'
	option src 'wan'
	option enabled '0'
	option priority '13'

config include 'pscan'
	option port_scan '0'
	option type 'script'
	option path '/etc/port-scan-prevention.sh'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config zone '19'
	option name 'openvpn'
	option device 'tun_+'
	option input 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option output 'ACCEPT'

config forwarding '20'
	option dest 'lan'
	option src 'openvpn'

config forwarding '21'
	option dest 'openvpn'
	option src 'lan'

config rule '22'
	option dest_port '1194'
	option src 'wan'
	option name 'Allow-openvpn-traffic'
	option target 'ACCEPT'
	option vpn_type 'openvpn'
	option proto 'tcp udp'
	option family 'ipv4'

Thank you for your help,
Maciej.

Hello,

Apologies for a delayed response.

I do not see a TAP interface for OpenVPN bridge under your LAN network config. You would want to bridge the eth0 and tap interface under the LAN interface.

Is the issue with accessing RUT360 itself, but everything else works properly?

I assume that you are unable to view logs from the command line since it is not accessible when OpenVPN is active. Are you able to see any logs if you run logread in real-time and then enable OpenVPN after?:

logread -f

Kind Regards,
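
As an added example (not part of the original thread and not Teltonika's code), this script automates the check the last reply makes by eye: whether the `dev` named in the OpenVPN client config is a member of the `lan` bridge, and whether any firewall zone's `device` pattern matches it. The embedded inputs are constructed excerpts of the configs posted above, and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the thread. Inputs below are constructed excerpts
# of the configs posted above.
OVPN_CONF='client
dev tap0
proto tcp'
NETWORK_CONF="config interface 'lan'
        option ifname 'eth0'
        option type 'bridge'
config interface 'wan'
        option ifname 'eth1'"
FIREWALL_CONF="config zone '19'
        option name 'openvpn'
        option device 'tun_+'"

# Device named by the OpenVPN "dev" directive.
ovpn_dev() { printf '%s\n' "$1" | awk '$1 == "dev" { print $2; exit }'; }

# Values of option/list $3 inside UCI sections of type $2 (optionally named $4).
uci_values() {
    printf '%s\n' "$1" | tr -d "'" | awk -v t="$2" -v o="$3" -v n="$4" '
        $1 == "config" { hit = ($2 == t && (n == "" || $3 == n)) }
        hit && ($1 == "option" || $1 == "list") && $2 == o {
            for (i = 3; i <= NF; i++) print $i
        }'
}

# Interface match as the firewall does it: a trailing "+" is a prefix wildcard.
dev_matches() {
    case "$2" in
        *+) case "$1" in "${2%+}"*) return 0 ;; esac; return 1 ;;
        *)  [ "$1" = "$2" ] ;;
    esac
}

# check OVPN NETWORK FIREWALL -> "dev=... bridged=yes|no zoned=yes|no"
check() {
    dev=$(ovpn_dev "$1"); bridged=no; zoned=no
    for m in $(uci_values "$2" interface ifname lan); do
        if [ "$m" = "$dev" ]; then bridged=yes; fi
    done
    for p in $(uci_values "$3" zone device); do
        if dev_matches "$dev" "$p"; then zoned=yes; fi
    done
    echo "dev=$dev bridged=$bridged zoned=$zoned"
}

check "$OVPN_CONF" "$NETWORK_CONF" "$FIREWALL_CONF"
```

For the configs in this thread the result is `dev=tap0 bridged=no zoned=no`: `tap0` is not listed under the `lan` bridge, and the `openvpn` zone's `tun_+` pattern only covers interface names that start with `tun_`. On a router the same functions can be fed the contents of `/etc/config/network` and `/etc/config/firewall` instead of the embedded excerpts.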

This topic was automatically closed after 15 days. New replies are no longer allowed.