No subject

Misja Heuveling misja.heuveling at gmail.com
Tue Feb 10 12:49:51 PST 2015


Hi All,


I have installed OpenWRT on my router and installed ocserv as
described here:
https://github.com/openwrt/packages/tree/master/net/ocserv


I am able to connect to my VPN with openconnect from my workplace or
my mobile phone. However, even though I have configured the subnet of my
local network to be routed through the VPN, I am only able to access
the router itself (192.168.2.1) and not any other system on the
network.

When I do a netstat -rn I can see that 192.168.2.0/24 is routed
through the VPN connection (gateway 192.168.100.225).

Could you point me in the right direction for getting this resolved? My
initial thought was that it is a firewall issue.

Disabling the firewall does not resolve the issue.


My /etc/config/ocserv is as follows:


config ocserv 'config'
    option dpd '180'
    option max_clients '8'
    option max_same '2'
    option zone 'vpn'
    option auth 'plain'
    option ipaddr '192.168.100.1'
    option netmask '255.255.255.0'
    option port '4443'
    option enable '1'
    option default_domain '192.168.2.1'

config dns
    option ip '192.168.2.1'

config routes
    option ip '192.168.2.0'
    option netmask '255.255.255.0'


My /etc/config/network is as follows:

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd73:78f1:e503::/48'


config interface 'guest'
    option proto 'static'
    option ipaddr '10.0.0.1'
    option netmask '255.0.0.0'


config interface 'lan'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option ip6assign '60'
    option _orig_ifname 'eth1 wlan0 wlan1'
    option _orig_bridge 'true'
    option netmask '255.255.255.0'
    option ifname 'eth1'
    option ipaddr '192.168.2.1/24'
    option gateway '192.168.0.1'
    option dns '192.168.2.1'

config interface 'wan'
    option _orig_ifname 'eth0'
    option _orig_bridge 'false'
    option ifname 'eth0'
    option proto 'static'
    option ipaddr '192.168.0.2'
    option netmask '255.255.255.0'
    option gateway '192.168.0.1'
    option dns '212.54.44.54 212.54.40.25'

config interface 'wan6'
    option ifname '@wan'
    option proto 'dhcpv6'


config interface 'vpn'
    option proto 'none'
    option ifname 'vpns+'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0 2 3 4 5'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '1 6'


And my /etc/config/firewall is setup as follows:


config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'


config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'


config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'


config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'


config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'


config rule
option name 'Allow DNS Queries'
option src 'guest'
option dest_port '53'
option proto 'tcpudp'
option target 'ACCEPT'


config rule
option name 'Allow DHCP request'
option src 'guest'
option src_port '67-68'
option dest_port '67-68'
option proto 'udp'
option target 'ACCEPT'


config rule

option src 'wan'
option dest_ip '192.168.0.2'
option dest_port '4443'
option proto 'tcpudp'
option target 'ACCEPT'
option name 'Allow OpenConnect VPN'


config rule
option name 'Deny access to the router'
option src 'guest'
option target 'DROP'
option enabled '0'


config rule
option src 'guest'
option dest 'lan'
option name 'Deny Guest -> LAN'
option proto 'all'
option target 'DROP'


config rule
option target 'ACCEPT'
option src 'guest'
option dest 'wan'
option name 'Allow Guest -> WAN http'
option proto 'tcp'
option dest_port '80'


config rule
option target 'ACCEPT'
option src 'guest'
option dest 'wan'
option name 'Allow Guest -> WAN https'
option proto 'tcp'
option dest_port '443'


config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'


config zone
option name 'wan'
option output 'ACCEPT'
option forward 'REJECT'
option masq_dest '!modem'
option network 'wan'
option input 'ACCEPT'
option masq '1'
option mtu_fix '1'


config zone
option name 'vpn'
option input 'ACCEPT'
option forward 'REJECT'
option output 'ACCEPT'
option device 'vpns+'
option network 'vpn'


config zone
option name 'guest'
option network 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'


config include
option path '/etc/firewall.user'


config forwarding
option dest 'wan'
option src 'guest'


config forwarding
option src 'lan'
option dest 'vpn'


config forwarding
option dest 'wan'
option src 'lan'


config forwarding
option src 'vpn'
option dest 'lan'


config rule
option proto 'tcpudp'
option name 'Deny other ports to WAN'
option src '*'
option dest_port '25'
option dest 'wan'
option target 'DROP'


