OpenVPN: Can’t ping public or internet IP’s, but can ping local or internal IP’s

If, over an established OpenVPN connection, internal IPs can be pinged but external IPs cannot, the issue may be with how packets are NATed or forwarded from the tun interface to the vlan2 (internet-facing) interface. Note in the capture below that there are NO replies:

root@DD-WRT-KHUFU:/jffs/etc/openvpn# tcpdump -na -s0 -i tun2 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun2, link-type RAW (Raw IP), snapshot length 262144 bytes
10:49:55.636673 IP 10.1.1.2 > 74.208.236.205: ICMP echo request, id 1, seq 9093, length 40
10:50:00.028370 IP 10.1.1.2 > 192.168.0.46: ICMP 10.1.1.2 udp port 52858 unreachable, length 535
10:50:00.661006 IP 10.1.1.2 > 74.208.236.205: ICMP echo request, id 1, seq 9094, length 40
10:50:05.666028 IP 10.1.1.2 > 74.208.236.205: ICMP echo request, id 1, seq 9095, length 40
10:50:10.661477 IP 10.1.1.2 > 74.208.236.205: ICMP echo request, id 1, seq 9096, length 40
10:50:11.204349 IP 10.1.1.2 > 192.168.0.51: ICMP 10.1.1.2 udp port 65235 unreachable, length 479
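As an added diagnostic (not part of the original post), the following shell/awk summary reads a `tcpdump -n ... icmp` capture like the ones on this page and flags every peer that received echo requests but sent back no replies; the sample lines are constructed from the captures shown here.

```shell
#!/bin/sh
# Added example, not from the original post: summarise a "tcpdump -n ... icmp"
# capture per peer so that "requests sent, no replies" stands out immediately.

# Constructed sample: lines in the format the captures on this page print.
BROKEN='10:49:55.636673 IP 10.1.1.2 > 74.208.236.205: ICMP echo request, id 1, seq 9093, length 40
10:50:00.028370 IP 10.1.1.2 > 192.168.0.46: ICMP 10.1.1.2 udp port 52858 unreachable, length 535
10:50:00.661006 IP 10.1.1.2 > 74.208.236.205: ICMP echo request, id 1, seq 9094, length 40'

WORKING='17:22:30.628458 IP 10.1.1.2 > 74.208.236.205: ICMP echo request, id 1, seq 32132, length 40
17:22:30.664892 IP 74.208.236.205 > 10.1.1.2: ICMP echo reply, id 1, seq 32132, length 40
17:22:46.839749 IP 10.1.1.2 > 10.0.0.101: ICMP echo request, id 1, seq 32139, length 40
17:22:46.841578 IP 10.0.0.101 > 10.1.1.2: ICMP echo reply, id 1, seq 32139, length 40'

# icmp_summary: reads tcpdump lines on stdin and prints, per pinged peer,
#   "<peer> <requests> <replies> <verdict>"  where verdict is NO_REPLY or ok.
# Field layout of a "tcpdump -n" line: $3 = source, $5 = "destination:".
icmp_summary() {
    awk '
        / ICMP echo request,/ { d = $5; sub(/:$/, "", d); req[d]++; next }
        / ICMP echo reply,/   { rep[$3]++; next }
        END {
            for (d in req) {
                r = (d in rep) ? rep[d] : 0
                printf "%s %d %d %s\n", d, req[d], r, (r == 0) ? "NO_REPLY" : "ok"
            }
        }' | sort
}

# no_reply_peers: only the peers that never answered, one per line.
no_reply_peers() { icmp_summary | awk '$4 == "NO_REPLY" { print $1 }'; }

echo "--- before the fix"; printf '%s\n' "$BROKEN"  | icmp_summary
echo "--- after the fix";  printf '%s\n' "$WORKING" | icmp_summary
```

On the router itself the same functions take a live capture: `tcpdump -nl -i tun2 icmp | icmp_summary` after a few pings.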

NOTE: there are no reply packets above. Looking at the rules and interfaces:

# ----------------------------------------------------------
# VPN: Required to be able to ping local on-prem or Azure VLAN's
# ----------------------------------------------------------
iptables -I FORWARD -i br0 -o tun2 -j ACCEPT
iptables -I FORWARD -i tun2 -o br0 -j ACCEPT
iptables -I INPUT -i tun2 -j logdrop
iptables -t nat -A POSTROUTING -o tun2 -j MASQUERADE

iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I INPUT -i tun1 -j logdrop
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE

iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I INPUT -i tun0 -j logdrop
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

and interfaces:

6: vlan2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1452 qdisc noqueue state UP qlen 1000
    link/ether 2c:fd:a1:35:60:51 brd ff:ff:ff:ff:ff:ff
    inet 100.100.100.100/27 brd 108.168.115.31 scope global vlan2
       valid_lft forever preferred_lft forever
    inet6 fe80::2efd:a1ff:fe35:6051/64 scope link
       valid_lft forever preferred_lft forever

 

11: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 2c:fd:a1:35:60:50 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.6/24 brd 192.168.0.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::2efd:a1ff:fe35:6050/64 scope link
       valid_lft forever preferred_lft forever

14: tun2: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
    link/[65534]
    inet 10.1.1.1/24 scope global tun2
       valid_lft forever preferred_lft forever

 

Forwarding to br0, which is the local network, works very well:

C:\Users\tom>ping josh-vm01.nix.mds.xyz

Pinging josh-vm01.nix.mds.xyz [10.0.0.101] with 32 bytes of data:
Reply from 10.0.0.101: bytes=32 time=5ms TTL=62
Reply from 10.0.0.101: bytes=32 time=5ms TTL=62

But ping to outside does not:

C:\Users\tom>ping microdevsys.com

Pinging microdevsys.com [74.208.236.205] with 32 bytes of data:
Control-C
^C
C:\Users\tom>

The rules responsible for the local forwarding above, which works, are the br0 <-> tunX FORWARD rules already shown. However, there was nothing equivalent for vlan2, which is the internet-facing interface. The following rules forward traffic between the tun (tunnel) interfaces and the outside world, allowing external pings to work:

# ----------------------------------------------------------
# VPN: Allow web traffic: tunX to internet.
# ----------------------------------------------------------
iptables -I FORWARD -i vlan2 -o tun2 -j ACCEPT
iptables -I FORWARD -i tun2 -o vlan2 -j ACCEPT

# iptables -I INPUT -i tun2 -j logdrop
# iptables -t nat -A POSTROUTING -o tun2 -j MASQUERADE

iptables -I FORWARD -i vlan2 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o vlan2 -j ACCEPT

# iptables -I INPUT -i tun1 -j logdrop
# iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE

iptables -I FORWARD -i vlan2 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o vlan2 -j ACCEPT

# iptables -I INPUT -i tun0 -j logdrop
# iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

Two further stanzas were added for the other tun interfaces and any future ones. The result is:

root@DD-WRT-KHUFU:~# uptime
 17:22:08 up 7 min,  load average: 0.06, 0.18, 0.13
root@DD-WRT-KHUFU:~# tcpdump -na -s 0 -i tun2 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun2, link-type RAW (Raw IP), snapshot length 262144 bytes
17:22:30.628458 IP 10.1.1.2 > 74.208.236.205: ICMP echo request, id 1, seq 32132, length 40
17:22:30.664892 IP 74.208.236.205 > 10.1.1.2: ICMP echo reply, id 1, seq 32132, length 40
17:22:31.648842 IP 10.1.1.2 > 74.208.236.205: ICMP echo request, id 1, seq 32133, length 40
17:22:31.684757 IP 74.208.236.205 > 10.1.1.2: ICMP echo reply, id 1, seq 32133, length 40
17:22:32.661280 IP 10.1.1.2 > 74.208.236.205: ICMP echo request, id 1, seq 32134, length 40
17:22:32.699882 IP 74.208.236.205 > 10.1.1.2: ICMP echo reply, id 1, seq 32134, length 40
17:22:33.668026 IP 10.1.1.2 > 74.208.236.205: ICMP echo request, id 1, seq 32135, length 40
17:22:33.705033 IP 74.208.236.205 > 10.1.1.2: ICMP echo reply, id 1, seq 32135, length 40
17:22:38.492608 IP 10.1.1.2 > 74.208.236.205: ICMP echo request, id 1, seq 32136, length 40
17:22:38.530251 IP 74.208.236.205 > 10.1.1.2: ICMP echo reply, id 1, seq 32136, length 40
17:22:39.504142 IP 10.1.1.2 > 74.208.236.205: ICMP echo request, id 1, seq 32137, length 40
17:22:39.541025 IP 74.208.236.205 > 10.1.1.2: ICMP echo reply, id 1, seq 32137, length 40
17:22:40.515175 IP 10.1.1.2 > 74.208.236.205: ICMP echo request, id 1, seq 32138, length 40
17:22:40.554968 IP 74.208.236.205 > 10.1.1.2: ICMP echo reply, id 1, seq 32138, length 40
17:22:46.839749 IP 10.1.1.2 > 10.0.0.101: ICMP echo request, id 1, seq 32139, length 40
17:22:46.841578 IP 10.0.0.101 > 10.1.1.2: ICMP echo reply, id 1, seq 32139, length 40
17:22:47.855641 IP 10.1.1.2 > 10.0.0.101: ICMP echo request, id 1, seq 32140, length 40
17:22:47.857412 IP 10.0.0.101 > 10.1.1.2: ICMP echo reply, id 1, seq 32140, length 40
^C
18 packets captured
18 packets received by filter
0 packets dropped by kernel
root@DD-WRT-KHUFU:~#

The full set of rules is:

root@DD-WRT-KHUFU:~# vi /jffs/firewall/DD-WRT-KHUFU-firewall.run
# ----------------------------------------------------------
# VPN: Required to be able to ping local on-prem or Azure VLAN's
# ----------------------------------------------------------
iptables -I FORWARD -i br0 -o tun2 -j ACCEPT
iptables -I FORWARD -i tun2 -o br0 -j ACCEPT
iptables -I INPUT -i tun2 -j logdrop
iptables -t nat -A POSTROUTING -o tun2 -j MASQUERADE

iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I INPUT -i tun1 -j logdrop
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE

iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I INPUT -i tun0 -j logdrop
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE


# ----------------------------------------------------------
# VPN: Allow web traffic: tunX to internet.
# ----------------------------------------------------------
iptables -I FORWARD -i vlan2 -o tun2 -j ACCEPT
iptables -I FORWARD -i tun2 -o vlan2 -j ACCEPT
# iptables -I INPUT -i tun2 -j logdrop
# iptables -t nat -A POSTROUTING -o tun2 -j MASQUERADE

iptables -I FORWARD -i vlan2 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o vlan2 -j ACCEPT
# iptables -I INPUT -i tun1 -j logdrop
# iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE

iptables -I FORWARD -i vlan2 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o vlan2 -j ACCEPT
# iptables -I INPUT -i tun0 -j logdrop
# iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE


# ----------------
#  VPN
# ----------------
# iptables -I INPUT 1 -p tcp --dport 47888 -j ACCEPT
# iptables -A INPUT -d 10.1.1.0/24 -j ACCEPT
# iptables -A INPUT -s 10.1.1.0/24 -j ACCEPT
# iptables -I FORWARD 1 --source 10.1.1.0/24 -j ACCEPT
# iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE

Now that both sets of rules are in, traffic to both internal and external resources works!
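The three hand-copied stanzas above can be produced by one loop. This added script is not the post's own firewall.run; it assumes the interface names used here (br0 as LAN, vlan2 as WAN, tun0..tunN for OpenVPN) and, as a tightening that the original post does not include, makes the vlan2 -> tunX rule stateful so it admits only return traffic for connections the VPN clients opened, rather than anything that arrives on vlan2 addressed to the tunnel.

```shell
#!/bin/sh
# Added example, not the post's own firewall.run: generate the per-tunnel rules
# from this page for any number of tun interfaces. Assumed names: br0 (LAN),
# vlan2 (WAN), tun0..tunN (OpenVPN). The WAN->tun rule is made stateful here,
# a tightening that is not in the original post.

LAN=br0
WAN=vlan2

# vpn_forward_rules TUN: print the iptables commands for one tunnel interface.
vpn_forward_rules() {
    tun=$1
    # LAN <-> tunnel, as in the post
    echo "iptables -I FORWARD -i $LAN -o $tun -j ACCEPT"
    echo "iptables -I FORWARD -i $tun -o $LAN -j ACCEPT"
    # Tunnel -> internet, as in the post
    echo "iptables -I FORWARD -i $tun -o $WAN -j ACCEPT"
    # Internet -> tunnel: replies only (stateful variant of the post's blanket ACCEPT)
    echo "iptables -I FORWARD -i $WAN -o $tun -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # Tunnel clients may not talk to the router itself (logdrop is DD-WRT's chain)
    echo "iptables -I INPUT -i $tun -j logdrop"
    # NAT traffic leaving via the tunnel behind the router's tunnel address, as in the post
    echo "iptables -t nat -A POSTROUTING -o $tun -j MASQUERADE"
}

# all_rules TUN...: rules for every tunnel interface given as an argument.
all_rules() {
    for t in "$@"; do vpn_forward_rules "$t"; done
}

# count_rules TUN...: how many rules the given interfaces produce (6 per tunnel).
count_rules() { all_rules "$@" | wc -l | tr -d ' '; }

# Dry run by default: print the rules. Run with APPLY=1 as root on the router
# to execute them (e.g. from /jffs/firewall/*.run).
if [ "${APPLY:-0}" = "1" ]; then
    all_rules tun0 tun1 tun2 | sh
else
    all_rules tun0 tun1 tun2
fi
```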

HTH,
Tom K

  Copyright © 2003 - 2013 Tom Kacperski (microdevsys.com). All rights reserved.

This work is licensed under a Creative Commons Attribution 3.0 Unported License