
I have successfully established an OpenVPN connection between a RUT955 device and an OpenVPN Linux server. Now I am trying to figure out why the firewall rules reject traffic from devices in the OpenVPN network to the router. If I run /etc/init.d/firewall stop, ping from clients in the OpenVPN network works. But with the firewall running I get "destination port unreachable". How do I configure the firewall rules to make sure that TCP traffic can flow from OpenVPN clients to the router?

root@Teltonika-RUT955:~# ifconfig
...
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
 inet addr:10.8.0.40 P-t-P:10.8.0.40 Mask:255.255.255.0
 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
 RX packets:81158 errors:0 dropped:0 overruns:0 frame:0
 TX packets:81648 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:100
 RX bytes:4862648 (4.6 MiB) TX bytes:7314626 (6.9 MiB)
...
root@Teltonika-RUT955:~# tcpdump -i tun0 -vv
tcpdump: listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
23:53:34.765248 IP (tos 0x0, ttl 128, id 9213, offset 0, flags [none], proto ICMP (1), length 60)
    10.8.0.24 > 10.8.0.40: ICMP echo request, id 1, seq 153, length 40
23:53:34.765441 IP (tos 0x0, ttl 64, id 8347, offset 0, flags [none], proto ICMP (1), length 60)
    10.8.0.40 > 10.8.0.24: ICMP echo reply, id 1, seq 153, length 40
23:53:34.963312 IP (tos 0x0, ttl 64, id 19301, offset 0, flags [DF], proto TCP (6), length 60)
    10.8.0.40.43243 > 10.8.0.1.5123: Flags [S], cksum 0x9d4a (correct), seq 323831374, win 29200, options [mss 1460,sackOK,TS val 11996459 ecr 0,nop,wscale 8], length 0
23:53:34.990849 IP (tos 0x0, ttl 64, id 15720, offset 0, flags [DF], proto TCP (6), length 40)
    10.8.0.1.5123 > 10.8.0.40.43243: Flags [R.], cksum 0x850d (correct), seq 0, ack 323831375, win 0, length 0
23:53:35.766489 IP (tos 0x0, ttl 128, id 9214, offset 0, flags [none], proto ICMP (1), length 60)
    10.8.0.24 > 10.8.0.40: ICMP echo request, id 1, seq 154, length 40
23:53:35.766651 IP (tos 0x0, ttl 64, id 8444, offset 0, flags [none], proto ICMP (1), length 60)
    10.8.0.40 > 10.8.0.24: ICMP echo reply, id 1, seq 154, length 40
23:53:36.767990 IP (tos 0x0, ttl 128, id 9215, offset 0, flags [none], proto ICMP (1), length 60)
    10.8.0.24 > 10.8.0.40: ICMP echo request, id 1, seq 155, length 40
23:53:36.768148 IP (tos 0x0, ttl 64, id 8477, offset 0, flags [none], proto ICMP (1), length 60)
    10.8.0.40 > 10.8.0.24: ICMP echo reply, id 1, seq 155, length 40
23:53:37.771806 IP (tos 0x0, ttl 128, id 9216, offset 0, flags [none], proto ICMP (1), length 60)
    10.8.0.24 > 10.8.0.40: ICMP echo request, id 1, seq 156, length 40
23:53:37.771961 IP (tos 0x0, ttl 64, id 8478, offset 0, flags [none], proto ICMP (1), length 60)
    10.8.0.40 > 10.8.0.24: ICMP echo reply, id 1, seq 156, length 40
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel
root@Teltonika-RUT955:~# /etc/init.d/firewall start
Warning: Unable to locate ipset utility, disabling ipset support
...
   ! Skipping due to path error: No such file or directory
root@Teltonika-RUT955:~# tcpdump -i tun0 -vv
tcpdump: listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
23:54:16.348815 IP (tos 0x0, ttl 128, id 9220, offset 0, flags [none], proto ICMP (1), length 60)
    10.8.0.24 > 10.8.0.40: ICMP echo request, id 1, seq 160, length 40
23:54:16.349050 IP (tos 0xc0, ttl 64, id 10260, offset 0, flags [none], proto ICMP (1), length 88)
    10.8.0.40 > 10.8.0.24: ICMP 10.8.0.40 protocol 1 port 19643 unreachable, length 68
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel

2 Answers

+5 votes
by

I fell into the same trap/issue. It is not stated in the Wiki documentation, and there is a big caveat in the configuration: the OpenVPN client and server in the RUT devices are expected to use TUN devices named tun_* (i.e., tun_c_<CLIENTNAME>, tun_s__<SRV_NAME>). If you upload your own OpenVPN config, make doubly sure you define the TUN device name; the default one, "tun0", does NOT work!!

This is due to the zoning setup in the RUT firmware, where the devices tun0/1/2/3 are reserved for the hotspot functionality!

Best solution: delete your client config and create a new one using the GUI.
Best answer
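To make the zoning problem from this answer concrete, here is an added shell check. It is not code from the thread or from Teltonika; it reimplements the wildcard rule used by the iptables lines shown later in the thread (`-i tun_+`, where a trailing `+` means "any interface whose name starts with this prefix") and maps an OpenVPN `dev` name onto the zone that would claim it. The `uci show firewall` sample and the two OpenVPN configs are constructed for the example; on a real router the sample would be replaced by the live output.

```shell
#!/bin/sh
# Added example, not code from the thread or from Teltonika: work out which fw3
# zone a tunnel interface name falls into, using the wildcard semantics of the
# iptables rules shown in the thread ("-i tun_+"): a trailing '+' on a device
# pattern matches any interface whose name starts with the text before it.

# Constructed sample mirroring the `uci show firewall | grep tun` output in the
# thread. On a real router replace it with the live output:
#   uci show firewall | grep '\.device='
SAMPLE_UCI="firewall.vpn_zone.device='tun_+'
firewall.hotspot.device='tun0 tun1 tun2 tun3'"

# Constructed OpenVPN client configs: the stock "dev tun0" that bites, and the
# renamed device from the accepted answer.
BAD_CONFIG='client
dev tun0
proto udp'
GOOD_CONFIG='client
dev tun_c_vpn
dev-type tun
proto udp'

# iface_matches_pattern IFNAME PATTERN: succeed if the iptables-style PATTERN
# covers IFNAME (exact match, or prefix match when PATTERN ends in '+').
iface_matches_pattern() {
    ifname=$1
    pattern=$2
    case "$pattern" in
        *+)
            prefix=${pattern%+}
            case "$ifname" in
                "$prefix"*) return 0 ;;
            esac
            return 1
            ;;
        *)
            [ "$ifname" = "$pattern" ]
            ;;
    esac
}

# zone_for_iface IFNAME [UCI_TEXT]: print the name of the first zone whose
# device list covers IFNAME; print nothing if no zone claims it (fw3 then
# applies the default policy, which on the RUT rejects the traffic).
zone_for_iface() {
    ifname=$1
    uci_text=${2:-$SAMPLE_UCI}
    while IFS= read -r line; do
        case "$line" in
            firewall.*.device=*) ;;
            *) continue ;;
        esac
        zone=${line#firewall.}
        zone=${zone%%.device=*}
        devices=$(printf '%s' "${line#*=}" | tr -d "'")
        for pat in $devices; do
            if iface_matches_pattern "$ifname" "$pat"; then
                printf '%s\n' "$zone"
                return 0
            fi
        done
    done <<EOF
$uci_text
EOF
    return 0
}

# openvpn_dev_name CONFIG_TEXT: print the interface named by the 'dev'
# directive of an OpenVPN config ('dev-type' lines are deliberately skipped).
openvpn_dev_name() {
    printf '%s\n' "$1" | sed -n 's/^dev[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' | head -n 1
}

# openvpn_dev_zone CONFIG_TEXT [UCI_TEXT]: zone that the config's tunnel
# device would land in.
openvpn_dev_zone() {
    devname=$(openvpn_dev_name "$1")
    [ -n "$devname" ] || { echo "no dev directive found" >&2; return 1; }
    zone_for_iface "$devname" "${2:-$SAMPLE_UCI}"
}

# Stand-alone run: show where each constructed config's tunnel ends up.
for cfg in "$BAD_CONFIG" "$GOOD_CONFIG"; do
    devname=$(openvpn_dev_name "$cfg")
    zone=$(openvpn_dev_zone "$cfg")
    printf '%-12s -> zone %s\n' "$devname" "${zone:-<none: default policy>}"
done
```

With the constructed sample, `dev tun0` resolves to the hotspot zone and `dev tun_c_vpn` to vpn_zone, which is exactly why the renamed device fixes the "port unreachable" replies. Note that the check reports the first zone whose pattern matches; if a pattern is later widened to `tun+` (as another comment in this thread does), both vpn_zone and hotspot cover tun0 and the iptables rule order decides, so renaming the device is the cleaner fix.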
by 1 flag

This is actually the best answer and the best explanation to what is causing the issue. Since we are deploying config files from other sources manual entry is not an option. Using the method with updating the firewall rules is working for us.

UPDATE: We have changed our deployment process to include the following statement for config files that target RUT955:

dev tun_c_vpn
dev-type tun

This solves the issue without updating firewall rules.
by
Thanks for this. Was about to throw this thing across the room.

Thanks for the suggestion as well, torgil. That seems to work.
by
me banging heads against walls, here I found sanity again.
by

Life-saver comment:

dev tun_c_vpn
dev-type tun

0 votes
by

Hello,

On the router, navigate to Network -> Firewall -> Zone Forwarding and check Source Zone - vpn: openvpn. Try clicking edit, uncheck LAN, save it, and then also change the Default forwarding action from reject to accept and see if this solves your issue.

If not, then try unchecking Masquerading on the same interface and check again.

If the issue persists, download the troubleshoot file (System -> Administration -> Troubleshoot) and PM it to me.

by
The same issue still persists on RUT955 FW ver. RUT9XX_R_00.06.06.1, see the output log here:

BusyBox v1.30.1 () built-in shell (ash)

   ____        _    ___  ____        _(_)_
  |  _ \ _   _| |_ / _ \/ ___|      (_)@(_)
  | |_) | | | | __| | | \___ \       /(_)
  |  _ <| |_| | |_| |_| |___) |    \|/
  |_| \_\\__,_|\__|\___/|____/     \|/

Teltonika RUT9XX 2014 - 2019

root@RUT955_1107172410:~# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.52  P-t-P:10.8.0.52  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

root@RUT955_1107172410:~# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1): 56 data bytes
64 bytes from 10.8.0.1: seq=0 ttl=64 time=118.366 ms
64 bytes from 10.8.0.1: seq=1 ttl=64 time=119.450 ms
64 bytes from 10.8.0.1: seq=2 ttl=64 time=120.305 ms
^C
--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 118.366/119.373/120.305 ms

root@RUT955_1107172410:~# iptables -S |grep vpn
-N forwarding_vpn_rule
-N input_vpn_rule
-N output_vpn_rule
-N zone_vpn_dest_ACCEPT
-N zone_vpn_dest_REJECT
-N zone_vpn_forward
-N zone_vpn_input
-N zone_vpn_output
-N zone_vpn_src_ACCEPT
-N zone_vpn_src_REJECT
-A INPUT -i tun_+ -m comment --comment "!fw3" -j zone_vpn_input
-A FORWARD -i tun_+ -m comment --comment "!fw3" -j zone_vpn_forward
-A OUTPUT -o tun_+ -m comment --comment "!fw3" -j zone_vpn_output
-A zone_vpn_dest_ACCEPT -o tun_+ -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_vpn_dest_ACCEPT -o tun_+ -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_dest_REJECT -o tun_+ -m comment --comment "!fw3" -j reject
-A zone_vpn_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_vpn_rule
-A zone_vpn_forward -m comment --comment "!fw3: forwarding vpn -> lan" -j zone_lan_dest_ACCEPT
-A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_src_REJECT
-A zone_vpn_input -m comment --comment "!fw3: user chain for input" -j input_vpn_rule
-A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
-A zone_vpn_output -m comment --comment "!fw3: user chain for output" -j output_vpn_rule
-A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_src_ACCEPT -i tun_+ -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_src_REJECT -i tun_+ -m comment --comment "!fw3" -j reject
-A zone_wan_input -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: Allow-vpn-traffic" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-vpn-traffic" -j ACCEPT

root@RUT955_1107172410:~# uci show firewall|grep tun
firewall.vpn_zone.device='tun_+'
firewall.hotspot.device='tun0 tun1 tun2 tun3'

root@RUT955_1107172410:~# uci set firewall.vpn_zone.device="tun+"
root@RUT955_1107172410:~# uci commit firewall
root@RUT955_1107172410:~# /etc/init.d/firewall restart
...
root@RUT955_1107172410:~# /etc/init.d/openvpn restart

root@RUT955_1107172410:~# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1): 56 data bytes
64 bytes from 10.8.0.1: seq=0 ttl=64 time=123.178 ms
64 bytes from 10.8.0.1: seq=1 ttl=64 time=124.433 ms
64 bytes from 10.8.0.1: seq=2 ttl=64 time=131.266 ms
64 bytes from 10.8.0.1: seq=3 ttl=64 time=122.973 ms
^C
--- 10.8.0.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 122.973/125.462/131.266 ms

root@RUT955_1107172410:~# iptables -S |grep vpn
-N forwarding_vpn_rule
-N input_vpn_rule
-N output_vpn_rule
-N zone_vpn_dest_ACCEPT
-N zone_vpn_dest_REJECT
-N zone_vpn_forward
-N zone_vpn_input
-N zone_vpn_output
-N zone_vpn_src_ACCEPT
-N zone_vpn_src_REJECT
-A INPUT -i tun+ -m comment --comment "!fw3" -j zone_vpn_input
-A FORWARD -i tun+ -m comment --comment "!fw3" -j zone_vpn_forward
-A OUTPUT -o tun+ -m comment --comment "!fw3" -j zone_vpn_output
-A zone_vpn_dest_ACCEPT -o tun+ -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_vpn_dest_ACCEPT -o tun+ -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_dest_REJECT -o tun+ -m comment --comment "!fw3" -j reject
-A zone_vpn_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_vpn_rule
-A zone_vpn_forward -m comment --comment "!fw3: forwarding vpn -> lan" -j zone_lan_dest_ACCEPT
-A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_src_REJECT
-A zone_vpn_input -m comment --comment "!fw3: user chain for input" -j input_vpn_rule
-A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
-A zone_vpn_output -m comment --comment "!fw3: user chain for output" -j output_vpn_rule
-A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_src_ACCEPT -i tun+ -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_src_REJECT -i tun+ -m comment --comment "!fw3" -j reject
-A zone_wan_input -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: Allow-vpn-traffic" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-vpn-traffic" -j ACCEPT
root@RUT955_1107172410:~#
by

Hello

From the provided information, I see that before applying any changes to the firewall settings you were able to ping the OpenVPN server (10.8.0.1), so from my point of view it is working with the latest firmware.

But if you still think that there is an issue with the latest firmware and OpenVPN, could you please PM me the troubleshoot file (System -> Administration -> Troubleshoot) and also provide us the OpenVPN configuration file which you use, so we could test it on our side with our RUT device. Furthermore, could you draw a simple topology: how everything is connected, via what interfaces, what IP addresses and gateways they have, etc.

I will be waiting for your reply.

by
Apologies to torgilfolger, I didn't notice your private message; I will contact you via PM.
by

To clarify the above issue, please note that pinging 10.8.0.1 is possible only after applying the uci firewall changes and restarting the VPN tunnel:

root@RUT955_1107172410:~# uci set firewall.vpn_zone.device="tun+"
root@RUT955_1107172410:~# uci commit firewall
root@RUT955_1107172410:~# /etc/init.d/firewall restart
...
root@RUT955_1107172410:~# /etc/init.d/openvpn restart
root@RUT955_1107172410:~# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1): 56 data bytes
64 bytes from 10.8.0.1: seq=0 ttl=64 time=123.178 ms

by
The problem we are trying to solve is accessing the RUT955 router on its OpenVPN IP address from the OpenVPN router. The reason for this is to be able to use router services (Modbus, RS485, SSH etc.) over the VPN. Use the following steps to reproduce the issue:

A brand new RUT955 out of the box with the latest firmware. Connect to WAN using cable, WiFi or GSM. OpenVPN via an uploaded config file:

root@Teltonika-RUT955:~# cat /etc/version
RUT9XX_R_00.06.06.1
root@Teltonika-RUT955:~# uname -a
Linux Teltonika-RUT955.com 3.18.44 #1 Fri Mar 13 09:37:25 UTC 2020 mips GNU/Linux
root@Teltonika-RUT955:~# /sbin/mnf_info sn
1106344926
root@Teltonika-RUT955:~# /sbin/mnf_info batch
0081
root@Teltonika-RUT955:~# /sbin/mnf_info name
RUT955T03XXX
root@Teltonika-RUT955:~# /sbin/mnf_info hwver
1714
root@Teltonika-RUT955:~# gsmctl -y
EC25EUGAR06A03M4G
root@Teltonika-RUT955:~# gsmctl -m
EC25
root@Teltonika-RUT955:~# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.64  P-t-P:10.8.0.64  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Check that the OpenVPN link is up and running:

root@Teltonika-RUT955:~# ping -c 4 10.8.0.1
PING 10.8.0.1 (10.8.0.1): 56 data bytes
64 bytes from 10.8.0.1: seq=0 ttl=64 time=32.746 ms
64 bytes from 10.8.0.1: seq=3 ttl=64 time=31.541 ms

--- 10.8.0.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 31.541/32.176/32.746 ms
root@Teltonika-RUT955:~# traceroute 10.8.0.1
traceroute to 10.8.0.1 (10.8.0.1), 30 hops max, 38 byte packets
 1  10.8.0.1 (10.8.0.1)  31.340 ms  31.577 ms  32.289 ms

From the server side, try to ping the RUT955 on its OpenVPN IP address; this is NOT WORKING:

ubuntu@web04:~$ ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:87690 errors:0 dropped:0 overruns:0 frame:0
          TX packets:88958 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:5377239 (5.3 MB)  TX bytes:4961161 (4.9 MB)
ubuntu@web04:~$ ping -c 4 10.8.0.64
PING 10.8.0.64 (10.8.0.64) 56(84) bytes of data.
From 10.8.0.64 icmp_seq=1 Destination Port Unreachable
From 10.8.0.64 icmp_seq=4 Destination Port Unreachable

--- 10.8.0.64 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3004ms

ubuntu@web04:~$ traceroute 10.8.0.64
traceroute to 10.8.0.64 (10.8.0.64), 30 hops max, 60 byte packets
 1  10.8.0.64 (10.8.0.64)  35.558 ms  66.103 ms  66.095 ms

Disable the firewall on the RUT955 to check whether the problem is there:

root@Teltonika-RUT955:~# /etc/init.d/firewall stop

Ping from the OpenVPN router to the RUT955 OpenVPN IP address is now working:

ubuntu@web04:~$ ping -c 4 10.8.0.64
PING 10.8.0.64 (10.8.0.64) 56(84) bytes of data.
64 bytes from 10.8.0.64: icmp_seq=1 ttl=64 time=32.1 ms
64 bytes from 10.8.0.64: icmp_seq=4 ttl=64 time=31.6 ms

--- 10.8.0.64 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 31.612/31.787/32.112/0.198 ms
ubuntu@web04:~$ traceroute 10.8.0.64
traceroute to 10.8.0.64 (10.8.0.64), 30 hops max, 60 byte packets
 1  10.8.0.64 (10.8.0.64)  36.807 ms  67.566 ms  67.579 ms

This issue is, from my point of view, caused by an error in the uci firewall setup, where the interface name for vpn_zone has an extra underscore in it (tun_+):

root@Teltonika-RUT955:~# uci show firewall|grep tun
firewall.vpn_zone.device='tun_+'
firewall.hotspot.device='tun0 tun1 tun2 tun3'

Changing this to the correct interface name (tun+) and restarting the firewall and OpenVPN:

root@Teltonika-RUT955:~# uci set firewall.vpn_zone.device="tun+"
root@Teltonika-RUT955:~# uci commit firewall
root@Teltonika-RUT955:~# /etc/init.d/firewall restart
...
root@Teltonika-RUT955:~# /etc/init.d/openvpn restart

And ping from the server side is working:

ubuntu@web04:~$ ping -c 4 10.8.0.64
PING 10.8.0.64 (10.8.0.64) 56(84) bytes of data.
64 bytes from 10.8.0.64: icmp_seq=1 ttl=64 time=32.9 ms
64 bytes from 10.8.0.64: icmp_seq=4 ttl=64 time=32.3 ms

--- 10.8.0.64 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 32.350/32.574/32.934/0.318 ms

(I had to cut a lot of the shell output because of post limits.)