FOR TIPS, gUIDES & TUTORIALS

subscribe to our Youtube

GO TO YOUTUBE

14455 questions

17168 answers

28195 comments

0 members

We are migrating to our new platform at https://community.teltonika.lt. Moving forward, you can continue discussions on this new platform. This current platform will be temporarily maintained for reference purposes.
0 votes
5,656 views 4 comments
by anonymous
Hey we have an interface tun0 and we want to forward traffic from this interface as in if you try to access the router over router IP port 8080 you will be forwarded to port 8080 (or any we config) within a host within the routers network. We have seen this working from LAN to LAN but not from OpenVPN.

We added a costume rule to get our VPN working in the way we intend.

iptables -A INPUT -i tun0 -j ACCEPT

So in our specific config we want to come from the tun0 interface to LAN 10.0.0.101 connection via the router. So on a desktop on the other side of the VPN if we connect to the router we would type 10.8.0.4:8080 (ip of the router tun0 interface) and this would forward us to 10.0.0.101:8080

1 Answer

0 votes
by anonymous

Hi,

The bug will be fixed in the next FW release, which should be out within a few weeks. Meanwhile, the fix is already available in this test FW version. You can use it to test whether it meets your requirements.

by anonymous

Hey I still don't have this fully functional with the testfirmware. Maybe there is something wrong in my config and I have the wrong assumption? 

This is the rule as defined in the webinterface. I am asuming here VPN is tun0 any router IP is forwarded also includes the VPN. 

LoRa server

TCP

From any hostin vpn

To any router IP at port 8080

Forward to IP 10.0.0.101, port 8080 in lan

 

I did a port scan on the router with the latest firmware. This gave back the following result. 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-04 15:01 CET
Nmap scan report for 10.8.0.4
Host is up (0.050s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      (protocol 2.0)
| fingerprint-strings: 
|   NULL: 
|     SSH-2.0-SSH
|     curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group16-sha512,kexguess2@matt.ucc.asn.au
|     ssh-rsa
|     aes128-ctr,aes256-ctr
|     aes128-ctr,aes256-ctr
|     hmac-sha2-256
|     hmac-sha2-256
|     none
|_    none
53/tcp  open  domain   dnsmasq 2.79
| dns-nsid: 
|   NSID: tlbzcnsnl11 (746c627a636e736e6c3131)
|   id.server: tlbzcnsnl11
|_  bind.version: dnsmasq-2.79
80/tcp  open  http     LuCI Lua http config
|_http-title: Site doesn't have a title (text/html).
443/tcp open  ssl/http LuCI Lua http config
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=Teltonika/organizationName=Teltonika858e0682/stateOrProvinceName=Vilnius/countryName=LT
| Not valid before: 2019-11-26T09:47:38
|_Not valid after:  2021-11-25T09:47:38
|_ssl-date: TLS randomness does not represent time
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port22-TCP:V=7.80%I=7%D=3/4%Time=5E5FB4C8%P=x86_64-pc-linux-gnu%r(NULL,
SF:14D,"SSH-2\.0-SSH\r\n\0\0\x01<\n\x14\xa09~\)\xc1\xd4\x02/\xa7\x9a1\x161
SF:\x94\xb0\x0b\0\0\0\xa0curve25519-sha256,curve25519-sha256@libssh\.org,d
SF:iffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman
SF:-group16-sha512,kexguess2@matt\.ucc\.asn\.au\0\0\0\x07ssh-rsa\0\0\0\x15
SF:aes128-ctr,aes256-ctr\0\0\0\x15aes128-ctr,aes256-ctr\0\0\0\rhmac-sha2-2
SF:56\0\0\0\rhmac-sha2-256\0\0\0\x04none\0\0\0\x04none\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\x08\x81\xebM\xdb\x07<\xbb\xa6");
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.59 seconds
by anonymous

Hi,

Thank you for the files. Unfortunately, I can't see the the OpenVPN config as it seems to have been uploaded by file and the file is in another directory, which is not in the Troubleshoot file. 

But it seems like you're using TCP on Port Forwarding and UDP on OpenVPN. Please change the protocol from TCP to UDP in the Port Forward rule and tell me if it works.

by anonymous

Hi Yes, 

I directly took the config from the RW with the function take config frome file. 

Here is the config from the OpenVPN file. 
 

client

dev tun

proto udp

remote 167.71.0.161 1194

resolv-retry infinite

nobind

persist-key

persist-tun

remote-cert-tls server

auth SHA512

cipher AES-256-CBC

ignore-unknown-option block-outside-dns

block-outside-dns

verb 3

I tried changing the foward zones to UDP it but this didn't fix it. What did happen is that I locked myself out somehow. I can get the router up again and give you a roadwarrior so you can get all the config. (it is in a test setup now) 
by anonymous

So with the test firmware I tried something else. 

uci add firewall rule

uci set firewall.@rule[18].rule.enabled='1'

uci set firewall.@rule[18].src='hotspot'

uci set firewall.@rule[18].target='ACCEPT'

uci set firewall.@rule[18].proto='tcp'

uci set firewall.@rule[18].source_port='8080'

uci set firewall.@rule[18].dest_port='8080'

uci set firewall.@rule[18].E_HTTPS_W_P.dest_ip='10.0.0.101'

uci set firewall.@rule[18].rule.enabled='1'

uci commit firewall

uci commit firewall

/etc/init.d/firewall restart

Restarting the firewall gave the following result:

Warning: Unable to locate ipset utility, disabling ipset support

Warning: Section @zone[1] (wan) cannot resolve device of network 'ppp'

Warning: Section 'vpn_zone' cannot resolve device of network 'vpn'

Warning: Section 'l2tp_zone' cannot resolve device of network 'l2tp'

Warning: Section 'pptp_zone' cannot resolve device of network 'pptp'

Warning: Section 'gre_zone' cannot resolve device of network 'gre'

Warning: Section 'hotspot' cannot resolve device of network 'hotspot'

Warning: Section 'sstp' cannot resolve device of network 'sstp'

Warning: Option @rule[14]._name is unknown

Warning: Option @rule[15]._name is unknown

Warning: Option @rule[16]._name is unknown

Warning: Option @rule[17]._name is unknown

Warning: Option 'TR069'.source_port is unknown

Warning: Section @rule[25] has neither a source nor a destination zone assigned - assuming an output r

Warning: Section @rule[25] does not specify a protocol, assuming TCP+UDP

Warning: Section @rule[25] has no target specified, defaulting to REJECT

 * Flushing IPv4 filter table

 * Flushing IPv4 nat table

 * Flushing IPv4 mangle table

 * Flushing IPv4 raw table

 * Flushing IPv6 filter table

 * Flushing IPv6 nat table

 * Flushing IPv6 mangle table

 * Flushing IPv6 raw table

 * Flushing conntrack table ...

 * Populating IPv4 filter table

   * Zone 'lan'

   * Zone 'wan'

   * Zone 'vpn'

   * Zone 'l2tp'

   * Zone 'pptp'

   * Zone 'gre'

   * Zone 'hotspot'

   * Zone 'sstp'

   * Rule 'Allow-DHCP-Renew'

   * Rule 'Allow-Ping'

   * Rule 'Allow-vpn-traffic'

   * Rule 'Allow_TR069_server_request'

   * Rule #7

   * Forward 'vpn' -> 'lan'

   * Forward 'l2tp' -> 'lan'

   * Forward 'pptp' -> 'lan'

   * Forward 'gre' -> 'lan'

   * Forward 'hotspot' -> 'wan'

 * Populating IPv4 nat table

   * Zone 'lan'

   * Zone 'wan'

   * Zone 'vpn'

   * Zone 'l2tp'

   * Zone 'pptp'

   * Zone 'gre'

   * Zone 'hotspot'

   * Zone 'sstp'

 * Populating IPv4 mangle table

   * Zone 'lan'

   * Zone 'wan'

   * Zone 'vpn'

   * Zone 'l2tp'

   * Zone 'pptp'

   * Zone 'gre'

   * Zone 'hotspot'

   * Zone 'sstp'

 * Populating IPv4 raw table

   * Zone 'lan'

   * Zone 'wan'

   * Zone 'vpn'

   * Zone 'l2tp'

   * Zone 'pptp'

   * Zone 'gre'

   * Zone 'hotspot'

   * Zone 'sstp'

 * Populating IPv6 filter table

   * Zone 'lan'

   * Zone 'wan'

   * Zone 'vpn'

   * Zone 'l2tp'

   * Zone 'pptp'

   * Zone 'gre'

   * Zone 'hotspot'

   * Zone 'sstp'

   * Rule 'Allow-DHCPv6'

   * Rule 'Allow-ICMPv6-Input'

   * Rule 'Allow-ICMPv6-Forward'

   * Rule 'Allow_TR069_server_request'

     ! Skipping due to different family of ip address

   * Rule #7

   * Forward 'vpn' -> 'lan'

   * Forward 'l2tp' -> 'lan'

   * Forward 'pptp' -> 'lan'

   * Forward 'gre' -> 'lan'

   * Forward 'hotspot' -> 'wan'

 * Populating IPv6 nat table

   * Zone 'lan'

Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'

Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'

   * Zone 'wan'

Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule'

Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule'

   * Zone 'vpn'

Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_vpn_rule'

Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_vpn_rule'

   * Zone 'l2tp'

Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_l2tp_rule'

Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_l2tp_rule'

   * Zone 'pptp'

Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_pptp_rule'

Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_pptp_rule'

   * Zone 'gre'

Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_gre_rule'

Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_gre_rule'

   * Zone 'hotspot'

Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_hotspot_rule'

Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_hotspot_rule'

   * Zone 'sstp'

Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_sstp_rule'

Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_sstp_rule'

Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'

Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'

 * Populating IPv6 mangle table

   * Zone 'lan'

   * Zone 'wan'

   * Zone 'vpn'

   * Zone 'l2tp'

   * Zone 'pptp'

   * Zone 'gre'

   * Zone 'hotspot'

   * Zone 'sstp'

 * Populating IPv6 raw table

   * Zone 'lan'

   * Zone 'wan'

   * Zone 'vpn'

   * Zone 'l2tp'

   * Zone 'pptp'

   * Zone 'gre'

   * Zone 'hotspot'

   * Zone 'sstp'

 * Set tcp_ecn to off

 * Set tcp_syncookies to on

 * Set tcp_window_scaling to on

 * Running script '/etc/firewall.user'

 * Running script '/tmp/privoxy/firewall'

   ! Skipping due to path error: No such file or directory

 * Running script '/etc/logtrigger/fwblock_wrapper.sh'

80,443

 * Running script '/etc/add-firewall-rule.sh'

 * Running script '/etc/add-rs-rule.sh'

 * Running script '/etc/add-port-rule.sh'

iptables: Bad rule (does a matching rule exist in that chain?).

iptables: Bad rule (does a matching rule exist in that chain?).

iptables: Bad rule (does a matching rule exist in that chain?).

iptables: Bad rule (does a matching rule exist in that chain?).

iptables: Bad rule (does a matching rule exist in that chain?).

   ! Failed with exit code 1

 * Running script '/tmp/ipsec/firewall.sh'

   ! Skipping due to path error: No such file or directory

root@Teltonika-RUT955:~# uci show firewall | grep tun0

firewall.hotspot.device='tun0 tun1 tun2 tun3'

root@Teltonika-RUT955:~# uci show firewall | grep hotspot

firewall.hotspot=zone

firewall.hotspot.name='hotspot'

firewall.hotspot.input='REJECT'

firewall.hotspot.output='ACCEPT'

firewall.hotspot.forward='REJECT'

firewall.hotspot.device='tun0 tun1 tun2 tun3'

firewall.hotspot.network='hotspot'

firewall.@forwarding[4].src='hotspot'

firewall.Hotspot_input.src='hotspot'

firewall.TR069.src='hotspot'

root@Teltonika-RUT955:~# uci show firewall | grep 4

firewall.@rule[1].family='ipv4'

firewall.@rule[2].family='ipv4'

firewall.@rule[3].family='ipv4'

firewall.@rule[3].dest_port='1194'

firewall.@forwarding[4]=forwarding

firewall.@forwarding[4].dest='wan'

firewall.@forwarding[4].src='hotspot'

firewall.@include[4]=include

firewall.@include[4].path='/etc/add-rs-rule.sh'

firewall.@include[4].reload='1'

firewall.Hotspot_input.dest_port='53 67-68 444 81 1812 1813 3991 3990'

firewall.@rule[6].dest_port='4200-4220'

firewall.@rule[8].dest_port='443'

firewall.@rule[11].src_port='547'

firewall.@rule[11].dest_port='546'

firewall.@rule[14]=rule

firewall.@rule[14].name='Allow-l2tpd-on-1701'

firewall.@rule[14]._name='l2tpd'

firewall.@rule[14].target='ACCEPT'

firewall.@rule[14].proto='udp'

firewall.@rule[14].dest_port='1701'

firewall.@rule[14].family='ipv4'

firewall.@rule[14].src='wan'

firewall.@rule[14].enabled='0'

firewall.@rule[15].family='ipv4'

firewall.@rule[16].family='ipv4'

firewall.@rule[17].family='ipv4'

firewall.IPsecNAT.dest_port='4500'

firewall.E_HTTPS_W_P.src_dport='443'

firewall.E_CLI_W_P.src_dport='4200-4220'

firewall.ALLOW_GRE.proto='47'

root@Teltonika-RUT955:~# reboot

root@Teltonika-RUT955:~# client_loop: send disconnect: Broken pipe

And locks me out of the VPN tunnel. We couldn't find our VPN tunnel back.

Just a short note out of the result of uci firewall I assumed tun0 is defined as hotspot

firewall.hotspot.device='tun0 tun1 tun2 tun3'