by anonymous
Hey,

I have a problem with my RUT955. I run an OpenVPN server which uses TAP and has two interfaces configured. Interface 1 has the public IP of the OpenVPN server. Interface 2 is connected to netbr2, which has the IP 10.15.1.43/16. This is the LAN of the OpenVPN server.

My RUT955 uses the mobile network of Telefonica as WAN. As LAN, the RUT955 provides the subnet 192.168.21.0/24. The RUT955 should now establish a connection to the OpenVPN server and make the LAN of the OpenVPN server (10.15.0.0/16) accessible. So a NAT from the LAN to the tap interface of the RUT955 is necessary. That is where my problem is at the moment.

The RUT955 is already connected to my OpenVPN and has also been assigned an IP from my OpenVPN server. The RUT955 has the IP "10.15.90.10" inside the tunnel. I can also ping the remote devices in the subnet "10.15.0.0/16" from the RUT955 without any problems. A ping from a device within the 10.15.0.0/16 subnet also reaches the RUT955 without problems. However, it is not possible to reach the devices in the 10.15.0.0/16 subnet from the LAN of the RUT955. A tcpdump on the OpenVPN server shows that the ICMP requests do not arrive at all. The RUT955 does not seem to NAT the LAN for the VPN. Unfortunately I can't get any further with the firewall configuration. How exactly can I configure the firewall so that this works?

1 Answer

0 votes
by anonymous
Hi nightcore500,

Please take note that the LAN networks of the VPN server and client need to be from the same subnet when configuring a TAP connection. The TAP connection operates at the data link layer (OSI layer 2), creating a network bridge between two Ethernet segments in different locations. Based on the above, I suggest you configure OpenVPN to work with a TUN connection and make the LAN segments routable through the tunnel. I will drop two links below regarding this topic:

https://wiki.teltonika-networks.com/view/RUT955_VPN#OpenVPN

https://wiki.teltonika-networks.com/view/OpenVPN_configuration_examples

I hope you find this information useful. I will keep an eye on your comments.

Regards.
by anonymous
Thank you for your answer. However, from an OpenVPN point of view this is not quite correct. With a TAP-configured server/client, normal routing including NAT is also possible. The interface behaves the same (as you said) as a normal Ethernet interface because it is an L2 tunnel. I have already configured the setup described here on Debian "routers" and have it in use. The reason why a TAP-based configuration is used at all is that some of the OpenVPN clients also bridge the tap interface with other interfaces, but only where this is mandatory.

In the meantime I have also tried some configurations and understood a little better how the firewall is configured via the GUI. The configuration now partly works. However, at the moment unfortunately without the possibility for the OpenVPN server to assign an IP to the RUT client.

After multiple failures I decided to reset the RUT to factory settings. Oddly enough, the result behaved a bit differently after that, so I looked at the configuration via CLI again. This time the tap interface was added to the LAN bridge. This was not the case before. However, this was not what I intended either, which is why I removed the tap interface from the LAN bridge in the GUI. I noticed that under Network - Network Interfaces there is no "interface" assigned to the tap device. I previously assumed that the "openvpn" entry in the firewall menu is automatically assigned to the tap device. But this is apparently not correct? My settings in the firewall therefore apparently had no influence. Now I have created an "interface", selected static as "protocol", assigned 10.15.90.10 and selected the tap device. Then I created a new zone in the firewall and configured the NAT between LAN and VPN. The result was that still no NAT was applied, but now ICMP requests arrived; however, the source IP was 192.168.21.xxx. After a restart of the RUT this problem was also solved. From the LAN of the RUT it is now possible to reach the remote subnet.

However, since I was forced to select "static" in the GUI, it is not possible to assign the IP to the RUT via the ifconfig-push command from the OpenVPN server. This is how my clients are normally configured. Sure, I could also choose DHCP and run a DHCP server in the subnet of the OpenVPN server. However, I would not like to deviate from my standard client configuration. Is there no other possibility? At the moment it looks like the configuration option for this purpose is missing. Or am I missing something here?
by anonymous

Hi nightcore500,

I was able to replicate your scenario by using another Teltonika device as a server, so the server configuration is probably not quite the same; still, you could use the following information as guidance to solve your query:

Regarding assigning an IPv4 address to the router (client) tap interface from the OpenVPN server configuration, I have been able to do it by declaring the client-config-dir directive on the server configuration. For more detailed information about this directive, you can check the link below:

https://openvpn.net/community-resources/reference-manual-for-openvpn-2-0/

Regarding firewall zones and rules, this is my RUT955 (OpenVPN client) configuration:

root@Teltonika-RUT955:~# cat /etc/config/firewall

config zone
    option device 'tun_+ tun+ tap+'
    option name 'openvpn'
    option masq '1'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option network 'openvpn'
    option mtu_fix '0'
    option output 'ACCEPT'

config forwarding
        option dest 'lan'
        option src 'openvpn'

config forwarding
        option dest 'openvpn'
        option src 'lan'

config rule
        option dest_port '1194'
        option src 'wan'
        option name 'Allow-openvpn-traffic'
        option target 'ACCEPT'
        option vpn_type 'openvpn'
        option proto 'tcp udp'
        option family 'ipv4'

*If tap+ is missing from the zone config, please add it and reboot your device.

This is also what the iptables output looks like:

root@Teltonika-RUT955:~# iptables -L -v | grep tap
  1  84 zone_openvpn_input all -- tap+  any   anywhere       anywhere       /* !fw3 */
  0   0 zone_openvpn_forward all -- tap+  any   anywhere       anywhere       /* !fw3 */
  0   0 zone_openvpn_output all -- any  tap+  anywhere       anywhere       /* !fw3 */
  0   0 DROP    all -- any  tap+  anywhere       anywhere       ctstate INVALID /* !fw3: Prevent NAT leakage */
  0   0 ACCEPT   all -- any  tap+  anywhere       anywhere       /* !fw3 */
  1  84 ACCEPT   all -- tap+  any   anywhere       anywhere       ctstate NEW,UNTRACKED /* !fw3 */

Also, here is an image of my WebUI OpenVPN client configuration:

https://community.teltonika-networks.com/?qa=blob&qa_blobid=13191750865080106853

https://community.teltonika-networks.com/?qa=blob&qa_blobid=15389222558620993382

Regarding the network address translation, if your OpenVPN firewall zone has masquerading enabled, all outgoing traffic is translated to your tap interface IP address. However, if the traffic coming from your server to your LAN router RUT955 does not belong to the same OpenVPN address network, make sure to apply iptables masquerading or a network translation on the server-side tunnel interface.

Finally, this is what my RUT955 tap interface and OpenVPN log configuration look like:

https://community.teltonika-networks.com/?qa=blob&qa_blobid=9389561436871900544

https://community.teltonika-networks.com/?qa=blob&qa_blobid=13435586397830371666

I hope this information helps you to solve your query.
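The zone layout in the reply above (tap+ in the zone's device list, masquerading on, the zone bound to a network interface, and forwardings in both directions between lan and openvpn) can be checked mechanically. The following is an added example, not code from the thread or from Teltonika: it parses a UCI-style /etc/config/firewall and reports which of those conditions is missing, using a constructed sample config that mirrors the posted one.

```python
# Added example (not from the thread): parse a UCI /etc/config/firewall and check
# the 'openvpn' zone the way the support reply describes. The sample is constructed.

def parse_uci(text):
    """Parse 'config <type>' and 'option <key> <value>' lines into section dicts."""
    sections, cur = [], None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 2)
        if not parts:
            continue
        if parts[0] == "config":
            cur = {"type": parts[1], "opts": {}}
            sections.append(cur)
        elif parts[0] == "option" and cur is not None and len(parts) == 3:
            cur["opts"][parts[1]] = parts[2].strip("'\"")
    return sections

def check_openvpn_zone(text, zone="openvpn", lan="lan"):
    """Return a list of problems; an empty list means the layout matches the post."""
    secs = parse_uci(text)
    zones = [s for s in secs if s["type"] == "zone" and s["opts"].get("name") == zone]
    if not zones:
        return ["zone '%s' not defined" % zone]
    opts, problems = zones[0]["opts"], []
    if "tap+" not in opts.get("device", "").split():
        problems.append("no tap+ in zone devices")   # the fix called out in the post
    if opts.get("masq") != "1":
        problems.append("masq disabled")             # LAN sources would leave untranslated
    if not opts.get("network"):
        problems.append("zone bound to no network interface")
    fwd = {(s["opts"].get("src"), s["opts"].get("dest"))
           for s in secs if s["type"] == "forwarding"}
    for src, dst in ((lan, zone), (zone, lan)):
        if (src, dst) not in fwd:
            problems.append("missing forwarding %s -> %s" % (src, dst))
    return problems

# Constructed sample mirroring the zone and forwardings from the reply above.
SAMPLE = """config zone
    option device 'tun_+ tun+ tap+'
    option name 'openvpn'
    option masq '1'
    option network 'openvpn'
config forwarding
    option src 'openvpn'
    option dest 'lan'
config forwarding
    option src 'lan'
    option dest 'openvpn'
"""
```

Running `check_openvpn_zone(open("/etc/config/firewall").read())` on the router itself reproduces the manual inspection from the reply; any non-empty result names the setting to fix before rebooting.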