1
I have set up an OpenVPN client on my home router. The moment the tunnel goes up, I can no longer ping my router from the internet using its WAN_IP. I would like to allow certain incoming connections (ping, ssh) through the WAN interface while the vpn tunnel is up. I read a little bit about this, and I understand I need source-based routing.
I tried to implement that, but it's not working. Here's what I did:
# ip rule list
0: from all lookup local
32765: from all fwmark 0x1 lookup 128
32766: from all lookup main
32767: from all lookup default
# ip route list table 128
default via WAN_IP dev vlan2
# iptables -t mangle -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 CONNMARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore
0 0 CONNMARK all -- vlan2 * 0.0.0.0/0 0.0.0.0/0 CONNMARK set 0x1
# iptables -t mangle -nvL OUTPUT
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore
My thinking was the following. Please correct me if I misunderstood something:
- When a packet arrives on vlan2 (the WAN iface), PREROUTING:2 sets a connection mark of 0x1
- The packet has no packet mark at this point (is this right?)
- The packet has the router as destination, so it will be received. If this was DNATed, the previous point would be crucial because table 128 is missing LAN stuff.
- A reply packet is locally generated.
- OUTPUT:1 will set a packet mark of 0x1 using the connection mark on the reply packet
- PREROUTING:1 would do the same for DNATed connections on LAN (br0)
- The reply packet with mark 0x1 will be routed using table 128.
Unfortunately this is not working, and I would like to understand why. From a remote server, if I ping the WAN_IP, I don't see any replies. I also turned on ssh remote access on the router, and I cannot open the port from the remote computer with telnet WAN_IP SSH_PORT
, so this is not only an icmp issue. How does one debug these issues?
Update: I checked rp_filter
and it was set to 1. I tried setting it to 0, and now everything works as expected (2 didn't work either). Since this is an internet facing router, I'm thinking that no RPF might not be a great idea. From the little I understand, when strict RPF runs on the initial packet, the kernel observes the route back to REMOTE_IP is through TUN_IF, while the packet arrived on WAN_IF, so it is dropped. Is this right? I tried MARK set 0x1 && CONNMARK save
as mangle PREROUTING, hoping the kernel would see the mark during RPF, but it doesn't.
I suppose you mean WAN_IP? Q1: The router runs dnsmasq, wouldn't this cause DNS traffic to go out through the WAN? What SRC_IP would DNS traffic have, WAN_IP or TUN_IP? Q2: Eventually, I want to allow incoming ssh not just on the router but on my desktop as well (that's why I had PREROUTING:1). Could I do that as well without mangling? – Matei David – 2014-10-01T15:49:23.537
@MateiDavid 1) Yes 2) Not if you use WANIP in answer one. 3) TUN_IP 4) Yes, but you will have in any case to use a different port for ssh to your pc. In this case, replies to ssh will apperar to be coming from the LAN, while those from dd-wrt from WAN_IP – MariusMatutiae – 2014-10-01T16:38:23.840
I don't understand the last part. Clearly the forwarded ssh port will be different. Port forwarding on the router's UI will add a nat rule of the form
-i vlan2 -p tcp --dport PC_SSH -j DNAT --to-dest PC_IP:PC_SSH
. But how do I route replies back without mangling and marks? If I doip rule from PC_IP table theother
, then all pc traffic would go out on WAN_IF, defeating the purpose of having a vpn tunnel, isn't that right? – Matei David – 2014-10-01T20:55:08.790