
I'm trying to reach my OpenVPN server, which is deployed on a USG.

The USG has a WAN with IP address 192.168.1.110. On the router this interface is named eth2.

Running

sudo tcpdump -ni eth2 dst host 192.168.1.110 and dst port 1194 -vv

I can see packets arriving:

tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes
20:15:06.395294 IP (tos 0x0, ttl 57, id 12658, offset 0, flags [none], proto UDP (17), length 70)
    <Public-IP>.18525 > 192.168.1.110.1194: [udp sum ok] UDP, length 42

The problem is that those packets should end up on the interface vtun1, which is the interface where the OpenVPN server is deployed with subnet 172.16.10.0/24, but they never arrive there. I see nothing when running

sudo tcpdump -ni vtun1

This is my configuration:

{
  "firewall": {
    "name": {
      "WAN_IN": {
        "rule": {
          "20": {
            "action": "accept",
            "description": "allow OpenVPN",
            "destination": {
              "address": "172.16.10.1",
              "port": "1194"
            },
            "log": "enable",
            "protocol": "udp"
          }
        }
      },
      "WAN_LOCAL": {
        "rule": {
          "20": {
            "action": "accept",
            "description": "allow OpenVPN",
            "destination": {
              "port": "1194"
            },
            "log": "enable",
            "protocol": "udp"
          }
        }
      }
    },
    "group": {
      "network-group": {
        "openvpn_network": {
          "description": "OpenVPN subnets",
          "network": ["192.168.100.0/28"]
        }
      }
    },
    "modify": {
      "SOURCE_ROUTE": {
        "rule": {
          "5": {
            "action": "modify",
            "description": "route traffic from LAN to openvpn_network",
            "modify": {
              "table": "main"
            },
            "destination": {
              "address": "192.168.10.1/24"
            }
          },
          "10": {
            "action": "modify",
            "description": "route traffic from openvpn_network to vtun0",
            "modify": {
              "table": "2"
            },
            "source": {
              "group": {
                "network-group": "openvpn_network"
              }
            }
          }
        }
      }
    },
    "source-validation": "disable"
  },
  "load-balance": {
    "group": {
      "wan_failover": {
        "interface": {
          "eth0": {
            "route-test": {
              "count": {
                "failure": "6",
                "success": "1"
              },
              "initial-delay": "20",
              "interval": "15",
              "type": {
                "ping": {
                  "target": "8.8.8.8"
                }
              }
            }
          },
          "eth2": {
            "route-test": {
              "count": {
                "failure": "6",
                "success": "1"
              },
              "initial-delay": "20",
              "interval": "15",
              "type": {
                "ping": {
                  "target": "8.8.8.8"
                }
              }
            }
          }
        }
      }
    }
  },
  "interfaces": {
    "ethernet": {
      "eth1": {
        "vif": {
          "10": {
            "address": [
              "192.168.100.1/28"
            ],
            "firewall": {
              "in": {
                "modify": "SOURCE_ROUTE",
                "name": "LAN_IN"
              }
            }
          }
        }
      }
    },
    "openvpn": {
      "vtun0": {
        "config-file": "/config/user-data/client.ovpn",
        "description": "OpenVPN Client"
      },
      "vtun1": {
        "description": "OpenVPN Server",
        "encryption": "aes256",
        "mode": "server",
        "openvpn-option": [
          "--keepalive 10 120",
          "--comp-lzo",
          "--duplicate-cn",
          "--user nobody --group nogroup",
          "--verb 3",
          "--proto udp",
          "--port 1194",
          "--tls-auth /config/auth/keys/ta.key 0",
          "--push route 10.10.0.0 255.255.252.0",
          "--push route 192.168.200.0 255.255.255.224",
          "--push route 192.168.10.0 255.255.255.0"
        ],
        "server": {
          "subnet": "172.16.10.0/24",
          "name-server": "192.168.10.1"
        },
        "tls": {
          "ca-cert-file": "/config/auth/keys/ca.crt",
          "cert-file": "/config/auth/keys/server.crt",
          "dh-file": "/config/auth/keys/dh2048.pem",
          "key-file": "/config/auth/keys/server.key"
        }
      }
    }
  },
  "protocols": {
    "static": {
      "table": {
        "2": {
          "interface-route": {
            "0.0.0.0/0": {
              "next-hop-interface": {
                "vtun0": "''"
              }
            }
          }
        }
      }
    }
  },
  "service": {
    "gui": {
      "listen-address": "192.168.10.1",
      "older-ciphers": "disable"
    },
    "nat": {
      "rule": {
        "1001": {
          "description": "OpenVPN server traffic to WAN2 [eth2] - DNAT",
          "log": "enable",
          "inbound-interface": "eth2",
          "inside-address": {
            "address": "172.16.10.1",
            "port": "1194"
          },
          "destination": {
            "address": "192.168.1.110",
            "port": "1194"
          },
          "protocol": "udp",
          "type": "destination"
        },
        "1002": {
          "description": "OpenVPN server traffic to WAN1 [vtun1] - Hairpin NAT",
          "log": "enable",
          "inbound-interface": "vtun1",
          "inside-address": {
            "address": "172.16.10.1",
            "port": "1194"
          },
          "destination": {
            "address": "192.168.1.110",
            "port": "1194"
          },
          "protocol": "udp",
          "type": "destination"
        },
        "5001": {
          "description": "MASQ openvpn_network to VPN",
          "log": "disable",
          "outbound-interface": "vtun0",
          "source": {
            "group": {
              "network-group": "openvpn_network"
            }
          },
          "type": "masquerade"
        },
        "5002": {
          "destination": {
            "address": ["192.168.1.1"]
          },
          "description": "Access to Huawei B2368 antenna (O2 LTE)",
          "outbound-interface": ["eth2"],
          "type": "masquerade"
        },
        "5003": {
          "destination": {
            "address": ["192.168.8.1"]
          },
          "description": "Access to Huawei B535-232 (T-Mobile LTE)",
          "outbound-interface": ["eth0"],
          "type": "masquerade"
        },
        "5004": {
          "description": "MASQ OpenVPN server traffic to WAN1 [vtun1] - Hairpin NAT",
          "log": "enable",
          "outbound-interface": "vtun1",
          "source": {
            "address": "172.16.10.0/24"
          },
          "destination": {
            "address": "172.16.10.1",
            "port": "1194"
          },
          "protocol": "udp",
          "type": "masquerade"
        }
      }
    },
    "ssh": {
      "listen-address": "192.168.10.1",
      "protocol-version": "v2"
    }
  }
}

What am I missing?

    I have never personally set up OpenVPN on a USG, but there are some step-by-step tutorials out there for accomplishing this. Are you following one of those? If so, which one?
    – Sam Forbis
    Commented Jun 21, 2020 at 22:56



I've solved this. It turns out that the NAT rules 1001, 1002, and 5004 are not needed at all; removing them made the OpenVPN traffic reach vtun1.
