openvpn
portpolaris, 2019-10-28 14:51:19

openvpn openwrt port forwarding?

Greetings.
A question:
there are 2 routers on OpenWrt, with OpenVPN between them. Server config:

config openvpn 'severst'
  option port '1195'
  option proto 'udp'
  option dev 'tun'
  option keepalive '10 60'
  option verb '3'
  option server '172.16.10.0 255.255.255.0'
  option client_config_dir '/etc/openvpn/ccd/'
  option client_to_client '1'
  option ifconfig '172.16.10.1 255.255.255.0'
  option enabled '1'
  option log_append '/var/log/openvpn.log'
  option status '/var/run/openvpn.status 5'
  option persist_tun '1'
  option persist_key '1'
  list push 'route 192.168.1.0 255.255.255.0'
  option tls_server '1'
  option dh '/etc/luci-uploads/cbid.openvpn.severga.dh'
  option ca '/etc/luci-uploads/cbid.openvpn.severga.ca'
  option cert '/etc/luci-uploads/cbid.openvpn.severga.cert'
  option key '/etc/luci-uploads/cbid.openvpn.severga.key'
  option comp_lzo 'no'
  list route '192.168.2.0 255.255.255.0'

/etc/rc.local:
# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.
iptables -I FORWARD -i br-lan -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br-lan -j ACCEPT
iptables -I INPUT -i tun0 -p tcp --dport 80 -j ACCEPT
exit 0

client config:
config openvpn 'custom_config'
  option config '/etc/openvpn/my-vpn.conf'
  option log_append '/var/log/openvpn.log'
  option status '/var/run/openvpn.status 5'
  option persist_tun '1'
  option persist_key '1'
  option nobind '1'
  option client '1'
  option proto 'udp'
  option dev 'tun'
  option pull '1'
  option resolv_retry 'infinite'
  option ns_cert_type 'server'
  option ca '/etc/luci-uploads/cbid.openvpn.custom_config.ca'
  option cert '/etc/luci-uploads/my-client.crt'
  option key '/etc/luci-uploads/my-client.key'
  option enabled '1'
  option comp_lzo 'no'
  list remote 'x.x.x.x 1195'

/etc/rc.local:
# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.
iptables -I FORWARD -i br-lan -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br-lan -j ACCEPT
iptables -I INPUT -i tun0 -p tcp --dport 80 -j ACCEPT
exit 0

Devices from the first network 192.168.1.1 see devices from 192.168.2.1 and vice versa; port 564 needs to be forwarded from the WAN of the first network to the address 192.168.2.245 in the second network.
Done so far:
server:
config redirect
  option dest_port '564'
  option src 'wan'
  option src_dport '564'
  option target 'DNAT'
  option dest_ip '172.16.10.6'
  option proto 'tcp'

client:
config redirect
  option enabled '1'
  option target 'DNAT'
  option dest 'lan'
  option proto 'tcp'
  option src_dport '564'
  option dest_ip '192.168.2.245'
  option name '564'
  option dest_port '8090'
  option src 'vpn'

config zone
  option input 'ACCEPT'
  option output 'ACCEPT'
  option name 'vpn'
  option forward 'ACCEPT'
  option network 'vpn0'

What am I doing wrong? What is missing? Forwarding doesn't work.


1 answer(s)
Dmitry, 2019-10-28
@hempy80

Why do you need double dst-nat? One rule on the "server" is enough. You see each other's networks; there are routes.
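As an added example, not taken from the question or from Dmitry's answer: the single server-side redirect the answer describes, in OpenWrt UCI syntax with the question's own addresses and ports. The rule name is an assumption; the client router gets no redirect at all.

```uci
# /etc/config/firewall on the OpenVPN *server* router (added example, not from the thread).
# One DNAT rule sends WAN:564 straight to the host behind the client router.
# The server config already carries 'list route 192.168.2.0 255.255.255.0' for the
# tunnel, so the rewritten packet is routed to the client router, whose rc.local
# rules already accept FORWARD tun0 -> br-lan.
config redirect
  option name 'fwd_564'
  option src 'wan'
  option src_dport '564'
  option proto 'tcp'
  option target 'DNAT'
  option dest_ip '192.168.2.245'
  option dest_port '8090'

# On the client router, delete the second 'config redirect' (src 'vpn',
# dest_ip 192.168.2.245) from the question: the packet must not be rewritten twice.
```

One caveat the thread does not state: DNAT keeps the original Internet source address, so if the client router's default route is not through the tunnel (the client config shown has no redirect-gateway), replies from 192.168.2.245 leave via the client router's WAN and the TCP handshake never completes. Masquerading the server's tunnel-facing zone, so that the source becomes 172.16.10.1, is the usual fix in that case.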
