VPN - Client cannot access hosts lan

Report wireless and/or network connectivity problems in this forum.


RomanHK
Posts: 794
Joined: Sat May 04, 2013 4:18 pm
Location: Czech Republic

Re: VPN - Client cannot access hosts lan

Post by RomanHK »

coolman wrote:I've tried a Sophos UTM connection with OpenVPN with the same issue; to solve the issue I have set a NAT Masquerade for internal and external.
How can I replicate this setting with gargoyle?
Edit the /etc/config/firewall file via ssh and add the following lines to the appropriate zones:

option masq '1'
option mtu_fix '1'

To apply the changes, restart the firewall:

/etc/init.d/firewall restart

... or restart the router.
Turris Omnia with OpenWrt 21.02 - Tested
Linksys WRT3200ACM with Gargoyle 1.13.x
TL-WR1043ND v2 with Gargoyle 1.10.0

http://gargoyle.romanhk.cz custom builds by gargoyle users

coolman
Posts: 23
Joined: Mon May 11, 2015 10:35 am

Re: VPN - Client cannot access hosts lan

Post by coolman »

Hi Roman, thanks for your reply. I've modified the firewall file and rebooted, but nothing changed. I can ping the IP of Gargoyle and the IP of the VPN, but nothing else. This is my firewall config (the default, plus the masq and mtu options added to the 3 forwardings at the end of the file).
Do you have any more tricks to solve my problem?
Thanks ;)

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'
	option reload '1'

config include
	option type 'script'
	option path '/usr/lib/gargoyle_firewall_util/gargoyle_additions.firewall'
	option family 'IPv4'
	option reload '1'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config include 'openvpn_include_file'
	option path '/etc/openvpn.firewall'
	option reload '1'

config include 'tor_include_file'
	option path '/etc/tor.firewall'
	option reload '1'

config zone 'vpn_zone'
	option name 'vpn'
	option device 'tun0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	option masq '1'

config forwarding 'vpn_lan_forwarding'
	option src 'lan'
	option dest 'vpn'
	
config forwarding 'lan_wan_forwarding'
	option src 'lan'
	option dest 'wan'
	option masq '1'
	option mtu_fix '1'

config forwarding 'lan_vpn_forwarding'
	option src 'vpn'
	option dest 'lan'
	option masq '1'
	option mtu_fix '1'
	
config remote_accept 'ra_openvpn'
	option zone 'wan'
	option local_port '1194'
	option remote_port '1194'
	option proto 'udp'

config forwarding 'vpn_wan_forwarding'
	option src 'vpn'
	option dest 'wan'
	option masq '1'
	option mtu_fix '1'

openvpn_gargoyle

config server 'server'
	option internal_ip '10.8.0.1'
	option internal_mask '255.255.255.0'
	option port '1194'
	option proto 'udp'
	option cipher 'AES-256-CBC'
	option client_to_client 'false'
	option duplicate_cn 'false'
	option redirect_gateway 'true'
	option enabled 'true'
	option subnet_access 'true'
	option subnet_ip '192.168.10.0'
	option subnet_mask '255.255.255.0'

config client 'client'
	option enabled 'false'

config allowed_client 'client1'
	option id 'client1'
	option name 'Client1'
	option ip '10.8.0.2'
	option remote 'WANIP'
	option prefer_vpngateway '0'
	option enabled 'true'

RomanHK
Posts: 794
Joined: Sat May 04, 2013 4:18 pm
Location: Czech Republic

Re: VPN - Client cannot access hosts lan

Post by RomanHK »

:D The two lines belong only to the "zone". In "forwarding" they do not belong, have no effect, and are wrong ;) .
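As an added example (not code from the thread or the Gargoyle project), a small POSIX shell/awk linter for the point made above: `masq` and `mtu_fix` are zone options, so it flags them when they appear under a `config forwarding` section and can emit a copy of the file with those lines dropped. The sample config below is constructed to mirror the thread, and the function names are my own.

```shell
#!/bin/sh
# Added example: lint an OpenWrt/Gargoyle UCI firewall file for 'masq' and
# 'mtu_fix' options placed inside 'config forwarding' sections, where they
# have no effect (they only apply to 'config zone').

lint_forwarding_masq() {
    # $1 = path to a UCI firewall file; prints offenders, returns 1 if any
    awk '
        /^config[ \t]/ { section = $2; name = ($3 == "") ? "(unnamed)" : $3 }
        section == "forwarding" && /^[ \t]*option[ \t]+(masq|mtu_fix)[ \t]/ {
            printf "line %d: option %s has no effect in forwarding %s\n", NR, $2, name
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

strip_forwarding_masq() {
    # $1 = path to a UCI firewall file; prints it with misplaced options removed
    awk '
        /^config[ \t]/ { section = $2 }
        section == "forwarding" && /^[ \t]*option[ \t]+(masq|mtu_fix)[ \t]/ { next }
        { print }
    ' "$1"
}

# Constructed sample: masq on the vpn zone (correct) and on a forwarding (wrong)
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
config zone 'vpn_zone'
	option name 'vpn'
	option device 'tun0'
	option masq '1'
	option mtu_fix '1'

config forwarding 'lan_vpn_forwarding'
	option src 'vpn'
	option dest 'lan'
	option masq '1'
	option mtu_fix '1'
EOF

if lint_forwarding_masq "$SAMPLE"; then
    echo "no misplaced options found"
else
    strip_forwarding_masq "$SAMPLE" > "$SAMPLE.fixed"
    echo "cleaned copy written to $SAMPLE.fixed"
fi
```

Run it against a copy of /etc/config/firewall pulled from the router over ssh; the zone entries are left untouched, only the forwarding sections are cleaned.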

RomanHK
Posts: 794
Joined: Sat May 04, 2013 4:18 pm
Location: Czech Republic

Re: VPN - Client cannot access hosts lan

Post by RomanHK »

Maybe this documentation will help you:
https://openwrt.org/docs/guide-user/fir ... masquerade
https://openwrt.org/docs/guide-user/fir ... tion#zones

I recommend trying it on OpenWrt via LuCI and then copying the configuration to Gargoyle; I have nothing better.

coolman
Posts: 23
Joined: Mon May 11, 2015 10:35 am

Re: VPN - Client cannot access hosts lan

Post by coolman »

Thanks Roman, I will try to see and try to understand how it works. :geek:

Forger38
Posts: 5
Joined: Fri Oct 11, 2019 11:53 am

Re: VPN - Client cannot access hosts lan

Post by Forger38 »

I've tried that and it works, thanks!
