Re: VPN - Client cannot access hosts lan

Posted: Fri Sep 27, 2019 9:59 am
by RomanHK
coolman wrote: I've tried a Sophos UTM connection with OpenVPN and had the same issue; to solve it I set a NAT masquerade for internal and external.
How can I replicate this setting with gargoyle?
Edit the /etc/config/firewall file via ssh and add the following lines to the appropriate zones:

Code:

option masq '1'
option mtu_fix '1'
To apply the changes, restart the firewall:

Code:

/etc/init.d/firewall restart
... or restart the router.

Re: VPN - Client cannot access hosts lan

Posted: Fri Sep 27, 2019 12:32 pm
by coolman
Hi Roman, thanks for your reply. I've modified the firewall file and rebooted, but nothing changed. I can ping the IP of Gargoyle and the IP of the VPN, but nothing else. This is my firewall config (it is the default plus the masq and mtu options added to the 3 forwardings at the end of the file).
Do you have any more tricks to solve my problem?
thanks ;)

Code:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'
	option reload '1'

config include
	option type 'script'
	option path '/usr/lib/gargoyle_firewall_util/gargoyle_additions.firewall'
	option family 'IPv4'
	option reload '1'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config include 'openvpn_include_file'
	option path '/etc/openvpn.firewall'
	option reload '1'

config include 'tor_include_file'
	option path '/etc/tor.firewall'
	option reload '1'

config zone 'vpn_zone'
	option name 'vpn'
	option device 'tun0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	option masq '1'

config forwarding 'vpn_lan_forwarding'
	option src 'lan'
	option dest 'vpn'
	
config forwarding 'lan_wan_forwarding'
	option src 'lan'
	option dest 'wan'
	option masq '1'
	option mtu_fix '1'

config forwarding 'lan_vpn_forwarding'
	option src 'vpn'
	option dest 'lan'
	option masq '1'
	option mtu_fix '1'
	
config remote_accept 'ra_openvpn'
	option zone 'wan'
	option local_port '1194'
	option remote_port '1194'
	option proto 'udp'

config forwarding 'vpn_wan_forwarding'
	option src 'vpn'
	option dest 'wan'
	option masq '1'
	option mtu_fix '1'

openvpn_gargoyle

Code:

config server 'server'
	option internal_ip '10.8.0.1'
	option internal_mask '255.255.255.0'
	option port '1194'
	option proto 'udp'
	option cipher 'AES-256-CBC'
	option client_to_client 'false'
	option duplicate_cn 'false'
	option redirect_gateway 'true'
	option enabled 'true'
	option subnet_access 'true'
	option subnet_ip '192.168.10.0'
	option subnet_mask '255.255.255.0'

config client 'client'
	option enabled 'false'

config allowed_client 'client1'
	option id 'client1'
	option name 'Client1'
	option ip '10.8.0.2'
	option remote 'WANIP'
	option prefer_vpngateway '0'
	option enabled 'true'

Re: VPN - Client cannot access hosts lan

Posted: Fri Sep 27, 2019 12:57 pm
by RomanHK
:D The two lines belong only in the "zone" section. They do not belong in "forwarding"; there they have no effect, and it is wrong ;).
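
An added example, not part of the thread and not Gargoyle's or OpenWrt's own code: a POSIX sh/awk lint that reports every masq and mtu_fix option in a /etc/config/firewall together with the section it sits in, flagging the ones in forwarding sections that fw3 ignores (the mistake in the config posted above), next to a corrected layout with the options in zone sections only, as the first reply in this thread describes. The function names and the two sample configs are constructed for this example; the samples mirror the posted vpn zone and forwardings rather than copying the whole file.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from Gargoyle/OpenWrt.
# A small lint for an OpenWrt/Gargoyle /etc/config/firewall: it reports every
# 'masq' and 'mtu_fix' option together with the section it sits in. fw3 only
# honours these two options inside 'config zone' sections; inside a
# 'config forwarding' section they are silently ignored, which is the problem
# with the config posted above. Function names and the two sample configs
# below are constructed for this example.

# Read a UCI firewall config on stdin and print one line per masq/mtu_fix:
#   <section type> <section name> <option> <verdict>
lint_masq() {
    awk '
        # "config <type> [name]" starts a new section; strip quotes around the name.
        $1 == "config" {
            type = $2
            name = $3
            gsub("\047", "", name)
            next
        }
        # Zones are usually anonymous sections; use their "option name" as the label.
        $1 == "option" && $2 == "name" && type == "zone" {
            name = $3
            gsub("\047", "", name)
            next
        }
        $1 == "option" && ($2 == "masq" || $2 == "mtu_fix") {
            if (type == "zone")
                print type, name, $2, "ok"
            else
                print type, name, $2, "IGNORED (only honoured in a zone section)"
        }
    '
}

# Number of misplaced options as a plain integer (0 when the config is clean).
count_ignored() {
    lint_masq | awk '/IGNORED/ { n++ } END { print n + 0 }'
}

# Constructed sample mirroring the posted config: masq/mtu_fix copied into
# forwarding sections, where fw3 does nothing with them.
posted_config() {
    cat <<'EOF'
config zone 'vpn_zone'
    option name 'vpn'
    option device 'tun0'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option mtu_fix '1'
    option masq '1'

config forwarding 'lan_vpn_forwarding'
    option src 'vpn'
    option dest 'lan'
    option masq '1'
    option mtu_fix '1'

config forwarding 'vpn_wan_forwarding'
    option src 'vpn'
    option dest 'wan'
    option masq '1'
    option mtu_fix '1'
EOF
}

# Constructed corrected layout: the options live only in zone sections.
# masq acts on traffic leaving through a zone's interfaces, so to make VPN
# clients appear to LAN hosts as the router's own LAN address it goes on the
# lan zone; on the vpn zone it would instead rewrite LAN-to-VPN traffic.
corrected_config() {
    cat <<'EOF'
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option masq '1'

config zone 'vpn_zone'
    option name 'vpn'
    option device 'tun0'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option mtu_fix '1'

config forwarding 'vpn_lan_forwarding'
    option src 'vpn'
    option dest 'lan'

config forwarding 'lan_vpn_forwarding'
    option src 'lan'
    option dest 'vpn'
EOF
}

# Run the lint over both samples; on a router use: lint_masq < /etc/config/firewall
posted_config | lint_masq
echo "misplaced options in posted config: $(posted_config | count_ignored)"
corrected_config | lint_masq
echo "misplaced options in corrected config: $(corrected_config | count_ignored)"
```

On the router itself the same placement can be done with uci instead of editing the file by hand: `uci show firewall` lists the sections with their indices (in the posted file the lan zone is `firewall.@zone[0]`), `uci set firewall.@zone[0].masq='1'` followed by `uci commit firewall` and `/etc/init.d/firewall restart` applies it, and `iptables -t nat -S | grep MASQUERADE` shows one MASQUERADE rule per masquerading zone afterwards. Keep in mind that masquerading rewrites the source address, so LAN-side logs will then record the router's address rather than the VPN client's 10.8.0.x address.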

Re: VPN - Client cannot access hosts lan

Posted: Fri Sep 27, 2019 1:50 pm
by RomanHK
Maybe this documentation will help you:
https://openwrt.org/docs/guide-user/fir ... masquerade
https://openwrt.org/docs/guide-user/fir ... tion#zones

I recommend trying it on OpenWrt via LuCI and then copying the configuration to Gargoyle; I have nothing better.

Re: VPN - Client cannot access hosts lan

Posted: Fri Sep 27, 2019 3:40 pm
by coolman
Thanks Roman, I will try it and try to understand how it works. :geek:

Re: VPN - Client cannot access hosts lan

Posted: Sat Oct 12, 2019 1:29 am
by Forger38
I've tried that and it works, thanks!