I try to configure my Firewall for SSH honeypot and OpenVPN using LuCi.
First, I’ll describe what works:
For SSH honeypot I use the following DNAT rule configured in “Port Forwards” tab, which in /etc/config/firewall looks like this:
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '22'
option dest_port '58732'
option name 'SSH honeypot'
For OpenVPN (Turris is an OpenVPN server) I use the following ACCEPT rule configured in “Traffic Rules” tab:
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'udp'
option dest_port '1194'
option name 'Allow-OpenVPN'
With this configuration the honeypot works as expected and an OpenVPN connection between an android client and the Turris can be established.
My question is why the firewall blocks packets sent by an OpenVPN client if I use for OpenVPN a variation of the above-mentioned DNAT rule (instead of the ACCEPT rule):
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'udp'
option src_dport '1194'
option dest_port '1194'
option name 'OpenVPN'
If I add option dest_ip '192.168.0.1' to the DNAT rule (which is required according to the documentation), the client can send packets to Turris, but the Turris can’t send anything back. For the honeypot, I used an empty destination IP field, because it was recommended here.
For me, “openvpn” (OpenVPN server) and “python” (SSH honeypot) are both processes running on Turris, listening on all interfaces (at least that is what netstat showed me), communicating with devices in the WAN zone, and I don’t know why the forward rule works only for one of them.
Except for the rules mentioned earlier, I didn’t add anything else to the basic set of rules configured by default. If you need more data, I can provide the full configuration, but I still hope that I’m just missing something very simple, so the full configuration won’t be necessary.
DNAT means translation to a different IP address and/or port number. In your third example, you are not changing either which makes no sense.
A DNAT rule does not decide whether a connection is allowed or not; that’s why you need a rule saying the connection is accepted. The honeypots have such rules hidden somewhere in /etc/firewall.d/with_reload/99-ucollect-fake.fw.
If you add option dest_ip '192.168.0.1', the connection would probably not get established because of the stateless nature of UDP, where the source address of each datagram is not bound to a connection but is selected by the outgoing interface instead. This asymmetry confuses many applications.
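The two points in this reply (a DNAT that changes neither address nor port, and a DNAT that is not backed by an ACCEPT rule) as a small lint over the UCI text, written as an added example rather than code from the thread. It assumes the plain config/option layout shown above; the sample text is constructed from the question's OpenVPN rules.

```python
# Added example (not from the thread): lint UCI firewall sections for the two
# points in the reply above. SAMPLE_UCI is constructed from the question's rules.
from typing import Dict, List

SAMPLE_UCI = """
config redirect
option target 'DNAT'
option src 'wan'
option proto 'udp'
option src_dport '1194'
option dest_port '1194'
option name 'OpenVPN'
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'udp'
option dest_port '1194'
option name 'Allow-OpenVPN'
"""

def parse_uci(text: str) -> List[Dict[str, str]]:
    """Parse 'config <type>' / 'option <key> <value>' lines into one dict per section."""
    sections: List[Dict[str, str]] = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 2)
        if parts and parts[0] == "config" and len(parts) >= 2:
            sections.append({"_type": parts[1]})
        elif parts and parts[0] == "option" and len(parts) == 3 and sections:
            sections[-1][parts[1]] = parts[2].strip("'\"")
    return sections

def lint_firewall(text: str) -> List[str]:
    """Flag DNAT redirects that rewrite nothing and redirects with no ACCEPT rule."""
    sections = parse_uci(text)
    accepts = [s for s in sections if s.get("_type") == "rule" and s.get("target") == "ACCEPT"]
    findings = []
    for s in sections:
        if s.get("_type") != "redirect" or s.get("target") != "DNAT":
            continue
        name = s.get("name", "<unnamed>")
        # No dest_ip keeps the packet on the router; same port means DNAT changes nothing.
        if not s.get("dest_ip") and s.get("src_dport") == s.get("dest_port"):
            findings.append(f"{name}: DNAT changes neither address nor port")
        # DNAT alone does not allow traffic: look for an ACCEPT rule from the same zone
        # that covers the translated protocol/port.
        if not any(a.get("src") == s.get("src") and a.get("proto") == s.get("proto")
                   and a.get("dest_port") == s.get("dest_port") for a in accepts):
            findings.append(f"{name}: no ACCEPT rule for {s.get('proto')}/{s.get('dest_port')}")
    return findings
```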
Guys, do you have some hints/steps to check/follow?
I managed to get sshd/honeypot working correctly. (ssh is now accessible via lan(22)/wan(forwarded-port)) So I tried to make similar stuff (on the firewall) for OpenVPN. But I'm still getting UDPv4 link remote: [undef]
1194 opened on WAN for src='*', I prepared a similar port-fwd rule for vpn as I have for ssh. …also, based on some guides, I put my tun0 in the vpn0 network which is in the vpn zone … forwarding between lan/vpn and vpn/lan was set up (+additionally I added wan at some point) …so all seems to be prepared.
In the best scenario/configs I receive TLS auth/decrypt failed and/or TLS handshake failed for 60 sec …
Do I need to prepare something on the firewall for TLS? (I have a multi-routed-client server setup, so TLS is mandatory to use, as I understand from the OpenVPN articles).
So I made it work; here are my entries from the configs which I have edited/added, maybe it will help someone to set it up
TLS options were removed completely from the client/server side …
no route, gw, dhcp explicit pushing/listing (using topology subnet, which should take care of some stuff automatically)
no need for an explicit port-forward (wan2lan/wan2vpn) for handling 1194
regen_sec (is now 5 to see if that is working, default is around 3600)
link_mtu I have to specify as a fixed value; each time it was defined as something like 1541, 1542, 1548 and the client was always 1542 (I've seen some options to have initially 1300 when having network issues) …
opening the port via uci based on the howto step:
uci set firewall.Allow_OpenVPN_Inbound=rule
uci set firewall.Allow_OpenVPN_Inbound.target=ACCEPT
uci set firewall.Allow_OpenVPN_Inbound.src=* ### changed to — … src=wan (not to confuse zone forwarding)
uci set firewall.Allow_OpenVPN_Inbound.proto=udp
uci set firewall.Allow_OpenVPN_Inbound.dest_port=1194
and the most helpful one: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
(just to check what must/can be used together … and what the params are …, too bad that luci-openvpn allows you to put client-specific options on the server and vice versa …)