ACCEPT vs DNAT (port forwarding) firewall rules

I try to configure my Firewall for SSH honeypot and OpenVPN using LuCi.

First, I’ll describe, what works:

  • For SSH honeypot I use the following DNAT rule configured in “Port Forwards” tab, which in /etc/config/firewall looks like this:

    config redirect
    option target 'DNAT’
    option src 'wan’
    option dest 'lan’
    option proto 'tcp’
    option src_dport '22’
    option dest_port '58732’
    option name ‘SSH honeypot’

  • For OpenVPN (Turris is an OpenVPN server) I use the following ACCEPT rule configured in “Traffic Rules” tab:

    config rule
    option target 'ACCEPT’
    option src 'wan’
    option proto 'udp’
    option dest_port '1194’
    option name 'Allow-OpenVPN’
    With this configuration the honeypot works as expected and an OpenVPN connection between an android client and the Turris can be established.

My question is why the firewall blocks packets sent by an OpenVPN client if I use for OpenVPN a variation of the above-mentioned DNAT rule (instead of the ACCEPT rule):

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '1194'
        option dest_port '1194'
        option name 'OpenVPN'

If I add option dest_ip '' to the DNAT rule (which is required according to the documentation), the client can send packets to Turris, but the Turris can’t send anything back. For the honeypot, I used an empty destination IP field, because it was recommended here.

For me, “openvpn” (OpenVPN server) and “python” (SSH honeypot) are both processes running on Turris,
listening on all interfaces (at least it is what a netstat showed me), communicating with devices in a WAN zone and I don’t know, why the forward rule works only for one of them.

Except for the rules mentioned earlier, I didn’t add anything else to the basic set of rules configured by default. If you need more data, I can provide a full configuration, but I still hope, that I just miss something very simple, so the full configuration won’t be necessary.

DNAT means translation to a different IP address and/or port number. In your third example, you are not changing either which makes no sense.

DNAT rule does not decide whether connection is allowed or not, that’s why you need a rule saying connection is accepted. The honeypots have such rules hidden somewhere in /etc/firewall.d/with_reload/99-ucollect-fake.fw.

If you add option dest_ip '' the connection would not get established probably because of stateless nature of UDP, where the source address of each datagram is not bound to a connection but is selected by outgoing interface instead. This asymmetry confuses many applications.

Thank you for a great and prompt answer. I’m glad that I wasn’t completely wrong.

Guys, do you have some hints/steps to check/follow ?

I manage sshd/honeypot working correctly. (ssh is now accessible via lan(22)/wan(forwarded-port)) So i tried to make similar stuff (on firewall) for openVPN. But still having UDPv4 link remote: [undef]

1194 opened on WAN for src=’*’ , i prepare similar port-fwd rule for vpn as i have for ssh. …also based on some guides i make my tun0 in vpn0 network which is in vpn zone … forwarding between lan/vpn vpn/lan was set-up (+additionally i added wan at some point) …so all seems to be prepared.

In best scenario/configs i recieve TLS auth/decrypt failed or/and TLS handshake failed for 60 sec …

Do i need to prepare something on firewall for TLS ? (i have multi-routed-client server setup, so TLS is mandatory=to-use, as i understand from openvpn articles).

So i make it working, here are my entries from configs which i have edit/add
, maybe it will help someone to set it up :slight_smile:

  • tls options were removed completely from client/server side …

  • no route, gw, dhcp explicit pushing/listing (using topology subnet , which should take care of some stuff automatically)

  • no need explicit port-forward (wan2lan/wan2vpn) for handling 1194

  • regen_sec (is now 5 to see if that is working, default is around 3600)

  • link_mtu i have to specify fix value, each time it was defined something 1541,1542,1548 and client was always 1542 (i seens some options to have initially 1300 when having network issues) …

  • opening port via uci based on howto-step:
    uci set firewall.Allow_OpenVPN_Inbound=rule
    uci set
    uci set firewall.Allow_OpenVPN_Inbound.src=* ### changed to — … src=wan (not to confuse zone forwarding)
    uci set firewall.Allow_OpenVPN_Inbound.proto=udp
    uci set firewall.Allow_OpenVPN_Inbound.dest_port=1194

    config openvpn 'my_openvpn_server’
    option keepalive '10 60’
    option server '’
    option port '1194’
    option dev_type 'tun’
    option ca '/etc/openvpn/certs/ca.crt’
    option dh '/etc/openvpn/certs/dh2048.pem’
    option cert '/etc/openvpn/certs/server.crt’
    option key '/etc/openvpn/certs/server.key’
    option proto 'udp’
    option fast_io '1’
    option persist_tun '1’
    option persist_key '1’
    option persist_local_ip '1’
    option mode 'server’
    option topology 'subnet’
    option tls_server '1’
    option tls_exit '1’
    option auth_nocache '1’
    option auth 'SHA1’
    option cipher 'BF-CBC’
    option log '/var/log/openvpn-server.log’
    option log_append '/var/log/openvpn-all.log’
    option enabled '1’
    option comp_lzo 'adaptive’
    option status '/etc/openvpn/openvpn.status 5’
    option verb '5’
    option dev 'tun0’
    option reneg_sec '5’
    option link_mtu '1500’
    option float ‘1’

win10 (openvpn 2.3.8)

dev tun
proto udp
remote ROUTER_PUB_IP 1194
comp-lzo adaptive
keepalive 10 60
verb 5
auth SHA1
cipher BF-CBC
remote-cert-eku "TLS Web Server Authentication"
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\client.crt"
key "C:\\Program Files\\OpenVPN\\config\\client.key"
resolv-retry infinite		


config zone
        option name 'vpn'
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'vpn'

config forwarding
        option dest 'wan'
        option src 'lan'

config forwarding
        option dest 'lan'
        option src 'vpn'

config forwarding
        option dest 'vpn'
        option src 'lan'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option dest_port '1194'
        option name 'Allow-OpenVPN-Inbound'


config interface 'vpn'
        option ifname 'tun0'
        option proto 'none'
        option auto '1'
        option delegate '0'

using some guides:

and most helpful one :
(just to check what must/can be used together … and what are the params… , too bad that luci-openvpn allows you tu put client specific options to server and vice-versa …)

Excellent guide and simple guide.