Hello folks,
after my old Asus router with Merlin-WRT, I now bought a Turris Omnia AX Wifi.
I am totally satisfied with this great device. Thumbs up already.
Unfortunately, I’m currently facing a problem where I’m absolutely stuck and haven’t found a solution anywhere.
In my network I have a mini computer running a Nextcloud and a Jitsi Meet.
I have released the corresponding ports. I also have a VPN account with VyprVPN and have configured the TO as a VPN client. Furthermore, the TO also runs as a VPN server to connect to my home network from outside.
Unfortunately, everything together does not work properly.
If the VPN client and the VPN server are running and I can reach my internal server from outside, the TO has no internet. So no update and no ddns works.
I’ll write my relevant configurations below, maybe someone can help me.
192.168.111.2 → my Raspberry Pi4 with Pihole as DNS server
192.168.111.10 → my Server with nextcloud and jitsi meet
192.168.111.1 → my Router Turris Omnia with T-Online Internet and DynDNS
Thanks for any help…
cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'xxxxxxxxxx'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.111.1'
list dns '192.168.111.2'
config interface 'wan'
option proto 'pppoe'
option username 'myaccount@t-online.de'
option password 'mypasswd'
option ipv6 '1'
option device 'eth2.7'
list dns '208.67.222.222'
list dns '208.67.220.220'
option peerdns '0'
config device 'br_lan'
option name 'br-lan'
option type 'bridge'
list ports 'lan0'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config device 'dev_wan'
option name 'eth2'
config device
option vid '7'
option type '8021q'
option name 'eth2.7'
option ifname 'eth2'
config interface 'vpnserver'
option enabled '1'
option proto 'none'
option device 'tun0'
option ifname 'vpnGermany'
option auto '1'
config device
option mtu6 '1500'
option txqueuelen '500'
option name 'tun0'
option mtu '1500'
config device
option name 'pppoe-wan'
option ipv6 '0'
config interface 'vpnclient'
option proto 'none'
option device 'vpnGermany'
cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option drop_invalid '1'
option flow_offloading '1'
option flow_offloading_hw '1'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config redirect
option dest_port '80'
option src 'wan'
option name 'certbot-auf-cube'
option src_dport '80'
option dest 'lan'
option dest_ip '192.168.111.10'
option target 'DNAT'
config redirect
option dest_port '443'
option src 'wan'
option name 'jitsi'
option src_dport '443'
option dest 'lan'
option dest_ip '192.168.111.10'
option target 'DNAT'
config include 'bcp38'
option type 'script'
option path '/usr/lib/bcp38/run.sh'
option family 'IPv4'
option reload '1'
config zone 'vpnclient'
option name 'vpnclient'
option network 'vpnclient'
option input 'REJECT'
option output 'REJECT'
option forward 'ACCEPT'
option masq '1'
option mtu_fix '1'
list device 'vpnGermany'
config forwarding 'vpnclient_forward'
option src 'lan'
option dest 'vpnclient'
config zone 'vpnserver'
option enabled '1'
option name 'vpnserver'
option network 'vpnserver'
option input 'ACCEPT'
option forward 'REJECT'
option output 'ACCEPT'
option masq '1'
config forwarding 'vpnserver_forward_wan_out'
option enabled '1'
option src 'vpnserver'
option dest 'wan'
config forwarding 'vpnserver_forward_lan_in'
option enabled '1'
option src 'vpnserver'
option dest 'lan'
config forwarding
option src 'vpnserver'
option dest 'vpnclient'
config rule 'vpnserver_rule'
option name 'vpnserver_rule'
option target 'ACCEPT'
option proto 'tcp'
option src '*'
option dest_port '1194'
config forwarding 'vpnserver_forward_lan_out'
option enabled '1'
option src 'lan'
option dest 'vpnserver'
config forwarding
option dest 'wan'
option src 'lan'
cat /etc/config/vpn-policy-routing
config vpn-policy-routing 'config'
option verbosity '2'
option strict_enforcement '1'
option src_ipset '0'
option dest_ipset '0'
option resolver_ipset 'dnsmasq.ipset'
option ipv6_enabled '0'
list ignored_interface 'vpnserver wgserver'
option boot_timeout '30'
option iptables_rule_option 'append'
option procd_reload_delay '1'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list webui_supported_protocol 'all'
list supported_interface 'vpnGermany'
option enabled '1'
option webui_protocol_column '1'
option webui_chain_column '1'
option webui_show_ignore_target '1'
option webui_sorting '0'
option webui_enable_column '1'
config policy
option name 'Cube Local'
option interface 'wan'
option src_addr '192.168.111.10'
option src_port '80 443'
config policy
option name 'Cube Remote'
option interface 'wan'
option dest_addr 'ddns-address'
config policy
option name 'VPN-Server'
option interface 'wan'
option proto 'tcp'
option src_port '1194'
option chain 'OUTPUT'
and finally the firewall rules for accessibility for my server from my own network or from the Android phone via VPN from outside.
iptables -t nat -A prerouting_rule -d dyndns-address -p tcp --dport 80 -j DNAT --to 192.168.111.10
iptables -A forwarding_rule -p tcp --dport 80 -d 192.168.111.10 -j ACCEPT
iptables -t nat -A postrouting_rule -s 192.168.111.0/24 -p tcp --dport 80 -d 192.168.111.10 -j MASQUERADE
iptables -t nat -A prerouting_rule -d dyndns-address -p tcp --dport 443 -j DNAT --to 192.168.111.10
iptables -A forwarding_rule -p tcp --dport 443 -d 192.168.111.10 -j ACCEPT
iptables -t nat -A postrouting_rule -s 192.168.111.0/24 -p tcp --dport 443 -d 192.168.111.10 -j MASQUERADE