VPN server behind Turris (L2TP/IPSEC)

Hi!
Does anyone know the correct settings to get a VPN server working behind Turris (not on Turris!)?
I have a Synology NAS in my LAN with a working VPN server (L2TP/IPsec). I would like to set Turris up to pass the VPN through to my Synology.
I set up port forwarding for ports 500, 1701 and 4500:
config rule
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option name 'VPN-500'
	option dest_ip '192.168.0.10'
	option family 'ipv4'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '1701'
	option name 'VPN-1701'
	option dest 'lan'
	option family 'ipv4'
	option dest_ip '192.168.0.10'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '4500'
	option name 'VPN-4500'
	option dest 'lan'
	option dest_ip '192.168.0.10'
	option family 'ipv4'

Also I tried rules like this one:
config rule
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option name 'VPN-500'
	option dest_ip '192.168.0.10'
	option family 'ipv4'

Can someone please help?
Radim

config rule is for firewall rules, not NAT. You should use config redirect instead.

See OpenWRT wiki for details.

Thanks for the answer.
I copied the wrong block, and you answered so fast :). I also had config redirect included in my settings:

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option src_dport '500'
	option dest_ip '192.168.0.10'
	option dest_port '500'
	option name 'VPN server 500'
	option proto 'udp'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option src_dport '4500'
	option dest_ip '192.168.0.10'
	option dest_port '4500'
	option name 'VPN server 4500'
	option proto 'udp'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option src_dport '1701'
	option dest_ip '192.168.0.10'
	option dest_port '1701'
	option name 'VPN server 1701'
	option proto 'udp'

…but no luck.

Hi Radim,

I have a VPN server on a Mac mini server at LAN address 192.168.22.100.
My Turris Omnia has lan address 192.168.22.1.

These are my firewall redirect settings (forwarding ports to my VPN server):

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option src_dport '500'
	option dest_ip '192.168.22.100'
	option dest_port '500'
	option name 'MacMiniServer VPN udp500'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option src_dport '1701'
	option dest_ip '192.168.22.100'
	option dest_port '1701'
	option name 'MacMiniServer VPN udp1701'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option src_dport '4500'
	option dest_ip '192.168.22.100'
	option dest_port '4500'
	option name 'MacMiniServer VPN udp4500'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '1723'
	option dest_ip '192.168.22.100'
	option dest_port '1723'
	option name 'MacMiniServer VPN tcp1723'

I just checked: I do have a VPN connection to my VPN server.

Hi marck48,
thank you for your settings. I set it up like you did, but I still cannot establish a VPN connection from the internet (from the LAN it works).
I read that iptables-mod-ipsec and kmod-ipt-ipsec should be installed. Did you install them?

I also tried to include these rules https://wiki.openwrt.org/doc/uci/firewall#ipsec_passthrough but it didn’t help.

Hi Radim,

The only thing I had to do in order to get the VPN up and running again, after taking the Omnia into use as my new router, was forwarding the ports udp500, udp1701, udp4500 and tcp1723 to the VPN server. I did this with the help of LuCI, under the tabs Network / Firewall / Port Forwards.

My VPN server also uses L2TP/IPsec. No messing with other rules or iptables.

p.s. I don’t see you forwarding port tcp1723 in your settings.

At least for PPTP VPN I also needed to allow the GRE protocol in the firewall:

config rule
	option target 'ACCEPT'
	option _name 'pptp'
	option src 'wan'
	option proto 'tcp'
	option dest_port '1723'

config rule
	option target 'ACCEPT'
	option _name 'gre'
	option src 'wan'
	option proto '47'

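The two technical points in this thread, that a `config rule` naming a LAN host does not forward anything (only `config redirect` with target DNAT does) and that a non-TCP/UDP protocol such as GRE needs its own accept rule on protocol 47, can be checked in code. The following is an added example, not code from the thread, from Turris or from fw3: it parses UCI firewall sections and applies a simplified model of fw3's order of evaluation (DNAT in PREROUTING first, then the WAN input chain) to constructed inbound packets. The router's public address 203.0.113.5 and the sample configs are made up, modelled on the stanzas posted above. The model deliberately ignores conntrack helpers, NAT reflection and zone policies other than the default WAN input policy, so it shows which stanza a packet matches, not everything the kernel does with it afterwards.

```python
# Added example (not code from the thread, Turris or fw3): a simplified model of
# how fw3 on OpenWrt/Turris treats an inbound WAN packet under the posted
# 'config redirect' and 'config rule' sections. It ignores conntrack helpers,
# NAT reflection and per-zone policies beyond the default WAN input policy.

PROTO_NUM = {"tcp": "6", "udp": "17", "gre": "47", "esp": "50", "ah": "51"}
ROUTER_WAN_IP = "203.0.113.5"  # constructed public address of the router


def parse_uci(text):
    """Parse UCI 'config <type>' sections with 'option key value' lines into dicts."""
    sections, cur = [], None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 2)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "config" and len(parts) >= 2:
            cur = {".type": parts[1]}
            sections.append(cur)
        elif parts[0] == "option" and cur is not None and len(parts) == 3:
            cur[parts[1]] = parts[2].strip().strip("'\"")
    return sections


def _protos(value):
    """'udp', '47', 'tcp udp', 'tcpudp' or 'all' -> set of protocol numbers (None = any)."""
    if value is None or value.lower() in ("all", "any"):
        return None
    return {PROTO_NUM.get(p, p) for p in value.lower().replace("tcpudp", "tcp udp").split()}


def _port_match(spec, port):
    """UCI port spec: one port, an 'a-b' range, or several of those separated by spaces."""
    if spec is None:
        return True
    if port is None:
        return False
    for item in spec.split():
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _matches(sec, proto, port, port_key):
    protos = _protos(sec.get("proto", "tcp udp"))  # fw3 default for both section types
    pnum = PROTO_NUM.get(proto.lower(), proto)
    return (protos is None or pnum in protos) and _port_match(sec.get(port_key), port)


def evaluate(sections, proto, dport=None):
    """Fate of an inbound WAN packet addressed to ROUTER_WAN_IP, as a (verdict, ...) tuple."""
    # PREROUTING: the first matching DNAT redirect rewrites the destination, and
    # fw3 itself adds the forwarding ACCEPT for that redirected traffic.
    for s in sections:
        if (s[".type"] == "redirect" and s.get("src") == "wan"
                and s.get("target", "DNAT").upper() == "DNAT"
                and _matches(s, proto, dport, "src_dport")):
            return ("dnat", s["dest_ip"], s.get("dest_port", s.get("src_dport")))
    # INPUT: nothing rewrote the destination, so the packet is for the router
    # itself. A 'config rule' with dest='lan' or a LAN dest_ip sits in the
    # forwarding path and never sees it: that is the problem in the first post.
    for s in sections:
        if s[".type"] != "rule" or s.get("src") != "wan" or s.get("dest"):
            continue
        if s.get("dest_ip") not in (None, ROUTER_WAN_IP):
            continue
        if _matches(s, proto, dport, "dest_port"):
            return (s.get("target", "DROP").lower(), s.get("name") or s.get("_name", ""))
    return ("reject", "default wan input policy")


def lint(sections):
    """Flag 'config rule' sections naming a LAN host: they may accept, they never DNAT."""
    return [f"{s.get('name', s.get('_name', '?'))}: 'config rule' with dest_ip does not "
            "forward to a LAN host; use 'config redirect' with target DNAT"
            for s in sections
            if s[".type"] == "rule" and s.get("dest_ip") not in (None, ROUTER_WAN_IP)]


def redirect_section(proto, port, ip):
    """Constructed UCI text for one DNAT redirect, shaped like those in the thread."""
    return (f"config redirect\n option target 'DNAT'\n option src 'wan'\n option dest 'lan'\n"
            f" option proto '{proto}'\n option src_dport '{port}'\n option dest_ip '{ip}'\n"
            f" option dest_port '{port}'\n option name 'VPN {proto}{port}'\n")


# Constructed sample inputs: the rule-only attempt from the first post, and a
# config with the four redirects plus the GRE accept rule from the later replies.
RULES_ONLY = ("config rule\n option src 'wan'\n option dest 'lan'\n option dest_port '500'\n"
              " option proto 'udp'\n option target 'ACCEPT'\n option name 'VPN-500'\n"
              " option dest_ip '192.168.0.10'\n")
GRE_RULE = ("config rule\n option target 'ACCEPT'\n option _name 'gre'\n"
            " option src 'wan'\n option proto '47'\n")
WORKING = "".join(redirect_section(p, n, "192.168.22.100")
                  for p, n in (("udp", 500), ("udp", 1701), ("udp", 4500), ("tcp", 1723))) + GRE_RULE

if __name__ == "__main__":
    for warning in lint(parse_uci(RULES_ONLY)):
        print("lint:", warning)
    for proto, port in (("udp", 500), ("udp", 4500), ("tcp", 1723), ("gre", None), ("esp", None)):
        print(f"{proto}/{port}: rules-only -> {evaluate(parse_uci(RULES_ONLY), proto, port)}"
              f" | redirects+gre -> {evaluate(parse_uci(WORKING), proto, port)}")
```

Run it as a script and the rule-only config from the first post is rejected for udp/500 and flagged by `lint`, while the redirect config forwards the three UDP ports and tcp/1723 to the LAN host and accepts GRE only because of the protocol-47 rule; ESP (protocol 50) still hits the default WAN policy, which is the kind of gap to look for when a tunnel behind NAT fails although all the UDP ports are forwarded.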

Have you figured this one out yet? I have the same problem: PPTP works fine, but L2TP/IPSec ends in error 809.

Hi Xeevis,
finally it works. I think the last advice from peci1 and "gre" did the trick. I just added the rule and restarted Turris.