Router Netgear R7800, openfortivpn & iptables, how do i share VPN connection on my LAN

HUHA (New Member, joined Apr 17, 2021)
Hello.
I hope I can find some pointers or a solution here.
From home I have to connect to work via VPN; I have a Fortinet VPN. At present I connect from my laptop, Windows 10, with FortiClient.


From the router I can connect to my VPN at work and connect to my server via telnet, but how can I share that connection with my LAN machines?




I have a Netgear R7800 router with Voxel firmware version V1.0.2.83SF, and with opkg I installed openfortivpn 1.15.0-1.

root@Router:~$ uname -a
Linux Router 3.4.103 #1 SMP Fri Mar 12 13:53:38 UTC 2021 armv7l IPQ8065


I configured openfortivpn on my router with IP, port, username and password; it connects to the VPN server at work, creating a new interface, ppp1.

Before I connect, this is the routing table on the router:


root@Router:~$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.0.0.1 0.0.0.0 UG 0 0 0 ppp0
10.0.0.1 * 255.255.255.255 UH 0 0 0 ppp0
192.168.2.0 * 255.255.255.0 U 0 0 0 br0
239.0.0.0 * 255.0.0.0 U 0 0 0 br0


When I start the openfortivpn connection I get this information from the debug output:

INFO: Negotiation complete.
DEBUG: pppd ---> gateway (6 bytes)
local IP address 10.212.134.17
remote IP address 192.0.2.1

DEBUG: Got Address: 10.212.134.17
DEBUG: Interface Name: ppp0
DEBUG: Interface Addr: 79.XXX.XXX.205
DEBUG: Interface Name: ppp1
DEBUG: Interface Addr: 10.212.134.17
INFO: Interface ppp1 is UP.
INFO: Setting new routes...
DEBUG: ip route show to 0.0.0.0/0.0.0.0 dev !ppp1
DEBUG: ip route show to 109.XXX.XXX.186/255.255.255.255 dev ppp1
DEBUG: Route not found.
DEBUG: ip route show to 109.XXX.XXX.186/255.255.255.255 dev !ppp1
DEBUG: Setting route to vpn server...
DEBUG: ip route show to 109.XXX.XXX.186/255.255.255.255 via 10.0.0.1 dev ppp0
DEBUG: ip route add to 109.XXX.XXX.186/255.255.255.255 via 10.0.0.1 dev ppp0
DEBUG: ip route add to 10.237.42.0/255.255.255.0 dev ppp1
DEBUG: ip route add to 10.56.4.0/255.255.255.0 dev ppp1
DEBUG: ip route add to 10.56.5.0/255.255.255.0 dev ppp1
DEBUG: ip route add to 10.141.141.0/255.255.255.0 dev ppp1
INFO: Tunnel is up and running.

After connecting, the routing table looks like this:

root@Router:~$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.0.0.1 0.0.0.0 UG 0 0 0 ppp0
10.0.0.1 * 255.255.255.255 UH 0 0 0 ppp0
10.56.4.0 * 255.255.255.0 U 0 0 0 ppp1
10.56.5.0 * 255.255.255.0 U 0 0 0 ppp1
10.141.141.0 * 255.255.255.0 U 0 0 0 ppp1
10.237.42.0 * 255.255.255.0 U 0 0 0 ppp1
109.XXX.XXX.186 10.0.0.1 255.255.255.255 UGH 0 0 0 ppp0
192.0.2.1 * 255.255.255.255 UH 0 0 0 ppp1
192.168.2.0 * 255.255.255.0 U 0 0 0 br0
239.0.0.0 * 255.0.0.0 U 0 0 0 br0


Now I get no reply when pinging an IP at work, 10.56.4.254:

root@Router:~$ ping 10.56.4.254
PING 10.56.4.254 (10.56.4.254): 56 data bytes
^C
--- 10.56.4.254 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

but in the debug window I see this:

DEBUG: pppd ---> gateway (86 bytes)
DEBUG: gateway ---> pppd (86 bytes)
DEBUG: pppd ---> gateway (114 bytes)
DEBUG: pppd ---> gateway (86 bytes)
DEBUG: gateway ---> pppd (86 bytes)
DEBUG: pppd ---> gateway (114 bytes)
DEBUG: pppd ---> gateway (86 bytes)
DEBUG: gateway ---> pppd (86 bytes)
DEBUG: pppd ---> gateway (114 bytes)
DEBUG: pppd ---> gateway (86 bytes)
DEBUG: gateway ---> pppd (86 bytes)
DEBUG: pppd ---> gateway (114 bytes)
DEBUG: pppd ---> gateway (86 bytes)
DEBUG: gateway ---> pppd (86 bytes)
DEBUG: pppd ---> gateway (114 bytes)
DEBUG: pppd ---> gateway (86 bytes)
DEBUG: gateway ---> pppd (86 bytes)
DEBUG: pppd ---> gateway (114 bytes)



If I enter this command
iptables -I INPUT -i ppp1 -j ACCEPT
the replies start to work:


root@Router:~$ ping 10.56.4.254
PING 10.56.4.254 (10.56.4.254): 56 data bytes
64 bytes from 10.56.4.254: icmp_seq=0 ttl=255 time=56.7 ms
64 bytes from 10.56.4.254: icmp_seq=1 ttl=255 time=56.3 ms
^C
--- 10.56.4.254 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 56.3/56.5/56.7 ms


but I cannot use telnet:

root@Router:~$ telnet 10.56.4.254 8443
telnet: cannot connect to remote host (10.56.4.254): Connection refused


If I enter

iptables -I OUTPUT -o ppp1 -j ACCEPT

then telnet is working:

root@Router:~$ telnet 10.56.4.254 8443

Connection closed by foreign host.


And from the router I can connect via telnet and work.





I found out about tcpdump. I run it on the router: tcpdump -i ppp1

After I start openfortivpn (interface ppp1, IP 10.212.134.17), I try a ping to 10.56.4.21 from the router:

20:33:07.375390 IP 10.212.134.17 > 10.56.4.21: ICMP echo request, id 39201, seq 0, length 64
20:33:07.440994 IP 10.56.4.21 > 10.212.134.17: ICMP echo reply, id 39201, seq 0, length 64
20:33:07.441057 IP 10.212.134.17 > 10.56.4.21: ICMP 10.212.134.17 protocol 1 port 34855 unreachable, length 92
20:33:08.375889 IP 10.212.134.17 > 10.56.4.21: ICMP echo request, id 39201, seq 1, length 64
20:33:08.440401 IP 10.56.4.21 > 10.212.134.17: ICMP echo reply, id 39201, seq 1, length 64
20:33:08.440463 IP 10.212.134.17 > 10.56.4.21: ICMP 10.212.134.17 protocol 1 port 2353 unreachable, length 92


I run
iptables -I INPUT -i ppp1 -j ACCEPT
iptables -I OUTPUT -o ppp1 -j ACCEPT

and ping 10.56.4.21 again, and I get a reply:

20:34:55.709754 IP 10.212.134.17 > 10.56.4.21: ICMP echo request, id 15139, seq 0, length 64
20:34:55.775421 IP 10.56.4.21 > 10.212.134.17: ICMP echo reply, id 15139, seq 0, length 64
20:34:56.710254 IP 10.212.134.17 > 10.56.4.21: ICMP echo request, id 15139, seq 1, length 64
20:34:56.775015 IP 10.56.4.21 > 10.212.134.17: ICMP echo reply, id 15139, seq 1, length 64


Now I try a ping to 10.56.4.21 from the LAN laptop (192.168.2.51) and get no reply:

20:36:39.149710 IP 192.168.2.51 > 10.56.4.21: ICMP echo request, id 1, seq 13940, length 40
20:36:44.094915 IP 192.168.2.51 > 10.56.4.21: ICMP echo request, id 1, seq 13946, length 40

I run this on the router
iptables -t nat -A POSTROUTING -o ppp1 -j MASQUERADE
to change the original packets' LAN source, 192.168.2.51, to the ppp1 interface IP, 10.212.134.17,


and ping 10.56.4.21 again from the laptop 192.168.2.51; the result is

20:39:00.605630 IP 10.212.134.17 > 10.56.4.21: ICMP echo request, id 1, seq 14086, length 40
20:39:00.670422 IP 10.56.4.21 > 10.212.134.17: ICMP echo reply, id 1, seq 14086, length 40
20:39:00.670516 IP 10.212.134.17 > 10.56.4.21: ICMP 10.212.134.17 protocol 1 port 7765 unreachable, length 68
20:39:05.609004 IP 10.212.134.17 > 10.56.4.21: ICMP echo request, id 1, seq 14092, length 40
20:39:05.674484 IP 10.56.4.21 > 10.212.134.17: ICMP echo reply, id 1, seq 14092, length 40
20:39:05.674546 IP 10.212.134.17 > 10.56.4.21: ICMP 10.212.134.17 protocol 1 port 7759 unreachable, length 68


I see that I send a ping to 10.56.4.21 and it replies back to 10.212.134.17, but on the 3rd line I get this:
20:39:00.670516 IP 10.212.134.17 > 10.56.4.21: ICMP 10.212.134.17 protocol 1 port 7765 unreachable, length 68

How can I instruct the router to direct the reply back to my LAN laptop, 192.168.2.51, which is the source of the ping?



If you need other information, I can provide it.
Can you help me with some hints or a solution?

Thank you
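To turn the three tcpdump captures above into something a script can check, here is an added example (mine, not from the post or from openfortivpn): an awk classifier that reads a "tcpdump -i ppp1" capture taken on the router and reports which state it is in: requests leaving with the LAN's private source address (no SNAT yet), replies arriving and being bounced by the router with ICMP unreachable, or replies delivered. The router address 10.212.134.17 and the 192.168.2.0/24 LAN are the ones in the post; the sample captures are constructed to match its output, and the "check ..." hints in the verdicts are my suggestions, not causes the thread confirms.

```shell
#!/bin/sh
# Added example (not from the post): classify a "tcpdump -i ppp1" capture from
# the router into one of the states seen in the thread.
# Addresses below are the ones in the post; sample captures are constructed.

ROUTER_IP="10.212.134.17"   # address of ppp1 (from the post)
LAN_PREFIX="192.168.2."     # br0 subnet (from the post)

# classify_capture: read tcpdump lines on stdin, print a one-line verdict.
# tcpdump fields: $1 time, $2 "IP", $3 src, $4 ">", $5 "dst:", $6 "ICMP", ...
classify_capture() {
    awk -v rtr="$ROUTER_IP" -v lan="$LAN_PREFIX" '
    /ICMP echo request/ {
        # a private LAN source seen on ppp1 means the packet left without SNAT
        if (index($3, lan) == 1) unnat++; else req++
    }
    /ICMP echo reply/ { reply++; last_reply = NR }
    # "ICMP <router> protocol 1 port N unreachable" right after a reply: the
    # router received the reply and bounced it instead of delivering it
    /protocol 1 port [0-9]+ unreachable/ && $3 == rtr && NR == last_reply + 1 { bounced++ }
    END {
        if (unnat > 0)        print "NO-SNAT: " unnat " request(s) left ppp1 with a LAN source; add MASQUERADE on ppp1"
        else if (bounced > 0) print "REPLY-REJECTED: " bounced " reply(s) reached the router but were answered with ICMP unreachable; check INPUT/FORWARD rules and conntrack on ppp1"
        else if (reply > 0)   print "OK: " reply " reply(s) delivered, none rejected"
        else                  print "NO-REPLY: " req " request(s) sent, nothing came back"
    }'
}

# verdict_code: only the label before the colon, handy for scripting.
verdict_code() { classify_capture | cut -d: -f1; }

# Constructed samples, shaped like the three captures in the post.
sample_lan_no_snat() { cat <<'EOF'
20:36:39.149710 IP 192.168.2.51 > 10.56.4.21: ICMP echo request, id 1, seq 13940, length 40
20:36:44.094915 IP 192.168.2.51 > 10.56.4.21: ICMP echo request, id 1, seq 13946, length 40
EOF
}
sample_reply_rejected() { cat <<'EOF'
20:39:00.605630 IP 10.212.134.17 > 10.56.4.21: ICMP echo request, id 1, seq 14086, length 40
20:39:00.670422 IP 10.56.4.21 > 10.212.134.17: ICMP echo reply, id 1, seq 14086, length 40
20:39:00.670516 IP 10.212.134.17 > 10.56.4.21: ICMP 10.212.134.17 protocol 1 port 7765 unreachable, length 68
EOF
}
sample_ok() { cat <<'EOF'
20:34:55.709754 IP 10.212.134.17 > 10.56.4.21: ICMP echo request, id 15139, seq 0, length 64
20:34:55.775421 IP 10.56.4.21 > 10.212.134.17: ICMP echo reply, id 15139, seq 0, length 64
EOF
}

# Stand-alone demo: classify each constructed sample.
for s in sample_lan_no_snat sample_reply_rejected sample_ok; do
    printf '%s -> ' "$s"; $s | classify_capture
done
```

On the router itself the capture would be piped in live, for example "tcpdump -i ppp1 -n -l icmp | classify_capture" while a ping runs from the laptop; -n keeps the addresses numeric so the field positions match.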
 


If you can connect from your router as a client to your VPN provider, it should work for the rest of your LAN because your router is the gateway for the rest of the LAN. The router firmware I use supports it, but I don't use it; see screenshot.
 

Attachments

  • 2021-04-18_01_18_25.jpg (40.6 KB)
In my router menu I have a configuration page for OpenVPN, and I suppose it works for the rest of my LAN machines. But openfortivpn I installed via opkg (Entware), and it does not have a page in my router menu; I started it with a command line via SSH. After the connection I still have to add 2 lines to be able to work from the router:
iptables -I INPUT -i ppp1 -j ACCEPT
iptables -I OUTPUT -o ppp1 -j ACCEPT
After these 2 lines, everything is OK from the router, but not from the LAN.




I am still looking at how to share this ppp1 connection with the LAN machines, and I think it is something with iptables.


Anyone?
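As an added example (mine, not from the thread, the firmware or openfortivpn), here is the rule set I would put on the router to route the br0 LAN through ppp1. The interface names and the 192.168.2.0/24 subnet are taken from the posts above; everything else is my choice: a state-matched INPUT rule instead of the blanket "-i ppp1 -j ACCEPT", a FORWARD pair that lets the LAN out and only return traffic back in, MASQUERADE limited to the LAN subnet, and an idempotency check with "iptables -C", which assumes iptables 1.4.11 or newer. The script prints the rules by default and only applies them when run with the apply argument, so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the post): share the openfortivpn tunnel on ppp1 with
# the br0 LAN. Interface names and the LAN subnet are the ones in the post and
# can be overridden with LAN_IF / VPN_IF / LAN_NET. Run on the router as root.

# vpn_share_rules: print the rule set, one "table chain rule-spec" per line.
# Nothing is applied here, so the output can be reviewed (or diffed) first.
vpn_share_rules() {
    lan="${LAN_IF:-br0}"; vpn="${VPN_IF:-ppp1}"; net="${LAN_NET:-192.168.2.0/24}"
    cat <<EOF
filter INPUT -i $vpn -m state --state ESTABLISHED,RELATED -j ACCEPT
filter OUTPUT -o $vpn -j ACCEPT
filter FORWARD -i $lan -o $vpn -s $net -j ACCEPT
filter FORWARD -i $vpn -o $lan -d $net -m state --state ESTABLISHED,RELATED -j ACCEPT
nat POSTROUTING -o $vpn -s $net -j MASQUERADE
EOF
}
# INPUT: the router only accepts replies to traffic it started itself.
# FORWARD: LAN hosts may start connections into the tunnel; the VPN side only
#          gets return traffic back to the LAN, nothing it initiates.
# POSTROUTING: LAN sources are rewritten to the ppp1 address, so the work side
#          answers to 10.212.134.17 and conntrack maps the reply back.

# apply_vpn_share_rules: insert each rule at the top of its chain (ahead of the
# firmware's own rules) unless it is already present. "-C" needs iptables
# 1.4.11 or newer (assumed). $spec is intentionally unquoted so it word-splits.
apply_vpn_share_rules() {
    vpn_share_rules | while read -r table chain spec; do
        if ! iptables -t "$table" -C "$chain" $spec 2>/dev/null; then
            iptables -t "$table" -I "$chain" $spec
        fi
    done
}

# forwarding_enabled: the kernel must route between br0 and ppp1 at all.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

case "${1:-show}" in
    show)  vpn_share_rules ;;
    apply)
        forwarding_enabled || echo 1 > /proc/sys/net/ipv4/ip_forward
        apply_vpn_share_rules
        # If replies still bounce afterwards, check that nothing in the raw
        # table marks ppp traffic NOTRACK (state matching needs conntrack):
        #   iptables -t raw -L -n
        ;;
    *) echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Limiting -s to the LAN subnet (or tighter, to a single host such as the laptop) keeps the rest of the LAN from reaching the work network through the tunnel, and the ESTABLISHED,RELATED matches mean nothing on the VPN side can initiate connections to the router or the LAN. Since openfortivpn brings ppp1 up fresh each time, the script is written to be safe to re-run after every connect.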
 
