Ysurac / openmptcprouter

OpenMPTCProuter is an open source solution to aggregate multiple internet connections using Multipath TCP (MPTCP) on OpenWrt
https://www.openmptcprouter.com/
GNU General Public License v3.0

DMZ or Help with NAT for public IPs #3481

Open JshGrn opened 1 month ago

JshGrn commented 1 month ago

Expected Behavior

I want all traffic that comes to my VPS to be routed to a specific IP address, bypassing NAT on the router. For example, anything that comes into my VPS 123.123.123.123 I want routed to 192.168.80.100. I do not want NAT at all here if possible.

Current Behavior

I add a port forward for 192.168.80.100 and the port does not show open until I add a NAT rule. When I add a NAT rule, the server I am using sees all public traffic as 192.168.80.1. I tried SNAT and MASQUERADE, and I also tried changing Loopback to external IP, with no success.

I actually don't really need the router features at all; I literally just need the VPS to forward all traffic to an IP within my network. My current setup is a Mikrotik handling 3 WANs. I have a VLAN interface which the OpenMPTCPRouter serves as its LAN, and 2 other VLAN interfaces which are WAN1 and WAN2. Everything else is handled within the network.

Is it possible to do this? If not, how can I make it so that the public IP is visible to my service rather than the router gateway IP?

Specifications

Ysurac commented 1 month ago

If you check on VPS, routes to the local network should be available. You can add a rule to use them in /etc/shorewall/rules on the VPS.

JshGrn commented 1 month ago

Is adding them on the router not doing this?

JshGrn commented 1 month ago

Looking on the VPS, when I run route I see:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         vpsgatewayip 0.0.0.0         UG    0      0        0 enp1s0
10.255.246.0    0.0.0.0         255.255.255.0   U     0      0        0 client-wg0
10.255.247.0    0.0.0.0         255.255.255.0   U     0      0        0 wg0
10.255.248.0    0.0.0.0         255.255.255.0   U     0      0        0 omr-bonding
10.255.248.2    0.0.0.0         255.255.255.255 UH    0      0        0 omr-bonding
10.255.250.0    0.0.0.0         255.255.255.0   U     0      0        0 tun1
10.255.251.2    0.0.0.0         255.255.255.255 UH    0      0        0 dsvpn0
10.255.252.0    0.0.0.0         255.255.255.0   U     0      0        0 tun0
10.255.253.0    0.0.0.0         255.255.255.0   U     0      0        0 mlvpn0
10.255.254.0    0.0.0.0         255.255.255.252 U     0      0        0 gt-udp-tun0
10.255.255.0    0.0.0.0         255.255.255.252 U     0      0        0 gt-tun0
45.77.228.0     0.0.0.0         255.255.254.0   U     0      0        0 enp1s0
169.254.169.254 vpsgatewayip     255.255.255.255 UGH   0      0        0 enp1s0
192.168.80.0    10.255.252.2    255.255.255.0   UG    0      0        0 tun0

So the route to 192.168.80.0 should be using the gateway, but I cannot ping the service at 192.168.80.162 nor can I curl it.

Ysurac commented 1 month ago

You should be able to ping it from the VPS, as ping is open in the router firewall; you can't curl it as that is closed by the router firewall rules. You can accept all traffic from/to VPN in Network->Firewall.

JshGrn commented 1 month ago

I cannot ping it from the VPS. All traffic from/to VPN is enabled in Network -> Firewall.

root@vultr:~# ping 192.168.80.1
PING 192.168.80.1 (192.168.80.1) 56(84) bytes of data.
^C
--- 192.168.80.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

root@vultr:~# ping 192.168.80.162
PING 192.168.80.162 (192.168.80.162) 56(84) bytes of data.
^C
--- 192.168.80.162 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2024ms

I also have Redirects all ports from server to this router checked

JshGrn commented 1 month ago

@Ysurac Not really sure what I need to look at next to debug why I can't ping one of the devices connected to the router from the VPS?

Ysurac commented 1 month ago

What is the VPN used? From the IP, I would say it's OpenVPN TCP. What is the LAN IP of OpenMPTCProuter? What do you get when you run tcpdump -i tun0 icmp via SSH on OpenMPTCProuter while pinging the OpenMPTCProuter IP? Can you put a screenshot of the System->OpenMPTCProuter Status page?

JshGrn commented 1 month ago

What is the VPN used? From the IP, I would say it's OpenVPN TCP. What is the LAN IP of OpenMPTCProuter? What do you get when you run tcpdump -i tun0 icmp via SSH on OpenMPTCProuter while pinging the OpenMPTCProuter IP?

VPN = Standard config, OpenVPN
LAN IP of OMR = 192.168.80.1

Ping on VPS:

root@vultr:~# ping 192.168.80.1
PING 192.168.80.1 (192.168.80.1) 56(84) bytes of data.
^C
--- 192.168.80.1 ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 6145ms

TCPDump on Router:

root@OpenMPTCProuter:~# tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
18:56:21.952033 IP 10.255.252.2 > 10.255.252.1: ICMP echo request, id 28893, seq 1, length 64
18:56:21.967609 IP 10.255.252.1 > 10.255.252.2: ICMP echo reply, id 28893, seq 1, length 64
18:56:27.046759 IP 10.255.252.2 > 10.255.252.1: ICMP echo request, id 12355, seq 1, length 64
18:56:27.063779 IP 10.255.252.1 > 10.255.252.2: ICMP echo reply, id 12355, seq 1, length 64
18:56:32.144615 IP 10.255.252.2 > 10.255.252.1: ICMP echo request, id 51727, seq 1, length 64
18:56:32.161344 IP 10.255.252.1 > 10.255.252.2: ICMP echo reply, id 51727, seq 1, length 64
18:56:37.244890 IP 10.255.252.2 > 10.255.252.1: ICMP echo request, id 9785, seq 1, length 64
18:56:37.261097 IP 10.255.252.1 > 10.255.252.2: ICMP echo reply, id 9785, seq 1, length 64
18:56:42.342077 IP 10.255.252.2 > 10.255.252.1: ICMP echo request, id 62030, seq 1, length 64
18:56:42.357961 IP 10.255.252.1 > 10.255.252.2: ICMP echo reply, id 62030, seq 1, length 64

So, why isn't it responding.... hmm..

EDIT: Picture attached as requested

Ysurac commented 1 month ago

On tcpdump, it's only the ping from OMR to the VPS checking if the VPN is up or down. I tested and it seems that the direct route is not working correctly when OpenVPN is used. I will check that.
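
The capture above shows only requests from 10.255.252.2 (OMR's tunnel end) to 10.255.252.1 (the VPS), and nothing addressed to 192.168.80.1, which is why it is the OMR keepalive and not the VPS's ping. The following parser makes that reading mechanical; it is an added example, not part of the thread or of OpenMPTCProuter, and the sample lines are a constructed copy of the first four lines of the posted capture.

```python
import re
from collections import Counter

# Constructed sample: a copy of the first four ICMP lines posted in the thread.
SAMPLE_CAPTURE = """\
18:56:21.952033 IP 10.255.252.2 > 10.255.252.1: ICMP echo request, id 28893, seq 1, length 64
18:56:21.967609 IP 10.255.252.1 > 10.255.252.2: ICMP echo reply, id 28893, seq 1, length 64
18:56:27.046759 IP 10.255.252.2 > 10.255.252.1: ICMP echo request, id 12355, seq 1, length 64
18:56:27.063779 IP 10.255.252.1 > 10.255.252.2: ICMP echo reply, id 12355, seq 1, length 64
"""

# Matches the default tcpdump line format for ICMP echo on a raw-IP tun interface.
ICMP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp(capture):
    """Return one dict per ICMP echo line; lines that do not match are skipped."""
    packets = []
    for line in capture.splitlines():
        m = ICMP_LINE.match(line)
        if m:
            d = m.groupdict()
            d["id"], d["seq"] = int(d["id"]), int(d["seq"])
            packets.append(d)
    return packets


def flow_summary(packets):
    """Count (src, dst, kind) so a capture can be read at a glance."""
    return Counter((p["src"], p["dst"], p["kind"]) for p in packets)


def echo_requests_to(packets, dst):
    """Echo requests addressed to dst. A ping from the VPS to the OMR LAN IP
    would have to appear here on tun0 if the direct route were being used."""
    return [p for p in packets if p["kind"] == "request" and p["dst"] == dst]


def is_only_keepalive(packets, omr_tun_ip, vps_tun_ip):
    """True when every request is the tunnel-endpoint ping OMR sends to the VPS
    (each with seq 1 and a fresh id, i.e. a separate one-packet check)."""
    reqs = [p for p in packets if p["kind"] == "request"]
    return bool(reqs) and all(
        p["src"] == omr_tun_ip and p["dst"] == vps_tun_ip and p["seq"] == 1 for p in reqs
    )
```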

JshGrn commented 1 month ago

What is the reason OpenVPN is the default? I could change the VPN type, but I don't understand the tradeoffs between them. Where do I change it to another type, and what is next in the chain in terms of recommended VPNs?

Ysurac commented 1 month ago

As with the proxy, some VPNs work better for some usages. I modified the VPS script; OpenVPN should allow the route now.

To configure proxy or VPN, it's in System->OpenMPTCProuter, "wizard" tab and "advanced settings" checkbox.

JshGrn commented 1 month ago

What is the process to update VPS?

Ysurac commented 1 month ago

https://github.com/Ysurac/openmptcprouter/wiki/Snapshots

JshGrn commented 1 month ago

That page is not clear, and it looks like that's for the router?

Ysurac commented 1 month ago

Please...

JshGrn commented 1 month ago

Is that page the snapshots for the VPS? There are a lot of translation issues in the Wiki and instructions, including on the router, so it is sometimes difficult to understand specifically.

JshGrn commented 1 month ago

I updated the VPS, and the routing table is still the same; I am unable to ping the router or the client connected to the router from the VPS.

Ysurac commented 1 month ago

I fixed the script; it should be better.

JshGrn commented 1 month ago

I re-ran the script, no change.

Ysurac commented 1 month ago

Did you reboot after? What do you have in /etc/openvpn/ccd on the server?

JshGrn commented 1 month ago

root@vultr:/etc/openvpn/ccd# cat ipp_udp.txt 
openmptcprouter,10.255.252.2,
root@vultr:/etc/openvpn/ccd# cat ipp_tcp.txt 
openmptcprouter,10.255.252.2,
root@vultr:/etc/openvpn/ccd# cat openmptcprouter 
iroute 192.168.80.0/24 255.255.255.0
iroute 192.168.80.0/24 255.255.255.0
iroute 192.168.80.0/24 255.255.255.0
[the same iroute line is repeated 181 times in the file]

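
OpenVPN needs an iroute in the client's ccd file, in addition to the kernel route shown earlier, before the server will forward 192.168.80.0/24 into that client's tunnel; iroute takes "network [netmask]", and the file above combines a /24 suffix with a separate netmask and repeats the line many times (the regenerated file later in the thread drops the /24). The check below flags both defects and produces the single normalized line; it is an added example, not OpenMPTCProuter's own VPS script, and the sample is a constructed three-line copy of the posted file.

```python
from collections import Counter

# Constructed sample modelled on the ccd file posted in the thread (three of
# the many identical lines).
SAMPLE_CCD = """\
iroute 192.168.80.0/24 255.255.255.0
iroute 192.168.80.0/24 255.255.255.0
iroute 192.168.80.0/24 255.255.255.0
"""


def check_ccd(text):
    """Validate an OpenVPN client-config-dir file.

    Returns (problems, normalized_lines). Problems reported: an iroute whose
    network carries a CIDR suffix together with a separate netmask, an iroute
    with the wrong number of fields, and any line that appears more than once.
    normalized_lines is the deduplicated content with the stray CIDR suffix
    removed, i.e. the 'iroute network netmask' form.
    """
    problems = []
    seen = Counter()
    normalized = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        seen[line] += 1
        parts = line.split()
        if parts[0] == "iroute":
            if len(parts) not in (2, 3):
                problems.append(f"line {lineno}: iroute expects 'network [netmask]'")
                continue
            network = parts[1]
            if "/" in network and len(parts) == 3:
                problems.append(
                    f"line {lineno}: CIDR suffix on {network} combined with netmask {parts[2]}"
                )
                network = network.split("/", 1)[0]
            line = " ".join(["iroute", network] + parts[2:])
        if line not in normalized:
            normalized.append(line)
    for entry, count in seen.items():
        if count > 1:
            problems.append(f"'{entry}' appears {count} times")
    return problems, normalized
```
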
Ysurac commented 1 month ago

Can you do a rm /etc/openvpn/ccd/openmptcprouter?

JshGrn commented 4 weeks ago

The file recreated after a reboot without the /24:

iroute 192.168.80.0 255.255.255.0

Unable to ping 192.168.80.1 still.