dndx / phantun

Transforms UDP stream into (fake) TCP streams that can go through Layer 3 & Layer 4 (NAPT) firewalls/NATs.
Apache License 2.0

Questions about the use of router openwrt #111

Closed thisdk closed 1 year ago

thisdk commented 1 year ago

First of all, thanks to the developers for developing such a great project. I encountered some problems when using

The server uses Arch Linux, and IP forwarding has been turned on.

The following is the configuration of phantun & WireGuard:

[Interface]
PrivateKey = Private key
Address = 10.10.128.1/32
ListenPort = 51820
MTU = 1380
DNS = 8.8.8.8
PreUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PreUp = iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 8686 -j DNAT --to-destination 10.10.188.2
PreUp = ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PreUp = ip6tables -t nat -A PREROUTING -p tcp -i eth0 --dport 8686 -j DNAT --to-destination fcc9::2
PreUp = RUST_LOG=info phantun -l 8686 -r 127.0.0.1:51820 --tun phantun --tun-local 10.10.188.1 --tun-peer 10.10.188.2 &> /var/log/phantun.log &
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 8686 -j DNAT --to-destination 10.10.188.2
PostDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = ip6tables -t nat -D PREROUTING -p tcp -i eth0 --dport 8686 -j DNAT --to-destination fcc9::2
PostDown = killall phantun || true

[Peer]
PublicKey = Public key
AllowedIPs = 10.10.128.2/32

I have verified that the above configuration works through another server; setting the agent through wget can also download the file smoothly.

Here comes the problem:

My OpenWrt version is 21.02, using iptables.

Because the router has many network interfaces (br-lan, eth0, pppoe-wan, wan),

and on my PPPoE dial-up connection the operator assigns an internal network IP, not a public IP,

the iptables statements I execute on the router are:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -t nat -A POSTROUTING -o eth0 -s 10.10.188.2 -j MASQUERADE

phantun --local 127.0.0.1:8686 --remote SERVER_IP:8686 --tun phantun --tun-local 10.10.188.1 --tun-peer 10.10.188.2

But phantun keeps reporting a timeout and is unable to connect.

I tried replacing the network interface in the iptables statement and still couldn't connect.

So how can I use it on the OpenWrt router, and how should I configure iptables?

dndx commented 1 year ago

You do not need both DNAT and SNAT for the client. The client uses SNAT, whereas the server uses DNAT.

Run tcpdump and capture what client sends out to determine where the handshake went wrong.
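An added example, not code from the phantun project or from either commenter: a small POSIX sh helper that derives the WAN egress interface from the default route instead of guessing between eth0 and pppoe-wan, then builds the client-side SNAT rule and the server-side DNAT rule in the split dndx describes, applying them idempotently. The tun peer 10.10.188.2 and port 8686 come from the issue; the interface names in the usage comments are assumptions.

```sh
#!/bin/sh
# Added example (not phantun's own code). Assumptions: tun peer 10.10.188.2 and
# TCP port 8686 as in the issue; interface names are illustrative.

# Extract the interface named after "dev" from one line of `ip -4 route show default`.
# PPPoE routes often look like "default dev pppoe-wan proto static" (no "via").
wan_iface_from_route() {
    set -- $1
    while [ $# -gt 1 ]; do
        if [ "$1" = "dev" ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# Client side: masquerade only the fake-TCP packets whose source is phantun's tun
# peer, on the interface that actually carries the default route.
phantun_client_rule() {
    # $1: WAN interface, $2: tun peer address
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$2" "$1"
}

# Server side: DNAT the listening TCP port to the tun peer so phantun receives it.
phantun_server_rule() {
    # $1: WAN interface, $2: listening TCP port, $3: tun peer address
    printf 'iptables -t nat -A PREROUTING -p tcp -i %s --dport %s -j DNAT --to-destination %s\n' "$1" "$2" "$3"
}

# Apply a rule only if it is not already present: -C checks, -A appends.
apply_once() {
    check=$(printf '%s' "$1" | sed 's/ -A / -C /')
    sh -c "$check" 2>/dev/null || sh -c "$1"
}

# Usage on the OpenWrt client (needs root): ./phantun-nat.sh apply 10.10.188.2
if [ "${1:-}" = "apply" ]; then
    wan=$(wan_iface_from_route "$(ip -4 route show default | head -n 1)") || exit 1
    apply_once "$(phantun_client_rule "$wan" "${2:-10.10.188.2}")"
fi
```

Comparing the printed rule against the one in the question shows immediately whether the router's egress interface is really eth0 or pppoe-wan.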

terrytw commented 1 year ago

Check this out: https://www.vinoca.org/openwrtpei-zhi-tou-ming-dai-li/ It worked for me.