I am using GL-Mifi as an OpenVPN “road warrior” client to my pfSense-based OpenVPN server. It runs the latest “lede-mifi-2.271.bin” firmware. It recognized OpenVPN configuration exported by pfSense instantly. It is set to automatically connect the OpenVPN after boot.
The only issue I have is that while I can connect from behind GL-Mifi to any network device behind the pfSense OpenVPN server network in the office, I can only connect from the office to the GL-Mifi and not the devices behind it.
To fix this, I have to modify GL-Mifi’s firewall settings every time it is powered on, by adding “option input ACCEPT” and “option forward ACCEPT” to the VPN_client interface; also to add forward rules between LAN and VPN_client interface.
This makes it work, but the problem is that the firewall rule is lost after re-connect, reboot or power-off.
I need to always re-enter the rules manually.
Is there a way to make the rule survive reboots? Maybe alter the auto-generated rule when OpenVPN connects to automatically contain the forwarding options needed?
Because I need to see networks behind routers from both directions, not only from the GL-Mifi side. I need to see what’s behind GL-Mifi from the pfSense side too. Pretty much like here was the issue. Nothing special about pfSense, it’s only special about the way I want to use it, similar to a site-to-site connection.
In /usr/bin/setvpnfirewall you have to uncomment the last 3 lines in set_vpn_config, and change vpn_zone.forward to ‘ACCEPT’:
All you need is to find the section below and change it from
set_vpn_config() {
    uci set firewall.vpn_zone=zone
    uci set firewall.vpn_zone.name='VPN_client'
    uci set firewall.vpn_zone.input='ACCEPT'
    uci set firewall.vpn_zone.forward='REJECT'
    uci set firewall.vpn_zone.output='ACCEPT'
    uci set firewall.vpn_zone.network='VPN_client'
    uci set firewall.vpn_zone.masq='1'
    uci set firewall.forwarding_vpn1='forwarding'
    uci set firewall.forwarding_vpn1.dest='VPN_client'
    uci set firewall.forwarding_vpn1.src='lan'
    # uci set firewall.forwarding_vpn2='forwarding'
    # uci set firewall.forwarding_vpn2.src='VPN_client'
    # uci set firewall.forwarding_vpn2.dest='lan'
}
to
set_vpn_config() {
    uci set firewall.vpn_zone=zone
    uci set firewall.vpn_zone.name='VPN_client'
    uci set firewall.vpn_zone.input='ACCEPT'
    uci set firewall.vpn_zone.forward='ACCEPT'
    uci set firewall.vpn_zone.output='ACCEPT'
    uci set firewall.vpn_zone.network='VPN_client'
    uci set firewall.vpn_zone.masq='1'
    uci set firewall.forwarding_vpn1='forwarding'
    uci set firewall.forwarding_vpn1.dest='VPN_client'
    uci set firewall.forwarding_vpn1.src='lan'
    uci set firewall.forwarding_vpn2='forwarding'
    uci set firewall.forwarding_vpn2.src='VPN_client'
    uci set firewall.forwarding_vpn2.dest='lan'
}
and the firewall rules will be generated correctly at connection and boot for site-to-site traffic in both directions!!!
Thank you!
(This is not a bug, as most users don’t need it for just remote access. If you don’t use your own OpenVPN server with GL-Mifi, don’t do these mods, for security reasons.)
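A quick way to verify after a reboot or reconnect whether the two changes above (zone forward set to ACCEPT and the VPN_client → lan forwarding) actually survived, and to spot when a device is left open in the VPN → LAN direction without meaning to be. This is an added example, not code from GL-iNet or from anyone in this thread; it parses the text format of `uci show firewall`, and the embedded dumps are constructed from the set_vpn_config blocks above.

```shell
# Print the UCI section id of the zone named "$1" (uci dump on stdin).
zone_section() {
  sed -n "s/^firewall\.\([^.]*\)\.name='\{0,1\}$1'\{0,1\}$/\1/p"
}
# Print option "$2" of section "$1" with any surrounding quotes stripped.
uci_value() {
  sed -n "s/^firewall\.$1\.$2=//p" | tr -d "'"
}
# Return 0 if a forwarding section with src=$1 and dest=$2 exists in dump $3.
has_forwarding() {
  for sec in $(printf '%s\n' "$3" | sed -n 's/^firewall\.\([^.=]*\)=forwarding$/\1/p'); do
    [ "$(printf '%s\n' "$3" | uci_value "$sec" src)" = "$1" ] &&
    [ "$(printf '%s\n' "$3" | uci_value "$sec" dest)" = "$2" ] && return 0
  done
  return 1
}
# Return 0 only when both settings are present; say what is missing otherwise.
# On the router: uci show firewall | audit_vpn_fw
audit_vpn_fw() {
  dump=$(cat)
  zone=$(printf '%s\n' "$dump" | zone_section VPN_client)
  [ -n "$zone" ] || { echo "no VPN_client zone: tunnel down or zone not generated"; return 1; }
  fwd=$(printf '%s\n' "$dump" | uci_value "$zone" forward)
  [ "$fwd" = ACCEPT ] || { echo "zone $zone forward=$fwd: office cannot reach LAN clients"; return 1; }
  has_forwarding VPN_client lan "$dump" ||
    { echo "no VPN_client -> lan forwarding: change did not survive"; return 1; }
  echo "site-to-site forwarding present (zone $zone)"
}
# Constructed `uci show firewall` excerpt matching the patched set_vpn_config.
patched_dump() {
cat <<'EOF'
firewall.vpn_zone=zone
firewall.vpn_zone.name='VPN_client'
firewall.vpn_zone.forward='ACCEPT'
firewall.forwarding_vpn1=forwarding
firewall.forwarding_vpn1.src='lan'
firewall.forwarding_vpn1.dest='VPN_client'
firewall.forwarding_vpn2=forwarding
firewall.forwarding_vpn2.src='VPN_client'
firewall.forwarding_vpn2.dest='lan'
EOF
}
# Same excerpt as the stock script generates it (forward REJECT, no vpn2).
stock_dump() {
  patched_dump | sed "s/forward='ACCEPT'/forward='REJECT'/; /forwarding_vpn2/d"
}
```

Run `stock_dump | audit_vpn_fw` to see the message you would get on a box where the edit was lost, and `patched_dump | audit_vpn_fw` for the healthy case.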
When ovpn disconnects, the ovpn zone and those purple ovpn forwardings go away (thanks to /etc/init.d/startvpn). When the OpenVPN client reconnects, they reappear. This works great until a reboot, when my firewall rules get changed to:
You can see there are three changes being made somewhere in the boot process, none of which is desired. First there is a forwarding rule added to forward lan → wan (I don’t want this, as the other side of the split tunnel, lan_unsec, should go out through wan, while lan should only be able to go out through ovpn). The other undesired change is the removal of two reciprocal forwarding rules, allowing both sides of the split tunnel to reach each other locally, lan → lan_unsec and lan_unsec → lan. These are removed somewhere during the boot process also.
I’ve already removed the lan → wan forwarding in /etc/init.d/startvpn, by doing this:
Well, not the most elegant or efficient solution, but temporarily until I can find what is overwriting my rules at boot, I just saved a static version of my desired firewall config and added the instruction cat /desired_fw_config > /etc/config/firewall to the end of /etc/rc.local. If anyone has details on which process(es) write firewall configurations during boot that I’ve overlooked, I’d be curious to know!
Thanks @alzhao! For those still having this issue also with WireGuard, in version 3.105 you have to change the /etc/init.d/wireguard file. Just search for the word “DROP” and replace it with ACCEPT, save the change and the new setting will be persistent.