OpenVPN Connections invalid

Hi,

I have an OpenVPN server on my Raspberry Pi, and it is behind the RouterBOARD 750G r2.
There is no problem connecting my client to the server. However, everything in the firewall forward chain is dropped because the connection state is invalid.

I created firewall rules to allow these invalid connections.

My question is: is this normal behaviour, that these connections are marked as invalid? If not, I guess this is more of an OpenVPN question?

Thanks in advance.

A few more details would help. Some info about the addresses used, where exactly you connect from and to, etc. My guess is that you might have created some asymmetric routing scenario.

For example, your LAN would be the router (192.168.0.1), RasPi (192.168.0.2) and server (192.168.0.100). The remote LAN would use 192.168.2.x. The router would have a route to 192.168.2.x via 192.168.0.2. If you connected from a remote PC (192.168.2.10) to the server, the first packet would come through the RasPi and the router would not see it. If the server doesn't have its own static route to 192.168.2.x, it would send the reply to the default gateway (router), and it would look invalid to the router, because it did not see the initial packet.

Here is the scenario:

I completely forgot that I have two routers and can't avoid double NAT (Router1 is mandatory because of my provider, and I can't even change the LAN network on it).
Router1: 192.168.2.1
Router2 (MikroTik): WAN 192.168.2.2 LAN 10.10.66.1
DstNat for port 1194 on Router1 to 192.168.2.2
DstNat for port 1194 on Router2 to 10.10.66.3

RasPi: 10.10.66.3
Remote LAN: 10.111.96.0 (RasPi: 10.111.96.1)
Static Route on Router2: Dest: 10.111.96.0 Gateway: 10.10.66.3 (Do I even need this?)

My client is a notebook and has 10.111.96.11.
I'm connecting from the WAN side (through both routers) to my Raspberry.

With the default firewall rules I can establish the connection to the Raspberry and I am able to ping 10.10.66.1 and 10.10.66.3.
Other IPs on my network are only reachable if I add specific firewall rules or disable the 'drop invalid' rule.

I just checked my OpenVPN server config and added the static route; unfortunately I can only test it tomorrow.

Sounds like my guess was right. Your other router does not matter here; it's about what happens in your LAN. You can add a static route to devices in the LAN to make them send packets for the remote subnet directly to the RasPi. But it may be a lot of work and you have to do it for every new device, so it's probably worth doing only for static servers and such. For the rest, instead of allowing all invalid connections, add a specific allow rule for VPN traffic (it's normal for this kind of setup):

/ip firewall filter
add action=accept chain=forward dst-address=10.111.96.0/24 src-address=10.10.66.0/24
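As an added illustration (not code from this thread, and not RouterOS code), here is a small Python model of the asymmetric-routing problem explained two posts up and of the two fixes proposed here: a static route on the LAN host, or an accept rule on the router. The QNAP address 10.10.66.50 is an assumption; the thread does not give it. The model also assumes what the RouterOS default firewall does: the forward chain is evaluated top-down and has 'drop invalid' near the top, so an accept rule that is merely appended lands after it and never fires. That ordering is the caveat the script is meant to make visible.

```python
import ipaddress
from dataclasses import dataclass

# Addresses from the thread; the QNAP/NAS address is assumed for illustration.
CLIENT = "10.111.96.11"      # OpenVPN client (notebook)
NAS = "10.10.66.50"          # assumed LAN host, not given in the thread
RASPI = "10.10.66.3"         # OpenVPN server
ROUTER = "10.10.66.1"        # MikroTik LAN side, default gateway of LAN hosts
LAN = ipaddress.ip_network("10.10.66.0/24")
VPN = ipaddress.ip_network("10.111.96.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str   # "S" = connection request, "SA" = reply to it


class Conntrack:
    """Minimal connection tracker: new / established / invalid, as the
    router's firewall sees them."""

    def __init__(self):
        self.flows = set()

    def classify(self, p: Packet) -> str:
        if (p.src, p.dst) in self.flows or (p.dst, p.src) in self.flows:
            return "established"
        if p.flags == "S":
            self.flows.add((p.src, p.dst))
            return "new"
        # A reply for a flow this router never saw being opened.
        return "invalid"


def forward_chain(accept_rule_position):
    """Forward-chain rules as (name, predicate, action), evaluated top-down.
    Assumed shape of the RouterOS default: accept established, drop invalid,
    then the rest (the real default also drops un-NATed WAN traffic; omitted)."""
    vpn_accept = ("accept LAN->VPN",
                  lambda p, s: ipaddress.ip_address(p.src) in LAN
                  and ipaddress.ip_address(p.dst) in VPN,
                  "accept")
    rules = [
        ("accept established", lambda p, s: s == "established", "accept"),
        ("drop invalid", lambda p, s: s == "invalid", "drop"),
    ]
    if accept_rule_position == "before drop invalid":
        rules.insert(1, vpn_accept)
    elif accept_rule_position == "appended":
        rules.append(vpn_accept)        # too late: 'drop invalid' wins first
    rules.append(("accept other", lambda p, s: True, "accept"))
    return rules


def router_forward(ct, rules, p):
    state = ct.classify(p)
    for name, match, action in rules:
        if match(p, state):
            return f"{action} ({name}, state={state})"


def nas_next_hop(dst, nas_has_static_route):
    if nas_has_static_route and ipaddress.ip_address(dst) in VPN:
        return RASPI
    return ROUTER


def simulate(nas_has_static_route=False, accept_rule_position=None):
    """VPN client opens a connection to the NAS; return what happens to the reply."""
    ct = Conntrack()
    rules = forward_chain(accept_rule_position)
    # Request: client -> RasPi (tunnel) -> NAS, both on the same LAN segment.
    # The router is not on this path, so its conntrack never learns the flow.
    request = Packet(CLIENT, NAS, "S")
    reply = Packet(request.dst, request.src, "SA")
    if nas_next_hop(reply.dst, nas_has_static_route) == RASPI:
        return "delivered via RasPi (router never saw the reply)"
    return router_forward(ct, rules, reply)


def simulate_lan_initiated():
    """Opposite direction: a LAN host opens a connection to the VPN client. Its
    default gateway is the router, so the router sees the first packet, tracks
    the flow as 'new', and LAN -> VPN works without any extra rule."""
    return router_forward(Conntrack(), forward_chain(None), Packet(NAS, CLIENT, "S"))


if __name__ == "__main__":
    print("no fix:              ", simulate())
    print("static route on NAS: ", simulate(nas_has_static_route=True))
    print("rule before invalid: ", simulate(accept_rule_position="before drop invalid"))
    print("rule appended:       ", simulate(accept_rule_position="appended"))
    print("LAN-initiated:       ", simulate_lan_initiated())
```

The practical takeaway from the last two scenarios: on the real router, check the rule order with `/ip firewall filter print` and, if the accept rule ended up below `drop invalid`, move it up (the RouterOS `add` command accepts `place-before=<n>` for this).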
Yes. Otherwise the router (and other devices without own static route) would not know where to find remote subnet.

Ok I got it!

Only my QNAP Device is still being blocked.
From inside the LAN I can reach the VPN Clients but not the other way around. I added the static route to the NAS and checked the routes with traceroute and everything seems fine.
VPN Client → Router → Pi → QNAP → Pi → Router → blocked!

But that seems like an entirely different problem because all other devices are working X)
Edit: OK, the NAS doesn't use the static route for "answers" despite it being in the routing table.

You can combine both approaches: add static routes to some devices and let traffic from the others go through the router (add the allow rule from my previous post).

The reason for static routes on individual devices is that it's a little more effective: you can skip one hop and save some resources on the router. But it only really matters if you need as low latency as possible (you can save half a millisecond by not going through the router) and if you have really fast internet at both sites (so that traffic not passing through the router could save a noticeable amount of resources). Chances are, if you let it pass through the router, it will work just fine.

Thanks for your help :)