Hello everybody,
I have a little problem with an OpenVPN site-to-site connection and the firewall between two EdgeRouters. Maybe somebody here can help me understand this issue:
I have an EdgeRouter Pro and an EdgeRouter Lite, and both are connected using an OpenVPN site-to-site connection. That was working pretty fine right from the beginning and I was totally happy, but then we wanted to add one more router to the network, and that required some 'cleanup' so that the three networks behind the three routers can communicate without problems.
While I was cleaning up my current setup, I changed the ports of the site-to-site VPN on both routers and forgot to change these ports in the firewall. To my surprise, the site-to-site connection was still working like a charm. I then disabled the rules on the firewall, and the connection is still working fine.
Now I'm wondering why the firewall is not blocking these ports if they are not explicitly allowed (the default action is to drop any packets from the WAN to LOCAL).
Here are the configurations for both routers:
Router 1 - Site-to-Site VPN:
local-address 10.250.10.10 {
}
local-port 1194
mode site-to-site
openvpn-option --comp-lzo
openvpn-option --float
openvpn-option "--ping 10"
openvpn-option "--ping-restart 20"
openvpn-option --ping-timer-rem
openvpn-option --persist-tun
openvpn-option --persist-key
openvpn-option "--user nobody"
openvpn-option "--group nogroup"
remote-address 10.250.10.20
remote-host <DDNS Name of Router #2>
remote-port 1194
shared-secret-key-file /config/auth/vpn/site-to-site/10/secret
Router 1 - WAN to LOCAL Firewall:
default-action drop
description ""
enable-default-log
rule 10 {
    action accept
    description "Accept established / related"
    log disable
    protocol all
    state {
        established enable
        invalid disable
        new disable
        related enable
    }
}
rule 20 {
    action accept
    description "Accept OpenVPN Server Connections"
    destination {
        port 443
    }
    log enable
    protocol udp
}
rule 30 {
    action accept
    description "Accept OpenVPN Site-to-Site Connection"
    destination {
        port 1194
    }
    disable
    log disable
    protocol udp
}
rule 40 {
    action drop
    description "Drop invalid"
    log disable
    protocol all
    state {
        established disable
        invalid enable
        new disable
        related disable
    }
}
Router 2 - Site-to-Site VPN:
local-address 10.250.10.20 {
}
local-port 1194
mode site-to-site
openvpn-option --comp-lzo
openvpn-option --float
openvpn-option "--ping 10"
openvpn-option "--ping-restart 20"
openvpn-option --ping-timer-rem
openvpn-option --persist-tun
openvpn-option --persist-key
openvpn-option "--user nobody"
openvpn-option "--group nogroup"
remote-address 10.250.10.10
remote-host <DDNS Name of Router #1>
remote-port 1194
shared-secret-key-file /config/auth/vpn/site-to-site/10/secret
Router 2 - WAN to LOCAL Firewall:
default-action drop
description ""
rule 10 {
    action accept
    description "Accept established / related"
    log disable
    protocol all
    state {
        established enable
        invalid disable
        new disable
        related enable
    }
}
rule 20 {
    action accept
    description "Accept OpenVPN Server Connections"
    destination {
        port 443
    }
    disable
    log disable
    protocol udp
}
rule 30 {
    action accept
    description "Accept OpenVPN Site-to-Site Connection"
    destination {
        port 1194
    }
    disable
    log disable
    protocol udp
}
rule 40 {
    action drop
    description "Drop invalid"
    log disable
    protocol all
    state {
        established disable
        invalid enable
        new disable
        related disable
    }
}
Any ideas?
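The behaviour in the question comes down to rule 10 and connection tracking, and the following added example (not code from the post, EdgeOS or OpenVPN) models it. A WAN_LOCAL ruleset only sees packets arriving on WAN for the router itself; packets the router sends out are not filtered by it, but they still create a conntrack entry. In a site-to-site tunnel both routers send to each other, so router 1's own first datagram to the peer creates the entry, the peer's datagrams then match rule 10 as ESTABLISHED, and with `--ping 10` a keepalive every 10 seconds keeps the UDP entry from ever ageing out. The WAN addresses below are constructed RFC 5737 addresses, the timeouts are the upstream Linux defaults for UDP conntrack (assumed to apply on the router), and the rule evaluation is a simplified model of the posted ruleset with rule 30 disabled, as in the question.

```python
from dataclasses import dataclass

# Upstream Linux defaults for UDP conntrack, in seconds (assumed for the router)
UDP_TIMEOUT = 30          # nf_conntrack_udp_timeout: only one direction seen so far
UDP_TIMEOUT_STREAM = 180  # nf_conntrack_udp_timeout_stream: traffic seen both ways


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


class Conntrack:
    """Toy flow table: key -> (originator endpoint, last_seen, replied)."""

    def __init__(self):
        self.flows = {}

    @staticmethod
    def key(p):
        # direction-independent tuple, so a reply maps onto the same entry
        return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def track(self, p, now):
        """Return 'new' or 'established' for p and refresh its entry."""
        k = self.key(p)
        entry = self.flows.get(k)
        if entry is not None:
            _, last_seen, replied = entry
            if now - last_seen > (UDP_TIMEOUT_STREAM if replied else UDP_TIMEOUT):
                entry = None  # idle too long: the kernel would have expired it
        if entry is None:
            self.flows[k] = ((p.src, p.sport), now, False)
            return "new"
        orig, _, replied = entry
        if (p.src, p.sport) != orig:
            replied = True  # reply direction seen: entry is now a 'stream'
        self.flows[k] = (orig, now, replied)
        return "established"

    def forget(self, p):
        self.flows.pop(self.key(p), None)


# The posted WAN_LOCAL ruleset, simplified: a rule without 'state' matches any state.
WAN_LOCAL_RULES = [
    {"n": 10, "action": "accept", "state": "established"},
    {"n": 20, "action": "accept", "proto": "udp", "dport": 443},
    {"n": 30, "action": "accept", "proto": "udp", "dport": 1194, "disable": True},
    {"n": 40, "action": "drop", "state": "invalid"},
]


def wan_local(ct, p, now, rules=WAN_LOCAL_RULES, default="drop"):
    """Evaluate one packet arriving on WAN for the router; returns (decision, rule or None)."""
    state = ct.track(p, now)
    decision, num = default, None
    for r in rules:
        if r.get("disable"):
            continue
        if r.get("proto", p.proto) != p.proto or r.get("dport", p.dport) != p.dport:
            continue
        if r.get("state", state) != state:
            continue
        decision, num = r["action"], r["n"]
        break
    if decision == "drop" and state == "new":
        ct.forget(p)  # netfilter only confirms a new entry once the packet is accepted
    return decision, num


def with_rule_30_enabled(rules=WAN_LOCAL_RULES):
    return [{k: v for k, v in r.items() if k != "disable"} if r["n"] == 30 else r for r in rules]


R1_WAN, R2_WAN, STRANGER = "198.51.100.1", "203.0.113.2", "192.0.2.99"  # constructed (RFC 5737)


def simulate():
    """Replay the tunnel from router 1's point of view; returns (label, decision, rule) tuples."""
    results = []
    ct = Conntrack()
    r1_to_r2 = Packet(R1_WAN, 1194, R2_WAN, 1194)
    r2_to_r1 = Packet(R2_WAN, 1194, R1_WAN, 1194)

    # t=0: router 1's own OpenVPN process sends the first datagram to its peer.
    # LOCAL->WAN is not filtered by WAN_LOCAL, but it still creates a flow entry.
    ct.track(r1_to_r2, now=0)
    # t=1: the peer answers; this is the first packet WAN_LOCAL actually sees.
    results.append(("peer reply",) + wan_local(ct, r2_to_r1, now=1))

    # --ping 10: a keepalive every 10 s, far inside the 180 s stream timeout,
    # so the entry never ages out and every later datagram is ESTABLISHED.
    for t in range(10, 3600, 10):
        ct.track(r1_to_r2, now=t)
        wan_local(ct, r2_to_r1, now=t + 1)
    results.append(("peer after an hour",) + wan_local(ct, r2_to_r1, now=3601))

    # Anyone else probing UDP/1194 has no entry: NEW, nothing enabled matches, default drop.
    results.append(("stranger",) + wan_local(ct, Packet(STRANGER, 40000, R1_WAN, 1194), now=3602))

    # Had router 1 not sent first (or had its entry expired), the peer's first datagram
    # is NEW and is dropped with rule 30 disabled; that is the case rule 30 exists for.
    results.append(("peer first, rule 30 disabled",) + wan_local(Conntrack(), r2_to_r1, now=0))
    results.append(("peer first, rule 30 enabled",)
                   + wan_local(Conntrack(), r2_to_r1, now=0, rules=with_rule_30_enabled()))
    return results


if __name__ == "__main__":
    for label, decision, rule in simulate():
        print(f"{label:30} -> {decision} (rule {rule})")
```

The practical takeaway from the model: the tunnel survives with rule 30 disabled only because one router always speaks first and the keepalives keep the entry warm; the first datagram after a reboot, an idle gap longer than the conntrack timeout, or a peer whose DDNS entry has changed arrives as NEW and is dropped, which is why the explicit accept for the site-to-site port is still worth keeping (and re-pointing at the new port).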