[s123456]

hello, I need some help with ddwrt and openvpn client\server setup in routed node. between two dd-wrt routers.

I have established the vpn tunnel so we can skip past all of the certs and discussion about it please.

192.168.1.0/24 - LAN subnet of server
192.168.254.0/24 - openvpn subnet
192.168.254.1 - server ip

192.168.2.0/24 - LAN subnet of client
192.168.254.2 - ip of client for openvpn subnet

Client symptoms:
if i login to the client router (192.168.2.0) CLI I can ping any host on 192.168.1.0/24 subnet

if I ping from a host on 192.168.2.0/24 via the vpn tunnel I can not hit anything

I also can not ping 192.168.254.1 (server)
I can ping 192.168.254.2 ( local side of the openvpn subnet)

what am i missing to get my client subnet hosts to talk to my servers hosts?

now in the reverse
from the server any host on the 192.168.1.0/24 subnet can ping 192.168.254.2 (client openvpn subnet assignment)

I can not ping any host from either the server routers CLI or from any host on the 192.168.1.0/24 subnet




Server firewall rules:
# Accepts incoming traffic via port 1194 UDP
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT

# Allows the VPN client access to router internal
# processes, e.g. Web admin, SSH etc
iptables -I INPUT 3 -i tun2 -j ACCEPT

# Allows connections between VPN clients, if
# client-to-client is enabled in OpenVPN server
iptables -I FORWARD 3 -i tun2 -o tun2 -j ACCEPT

# Allows connection from local VPN to the internet
iptables -I FORWARD 1 --source 192.168.254.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.254.0/24 -j MASQUERADE

# Allows connections from local network to VPN network
# and other way around (br0 is LAN and WIFI)
iptables -I FORWARD -i br0 -o tun2 -j ACCEPT
iptables -I FORWARD -i tun2 -o br0 -j ACCEPT


Server ip route
192.168.2.0/24 to gateway 192.168.254.2

====================================

client firewall rules
# Accepts incoming traffic via port 1194 UDP
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT

# Allows the VPN client access to router internal
# processes, e.g. Web admin, SSH etc
iptables -I INPUT 3 -i tun1 -j ACCEPT

# Allows connections between VPN clients, if
# client-to-client is enabled in OpenVPN server
iptables -I FORWARD 3 -i tun1 -o tun1 -j ACCEPT

# Allows connection from local VPN to the internet
iptables -I FORWARD 1 --source 192.168.254.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.254.0/24 -j MASQUERADE

# Allows connections from local network to VPN network
# and other way around (br0 is LAN and WIFI)
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT


client route:
192.168.1.0/24 gateway 192.168.254.1

=======================
before the tun1 vs tun2 is brought up I've confirmed they are correct. Can anyone give me some helpful direction?

[s123456]

I agree with your assessment... but how do I fix it?

[s123456]

thx for the tip. I dug around and found a nat option on the client disabled. I enabled it. disabled the firewall and I can ping one direction now. Thank you!

any host on 192.168.2.0/24 (client) can ping anything on the 192.168.1.0/24 (server).

now whats the trick to get the server's hosts to ping the other way?

192.168.1.0/24 can still ping the remote end openvpn subnet 192.168.254.2. but I can't hit any host on 192.168.2.0/24 from 192.168.1.0/24 yet. any idea?

[Per Yngve Berg]

You shouldn't use any NAT at all.

You are probably missing a route to the remote network.
You need a route to 192.168.1.0/24 and 192.168.2.0/24 on both routers.

[s123456]

no NAT right, that's what i was reading in a ton of other threads, but it does work in one direction with it on via the client once I turned it on. i gota be missing something that the NAT is fixing...?

here's partial shots of my routing table. i don't see any gaps in my routing do you?

Server:
192.168.2.0/24 via 192.168.254.2 dev tun2
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
192.168.254.0/24 dev tun2 proto kernel scope link src 192.168.254.1
169.254.0.0/16 dev br0 proto kernel scope link src 169.254.255.1
127.0.0.0/8 dev lo scope link


Client:

192.168.2.0/24 dev br0 proto kernel scope link src 192.168.2.1
192.168.1.0/24 via 192.168.254.1 dev tun1
192.168.254.0/24 dev tun1 proto kernel scope link src 192.168.254.2
169.254.0.0/16 dev br0 proto kernel scope link src 169.254.255.1
127.0.0.0/8 dev lo scope link

[s123456]

bingo that did it. In that other post you referenced there was a link https://community.openvpn.net/openvpn/wiki/RoutedLans. After reading that I understood completely what was going on. I made the adjustments. removed NAT, added the iroute needed and I have 2 way traffic!!! thanks for the help! this was my first time posting even though I read these forums quite often. I really appreciate the helpful push over the edge to get this working.

[blueone]

Can you post your current firewall rules? I really helps me with setting up openvpn, I'm experiencing the same issues.

[s123456]

no change to the firewall rules I posted above. they are exactly the same. it's the Iroute that I had to add. eibgrad did a great job of explaining in his post

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=305852