Quick question regarding DNSmasq. expressVPN had me set this already to
interface=tun1
Should I set this to interface=tun2, which is my server TUN that you helped me create?
Also, this may help someone else: I struggled a moment ago to add my expressVPN connection to my Android app, I kept getting a "fragmentation not supported" error. I looked at the OVPN FAQ and this is not supported, so I removed it from the import file and bang, it works perfectly!
You did not miss anything.
But when using an OVPN server and client on the same router you have to use policy based routing on the OVPN client.
Otherwise traffic comes in through the WAN and is routed out through the VPN client, and the firewall will not do that.
For policy based routing, enter the IP addresses of the clients you want to route via the VPN client in the PBR field of the client. Use CIDR notation and do not include the router itself.
The DD-WRT PBR implementation has some flaws; if you run into them, see my signature for a better implementation.
If you have your Android client connected to your OVPN server you can have it use your outbound VPN client by adding the IPs of the OVPN server to the PBR field,
i.e. add 10.8.0.2 to the PBR field.
In the next iteration of the guide I will dedicate a chapter to this kind of setup.
Okay, tried that. In fact the IP you suggested was my "virtual IP", so I added this in the PBR of WRT-clientVPN, and brill, I can connect with both the client/server running together.
However I cannot hit my CCTV in the 192.168.49.x range in this scenario.
So I tried adding that IP address as another separate line in PBR, no joy.
I tried /32 on each one also, to no avail.
I have had a read of your script again, and credit to you, it looks great, but I was struggling with it somewhat. I am sure it is what I want, as I have a push access controller here that also needs to go out and loop back via the WAN from Google's push servers, but that is another story. At the moment I am not sure what I am missing regarding the issue above?
Joined: 18 Mar 2014 Posts: 12889 Location: Netherlands
Posted: Wed Mar 13, 2019 7:07 Post subject:
The problem with the PBR implementation of DD-WRT is such that clients in the PBR can not see other clients, so your virtual IP, when placed in the PBR, can not see your CCTV.
Just to test, place another IP address in the PBR; it does not matter which, as long as it is not your virtual IP.
Now you should be able to contact/ping other clients.
I have written a better PBR implementation (see my signature) but it is still somewhat experimental.
Chapter about Running an OpenVPN server and OpenVPN client on the same router added to the guide using Policy Based Routing, now v1.31
Nice update thanks
Trying to keep mine simple still, as you recommended, ref PBR, not the script option.
Mine has to have an external virtual IP (mobile device) defined to allow a remote client & server to run together at once. To allow this I added the only two I use:-
10.8.0.2/32
10.8.0.3/32
ServerVPN only running results:- (from 4G mobile)
1. Can browse the internet etc.
2. IP resolved is the TRUE one my ISP provides me.
3. Can access local CCTV client 192.168.49.232
ServerVPN & ClientVPN running results:- (from 4G mobile)
1. Can browse the internet etc.
2. IP resolved is the FAKE one my expressVPN provides me.
3. CANNOT access local CCTV client 192.168.49.232
Amended PBR to:-
10.8.0.2/32
10.8.0.3/32
192.168.49.232 (and tried with 192.168.49.232/32)
But cannot access the LAN client, or any LAN client?
"The problem is that you access your OpenVPN server via the WAN, and if you also have an OpenVPN client running, the return traffic will go out via the VPN client and your firewall will not allow that."
I never thought about that when trying to set up both an OVPN client and server. Thank you
_________________
Netgear R9000
DD-WRT v3.0-r55819 std (04/17/24)
Linux 4.9.337 #722 SMP Wed Apr 17 04:16:49 +07 2024 armv7l
Gateway, AP, DNSMasq, Clock 2000MHz
VAP on wlan1 for internet devices
IPv4 & IPv6 (Prefix Delegation)
Static Leases & DHCP
CloudFlare, no SFE, SmartDNS, no QoS
2.4GHz: Vanilla, Airtime Fairness, NG-Mixed, ACK Timing 3150, WPA2 w/AES & WPA3
5GHz: Vanilla, Airtime Fairness, AC/N Mixed, ACK Timing 3150, WPA2 w/AES & WPA3
2 Netgear AX1800 WiFi Mesh Extenders
Xfinity 1.2Gbps/35Mbps
Well, I had that wrong (as I'm sure anyone who knows this new notation figured out. :))
A couple of hints to those reading this thread. First, make da*n sure you back up your configuration before messing with routing tables. My PBR sent DNS requests out the VPN and I lost the ability to contact the router! I reset the router, restored my backup, and I'm back in business.
Second note, use a calculator like https://www.ipaddressguide.com/cidr. I plugged in the IP range of my network and it nicely spit out the table I needed.
Lesson learned, don't try this at home (meaning setting routing tables off the top of your head.) The pros make it look easy. It is not-so-easy. :)
My proper table is:
192.168.16.129/32
192.168.16.130/31
192.168.16.132/30
192.168.16.136/29
192.168.16.144/28
192.168.16.160/27
192.168.16.192/26
192.168.16.128 is my router and my local DNS! Oh well, learned something new.
Again thanks to egc for the great guide.
lol,
glad you saw the error of your ways, man.
Yeah, I read your post and thought "that's not gonna work, he put the network where his first addressable host should be", then read your 2nd post.
It really isn't hard, but unless you know one of the shortcuts or have it down to memory I recommend a free calc for ease of use.
I still use a calc once in a while when dealing with subnets I don't typically address in my job.
_________________
Routers currently owned:
Netgear R7800 - Router
Netgear R7000 - AP mode
Posted: Thu Mar 14, 2019 7:45 Post subject:
Due to the flaws in the DD-WRT PBR implementation you can not add your router's own IP to the PBR range, or you will lock yourself out, as you found out the hard way.
This is because the alternate routing table does not have any local routes, only the VPN client's route.
Posted: Thu Mar 14, 2019 7:54 Post subject:
c0l0c0d0s wrote:
But cannot access the LAN client, or any LAN client?
You have stumbled upon the flaws in the DD-WRT PBR implementation: there are no local routes in the alternate routing table, so your PBR clients can not see other LAN clients.
You can either use my PBR implementation with the script (see my signature) or use a script from @Eibgrad which copies the local routes from the main routing table to the alternate routing table.
Both involve a script running as Startup. My PBR implementation of course also has the local routes copied to the alternate routing table, and it has some more benefits, but it is still somewhat experimental.
@Eibgrad's coding skills are far superior to mine
_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
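The three points raised in this thread (build a PBR list that covers the LAN but leaves the router's own address out, refuse a list that would lock you out, and copy the main table's connected routes into the PBR table so PBR clients can still reach other LAN hosts) can be put into one small busybox-compatible shell script. The script below is an added example for this page; it is not egc's PBR script, @Eibgrad's script, or anything shipped with DD-WRT. The routing table number 10 is an assumption (check which table the firmware's PBR actually uses before running sync_pbr_table on a live router), and the route lines used to exercise it are constructed samples, not output from a real router.

```shell
#!/bin/sh
# Added example (not from the guide, egc or @Eibgrad). Assumptions: the PBR
# alternate table is number 10; route lines look like `ip route show` output.

PBR_TABLE="${PBR_TABLE:-10}"

# dotted quad -> 32-bit integer
ip2int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_contains CIDR IP: succeeds if IP falls inside CIDR (a bare IP counts as /32)
cidr_contains() {
    case "$1" in */*) bits=${1#*/} ;; *) bits=32 ;; esac
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "${1%/*}") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# range_to_cidrs FIRST LAST: print the minimal CIDR blocks covering FIRST..LAST.
# This is what the online CIDR calculator mentioned earlier in the thread does;
# start at router_ip + 1 to keep the router itself out of the PBR list.
range_to_cidrs() {
    s=$(ip2int "$1"); e=$(ip2int "$2")
    while [ "$s" -le "$e" ]; do
        bits=32
        # widen the block while it stays aligned on s and inside the range
        while [ "$bits" -gt 0 ]; do
            size=$(( 1 << (33 - bits) ))
            if [ $(( s % size )) -eq 0 ] && [ $(( s + size - 1 )) -le "$e" ]; then
                bits=$(( bits - 1 ))
            else
                break
            fi
        done
        echo "$(int2ip "$s")/$bits"
        s=$(( s + (1 << (32 - bits)) ))
    done
}

# check_pbr_list ROUTER_IP ENTRY...: fail if any entry would route the router itself
# (the lock-out case described above: DNS and the web UI would go out the VPN).
check_pbr_list() {
    router=$1; shift; bad=0
    for entry in "$@"; do
        if cidr_contains "$entry" "$router"; then
            echo "refusing $entry: it contains the router's own address $router" >&2
            bad=1
        fi
    done
    return $bad
}

# Read `ip route show table main` on stdin and emit one "ip route add ... table N"
# command per directly connected route. Gateway routes (default and anything with
# "via") are skipped so the PBR table keeps only the VPN client's default route.
connected_routes_to_cmds() {
    while read -r line; do
        case "$line" in
            default*|*" via "*) continue ;;
        esac
        case "$line" in
            *" scope link"*) echo "ip route add $line table $PBR_TABLE" ;;
        esac
    done
}

# Run on the router as root (Startup script, after the VPN client is up).
sync_pbr_table() {
    ip route show table main | connected_routes_to_cmds | sh
    ip route flush cache
}
```

Usage on the router would be `range_to_cidrs 192.168.16.129 192.168.16.255` to produce the seven-line list posted earlier, `check_pbr_list 192.168.16.128 <those entries>` to confirm the router's address is not covered, and `sync_pbr_table` from the Startup script once tun1 is up. Copying the connected routes (br0, the OpenVPN server's tun, and so on) is what lets a PBR client such as 10.8.0.2 reach 192.168.49.232 again; the default route in the alternate table is left alone, so internet traffic from those clients still exits via the VPN client.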
Thanks for the guide, it helped me reconfigure OpenVPN after a firmware update.
I only have one issue left. I can't connect to my NAS using HTTP but I can connect to it as a file server. I get a "Could not connect to the server" error when I try http://192.168.1.35:8080
Router: Netgear R7000
Firmware: 37015M kongac
The configuration of OpenVPN is as in your document except for network, cipher and hash. I have the firewall rule to allow internet access.