Accessing Clients Behind DD-WRT VPN Client

DD-WRT Forum Index -> Advanced Networking
aeglos
DD-WRT Novice


Joined: 10 May 2019
Posts: 4

PostPosted: Fri May 10, 2019 16:55    Post subject: Accessing Clients Behind DD-WRT VPN Client
I'm trying to set up VPN access to a handful of computers at our lab. File management, checking tests, etc. The building we lease doesn't allow us to port forward anything, so we've set up an OpenVPN AS on Digital Ocean and have connected both the remote computers and the lab router to that VPN.

Connections seem to work, and we can see the router remotely. But we cannot figure out how to connect to the computers behind the router. How would we expose those computers to the VPN network for access?

I've tried port forwarding the four ports that Samba uses through the router, to no avail.

Thank you for the help!
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Fri May 10, 2019 17:52    Post subject:
If you're referring to site-to-site capabilities, where either the OpenVPN server itself, or clients behind the OpenVPN server are able to initiate connections to the local network behind the OpenVPN client, then it's not enough to simply add a static route to the server's routing table that points to that local network (the first thing people usually do). OpenVPN also requires that you specify an iroute directive in a file, whose name is based on the OpenVPN client's common name on its cert, in the CCD directory.

https://community.openvpn.net/openvpn/wiki/RoutedLans
aeglos
DD-WRT Novice


Joined: 10 May 2019
Posts: 4

PostPosted: Fri May 10, 2019 19:44    Post subject:
eibgrad wrote:
If you're referring to site-to-site capabilities, where either the OpenVPN server itself, or clients behind the OpenVPN server are able to initiate connections to the local network behind the OpenVPN client, then it's not enough to simply add a static route to the server's routing table that points to that local network (the first thing people usually do). OpenVPN also requires that you specify an iroute directive in a file, whose name is based on the OpenVPN client's common name on its cert, in the CCD directory.

https://community.openvpn.net/openvpn/wiki/RoutedLans


That seems to be what I'm looking for! For context, the network behind the router is 10.0.0.X, while the VPN network is 10.1.0.X.

I added the following to the Server Config Directives:

route 10.0.0.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
client-to-client

However, I'm not sure how to configure the iroute in DD-WRT. I can add it to the client.conf file like a usual client, but where should I add it in the DD-WRT GUI? I'm still not able to connect without this, so I'm assuming I need it somewhere.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Fri May 10, 2019 19:52    Post subject:
The iroute and CCD directory go on the OpenVPN server side! It's the server side that needs the routing information.
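To make the server-side part concrete (this covers both the route/iroute explanation above and the question of where the iroute goes), here is an added example that is not from the thread: it writes the server.conf lines the poster used together with a CCD file for the router's certificate CN, then checks the usual pitfall that every iroute has a matching route and vice versa. The CN "labrouter", the 10.1.0.0/24 VPN pool, the 10.0.0.0/24 lab LAN and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's own config. Builds a minimal OpenVPN server
# config plus a CCD file and verifies route/iroute consistency.
set -eu

# Write server.conf and the CCD directory into $1 (a scratch directory).
write_server_side() {
    dir=$1
    mkdir -p "$dir/ccd"
    cat > "$dir/server.conf" <<'EOF'
server 10.1.0.0 255.255.255.0
# kernel route: send 10.0.0.0/24 into the tun interface
route 10.0.0.0 255.255.255.0
# tell the other VPN clients about the lab LAN
push "route 10.0.0.0 255.255.255.0"
client-to-client
# per-client files, named after the client's certificate CN (assumed path)
client-config-dir /etc/openvpn/ccd
EOF
    # File name must equal the CN on the DD-WRT router's client certificate.
    cat > "$dir/ccd/labrouter" <<'EOF'
# internal route: OpenVPN learns that this client owns the lab LAN
iroute 10.0.0.0 255.255.255.0
EOF
}

# Print "ok" and return 0 when every route has an iroute and every iroute
# has a route; otherwise print each gap and return 1.
check_routes() {
    dir=$1
    status=0
    routes=$(awk '$1=="route"{print $2"/"$3}' "$dir/server.conf")
    iroutes=$(cat "$dir"/ccd/* | awk '$1=="iroute"{print $2"/"$3}')
    for r in $routes; do
        echo "$iroutes" | grep -qx "$r" || { echo "route $r has no iroute in any CCD file"; status=1; }
    done
    for i in $iroutes; do
        echo "$routes" | grep -qx "$i" || { echo "iroute $i has no route in server.conf"; status=1; }
    done
    [ "$status" -eq 0 ] && echo ok
    return "$status"
}
```

A route without a matching iroute means the kernel sends packets into tun but OpenVPN does not know which client to hand them to; an iroute without a route means the packets never reach tun at all.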
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4415
Location: Netherlands

PostPosted: Fri May 10, 2019 21:06    Post subject:
In my signature is an OpenVPN server setup guide; it gives you some pointers on how to work with CCD files.
_________________
Routers: Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2: http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Setup guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
aeglos
DD-WRT Novice


Joined: 10 May 2019
Posts: 4

PostPosted: Mon May 13, 2019 17:48    Post subject: [Solved]
First of all, thank you eibgrad and egc for the help.

I was able to find a solution this morning, and will outline it for posterity.

Configuring CCD is in fact what was necessary, but it's a little different through Access Server. All of the configuration I needed was in the user permissions tab, and was pretty straightforward.

Under the user used by the router, I enabled the VPN Gateway option and entered "10.0.0.0/24", the lab subnet, into the box.

Under the users that needed access, I enabled access to the same subnet with NAT.

This technically allows access to the internal network over VPN, but the router will still block incoming connections unless they're port forwarded. Therefore, in DD-WRT I forwarded the ports that I needed for RDP, Samba, etc.

Hope this helps someone in the future, and again thank you for the help.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Tue May 14, 2019 6:28    Post subject:
Glad to hear. And thanks for reporting back. I wish everyone did.

I don't know why I didn't pick up on this earlier (I just blew past the fact you mentioned Digital Ocean, a VPS, duh), but it finally dawned on me based on your last post that this really isn't a site-to-site VPN in the traditional sense. It's really more of a reverse tunnel, made necessary by a local firewall on the OpenVPN client side. It's basically the same thing you see people do w/ SSH reverse tunneling, and usually for the same reasons. Had I picked up on that sooner, perhaps I could have been more helpful.

Be very careful w/ this configuration. It isn't clear to what extent, if any, you're firewalling the VPS's public side. And don't assume the router's firewall will protect you, because it won't!

https://svn.dd-wrt.com/ticket/6332

_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
NEW SCRIPT!: ddwrt-mount-usb-drives.sh
NEW SCRIPT!: ddwrt-blacklist-domains.sh
NEW SCRIPT!: ddwrt-ovpn-remote-access.sh
NEW SCRIPT!: ddwrt-pptp-policy-based-routing.sh