openvpn server clients no access to lan

Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking
Author Message
mdhwoods
DD-WRT Novice


Joined: 18 May 2019
Posts: 5

PostPosted: Sat May 18, 2019 1:51    Post subject: openvpn server clients no access to lan Reply with quote
I have read countless threads on this issue but can't for the life of me seem to get it working. Running on a Linksys WRT1900AC, Firmware: DD-WRT v3.0-r37305 std (10/10/18)

local lan 192.168.1.0/24
vpn 10.0.10.0

I see it pushing the route, but I cannot see anything on the LAN when the VPN is up. If I set redirect-gateway, I also cannot access the internet when the VPN is up. I applied this to the firewall, no luck.

iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -j MASQUERADE

The client can connect to the OpenVPN server. Below is the log:

Code:
20190517 21:28:06 99.203.30.184:29462 TLS: Initial packet from [AF_INET]99.203.30.184:29462 sid=cf01c7d4 aa476ae4
20190517 21:28:07 99.203.30.184:29462 VERIFY OK: depth=1
20190517 21:28:07 99.203.30.184:29462 VERIFY OK: depth=0
20190517 21:28:07 I 99.203.30.184:29462 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.0.2-894
20190517 21:28:07 I 99.203.30.184:29462 peer info: IV_VER=3.2
20190517 21:28:07 I 99.203.30.184:29462 peer info: IV_PLAT=ios
20190517 21:28:07 I 99.203.30.184:29462 peer info: IV_NCP=2
20190517 21:28:07 I 99.203.30.184:29462 peer info: IV_TCPNL=1
20190517 21:28:07 I 99.203.30.184:29462 peer info: IV_PROTO=2
20190517 21:28:07 I 99.203.30.184:29462 peer info: IV_AUTO_SESS=1
20190517 21:28:07 I 99.203.30.184:29462 peer info: IV_BS64DL=1
20190517 21:28:07 W 99.203.30.184:29462 WARNING: 'link-mtu' is used inconsistently local='link-mtu 1554' remote='link-mtu 1553'
20190517 21:28:07 W 99.203.30.184:29462 WARNING: 'comp-lzo' is present in local config but missing in remote config local='comp-lzo'
20190517 21:28:07 99.203.30.184:29462 Control Channel: TLSv1.2 cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 4096 bit RSA
20190517 21:28:07 I 99.203.30.184:29462 [changeme] Peer Connection Initiated with [AF_INET]99.203.30.184:29462
20190517 21:28:07 I changeme/99.203.30.184:29462 MULTI_sva: pool returned IPv4=10.0.10.2 IPv6=(Not enabled)
20190517 21:28:07 changeme/99.203.30.184:29462 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_174d5e500170170c.tmp
20190517 21:28:07 changeme/99.203.30.184:29462 MULTI: Learn: 10.0.10.2 -> changeme/99.203.30.184:29462
20190517 21:28:07 changeme/99.203.30.184:29462 MULTI: primary virtual IP for changeme/99.203.30.184:29462: 10.0.10.2
20190517 21:28:07 changeme/99.203.30.184:29462 PUSH: Received control message: 'PUSH_REQUEST'
20190517 21:28:07 changeme/99.203.30.184:29462 SENT CONTROL [changeme]: 'PUSH_REPLY redirect-gateway def1 route 192.168.1.0 255.255.255.0 route-gateway 10.0.10.1 topology subnet ping 10 ping-restart 120 ifconfig 10.0.10.2 255.255.255.0 peer-id 0 cipher AES-256-GCM' (status=1)
20190517 21:28:07 changeme/99.203.30.184:29462 Data Channel: using negotiated cipher 'AES-256-GCM'
20190517 21:28:07 changeme/99.203.30.184:29462 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20190517 21:28:07 changeme/99.203.30.184:29462 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key


server config
Code:
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 3
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port 1194
proto udp4
cipher bf-cbc
auth sha256
client-connect /tmp/openvpn/clcon.sh
client-disconnect /tmp/openvpn/cldiscon.sh
client-config-dir /tmp/openvpn/ccd
comp-lzo adaptive
tls-server
ifconfig-pool-persist /tmp/openvpn/ip-pool 86400
client-to-client
push "redirect-gateway def1"
fast-io
tun-mtu 1500
mtu-disc yes
server 10.0.10.0 255.255.255.0
dev tun2
push "route 192.168.1.0 255.255.255.0"



client config

Code:

remote xxxxxx.com 1194
client
dev tun2
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
auth SHA256
float
all keys removed from client config


routing table
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         47.***.**.*     0.0.0.0         UG    0      0        0 eth1
10.0.10.0       *               255.255.255.0   U     0      0        0 tun2
47.xxx.xx.0     *               255.255.255.0   U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
169.254.0.0     *               255.255.0.0     U     0      0        0 br0
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

PostPosted: Sat May 18, 2019 8:26    Post subject: Reply with quote
In my signature (bottom of the page) is a thread with an OpenVPN server setup guide and a troubleshooting guide.

Have a look and adjust your server and client settings.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6868
Location: Romerike, Norway

PostPosted: Sat May 18, 2019 8:35    Post subject: Reply with quote
Use an output interface on the NAT. Otherwise the client will be NAT'ed into the LAN.

iptables -t nat -A POSTROUTING -o `get_wanface` -j MASQUERADE
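The rule above, written out as a complete DD-WRT firewall-script fragment. This is an added example, not code from the thread or from DD-WRT itself. It assumes the values from the original post (tunnel 10.0.10.0/24 on tun2, LAN 192.168.1.0/24 on br0), takes the WAN interface from DD-WRT's `get_wanface` helper with eth1 (the interface in the poster's routing table) as an assumed fallback for reviewing the script off-router, and the `render_rules`/`apply_rules` helper names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from DD-WRT.
# Firewall-script fragment for a DD-WRT OpenVPN server whose clients need both
# LAN and Internet access. Defaults are the values from the original post:
# tunnel 10.0.10.0/24 on tun2, LAN 192.168.1.0/24 on br0. The WAN interface is
# taken from DD-WRT's get_wanface helper; eth1 (the poster's routing table) is
# an assumed fallback so the script can be reviewed on an ordinary Linux box.

VPN_NET="${VPN_NET:-10.0.10.0/24}"
VPN_IF="${VPN_IF:-tun2}"
LAN_IF="${LAN_IF:-br0}"

wan_iface() {
    if [ -n "${WAN_IF:-}" ]; then
        printf '%s\n' "$WAN_IF"
    elif command -v get_wanface >/dev/null 2>&1; then
        get_wanface
    else
        printf 'eth1\n'   # assumed fallback, see header comment
    fi
}

# The rule from the original post, kept for comparison. Without -o it rewrites
# the source of every tunnel packet, including packets bound for the LAN, so
# LAN hosts only ever see the router's address and any per-client LAN rules
# or logging cannot tell VPN clients apart.
broken_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -j MASQUERADE\n' "$VPN_NET"
}

# Corrected ruleset: masquerade only traffic leaving on the WAN, route tunnel
# <-> LAN traffic with real source addresses, and open the forward path
# explicitly so it does not depend on what the build adds by itself.
# Rules are printed one per line so they can be reviewed before being applied.
render_rules() {
    wan="$(wan_iface)"
    cat <<EOF
iptables -t nat -I POSTROUTING -s $VPN_NET -o $wan -j MASQUERADE
iptables -I FORWARD -i $VPN_IF -o $LAN_IF -j ACCEPT
iptables -I FORWARD -i $LAN_IF -o $VPN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -i $VPN_IF -o $wan -j ACCEPT
iptables -I FORWARD -i $wan -o $VPN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Apply idempotently: probe with -C first so re-running the firewall script
# (DD-WRT runs it again on every WAN-up event) does not stack duplicate rules.
# -C needs iptables >= 1.4.11.
apply_rules() {
    render_rules | while IFS= read -r rule; do
        check="$(printf '%s' "$rule" | sed 's/ -I / -C /')"
        eval "$check" >/dev/null 2>&1 || eval "$rule"
    done
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     render_rules ;;
esac
```

Run it without arguments to print the rules for review; `sh fw.sh apply` installs them, which is the form that goes into the DD-WRT firewall script (Administration, Commands, Save Firewall). The two ESTABLISHED,RELATED rules only admit replies: VPN clients can open connections to the LAN and the Internet, but LAN hosts cannot initiate connections to VPN clients, which is the least-privilege default for a road-warrior setup. If LAN-to-client connections are wanted, add a matching ACCEPT for NEW state on the LAN-to-tunnel direction.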
mdhwoods
DD-WRT Novice


Joined: 18 May 2019
Posts: 5

PostPosted: Sat May 18, 2019 13:14    Post subject: Reply with quote
egc wrote:
In my signature (bottom of the page) is a thread with an OpenVPN server setup guide and a troubleshooting guide.

Have a look and adjust your server and client settings.


Thanks a bunch, printed your guide, cleared all current setup and keys and started from scratch. Worked the first time. It appears all the info out there is in fact dated. I can access my LAN as well as the WAN from the tunnel. Now to push my Pi-hole DNS server to the tunnel. This should really be a sticky. Well written and descriptive.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

PostPosted: Sat May 18, 2019 13:42    Post subject: Reply with quote
Glad you got it working.

There is info about pushing DNS servers in the guide.
On the router, make sure to disable "Forced DNS redirection" on the Setup page and disable "No DNS rebind" on the Services page to use a DNS server other than your router.

mdhwoods
DD-WRT Novice


Joined: 18 May 2019
Posts: 5

PostPosted: Sat May 18, 2019 13:57    Post subject: Reply with quote
egc wrote:
Glad you got it working.

There is info about pushing DNS servers in the guide.
On the router, make sure to disable "Forced DNS redirection" on the Setup page and disable "No DNS rebind" on the Services page to use a DNS server other than your router.


Yup, saw it in the guide. Got DNS working through my Pi-hole while connected to the VPN and also enabled the tls-auth key. All working well. Configured my iPhone as well as my laptop so far.