OpenVPN clients not able to reach LAN devices

RoomClearInnTemper
DD-WRT Novice


Joined: 10 Jul 2019
Posts: 22

PostPosted: Wed Jul 10, 2019 18:52    Post subject: OpenVPN clients not able to reach LAN devices
Hey everyone, thanks for the amazing help you all provide... really have learned a lot from you all. I'm not great at networking though, so bear with me.

I'm having an issue with not being able to reach my LAN devices while tunneled into the OpenVPN server running on my router.

SETUP
Router: DD-WRT v3.0-r40065 std (06/20/19) on a Netgear R6700

DD-WRT OpenVPN client to a paid VPN service for privacy (tun1, 10.14.0.x) - working
DD-WRT OpenVPN server for remoting into my network from outside (tun2, 10.1.1.x). For reaching it via a static WAN hostname, I use dynamic DNS set to use my WAN IP provided by my ISP, NOT my paid-for VPN exit point IP (via DDNS/Use External IP Check: False) - working with this issue
LAN DHCP server: Pi-Hole (br0, 192.168.54.100-150) (set via DD-WRT Basic Setup/DHCP Forwarder with Pi-Hole LAN IP). Some LAN clients also have static LAN IPs/hostnames - working
LAN DNS server: Pi-Hole with upstream DNS server set to paid-for VPN's DNS server (set via DD-WRT Basic Setup/Local DNS Server = Pi-Hole LAN IP) - working


ISSUE
I can connect to my OpenVPN server from the outside world, but once I'm on it I think my issue is I can't route from my tun2 network (VPN server) into my br0 network (LAN). I can't ping anything on my 192.168.54.x subnet. I added the firewall rules below and assumed that would work (but I'm not good with iptables). If it matters, I also set up PBR in my OpenVPN client settings so all my LAN clients excluding my router route out using the OpenVPN client. However I heard there is a PBR bug so I added this startup script to run, and I verified routing table 10 has all the default routes in it now. But still, I can't reach any local clients so I'm not routing.

Is there maybe something wrong with my firewall?

Also, side questions if anyone happens to know...
1. Once I'm VPN-ed into my local network from outside, how can I make it so I appear as though I am on the LAN? I'm asking for purposes of streaming TV from Xfinity, which requires me to be on my home network, which I'm assuming requires me to route through the nearest Comcast router? Or maybe use Comcast's DNS server?
2. When on the LAN WiFi (which is all tunneled out to my paid-for VPN server), I can't use the OpenVPN client on my phone to connect to my paid-for VPN and have to manually disable it. Basically I can't VPN client my phone on top of my router VPN client, which I used to be able to do but now can't. Just a minor annoyance having to switch on/off the VPN from the OpenVPN app whenever I leave/enter my house.

Thanks in advance.

FIREWALL
Code:
# OPENVPN SERVER: Accepts incoming traffic via port 553 UDP for OpenVPN clients to connect to DD-WRT server
iptables -I INPUT 1 -p udp --dport 553 -j ACCEPT

# OPENVPN SERVER: Allows the VPN client access to router internal
# processes, e.g. Web admin, SSH etc
iptables -I INPUT 3 -i tun2 -j ACCEPT

# OPENVPN SERVER: Allows connections between VPN clients, if
# client-to-client is enabled in OpenVPN server
iptables -I FORWARD 3 -i tun2 -o tun2 -j ACCEPT

# OPENVPN SERVER: Allows connection from local VPN to the internet
iptables -I FORWARD 1 --source 10.1.1.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE

# OPENVPN SERVER: Allows connections from local network to VPN network
# and other way around (br0 is LAN and WIFI)
iptables -I FORWARD -i br0 -o tun2 -j ACCEPT
iptables -I FORWARD -i tun2 -o br0 -j ACCEPT

# OPENVPN CLIENT: VPN client killswitch - only allow traffic from VPN subnet (10.), not local (192.)
iptables -I FORWARD ! -o tun1 -m iprange --src-range 192.168.54.11-192.168.54.150 -j DROP

# Close ports 21, 1720 - were showing as open from WAN-side nmap scan
iptables -I FORWARD -p tcp --dport 21 -j DROP
iptables -I FORWARD -p tcp --dport 1720 -j DROP
iptables -I INPUT -p tcp --dport 21 -j DROP
iptables -I INPUT -p tcp --dport 1720 -j DROP


CLIENT CONNECTION LOG ON DD-WRT
Code:
<MyClientRemoteIP>:1194 TLS: Initial packet from [AF_INET]<MyClientRemoteIP>:1194 sid=02e0ddb2 d5239011
<MyClientRemoteIP>:1194 VERIFY OK: depth=1 <MyCAInfo>
<MyClientRemoteIP>:1194 VERIFY OK: depth=0 <MyClientInfo>
I <MyClientRemoteIP>:1194 peer info: IV_VER=2.4.6
I <MyClientRemoteIP>:1194 peer info: IV_PLAT=win
I <MyClientRemoteIP>:1194 peer info: IV_PROTO=2
I <MyClientRemoteIP>:1194 peer info: IV_NCP=2
I <MyClientRemoteIP>:1194 peer info: IV_LZ4=1
I <MyClientRemoteIP>:1194 peer info: IV_LZ4v2=1
I <MyClientRemoteIP>:1194 peer info: IV_LZO=1
I <MyClientRemoteIP>:1194 peer info: IV_COMP_STUB=1
I <MyClientRemoteIP>:1194 peer info: IV_COMP_STUBv2=1
I <MyClientRemoteIP>:1194 peer info: IV_TCPNL=1
I <MyClientRemoteIP>:1194 peer info: IV_GUI_VER=OpenVPN_GUI_11
W <MyClientRemoteIP>:1194 WARNING: 'tun-mtu' is used inconsistently local='tun-mtu 1500' remote='tun-mtu 1448'
<MyClientRemoteIP>:1194 Control Channel: TLSv1.2 cipher SSLv3 DHE-RSA-AES256-SHA 2048 bit RSA
I <MyClientRemoteIP>:1194 [<MyClientName>] Peer Connection Initiated with [AF_INET]<MyClientRemoteIP>:1194
I <MyClientName>/<MyClientRemoteIP>:1194 MULTI_sva: pool returned IPv4=10.1.1.2 IPv6=(Not enabled)
<MyClientName>/<MyClientRemoteIP>:1194 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_24c970042e51664f.tmp
<MyClientName>/<MyClientRemoteIP>:1194 MULTI: Learn: 10.1.1.2 -> <MyClientName>/<MyClientRemoteIP>:1194
<MyClientName>/<MyClientRemoteIP>:1194 MULTI: primary virtual IP for <MyClientName>/<MyClientRemoteIP>:1194: 10.1.1.2
<MyClientName>/<MyClientRemoteIP>:1194 PUSH: Received control message: 'PUSH_REQUEST'
<MyClientName>/<MyClientRemoteIP>:1194 SENT CONTROL [<MyClientName>]: 'PUSH_REPLY route-gateway 10.1.1.1 topology subnet ping 10 ping-restart 120 ifconfig 10.1.1.2 255.255.255.0 peer-id 0 cipher AES-256-GCM' (status=1)
<MyClientName>/<MyClientRemoteIP>:1194 Data Channel: using negotiated cipher 'AES-256-GCM'
<MyClientName>/<MyClientRemoteIP>:1194 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
<MyClientName>/<MyClientRemoteIP>:1194 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
<MyClientName>/<MyClientRemoteIP>:1194 NOTE: --mute triggered...
<MyClientName>/<MyClientRemoteIP>:1194 3 variation(s) on previous 3 message(s) suppressed by --mute
I <MyClientName>/<MyClientRemoteIP>:1194 peer info: IV_VER=2.4.6
I <MyClientName>/<MyClientRemoteIP>:1194 peer info: IV_PLAT=win
I <MyClientName>/<MyClientRemoteIP>:1194 peer info: IV_PROTO=2
I <MyClientName>/<MyClientRemoteIP>:1194 peer info: IV_NCP=2
I <MyClientName>/<MyClientRemoteIP>:1194 peer info: IV_LZ4=1
I <MyClientName>/<MyClientRemoteIP>:1194 peer info: IV_LZ4v2=1
I <MyClientName>/<MyClientRemoteIP>:1194 peer info: IV_LZO=1
I <MyClientName>/<MyClientRemoteIP>:1194 peer info: IV_COMP_STUB=1
I <MyClientName>/<MyClientRemoteIP>:1194 peer info: IV_COMP_STUBv2=1
I <MyClientName>/<MyClientRemoteIP>:1194 peer info: IV_TCPNL=1
I <MyClientName>/<MyClientRemoteIP>:1194 peer info: IV_GUI_VER=OpenVPN_GUI_11
W <MyClientName>/<MyClientRemoteIP>:1194 WARNING: 'tun-mtu' is used inconsistently local='tun-mtu 1500' remote='tun-mtu 1448'
<MyClientName>/<MyClientRemoteIP>:1194 TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1
<MyClientName>/<MyClientRemoteIP>:1194 TLS: tls_multi_process: untrusted session promoted to semi-trusted
<MyClientName>/<MyClientRemoteIP>:1194 Control Channel: TLSv1.2 cipher SSLv3 DHE-RSA-AES256-SHA 2048 bit RSA
<MyClientName>/<MyClientRemoteIP>:1194 PUSH: Received control message: 'PUSH_REQUEST'
<MyClientName>/<MyClientRemoteIP>:1194 PUSH: Received control message: 'PUSH_REQUEST'
<MyClientName>/<MyClientRemoteIP>:1194 PUSH: Received control message: 'PUSH_REQUEST'


CLIENT CONNECTION LOG ON CLIENT PC
Code:
OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Windows version 6.2 (Windows 8 or greater) 64bit
library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Enter Management Password:
WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1448)
RESOLVE: Cannot resolve host address: <MyDDNSHostname>:1194 (No such host is known. )
UDP link local (bound): [AF_INET][undef]:1194
UDP link remote: [AF_INET]<MyRouterIP>:1194
WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1448', remote='tun-mtu 1500'
[<MyOpenVPNServerName>] Peer Connection Initiated with [AF_INET]<MyRouterIP>:1194
OPTIONS IMPORT: WARNING: peer-id set, but link-mtu fixed by config - reducing tun-mtu to 1445, expect MTU problems
open_tun
TAP-WIN32 device [<MyTAP_NIC>] opened: \\.\Global\{727EEB94-CF44-4EE2-BC32-E99F8C214321}.tap
Set TAP-Windows TUN subnet mode network/local/netmask = 10.1.1.0/10.1.1.2/255.255.255.0 [SUCCEEDED]
Notified TAP-Windows driver to set a DHCP IP/netmask of 10.1.1.2/255.255.255.0 on interface {727EEB94-CF44-4EE2-BC32-E99F8C214321} [DHCP-serv: 10.1.1.254, lease-time: 31536000]
Successful ARP Flush on interface [14] {727EEB94-CF44-4EE2-BC32-E99F8C214321}
do_ifconfig, tt->did_ifconfig_ipv6_setup=0
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Initialization Sequence Completed
RoomClearInnTemper
DD-WRT Novice


Joined: 10 Jul 2019
Posts: 22

PostPosted: Wed Jul 10, 2019 19:37
Well I'm dumb... all I had to do was add this to my additional config -_-

Code:
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.54.95"


However, now my location still appears to be where I am, not my house. My DNS is the ISP of where I am located right now, not my LAN DNS server's upstream server. How do I make it appear like I am in my house?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Wed Jul 10, 2019 19:39
I see a lot of room for improvement in your setup.

In my signature is an OVPN server setup guide, have a look.
There is also a chapter about running a client and server on the same router.

That said you are almost there, so good job

Make sure you disable SFE.

Did you set redirect default gateway?

I think your main problem now is the kill switch, disable it and see if it is working, if this is the problem I will send you one which is working.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
RoomClearInnTemper
DD-WRT Novice


Joined: 10 Jul 2019
Posts: 22

PostPosted: Wed Jul 10, 2019 20:31
Any suggestions would be appreciated! I kind of hacked this together with my limited knowledge.

I'll take a look at the guide.

SFE is disabled, and yes, I have push "redirect-gateway def1" in my additional server config. How do I know all traffic is going out my VPN? When I look up my location online, it still shows my current location, not my house location. And my default gateway in ipconfig /all is blank, not 10.1.1.1 :/

Also it appears that even though my DNS server is now my LAN DNS server, and the Wireshark DNS packets support this, I don't see any traffic from my client (10.1.1.2) in my DNS server's logs.

The killswitch is actually for clients on tun1 (going out to my VPN service via the DD-WRT OpenVPN client) so I think I am good there?
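The two client-side questions in this post (why the LAN was unreachable before the "push route" line, and why "redirect-gateway def1" leaves the TAP adapter's default gateway blank while still carrying all traffic) both come down to what the pushed options do to the client's routing table. The following is an added example, not code from the thread or from DD-WRT or OpenVPN: it parses the push lines posted later in this thread (route 192.168.54.0, dhcp-option DNS, redirect-gateway def1), builds the resulting client routing table, and resolves destinations by longest-prefix match. The remote gateway 172.16.5.1 and the server's WAN address 203.0.113.10 are constructed values; the route gateway 10.1.1.1 is the one the posted server log pushes.

```python
import ipaddress
import re

# Constructed addresses for the walk-through (not from the thread): the
# laptop sits on a remote LAN whose gateway is 172.16.5.1, the router's WAN
# address (what the DDNS name resolves to) is 203.0.113.10, and the OpenVPN
# server pushes 'route-gateway 10.1.1.1' as in the posted server log.
REMOTE_GW = "172.16.5.1"
VPN_GW = "10.1.1.1"
VPN_SERVER = "203.0.113.10"

# The 'Server Additional Config' lines posted later in the thread.
PUSHED = [
    'push "route 192.168.54.0 255.255.255.0"',
    'push "dhcp-option DNS 192.168.54.95"',
    'push "redirect-gateway def1"',
]


def parse_push_options(push_lines):
    """Extract the routes (as networks) and the redirect-gateway def1 flag
    from OpenVPN 'push "..."' lines; other options (e.g. dhcp-option) are ignored."""
    routes, def1 = [], False
    for line in push_lines:
        m = re.match(r'push\s+"(.+)"', line.strip())
        if not m:
            continue
        words = m.group(1).split()
        if words[0] == "route":
            # 'route <network> [netmask]'; OpenVPN defaults the netmask to /32
            mask = words[2] if len(words) > 2 else "255.255.255.255"
            routes.append(ipaddress.ip_network(f"{words[1]}/{mask}"))
        elif words[0] == "redirect-gateway" and "def1" in words[1:]:
            def1 = True
    return routes, def1


def build_client_routes(push_lines, local_gw=REMOTE_GW, vpn_gw=VPN_GW,
                        vpn_server=VPN_SERVER):
    """Model the client's routing table after the push reply is applied.
    The original 0.0.0.0/0 default stays; 'def1' adds 0.0.0.0/1 and 128.0.0.0/1
    via the tunnel (more specific, so they win) plus a /32 host route so the
    encrypted UDP to the server itself still leaves via the real gateway."""
    routes, def1 = parse_push_options(push_lines)
    table = [(ipaddress.ip_network("0.0.0.0/0"), local_gw)]
    if def1:
        table += [
            (ipaddress.ip_network("0.0.0.0/1"), vpn_gw),
            (ipaddress.ip_network("128.0.0.0/1"), vpn_gw),
            (ipaddress.ip_network(f"{vpn_server}/32"), local_gw),
        ]
    table += [(net, vpn_gw) for net in routes]
    return table


def next_hop(table, dst):
    """Longest-prefix match: the most specific route that contains dst wins."""
    addr = ipaddress.ip_address(dst)
    matching = [entry for entry in table if addr in entry[0]]
    return max(matching, key=lambda entry: entry[0].prefixlen)[1]


if __name__ == "__main__":
    full = build_client_routes(PUSHED)
    for dst in ("192.168.54.95", "8.8.8.8", VPN_SERVER):
        print(f"{dst:>15} -> {next_hop(full, dst)}")
    # Before the 'push route' line was added nothing pointed the LAN at the tunnel:
    print("no push:", next_hop(build_client_routes([]), "192.168.54.95"))
```

With no pushed route, 192.168.54.95 resolves to the remote gateway, so the LAN traffic never enters the tunnel; with the route pushed it goes to 10.1.1.1. With def1 the client keeps its original 0.0.0.0/0 entry and gains two /1 entries via the tunnel, which is consistent with ipconfig showing no default gateway on the TAP adapter even though everything except the packets to 203.0.113.10 now leaves through it. A traceroute to a public address, as egc suggests later in the thread, is the practical check that the first hop is 10.1.1.1.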
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

PostPosted: Wed Jul 10, 2019 20:54
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE

You should specify an output interface. Otherwise it will NAT everything including traffic to your LAN.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Wed Jul 10, 2019 20:55
You stated that you could not reach clients on your LAN from the VPN server.
That could be due to the kill switch. Because your LAN clients can only communicate via the VPN client due to the kill switch.

DNS is also discussed in the guide although you have an unusual setup.

Is the Pi-hole on the same subnet as the router? If so do not use DHCP forwarder but just disable DHCP on the router.

RoomClearInnTemper
DD-WRT Novice


Joined: 10 Jul 2019
Posts: 22

PostPosted: Wed Jul 10, 2019 21:04
Good point. I actually fixed it with the "push route" line, so the problem is solved!

Also I can watch TV appearing to be on my network, so that's solved too!

My Pi-Hole DNS server is on the same subnet as the router (192.168.54.95), so I'll try to disable DHCP. I couldn't find a disable button anywhere so I just did forwarding and it seems to work.


I just need to figure out how to VPN client on my phone while connected to the router and I'll be good to go. I'll dig into that now.

Another question for anyone out there... would it be possible to take my traffic from the client (my laptop via the DD-WRT server) and route it through to my private paid-for VPN (via the DD-WRT client)? So essentially routing tun2 to tun1?
RoomClearInnTemper
DD-WRT Novice


Joined: 10 Jul 2019
Posts: 22

PostPosted: Wed Jul 10, 2019 21:08
Also, still not sure how I know all traffic is going through the VPN. I still see some Wireshark activity on my wireless card even with the "redirect-gateway def1" line in both the client and server.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Wed Jul 10, 2019 21:12
There is a disable radio button right under DHCP settings.

Routing out clients connected via the OVPN server via the VPN client is also discussed in the guide.

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Wed Jul 10, 2019 21:17
I trust you do all testing from outside your network, i.e. using cellular or from a friend's wifi; if doing the latter, make sure the networks are all different.

To check traffic I run tracert/traceroute

RoomClearInnTemper
DD-WRT Novice


Joined: 10 Jul 2019
Posts: 22

PostPosted: Tue Jul 16, 2019 17:41
Thanks, I got the traffic tunneled through my client now with PBR and I am at 99% as far as getting it working.

My final issue: I am not able to tunnel all traffic on my laptop through this VPN server. It appears to be in split tunnel mode and I need a full tunnel.

For instance I am seeing duplicate DNS requests. One goes out my laptop's TAP adapter and one goes out my wireless card. The response my laptop uses is the one on my TAP as I expect, but it still sends out the same request out two interfaces. I am also seeing some TCP frames to some Amazon AWS server somewhere and some HTTP and TCP frames to my work router. All these packets are not OpenVPN packets.

I have followed the steps here https://openvpn.net/community-resources/how-to/#redirect and also in your guide.

Server Additional Config + also in Client Config
Code:
push "route 192.168.54.0 255.255.255.0"
push "dhcp-option DNS 192.168.54.95"
push "redirect-gateway def1"


Firewall
I tried adding
Code:
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o br0 -j MASQUERADE

to my firewall but then I can no longer ping the 192.168.54 network or access the internet when this rule is in place, so I have to remove this rule. Here is my full firewall

Code:
# OPENVPN SERVER: Accepts incoming traffic via port 553 UDP for OpenVPN clients to connect to DD-WRT server
iptables -I INPUT 1 -p udp --dport 553 -j ACCEPT

# OPENVPN SERVER: Allows the VPN client access to router internal
# processes, e.g. Web admin, SSH etc
iptables -I INPUT 3 -i tun2 -j ACCEPT

# OPENVPN SERVER: Allows connections between VPN clients, if
# client-to-client is enabled in OpenVPN server
iptables -I FORWARD 3 -i tun2 -o tun2 -j ACCEPT

# OPENVPN SERVER: Allows connection from local VPN to the internet
iptables -I FORWARD 1 --source 10.1.1.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE
# Force all traffic coming to VPN server to NAT out to the Internet from https://openvpn.net/community-resources/how-to/#redirect - does not work
#iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o br0 -j MASQUERADE

# OPENVPN SERVER: Allows connections from local network to VPN network
# and other way around (br0 is LAN and WIFI)
iptables -I FORWARD -i br0 -o tun2 -j ACCEPT
iptables -I FORWARD -i tun2 -o br0 -j ACCEPT

# OPENVPN CLIENT: VPN client killswitch - only allow traffic from VPN subnet (10.), not local (192.)
iptables -I FORWARD ! -o tun1 -m iprange --src-range 192.168.54.11-192.168.54.150 -j DROP

# Close ports 21, 1720 - were showing as open from WAN-side nmap scan
iptables -I FORWARD -p tcp --dport 21 -j DROP
iptables -I FORWARD -p tcp --dport 1720 -j DROP
iptables -I INPUT -p tcp --dport 21 -j DROP
iptables -I INPUT -p tcp --dport 1720 -j DROP
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

PostPosted: Tue Jul 16, 2019 18:11
Replace these two rules:

iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o br0 -j MASQUERADE

with:

iptables -t nat -I POSTROUTING -o tun1 -j MASQUERADE
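Two points made in the replies are easy to see with a small model of the posted firewall rather than on a live router: egc's remark that the kill switch can block LAN hosts from answering the VPN server's clients, and Per Yngve Berg's point that a MASQUERADE rule with no output interface also rewrites the source of LAN-bound traffic (which would explain why the Pi-hole logs never showed 10.1.1.2). The following is an added example, not code from the thread or from DD-WRT: it replays the posted FORWARD and POSTROUTING rules into in-memory chains, honouring the fact that `-I` inserts at the top (so rules end up in reverse script order), then evaluates a few constructed packets. The router addresses 192.168.54.1 on br0 and 10.14.0.6 on tun1 are assumptions; DD-WRT's own built-in rules are not modelled, and the chain policy is taken as ACCEPT.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Pkt:
    """A packet as the FORWARD chain sees it (protocol defaults to icmp)."""
    src: str
    dst: str
    iif: str
    oif: str
    proto: str = "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    """The subset of iptables matches used by the posted rules."""
    target: str
    iif: Optional[str] = None           # -i
    oif: Optional[str] = None           # -o
    not_oif: Optional[str] = None       # ! -o
    src_net: Optional[str] = None       # -s / --source a.b.c.d/n
    src_range: Optional[tuple] = None   # -m iprange --src-range lo-hi
    proto: Optional[str] = None         # -p
    dport: Optional[int] = None         # --dport

    def matches(self, p: Pkt) -> bool:
        a = ipaddress.ip_address(p.src)
        if self.iif and p.iif != self.iif:
            return False
        if self.oif and p.oif != self.oif:
            return False
        if self.not_oif and p.oif == self.not_oif:
            return False
        if self.src_net and a not in ipaddress.ip_network(self.src_net):
            return False
        if self.src_range:
            lo, hi = (ipaddress.ip_address(x) for x in self.src_range)
            if not lo <= a <= hi:
                return False
        if self.proto and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


def insert(chain, rule, pos=1):
    """'iptables -I CHAIN [pos]': position 1 is the top. A position past the
    end is clamped here for simplicity (real iptables rejects it)."""
    chain.insert(min(pos - 1, len(chain)), rule)


def append(chain, rule):
    """'iptables -A CHAIN': goes to the bottom."""
    chain.append(rule)


def verdict(chain, p, policy="ACCEPT"):
    """First matching rule wins; otherwise the chain policy applies."""
    return next((r.target for r in chain if r.matches(p)), policy)


def build_forward_chain():
    """The FORWARD rules from the posted firewall, in script order."""
    c = []
    insert(c, Rule("ACCEPT", iif="tun2", oif="tun2"), 3)
    insert(c, Rule("ACCEPT", src_net="10.1.1.0/24"), 1)
    insert(c, Rule("ACCEPT", iif="br0", oif="tun2"))
    insert(c, Rule("ACCEPT", iif="tun2", oif="br0"))
    # kill switch: ends up ABOVE the two tun2<->br0 ACCEPTs because of -I
    insert(c, Rule("DROP", not_oif="tun1", src_range=("192.168.54.11", "192.168.54.150")))
    insert(c, Rule("DROP", proto="tcp", dport=21))
    insert(c, Rule("DROP", proto="tcp", dport=1720))
    return c


# Assumed router addresses (not given in the thread).
IFACE_ADDR = {"br0": "192.168.54.1", "tun1": "10.14.0.6"}


def masquerade_source(chain, p):
    """Source address after POSTROUTING: MASQUERADE swaps it for the address
    of the outgoing interface, anything else leaves it untouched."""
    return IFACE_ADDR[p.oif] if verdict(chain, p, policy="none") == "MASQUERADE" else p.src


def original_nat_chain():
    c = []
    append(c, Rule("MASQUERADE", src_net="10.1.1.0/24"))  # no -o: NATs LAN-bound traffic too
    return c


def fixed_nat_chain():
    c = []
    insert(c, Rule("MASQUERADE", oif="tun1"))  # the replacement suggested above
    return c
```

With the posted rules, a ping from 10.1.1.2 to 192.168.54.95 is accepted on the way in (tun2 to br0), but the reply from 192.168.54.95 heading back out tun2 hits the kill switch first, since tun2 is not tun1 and the source is inside the protected range. On the NAT side the original rule turns that same ping's source into 192.168.54.1 before it reaches the Pi-hole, whereas the `-o tun1` version leaves LAN-bound packets alone and only masquerades what leaves via the VPN client tunnel.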
RoomClearInnTemper
DD-WRT Novice


Joined: 10 Jul 2019
Posts: 22

PostPosted: Tue Jul 16, 2019 18:50
Thanks @Per Yngve Berg. What does that line exactly do?

I commented out those two lines and added yours and I'm able to reach my LAN and WAN, just like if I am using

iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE

However I still see identical DNS packets out both my laptop's wireless adapter and TAP adapter...
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

PostPosted: Tue Jul 16, 2019 21:18
The AP is probably one of the DNS servers set.
Morphlingg
DD-WRT Novice


Joined: 17 Jul 2019
Posts: 4

PostPosted: Wed Jul 17, 2019 17:38
RoomClearInnTemper wrote:
Well I'm dumb... all I had to do was add this to my additional config -_-

Code:
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.54.95"


However, now my location still appears to be where I am, not my house. My DNS is the ISP of where I am located right now, not my LAN DNS server's upstream server. How do I make it appear like I am in my house?

How did you find this config?