dd-wrt as openvpn-client is NATing = problem [SOLVED]

DD-WRT Forum Index -> Advanced Networking
vongehlens
DD-WRT Novice


Joined: 29 Jun 2020
Posts: 4

Posted: Mon Jun 29, 2020 22:39    Post subject: dd-wrt as openvpn-client is NATing = problem [SOLVED]
Hello all,

I'm new here.
I did my best to find a solution within this vast amount of articles, also on the web, and now I'm back and need to ask for assistance, after I have no hair left because I scratched it all off ...

setup:
- 1x Openvpn server (Ubuntu 18.04) 192.168.242.10/24 (ovpn net 10.8.0.0/24 on tun0)
- all iptables chains on openvpn-server are flushed and set to ACCEPT by default.
- 1x DD-WRT v3.0-r40189 std (07/04/19) acting as openvpn-client01 and local network 192.168.190.0/23
- dd-wrt is openvpn-client01 sending 0.0.0.0/0 to the local DSL line, and just 192.168.242.0/24 to the openvpn-server via tun1
- on serverside openvpn-route and openvpn-iroute settings are set.

situation:
- openvpn tunnel is created successfully
- LAN behind openvpn-client01 can reach (ping) the internet 0.0.0.0
- LAN behind openvpn-client01 can reach (ping) the internet 192.168.242.0/24
- openvpn-server LAN cannot ping the LAN behind the openvpn-client01
- I can see that traffic is traveling from openvpn-server to openvpn-client, but the return path is NATed on the dd-wrt.

"iptables -L -v -t nat" shows:
Code:

Chain POSTROUTING (policy ACCEPT 602 packets, 40441 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1313  308K SNAT       0    --  any    vlan2   192.168.190.0/23     anywhere            to:192.168.2.143
    0     0 MASQUERADE  0    --  any    any     anywhere             anywhere            mark match 0x80000000/0x80000000


If I send a logger message from openvpn-client01 to the openvpn-server:
Bauernhof-Router01:~# logger hallo

I receive on the server side:
Jun 29 22:31:09 10.8.0.2 root: hallo

problem(s):
- I need to reach the LAN behind the openvpn-client01 and have no clue where to switch off NAT towards the openvpn-server LAN.
- the DD-WRT is 750km away and I cannot afford a "big mistake", as you can imagine.

question(s):
- is the problem known?
- can this be sorted out by an iptables command/rule?
- any specific hint where I should change something to solve my challenge?


Your help is very much appreciated!

Kind regards
Stephan
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 6356
Location: Texas, USA

Posted: Tue Jun 30, 2020 0:13
You may also wish to consider upgrading to the most recent release, 43516. There have been a lot of things fixed in regards to OpenVPN in DD-WRT since 40189.

https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2020/06-25-2020-r43516/

Yes, I realize, you do not have direct access to the router, but you need to upgrade, most likely.

_________________
Official Forum Rules, Guidelines, and Helpful Information | Firmware FAQ | Installation Wiki | Where Do I Download Firmware?
RTFM/STFW - TL;DR is NOT an excuse.
Why Should I Care What Color the Bikeshed Is?

---------------------------------------------------------

Linux User #377467 counter.li.org / linuxcounter.net
“Suitcase” v5: 4x (2x Intel® E5645) on Intel® S5500HV
“Suitcase” v1: 4xQuad P6pro-200 SL25A SMP Proliant 7000s
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5761
Location: Netherlands

Posted: Tue Jun 30, 2020 8:23
I agree with @kernel-panic69: a lot has changed for OpenVPN, so get a recent build.

Recent builds have the CVE-14899 patch; you should disable it to get access to local LAN clients (it is a bit more complicated: as you do not NAT, it should actually work with it enabled).

You do not NAT from the client side, as your iptables show, and as the server has a return route you do not have to either.

Actually, everything is explained in the OpenVPN server setup guide (link in my signature at the bottom); there is a paragraph about site-to-site setup. Although written for DD-WRT, the same applies to another platform (like setting up route/iroute and the use of ccd files @eibgrad referred to).

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2: http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard server setup guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
Wireguard client setup guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624
Wireguard Advanced setup guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324787
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
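A quick way to check egc's point against the listing in the first post is to evaluate the POSTROUTING rules for a few concrete flows. The script below is an added example written for this thread, not DD-WRT code or anything egc posted. It parses the `iptables -L -v -t nat` column layout shown above, then asks which NAT target (if any) a flow would hit. It only evaluates the in/out interface, source, destination and the `mark match` option (protocol, ports and other match extensions are ignored); the LAN interface name `br0`, the LAN host address and the flows themselves are constructed assumptions.

```python
"""Evaluate which POSTROUTING NAT rules from an `iptables -L -v -t nat`
listing would match a given flow.

Added example for the thread, not DD-WRT's own code. The two rule lines
in LISTING are copied from the first post; the flows are constructed.
"""
import ipaddress
import re

# POSTROUTING chain as listed in the thread (iptables -L -v -t nat layout).
LISTING = """\
Chain POSTROUTING (policy ACCEPT 602 packets, 40441 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1313  308K SNAT       0    --  any    vlan2   192.168.190.0/23     anywhere            to:192.168.2.143
    0     0 MASQUERADE  0    --  any    any     anywhere             anywhere            mark match 0x80000000/0x80000000
"""

MARK_RE = re.compile(r"mark match (0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)")


def parse_rules(listing):
    """Return a list of rule dicts from the fixed-column `iptables -L -v` output."""
    rules = []
    for line in listing.splitlines():
        parts = line.split()
        # Rule lines start with a numeric packet counter; skip the chain
        # header and the column header.
        if len(parts) < 9 or not parts[0].isdigit():
            continue
        _pkts, _bytes, target, _prot, _opt, iface_in, iface_out, src, dst = parts[:9]
        extra = " ".join(parts[9:])          # target options and match extensions
        m = MARK_RE.search(extra)
        rules.append({
            "target": target,
            "in": iface_in, "out": iface_out,
            "src": src, "dst": dst,
            # (value, mask) of a `mark match value/mask` option, else None
            "mark": (int(m.group(1), 16), int(m.group(2), 16)) if m else None,
            "extra": extra,
        })
    return rules


def _net_matches(spec, addr):
    # "anywhere" is how iptables prints 0.0.0.0/0
    return spec == "anywhere" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _iface_matches(spec, iface):
    return spec == "any" or spec == iface


def matching_targets(rules, src, dst, out_iface, in_iface="br0", mark=0):
    """All targets whose rule matches the flow, in chain order.

    in_iface defaults to "br0" as an assumed LAN bridge name; the rules above
    use "any" for the in interface, so any value matches them.
    """
    hits = []
    for r in rules:
        if not _iface_matches(r["in"], in_iface) or not _iface_matches(r["out"], out_iface):
            continue
        if not _net_matches(r["src"], src) or not _net_matches(r["dst"], dst):
            continue
        if r["mark"] is not None:
            value, mask = r["mark"]
            if (mark & mask) != value:
                continue
        hits.append(r["target"])
    return hits


def nat_decision(rules, src, dst, out_iface, in_iface="br0", mark=0):
    """SNAT and MASQUERADE are terminating targets: the first match decides."""
    hits = matching_targets(rules, src, dst, out_iface, in_iface, mark)
    return hits[0] if hits else "no NAT (policy ACCEPT)"


# Constructed flows: a LAN host behind openvpn-client01, the server LAN host
# from the thread, and the router's own tun1 address.
FLOWS = [
    ("LAN host -> server LAN via tun1", ("192.168.190.50", "192.168.242.10", "tun1", "br0", 0)),
    ("LAN host -> internet via vlan2", ("192.168.190.50", "203.0.113.1", "vlan2", "br0", 0)),
    ("router itself (10.8.0.2) -> server via tun1", ("10.8.0.2", "192.168.242.10", "tun1", "lo", 0)),
    ("LAN host -> server LAN via tun1, mark 0x80000000 set", ("192.168.190.50", "192.168.242.10", "tun1", "br0", 0x80000000)),
]

if __name__ == "__main__":
    rules = parse_rules(LISTING)
    for desc, flow in FLOWS:
        print(f"{desc:55s} -> {nat_decision(rules, *flow)}")
```

Run against the rules from the thread, the only flow leaving tun1 that gets NATed is one carrying the 0x80000000 mark; plain LAN traffic to 192.168.242.0/24 via tun1 matches nothing, and the `10.8.0.2` seen in the server's syslog line is just the router's own tunnel address, since `logger` ran on the router itself rather than on a LAN host.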
vongehlens
DD-WRT Novice


Joined: 29 Jun 2020
Posts: 4

Posted: Tue Jun 30, 2020 11:39
Thank you very much, Gentlemen!
Your inputs are welcome.

@eibgrad: I do have these CCD files and they match the CN, of course. Stuff written inside does find its way to the DD-WRT machine (the client).

@egc & kernel-panic69: I will check your docs again. And I must confess that I seem not to have the balls to upgrade from 750km away...

@all: such "remote upgrades", are they usually OK? Or does it tend to be a volcano dance?

Cheers
Stephan
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 6356
Location: Texas, USA

Posted: Tue Jun 30, 2020 12:41
Depending on the router, you may be able to do a remote ssh upgrade via the command line. You would just want to append an & at the end of the command line input so that it will continue if you get disconnected. Do you have someone who has direct access to the router that can do the upgrade? That would be ideal.
vongehlens
DD-WRT Novice


Joined: 29 Jun 2020
Posts: 4

Posted: Tue Jun 30, 2020 13:37
Hi Kernel-Panic69,

The upgrade did work remotely. Honestly: it was straightforward ... but I had my fingers crossed, I must confess.

Now I'll go through the HowTos once again and check whether I can solve this issue.

Regards
Stephan
vongehlens
DD-WRT Novice


Joined: 29 Jun 2020
Posts: 4

Posted: Tue Jun 30, 2020 13:48
Hi all,

The upgrade simply fixed my issue.
Now the tunnel works in both directions.

Thanks a lot for your superb support and hints!

Cheers
Stephan