[vongehlens]

Hello all,

i´m new here.
i did do my best to find a solution within this vast amount of articles, also on the web and now i´m back need to ask for assistance after i have no hair left because i scratched them all off ...

setup:
- 1x Openvpn server (Ubuntu 18.04) 192.168.242.10/24 (ovpn net 10.8.0.0/24 on tun0)
- all iptables chains on openvpn-server are flushed and set to ACCEPT by default.
- 1x DD-WRT v3.0-r40189 std (07/04/19) acting as openvpn-client01 and local network 192.168.190.0/23
- dd-wrt is openvpn-client01 sending 0.0.0.0/0 to the local DSL line, and just 192.168.242.0/24 to the opvpn-server via tun1
- on serverside openvpn-route and openvpn-iroute settings are set.

situation:
- openvpn tunnel is created sucessfully
- LAN behind openvpn-client01 can reach (ping) the internet 0.0.0.0
- LAN behind openvpn-client01 can reach (ping) the internet 192.168.242.0/24
- openvpn-server LAN cannot ping the LAN behind the openvpn-client01
- i can see that traffic is traveling from openvpn-server to openvpn-client but return path is NATed on the dd-wrt.

"iptables -L -v -t nat" shows:

[kernel-panic69]

You may also wish to consider upgrading to the most recent release, 43516. There have been a lot of things fixed in regards to OpenVPN in DD-WRT since 40189.

https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2020/06-25-2020-r43516/

Yes, I realize, you do not have direct access to the router, but you need to upgrade, most likely.

[egc]

I agree with @kernel-panic69 a lot has changed for OpenVPN so get a recent build.

Recent builds have the CVE-14899 patch you should disable it to get access to local LAN clients (it is a bit more complicated as you do not NAT it should actually work with it enabled)

You do not NAT from the client side as your iptables show, and as the server has a return route you do not have to either.

Actually everything is explained in the OpenVPN server setup guide (link in my signature at the bottom) there is a paragraph about site-to-site setup although written for DDWRT the same applies for another platform (like setting up route/iroute and use of ccd files @eibgrad referred to)

[vongehlens]

Thank you very much Gentlemen!
your inputs are welcome.

@eibgrad: i do have this CCD files and they match the CN of course. stuff written inside does find it´s way to the DD-wrt machine (the client).

@egc & kernel-panic69: i will check again your doc´s . and i must confess that i seem not to have the balls to upgrade from 750km away...

@all: such "remote upgrades" are they usually OK? - or does it tend to be a volcano dance ?

cheers
Stephan

[kernel-panic69]

Depending on the router, you may be able to do remote ssh upgrade via command line. You would just want to use and appending & at the end of the command line input so that it will continue if you get disconnected. Do you have someone who has direct access to the router that can do the upgrade? That would be ideal.

[vongehlens]

Hi Kernel-Panic69,

upgrade did work remotely. - honestly: it was straight forward. ... but i´d my fingers crossed i must confess.

now i´ll go through the HowTos once again and check if i will solve this issue.

rgds
Stephan

[vongehlens]

Hi all,

the upgrade simply fixed my issue.
now the tunnel works in both directions.

thanks a lot for your superb support and hints!

cheers
Stephan