Posted: Mon Jun 29, 2020 22:39 Post subject: dd-wrt as openvpn-client is NATing = problem [SOLVED]
Hello all,
I'm new here.
I did my best to find a solution within this vast amount of articles, also on the web, and now I'm back needing to ask for assistance, after I have no hair left because I scratched it all off ...
setup:
- 1x Openvpn server (Ubuntu 18.04) 192.168.242.10/24 (ovpn net 10.8.0.0/24 on tun0)
- all iptables chains on openvpn-server are flushed and set to ACCEPT by default.
- 1x DD-WRT v3.0-r40189 std (07/04/19) acting as openvpn-client01 and local network 192.168.190.0/23
- dd-wrt is openvpn-client01 sending 0.0.0.0/0 to the local DSL line, and just 192.168.242.0/24 to the opvpn-server via tun1
- on serverside openvpn-route and openvpn-iroute settings are set.
situation:
- openvpn tunnel is created successfully
- LAN behind openvpn-client01 can reach (ping) the internet 0.0.0.0
- LAN behind openvpn-client01 can reach (ping) the internet 192.168.242.0/24
- openvpn-server LAN cannot ping the LAN behind the openvpn-client01
- I can see that traffic is traveling from openvpn-server to openvpn-client, but the return path is NATed on the dd-wrt.
"iptables -L -v -t nat" shows:
Code:
Chain POSTROUTING (policy ACCEPT 602 packets, 40441 bytes)
pkts bytes target prot opt in out source destination
1313 308K SNAT 0 -- any vlan2 192.168.190.0/23 anywhere to:192.168.2.143
0 0 MASQUERADE 0 -- any any anywhere anywhere mark match 0x80000000/0x80000000
If I send a logger message from openvpn-client01 to the openvpn-server:
Bauernhof-Router01:~# logger hallo
I receive on the server side:
Jun 29 22:31:09 10.8.0.2 root: hallo
problem(s):
- I need to reach the LAN behind the openvpn-client01 and have no clue where to switch off NAT towards the openvpn-server LAN.
- the DD-WRT is 750 km away and I cannot afford a "big mistake", as you can imagine.
question(s):
- is the problem known?
- can this be sorted by iptables command/rule?
- any specific hint where I should change something to solve my challenge?
Joined: 08 May 2018 Posts: 14243 Location: Texas, USA
Posted: Tue Jun 30, 2020 0:13 Post subject:
You may also wish to consider upgrading to the most recent release, 43516. There have been a lot of things fixed in regards to OpenVPN in DD-WRT since 40189.
Joined: 18 Mar 2014 Posts: 12913 Location: Netherlands
Posted: Tue Jun 30, 2020 8:23 Post subject:
I agree with @kernel-panic69, a lot has changed for OpenVPN, so get a recent build.
Recent builds have the CVE-14899 patch; you should disable it to get access to local LAN clients (it is a bit more complicated: as you do not NAT, it should actually work with it enabled).
You do not NAT from the client side, as your iptables show, and as the server has a return route you do not have to either.
Actually everything is explained in the OpenVPN server setup guide (link in my signature at the bottom); there is a paragraph about site-to-site setup, and although written for DDWRT the same applies for another platform (like setting up route/iroute and use of ccd files @eibgrad referred to).
_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399 Install guide R7800/XR500:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614 Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
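The two checks the thread turns on, as an added example (not code from the thread, from DD-WRT or from the OpenVPN guide linked above): first, confirming from the `iptables -L -v -t nat` listing in the opening post which SNAT/MASQUERADE rules can actually touch packets leaving via the tunnel interface (here only the fwmark-gated MASQUERADE, since the SNAT is bound to vlan2); second, generating the server-side `route` plus ccd `iroute` lines egc refers to for the 192.168.190.0/23 LAN behind the client. The sample listing is constructed after the OP's output, and the client CN `openvpn-client01` and the ccd directory `/etc/openvpn/ccd` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Two helpers for the site-to-site case:
#   1. nat_rules_for_iface IFACE  - reads `iptables -L -v -t nat` output on
#      stdin and prints the SNAT/MASQUERADE rules that can rewrite packets
#      leaving via IFACE (out column == IFACE or "any"), to confirm that
#      nothing NATs traffic going into the tunnel interface.
#   2. site_to_site_config CN LAN_CIDR - prints the server.conf and ccd lines
#      (route + iroute) OpenVPN needs to reach LAN_CIDR behind client CN.

# Constructed sample, modelled on the POSTROUTING listing in the first post.
NAT_SAMPLE='Chain POSTROUTING (policy ACCEPT 602 packets, 40441 bytes)
 pkts bytes target prot opt in out source destination
 1313 308K SNAT 0 -- any vlan2 192.168.190.0/23 anywhere to:192.168.2.143
 0 0 MASQUERADE 0 -- any any anywhere anywhere mark match 0x80000000/0x80000000'

# Columns of `iptables -L -v`: pkts bytes target prot opt in out source destination [extra]
nat_rules_for_iface() {
  awk -v ifc="$1" '
    ($3 == "SNAT" || $3 == "MASQUERADE") && ($7 == ifc || $7 == "any") {
      extra = ""
      for (i = 10; i <= NF; i++) extra = extra " " $i
      note = ($0 ~ /mark match/) ? " [only packets carrying that fwmark]" : ""
      printf "%s out=%s src=%s%s%s\n", $3, $7, $8, extra, note
    }'
}

# Number of NAT rules that can touch packets leaving via IFACE, run against the sample.
sample_nat_rule_count() {
  printf '%s\n' "$NAT_SAMPLE" | nat_rules_for_iface "$1" | wc -l | tr -d ' '
}

# cidr_to_mask BITS : prefix length -> dotted netmask (route/iroute take masks, not /NN)
cidr_to_mask() {
  bits=$1; mask=""; i=0
  while [ "$i" -lt 4 ]; do
    if [ "$bits" -ge 8 ]; then octet=255
    elif [ "$bits" -le 0 ]; then octet=0
    else octet=$(( 256 - (1 << (8 - bits)) ))
    fi
    mask="${mask}${mask:+.}${octet}"
    bits=$(( bits - 8 )); i=$(( i + 1 ))
  done
  printf '%s\n' "$mask"
}

# site_to_site_config CN LAN_CIDR : server-side lines for a LAN behind client CN.
# The ccd directory path is an assumption; adjust it to the server's layout.
site_to_site_config() {
  cn=$1; net=${2%/*}; mask=$(cidr_to_mask "${2#*/}")
  printf '# server.conf (kernel route into the tun device + per-client config dir)\n'
  printf 'route %s %s\n' "$net" "$mask"
  printf 'client-config-dir /etc/openvpn/ccd\n'
  printf '# /etc/openvpn/ccd/%s (tells OpenVPN which client owns that subnet)\n' "$cn"
  printf 'iroute %s %s\n' "$net" "$mask"
}

# Usage on the router / server:
#   iptables -L -v -t nat | nat_rules_for_iface tun1
#   site_to_site_config openvpn-client01 192.168.190.0/23
```

Run against the OP's listing, `nat_rules_for_iface tun1` reports only the MASQUERADE rule, and only for packets carrying the 0x80000000 fwmark, which is egc's point: nothing SNATs the 192.168.190.0/23 source into tun1, so no NAT rule needs to be removed on the DD-WRT side. With `route` and `iroute` in place on the server, the remaining thing to verify is that hosts on 192.168.242.0/24 have a route for 192.168.190.0/23 via the OpenVPN server (192.168.242.10) unless that server is already their default gateway; otherwise their replies never reach the tunnel even though the FORWARD chain accepts everything.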
Joined: 08 May 2018 Posts: 14243 Location: Texas, USA
Posted: Tue Jun 30, 2020 12:41 Post subject:
Depending on the router, you may be able to do a remote ssh upgrade via the command line. You would just want to append an & at the end of the command line input so that it will continue if you get disconnected. Do you have someone who has direct access to the router that can do the upgrade? That would be ideal.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT Pogo - A minimal level of ability is expected and needed... DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)
----------------------
Linux User #377467 counter.li.org / linuxcounter.net