Posted: Wed Jul 20, 2022 22:31 Post subject: Routing OpenVPN traffic out the WAN
Hi All:
Ok, (relatively) short question first and history/detail to follow. I've recently set up a router/TUN server on my home DD-WRT router and have a client mini PC I'm using as my remote gateway tunneling in over a tethered cell phone connection. Bit of a pain to get everything set up again (see history) but the connection is there. However, my goal for this round is to route all the remote client traffic from the tunnel out through the WAN connection of my local router, basically making my local router a VPN gateway to the internet. So far I haven't been able to get that to work and I don't know if it's firewall rules, a routing table entry that's needed, or something related to some other unusual changes I've made.
So now to the history for those who care...
For years I had my home router set up as an OpenVPN server and a remote router set up as a client and was able to build a TAP/Bridge connection between the two to make my remote network an extension of my local network. This was originally all before the nice new GUI interface, but once I got it all figured out it worked great. The one major benefit I had with the tunnel was that even when the tethered wireless link would quit serving up internet connections locally, the tunnel would remain and I could access those PCs with Windows Remote Desktop.
Over time I had to replace routers and at one point was using the Netscape OpenVPN implementation before going back to DD-WRT. Eventually Chrome Remote Desktop got to the point that it was a viable solution for connections, and I'd long ago developed a tool that automatically reset the connection when things went kerflooey, so the VPN tunnel wasn't as critical as it once was. By the end I'd started having problems with local devices (especially my IoT stuff) getting their DHCP and DNS through the tunnel. The final straw was when I found my Xbox predicting a week to install a new game because it was trying to download updates through the tunnel and back up through a 3G speed cell phone link!
So back to the present, I'm convinced that the cellular provider is limiting the number of simultaneous connections I'm allowed to have, so I'm wanting to tunnel all that traffic through a single connection to get past that issue. I tried a public paid VPN service but it couldn't get to the most basic sites like Amazon properly, and I didn't want to waste my time and money debugging on their system! So at least temporarily I want to go back to using DD-WRT but in routed mode, since now I've made the remote network a mirror of my local network and can't share IP address ranges without a lot of trouble.
And one other tidbit that might be part of the problem here. I long ago turned off DD-WRT's DHCP server because I was running out of addresses, and am now using a mini PC with DualServer to give me DHCP and DNS independent of DD-WRT. Not sure if that's part of the problem, and also not positive that I have DNS completely disabled on the router (it's not clear how that's linked to the DHCP enable/disable).
At any rate, any suggestions are greatly appreciated. I did find the DNS leak and PBR documents that look like they might have some stuff that would help, but figured I'd post this anyway in case they don't!
Normally, if you've configured the OpenVPN server to push itself as the default gateway to the OpenVPN client, it just works.
What's the possible fly in the ointment here is DNS. If you're also pushing your local DNS to those same clients, it might be DNS that's failing. IOW, a ping to 8.8.8.8 might work, but NOT google.com. And that might be because your DNS server has a same-origin policy that limits access to only those devices on its own private IP network. So when it sees the private IP of the OpenVPN server's tunnel (e.g., 10.8.0.0/24), it refuses to respond.
If that's the case, you need to review the DNS server's config file to determine how to allow the tunnel's IP network.
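As an added illustration of the reply's point (not config from either poster), here is a minimal OpenVPN server fragment for routed TUN mode that pushes the server as the client's default gateway and hands out the LAN DNS server. The 10.8.0.0/24 tunnel subnet is the one the reply mentions; the LAN DNS address 192.168.1.10 and the DD-WRT firewall lines are assumptions.

```conf
# OpenVPN server in routed (TUN) mode. The tunnel subnet is the 10.8.0.0/24 from the reply.
dev tun
server 10.8.0.0 255.255.255.0

# Make the server the client's default gateway. "def1" installs 0.0.0.0/1 and 128.0.0.0/1
# routes instead of replacing the client's default route, so the route to the tunnel
# endpoint itself keeps working. "bypass-dhcp" adds a direct route to the client's local
# DHCP server so lease renewals stay off the tunnel.
push "redirect-gateway def1 bypass-dhcp"

# Hand clients the LAN DNS server (assumed address; the DualServer box in the OP).
# Windows clients apply this natively; Linux clients need an up script to use it.
# That DNS server must accept queries from 10.8.0.0/24, not only from its own LAN
# subnet, or pinging 8.8.8.8 will work while google.com fails, as the reply describes.
push "dhcp-option DNS 192.168.1.10"

# Assumed DD-WRT firewall rules, entered in the router's firewall script (not in this
# file), so tunnel traffic is forwarded and NATed out the WAN interface:
#   iptables -I FORWARD -i tun0 -j ACCEPT
#   iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $(nvram get wan_iface) -j MASQUERADE
```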