Posted: Mon Sep 12, 2022 2:27 Post subject: DD-WRT multi VPN host?
Greetings all.
A long while ago I bodged together a single site-to-site TUN between two DD-WRT routers using OpenVPN GUI. It's been working fairly reliably and with some tickling of DNS (BIND server on this side, DNSmasq on the remote) we've been successful at accessing LAN resources in both directions over the VPN.
However, this was done with fairly old revisions of DD-WRT on both sides and I'm feeling the urge to NOT be running a year-old internet-facing device, so I've started the updating process.
Firstly, I'm hoping for some feedback on my settings or any suggestions to make things better.
Secondly, I'd really like to add a second and third site2site and ideally an additional link for remotely accessing my LAN from a phone/laptop on the road. Hoping for some advice and guidance as to if this is possible and how it might be done!
For the site2sites, there's no need for the sites to interact with each other nor need for anything other than accessing remote LAN resources (commonly SSH, RDP & SMB). All the sites have broadband connections and different subnets.
Router is a Netgear R9000 running DD-WRT v3.0-r50146 std (09/10/22). We're not pushing a ton of traffic so hopefully it's beefy enough. Clients are R8000's and will be migrated to r50146 as this project progresses. Pretty sure they're r47822 or older currently.
Apologies in advance though, I have an ABI that's making these concepts pretty deep going. I'm attempting to crash the v25 open vpn guide into my cerebellum bit by bit.
You are not pushing any routes, is that what you want?
Old build carryover - routes have been defined in the additional options.
Code:
#push a route to the client, which will send traffic destined for the Server's LAN over the VPN.
push "route 192.168.xx.yy 255.255.255.0 vpn_gateway"
#Define a local (serverside) route to remote client
route 192.168.aa.bb 255.255.255.0 vpn_gateway
I note the guide section where this should be deprecated now.
I've also got a statement in my startup script
Code:
echo "iroute 192.168.aa.bb 255.255.255.0" > /tmp/openvpn/ccd/RemoteLAN
No idea quite where I got that from. Guess I'll have to try removing it and see what breaks...
While it's working, my understanding of why it's working and what is redundant or can be changed for the better is insufficient.
I should note that I'm doing split tunnelling here on the site2site. Only traffic destined for servers inside each LAN should be transiting the VPN. Everything else should be using the WAN port.
Conversely, ideally the roadwarrior VPN will carry all traffic.
Is it possible to run two instances of OpenVPN on different ports?
egc wrote:
WireGuard.
Cheers, will see how I go digesting that.
Slow going so far, but the testing router got updated to r50146 + entware installed today and seems to work OK (despite double NAT) through a 4G hotspot.
It's a good idea to print all the router config pages to PDF and just do a hard reset so that any gremlins or old nvram variables are cleared out.
Code:
nvram erase && reboot
AND / OR
Code:
nvram clear && reboot
_________________ "The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost
"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio
It is possible to run multiple instances of OpenVPN server so you can link multiple site-to-site connections. Did you try it out, or what error popped up, so we can help to make it work for you? On my router I can run 6 instances of OpenVPN server and it works very well.
This is how I run multiple instances of OpenVPN server.
You need to prepare a working OpenVPN config file with the extension .conf, running on DD-WRT first, so we know it works before doing this.
Go to the Router/Service/USB tab and enable all of them. Move to NAS and enable Samba so we create a file server. Make sure it is working; we will store all config files on that USB so it will be easy to edit and change as we like. Now create a folder called openvpn and put all config files in that folder.
This is my config; you can use it and add your own certificates.
Code:
server 10.10.90.0 255.255.255.0
mute-replay-warnings
port 700
Please note the first port is 700, the IP range is 10.10.90.0 and the dev is tun2. This is the difference between each config. The second config is the same but only needs a different port, range and dev.
Code:
server 10.10.80.0 255.255.255.0
mute-replay-warnings
port 710
You can create as many config files as you like and store them on the USB. After that we need to create virtual network cards: go to Administration/Commands, copy and paste into the edit box and save as startup.
The first command creates virtual network cards named tun 0 to tun 6.
The next command starts OpenVPN on router reboot.
Code:
cd /tmp
# create one persistent tun device per OpenVPN instance and bring it up
for dev in tun2 tun3 tun4 tun5 tun6; do
    openvpn --mktun --dev $dev
    ifconfig $dev 0.0.0.0 promisc up
done
You need to have the correct remote LAN subnet to make it work. Copy all this into startup so it will create a file called remote lan containing the iroute and ifconfig statements.
engine dynamic will use hardware to speed up OpenVPN, and remap will restart OpenVPN in case it stops.
Code:
engine dynamic
remap-usr1 SIGHUP
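An added example, not code from the thread or from DD-WRT, that ties the multi-instance recipe above to the route/iroute lines from earlier in the thread: one site table drives the per-instance port, tun device and VPN subnet, a check rejects any value that repeats (the usual cause of a second instance refusing to start), and from each row it writes the server config, the matching mktun startup lines and the ccd iroute entry. Site names, ports and subnets are constructed placeholders, and using the site name as the ccd file name assumes it equals the client certificate's CN.

```shell
#!/bin/sh
# Added example, not from the thread. Every value that must differ between
# OpenVPN server instances lives in one table, so collisions are caught before
# any instance starts. Names, ports and subnets are constructed placeholders.

# name   port  dev   vpn_subnet   remote_lan   (all /24 here)
SITES='siteA 700 tun2 10.10.90.0 192.168.10.0
siteB 710 tun3 10.10.80.0 192.168.20.0'

# Succeeds only if column $1 of SITES (2=port, 3=dev, 4=subnet) has no repeats.
check_sites() {
    _dups=$(printf '%s\n' "$SITES" | awk -v c="$1" '{print $c}' | sort | uniq -d)
    [ -z "$_dups" ]
}

# Startup lines equivalent to the thread's per-device block, one pair per row.
gen_mktun() {
    printf '%s\n' "$SITES" |
        awk '{printf "openvpn --mktun --dev %s\nifconfig %s 0.0.0.0 promisc up\n", $3, $3}'
}

# Server config for one row: $1 name $2 port $3 dev $4 vpn_subnet $5 remote_lan $6 outdir.
gen_config() {
    printf 'dev %s\nport %s\nserver %s 255.255.255.0\n' "$3" "$2" "$4"
    printf 'route %s 255.255.255.0\n' "$5"          # kernel route on the server side
    printf 'client-config-dir %s/ccd-%s\n' "$6" "$1"
    printf 'mute-replay-warnings\n'
}

# ccd entry: tells this instance which client owns the remote LAN. The file
# name must equal that client's certificate CN; the site name stands in here.
gen_ccd() { printf 'iroute %s 255.255.255.0\n' "$5"; }

# Validate the table, then write <name>.conf and ccd-<name>/<name> under $1.
write_all() {
    _out="$1"
    for c in 2 3 4; do
        check_sites "$c" || { echo "duplicate value in column $c" >&2; return 1; }
    done
    printf '%s\n' "$SITES" | while read -r name port dev net lan; do
        mkdir -p "$_out/ccd-$name"
        gen_config "$name" "$port" "$dev" "$net" "$lan" "$_out" > "$_out/$name.conf"
        gen_ccd "$name" "$port" "$dev" "$net" "$lan" > "$_out/ccd-$name/$name"
    done
}

# Stand-alone run: generate into a scratch directory and list what was written.
DEMO=$(mktemp -d)
write_all "$DEMO" && ls -R "$DEMO"
```

On the router the generated .conf files would go on the USB folder and the gen_mktun output into the startup commands, as the post describes.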
Still puzzling my way through this. Currently trying to wrap my broken brain around wireguard.
egc, it's probably my stupid brain, but it'd be a lot easier if your instruction lists actually corresponded with the order of fields in the DD-WRT GUI.
i.e., WG server setup guide v44 pg4, CVE-2019-14899 is step 8 when it's field #3 in the GUI. Jumping around is doing my head in and makes it too easy to miss stuff.