Posted: Wed Mar 22, 2023 23:55 Post subject: Newer builds of DD-WRT blocking WebGUI access?
Hello everyone, hope you all are doing well.
I'll first try to give a very brief description of the issue, to see if someone can immediately spot the problem. If you require more information from me to help solve this, I'll definitely provide it later, but I don't want to clutter the post too much too early.
The situation is this:
Site A:
DD-WRT router running build 47528
Ubuntu box hosting OpenVPN server, in TAP configuration
Site B:
DD-WRT router running build 52081
Router is also running OpenVPN Client, connected with TAP Bridge back to Site A
Please excuse the vagueness, everything related to VPN is working and this is not a question related to VPN.
I have noticed that computers from Site B can access Site A Router WebGUI
BUT
Computers from Site A CANNOT access Site B Router WebGUI.
I know that something within DD-WRT has changed since build 47528 to affect WebGUI access from traffic inbound on the tap1 interface (if the router is acting as VPN client), because after immediately noticing the issue, I re-flashed Site B Router from 52081 to 47528 to match Site A and everything is working again.
So my very simple question is this:
Does anyone know what changed in recent months?
Is there a way to make Site B allow WebGUI from traffic inbound on VPN tunnel?
This issue also affects the ability to perform iperf3 tests (only transferring data one way), but for some reason pings still work 100% fine.
If this is a security change, can someone please explain to me the logic behind the change?
I am a newbie but I want to learn more about everything!
The OpenVPN documentation is a sticky in this forum; the OpenVPN *Server* setup guide has a paragraph about TAP setup (also to set up the client side). You might take a look there to see if that gives you any clues.
Thank you for your swift response, egc. This isn't the first time you've answered my posts so I very much appreciate the help.
I was a little worried you might say that, so I'd just like to clarify the situation. Despite the fact that I am very much NOT a professional, calling myself a Newbie when it comes to dd-wrt/openvpn might be selling myself a little short here.
I just wanted to clarify that even though the example I showed only consisted of two sites, the reality is that I am currently managing a mesh of five locations. I spent countless hours researching and tinkering to get OpenVPN to work months ago, and everything is absolutely PERFECT and does exactly what we need it to do. I opted for TAP because we like having printers/scanners and other devices broadcast over the network. It's a mix of work and play, and sometimes my friends and I play older games remotely that don't seem to work between routed subnets no matter how hard we tried.
Anyway, my point is this:
This wasn't REALLY a troubleshooting post. More of a note and hoping to find a solution so other people can search for it on the forum/google.
All I know is that something changed between builds 47528 and 52081 that is now preventing WebGUI access and possibly other services from working properly through the VPN tunnel, even though pings are allowed. I don't think one needs to be an expert at dd-wrt to realize this because there have been new options added to the OpenVPN client on dd-wrt since 47528.
For example: the "Source Routing (PBR)" options.
I just wish to learn more about what is happening under the hood to try and see for myself what changed.
When I am trying to access the router's webgui from the other site's computers, the browser can clearly find the IP, almost like it's loading, but the packets are being dropped by the firewall. I've investigated iptables but can't seem to see anything. Again, on 47528 and older builds, this is no issue. Everything works as intended.
Perhaps there are more verbose troubleshooting commands you can provide?
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Thu Mar 23, 2023 15:18 Post subject:
I just did a quick test with two DDWRT routers, one as OpenVPN server and the other as OpenVPN client, with a TAP (bridged setup), and I had no problem connecting to the GUI from either side.
Ensure you are using http://your.router.ip.here instead of https (unless it is enabled). Modern browsers seem to default to https-only with no http fallback as well. Mixed versions of DD-WRT may also hinder functionality, but to each their own. Also, to be quite clear, reporting an issue without being on the current release is forum fodder most of the time, anyway.