Hey all, I'm new to the forum but by no means new to DD-WRT. I have been trying to set up a bridged VPN connection between my home router (Buffalo) and my laptop on a campus network. It hasn't worked at all even though I THINK that I did the setup right. The kicker is that the OpenVPN GUI gives me a green icon and "connects" to the router. Yet when I try to ping my router, or any computer on my home network, I get nothing, and also when I check my IP, I get the campus network's IP. Also, I get no gateway at all on the VPN connection. Does anyone have any idea why this is the case? I am truly stumped; even though I have tried to look for similar setups, nothing helps.
The paragraph above was my first post, where I followed as many tutorials as I could and tried to use as much as what pertained to my setup from other setups but I had those problems. The following 2 posts were also things I tried once I found them. In the end, only a few lines were missing and I had a few lines that shouldn't have been there. I will provide the before and after server config files so that I can tell what I did wrong.
My router's local IP: 192.168.11.x
The network's subnet: 255.255.255.0
The range of IPs to be assigned to clients (last digits can be changed so more clients can connect, just as long as it stays within the router's local IP range): 192.168.11.58 to 192.168.11.59
Start Type: WAN up
Public Server Cert -filled-
Certificate Revoke List -empty-
Public Client Cert -filled-
Private Client Key -filled-
DH PEM -filled-
TLS Auth -empty-
VPN Config BEFORE:
dev tap0 #tap for bridging rather than tun
proto udp #up to here, all is standard for bridging
server-bridge 192.168.21.40 255.255.255.0 192.168.21.41 192.168.21.49 #This IP range didn't work for my purpose
keepalive 10 120 #from this comment on, nothing was ever changed, it is what is found in most setups, bridged or otherwise
VPN Config AFTER (WORKS):
proto udp #up to here, it was always the same
push "redirect-gateway def1" #This is necessary for internet bridging, it won't work without it
server-bridge 192.168.11.x 255.255.255.0 192.168.11.58 192.168.11.59 #This is what works for my setup, notice it is the same IP range and subnet of my router and network, except that the range of the assigned addresses are far from my home network's range so there are no IP conflicts. You can expand the range so more clients can connect. There are other setups that say to use a completely different range and bridge that to the router's range, but that didn't work for me.
push "dhcp-option DNS 126.96.36.199" #This gives you the DNS server from home, change to own DNS server (first one)
push "dhcp-option DNS 188.8.131.52" #This gives you the DNS server from home, change to own DNS server (second one)
keepalive 10 120 #from here on, no change
Firewall Script: (This was always the same, but apparently the first line that says forward doesn't serve a purpose anymore, but I see no ill effects, so I left it as is. The first 2 lines of code are important though.)
remote xxxx.dyndns.org 1194 #like other tutorials say, this is the address of your home network as seen from the internet and the port OpenVPN uses to communicate.
route 192.168.11.x 255.255.255.0 vpn_gateway #I added this to route my internet connection, but it was at the same time as the other bits of code on the server that allowed the routing of the internet, so I am not sure if it's necessary. Nothing else was changed on the client.
keepalive 10 120
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\client1.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\client1.key"
I had a Routing table addition, but it wasn't necessary at all.
The comments after "#" and including that character can be removed, but if not, they won't be read by OpenVPN.
Without having any push or server-bridge commands on the server (the DD-WRT router), it turns the VPN connection into local LAN only and doesn't route the internet connection on the client.
This setup was used on a Buffalo WHR-HP-G54 router, probably works on others, but just so you know.
Also, to Moderators, I would suppose this would make a good sticky, unless I was the only one with this problem. But at the very least, don't remove this topic since it might be helpful for others, I know it would've been for me.
If there are any mistakes, let me know, or correct them, etc.
Last edited by Laz91 on Thu Sep 17, 2009 13:54; edited 7 times in total
push "redirect-gateway def1"
server-bridge 192.168.21.40 255.255.255.0 192.168.21.41 192.168.21.49
keepalive 10 120
Now, I am actually getting a gateway address and a DHCP server, so my ipconfig for the connection looks like:
IP Address: 192.168.21.41
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.21.40
DHCP Server: 192.168.21.0
I still can't ping any of my home network's computers or the router, but I do see that the client's (the laptop's) internet traffic is being routed through the VPN connection even though it isn't able to connect. Apparently, I am missing a small piece of code for the router's config. If anyone can help on that, I will be grateful, and I hope that this topic can be helpful for anyone in my dilemma as well, because if there were a topic that had all the specifics on bridged VPN config, I would already have my VPN up and running.
I tried a few more things I searched up about bridged setups and ended up adding these lines to the server config:
push "dhcp-option WINS 192.168.11.x"
push "dhcp-option DNS 192.168.11.x"
while taking away the previously added
push "redirect-gateway def1"
The gateway is apparently my biggest (and only?) problem, in which when I added the line I took out now, I got the gateway that would be my VPN server IP rather than the router's IP. This doesn't work for what I need apparently, so the main thing is a command to get the gateway as my home router (that's my best supposition). Keep in mind I did try some commands, but none worked. Maybe I'm going at it all wrong, but I have no guidance since the man pages for openvpn aren't too helpful here.
Last edited by Laz91 on Fri Sep 11, 2009 7:52; edited 1 time in total
"2:18AM, I finally got internet routing with network access through OpenVPN" (This is EST by the way)
If I had a journal or an online blog, that's what it would say right now.
But really, this has been my journal for the past few days, since I've gotten no help or response from anyone on this forum. That's kinda weird, but I guess that's life. Either no one knows how to do this or no one cares at all to help. I really hope it's the former. But nonetheless, I finally got it working, full LAN access along with full internet routing. I researched and tested so much that if this was a class, I'd probably get an A.
But in all seriousness, I would really like to help anyone else out with the same problem and help them get some sleep, 'cause like my PC and router can attest, I haven't gotten much the past few days. Thus, I will keep to my promise and make this tutorial/sample setup-like by editing my first post up top so it can help someone like nothing in this forum helped me. (Not an insult or anything, just a fact, even though it helped me get started, it didn't help me have the setup I wanted and needed.)
So, good luck to anyone trying to have a BRIDGED OpenVPN connection from a potentially hostile campus network or hotspot, etc. on their laptop to their home network with full internet routing (I will also add what did what, so that if you don't want routing, you can have that too.) I sincerely hope this helps.
It also took me quite a while to configure OpenVPN as a server with the WebGUI on my WRT54GL v1.1 with VPN pre SP2 (build 12533) firmware.
I apologize for the long and complex example, but I think it might be helpful to some :)
I firstly struggled to get the Encryption working, due to the date not being set correctly, which was still the year 1970.
The second place where I got stuck was when I tried for the tap0 interface to be on a different IP address than the LAN interface IP.
Lastly, the WebGUI assumes that you're going to use a tunnelling interface if I'm not mistaken. That's why I have a bit of a workaround startup script for stopping the current OpenVPN daemon, creating the tap0 interface & bridge & the new OpenVPN daemon.
My network layout:
Nanostation WAN IP: 10.20.x.x (port forward up 1194 to WRT54GL & 1195 to Server #2)
WRT54GL LAN IP: 192.168.1.192 mask 255.255.255.0
Server #2 LAN IP: 192.168.1.193
Default Gateway: 192.168.1.1
Range of IPs assigned to clients: 192.168.1.194-223
WAN IPs: 10.20.x.x & 146.232.x.x
The clients and server (router) are at 2 different locations and are both part of a WUG (10.20.x.x)
I wanted to share the server's Internet connection with the clients and make it their default gateway, while not letting the clients' WAN IP ranges pass through the VPN too.
WRT54GL v1.1 setup:
Administration -> Commands -> Startup script:
kill $(pidof openvpn) # kill the initial openvpn daemon started by the WebGUI
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
openvpn --daemon --config /tmp/openvpn/openvpn.conf
Start OpenVPN: Enable
Start type: System
Public Server Cert: -filled-
Certificate Revoke List: -empty-
Public Client Cert: -filled-
Private Client Key: -filled-
DH PEM: -filled-
TLS Auth: -empty-
server-bridge 192.168.1.192 255.255.255.0 192.168.1.194 192.168.1.223
push "route 10.20.0.0 255.255.0.0 net_gateway 999" # prevent pass-through for 10.20.*
push "route 146.232.0.0 255.255.0.0 net_gateway 999" # prevent pass-through for 146.232.*
push "redirect-gateway def1" # override default gateway safely
keepalive 10 120
comp-lzo no # disables compression
cipher BF-CBC # enable blowfish encryption; disabling encryption would result in better performance on the WRT54GL !
Setup -> Advanced Routing -> Static routing:
Added a static route for 10.20.0.0 netmask 255.255.0.0 to go through the Nanostation, since the default gateway goes to the Internet and not to the WUG
remote 10.20.62.232 1194 # Server 1
remote 10.20.62.232 1195 # Server 2 for fail-over
mute-replay-warnings # hide duplicate packet warnings due to wireless connection
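As an added example (not code from either poster), a small Python checker for the two things that tripped up this thread: whether a server-bridge pool actually sits inside the router's LAN (the 192.168.21.x pool on a 192.168.11.x LAN in the BEFORE config), and which destinations a client still sends out its own WAN once redirect-gateway def1 and the net_gateway routes from the WRT54GL post are applied. The sample config below is constructed from the WRT54GL server config above; routes are compared by prefix length only, which is how a longest-prefix lookup would treat them.

```python
import ipaddress
import shlex

# Constructed sample modelled on the WRT54GL server config in this thread
WRT54GL_SERVER_CONF = """
server-bridge 192.168.1.192 255.255.255.0 192.168.1.194 192.168.1.223
push "route 10.20.0.0 255.255.0.0 net_gateway 999"  # WUG range stays off the VPN
push "route 146.232.0.0 255.255.0.0 net_gateway 999"
push "redirect-gateway def1"
"""

def parse_server_config(text):
    """Collect the bridge, route and redirect directives; '#' comments are dropped."""
    cfg = {"server_bridge": None, "redirect_gateway": False, "routes": []}
    for raw in text.splitlines():
        tok = shlex.split(raw.split("#", 1)[0]) or [""]
        if tok[0] == "push" and len(tok) > 1:           # push "..." is what the client applies
            tok = tok[1].split() or [""]
        if tok[0] == "server-bridge" and len(tok) == 5:
            gw, mask, first, last = tok[1:]
            cfg["server_bridge"] = (ipaddress.ip_address(gw), ipaddress.ip_network(f"{gw}/{mask}", strict=False),
                                    ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif tok[0] == "redirect-gateway":
            cfg["redirect_gateway"] = True
        elif tok[0] == "route" and len(tok) >= 4:       # route <net> <mask> <gateway> [metric]
            cfg["routes"].append((ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False), tok[3]))
    return cfg

def check_bridge(cfg, lan, lan_hosts=()):
    """Problems with the pool relative to the router's real LAN; [] means it is consistent."""
    if cfg["server_bridge"] is None:
        return ["no server-bridge: clients get no gateway or lease"]
    gw, net, first, last = cfg["server_bridge"]
    lan, problems = ipaddress.ip_network(lan), []
    if net != lan:
        problems.append(f"bridge gateway {gw} with mask {net.netmask} is not the LAN {lan}")
    if first not in lan or last not in lan or first > last:
        problems.append(f"client pool {first}-{last} is not a valid range inside {lan}")
    pool = range(int(first), int(last) + 1)
    problems += [f"{h} is in use but lies inside the client pool"
                 for h in (gw, *map(ipaddress.ip_address, lan_hosts)) if int(h) in pool]
    return problems

def client_path(cfg, dst):
    """'local', 'vpn' or 'default': how a client reaches dst after applying the pushed routes."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in cfg["routes"] if dst in r[0]]
    if hits:                                            # a pushed /16 beats def1's two /1 routes
        return "local" if max(hits, key=lambda r: r[0].prefixlen)[1] == "net_gateway" else "vpn"
    return "vpn" if cfg["redirect_gateway"] else "default"
```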