OpenVPN Bridged Setup Sample DD-WRT v24 sp2 (SOLVED Setup)

DD-WRT Forum Index -> Broadcom SoC based Hardware
Laz91
DD-WRT Novice


Joined: 09 Sep 2009
Posts: 4

PostPosted: Wed Sep 09, 2009 16:52    Post subject: OpenVPN Bridged Setup Sample DD-WRT v24 sp2 (SOLVED Setup)
Hey all, I'm new to the forum but by no means new to DD-WRT. I have been trying to set up a bridged VPN connection between my home router (Buffalo) and my laptop on a campus network. It hasn't worked at all even though I THINK that I did the setup right. The kicker is that the OpenVPN GUI gives me a green icon and "connects" to the router. Yet when I try to ping my router, or any computer on my home network, I get nothing, and also when I check my IP, I get the campus network's IP. Also, I get no gateway at all on the VPN connection. Does anyone have any idea why this is the case? I am truly stumped; even though I have tried to look for similar setups, nothing helps.

The paragraph above was my first post, where I followed as many tutorials as I could and tried to use as much as what pertained to my setup from other setups but I had those problems. The following 2 posts were also things I tried once I found them. In the end, only a few lines were missing and I had a few lines that shouldn't have been there. I will provide the before and after server config files so that I can tell what I did wrong.

Before all this, I would follow a guide like rmeytin's post http://www.dd-wrt.com/phpBB2/viewtopic.php?t=37518&postdays=0&postorder=asc&start=0 , dereks's post http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35689 or the "OpenVPN (the Easy Way) v24+" Tutorial, since I don't cover the making of certificates and all the preliminary stuff. I just get down to the configs.

My Setup looks like this:

My router's local IP: 192.168.11.x
The network's subnet: 255.255.255.0
The range of IPs to be assigned to clients (last digits can be changed so more clients can connect, just as long as it stays within the router's local IP range): 192.168.11.58 to 192.168.11.59


ROUTER:

VPN Tab:
Start Type: WAN up

Public Server Cert -filled-
Certificate Revoke List -empty-
Public Client Cert -filled-
Private Client Key -filled-
DH PEM -filled-
TLS Auth -empty-

VPN Config BEFORE:
Code:
mode server
client-to-client
tls-server
dev tap0 #tap for bridging rather than tun
proto udp  #up to here, all is standard for bridging
server-bridge 192.168.21.40 255.255.255.0 192.168.21.41 192.168.21.49 #This IP range didn't work for my purpose
keepalive 10 120  #from this comment on, nothing was ever changed, it is what is found in most setups, bridged or otherwise
comp-lzo
cipher BF-CBC
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

VPN Config AFTER (WORKS):
Code:
mode server
client-to-client
tls-server
dev tap0
proto udp #up to here, it was always the same
push "redirect-gateway def1" #This is necessary for internet bridging, it won't work without it
server-bridge 192.168.11.x 255.255.255.0 192.168.11.58 192.168.11.59 #This is what works for my setup; notice it is the same IP range and subnet as my router and network, except that the range of the assigned addresses is far from my home network's range so there are no IP conflicts. You can expand the range so more clients can connect. There are other setups that say to use a completely different range and bridge that to the router's range, but that didn't work for me.
push "dhcp-option DNS 208.67.222.222" #This gives you the DNS server from home, change to own DNS server (first one)
push "dhcp-option DNS 208.67.220.220" #This gives you the DNS server from home, change to own DNS server (second one)
keepalive 10 120 #from here on, no change
daemon
comp-lzo
cipher BF-CBC
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem




Startup Script: (This was always the same.)
Code:
sleep 45                          # give OpenVPN time to create tap0 before bridging it
brctl addif br0 tap0              # add the tap interface to the LAN bridge
ifconfig tap0 0.0.0.0 promisc up  # tap0 carries no IP of its own; br0 holds the router address


Firewall Script: (This was always the same, but apparently the first line that says forward doesn't serve a purpose anymore, but I see no ill effects, so I left it as is. The first 2 lines of code are important though.)
Code:
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT   # accept OpenVPN on TCP 1194
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT   # accept OpenVPN on UDP 1194 (the proto this setup uses)

iptables -I FORWARD 1 --source 192.168.21.0/24 -j ACCEPT   # leftover from the old 192.168.21.x pool; no longer serves a purpose

iptables -I FORWARD -i br0 -o tap0 -j ACCEPT   # allow traffic between the LAN bridge and the VPN tap interface
iptables -I FORWARD -i tap0 -o br0 -j ACCEPT




CLIENT (Laptop) Config:
Code:
client
remote xxxx.dyndns.org 1194 #like other tutorials say, this is the address of your home network as seen from the internet and the port OpenVPN uses to communicate.
route 192.168.11.x 255.255.255.0 vpn_gateway #I added this to route my internet connection, but it was at the same time as the other bits of code on the server that allowed the routing of the internet, so I am not sure if it's necessary. Nothing else was changed on the client.
persist-key
tls-client
proto udp
nobind
persist-tun
comp-lzo
dev tap
cipher BF-CBC
ns-cert-type server
resolv-retry infinite
verb 3
keepalive 10 120
float
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\client1.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\client1.key"


I had a Routing table addition, but it wasn't necessary at all.


The comments after "#" and including that character can be removed, but if not, they won't be read by OpenVPN.

Without having any push or server-bridge commands on the server (the DD-WRT router), it turns the vpn connection to local LAN only and doesn't route the internet connection on the client.

I used http://whatismyip.com/ to check if I had a routed internet connection. It worked fine for my purpose.

This setup was used on a Buffalo WHR-HP-G54 router, probably works on others, but just so you know.

Also, to Moderators, I would suppose this would make a good sticky, unless I was the only one with this problem. But at the very least, don't remove this topic since it might be helpful for others, I know it would've been for me.

If there are any mistakes, let me know, or correct them, etc.


Last edited by Laz91 on Thu Sep 17, 2009 13:54; edited 7 times in total
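As an added example (not part of Laz91's post or of DD-WRT itself), here is a POSIX shell check for the four addresses of a server-bridge line that catches the mistake described above: a client pool outside the LAN subnet. It also optionally checks that the VPN pool does not overlap the router's own DHCP range; all sample addresses are constructed.

```shell
#!/bin/sh
# Added example: sanity-check an OpenVPN "server-bridge" line before pasting it
# into the DD-WRT VPN config. Gateway, pool start and pool end must lie inside
# the LAN subnet (a 192.168.21.x pool on a 192.168.11.0/24 LAN gives clients an
# unreachable address), and the pool must not collide with the router's DHCP range.

# ip2int A.B.C.D -> prints the address as a 32-bit integer; fails on bad input.
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_server_bridge GATEWAY NETMASK POOL_START POOL_END [DHCP_START DHCP_END]
# Returns 0 when the line is consistent, 1 otherwise (reason on stderr).
check_server_bridge() {
    gw=$(ip2int "$1") && mask=$(ip2int "$2") &&
    lo=$(ip2int "$3") && hi=$(ip2int "$4") ||
        { echo "malformed address in server-bridge line" >&2; return 1; }
    net=$(( gw & mask ))
    # every pool address must mask to the same network as the gateway
    [ $(( lo & mask )) -eq "$net" ] && [ $(( hi & mask )) -eq "$net" ] ||
        { echo "pool $3-$4 is outside the subnet of $1/$2" >&2; return 1; }
    [ "$lo" -le "$hi" ] ||
        { echo "pool start $3 is after pool end $4" >&2; return 1; }
    # the bridge gateway itself must not be handed out to a client
    [ "$gw" -lt "$lo" ] || [ "$gw" -gt "$hi" ] ||
        { echo "gateway $1 lies inside the client pool" >&2; return 1; }
    # optional: the router's own DHCP pool (Setup -> Basic Setup in DD-WRT)
    if [ $# -ge 6 ]; then
        dlo=$(ip2int "$5") && dhi=$(ip2int "$6") ||
            { echo "malformed DHCP range" >&2; return 1; }
        [ "$hi" -lt "$dlo" ] || [ "$lo" -gt "$dhi" ] ||
            { echo "VPN pool $3-$4 overlaps router DHCP pool $5-$6" >&2; return 1; }
    fi
    return 0
}

# Usage: ./check_bridge.sh 192.168.11.1 255.255.255.0 192.168.11.58 192.168.11.59
if [ $# -eq 4 ] || [ $# -eq 6 ]; then
    check_server_bridge "$@" && echo "server-bridge line looks consistent"
fi
```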
Laz91
DD-WRT Novice


Joined: 09 Sep 2009
Posts: 4

PostPosted: Thu Sep 10, 2009 8:03    Post subject: Progress
Whoa, I hit some progress, something is better than nothing. I came upon this post in the forum http://www.dd-wrt.com/phpBB2/viewtopic.php?t=40220&highlight=openvpn+v24+bridged (scroll down to super-kev's first post there) where I found a similar, albeit not completely working, config to my own, and so I added this line to the Router's VPN config in hopes it would improve something:
Code:
push "redirect-gateway def1"
so it now looks like:

Code:
mode server
client-to-client
tls-server
dev tap0
proto udp
push "redirect-gateway def1"
server-bridge 192.168.21.40 255.255.255.0 192.168.21.41 192.168.21.49
keepalive 10 120
comp-lzo
cipher BF-CBC
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem


Now, I am actually getting a gateway address and a DHCP server, so my ipconfig for the connection looks like:
IP Address: 192.168.21.41
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.21.40
DHCP Server: 192.168.21.0

I still can't ping any of my home network's computers or the router but I do see that the client's (the laptop) internet traffic is being routed through the vpn connection even though it isn't able to connect. Apparently, I am missing a small piece of code for the router's config. If anyone can help on that, I will be grateful, and I hope that this topic can be helpful for anyone in my dilemma as well, because if there would be a topic that had all the specifics on Bridged VPN config, I would already have my VPN up and running.
Laz91
DD-WRT Novice


Joined: 09 Sep 2009
Posts: 4

PostPosted: Thu Sep 10, 2009 9:58
I tried a few more things I searched up about bridged setups and ended up adding these lines to the server config:
Code:
push "dhcp-option WINS 192.168.11.x"
push "dhcp-option DNS 192.168.11.x"

while taking away the previously added
Code:
push "redirect-gateway def1"

The gateway is apparently my biggest (and only?) problem: when I added the line I have now taken out, I got a gateway that was my VPN server IP rather than the router's IP. This doesn't work for what I need apparently, so the main thing is a command to get the gateway to be my home router (that's my best supposition). Keep in mind I did try some commands, but none worked. Maybe I'm going at it all wrong, but I have no guidance since the man pages for openvpn aren't too helpful here.


Last edited by Laz91 on Fri Sep 11, 2009 7:52; edited 1 time in total
Laz91
DD-WRT Novice


Joined: 09 Sep 2009
Posts: 4

PostPosted: Fri Sep 11, 2009 6:33
"2:18AM, I finally got internet routing with network access through OpenVPN" (This is EST by the way)

If I had a journal or an online blog, that's what it would say right now.
But really, this has been my journal for the past few days, since I've gotten no help or response from anyone on this forum. That's kinda weird, but I guess that's life. Either no one knows how to do this or no one cares at all to help. I really hope it's the former. But nonetheless, I finally got it working, full LAN access along with full internet routing. I researched and tested so much that if this was a class, I'd probably get an A.

But in all seriousness, I would really like to help anyone else out with the same problem and help them get some sleep, 'cause like my PC and router can attest, I haven't gotten much the past few days. Thus, I will keep to my promise and make this tutorial/sample setup-like by editing my first post up top so it can help someone like nothing in this forum helped me. (Not an insult or anything, just a fact, even though it helped me get started, it didn't help me have the setup I wanted and needed.)
So, good luck to anyone trying to have a BRIDGED OpenVPN connection from a potentially hostile campus network or hotspot, etc. on their laptop to their home network with full internet routing (I will also add what did what, so that if you don't want routing, you can have that too.) I sincerely hope this helps.

Laz91
Pada
DD-WRT Novice


Joined: 10 May 2009
Posts: 21

PostPosted: Wed Sep 23, 2009 1:40
It also took me quite a while to configure OpenVPN as a server with the WebGUI on my WRT54GL v1.1 with VPN pre SP2 (build 12533) firmware.

I apologize for the long and complex example, but I think it might be helpful to some :)

I firstly struggled to get the encryption working, due to the date not being set correctly (it was still the year 1970).
The second place where I got stuck was when I tried to put the tap0 interface on a different IP address than the LAN interface IP.
Lastly, the WebGUI assumes that you're going to use a tunnelling interface, if I'm not mistaken. That's why I have a bit of a workaround startup script for stopping the current OpenVPN daemon, creating the tap0 interface and bridge, and starting the new OpenVPN daemon.

My network layout:
    server side:
      Nanostation WAN IP: 10.20.x.x (port forward up 1194 to WRT54GL & 1195 to Server #2)
      WRT54GL LAN IP: 192.168.1.192 mask 255.255.255.0
      Server #2 LAN IP: 192.168.1.193
      Default Gateway: 192.168.1.1
      Range of IPs assigned to clients: 192.168.1.194-223


    clients:
      WAN IPs: 10.20.x.x & 146.232.x.x


    The clients and server (router) are at 2 different locations and are both part of a WUG (10.20.x.x)
    I wanted to share the server's Internet connection with the clients and make it their default gateway, while not letting the clients' WAN IP ranges pass through the VPN too.


WRT54GL v1.1 setup:

    Administration -> Commands -> Startup script:
    Code:
    killall openvpn                                   # stop the initial openvpn daemon started by the WebGUI
    openvpn --mktun --dev tap0                        # create a persistent tap0 interface
    brctl addif br0 tap0                              # add tap0 to the LAN bridge
    ifconfig tap0 0.0.0.0 promisc up                  # tap0 carries no IP of its own; br0 holds the router address
    openvpn --daemon --config /tmp/openvpn/openvpn.conf   # start the server with the WebGUI-generated config


    Administration -> Commands -> Firewall script:
    Code:
    iptables -I INPUT -p udp --dport 1194 -j ACCEPT      # accept OpenVPN on UDP 1194
    iptables -I FORWARD -i br0 -o tap0 -j ACCEPT         # interface name matches "dev tap0" in the config
    iptables -I FORWARD -i tap0 -o br0 -j ACCEPT


    Services -> VPN:

      Start OpenVPN: Enable
      Start type: System
      Public Server Cert: -filled-
      Certificate Revoke List: -empty-
      Public Client Cert: -filled-
      Private Client Key: -filled-
      DH PEM: -filled-
      TLS Auth: -empty-
      Config:
      Code:
      mode server
      tls-server
      dev tap0
      proto udp
      server-bridge 192.168.1.192 255.255.255.0 192.168.1.194 192.168.1.223
      push "route 10.20.0.0 255.255.0.0 net_gateway 999" # prevent pass-through for 10.20.*
      push "route 146.232.0.0 255.255.0.0 net_gateway 999" # prevent pass-through for 146.232.*
      push "redirect-gateway def1" # override default gateway safely
      client-to-client
      keepalive 10 120
      comp-lzo no # disables compression
      cipher BF-CBC  # enable blowfish encryption; disabling encryption would result in better performance on the WRT54GL !
      dh /tmp/openvpn/dh.pem
      ca /tmp/openvpn/ca.crt
      cert /tmp/openvpn/cert.pem
      key /tmp/openvpn/key.pem


    Setup -> Advanced Routing -> Static routing:
      Added a static route for 10.20.0.0 netmask 255.255.0.0 to go through the Nanostation, since the default gateway goes to the Internet and not to the WUG


client1 config:
Code:
client
dev tap
proto udp
remote 10.20.62.232 1194 # Server 1
remote 10.20.62.232 1195 # Server 2 for fail-over
resolv-retry 60
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo no
verb 3
mute-replay-warnings # hide duplicate packet warnings due to wireless connection
JeremyG
DD-WRT Novice


Joined: 10 Aug 2007
Posts: 5

PostPosted: Mon Oct 26, 2009 20:53
Thank you so much for this post!!!

After trying nearly everything to get a bridged connection working, this finally did it!


The current Wiki article on OpenVPN ("the easy way") is really bad and does not work at all. You should update it with this method, it would help a lot of people.
All times are GMT