OpenVPN connected but unsure about local IP config [SOLVED]

Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking
View previous topic :: View next topic  
Author Message
blumman
DD-WRT Novice


Joined: 03 Aug 2012
Posts: 16
PostPosted: Tue Feb 05, 2013 23:41    Post subject: OpenVPN connected but unsure about local IP config [SOLVED] Reply with quote
Hey guys,

This is driving me crazy. I have read endless of guides and I cannot get a clear picture of how this is supposed to be configured on my "DD-WRT v24-sp2 (03/19/12)(SVN revision 18777)" mega loaded routers.

First of all, my goal is to setup two DD-WRT routers in a site-to-site VPN router TUN configuration via the GUI. As far as I understand a TUN tunnel will connect my local LAN with the remote site's LAN. I.e I will be able to have 192.168.1.0/24 and the remote LAN will be able to have 192.168.2.0/24. These two networks will with some help of iptables route traffic and make clients visible from both LAN's.

I have some questions on how the setup should look like.

1. On my OpenVPN Server/Daemon and "Network". I interpret this as my local network ID e.g. 192.168.1.0/24 and have therefore configured it with 192.168.1.0. Is this correct or should it be the internal IP of the router?

Answer: There must be a third subnet for the VPN tunnel e.g. 172.16.0.0/24. Smile

2. On the OpenVPN Client and IP address. Should this be configured with the remote routers local LAN IP? Or should it be the remote network ID?

Still unsure about number 2.

3. On the OpenVPN server side and status I see this under "State":

Code:
State Server: CONNECTED: SUCCESS Local Address: 192.168.1.1 Remote Address: 192.168.1.1 Client: : Local Address: Remote Address: 192.168.1.1

This looks a bit weird to me, don't you agree?

Answer: Answer to question number one resolves this.

4. Also on the server side and under status I see this:

Code:
Status
Wed Feb 6 00:27:16 2013
Common Name   Real Address   Virtual Address   Bytes Received   Bytes Sent   Connected Since
REMOTE_ROUTER   External_IP:32771   192.168.1.2   42679   43726   Tue Feb 5 23:30:03 2013

Virtual Address   Common Name   Real Address   Last Ref
192.168.1.2   REMOTE_ROUTER   External_IP:32771   Tue Feb 5 23:30:04 2013
Max bcast/mcast queue length


This also looks weird. The virtual address is the same network as the server LAN. Should there be a third LAN that connects both LAN's?

Answer: Answer to question number one resolves this.

I do not have any errors in my VPN logs so I assume the tunnel is established. Now I just need to establish routing tables so I can see the remote computers and the remote computers see the local computers.

Do you have any ideas if I'm doing it right or wrong?
_________________


Last edited by blumman on Fri Mar 01, 2013 9:12; edited 3 times in total
Back to top View user's profile Send private message
Sponsor
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17619
Location: Hesse/Germany
PostPosted: Wed Feb 06, 2013 19:14    Post subject: Reply with quote
upgrade
_________________
Forum Guidelines...How to get help
&
Forum Rules
&
RTFM/STFW
&
Throw some buzzwords into the WIKI search Exclamation
_________________
I'm NOT rude, just offer pure facts!
_________________
Atheros (TP-Link & Clones, etc ) debrick service in EU
_________________
Guide on HowTo be Safe, Secure and Protect Your Online Anonymity!
Back to top View user's profile Send private message
blumman
DD-WRT Novice


Joined: 03 Aug 2012
Posts: 16
PostPosted: Wed Feb 06, 2013 22:03    Post subject: Reply with quote
Sash wrote:
upgrade


Thanks for the advice. Do you also have a suggestion to which firmware to upgrade to if I mention that I have one Linksys E4200v1 and one Linksys E3200v1?

I only have one main router so I would like to avoid disruption by trying every build after 18777, though I don't mind trying something newer if that's what it takes. Preferably limited to one or two builds. Though I have not found any preferred build for the E4200 through the search.

I think I want to give the upgrade suggestion some more thought (It took my quite some time to find a good base build for the E4200). In the meantime I have made some progress with 18777.

Here's my new server config:

Code:
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 4
mute 5
log-append /var/log/openvpn
writepid /var/log/openvpnd.pid
management 127.0.0.1 5002
management-log-cache 50
mtu-disc yes
topology subnet
client-config-dir /tmp/openvpn/ccd
script-security 2
port 1194
proto udp
cipher aes-128-cbc
auth sha256
tls-server
ifconfig-pool-persist /tmp/openvpn/ip-pool 86400
client-to-client
tls-cipher AES128-SHA
fast-io
tun-mtu 1500
server 172.16.0.0 255.255.255.0
dev tun0
push "route 192.168.1.0 255.255.255.0"
comp-lzo


I can ping the server subnet (192.168.1.0/24) from the remote/client router (note not from the clients behind it. Will work on that later).

Code:
root@OpenVPNClientRouter:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
WAN      0.0.0.0         255.255.255.255 UH    0      0        0 vlan2
192.168.1.0   172.16.0.1      255.255.255.0   UG    0      0        0 tun1
172.16.0.0      0.0.0.0         255.255.255.0   U     0      0        0 tun1
WAN             0.0.0.0         255.255.255.0   U     0      0        0 vlan2
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         WAN      0.0.0.0         UG    0      0        0 vlan2

root@OpenVPNClientRouter:~# traceroute 192.168.1.250
traceroute to 192.168.1.250 (192.168.1.250), 30 hops max, 38 byte packets
 1  172.16.0.1 (172.16.0.1)  3.127 ms  1.855 ms  1.735 ms
 2  192.168.1.250 (192.168.1.250)  3.249 ms  2.065 ms  2.120 ms


However from the OpenVPN server router I was not able to ping the clients in the remote subnet 192.168.2.0/24. There was no route added so I tried to add it from the GUI but it would never show up in the routing table. Here's what I did from the CLI.

Code:
/sbin/route add -net 192.168.2.0 netmask 255.255.255.0 gw 172.16.0.2


After that I had a new route in the routing table but still no go.

Code:
root@OpenVPNServerRouter:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
WAN      0.0.0.0         255.255.255.255 UH    0      0        0 vlan2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
172.16.0.0      0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.2.0     172.16.0.2      255.255.255.0   UG    0      0        0 tun0
WAN      0.0.0.0         255.255.255.0   U     0      0        0 vlan2
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         WAN      0.0.0.0         UG    0      0        0 vlan2

root@OpenVPNServerRouter:~# traceroute 192.168.2.250
traceroute to 192.168.2.250 (192.168.2.250), 30 hops max, 38 byte packets
 1  *  *  *
 2  *  *  *
 3  *  *  *
 4  *  *  *
 5  *  *  *
 6  *  *  *
 7  *  *  *
 8  *  *  *
 9  *  *  *
10  *  *  *
11  *  *  *
12  *  *  *
13  *  *  *
14  *  *  *
15  *  *  *
16  *  *  *
17  *  *  *
18  *  *  *
19  *  *  *
20  *  *  *
21  *  *  *
22  *  *  *
23  *  *  *
24  *  *  *
25  *  *  *
26  *  *  *
27  *  *  *
28  *  *  *
29  *  *  *
30  *  *  *


However I can ping the end of the tunnel and I could that before I added the route as well.

Code:
root@OpenVPNServerRouter:~# ping 172.16.0.2
PING 172.16.0.2 (172.16.0.2): 56 data bytes
64 bytes from 172.16.0.2: seq=0 ttl=64 time=2.898 ms
64 bytes from 172.16.0.2: seq=1 ttl=64 time=2.802 ms
64 bytes from 172.16.0.2: seq=2 ttl=64 time=3.431 ms


Here are the VPN iptables for OpenVPNServerRouter:

Code:
iptables -I INPUT 1 -i tun0 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT 1 -i tun0 -p udp --dport 53 -j ACCEPT
iptables -I INPUT 3 -i tun0 -p icmp -j ACCEPT
iptables -I INPUT 1 -p udp --dport 11942 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.2.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT


Here are the VPN iptables for OpenVPNClientRouter:

Code:
iptables -I INPUT 1 -i tun1 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT 1 -i tun1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT 3 -i tun1 -p icmp -j ACCEPT
iptables -I INPUT 1 -p udp --dport 11942 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.1.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT


It seems doable with 18777, it's just that this is new to me and I haven't figured everything out yet. Any ideas, anyone?
_________________
Back to top View user's profile Send private message
blumman
DD-WRT Novice


Joined: 03 Aug 2012
Posts: 16
PostPosted: Fri Mar 01, 2013 9:13    Post subject: Reply with quote
I got it all worked out now. It took me a while though. Smile

For those of you who encounter similar problems, you can achieve this with the mega build 18777. I can really recommend reading the following pages:

http://openvpn.net/index.php/open-source/documentation/howto.html#examples
http://www.davidwang.com/?p=98
http://www.smallnetbuilder.com/myincludes/new_page.php?howto_openvpn_config.htm

Happy troubleshooting! Smile
_________________
Back to top View user's profile Send private message
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum