Posted: Tue Feb 05, 2013 23:41 Post subject: OpenVPN connected but unsure about local IP config [SOLVED]
Hey guys,
This is driving me crazy. I have read endless guides and I cannot get a clear picture of how this is supposed to be configured on my "DD-WRT v24-sp2 (03/19/12)(SVN revision 18777)" mega-loaded routers.
First of all, my goal is to set up two DD-WRT routers in a site-to-site VPN router TUN configuration via the GUI. As far as I understand, a TUN tunnel will connect my local LAN with the remote site's LAN, i.e. I will be able to have 192.168.1.0/24 and the remote LAN will be able to have 192.168.2.0/24. These two networks will, with some help from iptables, route traffic and make clients visible from both LANs.
I have some questions about what the setup should look like.
1. On my OpenVPN Server/Daemon and "Network". I interpret this as my local network ID e.g. 192.168.1.0/24 and have therefore configured it with 192.168.1.0. Is this correct or should it be the internal IP of the router?
Answer: There must be a third subnet for the VPN tunnel e.g. 172.16.0.0/24.
2. On the OpenVPN Client and IP address. Should this be configured with the remote router's local LAN IP? Or should it be the remote network ID?
Still unsure about number 2.
3. On the OpenVPN server side and status I see this under "State":
Code:
State
Server: CONNECTED: SUCCESS
Local Address: 192.168.1.1
Remote Address: 192.168.1.1
Client: :
Local Address:
Remote Address: 192.168.1.1
This looks a bit weird to me, don't you agree?
Answer: Answer to question number one resolves this.
4. Also on the server side and under status I see this:
Code:
Status
Wed Feb 6 00:27:16 2013
Common Name Real Address Virtual Address Bytes Received Bytes Sent Connected Since
REMOTE_ROUTER External_IP:32771 192.168.1.2 42679 43726 Tue Feb 5 23:30:03 2013
Virtual Address Common Name Real Address Last Ref
192.168.1.2 REMOTE_ROUTER External_IP:32771 Tue Feb 5 23:30:04 2013
Max bcast/mcast queue length
This also looks weird. The virtual address is in the same network as the server LAN. Should there be a third LAN that connects both LANs?
Answer: Answer to question number one resolves this.
I do not have any errors in my VPN logs so I assume the tunnel is established. Now I just need to establish routing tables so I can see the remote computers and the remote computers see the local computers.
Do you have any idea whether I'm doing it right or wrong?
Last edited by blumman on Fri Mar 01, 2013 9:12; edited 3 times in total
Thanks for the advice. Do you also have a suggestion to which firmware to upgrade to if I mention that I have one Linksys E4200v1 and one Linksys E3200v1?
I only have one main router so I would like to avoid disruption by trying every build after 18777, though I don't mind trying something newer if that's what it takes. Preferably limited to one or two builds. Though I have not found any preferred build for the E4200 through the search.
I think I want to give the upgrade suggestion some more thought (it took me quite some time to find a good base build for the E4200). In the meantime I have made some progress with 18777.
I can ping the server subnet (192.168.1.0/24) from the remote/client router (note not from the clients behind it. Will work on that later).
Code:
root@OpenVPNClientRouter:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
WAN 0.0.0.0 255.255.255.255 UH 0 0 0 vlan2
192.168.1.0 172.16.0.1 255.255.255.0 UG 0 0 0 tun1
172.16.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun1
WAN 0.0.0.0 255.255.255.0 U 0 0 0 vlan2
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 WAN 0.0.0.0 UG 0 0 0 vlan2
root@OpenVPNClientRouter:~# traceroute 192.168.1.250
traceroute to 192.168.1.250 (192.168.1.250), 30 hops max, 38 byte packets
1 172.16.0.1 (172.16.0.1) 3.127 ms 1.855 ms 1.735 ms
2 192.168.1.250 (192.168.1.250) 3.249 ms 2.065 ms 2.120 ms
However from the OpenVPN server router I was not able to ping the clients in the remote subnet 192.168.2.0/24. There was no route added so I tried to add it from the GUI but it would never show up in the routing table. Here's what I did from the CLI.
However, I can ping the end of the tunnel, and I could do that before I added the route as well.
Code:
root@OpenVPNServerRouter:~# ping 172.16.0.2
PING 172.16.0.2 (172.16.0.2): 56 data bytes
64 bytes from 172.16.0.2: seq=0 ttl=64 time=2.898 ms
64 bytes from 172.16.0.2: seq=1 ttl=64 time=2.802 ms
64 bytes from 172.16.0.2: seq=2 ttl=64 time=3.431 ms
Here are the VPN iptables for OpenVPNServerRouter:
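A route sanity check, added here as an example and not part of this thread or of DD-WRT, that tests the two points raised above: the tunnel subnet must not overlap either LAN (the cause of the odd status output in question 4), and each router needs a route to the far LAN over its tun interface (the route that was missing on the server in the follow-up). The `route -n` samples are constructed from the addresses in the thread; the WAN gateways 203.0.113.1 and 198.51.100.1 are made-up placeholders.

```python
import ipaddress

# Constructed sample: the client router's `route -n` from the thread, with the
# "WAN" placeholders replaced by a made-up gateway (assumption, not the poster's).
CLIENT_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     172.16.0.1      255.255.255.0   UG    0      0        0 tun1
172.16.0.0      0.0.0.0         255.255.255.0   U     0      0        0 tun1
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 vlan2
"""

# Constructed sample: the server router as described, before a route to the
# client LAN was added (no 192.168.2.0/24 entry at all).
SERVER_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.0.0      0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
0.0.0.0         198.51.100.1    0.0.0.0         UG    0      0        0 vlan2
"""


def parse_route_n(text):
    """Return [(network, gateway, iface)] parsed from BusyBox/net-tools `route -n` output."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] in ("Kernel", "Destination"):
            continue  # skip the two header lines
        net = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)  # Destination/Genmask
        routes.append((net, f[1], f[7]))
    return routes


def check_site_to_site(local_lan, remote_lan, tunnel, route_text):
    """Return a list of problems found on one router; an empty list means it looks sane."""
    subnets = {"local LAN": ipaddress.ip_network(local_lan),
               "remote LAN": ipaddress.ip_network(remote_lan),
               "tunnel": ipaddress.ip_network(tunnel)}
    problems = []
    names = list(subnets)
    # 1. the three subnets must be pairwise disjoint, otherwise tun and br0 routes collide
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                problems.append(f"{a} {subnets[a]} overlaps {b} {subnets[b]}")
    # 2. the far LAN must be reachable through a tun interface, not via the default route
    far = subnets["remote LAN"]
    if not any(net == far and iface.startswith("tun") for net, _, iface in parse_route_n(route_text)):
        problems.append(f"no route to {far} via a tun interface")
    return problems
```

Run the check on each router with its own `route -n` output; the server sample above reports the missing 192.168.2.0/24 route, the client sample reports nothing.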