Posted: Sat May 11, 2013 18:35 Post subject: Does DD-WRT OpenVPN support full VPN tunneling????
I can't get full tunneling to work with OpenVPN. I can securely access my home network from a laptop on a Public WiFi using the OpenVPN tunnel. But I also want to securely access the Internet from the laptop by tunneling ALL the laptop's traffic via the OpenVPN tunnel to my home router and then out to the Internet. That way, no one on the Public WiFi could snoop my Internet traffic. Here's my setup:
Code:
Laptop running OpenVPN client
|
| (Public WiFi)
|
Internet
|
|
(WAN port - 173.x.x.x)
Home router - Linksys E2000 running DD-WRT v24-sp2 and configured as OpenVPN Server
(LAN port - 192.168.1.1)
|
|
home network (192.168.1.0/24)
I can ping from the laptop to any node on the 192.168.1.0 network. But the laptop cannot ping the WAN port of the home router (173.x.x.x) or any IP on the Internet, and DNS does not work from the laptop. It looks like the VPN server just won't route traffic from the VPN tunnel to the Internet. I have the firewall turned off on the VPN server just to make sure that's not the problem.
I can't figure out if this is:
1) a limitation of the DD-WRT implementation of OpenVPN
2) some special route needs to be configured on the router
3) some special configuration required on the VPN server
Any ideas?
Code:
-------------------------------------------------------------------------------
VPN server config:
-------------------------------------------------------------------------------
dev tun0
client-to-client
server 10.168.1.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 10.168.1.1"
proto udp
port 1194
keepalive 10 60
verb 3
comp-lzo
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
-------------------------------------------------------------------------------
VPN server route table:
-------------------------------------------------------------------------------
Destination LAN  Subnet Mask      Gateway     Flags  Metric  Interface
10.168.1.2       255.255.255.255  0.0.0.0     UH     0       tun0
173.x.x.y        255.255.255.248  0.0.0.0     U      0       WAN
192.168.1.0      255.255.255.0    0.0.0.0     U      0       LAN & WLAN
10.168.1.0       255.255.255.0    10.168.1.2  UG     0       tun0
169.254.0.0      255.255.0.0      0.0.0.0     U      0       LAN & WLAN
0.0.0.0          0.0.0.0          173.x.x.x   UG     0       WAN
-------------------------------------------------------------------------------
VPN client config:
-------------------------------------------------------------------------------
# Be the client, not the server.
client
# Use any TUN (not TAP) device on the client.
dev tun
# The address of the VPN server. 1194 is the default port for OpenVPN.
remote 173.x.x.x 1194
# Send ALL traffic via the VPN
redirect-gateway def1
# We don't care what interface or port we use on the client.
nobind
# Make the link resistant to connection failures.
keepalive 10 60
ping-timer-rem
persist-key
persist-tun
# Enable data link compression.
comp-lzo
# You can set this to a higher level.
verb 1
# Accept authenticated packets from any address, not just one in remote option.
float
# Connect only to servers with the right certificate.
ns-cert-type server
# Certificates, etc.
ca ca.crt
cert client.crt
key client.key
Success on the DNS front! Thanks to the suggestion from eibgrad I added
interface=tun0
no-dhcp-interface=tun0
to the Additional DNSMasq Options box in the Services - Services tab of the router config. It works regardless of whether you use the router's tun0 address (10.168.1.1) or its LAN address (192.168.1.1).
Now I just need to get the tun0 to WAN routing to work...
Do you mean the 'redirect-gateway def1' line in the client config file? Yes, this can be in the client config file or you can do a 'push "redirect-gateway def1"' in the server config. Either way, it causes all traffic from the client to go through the VPN tunnel. I've verified that this is working correctly in this case. All the traffic is going through the VPN tunnel but then the VPN server doesn't send it where it needs to go.
The first four lines allow the VPN server to accept OpenVPN, DNS, SSH, and ping protocols. The next line tells the VPN server to forward the VPN tunnel network traffic?
The next two lines with the MASQUERADE option are the key to getting VPN tunnel traffic to connect to the Internet. I never did find any mention of this in the OpenVPN documentation but thanks to don_b I found an example using these exact two lines and it finally worked. A lot of other examples only had the second of these lines and that doesn't work for me. But with both these lines it finally works.
The last two lines in the Firewall config allow the VPN tunnel network to connect to the LAN network of the VPN server router. FYI, I also have the SPI Firewall enabled now.
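The forwarding and NAT rules described above, as an added example for a DD-WRT OpenVPN server (this is not the poster's firewall script, which is not shown in the thread). It assumes the tunnel is tun0 with the 10.168.1.0/24 subnet from the server config, the LAN bridge is br0, and the WAN interface name comes from nvram on the router, with vlan2 as an assumed fallback when run elsewhere. The rules are emitted as text so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not the poster's firewall script: the iptables rules a DD-WRT
# OpenVPN server needs before "redirect-gateway def1" clients can reach the
# Internet. Intended for the router's firewall script, which runs after the
# default rules, hence -I to put these first.
# Assumed: tunnel tun0, VPN subnet 10.168.1.0/24, LAN bridge br0, and the WAN
# interface name read from nvram (fallback name is an assumption).

VPN_IF="tun0"
VPN_NET="10.168.1.0/24"
LAN_IF="br0"
VPN_PORT="1194"

# DD-WRT keeps the WAN interface name in nvram; off the router we fall back to
# WAN_IF_FALLBACK (assumed default vlan2) so the rules can still be reviewed.
wan_if() {
    if command -v nvram >/dev/null 2>&1; then
        nvram get wan_ifname
    else
        echo "${WAN_IF_FALLBACK:-vlan2}"
    fi
}

# Print the rules instead of running them, so they can be checked (or diffed
# against "iptables-save" output) before they touch the live firewall.
vpn_rules() {
    wan="$(wan_if)"
    cat <<EOF
iptables -I INPUT -p udp --dport $VPN_PORT -j ACCEPT
iptables -I INPUT -i $VPN_IF -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i $VPN_IF -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -i $VPN_IF -p icmp --icmp-type echo-request -j ACCEPT
iptables -I FORWARD -i $VPN_IF -s $VPN_NET -j ACCEPT
iptables -I FORWARD -o $VPN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -I POSTROUTING -s $VPN_NET -o $wan -j MASQUERADE
iptables -t nat -I POSTROUTING -s $VPN_NET -o $LAN_IF -j MASQUERADE
EOF
}

# Apply the emitted rules on the router.
apply_vpn_rules() {
    vpn_rules | sh
}

if [ "${1:-}" = "apply" ]; then
    apply_vpn_rules
else
    vpn_rules
fi
```

The first four INPUT rules open the VPN port on the WAN and let tunnel clients reach the router's DNS, SSH and ping. The FORWARD pair lets tunnel traffic out (to the LAN or, via the default route, to the Internet) and lets replies back in. The WAN-side MASQUERADE is what makes Internet access work: without it, packets leave with a 10.168.1.x source address that nothing upstream can route back. Masquerading toward the LAN is optional; it makes VPN clients appear as the router's LAN address to hosts whose own firewalls only trust 192.168.1.0/24. Run the script with no argument to see the rules, or with `apply` on the router to install them.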
I will try out the same thing with my home router very soon.
Just a quick question. I have a Wi-Fi Blu-ray DVD player that streams Netflix, Amazon Prime and other stuff.
Do you know, if the VPN server is up and running on the DD-WRT router, whether I would have problems streaming on that client (the DVD player), or would traffic from that client work just fine? Any thoughts?
I haven't had time to benchmark the VPN yet. But it seems pretty fast when doing web browsing, etc. I'll have to try out video streaming Netflix through the tunnel for example.
Are you concerned about the VPN server running on the router causing slowdowns in normal, non-VPN traffic flowing through the router?
Or are you wondering if the VPN tunnel is fast enough to stream video?
What I was wondering is, with the OpenVPN server up on the DD-WRT router, how would my Sony Blu-ray player stream Netflix?
Obviously there is no way I can add certificates, keys, etc. on the Blu-ray player.
I am pretty sure there would be a way to get the DVD player's IP to bypass the VPN tunnel and directly reach Netflix.
The VPN server has no effect on the regular router traffic. The router can still pass traffic back and forth between the LAN and WAN ports while at the same time handling a VPN tunnel running between the VPN client and the VPN server.