Does DD-WRT OpenVPN support full VPN tunneling????

calpalmore
DD-WRT Novice


Joined: 11 May 2013
Posts: 7

PostPosted: Sat May 11, 2013 18:35    Post subject: Does DD-WRT OpenVPN support full VPN tunneling????
I can't get full tunneling to work with OpenVPN. I can securely access my home network from a laptop on a Public WiFi using the OpenVPN tunnel. But I also want to securely access the Internet from the laptop by tunneling ALL the laptop's traffic via the OpenVPN tunnel to my home router and then out to the Internet. That way, no one on the Public WiFi could snoop my Internet traffic. Here's my setup:

Code:

Laptop running OpenVPN client
       |
       | (Public WiFi)
       |
Internet
       |
       |
  (WAN port - 173.x.x.x)
Home router - Linksys E2000 running DD-WRT v24-sp2 and configured as OpenVPN Server
  (LAN port - 192.168.1.1)
       |
       |
home network (192.168.1.0/24)


I can ping from laptop to any node on the 192.168.1.0 network. But the laptop cannot ping to the WAN port of the home router (173.x.x.x) or any IP on the Internet. And DNS does not work from laptop. It looks like the VPN server just won't route traffic from the VPN tunnel to the Internet. I have the firewall turned off on the VPN server just to make sure that's not the problem.

I can't figure out if this is:
1) a limitation of the DD-WRT implementation of OpenVPN
2) some special route needs to be configured on the router
3) some special configuration required on the VPN server

Any ideas?

Code:

-------------------------------------------------------------------------------
VPN server config:
-------------------------------------------------------------------------------
dev tun0
client-to-client
server 10.168.1.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 10.168.1.1"
proto udp
port 1194
keepalive 10 60
verb 3
comp-lzo
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

-------------------------------------------------------------------------------
VPN server route table:
-------------------------------------------------------------------------------
Destination LAN   Subnet Mask      Gateway     Flags   Metric  Interface
10.168.1.2        255.255.255.255  0.0.0.0      UH     0       tun0
173.x.x.y         255.255.255.248  0.0.0.0      U      0       WAN
192.168.1.0       255.255.255.0    0.0.0.0      U      0       LAN & WLAN
10.168.1.0        255.255.255.0    10.168.1.2   UG     0       tun0
169.254.0.0       255.255.0.0      0.0.0.0      U      0       LAN & WLAN
0.0.0.0           0.0.0.0          173.x.x.x    UG     0       WAN

-------------------------------------------------------------------------------
VPN client config:
-------------------------------------------------------------------------------
# Be the client, not the server.
client

# Use any TUN (not TAP) device on the client.
dev tun

# The address of the VPN server.  1194 is the default port for OpenVPN.
remote 173.x.x.x 1194

# Send ALL traffic via the VPN
redirect-gateway def1

# We don't care what interface or port we use on the client.
nobind

# Make the link resistant to connection failures.
keepalive 10 60
ping-timer-rem
persist-key
persist-tun

# Enable data link compression.
comp-lzo

# You can set this to a higher level.
verb 1

# Accept authenticated packets from any address, not just one in remote option.
float

# Connect only to servers with the right certificate.
ns-cert-type server

# Certificates, etc.
ca ca.crt
cert client.crt
key client.key
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 7414

PostPosted: Sat May 11, 2013 19:25
As far as DNS goes, the problem is probably due to the fact that the DNS server is not listening on the VPN's interface (tun#), so it doesn't respond to 10.168.1.1. You either have to add the tunnel's interface to the DNS config so it will listen...

interface=br0,tun*
no-dhcp-interface=tun* # I'm not sure if this accepts wildcards

... or use the router's local IP address (192.168.1.1) instead (which is probably easier).
calpalmore
DD-WRT Novice


Joined: 11 May 2013
Posts: 7

PostPosted: Sat May 11, 2013 20:35
Success on the DNS front! Thanks to the suggestion from eibgrad I added

interface=tun0
no-dhcp-interface=tun0

to the Additional DNSMasq Options box in the Services - Services tab of the router config. It works regardless of whether you use the router's tun0 address - 10.168.1.1 or LAN address - 192.168.1.1.

Now I just need to get the tun0 to WAN routing to work...
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 7414

PostPosted: Sat May 11, 2013 21:24
I don't use OpenVPN, so keep that in mind. I'm merely reading the documentation. :)

It's my understanding you can configure the server to force clients to use the VPN's gateway for internet access (which it seems you've done). I can understand that as a security measure in a business setting. But for a home user, I would think the better and more flexible option would be to control this from the client configuration. In fact, if it was me, I'd have two .ovpn configs, one with and one without the gateway option.

That doesn’t explain the current problem, of course, but it would be interesting to see if using the client as the controlling mechanism made a difference.
calpalmore
DD-WRT Novice


Joined: 11 May 2013
Posts: 7

PostPosted: Sat May 11, 2013 21:58
Do you mean the 'redirect-gateway def1' line in the client config file? Yes, this can be in the client config file or you can do a 'push "redirect-gateway def1"' in the server config. Either way, it causes all traffic from the client to go through the VPN tunnel. I've verified that this is working correctly in this case. All the traffic is going through the VPN tunnel but then the VPN server doesn't send it where it needs to go.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 7414

PostPosted: Sat May 11, 2013 22:46
Ok, I see what you're saying. It always sends it through the tunnel, but stops there. That sounds like a routing issue on the VPN server side. Perhaps the firewall is not allowing traffic to be routed from the vpn interface to the WAN interface. Try dumping iptables to verify the routes are there.

iptables -vnL

NOTE: I would assume the OpenVPN implementation in DD-WRT would automatically add these routes, but I would have assumed it would have added the interface=tun* option to dnsmasq as well, and apparently it didn't. So perhaps those routes aren't there.
calpalmore
DD-WRT Novice


Joined: 11 May 2013
Posts: 7

PostPosted: Sun May 12, 2013 1:02
Yeah, I think it is a routing issue. I have the Firewall disabled. Anyway, here is the 'iptables -vnL' output:

Code:

Chain INPUT (policy ACCEPT 185K packets, 24M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8080
    1    60 DROP       tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 DROP       tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
    0     0 DROP       tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:69
    3   180 DROP       tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:23
Chain FORWARD (policy ACCEPT 495 packets, 25376 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 3656  585K ACCEPT     0    --  *      *       10.168.1.0/24       0.0.0.0/0           
    0     0 ACCEPT     0    --  tun0   br0     0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  br0    tun0    0.0.0.0/0            0.0.0.0/0           
6025K 5812M lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0           
19896 1140K TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
5995K 5807M ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     0    --  br0    br0     0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.21       tcp dpt:10081
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.21       udp dpt:10081
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.22       tcp dpt:10082
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.22       udp dpt:10082
   0     0 TRIGGER    0    --  vlan2  br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
30168 5239K trigger_out  0    --  br0    *       0.0.0.0/0            0.0.0.0/0           
29673 5213K ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
Chain OUTPUT (policy ACCEPT 36831 packets, 5631K bytes)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_1 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_10 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_2 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_3 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_4 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_5 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_6 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_7 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_8 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_9 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_1 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_10 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_2 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_3 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_4 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_5 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_6 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_7 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_8 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_9 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain lan2wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain logaccept (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           
Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           
Chain logreject (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
Chain trigger_out (1 references)
 pkts bytes target     prot opt in     out     source               destination         
don_b
DD-WRT Novice


Joined: 23 Apr 2013
Posts: 11

PostPosted: Wed May 15, 2013 21:00    Post subject: try MASQUERADE
@calpalmore.

I am trying to set up something very similar to you (I haven't done it yet).

Check this link.
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=751909

Apparently there is something called MASQUERADE.

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE

Hopefully this will work for you. Let us all know if it does.
calpalmore
DD-WRT Novice


Joined: 11 May 2013
Posts: 7

PostPosted: Thu May 16, 2013 13:52    Post subject: SUCCESS!
Well, I finally got it to work. The key was using a MASQUERADE in the iptables. Here is my final Firewall configuration on the VPN server:

Code:

# Let the router itself accept OpenVPN, DNS, SSH and ping
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -I INPUT -p udp --dport 53 -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -j ACCEPT    # SSH is TCP, not UDP
iptables -I INPUT -p icmp -j ACCEPT
# Forward anything arriving from the VPN tunnel subnet
iptables -I FORWARD 1 --source 10.168.1.0/24 -j ACCEPT
# Rewrite the tunnel subnet's source address on the way out so replies come back via the router
iptables -t nat -A POSTROUTING -s 10.168.1.0/24 -o br0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.168.1.0/24 -j MASQUERADE
# Allow traffic between the tunnel and the LAN bridge in both directions
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT


The first four lines allow the VPN server to accept OpenVPN, DNS, SSH, and ping protocols. The next line tells the VPN server to forward the VPN tunnel network traffic?

The next two lines with the MASQUERADE option are the key to getting VPN tunnel traffic to connect to the Internet. I never did find any mention of this in the OpenVPN documentation but thanks to don_b I found an example using these exact two lines and it finally worked. A lot of other examples only had the second of these lines and that doesn't work for me. But with both these lines it finally works.

The last two lines in the Firewall config allow the VPN tunnel network to connect to the LAN network of the VPN server router. FYI, I also have the SPI Firewall enabled now.
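An added check script (mine, not from the thread) for the two things this fix supplies on the server: a FORWARD rule that lets the tunnel subnet out, and a nat-table POSTROUTING MASQUERADE (or SNAT) for it. Note that `iptables -vnL` lists only the filter table, which is why the earlier dump could never show the missing piece; the nat table needs `iptables -t nat -vnL`. The sample dumps are constructed, and the WAN interface name vlan2 is inferred from the DROP rules in the posted dump.

```python
import re

# Constructed sample, abridged from the FORWARD chain dumped earlier in the thread (filter table only).
FILTER_DUMP = """\
Chain FORWARD (policy ACCEPT 495 packets, 25376 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3656  585K ACCEPT     0    --  *      *       10.168.1.0/24        0.0.0.0/0
    0     0 ACCEPT     0    --  tun0   br0     0.0.0.0/0            0.0.0.0/0
"""
# Constructed samples of `iptables -t nat -vnL POSTROUTING` before and after the MASQUERADE fix.
NAT_BEFORE = """\
Chain POSTROUTING (policy ACCEPT 12 packets, 900 bytes)
 pkts bytes target     prot opt in     out     source               destination
  100  6000 MASQUERADE  0    --  *      vlan2   192.168.1.0/24       0.0.0.0/0
"""
NAT_AFTER = NAT_BEFORE + \
    "    5   300 MASQUERADE  0    --  *      *       10.168.1.0/24        0.0.0.0/0\n"

CHAIN_RE = re.compile(r"Chain (\S+) \((?:policy (\w+)|\d+ references)")

def parse_chains(dump):
    """Parse -vnL output into {chain: {"policy": str|None, "rules": [dict, ...]}}."""
    chains, current = {}, None
    for line in dump.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = chains[m.group(1)] = {"policy": m.group(2), "rules": []}
            continue
        f = line.split(None, 9)  # pkts bytes target prot opt in out source destination [extra]
        if current is None or len(f) < 9 or f[0] == "pkts":
            continue  # blank line or column header
        current["rules"].append(dict(zip(("target", "prot", "opt", "in", "out", "src", "dst"), f[2:9])))
    return chains

def rule_matches(rule, targets, subnet, in_ifs, out_ifs):
    return (rule["target"] in targets and rule["src"] in (subnet, "0.0.0.0/0")
            and rule["in"] in in_ifs and rule["out"] in out_ifs)

def vpn_forwarded(chains, subnet="10.168.1.0/24", tun_if="tun0", wan_if="vlan2"):
    """Does FORWARD let the tunnel subnet out towards the WAN? (Rule order and
    conntrack state are ignored; this is a sanity check, not a full simulation.)"""
    fw = chains.get("FORWARD", {"policy": None, "rules": []})
    return fw["policy"] == "ACCEPT" or any(
        rule_matches(r, {"ACCEPT"}, subnet, {tun_if, "*"}, {wan_if, "*"}) for r in fw["rules"])

def vpn_masqueraded(chains, subnet="10.168.1.0/24", wan_if="vlan2"):
    """Does nat POSTROUTING rewrite the tunnel subnet's source address on the way out?
    Without this, replies from the Internet are addressed to 10.168.1.x and never come back."""
    post = chains.get("POSTROUTING", {"rules": []})
    return any(rule_matches(r, {"MASQUERADE", "SNAT"}, subnet, {"*"}, {wan_if, "*"})
               for r in post["rules"])
```

Feed it the real output of both commands on the router to confirm each piece is present before reaching for the firewall box.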
don_b
DD-WRT Novice


Joined: 23 Apr 2013
Posts: 11

PostPosted: Thu May 16, 2013 17:33
Glad you got it working.

I will try out the same thing with my home router very soon.

Just a quick question. I have a Wi-Fi Blu-ray DVD player that streams Netflix, Amazon Prime and other stuff.
Do you know, if the VPN server is up and running on the DD-WRT router, whether I would have problems streaming on that client (DVD player)? Or would traffic from that client work just fine? Any thoughts?
calpalmore
DD-WRT Novice


Joined: 11 May 2013
Posts: 7

PostPosted: Thu May 16, 2013 22:31
I haven't had time to benchmark the VPN yet. But it seems pretty fast when doing web browsing, etc. I'll have to try out video streaming Netflix through the tunnel for example.

Are you concerned about the VPN server running on the router causing slowdowns in normal, non-VPN traffic flowing through the router?

Or are you wondering if the VPN tunnel is fast enough to stream video?
don_b
DD-WRT Novice


Joined: 23 Apr 2013
Posts: 11

PostPosted: Thu May 16, 2013 23:24
What I was wondering is: with the OpenVPN server up on the DD-WRT router, how would my Sony Blu-ray player stream Netflix?
Obviously there is no way I can add certificates and keys, etc. on the Blu-ray player.
I am pretty sure there would be a way to get the DVD player's IP to bypass the VPN tunnel and directly reach Netflix.
calpalmore
DD-WRT Novice


Joined: 11 May 2013
Posts: 7

PostPosted: Fri May 17, 2013 2:16
The VPN server has no effect on the regular router traffic. The router can still pass traffic back and forth between the LAN and WAN ports while at the same time handling a VPN tunnel running between the VPN client and the VPN server.