Posted: Sat Dec 26, 2015 23:40 Post subject: Help with Site to Site OpenVPN tunnel
Hi,
So I’m working on setting up an OpenVPN tunnel between my parents’ router and my router. My goal is to be able to access all computers from either side of the tunnel and, most importantly, share files. I’m pretty close to having this working and have gotten a tunnel set up between both routers. My only problem is that I’m unable to see any computers on either side of the tunnel. What I’m asking for is any help to see if I’m doing anything wrong.
My configuration is as follows:
Both routers are R8000s running DD-WRT Kong 28575M from 12/21/15.
Client:
Router IP: 192.168.10.1
OpenVPN Client Config is in the attached picture:
I don’t have any extra commands in additional config box for client.
I took a screenshot from the server status page showing that it’s connected. I also know it’s connected since I can access the client router’s DD-WRT page through the tunnel at IP address 10.1.2.2. I just can’t access any other computers on the client side (anything on the 192.168.10.x network).
I also attached a copy/paste from the ClientLog in case this might be helpful (I xxx’d out my IP addresses):
Clientlog:
20151226 18:19:01 I OpenVPN 2.3.8 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 22 2015
20151226 18:19:01 I library versions: OpenSSL 1.0.2e 3 Dec 2015 LZO 2.09
20151226 18:19:01 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20151226 18:19:01 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20151226 18:19:01 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
20151226 18:19:01 W WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible
20151226 18:19:01 I Control Channel Authentication: using '/tmp/openvpncl/ta.key' as a OpenVPN static key file
20151226 18:19:01 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
20151226 18:19:01 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
20151226 18:19:01 Socket Buffers: R=[180224->131072] S=[180224->131072]
20151226 18:19:01 I UDPv4 link local: [undef]
20151226 18:19:01 I UDPv4 link remote: [AF_INET]xxxxxxxxxxxxx:1194
20151226 18:19:16 TLS: Initial packet from [AF_INET]xxxxxxxxxx:1194 sid=3d90fd4e f0af815f
20151226 18:19:16 VERIFY OK: depth=1 C=US ST=KY L=Louisville O=OpenVPN OU=Subhash CN=Subhash name=Subhash emailAddress=xxxxxxxxxxxxxxx
20151226 18:19:16 VERIFY OK: nsCertType=SERVER
20151226 18:19:16 NOTE: --mute triggered...
20151226 18:19:16 6 variation(s) on previous 3 message(s) suppressed by --mute
20151226 18:19:16 I [server] Peer Connection Initiated with [AF_INET]xxxxxxxxx:1194
20151226 18:19:18 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
20151226 18:19:19 PUSH: Received control message: 'PUSH_REPLY route 192.168.1.0 255.255.255.0 dhcp-option DNS 8.8.8.8 route-gateway 10.1.2.1 topology subnet ping 10 ping-restart 120 ifconfig 10.1.2.2 255.255.255.0'
20151226 18:19:19 OPTIONS IMPORT: timers and/or timeouts modified
20151226 18:19:19 NOTE: --mute triggered...
20151226 18:19:19 4 variation(s) on previous 3 message(s) suppressed by --mute
20151226 18:19:19 I TUN/TAP device tun1 opened
20151226 18:19:19 TUN/TAP TX queue length set to 100
20151226 18:19:19 I do_ifconfig tt->ipv6=1 tt->did_ifconfig_ipv6_setup=0
20151226 18:19:19 I /sbin/ifconfig tun1 10.1.2.2 netmask 255.255.255.0 mtu 1500 broadcast 10.1.2.255
20151226 18:19:19 /sbin/route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.1.2.1
20151226 18:19:19 I Initialization Sequence Completed
20151226 18:21:01 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20151226 18:21:01 D MANAGEMENT: CMD 'state'
20151226 18:21:01 MANAGEMENT: Client disconnected
20151226 18:21:01 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20151226 18:21:01 D MANAGEMENT: CMD 'state'
20151226 18:21:01 MANAGEMENT: Client disconnected
20151226 18:21:01 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20151226 18:21:01 D MANAGEMENT: CMD 'state'
20151226 18:21:01 MANAGEMENT: Client disconnected
20151226 18:21:01 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20151226 18:21:01 D MANAGEMENT: CMD 'status 2'
20151226 18:21:01 MANAGEMENT: Client disconnected
20151226 18:21:01 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20151226 18:21:01 D MANAGEMENT: CMD 'log 500'
20151226 18:21:01 MANAGEMENT: Client disconnected
20151226 18:29:11 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20151226 18:29:11 D MANAGEMENT: CMD 'state'
20151226 18:29:11 MANAGEMENT: Client disconnected
20151226 18:29:11 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20151226 18:29:11 D MANAGEMENT: CMD 'state'
20151226 18:29:11 MANAGEMENT: Client disconnected
20151226 18:29:11 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20151226 18:29:11 D MANAGEMENT: CMD 'state'
20151226 18:29:11 MANAGEMENT: Client disconnected
20151226 18:29:11 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20151226 18:29:11 D MANAGEMENT: CMD 'status 2'
20151226 18:29:11 MANAGEMENT: Client disconnected
20151226 18:29:11 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20151226 18:29:11 D MANAGEMENT: CMD 'log 500'
PS - Just a comment for eibgrad. You have got to be the most patient person I’ve ever seen on the internet. I actually learned how to set up OpenVPN over the past two weeks just by reading and searching all the the threads on this site and reading your replies. It seems like you answer the exact same question on so many threads and I’m impressed with your patience and understanding with everyone.
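The ClientLog above carries more than the "Initialization Sequence Completed" line: the PUSH_REPLY shows exactly which routes the server handed the client (only 192.168.1.0/24 here, nothing for the return path), and the two WARNING lines flag key files that other users on the router can read. The following Python is an added example, not part of the post or of DD-WRT, that parses those lines and reports the points a defender would check; the sample input is copied from the log above, and the `expected_remote_lan` parameter is this example's own idea.

```python
import ipaddress
import re

# Sample input: lines copied from the ClientLog posted above (constructed subset).
CLIENT_LOG = """\
20151226 18:19:01 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20151226 18:19:01 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
20151226 18:19:01 W WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible
20151226 18:19:01 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
20151226 18:19:19 PUSH: Received control message: 'PUSH_REPLY route 192.168.1.0 255.255.255.0 dhcp-option DNS 8.8.8.8 route-gateway 10.1.2.1 topology subnet ping 10 ping-restart 120 ifconfig 10.1.2.2 255.255.255.0'
20151226 18:19:19 /sbin/route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.1.2.1
20151226 18:19:19 I Initialization Sequence Completed
"""


def parse_push_reply(log_text):
    """Turn the PUSH_REPLY option string into a dict; None if the server pushed nothing."""
    m = re.search(r"PUSH_REPLY (.*?)'", log_text)
    if not m:
        return None
    toks = m.group(1).split()
    out = {"routes": [], "dns": [], "ifconfig": None, "route_gateway": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "route":  # 'route <net> <mask>' -> CIDR string
            out["routes"].append(str(ipaddress.ip_network(f"{toks[i+1]}/{toks[i+2]}", strict=False)))
            i += 3
        elif t == "ifconfig":  # 'ifconfig <addr> <mask>' in topology subnet
            out["ifconfig"] = str(ipaddress.ip_interface(f"{toks[i+1]}/{toks[i+2]}"))
            i += 3
        elif t == "route-gateway":
            out["route_gateway"] = toks[i + 1]
            i += 2
        elif t == "dhcp-option" and toks[i + 1] == "DNS":
            out["dns"].append(toks[i + 2])
            i += 3
        else:  # topology, ping, ping-restart and anything else: skip one token
            i += 1
    return out


def key_file_warnings(log_text):
    """Paths OpenVPN complained about because group/others can read them."""
    return re.findall(r"WARNING: file '([^']+)' is group or others accessible", log_text)


def control_channel_hmac(log_text):
    m = re.search(r"message hash '([A-Z0-9]+)' for HMAC", log_text)
    return m.group(1) if m else None


def tunnel_up(log_text):
    return "Initialization Sequence Completed" in log_text


def audit(log_text, expected_remote_lan):
    """Findings a defender would raise after reading a client log (hypothetical checklist)."""
    findings = []
    push = parse_push_reply(log_text)
    if push is None:
        findings.append("no PUSH_REPLY seen: the server pushed no options")
    elif expected_remote_lan not in push["routes"]:
        findings.append(f"server did not push a route for {expected_remote_lan}")
    for path in key_file_warnings(log_text):
        findings.append(f"{path} is readable by group/others; private keys should be mode 0600")
    if control_channel_hmac(log_text) == "SHA1":
        findings.append("control channel HMAC is SHA1; 'auth SHA256' on both ends is the stronger choice")
    if not tunnel_up(log_text):
        findings.append("tunnel never reached 'Initialization Sequence Completed'")
    return findings


if __name__ == "__main__":
    print(parse_push_reply(CLIENT_LOG))
    for f in audit(CLIENT_LOG, "192.168.1.0/24"):
        print("-", f)
```

Note that the pushed routes only ever describe the server side; nothing in a client log can tell you whether the server has the `route`/`iroute` pair it needs to send traffic back to 192.168.10.0/24, which is why the return path has to be checked on the server.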
So I tested out pinging from the client side and it looks like I'm getting closer now. I can ping computers on the server network (192.168.1.x) from the client network (192.168.10.x).
I still cannot ping any computers on the client network when I'm on the server's side, however. I can only access the client router through the tunnel address (10.1.2.2). What's interesting though is that if I do a traceroute to the client router's local IP address (192.168.10.1) it doesn't get to the destination, but the addresses it's going through are pretty close to it, as "midwest.rr.com" is familiar to me. Not sure why it just loses the route to the client network after a few hops though. I attached a picture to show you.
So I tried the changes you suggested and unfortunately I still cannot ping anything on the client network (192.168.10.x) from the server side (192.168.1.x). Also, now I can't access the remote client's DD-WRT page through the tunnel IP address (10.1.2.2). What's interesting though is that on the OpenVPN status page it gave the client a new virtual address (192.168.1.0), which I think means it's trying to route the client network to the server network. I attached a picture of this.
I saw you're helping another person, JoeArmy, with a different, but somewhat similar issue with OpenVPN. I saw you advised adding a route command to the OpenVPN server config file to allow routing from the server network to the client network. I did the same thing and added this command to my OpenVPN server additional config:
route 192.168.10.0 255.255.255.0
With that I can again access my client DD-WRT router at the tunnel IP address 10.1.2.2. However, I still cannot access any computers on the client network (192.168.10.x). Also, on the OpenVPN Status page I then lose the additional routing that I mentioned above; I attached a picture to show you. I'm not sure if adding that route command interfered with the original changes you had suggested (the iroute command).
I modified your original suggestion for the iroute command to make it refer to the client address (192.168.10.0) instead of the server address (192.168.1.0).
Doing that and adding the extra route command you had mentioned in the other thread solved it, and I can now ping computers on the remote network!
Just for completeness sake, my OpenVPN Server startup script has:
And it's working!
Now that it's working, it's time for hopefully the final wrinkle!
On my client side, I have a wireless bridge on the network - a WNDR3700v1 at IP address 192.168.10.5. It's running DD-WRT on it and I would like to make it the OpenVPN client in this setup instead of the main router. The main router is already an OpenVPN server for my phone, etc... and does so much already that I'd prefer to distribute the workload to this other router that isn't doing too much.
What I'll do is simply copy my configuration to the wireless bridge and modify the IP addresses as needed (192.168.10.5 instead of 192.168.10.1).
I think I'll need to add a static route on the client network's main router (192.168.10.1) so that it knows to reach resources on the OpenVPN tunnel (10.1.2.0) by going through the wireless bridge as a gateway (192.168.10.5).
I do know that the wireless bridge is not directly connected to the WAN and I think I saw you mention in another post once that this might make it very difficult or maybe even impossible to set up. If you feel it's impossible then I'll stop here and keep things as is. Let me know what you think, and thanks for all your help!
PS - you had mentioned in an earlier post that I can avoid NAT-ing the tunnel by adding a static route to the client network. I read that having NAT adds overhead to a network. Any idea what route I would add on the client network (192.168.10.x)? My guess is:
Thanks again for all your help! So far everything seems to be working well, but I really haven't had a lot of time to test it out.
I see your point about using different keys with different common names - especially as one of the routers is acting as both an OpenVPN server and OpenVPN client. And though the keys are different, both have a client1. I think I'll just try to create a new key called sitetosite as you suggested and then update the client configuration. I ran the command you asked about:
As for the NAT - I disabled it as you suggested and I'm still able to access both networks, so looks like that's working as well.
I do plan on moving the OpenVPN client to my wireless bridge, but I'll probably do this in a few days when I have more free time. I'll let you know how it goes, but hopefully with the right static route it should work without too much trouble.
One thing I remember seeing you mention in a previous post - you had commented on changing the ports used for security. I think you had mentioned some bots that constantly try to access routers on common ports (i.e. 1194, etc.). Should I change the ports I'm using for my OpenVPN server? If so, is there a range of ports for me to choose from?
I had some time today and decided to try and move the OpenVPN Client from the main router (192.168.10.1) to the wireless bridge (192.168.10.5).
I basically copied and pasted everything from the first router to the second one. I didn't see anything that looked like it needed to be changed. I also looked at the OpenVPN Server (192.168.1.1) and it doesn't look like anything needs to change there.
It connects, but I cannot access any of the computers on the Server side. I'm guessing it has to do with the static route needed. I think I'm getting confused as to what static route I should put on the OpenVPN Client's Gateway (192.168.1.1). I tried quite a few combinations.
So I tried it (after moving the OpenVPN Client back to 192.168.10.5), but still cannot ping the computers on the server side. Any ideas?
Could this have to do with how my wireless bridge is configured? 192.168.10.5 is set to work as a Router (under Setup->Advanced Routing). I did that based on the instructions to set it up as a wireless bridge. Would changing it back to a gateway fix my OpenVPN issue and allow it to still function as a wireless bridge?
I tried setting up the static route, but for some reason I still can't ping any computers on the Server network (192.168.1.x) Interestingly, I can't even ping either side of the tunnel (10.1.2.1 or 10.1.2.2)
From looking at the routing tables on the main router and on the wireless bridge I feel like it should be working.
I attached pictures of my static route and the routing tables from 192.168.10.1 and 192.168.10.5
Overall I can tell I'm really close. Kind of makes it a little frustrating at the same time because I have a feeling it's going to be something obvious I'm missing.
I tried the new firewall command in my main router on the client network (192.168.10.1) but no luck. Still can't ping or access computers on the server side.
Your question about the gateway is a very good one. I'm pretty sure the problem has to do with my wireless bridge and how I set it up. That's really the only thing different from when the OpenVPN Client was working on the main router (192.168.10.1) instead of the wireless bridge (192.168.10.5). Maybe it'll be easier if I explain how I created the wireless bridge.
I specify the gateway in two separate places on the bridge. On the Basic Setup page, I specify the gateway and Local DNS as 192.168.10.1. Also on the wireless settings page, I have the wireless in "Client Bridge (Routed)" mode and specify the gateway as 192.168.10.1. I attached pictures.
In addition to the instructions I followed, I disabled the DNSMasq (I'm assuming it's not needed since the bridge is not a DHCP server).
For the main router 192.168.10.1, I actually left the gateway blank. I think I saw a post of yours where you mentioned putting the gateway on the main router is redundant.
So I came up with a bright idea. I was thinking about it and my main router (192.168.10.1) has an OpenVPN server running on it using UDP port 1192. The wireless bridge (192.168.10.5) OpenVPN client is also using UDP port 1192.
I started thinking, what if perhaps my main router was getting confused with the ports and where to route them? So I changed my OpenVPN Client to use UDP port 450 and configured my parents' router (192.168.1.1) OpenVPN server to also use port 450. Not only that, but I also added a port forward on my main router (192.168.10.1) so that UDP 450 points to the wireless bridge (192.168.10.5).
I set it all up and....
It still didn't work. Haha, perhaps this is going to be more complicated than I had originally thought!
Just wanted to say thanks for your help! Even though it didn't work with the OpenVPN client on the wireless bridge, at least I have the Site to Site tunnel working on my main router so I'll go back to that configuration.
It's too bad it didn't work though. I feel like it was so close to working. In fact, when I would telnet into the wireless bridge, I could ping all the clients on the server side without issue. I think you're right that it's perhaps some sort of error in how the routing tables are made for the Atheros DD-WRT version.
Do you think I should create a ticket for Brainslayer to maybe look at it?
Hi, thanks for the offer to set this up in your lab. Up to you if you want to do it, but I think ultimately you are probably correct that it's a bug in how Atheros handles the whole "Client Bridge (Routed)" and I just need to find a way to let my main router know how to access the VPN tunnel from the OpenVPN client.
I can confirm that my OpenVPN client (192.168.10.5) is correctly connected to the OpenVPN server (192.168.1.1), as I can ping the other network if I SSH into 192.168.10.5, but my problem is that my network gateway (192.168.10.1) is unable to figure out how to access this. I attached pictures showing that I can ping the OpenVPN server (192.168.1.1) and even a computer on the server's network (192.168.1.5) from the OpenVPN Client (192.168.10.5). When I try the same thing from my gateway 192.168.10.1, it fails, as in the other picture.
I enabled NAT on the tunnel as you suggested, but I'm not sure what new static route I need to add. Should I add a Route with Destination 10.1.2.0 (tunnel network) and the gateway as 192.168.10.5 (OpenVPN Client)?
Joined: 13 Aug 2013 Posts: 6870 Location: Romerike, Norway
Posted: Sun Jan 03, 2016 10:55 Post subject:
buffpatel wrote:
I enabled NAT on the tunnel as you suggested, but I'm not sure what new static route I need to add. Should I add a Route with Destination 10.1.2.0 (tunnel network) and the gateway as 192.168.10.5 (OpenVPN Client)?
You shouldn't have enabled NAT. What is probably missing is a route on 192.168.10.1 to 192.168.1.0/24 with 192.168.10.5 as gateway.
You shouldn't have enabled NAT. What is probably missing is a route on 192.168.10.1 to 192.168.1.0/24 with 192.168.10.5 as gateway.
Thanks for the advice. I actually disabled NAT and put in the static route as previously.
I did make a very interesting discovery though! When I SSH into the ClientBridge router (192.168.10.5) I can ping the Server (192.168.1.1) and all of the computers on the Server side. Not only that, but any computer directly plugged into the ClientBridge router can also ping the OpenVPN Server (192.168.1.1) and all computers on the server side!
However, any computer that connects to the main router (192.168.10.1) either through wifi or plugged in cannot access the Server network. So, now I'm thinking my problem is making my main router know how to access the OpenVPN tunnel and the network on the other side.
Also, I tested things on the server side of the network. The computers on the server network are only able to ping the client router (192.168.10.5). For whatever reason they cannot ping any other computers on the client network, even ones directly plugged in. If I try to ping the main router on the client side (192.168.10.1) from a computer on the server side (its IP address is 192.168.1.5), I get this error message from the OpenVPN Client (192.168.10.5) that says the main router (192.168.10.1) is unreachable:
PING 192.168.10.1 (192.168.10.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
92 bytes from 192.168.10.5: Destination Host Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 3da8 0 0000 3e 01 b2aa 192.168.1.5 192.168.10.1
92 bytes from 192.168.10.5: Destination Host Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 9233 0 0000 3e 01 5e1f 192.168.1.5 192.168.10.1
92 bytes from 192.168.10.5: Destination Host Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 9b89 0 0000 3e 01 54c9 192.168.1.5 192.168.10.1
Any ideas? It seems like it's again issues with getting the packets to the main router.
Anyway, after all the time I've spent on this, I'm starting to think perhaps I should just keep my OpenVPN client on my main router (192.168.10.1) and forget about trying to set this up on my wireless bridge. It seems like there are quite a few more issues than I had originally thought there would be in setting this up.
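The thread's three routing changes (the `route 192.168.10.0 255.255.255.0` and client `iroute` on the server, and the static route on 192.168.10.1 that the reply above recommends) are easier to reason about as plain longest-prefix lookups. The Python below is an added example, not code from the thread or from DD-WRT: it models the three routers with the addresses from the posts and walks a packet hop by hop, so you can see which missing entry sends traffic to the ISP (the traceroute through midwest.rr.com earlier in the thread) and which makes the OpenVPN server drop it internally. It covers IP routing only; whatever the "Client Bridge (Routed)" mode does at layer 2 (the Destination Host Unreachable replies from 192.168.10.5 above) is outside this model.

```python
import ipaddress
from dataclasses import dataclass, field

N = ipaddress.ip_network


@dataclass
class Router:
    name: str
    # (prefix, next_hop); next_hop is "lan" (deliver directly), "wan" (default to ISP),
    # "tun:<peer router>" (send into the OpenVPN tunnel) or the name of a LAN neighbour.
    routes: list
    # OpenVPN server only: its internal table built from ifconfig-push and iroute lines.
    # A packet the kernel sends into tun0 is dropped if no entry here covers it.
    iroutes: dict = field(default_factory=dict)


def lookup(router, dst):
    """Kernel-style longest-prefix match; returns the next hop or None."""
    best = None
    for net, nh in router.routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def forward(routers, start, dst, max_hops=8):
    """Walk a packet from router `start` towards `dst`; returns (delivered, path)."""
    dst = ipaddress.ip_address(dst)
    cur, path = start, [start]
    for _ in range(max_hops):
        r = routers[cur]
        nh = lookup(r, dst)
        if nh is None:
            return False, path + [f"dropped on {cur}: no route to {dst}"]
        if nh == "wan":
            return False, path + ["isp: default route, never enters the tunnel"]
        if nh == "lan":
            return True, path + [f"delivered {dst}"]
        if nh.startswith("tun:"):
            peer = nh[4:]
            if r.iroutes:  # an OpenVPN server must know which client owns dst
                peer = next((c for net, c in r.iroutes.items() if dst in net), None)
                if peer is None:
                    return False, path + [f"dropped by openvpn on {cur}: no iroute covers {dst}"]
            cur = peer
        else:
            cur = nh
        path.append(cur)
    return False, path + ["hop limit exceeded"]


def build(main_static_route=False, server_route=False, server_iroute=False):
    """Constructed topology from the thread: server 192.168.1.1 (tun 10.1.2.1),
    OpenVPN client on the bridge 192.168.10.5 (tun 10.1.2.2), main router 192.168.10.1."""
    server = Router("192.168.1.1", [
        (N("192.168.1.0/24"), "lan"),
        (N("10.1.2.0/24"), "tun:192.168.10.5"),
        (N("0.0.0.0/0"), "wan"),
    ], iroutes={N("10.1.2.0/24"): "192.168.10.5"})
    if server_route:    # 'route 192.168.10.0 255.255.255.0' in the server config (kernel table)
        server.routes.append((N("192.168.10.0/24"), "tun:192.168.10.5"))
    if server_iroute:   # 'iroute 192.168.10.0 255.255.255.0' in the client's ccd entry
        server.iroutes[N("192.168.10.0/24")] = "192.168.10.5"
    bridge = Router("192.168.10.5", [
        (N("192.168.10.0/24"), "lan"),
        (N("10.1.2.0/24"), "tun:192.168.1.1"),
        (N("192.168.1.0/24"), "tun:192.168.1.1"),   # pushed by the server (PUSH_REPLY above)
        (N("0.0.0.0/0"), "192.168.10.1"),
    ])
    main = Router("192.168.10.1", [
        (N("192.168.10.0/24"), "lan"),
        (N("0.0.0.0/0"), "wan"),
    ])
    if main_static_route:  # the static route the reply recommends
        main.routes.append((N("192.168.1.0/24"), "192.168.10.5"))
    return {r.name: r for r in (server, bridge, main)}


if __name__ == "__main__":
    print("client LAN -> server, no static route:", forward(build(), "192.168.10.1", "192.168.1.5"))
    print("client LAN -> server, with static route:",
          forward(build(main_static_route=True), "192.168.10.1", "192.168.1.5"))
    print("server -> client LAN, route but no iroute:",
          forward(build(server_route=True), "192.168.1.1", "192.168.10.1"))
    print("server -> client LAN, route + iroute:",
          forward(build(server_route=True, server_iroute=True), "192.168.1.1", "192.168.10.1"))
```

Each direction needs its own fix: the static route on 192.168.10.1 only helps traffic leaving the client LAN, and the server-side `route` without the matching `iroute` gets the packet into tun0 only for OpenVPN to discard it, which is why both lines were needed earlier in the thread.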