Posted: Tue Jan 05, 2016 13:34 Post subject: OpenVPN Cannot See LAN Computers
I am running Kong build 28600 on my R8000. While I am able to connect with OpenVPN, I am unable to view any LAN computers. I have pored through various posts and online tutorials, but I have had no luck. I hope that someone in these forums might point me in the right direction. Here are my router settings:
Local IP Address: 192.168.1.1
DNSMasq enabled.
Local DNS enabled.
No DNS rebind enabled.
Additional DNSMasq Options:
interface=tun2
OpenVPN enabled.
Start Type: WAN up
Config as: Server
Server Mode: Router (tun)
VPN Network: 192.168.3.0
VPN Net Mask: 255.255.255.0
VPN Port: 1194
Tunnel Protocol: UDP
Redirect default Gateway enabled.
Allow Client to Client enabled.
Additional VPN Config:
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 192.168.1.1"
Firewall Commands:
Code:
#!/bin/sh
OVPN_SERVER="192.168.3.0/24"
OVPN_DEV="tun2"
OVPN_PROTO="upd"
OVPN_PORT="1194"
# WAN interface name; the rules below reference $WAN_IF
WAN_IF="$(nvram get wan_iface)"
LAN_IP="$(nvram get lan_ipaddr)"
LAN_NET="$LAN_IP/$(nvram get lan_netmask)"
LAN_SERVER="$LAN_IP/24"
# open the OpenVPN server port
iptables -I INPUT -i $WAN_IF -p $OVPN_PROTO --dport $OVPN_PORT -j ACCEPT
# allow OpenVPN clients to access the OpenVPN server
iptables -I INPUT -i $OVPN_DEV -m state --state NEW -j ACCEPT
# allow OpenVPN clients to access ALL other devices on the LAN
iptables -I FORWARD -i $OVPN_DEV -m state --state NEW -j ACCEPT
iptables -I FORWARD -i $LAN_SERVER -m state --state NEW -j ACCEPT
# allow OpenVPN clients to use the OpenVPN server as an internet gateway
iptables -t nat -A POSTROUTING -s $OVPN_SERVER -o $WAN_IF -j MASQUERADE
# allow local devices to become clients of the remote network
iptables -I FORWARD -o $OVPN_DEV -m state --state NEW -j ACCEPT
iptables -I FORWARD -o $LAN_SERVER -m state --state NEW -j ACCEPT
# NAT anything that's NOT the local network (e.g., WAN) over the OpenVPN tunnel
iptables -t nat -A POSTROUTING -s ! $LAN_NET -o $OVPN_DEV -j MASQUERADE
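The variables in the posted script go straight into iptables, so a slip in any of them silently produces a rule that never matches: the script never defines WAN_IF, so it expands to nothing unless the environment supplies it; "upd" is not a protocol iptables knows; and -i/-o take interface names (br0, tun2, vlan2) while an addr/mask such as $LAN_SERVER belongs to -s/-d. The script below is an added example, not the poster's or Eibgrad's code: it checks each value before anything is loaded and then prints the server-mode rules as a dry run rather than applying them. The function names are my own, the values are the ones posted in the thread, and vlan2 is assumed as the WAN interface (it is the one named in the poster's route table later in the thread).

```shell
#!/bin/sh
# Added example (not the poster's script): pre-flight checks for the values the
# firewall script above feeds into iptables, plus a dry run that prints the rules.
# Runs on any POSIX sh; nvram and iptables are never called, so it can be tested
# off the router.

# check_proto PROTO -> 0 only for tcp or udp (catches the "upd" typo)
check_proto() {
    case "$1" in
        tcp|udp) return 0 ;;
        *) return 1 ;;
    esac
}

# check_port PORT -> 0 for an integer in 1..65535
check_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_ipv4 A.B.C.D -> 0 for four decimal octets in 0..255
check_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# check_iface NAME -> 0 for something iptables -i/-o can match: non-empty
# (an unset WAN_IF expands to nothing), at most 15 characters, and neither an
# address nor addr/mask, which belong to -s/-d instead
check_iface() {
    [ -n "$1" ] && [ "${#1}" -le 15 ] || return 1
    case "$1" in
        */*|*' '*) return 1 ;;
    esac
    ! check_ipv4 "$1"
}

# check_net ADDR/MASK -> 0 for an address followed by a prefix length or a
# dotted mask (iptables -s/-d accept both forms)
check_net() {
    addr=${1%%/*}; mask=${1#*/}
    [ "$addr" != "$1" ] || return 1          # no "/" at all
    check_ipv4 "$addr" || return 1
    case "$mask" in
        *.*) check_ipv4 "$mask" ;;
        ''|*[!0-9]*) return 1 ;;
        *) [ "$mask" -le 32 ] ;;
    esac
}

# preflight WAN_IF OVPN_DEV OVPN_PROTO OVPN_PORT OVPN_SERVER LAN_NET
# Reports every bad value on stdout and returns the number of problems found.
preflight() {
    problems=0
    check_iface "$1" || { echo "WAN_IF='$1' is not an interface name"; problems=$((problems + 1)); }
    check_iface "$2" || { echo "OVPN_DEV='$2' is not an interface name"; problems=$((problems + 1)); }
    check_proto "$3" || { echo "OVPN_PROTO='$3' must be tcp or udp"; problems=$((problems + 1)); }
    check_port "$4"  || { echo "OVPN_PORT='$4' is not a valid port"; problems=$((problems + 1)); }
    check_net "$5"   || { echo "OVPN_SERVER='$5' is not addr/mask"; problems=$((problems + 1)); }
    check_net "$6"   || { echo "LAN_NET='$6' is not addr/mask"; problems=$((problems + 1)); }
    return "$problems"
}

# emit_rules WAN_IF OVPN_DEV OVPN_PROTO OVPN_PORT OVPN_SERVER LAN_NET
# Dry run: prints the server-mode rules (interfaces on -i/-o, networks on -s/-d)
# so they can be reviewed before the output is piped into sh on the router.
emit_rules() {
    preflight "$@" >/dev/null || return 1
    cat <<EOF
# open the OpenVPN server port on the WAN side
iptables -I INPUT -i $1 -p $3 --dport $4 -j ACCEPT
# let VPN clients reach the router itself (DNS, admin pages)
iptables -I INPUT -i $2 -m state --state NEW -j ACCEPT
# let VPN clients open connections to the LAN and, via the WAN, the internet
iptables -I FORWARD -i $2 -s $5 -m state --state NEW -j ACCEPT
# let LAN hosts open connections to VPN clients
iptables -I FORWARD -o $2 -s $6 -d $5 -m state --state NEW -j ACCEPT
# VPN clients using redirect-gateway leave through the WAN behind NAT
iptables -t nat -A POSTROUTING -s $5 -o $1 -j MASQUERADE
EOF
}

# Values as posted in the thread: WAN_IF was never set and the protocol is misspelled.
preflight "" tun2 upd 1194 192.168.3.0/24 192.168.1.1/255.255.255.0 \
    || echo "found $? problem(s); fix them before loading any rules"
# Corrected values (vlan2 assumed as the WAN interface) produce a reviewable rule set.
emit_rules vlan2 tun2 udp 1194 192.168.3.0/24 192.168.1.1/255.255.255.0
```

Run it once with `sh preflight.sh` to see the report and the generated rules; only when preflight is clean does `emit_rules ... | sh` make sense on the router, and even then the rules are inserted at the top of INPUT and FORWARD, so they take effect ahead of DD-WRT's own chain entries.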
Thank you so much for your eyes, Eibgrad. The "upd" typo may have been the smoking gun. I fixed that typo and removed the two lines as suggested. I will reboot the router shortly and test - fingers crossed.
# open the OpenVPN server port
iptables -I INPUT -i $WAN_IF -p $OVPN_PROTO --dport $OVPN_PORT -j ACCEPT
# allow OpenVPN clients to access the OpenVPN server
iptables -I INPUT -i $OVPN_DEV -m state --state NEW -j ACCEPT
# allow OpenVPN clients to access ALL other devices on the LAN
iptables -I FORWARD -i $OVPN_DEV -m state --state NEW -j ACCEPT
iptables -I FORWARD -i $LAN_SERVER -m state --state NEW -j ACCEPT
# allow OpenVPN clients to use the OpenVPN server as an internet gateway
iptables -t nat -A POSTROUTING -s $OVPN_SERVER -o $WAN_IF -j MASQUERADE
# allow local devices to become clients of the remote network
iptables -I FORWARD -o $OVPN_DEV -m state --state NEW -j ACCEPT
iptables -I FORWARD -o $LAN_SERVER -m state --state NEW -j ACCEPT
# NAT anything that's NOT the local network (e.g., WAN) over the OpenVPN tunnel
iptables -t nat -A POSTROUTING -s ! $LAN_SERVER -o $OVPN_DEV -j MASQUERADE
Thanks again, Eibgrad. I am connecting outside the network. Yesterday, I connected from my office. This morning I connected via my cellular WiFi. Here are this morning's logs:
OpenVpn Server Log:
Code:
20160105 18:52:14 I OpenVPN 2.3.8 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan 3 2016
20160105 18:52:14 I library versions: OpenSSL 1.0.2e 3 Dec 2015 LZO 2.09
20160105 18:52:14 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:14
20160105 18:52:14 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20160105 18:52:14 Diffie-Hellman initialized with 1024 bit key
20160105 18:52:14 Socket Buffers: R=[180224->131072] S=[180224->131072]
20160105 18:52:14 I TUN/TAP device tun2 opened
20160105 18:52:14 TUN/TAP TX queue length set to 100
20160105 18:52:14 I do_ifconfig tt->ipv6=1 tt->did_ifconfig_ipv6_setup=0
20160105 18:52:14 I /sbin/ifconfig tun2 192.168.3.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.3.255
20160105 18:52:14 I UDPv4 link local (bound): [undef]
20160105 18:52:14 I UDPv4 link remote: [undef]
20160105 18:52:14 MULTI: multi_init called r=256 v=256
20160105 18:52:14 IFCONFIG POOL: base=192.168.3.2 size=252 ipv6=0
20160105 18:52:14 IFCONFIG POOL LIST
20160105 18:52:14 I Initialization Sequence Completed
20160105 19:11:27 192.168.1.200:59918 TLS: Initial packet from [AF_INET]192.168.1.200:59918 sid=2f429b0f 38739e48
20160105 19:12:27 N 192.168.1.200:59918 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
...
20160106 07:07:29 166.170.31.35:21322 TLS: Initial packet from [AF_INET]166.170.31.35:21322 sid=4b8f0abc 4588cffb
20160106 07:07:30 166.170.31.35:21322 VERIFY OK: depth=1 C=US ST=PA L=Williamsport O=OpenVPN OU=Home CN=xx name=xx emailAddress=xx
20160106 07:07:30 166.170.31.35:21322 VERIFY OK: depth=0 C=US ST=PA L=Williamsport O=OpenVPN OU=xx CN=client1 name=xx emailAddress=xx
20160106 07:07:30 166.170.31.35:21322 NOTE: --mute triggered...
20160106 07:07:30 166.170.31.35:21322 5 variation(s) on previous 3 message(s) suppressed by --mute
20160106 07:07:30 I 166.170.31.35:21322 [client1] Peer Connection Initiated with [AF_INET]166.170.31.35:21322
20160106 07:07:30 I client1/166.170.31.35:21322 MULTI_sva: pool returned IPv4=192.168.3.2 IPv6=(Not enabled)
20160106 07:07:30 client1/166.170.31.35:21322 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_93221101a108ba0eb921c9d45c865c1a.tmp
20160106 07:07:30 client1/166.170.31.35:21322 MULTI: Learn: 192.168.3.2 -> client1/166.170.31.35:21322
20160106 07:07:30 client1/166.170.31.35:21322 MULTI: primary virtual IP for client1/166.170.31.35:21322: 192.168.3.2
20160106 07:07:32 client1/166.170.31.35:21322 PUSH: Received control message: 'PUSH_REQUEST'
20160106 07:07:32 I client1/166.170.31.35:21322 send_push_reply(): safe_cap=940
20160106 07:07:32 client1/166.170.31.35:21322 SENT CONTROL [client1]: 'PUSH_REPLY redirect-gateway def1 route 192.168.1.0 255.255.255.0 dhcp-option DNS 8.8.8.8 dhcp-option DNS 192.168.1.1 route-gateway 192.168.3.1 topology subnet ping 10 ping-restart 120 ifconfig 192.168.3.2 255.255.255.0' (status=1)
Server Route Table:
Code:
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default 174.60.96.1 0.0.0.0 UG 0 0 0 vlan2
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
169.254.0.0 * 255.255.0.0 U 0 0 0 br0
174.60.96.0 * 255.255.252.0 U 0 0 0 vlan2
192.168.1.0 * 255.255.255.0 U 0 0 0 br0
192.168.3.0 * 255.255.255.0 U 0 0 0 tun2
OpenVpn Client Log:
Code:
Wed Jan 06 07:07:23 2016 OpenVPN 2.3.9 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Dec 16 2015
Wed Jan 06 07:07:23 2016 library versions: OpenSSL 1.0.1q 3 Dec 2015, LZO 2.09
Enter Management Password:
Wed Jan 06 07:07:23 2016 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Wed Jan 06 07:07:23 2016 Need hold release from management interface, waiting...
Wed Jan 06 07:07:23 2016 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Wed Jan 06 07:07:23 2016 MANAGEMENT: CMD 'state on'
Wed Jan 06 07:07:23 2016 MANAGEMENT: CMD 'log all on'
Wed Jan 06 07:07:23 2016 MANAGEMENT: CMD 'hold off'
Wed Jan 06 07:07:23 2016 MANAGEMENT: CMD 'hold release'
Wed Jan 06 07:07:23 2016 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Jan 06 07:07:23 2016 UDPv4 link local: [undef]
Wed Jan 06 07:07:23 2016 UDPv4 link remote: [AF_INET]xx.xx.xx.xx:1194
Wed Jan 06 07:07:23 2016 MANAGEMENT: >STATE:1452082043,WAIT,,,
Wed Jan 06 07:07:23 2016 MANAGEMENT: >STATE:1452082043,AUTH,,,
Wed Jan 06 07:07:23 2016 TLS: Initial packet from [AF_INET]xx.xx.xx.xx:1194, sid=55d3f0ef 3ff63757
Wed Jan 06 07:07:24 2016 VERIFY OK: depth=1, C=US, ST=PA, L=Williamsport, O=OpenVPN, OU=Home, CN=xx, name=xx, emailAddress=xx
Wed Jan 06 07:07:24 2016 VERIFY OK: nsCertType=SERVER
Wed Jan 06 07:07:24 2016 VERIFY OK: depth=0, C=US, ST=PA, L=Williamsport, O=OpenVPN, OU=xx, CN=server, name=xx, emailAddress=xx
Wed Jan 06 07:07:24 2016 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Jan 06 07:07:24 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan 06 07:07:24 2016 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Jan 06 07:07:24 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan 06 07:07:24 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Wed Jan 06 07:07:24 2016 [server] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
Wed Jan 06 07:07:25 2016 MANAGEMENT: >STATE:1452082045,GET_CONFIG,,,
Wed Jan 06 07:07:26 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Jan 06 07:07:26 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route 192.168.1.0 255.255.255.0,dhcp-option DNS 8.8.8.8,dhcp-option DNS 192.168.1.1,route-gateway 192.168.3.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.3.2 255.255.255.0'
Wed Jan 06 07:07:26 2016 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jan 06 07:07:26 2016 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jan 06 07:07:26 2016 OPTIONS IMPORT: route options modified
Wed Jan 06 07:07:26 2016 OPTIONS IMPORT: route-related options modified
Wed Jan 06 07:07:26 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Jan 06 07:07:26 2016 ROUTE_GATEWAY 192.168.137.1/255.255.255.0 I=12 HWADDR=2c:33:7a:80:bb:3b
Wed Jan 06 07:07:26 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Jan 06 07:07:26 2016 MANAGEMENT: >STATE:1452082046,ASSIGN_IP,,192.168.3.2,
Wed Jan 06 07:07:26 2016 open_tun, tt->ipv6=0
Wed Jan 06 07:07:26 2016 TAP-WIN32 device [NETGEAR-VPN] opened: \\.\Global\{F577F634-43F9-4976-8116-18B7FCEE0FC8}.tap
Wed Jan 06 07:07:26 2016 TAP-Windows Driver Version 9.21
Wed Jan 06 07:07:26 2016 Set TAP-Windows TUN subnet mode network/local/netmask = 192.168.3.0/192.168.3.2/255.255.255.0 [SUCCEEDED]
Wed Jan 06 07:07:26 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.3.2/255.255.255.0 on interface {F577F634-43F9-4976-8116-18B7FCEE0FC8} [DHCP-serv: 192.168.3.254, lease-time: 31536000]
Wed Jan 06 07:07:26 2016 NOTE: FlushIpNetTable failed on interface [31] {F577F634-43F9-4976-8116-18B7FCEE0FC8} (status=1168) : Element not found.
Wed Jan 06 07:07:31 2016 TEST ROUTES: 0/2 succeeded len=1 ret=0 a=0 u/d=up
Wed Jan 06 07:07:31 2016 Route: Waiting for TUN/TAP interface to come up...
Wed Jan 06 07:07:36 2016 TEST ROUTES: 0/2 succeeded len=1 ret=0 a=0 u/d=up
Wed Jan 06 07:07:36 2016 Route: Waiting for TUN/TAP interface to come up...
Wed Jan 06 07:07:37 2016 TEST ROUTES: 0/2 succeeded len=1 ret=0 a=0 u/d=up
Wed Jan 06 07:07:37 2016 Route: Waiting for TUN/TAP interface to come up...
Wed Jan 06 07:07:38 2016 TEST ROUTES: 0/2 succeeded len=1 ret=0 a=0 u/d=up
Wed Jan 06 07:07:38 2016 Route: Waiting for TUN/TAP interface to come up...
Wed Jan 06 07:07:39 2016 TEST ROUTES: 0/2 succeeded len=1 ret=0 a=0 u/d=up
Wed Jan 06 07:07:39 2016 Route: Waiting for TUN/TAP interface to come up...
Wed Jan 06 07:07:40 2016 TEST ROUTES: 0/2 succeeded len=1 ret=0 a=0 u/d=up
Wed Jan 06 07:07:40 2016 Route: Waiting for TUN/TAP interface to come up...
Wed Jan 06 07:07:41 2016 TEST ROUTES: 0/2 succeeded len=1 ret=0 a=0 u/d=up
Wed Jan 06 07:07:41 2016 Route: Waiting for TUN/TAP interface to come up...
Wed Jan 06 07:07:43 2016 TEST ROUTES: 0/2 succeeded len=1 ret=0 a=0 u/d=up
Wed Jan 06 07:07:43 2016 Route: Waiting for TUN/TAP interface to come up...
Wed Jan 06 07:07:44 2016 TEST ROUTES: 0/2 succeeded len=1 ret=0 a=0 u/d=up
Wed Jan 06 07:07:44 2016 Route: Waiting for TUN/TAP interface to come up...
Wed Jan 06 07:07:45 2016 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Wed Jan 06 07:07:45 2016 C:\WINDOWS\system32\route.exe ADD xx.xx.xx.xx MASK 255.255.255.255 192.168.137.1
Wed Jan 06 07:07:45 2016 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
Wed Jan 06 07:07:45 2016 Route addition via IPAPI succeeded [adaptive]
Wed Jan 06 07:07:45 2016 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.3.1
Wed Jan 06 07:07:45 2016 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Wed Jan 06 07:07:45 2016 Route addition via IPAPI succeeded [adaptive]
Wed Jan 06 07:07:45 2016 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.3.1
Wed Jan 06 07:07:45 2016 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Wed Jan 06 07:07:45 2016 Route addition via IPAPI succeeded [adaptive]
Wed Jan 06 07:07:45 2016 MANAGEMENT: >STATE:1452082065,ADD_ROUTES,,,
Wed Jan 06 07:07:45 2016 C:\WINDOWS\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 192.168.3.1
Wed Jan 06 07:07:45 2016 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Wed Jan 06 07:07:45 2016 Route addition via IPAPI succeeded [adaptive]
Wed Jan 06 07:07:45 2016 Initialization Sequence Completed
Wed Jan 06 07:07:45 2016 MANAGEMENT: >STATE:1452082065,CONNECTED,SUCCESS,192.168.3.2,xx.xx.xx.xx
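A quick structured pass over the two logs above tells you three things that are easy to miss while scrolling: how many TLS negotiations failed, which peers sent their first packet from inside the LAN the server fronts (the 19:11 attempt from 192.168.1.200 is such a case, and a test from inside the LAN exercises a different path than a remote client takes), and whether the route pushed for the LAN collides with the client's own local network, a common cause of a tunnel that connects fine but cannot reach LAN hosts. The script below is an added example, not from the thread: the function names are mine, and the two sample logs are constructed, trimmed copies of the lines posted above, written to temporary files so the functions take a path the way they would with a real log.

```shell
#!/bin/sh
# Added example (not from the thread): triage an OpenVPN server log and a
# Windows client log for the symptoms discussed above. POSIX sh plus
# grep/sed/sort only; run it off the router against saved copies of the logs.

# ip2int A.B.C.D -> prints the address as an integer
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR NET MASK -> 0 if ADDR lies inside NET/MASK
in_subnet() {
    m=$(ip2int "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# nets_overlap NET1 MASK1 NET2 MASK2 -> 0 if the two subnets overlap
# (for contiguous masks, MASK1 & MASK2 is the shorter of the two)
nets_overlap() {
    m=$(( $(ip2int "$2") & $(ip2int "$4") ))
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$3") & m )) ]
}

# pushed_routes LOGFILE -> "net mask" for every route in a PUSH_REPLY line
pushed_routes() {
    grep -o 'route [0-9.]* [0-9.]*' "$1" | sed 's/^route //' | sort -u
}

# tls_failures LOGFILE -> number of TLS negotiation failures (0 if none)
tls_failures() {
    grep -c 'TLS Error' "$1" || true
}

# lan_origin_clients LOGFILE NET MASK -> peers whose first packet came from
# inside NET/MASK, i.e. a test run from the LAN the server fronts
lan_origin_clients() {
    grep -o 'Initial packet from \[AF_INET\][0-9.]*' "$1" | sed 's/.*]//' | sort -u |
    while read -r peer; do
        if in_subnet "$peer" "$2" "$3"; then echo "$peer"; fi
    done
}

# client_local_net CLIENTLOG -> "net mask" of the client's own local network,
# taken from the ROUTE_GATEWAY line the Windows client logs
client_local_net() {
    gw=$(grep -o 'ROUTE_GATEWAY [0-9.]*/[0-9.]*' "$1" | head -n 1 | sed 's/ROUTE_GATEWAY //')
    [ -n "$gw" ] || return 1
    addr=${gw%/*}; mask=${gw#*/}
    n=$(( $(ip2int "$addr") & $(ip2int "$mask") ))   # gateway & mask = network
    echo "$(( n >> 24 & 255 )).$(( n >> 16 & 255 )).$(( n >> 8 & 255 )).$(( n & 255 )) $mask"
}

# diagnose SERVERLOG CLIENTLOG LAN_NET LAN_MASK -> human-readable summary
diagnose() {
    slog=$1; clog=$2; lnet=$3; lmask=$4
    echo "TLS negotiation failures: $(tls_failures "$slog")"
    echo "Peers that connected from inside $lnet/$lmask:"
    lan_origin_clients "$slog" "$lnet" "$lmask" | sed 's/^/  /'
    cnet=$(client_local_net "$clog") || { echo "client log: no ROUTE_GATEWAY line found"; return 0; }
    cn=${cnet% *}; cm=${cnet#* }
    pushed_routes "$slog" | while read -r rn rm; do
        if nets_overlap "$rn" "$rm" "$cn" "$cm"; then
            echo "WARNING: pushed route $rn/$rm overlaps the client's local network $cn/$cm"
        else
            echo "pushed route $rn/$rm does not clash with the client's local network $cn/$cm"
        fi
    done
}

# Constructed sample logs: trimmed copies of the lines posted in the thread.
SERVER_LOG=$(mktemp); CLIENT_LOG=$(mktemp)
trap 'rm -f "$SERVER_LOG" "$CLIENT_LOG"' EXIT
cat >"$SERVER_LOG" <<'EOF'
20160105 18:52:14 I Initialization Sequence Completed
20160105 19:11:27 192.168.1.200:59918 TLS: Initial packet from [AF_INET]192.168.1.200:59918 sid=2f429b0f 38739e48
20160105 19:12:27 N 192.168.1.200:59918 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20160106 07:07:29 166.170.31.35:21322 TLS: Initial packet from [AF_INET]166.170.31.35:21322 sid=4b8f0abc 4588cffb
20160106 07:07:32 client1/166.170.31.35:21322 SENT CONTROL [client1]: 'PUSH_REPLY redirect-gateway def1 route 192.168.1.0 255.255.255.0 dhcp-option DNS 8.8.8.8 dhcp-option DNS 192.168.1.1 route-gateway 192.168.3.1 topology subnet ping 10 ping-restart 120 ifconfig 192.168.3.2 255.255.255.0' (status=1)
EOF
cat >"$CLIENT_LOG" <<'EOF'
Wed Jan 06 07:07:26 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route 192.168.1.0 255.255.255.0,dhcp-option DNS 8.8.8.8,dhcp-option DNS 192.168.1.1,route-gateway 192.168.3.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.3.2 255.255.255.0'
Wed Jan 06 07:07:26 2016 ROUTE_GATEWAY 192.168.137.1/255.255.255.0 I=12 HWADDR=2c:33:7a:80:bb:3b
Wed Jan 06 07:07:45 2016 Initialization Sequence Completed
EOF

diagnose "$SERVER_LOG" "$CLIENT_LOG" 192.168.1.0 255.255.255.0
```

On the thread's own lines the summary reports one failed negotiation, names 192.168.1.200 as the only peer that tried from inside the LAN, and finds no clash between the pushed 192.168.1.0/24 route and the client's 192.168.137.0/24 hotspot network, which rules out the overlap explanation for this particular client; had the client been on a 192.168.1.x network at the office, the WARNING line would have pointed straight at the cause.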
I do have active access restrictions defined. They are set for late night hours on a range of IP addresses, but they do not include the current hours. For testing purposes, I just disabled the restrictions, disconnected the VPN, and then reconnected. I still can't see other computers on the LAN.
My son's phone is assigned a static IP outside the range of the restricted IPs. While it showed earlier, it is no longer showing in File Explorer.
This has been so frustrating. I had OpenVPN working flawlessly on the Netgear firmware. I wish I had some idea what is wrong. What do you recommend for the next step?
Understood. Your explanation is very good. However, with each failed VPN connection, I have been trying to ping the static IPs in my network without success. I should also note that I originally configured OpenVPN as a daemon, and I was also able to view all computers in File Explorer. However, either after updating to the latest Kong build or upon changing OpenVPN to be a server, I have not been able to do so. Also, with the Netgear firmware OpenVPN implementation, I was able to view all computers in File Explorer.
So... Would the solution be to use the same IP segment as the router LAN? The LAN currently uses 192.168.1.X and the VPN 192.168.3.X. With DD-WRT's implementation, could the VPN share 192.168.1.X, and would that perhaps remedy my issues?
Yes, the Netgear R8000 is the primary router. I guess I'll try resetting the NVRAM, re-installing the firmware, and then re-entering everything. Wish me luck!