OpenVPN Cannot See LAN Computers

WJames
DD-WRT Novice


Joined: 27 Jul 2008
Posts: 45

Posted: Tue Jan 05, 2016 13:34    Post subject: OpenVPN Cannot See LAN Computers
I am running Kong build 28600 on my R8000. While I am able to connect with OpenVPN, I am unable to view any LAN computers. I have pored through various posts and online tutorials, but I have had no luck. I hope that someone in these forums might point me in the right direction. Here are my router settings:

Local IP Address: 192.168.1.1
DNSMasq enabled.
Local DNS enabled.
No DNS rebind enabled.
Additional DNSMasq Options:
interface=tun2

OpenVPN enabled.
Start Type: WAN up
Config as: Server
Server Mode: Router (tun)
VPN Network: 192.168.3.0
VPN Net Mask: 255.255.255.0
VPN Port: 1194
Tunnel Protocol: UDP
Redirect default Gateway enabled.
Allow Client to Client enabled.
Additional VPN Config:
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 192.168.1.1"

Firewall Commands:
Code:
#!/bin/sh
OVPN_SERVER="192.168.3.0/24"
OVPN_DEV="tun2"
OVPN_PROTO="upd"
OVPN_PORT="1194"
LAN_IP="$(nvram get lan_ipaddr)"
LAN_NET="$LAN_IP/$(nvram get lan_netmask)"
LAN_SERVER="$LAN_IP/24"

WAN_IF="$(ip route | awk '/^default/{print $NF}')"

# open the OpenVPN server port
iptables -I INPUT -i $WAN_IF -p $OVPN_PROTO --dport $OVPN_PORT -j ACCEPT
 
# allow OpenVPN clients to access the OpenVPN server
iptables -I INPUT -i $OVPN_DEV -m state --state NEW -j ACCEPT

# allow OpenVPN clients to access ALL other devices on the LAN
iptables -I FORWARD -i $OVPN_DEV -m state --state NEW -j ACCEPT
iptables -I FORWARD -i $LAN_SERVER -m state --state NEW -j ACCEPT

# allow OpenVPN clients to use the OpenVPN server as an internet gateway
iptables -t nat -A POSTROUTING -s $OVPN_SERVER -o $WAN_IF -j MASQUERADE

# allow local devices to become clients of the remote network
iptables -I FORWARD -o $OVPN_DEV -m state --state NEW -j ACCEPT
iptables -I FORWARD -o $LAN_SERVER -m state --state NEW -j ACCEPT

# NAT anything that's NOT the local network (e.g., WAN) over the OpenVPN tunnel
iptables -t nat -A POSTROUTING -s ! $LAN_NET -o $OVPN_DEV -j MASQUERADE

iptables -I FORWARD -i br0 -o $OVPN_DEV -j ACCEPT
iptables -I FORWARD -i $OVPN_DEV -o br0 -j ACCEPT


OpenVPN Client:
Code:
Tue Jan 05 08:16:52 2016 OpenVPN 2.3.9 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Dec 16 2015
Tue Jan 05 08:16:52 2016 library versions: OpenSSL 1.0.1q 3 Dec 2015, LZO 2.09
Enter Management Password:
Tue Jan 05 08:16:52 2016 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Jan 05 08:16:52 2016 Need hold release from management interface, waiting...
Tue Jan 05 08:16:52 2016 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Jan 05 08:16:52 2016 MANAGEMENT: CMD 'state on'
Tue Jan 05 08:16:52 2016 MANAGEMENT: CMD 'log all on'
Tue Jan 05 08:16:52 2016 MANAGEMENT: CMD 'hold off'
Tue Jan 05 08:16:52 2016 MANAGEMENT: CMD 'hold release'
Tue Jan 05 08:16:52 2016 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Jan 05 08:16:52 2016 UDPv4 link local: [undef]
Tue Jan 05 08:16:52 2016 UDPv4 link remote: [AF_INET]xx.xx.xx.xx:1194
Tue Jan 05 08:16:52 2016 MANAGEMENT: >STATE:1451999812,WAIT,,,
Tue Jan 05 08:16:52 2016 MANAGEMENT: >STATE:1451999812,AUTH,,,
Tue Jan 05 08:16:52 2016 TLS: Initial packet from [AF_INET]xx.xx.xx.xx:1194, sid=a3f2a40a bcbf4ba4
Tue Jan 05 08:16:53 2016 VERIFY OK: depth=1, C=US, ST=PA, L=Williamsport, O=OpenVPN, OU=Home, CN=xxx, name=xxx, emailAddress=xxx
Tue Jan 05 08:16:53 2016 VERIFY OK: nsCertType=SERVER
Tue Jan 05 08:16:53 2016 VERIFY OK: depth=0, C=US, ST=PA, L=Williamsport, O=OpenVPN, OU=xxx, CN=server, name=xxx, emailAddress=xxx
Tue Jan 05 08:16:53 2016 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Jan 05 08:16:53 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 05 08:16:53 2016 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Jan 05 08:16:53 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 05 08:16:53 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Tue Jan 05 08:16:53 2016 [server] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
Tue Jan 05 08:16:54 2016 MANAGEMENT: >STATE:1451999814,GET_CONFIG,,,
Tue Jan 05 08:16:55 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Jan 05 08:16:55 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route 192.168.1.0 255.255.255.0,dhcp-option DNS 8.8.8.8,dhcp-option DNS 192.168.1.1,route-gateway 192.168.3.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.3.2 255.255.255.0'
Tue Jan 05 08:16:55 2016 OPTIONS IMPORT: timers and/or timeouts modified
Tue Jan 05 08:16:55 2016 OPTIONS IMPORT: --ifconfig/up options modified
Tue Jan 05 08:16:55 2016 OPTIONS IMPORT: route options modified
Tue Jan 05 08:16:55 2016 OPTIONS IMPORT: route-related options modified
Tue Jan 05 08:16:55 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Jan 05 08:16:55 2016 ROUTE_GATEWAY 10.1.10.1/255.255.255.0 I=11 HWADDR=2c:33:7a:80:bb:3b
Tue Jan 05 08:16:55 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jan 05 08:16:55 2016 MANAGEMENT: >STATE:1451999815,ASSIGN_IP,,192.168.3.2,
Tue Jan 05 08:16:55 2016 open_tun, tt->ipv6=0
Tue Jan 05 08:16:55 2016 TAP-WIN32 device [NETGEAR-VPN] opened: \\.\Global\{F577F634-43F9-4976-8116-18B7FCEE0FC8}.tap
Tue Jan 05 08:16:55 2016 TAP-Windows Driver Version 9.21
Tue Jan 05 08:16:55 2016 Set TAP-Windows TUN subnet mode network/local/netmask = 192.168.3.0/192.168.3.2/255.255.255.0 [SUCCEEDED]
Tue Jan 05 08:16:55 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.3.2/255.255.255.0 on interface {F577F634-43F9-4976-8116-18B7FCEE0FC8} [DHCP-serv: 192.168.3.254, lease-time: 31536000]
Tue Jan 05 08:16:55 2016 NOTE: FlushIpNetTable failed on interface [30] {F577F634-43F9-4976-8116-18B7FCEE0FC8} (status=1168) : Element not found. 
Tue Jan 05 08:17:00 2016 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Tue Jan 05 08:17:00 2016 C:\WINDOWS\system32\route.exe ADD xx.xx.xx.xx MASK 255.255.255.255 10.1.10.1
Tue Jan 05 08:17:00 2016 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=10 and dwForwardType=4
Tue Jan 05 08:17:00 2016 Route addition via IPAPI succeeded [adaptive]
Tue Jan 05 08:17:00 2016 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.3.1
Tue Jan 05 08:17:00 2016 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Tue Jan 05 08:17:00 2016 Route addition via IPAPI succeeded [adaptive]
Tue Jan 05 08:17:00 2016 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.3.1
Tue Jan 05 08:17:00 2016 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Tue Jan 05 08:17:00 2016 Route addition via IPAPI succeeded [adaptive]
Tue Jan 05 08:17:00 2016 MANAGEMENT: >STATE:1451999820,ADD_ROUTES,,,
Tue Jan 05 08:17:00 2016 C:\WINDOWS\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 192.168.3.1
Tue Jan 05 08:17:00 2016 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Tue Jan 05 08:17:00 2016 Route addition via IPAPI succeeded [adaptive]
Tue Jan 05 08:17:00 2016 Initialization Sequence Completed
Tue Jan 05 08:17:00 2016 MANAGEMENT: >STATE:1451999820,CONNECTED,SUCCESS,192.168.3.2,xx.xx.xx.xx


I have verified that the interface is indeed tun2. I imagine the firewall script is overkill (and maybe wrong). Any help is greatly appreciated!
WJames
Posted: Tue Jan 05, 2016 21:26
Thank you so much for your eyes, Eibgrad. The "upd" typo may have been the smoking gun. I fixed that typo and removed the two lines as suggested. I will reboot the router shortly and test - fingers crossed.
WJames
Posted: Tue Jan 05, 2016 23:07
Bah. I still can't see any LAN computers. Here are the adjusted Firewall commands:
Code:
#!/bin/sh
OVPN_SERVER="192.168.3.0/24"
OVPN_DEV="tun2"
OVPN_PROTO="udp"
OVPN_PORT="1194"
LAN_IP="$(nvram get lan_ipaddr)"
LAN_SERVER="$LAN_IP/24"

WAN_IF="$(ip route | awk '/^default/{print $NF}')"

# open the OpenVPN server port
iptables -I INPUT -i $WAN_IF -p $OVPN_PROTO --dport $OVPN_PORT -j ACCEPT
 
# allow OpenVPN clients to access the OpenVPN server
iptables -I INPUT -i $OVPN_DEV -m state --state NEW -j ACCEPT

# allow OpenVPN clients to access ALL other devices on the LAN
iptables -I FORWARD -i $OVPN_DEV -m state --state NEW -j ACCEPT
iptables -I FORWARD -i $LAN_SERVER -m state --state NEW -j ACCEPT

# allow OpenVPN clients to use the OpenVPN server as an internet gateway
iptables -t nat -A POSTROUTING -s $OVPN_SERVER -o $WAN_IF -j MASQUERADE

# allow local devices to become clients of the remote network
iptables -I FORWARD -o $OVPN_DEV -m state --state NEW -j ACCEPT
iptables -I FORWARD -o $LAN_SERVER -m state --state NEW -j ACCEPT

# NAT anything that's NOT the local network (e.g., WAN) over the OpenVPN tunnel
iptables -t nat -A POSTROUTING -s ! $LAN_SERVER -o $OVPN_DEV -j MASQUERADE


Any suggestions on what needs tweaked?

Thanks again!
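
Added example, not part of the thread and not DD-WRT code: the first script above passes `upd` to `-p`, and both scripts pass `$LAN_SERVER` (an address with a prefix length) to `-i`/`-o`, which expect an interface name. The sketch below checks the expanded arguments before they reach iptables; the function names `check_rule` and `ipt` are hypothetical, and the demo values are constructed from the settings quoted in the thread.

```shell
#!/bin/sh
# Added example: validate iptables arguments after variable expansion.

# Interface names are at most 15 characters, with no '/' or spaces.
is_iface() {
    case "$1" in
        ""|*/*|*" "*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Protocol names this kind of firewall script would pass to -p.
is_proto() {
    case "$1" in
        tcp|udp|icmp|all) return 0 ;;
        *) return 1 ;;
    esac
}

# Dotted-quad IPv4 address, four octets of 0-255.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# IPv4 address, optionally followed by /prefix-length or /dotted-netmask.
# Hostnames are deliberately rejected: this script only uses literals.
is_net() {
    case "$1" in
        */*) is_ipv4 "${1%%/*}" || return 1
             mask=${1#*/}
             case "$mask" in
                 ""|*[!0-9.]*) return 1 ;;
                 *.*)  is_ipv4 "$mask" ;;
                 ???*) return 1 ;;
                 *)    [ "$mask" -le 32 ] ;;
             esac ;;
        *)   is_ipv4 "$1" ;;
    esac
}

# check_rule ARGS...: print one line per suspect argument, return 1 if any.
check_rule() {
    bad=0
    while [ "$#" -gt 0 ]; do
        opt=$1
        shift
        case "$opt" in
            -i|-o|-p|-s|-d) ;;
            *) continue ;;
        esac
        # Old-style negation puts "!" between the option and its value.
        if [ "${1:-}" = "!" ]; then shift; fi
        val=${1:-}
        case "$opt" in
            -i|-o) is_iface "$val" || { printf "%s '%s': not an interface name\n" "$opt" "$val"; bad=1; } ;;
            -p)    is_proto "$val" || { printf "%s '%s': unknown protocol\n" "$opt" "$val"; bad=1; } ;;
            -s|-d) is_net "$val"   || { printf "%s '%s': not an IPv4 address or network\n" "$opt" "$val"; bad=1; } ;;
        esac
    done
    return "$bad"
}

# Drop-in replacement for "iptables" inside the firewall script.
ipt() {
    check_rule "$@" >&2 || return 1
    iptables "$@"
}

# Demo: constructed values standing in for what the script expands to.
demo() {
    OVPN_DEV="tun2"; WAN_IF="vlan2"; LAN_SERVER="192.168.1.1/24"
    check_rule -I INPUT -i "$WAN_IF" -p upd --dport 1194 -j ACCEPT
    check_rule -I FORWARD -i "$LAN_SERVER" -m state --state NEW -j ACCEPT
    check_rule -I FORWARD -i "$OVPN_DEV" -m state --state NEW -j ACCEPT
}
demo || true
```

Replacing `iptables` with `ipt` in the script sends each rejected value to stderr and skips that rule.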
WJames
Posted: Wed Jan 06, 2016 12:37
Thanks again, Eibgrad. I am connecting outside the network. Yesterday, I connected from my office. This morning I connected via my cellular WiFi. Here are this morning's logs:

OpenVpn Server Log:
Code:
 20160105 18:52:14 I OpenVPN 2.3.8 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan 3 2016
 20160105 18:52:14 I library versions: OpenSSL 1.0.2e 3 Dec 2015 LZO 2.09
 20160105 18:52:14 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:14
 20160105 18:52:14 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
 20160105 18:52:14 Diffie-Hellman initialized with 1024 bit key
 20160105 18:52:14 Socket Buffers: R=[180224->131072] S=[180224->131072]
 20160105 18:52:14 I TUN/TAP device tun2 opened
 20160105 18:52:14 TUN/TAP TX queue length set to 100
 20160105 18:52:14 I do_ifconfig tt->ipv6=1 tt->did_ifconfig_ipv6_setup=0
 20160105 18:52:14 I /sbin/ifconfig tun2 192.168.3.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.3.255
 20160105 18:52:14 I UDPv4 link local (bound): [undef]
 20160105 18:52:14 I UDPv4 link remote: [undef]
 20160105 18:52:14 MULTI: multi_init called r=256 v=256
 20160105 18:52:14 IFCONFIG POOL: base=192.168.3.2 size=252 ipv6=0
 20160105 18:52:14 IFCONFIG POOL LIST
 20160105 18:52:14 I Initialization Sequence Completed
 20160105 19:11:27 192.168.1.200:59918 TLS: Initial packet from [AF_INET]192.168.1.200:59918 sid=2f429b0f 38739e48
 20160105 19:12:27 N 192.168.1.200:59918 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
...
 20160106 07:07:29 166.170.31.35:21322 TLS: Initial packet from [AF_INET]166.170.31.35:21322 sid=4b8f0abc 4588cffb
 20160106 07:07:30 166.170.31.35:21322 VERIFY OK: depth=1 C=US ST=PA L=Williamsport O=OpenVPN OU=Home CN=xx name=xx emailAddress=xx
 20160106 07:07:30 166.170.31.35:21322 VERIFY OK: depth=0 C=US ST=PA L=Williamsport O=OpenVPN OU=xx CN=client1 name=xx emailAddress=xx
 20160106 07:07:30 166.170.31.35:21322 NOTE: --mute triggered...
 20160106 07:07:30 166.170.31.35:21322 5 variation(s) on previous 3 message(s) suppressed by --mute
 20160106 07:07:30 I 166.170.31.35:21322 [client1] Peer Connection Initiated with [AF_INET]166.170.31.35:21322
 20160106 07:07:30 I client1/166.170.31.35:21322 MULTI_sva: pool returned IPv4=192.168.3.2 IPv6=(Not enabled)
 20160106 07:07:30 client1/166.170.31.35:21322 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_93221101a108ba0eb921c9d45c865c1a.tmp
 20160106 07:07:30 client1/166.170.31.35:21322 MULTI: Learn: 192.168.3.2 -> client1/166.170.31.35:21322
 20160106 07:07:30 client1/166.170.31.35:21322 MULTI: primary virtual IP for client1/166.170.31.35:21322: 192.168.3.2
 20160106 07:07:32 client1/166.170.31.35:21322 PUSH: Received control message: 'PUSH_REQUEST'
 20160106 07:07:32 I client1/166.170.31.35:21322 send_push_reply(): safe_cap=940
 20160106 07:07:32 client1/166.170.31.35:21322 SENT CONTROL [client1]: 'PUSH_REPLY redirect-gateway def1 route 192.168.1.0 255.255.255.0 dhcp-option DNS 8.8.8.8 dhcp-option DNS 192.168.1.1 route-gateway 192.168.3.1 topology subnet ping 10 ping-restart 120 ifconfig 192.168.3.2 255.255.255.0' (status=1)


Server Route Table:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         174.60.96.1     0.0.0.0         UG        0 0          0 vlan2
127.0.0.0       *               255.0.0.0       U         0 0          0 lo
169.254.0.0     *               255.255.0.0     U         0 0          0 br0
174.60.96.0     *               255.255.252.0   U         0 0          0 vlan2
192.168.1.0     *               255.255.255.0   U         0 0          0 br0
192.168.3.0     *               255.255.255.0   U         0 0          0 tun2


OpenVpn Client Log:
Code:
Wed Jan 06 07:07:23 2016 OpenVPN 2.3.9 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Dec 16 2015
Wed Jan 06 07:07:23 2016 library versions: OpenSSL 1.0.1q 3 Dec 2015, LZO 2.09
Enter Management Password:
Wed Jan 06 07:07:23 2016 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Wed Jan 06 07:07:23 2016 Need hold release from management interface, waiting...
Wed Jan 06 07:07:23 2016 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Wed Jan 06 07:07:23 2016 MANAGEMENT: CMD 'state on'
Wed Jan 06 07:07:23 2016 MANAGEMENT: CMD 'log all on'
Wed Jan 06 07:07:23 2016 MANAGEMENT: CMD 'hold off'
Wed Jan 06 07:07:23 2016 MANAGEMENT: CMD 'hold release'
Wed Jan 06 07:07:23 2016 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Jan 06 07:07:23 2016 UDPv4 link local: [undef]
Wed Jan 06 07:07:23 2016 UDPv4 link remote: [AF_INET]xx.xx.xx.xx:1194
Wed Jan 06 07:07:23 2016 MANAGEMENT: >STATE:1452082043,WAIT,,,
Wed Jan 06 07:07:23 2016 MANAGEMENT: >STATE:1452082043,AUTH,,,
Wed Jan 06 07:07:23 2016 TLS: Initial packet from [AF_INET]xx.xx.xx.xx:1194, sid=55d3f0ef 3ff63757
Wed Jan 06 07:07:24 2016 VERIFY OK: depth=1, C=US, ST=PA, L=Williamsport, O=OpenVPN, OU=Home, CN=xx, name=xx, emailAddress=xx
Wed Jan 06 07:07:24 2016 VERIFY OK: nsCertType=SERVER
Wed Jan 06 07:07:24 2016 VERIFY OK: depth=0, C=US, ST=PA, L=Williamsport, O=OpenVPN, OU=xx, CN=server, name=xx, emailAddress=xx
Wed Jan 06 07:07:24 2016 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Jan 06 07:07:24 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan 06 07:07:24 2016 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Jan 06 07:07:24 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan 06 07:07:24 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Wed Jan 06 07:07:24 2016 [server] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
Wed Jan 06 07:07:25 2016 MANAGEMENT: >STATE:1452082045,GET_CONFIG,,,
Wed Jan 06 07:07:26 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Jan 06 07:07:26 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route 192.168.1.0 255.255.255.0,dhcp-option DNS 8.8.8.8,dhcp-option DNS 192.168.1.1,route-gateway 192.168.3.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.3.2 255.255.255.0'
Wed Jan 06 07:07:26 2016 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jan 06 07:07:26 2016 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jan 06 07:07:26 2016 OPTIONS IMPORT: route options modified
Wed Jan 06 07:07:26 2016 OPTIONS IMPORT: route-related options modified
Wed Jan 06 07:07:26 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Jan 06 07:07:26 2016 ROUTE_GATEWAY 192.168.137.1/255.255.255.0 I=12 HWADDR=2c:33:7a:80:bb:3b
Wed Jan 06 07:07:26 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Jan 06 07:07:26 2016 MANAGEMENT: >STATE:1452082046,ASSIGN_IP,,192.168.3.2,
Wed Jan 06 07:07:26 2016 open_tun, tt->ipv6=0
Wed Jan 06 07:07:26 2016 TAP-WIN32 device [NETGEAR-VPN] opened: \\.\Global\{F577F634-43F9-4976-8116-18B7FCEE0FC8}.tap
Wed Jan 06 07:07:26 2016 TAP-Windows Driver Version 9.21
Wed Jan 06 07:07:26 2016 Set TAP-Windows TUN subnet mode network/local/netmask = 192.168.3.0/192.168.3.2/255.255.255.0 [SUCCEEDED]
Wed Jan 06 07:07:26 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.3.2/255.255.255.0 on interface {F577F634-43F9-4976-8116-18B7FCEE0FC8} [DHCP-serv: 192.168.3.254, lease-time: 31536000]
Wed Jan 06 07:07:26 2016 NOTE: FlushIpNetTable failed on interface [31] {F577F634-43F9-4976-8116-18B7FCEE0FC8} (status=1168) : Element not found. 
Wed Jan 06 07:07:31 2016 TEST ROUTES: 0/2 succeeded len=1 ret=0 a=0 u/d=up
Wed Jan 06 07:07:31 2016 Route: Waiting for TUN/TAP interface to come up...
Wed Jan 06 07:07:36 2016 TEST ROUTES: 0/2 succeeded len=1 ret=0 a=0 u/d=up
Wed Jan 06 07:07:36 2016 Route: Waiting for TUN/TAP interface to come up...
Wed Jan 06 07:07:37 2016 TEST ROUTES: 0/2 succeeded len=1 ret=0 a=0 u/d=up
Wed Jan 06 07:07:37 2016 Route: Waiting for TUN/TAP interface to come up...
Wed Jan 06 07:07:38 2016 TEST ROUTES: 0/2 succeeded len=1 ret=0 a=0 u/d=up
Wed Jan 06 07:07:38 2016 Route: Waiting for TUN/TAP interface to come up...
Wed Jan 06 07:07:39 2016 TEST ROUTES: 0/2 succeeded len=1 ret=0 a=0 u/d=up
Wed Jan 06 07:07:39 2016 Route: Waiting for TUN/TAP interface to come up...
Wed Jan 06 07:07:40 2016 TEST ROUTES: 0/2 succeeded len=1 ret=0 a=0 u/d=up
Wed Jan 06 07:07:40 2016 Route: Waiting for TUN/TAP interface to come up...
Wed Jan 06 07:07:41 2016 TEST ROUTES: 0/2 succeeded len=1 ret=0 a=0 u/d=up
Wed Jan 06 07:07:41 2016 Route: Waiting for TUN/TAP interface to come up...
Wed Jan 06 07:07:43 2016 TEST ROUTES: 0/2 succeeded len=1 ret=0 a=0 u/d=up
Wed Jan 06 07:07:43 2016 Route: Waiting for TUN/TAP interface to come up...
Wed Jan 06 07:07:44 2016 TEST ROUTES: 0/2 succeeded len=1 ret=0 a=0 u/d=up
Wed Jan 06 07:07:44 2016 Route: Waiting for TUN/TAP interface to come up...
Wed Jan 06 07:07:45 2016 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Wed Jan 06 07:07:45 2016 C:\WINDOWS\system32\route.exe ADD xx.xx.xx.xx MASK 255.255.255.255 192.168.137.1
Wed Jan 06 07:07:45 2016 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
Wed Jan 06 07:07:45 2016 Route addition via IPAPI succeeded [adaptive]
Wed Jan 06 07:07:45 2016 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.3.1
Wed Jan 06 07:07:45 2016 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Wed Jan 06 07:07:45 2016 Route addition via IPAPI succeeded [adaptive]
Wed Jan 06 07:07:45 2016 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.3.1
Wed Jan 06 07:07:45 2016 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Wed Jan 06 07:07:45 2016 Route addition via IPAPI succeeded [adaptive]
Wed Jan 06 07:07:45 2016 MANAGEMENT: >STATE:1452082065,ADD_ROUTES,,,
Wed Jan 06 07:07:45 2016 C:\WINDOWS\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 192.168.3.1
Wed Jan 06 07:07:45 2016 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Wed Jan 06 07:07:45 2016 Route addition via IPAPI succeeded [adaptive]
Wed Jan 06 07:07:45 2016 Initialization Sequence Completed
Wed Jan 06 07:07:45 2016 MANAGEMENT: >STATE:1452082065,CONNECTED,SUCCESS,192.168.3.2,xx.xx.xx.xx


Client Route Table:
Code:
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.137.1  192.168.137.202     25
          0.0.0.0        128.0.0.0      192.168.3.1      192.168.3.2     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        128.0.0.0        128.0.0.0      192.168.3.1      192.168.3.2     20
     174.60.98.75  255.255.255.255    192.168.137.1  192.168.137.202     25
      192.168.1.0    255.255.255.0      192.168.3.1      192.168.3.2     20
      192.168.3.0    255.255.255.0         On-link       192.168.3.2    276
      192.168.3.2  255.255.255.255         On-link       192.168.3.2    276
    192.168.3.255  255.255.255.255         On-link       192.168.3.2    276
    192.168.137.0    255.255.255.0         On-link   192.168.137.202    281
  192.168.137.202  255.255.255.255         On-link   192.168.137.202    281
  192.168.137.255  255.255.255.255         On-link   192.168.137.202    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link   192.168.137.202    281
        224.0.0.0        240.0.0.0         On-link       192.168.3.2    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link   192.168.137.202    281
  255.255.255.255  255.255.255.255         On-link       192.168.3.2    276


The first snippet of the server logs shows the initialization. The second snippet shows the OpenVPN connection.

If you need any other info / logs, please let me know. Thanks again for your help.
WJames
Posted: Wed Jan 06, 2016 17:11
Unfortunately, I still can't ping or see LAN computers in Windows file explorer. Oddly, I could see my son's smart phone, however.

Here are the IP table dumps as requested (the external IP address is replaced with xx.xx.xx.xx):
Code:
root@DD-WRT:~# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   46  2418 ACCEPT     0    --  tun2   *       0.0.0.0/0            0.0.0.0/0
        state NEW
 2490  503K ACCEPT     udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0
        udp dpt:1194
 2705  304K logaccept  0    --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED
    2   658 logaccept  udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0
        udp spt:67 dpt:68
    0     0 logaccept  udp  --  *      *       0.0.0.0/0            0.0.0.0/0
        udp dpt:1194
    0     0 logaccept  0    --  tun2   *       0.0.0.0/0            0.0.0.0/0

    0     0 logdrop    udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0
        udp dpt:520
    0     0 logdrop    udp  --  br0    *       0.0.0.0/0            0.0.0.0/0
        udp dpt:520
    0     0 logaccept  udp  --  *      *       0.0.0.0/0            0.0.0.0/0
        udp dpt:520
    0     0 logaccept  41   --  *      *       0.0.0.0/0            0.0.0.0/0

    0     0 logdrop    icmp --  vlan2  *       0.0.0.0/0            0.0.0.0/0

    0     0 logdrop    2    --  *      *       0.0.0.0/0            0.0.0.0/0

    0     0 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0
        state NEW
 2208  427K logaccept  0    --  br0    *       0.0.0.0/0            0.0.0.0/0
        state NEW
  621 75915 logdrop    0    --  *      *       0.0.0.0/0            0.0.0.0/0


Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

    7   356 logaccept  tcp  --  *      *       0.0.0.0/0            192.168.1.20
1       tcp dpt:13022
    7   435 logaccept  udp  --  *      *       0.0.0.0/0            192.168.1.20
1       udp dpt:13022
    9   531 logaccept  tcp  --  *      *       0.0.0.0/0            192.168.1.20
1       tcp dpt:24044
    6   257 logaccept  udp  --  *      *       0.0.0.0/0            192.168.1.20
1       udp dpt:24044
   61  3690 ACCEPT     0    --  tun2   *       0.0.0.0/0            0.0.0.0/0
        state NEW
    0     0 logaccept  47   --  *      vlan2   192.168.1.0/24       0.0.0.0/0

    0     0 logaccept  tcp  --  *      vlan2   192.168.1.0/24       0.0.0.0/0
        tcp dpt:1723
  418 93721 logaccept  0    --  tun2   *       0.0.0.0/0            0.0.0.0/0

  425  275K logaccept  0    --  *      tun2    0.0.0.0/0            0.0.0.0/0

34741   16M lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0

33272   16M logaccept  0    --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED
    0     0 logaccept  0    --  br0    br0     0.0.0.0/0            0.0.0.0/0

    0     0 logaccept  tcp  --  *      *       0.0.0.0/0            192.168.1.20
4       tcp dpt:25565
    0     0 logaccept  udp  --  *      *       0.0.0.0/0            192.168.1.20
4       udp dpt:25565
    0     0 TRIGGER    0    --  vlan2  br0     0.0.0.0/0            0.0.0.0/0
        TRIGGER type:in match:0 relate:0
 1469  100K trigger_out  0    --  br0    *       0.0.0.0/0            0.0.0.0/0

 1370 95330 logaccept  0    --  br0    *       0.0.0.0/0            0.0.0.0/0
        state NEW
   99  5040 logdrop    0    --  *      *       0.0.0.0/0            0.0.0.0/0


Chain OUTPUT (policy ACCEPT 5230 packets, 3204K bytes)
 pkts bytes target     prot opt in     out     source               destination


Chain advgrp_1 (0 references)
 pkts bytes target     prot opt in     out     source               destination


Chain advgrp_10 (0 references)
 pkts bytes target     prot opt in     out     source               destination


Chain advgrp_2 (0 references)
 pkts bytes target     prot opt in     out     source               destination


Chain advgrp_3 (0 references)
 pkts bytes target     prot opt in     out     source               destination


Chain advgrp_4 (0 references)
 pkts bytes target     prot opt in     out     source               destination


Chain advgrp_5 (0 references)
 pkts bytes target     prot opt in     out     source               destination


Chain advgrp_6 (0 references)
 pkts bytes target     prot opt in     out     source               destination


Chain advgrp_7 (0 references)
 pkts bytes target     prot opt in     out     source               destination


Chain advgrp_8 (0 references)
 pkts bytes target     prot opt in     out     source               destination


Chain advgrp_9 (0 references)
 pkts bytes target     prot opt in     out     source               destination


Chain grp_1 (0 references)
 pkts bytes target     prot opt in     out     source               destination

    0     0 logdrop    0    --  *      *       192.168.1.100/30     0.0.0.0/0

    0     0 logdrop    0    --  *      *       192.168.1.104/29     0.0.0.0/0

    0     0 logdrop    0    --  *      *       192.168.1.112/28     0.0.0.0/0

    0     0 logdrop    0    --  *      *       192.168.1.128/28     0.0.0.0/0

    0     0 logdrop    0    --  *      *       192.168.1.144/30     0.0.0.0/0

    0     0 logdrop    0    --  *      *       192.168.1.148/31     0.0.0.0/0


Chain grp_10 (0 references)
 pkts bytes target     prot opt in     out     source               destination


Chain grp_2 (0 references)
 pkts bytes target     prot opt in     out     source               destination

    0     0 logdrop    0    --  *      *       192.168.1.100/30     0.0.0.0/0

    0     0 logdrop    0    --  *      *       192.168.1.104/29     0.0.0.0/0

    0     0 logdrop    0    --  *      *       192.168.1.112/28     0.0.0.0/0

    0     0 logdrop    0    --  *      *       192.168.1.128/28     0.0.0.0/0

    0     0 logdrop    0    --  *      *       192.168.1.144/30     0.0.0.0/0

    0     0 logdrop    0    --  *      *       192.168.1.148/31     0.0.0.0/0


Chain grp_3 (0 references)
 pkts bytes target     prot opt in     out     source               destination


Chain grp_4 (0 references)
 pkts bytes target     prot opt in     out     source               destination


Chain grp_5 (0 references)
 pkts bytes target     prot opt in     out     source               destination


Chain grp_6 (0 references)
 pkts bytes target     prot opt in     out     source               destination


Chain grp_7 (0 references)
 pkts bytes target     prot opt in     out     source               destination


Chain grp_8 (0 references)
 pkts bytes target     prot opt in     out     source               destination


Chain grp_9 (0 references)
 pkts bytes target     prot opt in     out     source               destination


Chain lan2wan (1 references)
 pkts bytes target     prot opt in     out     source               destination


Chain logaccept (20 references)
 pkts bytes target     prot opt in     out     source               destination

40476   18M ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0


Chain logdrop (18 references)
 pkts bytes target     prot opt in     out     source               destination

  720 80955 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0


Chain logreject (0 references)
 pkts bytes target     prot opt in     out     source               destination

    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        reject-with tcp-reset

Chain trigger_out (1 references)
 pkts bytes target     prot opt in     out     source               destination

root@DD-WRT:~# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 2879 packets, 211K bytes)
 pkts bytes target     prot opt in     out     source               destination

    1    52 DNAT       tcp  --  *      *       0.0.0.0/0            xx.xx.xx.xx
        tcp dpt:13022 to:192.168.1.201:13022
    1    47 DNAT       udp  --  *      *       0.0.0.0/0            xx.xx.xx.xx
        udp dpt:13022 to:192.168.1.201:13022
    1    64 DNAT       tcp  --  *      *       0.0.0.0/0            xx.xx.xx.xx
        tcp dpt:24044 to:192.168.1.201:24044
    1    47 DNAT       udp  --  *      *       0.0.0.0/0            xx.xx.xx.xx
        udp dpt:24044 to:192.168.1.201:24044
    0     0 DNAT       icmp --  *      *       0.0.0.0/0            xx.xx.xx.xx
        to:192.168.1.1
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            xx.xx.xx.xx
        tcp dpt:25565 to:192.168.1.204:25565
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            xx.xx.xx.xx
        udp dpt:25565 to:192.168.1.204:25565
  256 17613 TRIGGER    0    --  *      *       0.0.0.0/0            xx.xx.xx.xx
        TRIGGER type:dnat match:0 relate:0

Chain INPUT (policy ACCEPT 866 packets, 75987 bytes)
 pkts bytes target     prot opt in     out     source               destination


Chain OUTPUT (policy ACCEPT 458 packets, 45215 bytes)
 pkts bytes target     prot opt in     out     source               destination


Chain POSTROUTING (policy ACCEPT 463 packets, 45485 bytes)
 pkts bytes target     prot opt in     out     source               destination

 1140 73963 SNAT       0    --  *      vlan2   192.168.1.0/24       0.0.0.0/0
        to:xx.xx.xx.xx
    0     0 MASQUERADE  0    --  *      *       0.0.0.0/0            0.0.0.0/0
         mark match 0x80000000/0x80000000
   59  3562 MASQUERADE  0    --  *      vlan2   192.168.3.0/24       0.0.0.0/0

root@DD-WRT:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         174.60.96.1     0.0.0.0         UG    0      0        0 vlan2
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
169.254.0.0     *               255.255.0.0     U     0      0        0 br0
174.60.96.0     *               255.255.252.0   U     0      0        0 vlan2
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
192.168.3.0     *               255.255.255.0   U     0      0        0 tun2


If there are any other logs / dumps that you need, please let me know. And again thank you very much for your help!

W James
WJames
Posted: Wed Jan 06, 2016 19:36
Hi, again.

I do have active access restrictions defined. They are set for late night hours on a range of IP addresses, but they do not include the current hours. For testing purposes, I just disabled the restrictions, disconnected the VPN, and then reconnected. I still can't see other computers on the LAN.

My son's phone is assigned a static IP outside the range of the restricted IPs. While it showed earlier, it is no longer showing in File Explorer. :(

This has been so frustrating. :( I had OpenVPN working flawlessly on the Netgear firmware. I wish I had some idea what is wrong. What do you recommend for the next step?
WJames
Posted: Wed Jan 06, 2016 21:10
Understood. Your explanation is very good. However, with each failed VPN connection, I have been trying to ping the static IPs in my network without success. I should also note that I originally configured OpenVPN as a daemon, and I was also able to view all computers in File Explorer. However, either after updating to the latest Kong build or upon changing OpenVPN to be a server, I have not been able to do so. Also, with the Netgear firmware OpenVPN implementation, I was able to view all computers in File Explorer.

So... Would the solution be to use the same IP segment as the router LAN? The LAN currently uses 192.168.1.X and the VPN 192.168.3.X. With DD-WRT's implementation, could the VPN share 192.168.1.X and would that perhaps remedy my issues?
WJames
Posted: Wed Jan 06, 2016 23:19
Yes, the Netgear R8000 is the primary router. I guess I'll try resetting the NVRAM, re-installing the firmware, and then re-entering everything. Wish me luck!

Thanks again for all your help!