kuhnto, DD-WRT Novice
Joined: 31 May 2015, Posts: 14
Posted: Sun Nov 06, 2016 3:00
Post subject: help with OpenVPN Server WAN and LAN reachability
Router Model - Asus RT-N66U
Firmware Version - DD-WRT v24-sp2 (02/04/15) mega - build 26138M
Kernel Version - Linux 3.10.67 #6285 Wed Feb 4 06:45:05 CET 2015 mips
For a long while I have been able to connect via OpenVPN to my DD-WRT router, but have only been able to reach internal addresses such as the router or a local computer (RDP).
I recently wanted to add Internet access through the VPN connection, so after perusing the internet for a while I came upon a few NAT firewall and other setting changes that seemed to give me internet access through the VPN (checking my public IP address shows my local ISP), but I could no longer access anything locally (192.168.1.x).
It was most likely the NAT setting in the firewall.
This is most likely something really simple. Here are the details:
LAN - 192.168.1.1/24
VPN - 10.1.1.1/24
OpenVPN Services Configuration:
OpenVPN - Enable
Start Type - WAN Up
Config as Server
Server mode Router TUN
Network 10.1.1.0
Netmask 255.255.255.0
Port 443
Tunnel Protocol TCP
Encryption Cipher AES 256
Hash Algorithm SHA 1
Startup:
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"
server 10.1.1.0 255.255.255.0
dev tun0
proto tcp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
Firewall (DD-WRT renders "--dport" as "&#-106;dport" for some reason, but it should say "--dport"):
iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
iptables -I FORWARD 1 --source 10.1.1.0/24 -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o $(get_wanface) -j SNAT --to-source $(nvram get wan_ipaddr)
Client:
client
remote-cert-tls server
remote mywebsite.com 443
dev tun2
proto tcp
resolv-retry infinite
nobind
persist-key
persist-tun
float
comp-lzo
verb 3
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
Like I said, it has to be something simple... a missing route or something. I am unfortunately not a network engineer. Thank you for taking the time to try and assist.
Tom
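An added example (not from the post, and not DD-WRT or OpenVPN code) that parses the firewall lines above and simulates the filter/FORWARD and nat/POSTROUTING decisions for a few constructed flows. It assumes the shell expansions resolve to placeholder values ($(get_wanface) = vlan2, $(nvram get wan_ipaddr) = 203.0.113.5), that the LAN bridge is br0, and that FORWARD has a DROP policy; it models only the five posted rules, not DD-WRT's full rule set. The trace shows that VPN-to-LAN traffic is forwarded with its 10.1.1.x source address intact (the SNAT rule only fires on the WAN interface), that VPN-to-Internet traffic is rewritten to the WAN address, and that the two interface rules accept anything entering or leaving tun0 regardless of destination or port, which is worth knowing when reviewing what a VPN client can reach.

```python
import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-ins for the shell expansions in the post (assumptions, not real values).
WAN_IFACE = "vlan2"       # $(get_wanface)
WAN_IP = "203.0.113.5"    # $(nvram get wan_ipaddr); TEST-NET-3 documentation address
LAN_IFACE = "br0"         # DD-WRT's LAN bridge (assumed name)

# The firewall lines from the post, with the mangled "&#-106;dport" restored to "--dport".
RULES_TEXT = f"""
iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
iptables -I FORWARD 1 --source 10.1.1.0/24 -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o {WAN_IFACE} -j SNAT --to-source {WAN_IP}
"""

@dataclass
class Rule:
    table: str
    chain: str
    target: str
    match: dict = field(default_factory=dict)
    to_source: Optional[str] = None
    text: str = ""

@dataclass
class Packet:
    src: str
    dst: str
    in_if: str
    out_if: str
    proto: str = "tcp"
    dport: int = 0

def parse_rules(text: str) -> dict:
    """Parse the iptables subset used above into {(table, chain): [Rule]},
    honouring -I (insert, default position 1) versus -A (append)."""
    chains: dict = {}
    for line in text.strip().splitlines():
        toks = shlex.split(line)
        if toks[0] != "iptables":
            raise ValueError(f"not an iptables line: {line}")
        table, chain, pos, target, to_src, m = "filter", None, None, None, None, {}
        i = 1
        while i < len(toks):
            t, arg = toks[i], toks[i + 1] if i + 1 < len(toks) else None
            if t == "-t":
                table = arg
            elif t in ("-I", "-A"):
                chain = arg
                if t == "-I":
                    pos = 1
                    if i + 2 < len(toks) and toks[i + 2].isdigit():  # optional rule number
                        pos = int(toks[i + 2])
                        i += 1
            elif t == "-p":
                m["proto"] = arg
            elif t == "--dport":
                m["dport"] = int(arg)
            elif t in ("-s", "--source"):
                m["src"] = ipaddress.ip_network(arg)
            elif t == "-i":
                m["in"] = arg
            elif t == "-o":
                m["out"] = arg
            elif t == "-j":
                target = arg
            elif t == "--to-source":
                to_src = arg
            else:
                raise ValueError(f"unsupported option {t!r} in: {line}")
            i += 2
        rule = Rule(table, chain, target, m, to_src, line)
        lst = chains.setdefault((table, chain), [])
        if pos is None:
            lst.append(rule)
        else:
            lst.insert(pos - 1, rule)
    return chains

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every criterion it carries agrees with the packet."""
    m = rule.match
    return (m.get("proto", pkt.proto) == pkt.proto
            and m.get("dport", pkt.dport) == pkt.dport
            and ("src" not in m or ipaddress.ip_address(pkt.src) in m["src"])
            and m.get("in", pkt.in_if) == pkt.in_if
            and m.get("out", pkt.out_if) == pkt.out_if)

def first_match(chains: dict, table: str, chain: str, pkt: Packet) -> Optional[Rule]:
    return next((r for r in chains.get((table, chain), []) if rule_matches(r, pkt)), None)

def trace(chains: dict, pkt: Packet) -> dict:
    """Walk a forwarded packet through filter/FORWARD, then nat/POSTROUTING.
    An unmatched packet is reported as dropped (assumed DROP policy)."""
    fwd = first_match(chains, "filter", "FORWARD", pkt)
    verdict = fwd.target if fwd else "DROP (policy)"
    new_src = pkt.src
    if verdict == "ACCEPT":
        nat = first_match(chains, "nat", "POSTROUTING", pkt)
        if nat and nat.target == "SNAT":
            new_src = nat.to_source
    return {"verdict": verdict, "matched": fwd.text if fwd else None, "src_after_nat": new_src}

CHAINS = parse_rules(RULES_TEXT)

# Constructed flows; 198.51.100.7 (TEST-NET-2) stands in for an Internet host.
FLOWS = {
    "vpn->lan rdp": Packet("10.1.1.2", "192.168.1.10", "tun0", LAN_IFACE, dport=3389),
    "vpn->wan https": Packet("10.1.1.2", "198.51.100.7", "tun0", WAN_IFACE, dport=443),
    "lan->vpn ssh": Packet("192.168.1.10", "10.1.1.2", LAN_IFACE, "tun0", dport=22),
    "wan->lan smb": Packet("198.51.100.7", "192.168.1.10", WAN_IFACE, LAN_IFACE, dport=445),
}

def run_flows() -> dict:
    return {name: trace(CHAINS, pkt) for name, pkt in FLOWS.items()}

if __name__ == "__main__":
    for name, res in run_flows().items():
        print(f"{name:15} {res['verdict']:14} src after NAT: {res['src_after_nat']:14} rule: {res['matched']}")
```

Because each "-I" without a number inserts at the top, the effective FORWARD order is the reverse of the script order: the "-i tun0" rule is checked first, then "-o tun0", then the 10.1.1.0/24 source rule. The model reports the VPN-to-LAN RDP flow as accepted with its source left as 10.1.1.2, so the LAN host's reply goes back to the router as its default gateway; nothing in these rules explains lost LAN reachability by itself, which is why the posted "redirect-gateway" and DNS pushes, and the client's own routing table, are the next things to inspect.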