theorie DD-WRT Novice Joined: 28 Jan 2009 Posts: 23 Location: Sarasota, FL
Posted: Fri May 19, 2017 22:12 Post subject: OpenVPN between two routers cannot reach client router's LAN
I have two DD-WRT routers running the latest v3.0 beta.
Location 1: 192.168.138.1 (192.168.138.0/24)
Location 2: 192.168.208.1 (192.168.208.0/24)
The VPN network is set to: 192.168.7.0/24
****************************** LOCATION 1 SETUP ******************************
Note: OpenVPN Assigns this as 192.168.7.1
Location 1 is set up as OpenVPN Server:
Code:
Start Type: WAN Up
Config as: Server
Server mode: Router (TUN)
Network: 192.168.7.0
Netmask: 255.255.255.0
Port: 1194
Tunnel Protocol: UDP
Encryption Cipher: AES-128 CBC
Hash Algorithm: SHA1
Advanced Options: Enable
TLS Cipher: None
LZO Compression: Adaptive
Redirect default Gateway: Disable
Allow Client to Client: Enable
Allow duplicate cn: Disable
Tunnel MTU: 1500
Tunnel UDP Fragment: (blank)
Tunnel UDP MSS-Fix: Disable
Public Server Cert: (hidden)
CA Cert: (hidden)
Private Server Key: (hidden)
DH PEM: (hidden)
Additional Config:
push "route 192.168.138.0 255.255.255.0"
push "dhcp-option DNS 192.168.138.1"
Location 1 Firewall Commands:
Code:
iptables -I INPUT 2 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD -i br0 -o tun2 -j ACCEPT
iptables -I FORWARD -i tun2 -o br0 -j ACCEPT
Location 1 Additional Static Routing
Select set number: 1
Route Name: Client-WRT
Metric: 0
Destination LAN NET: 192.168.208.0
Subnet Mask: 255.255.255.0
Gateway: 192.168.7.2
Interface: ANY
****************************** LOCATION 2 SETUP ******************************
Note: OpenVPN Assigns this as 192.168.7.2
Location 2 is set up as OpenVPN Client:
Code:
Server IP/Name: (Server's Public IP Address)
Port: 1194
Tunnel Device: TUN
Tunnel Protocol: UDP
Encryption Cipher: AES-128 CBC
Hash Algorithm: SHA1
User Pass Authentication: Disable
Advanced Options: Enable
TLS Cipher: None
LZO Compression: Adaptive
NAT: Disable
IP Address: 192.168.7.2
Subnet Mask: 255.255.255.0
Tunnel MTU: 1500
Tunnel UDP Fragment: (blank)
Tunnel UDP MSS-Fix: Disable
nsCertType verification: (unchecked)
CA Cert: (hidden)
Public Client Cert: (hidden)
Private Client Key: (hidden)
Location 2 Firewall Commands:
(Note: according to the routing table, the TUN interface is "tun1".)
Code:
iptables -I INPUT 2 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
Location 2 Additional Static Routing
None. Note this is automatically set up by the "push" from the Server's Additional Config.
****************************** ISSUES ******************************
So here's where I need help...
All OpenVPN Clients (including the "Location 2" DD-WRT Client-router) will connect to the "Location 1" DD-WRT Server-router, and they are assigned 192.168.7.* IP addresses. Good.
All OpenVPN Clients that connect directly can see the Server-router's LAN devices (e.g. my NAS4Free server at 192.168.138.101), however the devices on the Client-router's LAN cannot see devices on Server-router's LAN, and vice-versa.
Suggestions? Need more info to diagnose? Let me know. Thanks!
theorie DD-WRT Novice Joined: 28 Jan 2009 Posts: 23 Location: Sarasota, FL
Posted: Sat May 20, 2017 13:09 Post subject:
Took some screenshots...
theorie DD-WRT Novice Joined: 28 Jan 2009 Posts: 23 Location: Sarasota, FL
Posted: Sat May 20, 2017 13:11 Post subject:
Next 3...
theorie DD-WRT Novice Joined: 28 Jan 2009 Posts: 23 Location: Sarasota, FL
Posted: Tue May 23, 2017 15:03 Post subject:
Anyone?
strat0 DD-WRT Novice Joined: 05 Sep 2017 Posts: 2
Posted: Tue Sep 05, 2017 6:18 Post subject:
Hi, I hope you finally found a solution to your problem; however, I think it might help others to (at least) get a clue to solve it. Actually I just registered on the forums to paste this here, because I've spent sooo much time on this subject that I'd be pleased to help other people sleep well.
I think you're missing some other firewall rules; here's what I have for a similar config:
Code:
iptables -I INPUT -i tun0 -j ACCEPT
(this one is to allow connecting to the VPN server's interface from the VPN client side)
Code:
iptables -I FORWARD 1 --source 192.168.7.0/24 -j ACCEPT
==> THIS is the one rule to rule them all
Code:
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
If you want to give remote internet access to your VPN clients (they'd then have the VPN server's WAN IP):
Code:
iptables -t nat -A POSTROUTING -s 192.168.7.0/24 -o vlan2 -j MASQUERADE
(vlan2 being the WAN interface in my config)
Also: it might be necessary to add an iroute command for OpenVPN at the router's startup (in Administration, add it under "Save Startup" instead of "Save Firewall"):
Code:
test -d /tmp/openvpn || mkdir /tmp/openvpn
test -d /tmp/openvpn/ccd || mkdir /tmp/openvpn/ccd
echo "iroute 192.168.7.0 255.255.255.0" > /tmp/openvpn/ccd/Your_VPN_profile_name
strat0 DD-WRT Novice Joined: 05 Sep 2017 Posts: 2
Posted: Tue Sep 05, 2017 6:42 Post subject:
Ok, now that I'm here, here's a good part of my OpenVPN config file to complete my previous answer:
Note that I adapted the IP addresses to your case.
Code:
client-config-dir /tmp/openvpn/ccd
That's to be used with the iroute command that we set at the router's startup in the previous post.
This one might be important too in your case :
"--client-to-client : Internally route client-to-client traffic."
Code:
tls-server
dev tun0
topology subnet
server 192.168.7.0 255.255.255.0
push "route 192.168.138.0 255.255.255.0"
push "dhcp-option DNS your.dns.ip.address"
push "dhcp-option DOMAIN yourdomain.local"
keepalive 10 120
log-append /tmp/var/log/openvpn
mtu-disc yes
proto tcp-server
cipher aes-256-cbc
auth sha1
ifconfig-pool-persist /tmp/openvpn/ip-pool 86400
comp-lzo yes
tls-cipher TLS-RSA-WITH-AES-256-CBC-SHA
tcp-nodelay
tun-mtu 1500
tun-mtu-extra 32
persist-tun
persist-key
verb 4
mute 5
I know, I use TCP, which is less efficient than UDP, but it is hardly blocked by any firewall (especially on port 443...).
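Why the kernel static route on its own is not enough, as an added illustration written for this thread (not DD-WRT or OpenVPN code): in TUN/subnet mode the OpenVPN server keeps its own client table, fed by the `iroute` line in each client's ccd file, and uses it both to pick the client for a packet the kernel hands to the tun device and to check the source address of packets arriving from a client. The script below models that table for the Location 1/Location 2 setup; the extra laptop client and the sample host addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Client:
    """A connected client: its tunnel address and the LANs its ccd iroutes."""
    name: str
    tun_ip: ipaddress.IPv4Address
    iroutes: list = field(default_factory=list)  # IPv4Network entries


class ServerRouting:
    """Internal routing table of an OpenVPN server in TUN/subnet mode."""
    def __init__(self, clients):
        self.clients = list(clients)

    @staticmethod
    def _owns(client, addr):
        return addr == client.tun_ip or any(addr in net for net in client.iroutes)

    def client_for(self, dst):
        """Which client gets a packet the kernel handed to the tun device?
        No matching tunnel IP or iroute means OpenVPN has nowhere to send it."""
        addr = ipaddress.ip_address(dst)
        return next((c.name for c in self.clients if self._owns(c, addr)), None)

    def accepts_source(self, client_name, src):
        """Source check on packets arriving from a client: anything not from
        its tunnel IP or an iroute'd subnet is dropped as a bad source address."""
        addr = ipaddress.ip_address(src)
        return any(c.name == client_name and self._owns(c, addr) for c in self.clients)


def lan_to_lan(with_iroute):
    """Location 1 server; the Location 2 router is connected as 192.168.7.2.
    with_iroute=True models its ccd file holding: iroute 192.168.208.0 255.255.255.0
    (constructed scenario; the extra laptop client is an assumption)."""
    lan2 = [ipaddress.ip_network("192.168.208.0/24")] if with_iroute else []
    table = ServerRouting([
        Client("Client-WRT", ipaddress.ip_address("192.168.7.2"), lan2),
        Client("laptop", ipaddress.ip_address("192.168.7.6")),
    ])
    return {
        "server_lan_to_lan2": table.client_for("192.168.208.50"),
        "lan2_to_server_lan": table.accepts_source("Client-WRT", "192.168.208.50"),
        "to_client_tun_ip": table.client_for("192.168.7.2"),
        "from_client_tun_ip": table.accepts_source("Client-WRT", "192.168.7.2"),
    }
```

Without the iroute, traffic to the router's own tunnel IP still works, which matches the symptom in the first post: direct clients are fine, but the LAN behind the client router is unreachable in both directions.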