OpenVPN between two routers cannot reach client router's LAN

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking
Author Message
theorie
DD-WRT Novice


Joined: 28 Jan 2009
Posts: 23
Location: Sarasota, FL

PostPosted: Fri May 19, 2017 22:12    Post subject: OpenVPN between two routers cannot reach client router's LAN Reply with quote
I have two DD-WRT routers running the latest v3.0 beta.

Location 1: 192.168.138.1 (192.168.138.0/24)
Location 2: 192.168.208.1 (192.168.208.0/24)

The VPN network is set to: 192.168.7.0/24

****************************** LOCATION 1 SETUP ******************************
Note: OpenVPN Assigns this as 192.168.7.1

Location 1 is setup as OpenVPN Server:
Code:
Start Type: WAN Up
Config as: Server
Server mode: Router (TUN)
Network: 192.168.7.0
Netmask: 255.255.255.0
Port: 1194
Tunnel Protocol: UDP
Encryption Cipher: AES-128 CBC
Hash Algorithm: SHA1
Advanced Options: Enable
TLS Cipher: None
LZO Compressoin: Adaptive
Redirect default Gateway: Disable
Allow Client to Client: Enable
Allow duplicate cn: Disable
Tunnel MTU: 1500
Tunnel UDP Fragment: (blank)
Tunnel UDP MSS-Fix: Disable

Public Server Cert: (hidden)
CA Cert: (hidden)
Private Server Key: (hidden)
DH PEM: (hidden)

Additional Config:
push "route 192.168.138.0 255.255.255.0"
push "dhcp-option DNS 192.168.138.1"


Location 1 Firewall Commands:
Code:
iptables -I INPUT 2 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD -i br0 -o tun2 -j ACCEPT
iptables -I FORWARD -i tun2 -o br0 -j ACCEPT


Location 1 Additional Static Routing
Select set number: 1
Route Name: Client-WRT
Metric: 0
Destination LAN NET: 192.168.208.0
Subnet Mask: 255.255.255.0
Gateway: 192.168.7.2
Interface: ANY

****************************** LOCATION 2 SETUP ******************************
Note: OpenVPN Assigns this as 192.168.7.2

Location 2 is setup as OpenVPN Client:
Code:
Server IP/Name: (Server's Public IP Address)
Port: 1194
Runnel Device: TUN
Tunnel Protocol: UDP
Encryption Cipher: AES-128 CBC
Hash Algorithm: SHA1
User Pass Authentication: Disable
Advanced Options: Enable
TLS Cipher: None
LZO Compressoin: Adaptive
NAT: Disable
IP Address: 192.168.7.2
Subnet Mask: 255.255.255.0
Tunnel MTU: 1500
Tunnel UDP Fragment: (blank)
Tunnel UDP MSS-Fix: Disable
nsCertType verification: (unchecked)

CA Cert: (hidden)
Public Client Cert: (hidden)
Private Client Key: (hidden)


Location 2 Firewall Commands:
(Note, according to the routing table, TUN is "tun1")
Code:
iptables -I INPUT 2 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT


Location 2 Additional Static Routing
None. Note this is automatically setup with the "push" from the Server's Additional Config.

****************************** ISSUES ******************************

So here's where I need help...

All OpenVPN Clients (including the "Location 2" DD-WRT Client-router) will connect to the "Location 1" DD-WRT Server-router, and they are assigned 192.168.7.* IP addresses. Good.

All OpenVPN Clients that connect directly can see the Server-router's LAN devices (e.g. my NAS4Free server at 192.168.138.101), however the devices on the Client-router's LAN cannot see devices on Server-router's LAN, and vice-versa.

Suggestions? Need more info to diagnose? Let me know. Thanks!
Sponsor
theorie
DD-WRT Novice


Joined: 28 Jan 2009
Posts: 23
Location: Sarasota, FL

PostPosted: Sat May 20, 2017 13:09    Post subject: Reply with quote
Took some screenshots...
theorie
DD-WRT Novice


Joined: 28 Jan 2009
Posts: 23
Location: Sarasota, FL

PostPosted: Sat May 20, 2017 13:11    Post subject: Reply with quote
Next 3...
theorie
DD-WRT Novice


Joined: 28 Jan 2009
Posts: 23
Location: Sarasota, FL

PostPosted: Tue May 23, 2017 15:03    Post subject: Reply with quote
Anyone? Crying or Very sad
strat0
DD-WRT Novice


Joined: 05 Sep 2017
Posts: 2

PostPosted: Tue Sep 05, 2017 6:18    Post subject: Reply with quote
Hi, I hope you finally found a solution to your problem, however I think it might help others to (at least) get a clue to solve it. Actually I just registered the forums to paste this here, because I've spent sooo much time on this subject that I'd be pleased to help other people sleep well Rolling Eyes .

I think you're missing some other firewall rules, here's what I have for a similar config :

Code:
iptables -I INPUT -i tun0 -j ACCEPT

(this one is to allow connecting to the VPN server's interface from the VPN client side)

Code:
iptables -I FORWARD 1 --source 192.168.7.0/24 -j ACCEPT

==> THIS is the one rule to rule them all Razz

Code:
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT


If you want to give a remote internet access to your VPN clients (they'd have the VPN server's WAN IP then) :
Code:

iptables -t nat -A POSTROUTING -s 192.168.7.0/24 -o vlan2 -j MASQUERADE

(vlan2 being the wan interface in my config)

Also : it might be necessary to add an iroute command for OpenVPN, at router's startup (in administration > add it in "save startup" instead of "save firewall"):

Code:
test -d /tmp/openvpn || mkdir /tmp/openvpn
test -d /tmp/openvpn/ccd || mkdir /tmp/openvpn/ccd
echo "iroute 192.168.7.0 255.255.255.0" > /tmp/openvpn/ccd/Your_VPN_profile_name
strat0
DD-WRT Novice


Joined: 05 Sep 2017
Posts: 2

PostPosted: Tue Sep 05, 2017 6:42    Post subject: Reply with quote
Ok, now that I'm here, here's a good part of my OpenVPN config file to complete my previous answer :
Note that I adapted the Ip addresses to you case.
Code:

client-config-dir /tmp/openvpn/ccd

That's to use with the iroute command that we set at router's startup in the previous post
Code:

client-to-client

This one might be important too in your case :
"--client-to-client : Internally route client-to-client traffic."
Code:

tls-server
dev tun0
topology subnet
server 192.168.7.0 255.255.255.0
push "route 192.168.138.0 255.255.255.0"
push "dhcp-option DNS your.dns.ip.address"
push "dhcp-option DOMAIN yourdomain.local"
keepalive 10 120
log-append /tmp/var/log/openvpn
mtu-disc yes
proto tcp-server
cipher aes-256-cbc
auth sha1
ifconfig-pool-persist /tmp/openvpn/ip-pool 86400
comp-lzo yes
tls-cipher TLS-RSA-WITH-AES-256-CBC-SHA
tcp-nodelay
tun-mtu 1500
tun-mtu-extra 32
persist-tun
persist-key
verb 4
mute 5


I know, I use TCP, which is less efficient than UDP, but is hardly blocked by any firewall (especially on port 443... Rolling Eyes ).
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum