OpenVPN Server and Client simultaneously on WRT1200AC

d0ug
DD-WRT Guru


Joined: 31 Jul 2015
Posts: 601

PostPosted: Tue Oct 24, 2017 21:51    Post subject: OpenVPN Server and Client simultaneously on WRT1200AC
I have a long-standing issue with the OpenVPN Server and Client being used simultaneously in DD-WRT. I made a post some months ago in the Advanced Networking forum that got no replies. Maybe someone in here is able to assist.

I have a WRT1200AC which has all of its WAN connection VPNed through PIA. All hosts on the LAN go through this tunnel except for two which host public-facing services that need to be on my real WAN IP.

I also have the OpenVPN server running so my phone can remote into my LAN, and also gain access to the internet through the PIA tunnel.

Everything works, except for the phone being able to access local LAN hosts. I can access the router's admin page from the phone, but anything else on the LAN is inaccessible.

I had basically given up on this, but decided to try tackling it again today.

In troubleshooting this I found that if I turned off the OpenVPN client connected to PIA, my phone is able to access local LAN resources through the OpenVPN server running on the router. So it appears some config of the OpenVPN client is breaking the routing to/from the LAN to devices connected to the OpenVPN server.

Below is my config:

Firmware: DD-WRT v3.0-r33555 std (10/20/17)
LAN Address is 10.10.10.x 255.255.255.0
OpenVPN Server Address is 10.10.12.x 255.255.255.0

OpenVPN Server


CCD-Dir DEFAULT file: <BLANK>
Client connect script: <BLANK>
Static Key: <BLANK>
PKCS12 Key: <BLANK>
Public Server Cert: <CONTAINS MY PUBLIC CERT>
CA Cert: <CONTAINS MY CA CERT>
Private Server Key: <CONTAINS MY PRIVATE KEY>
DH PEM: <CONTAINS DH PEM>
Additional Config:
push "route 10.10.10.0 255.255.255.0"
push "dhcp-option DNS 10.10.10.1"
push "redirect-gateway def1"
reneg-bytes 64000000
client-to-client
push "keepalive 10 60"
push "resolv-retry"
push "persist-tun"
TLS Auth Key: <BLANK>
Certificate Revoke List: <BLANK>

Below is my OpenVPN client to PIA config:



TLS Auth Key: <BLANK>
Additional Config:
persist-key
persist-tun
tls-client
remote-cert-tls server
disable-occ
auth-nocache
fast-io
sndbuf 524288
rcvbuf 524288
comp-lzo yes
comp-noadapt
reneg-bytes 64000000
keepalive 10 60
Policy Based Routing:
10.10.12.0/24
10.10.10.2/31
10.10.10.4/30
10.10.10.8/29
10.10.10.16/28
10.10.10.32/29
10.10.10.43/32
10.10.10.44/30
10.10.10.48/28
10.10.10.64/26
10.10.10.128/25
PKCS12 Key: <BLANK>
Static Key: <BLANK>
CA Cert: <CONTAINS PIA's CA CERT>
Public Client Cert: <BLANK>
Private Client Key: <BLANK>

In my Firewall Commands I have the following:

#####VPN Kill Switch
##### -I inserts at the top of FORWARD: anything from 10.10.0.0/16 heading
##### straight out the real WAN interface is dropped
iptables -I FORWARD -s 10.10.0.0/16 -o $(nvram get wan_iface) -j DROP

#####Allow public facing services around PIA VPN
##### These are also inserted with -I, so they land above the DROP rule
##### and are evaluated first; order of these commands matters
iptables -I FORWARD -s 10.10.10.41 -o $(nvram get wan_iface) -j ACCEPT
iptables -I FORWARD -s 10.10.10.42 -o $(nvram get wan_iface) -j ACCEPT

#####Enable clients on the VPN Server to access the internet through PIA VPN
##### tun1 = OpenVPN client (PIA) interface, tun2 = OpenVPN server interface
iptables -t nat -A POSTROUTING -s 10.10.12.0/24 -o tun1 -j MASQUERADE
iptables -I FORWARD -i tun2 -s 10.10.12.0/24 -o br0 -j ACCEPT

Keep in mind everything is working exactly how I am expecting it to work, except for my phone being unable to access LAN resources while connecting to the OpenVPN server running on DD-WRT while the OpenVPN client in DD-WRT is connected to PIA.
popoviciri
DD-WRT Novice


Joined: 27 May 2017
Posts: 12

PostPosted: Wed Oct 25, 2017 15:23
I found a solution posted by eibgrad. Just dump the code from the link below (all of it) in your startup scripts and restart the router.
Code from here: https://pastebin.com/YwnHLqaa
More info here: http://svn.dd-wrt.com/ticket/5690
I have absolutely no firewall rules set and everything works as expected. Connected from my phone to the home network, I have access to all my home devices (including a pihole filtering ads) and exit through the mullvad tunnel.
I doubt you need anything else but the killswitch in your firewall.
Good that you keep the router IP out of PBR. Also I'd disable syslog since the script will write to it every minute. I tried to change the MAX_PASS variable to a 5, but after a while table 10 gets back to WAN only. So now I just let it run every minute.
Hope this helps!
Cheers

WRT1900ACSv1: 33555
OpenVPN server and client (with PBR), samba
d0ug
DD-WRT Guru


Joined: 31 Jul 2015
Posts: 601

PostPosted: Wed Oct 25, 2017 16:55
popoviciri wrote:
I found a solution posted by eibgrad. Just dump the code from the link below (all of it) in your startup scripts and restart the router.
Code from here: https://pastebin.com/YwnHLqaa
More info here: http://svn.dd-wrt.com/ticket/5690
I have absolutely no firewall rules set and everything works as expected. Connected from my phone to the home network, I have access to all my home devices (including a pihole filtering ads) and exit through the mullvad tunnel.
I doubt you need anything else but the killswitch in your firewall.
Good that you keep the router IP out of PBR. Also I'd disable syslog since the script will write to it every minute. I tried to change the MAX_PASS variable to a 5, but after a while table 10 gets back to WAN only. So now I just let it run every minute.
Hope this helps!
Cheers

WRT1900ACSv1: 33555
OpenVPN server and client (with PBR), samba


That worked! Thank you very much. Looks like an old bug that is not yet fixed.

Yeah, I learned about not putting the router's IP in the PBR earlier this year. All hell breaks loose if you do that. Basically you have to factory reset it to be able to get back into the GUI, from what I remember.

It would be nice if the bug got fixed. It feels very hackish to have to have a script like that to make it work. Some sanity checking in that PBR field to eliminate the router's IP if someone puts their whole /24 in that entry would be nice too. Maybe even add something like allow/deny radio buttons for PBR where, in the case that you want everything except a few hosts, you could switch it to the deny option and then just specify those few hosts in the PBR field.
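The sanity check d0ug asks for above can be done offline before the list is pasted into the GUI. The script below is an added example written for this thread, not DD-WRT code and not the pastebin script popoviciri linked; all function names are ours. It takes the Policy Based Routing entries from d0ug's client config and the LAN layout he states (10.10.10.0/24, router at 10.10.10.1) and reports whether any entry would send the router's own address through the tunnel, and which LAN hosts are left outside the tunnel on the real WAN.

```shell
#!/bin/sh
# Added example (not DD-WRT's own code): sanity-check an OpenVPN client
# "Policy Based Routing" list before it goes into the DD-WRT GUI.
# Function names (ip2int, int2ip, in_cidr, pbr_covers, pbr_router_ok,
# pbr_uncovered) are ours. Plain POSIX sh, so it also runs on busybox.

# Constructed from the thread: LAN 10.10.10.0/24, router 10.10.10.1,
# and d0ug's PBR entries (OpenVPN server subnet plus split LAN ranges).
LAN_CIDR="10.10.10.0/24"
ROUTER_IP="10.10.10.1"
PBR_LIST="10.10.12.0/24
10.10.10.2/31
10.10.10.4/30
10.10.10.8/29
10.10.10.16/28
10.10.10.32/29
10.10.10.43/32
10.10.10.44/30
10.10.10.48/28
10.10.10.64/26
10.10.10.128/25"

# ip2int A.B.C.D -> sets IP_INT (no subshell, so it is cheap inside loops)
ip2int() {
    _oldifs=$IFS; IFS=.; set -- $1; IFS=$_oldifs
    IP_INT=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip N -> sets IP_STR
int2ip() {
    IP_STR="$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# in_cidr IP CIDR -> true when IP lies inside CIDR
in_cidr() {
    _a=$1; _c=$2
    ip2int "$_a"; _ip=$IP_INT
    ip2int "${_c%/*}"; _net=$IP_INT
    _bits=${_c#*/}
    # network mask: all 32 bits set, minus the low (32 - prefix) host bits
    _mask=$(( 4294967295 ^ ((1 << (32 - _bits)) - 1) ))
    [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

# pbr_covers IP ENTRY... -> prints the first entry covering IP; false if none
pbr_covers() {
    _target=$1; shift
    for _cidr in "$@"; do
        if in_cidr "$_target" "$_cidr"; then
            echo "$_cidr"
            return 0
        fi
    done
    return 1
}

# pbr_router_ok ROUTER_IP ENTRY... -> true when no entry covers the router's
# own address (the case the thread says locks you out of the GUI)
pbr_router_ok() {
    _r=$1; shift
    if _hit=$(pbr_covers "$_r" "$@"); then
        echo "ERROR: router address $_r is covered by PBR entry $_hit" >&2
        return 1
    fi
    return 0
}

# pbr_uncovered LAN_CIDR ENTRY... -> prints every host address in the LAN
# (network and broadcast skipped) that no entry covers, i.e. the hosts that
# keep using the real WAN instead of the tunnel
pbr_uncovered() {
    _lan=$1; shift
    ip2int "${_lan%/*}"; _base=$IP_INT
    _size=$(( 1 << (32 - ${_lan#*/}) ))
    _i=1
    while [ "$_i" -lt $(( _size - 1 )) ]; do
        int2ip $(( _base + _i ))
        pbr_covers "$IP_STR" "$@" >/dev/null || echo "$IP_STR"
        _i=$(( _i + 1 ))
    done
}

# Stand-alone usage: word-split the pasted list into positional arguments.
set -- $PBR_LIST
pbr_router_ok "$ROUTER_IP" "$@" && echo "router $ROUTER_IP stays out of the tunnel"
echo "LAN hosts not sent through the tunnel:"
pbr_uncovered "$LAN_CIDR" "$@"
```

With d0ug's list the check passes, and the uncovered hosts come out as 10.10.10.1, 10.10.10.40, 10.10.10.41 and 10.10.10.42, which matches his two public-facing hosts (.41 and .42) plus the router; replacing the list with a bare 10.10.10.0/24 makes pbr_router_ok fail, which is exactly the misconfiguration the thread warns about.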