Posted: Thu Aug 16, 2018 4:26 Post subject: Site to site VPN 2 DD-WRT routers, route internet thru VPN?
I have a pair of DD-WRT routers installed at two different locations with a working site-to-site VPN configured in the scripts under the "Commands" tab. This working VPN allows me to access local resources of each location from the other location. Internet is currently NOT redirected through the VPN, with each site using its own public WAN IP for internet traffic.
My question is how do I get one computer connected to the VPN client router as 192.168.4.202 to direct its internet traffic through the VPN. I am trying to set up routing for a specific IP address for this purpose, and show the new code I added to the scripts in red below. The code in black is the existing working VPN code. What happens with this code is that the client at 192.168.4.202 cannot connect to the internet at all (nonresponsive browser), and all other clients not using .202 still connect to the internet fine.
VPN Server Router at Site A uses subnet 192.168.0.x, NetGear R7000 DD-WRT v3.0-r36070M kongac (05/31/18)
Code:
Startup Script
------------------
# Move to writable directory and create scripts
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn
# Config for Site-to-Site SiteA-SiteB
# ping-timer-rem needed on server to keep openvpn from restarting itself with long delays.
# auth-nocache removes a warning about caching passwords in memory on server.
# cipher AES-256-CBC override default cipher that is vulnerable to SWEET32 hack.
echo "
proto udp4
port 2000
dev tun0
secret /tmp/static.key
cipher AES-256-CBC
verb 4
comp-lzo
keepalive 15 60
ping-timer-rem
auth-nocache
daemon
" > SiteA-SiteB.conf
# Initiate the tunnel
sleep 5
/tmp/myvpn --config SiteA-SiteB.conf
#Use VPN tun0 for internet access from 192.168.4.202
ip route add default via 10.0.0.1 dev tun0 table 200
ip rule add from 192.168.4.202 table 200
ip route flush cache
Chain POSTROUTING (policy ACCEPT 13 packets, 4027 bytes)
pkts bytes target prot opt in out source destination
31 2016 SNAT 0 -- * vlan2 192.168.0.0/24 0.0.0.0/0 to:[My public IP address for Site A]
2 172 SNAT 0 -- * vlan2 192.168.2.0/24 0.0.0.0/0 to:[My public IP address for Site A]
0 0 MASQUERADE 0 -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x80000000/0x80000000
42 2734 MASQUERADE 0 -- * vlan2 0.0.0.0/0 0.0.0.0/0
ip route show table main
default via [First Three Numbers of My public IP address for Site A].1 dev vlan2
10.0.0.0/24 dev tun0 scope link src 10.0.0.1
[First Three Numbers of My public IP address for Site A].0/19 dev vlan2 scope link src [My public IP address for Site A]
127.0.0.0/8 dev lo scope link
169.254.0.0/16 dev br0 scope link src 169.254.255.1
192.168.0.0/24 dev br0 scope link src 192.168.0.1
192.168.2.0/24 dev br1 scope link src 192.168.2.1
192.168.4.0/24 via 10.0.0.2 dev tun0
ip rule list
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
Chain POSTROUTING (policy ACCEPT 198 packets, 14003 bytes)
pkts bytes target prot opt in out source destination
2 136 SNAT 0 -- * vlan2 192.168.4.0/24 0.0.0.0/0 to:[My public IP address for Site B]
0 0 MASQUERADE 0 -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x80000000/0x80000000
ip route show table main
default via [First Three Numbers of My public IP address for Site B].1 dev vlan2
10.0.0.0/24 dev tun0 scope link src 10.0.0.2
[First Three Numbers of My public IP address for Site B].0/21 dev vlan2 scope link src [My public IP address for Site B]
127.0.0.0/8 dev lo scope link
169.254.0.0/16 dev br0 scope link src 169.254.255.1
192.168.0.0/24 via 10.0.0.1 dev tun0
192.168.4.0/24 dev br0 scope link src 192.168.4.1
ip route show table 200
default via 10.0.0.1 dev tun0
ip rule list
0: from all lookup local
32765: from 192.168.4.202 lookup 200
32766: from all lookup main
32767: from all lookup default
How can that be? Whatever is causing this needs to be corrected because it's NOT normal.
I reran the command on the server router and obtained the below. There seems to be a bug in the GUI command shell window where sometimes it comes back blank.
I added this to the firewall script of the client and it does not help, internet still dead from 192.168.4.202 instead of going through VPN. Adding this rule did affect the result of iptables -t nat -vnL POSTROUTING on the client router, as it now produces
Code:
Chain POSTROUTING (policy ACCEPT 243 packets, 19068 bytes)
pkts bytes target prot opt in out source destination
37 2368 MASQUERADE 0 -- * tun0 0.0.0.0/0 0.0.0.0/0
111 7921 SNAT 0 -- * vlan2 192.168.4.0/24 0.0.0.0/0 to:[My public IP address for Site B]
0 0 MASQUERADE 0 -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x80000000/0x80000000
Should I run this on the client router, or on the server router, or both?
And before I run the above command, should I remove the below rule egc suggested I add to the client to return to the original scripts in my first post?
There's no need to NAT the OpenVPN tunnel on the client side. Each side is already capable of routing to the other side because each has the necessary routing information in their respective routing tables. NAT just adds unnecessary overhead and masks the actual source IP of the client should you want to filter based on it.
OK, eliminating this line from client firewall works:
iptables -I POSTROUTING -t nat -o tun0 -j MASQUERADE
eibgrad wrote:
On the server side, I suggest you be consistent when it comes to NAT'ing over the WAN (vlan2). By default, 192.168.0.0/24 is already NAT'd by the router. And when you added the 192.168.2.0/24 network on that same side, you added an SNAT rule. So do the same for the 192.168.4.0/24 network as well (rather than NAT'ing everything unconditionally).
That's still a requirement. I'm merely suggesting you replace the following ...
Code:
# this is unconditional!
iptables -t nat -A POSTROUTING -o `get_wanface` -j MASQUERADE
with ...
Code:
# this is conditional; it only applies to 192.168.4.0/24
iptables -t nat -I POSTROUTING -s 192.168.4.0/24 -o vlan2 -j SNAT --to `nvram get wan_ipaddr`
because it's more consistent with what you did when you needed 192.168.2.0/24 to have the same access over the WAN.
OK, this does work. About the SNAT rule for 192.168.2.x, that was generated when I added a guest WiFi network using the GUI under WiFi settings and also the networking settings to put that virtual WiFi on its own subnet with a bridge (which is working and was not intended to be part of this discussion).
What is the difference between these two options and why is MASQUERADE better? If I switch, it would be for the use VPN for internet situation as I did not code the rule for the guest WiFi network on 192.168.2.x.