OpenVPN Bridged Site-to-Site (TAP) Routing Configuration?

mrengles
DD-WRT User


Joined: 25 Feb 2010
Posts: 255

Posted: Fri Jan 15, 2016 18:29    Post subject: OpenVPN Bridged Site-to-Site (TAP) Routing Configuration?
Sorry posted in the wrong forum sections. Please move --> Advanced Networking

Hello Everyone

I have set up my Netgear R8000 & R7000 with DD-WRT v3.0-r28800M kongac (01/14/16) and have configured both the R8000 server and R7000 client with a bridged (TAP) OpenVPN setup. The connection between the two gateways is successful as shown on both OpenVPN status pages, but I can't access anything on the server side subnet 172.16.4.0/24 from my client side subnet 172.16.5.0/24 and vice versa.

If I telnet/ssh into the server (at 172.16.4.1), from there I can only ping the other machines on the same 172.16.4.0/24 subnet and the single client IP 172.16.5.1, but not any other machines on the 172.16.5.0/24 subnet.

If I telnet/ssh into the client (at 172.16.5.1), from there I can ping any machine and the server on either subnet 172.16.5.0/24 and 172.16.4.0/24, but the machines behind the DD-WRT client (at home) can't ping anything behind the DD-WRT server (at work) side network?

I have NAT disabled on the DD-WRT client, because I would rather not have every machine hide behind a single IP. But if I enable NAT for testing purposes, my machines (at home) on the client side network 172.16.5.0/24 can access the server side (at work) subnet 172.16.4.0/24. The server side still can't access the client side network though.

Would someone mind looking over my network diagram and server/client configurations and help me get this issue sorted out?

I hope this makes sense? Please ask if you have any questions.

I'll post the OpenVPN server and client configurations in the next two posts...

Thank you very much!

Gratitude,

Robert aka Mrengles



[Attachment: Network Diagram.png]




Last edited by mrengles on Fri Jan 15, 2016 19:39; edited 2 times in total
mrengles
DD-WRT User


Joined: 25 Feb 2010
Posts: 255

Posted: Fri Jan 15, 2016 18:31
DD-WRT OpenVPN Server Configurations:


[Attachment: Server Firewall.png]

[Attachment: Server OpenVPN.png]

[Attachment: Server Static Route.png]


mrengles
DD-WRT User


Joined: 25 Feb 2010
Posts: 255

Posted: Fri Jan 15, 2016 18:33
DD-WRT OpenVPN Client Configurations:


[Attachment: Client Firewall.png]

[Attachment: Client OpenVPN.png]


mrengles
DD-WRT User


Joined: 25 Feb 2010
Posts: 255

Posted: Sat Jan 16, 2016 3:41
Okay, well, I figured out my own problem!

I had the wrong Gateway for my Static Route on the DD-WRT OpenVPN Server. You can see the image above shows 172.16.4.1, but it should be 172.16.4.51.

The Static Routing Gateway should be the same IP as the DD-WRT OpenVPN Client when setting up a Site-To-Site OpenVPN, at least with my (this) particular setup. It works this way at least.

Now I just need to figure out how to get OpenVPN -> Client -> Bridge TAP to br0 working.

Does anyone have any ideas what Firewall or other settings might be needed?

When I enable Bridge TAP on br0 on the client side DD-WRT gateway I lose access to the server and client subnets again, but the Bonjour and broadcasted servers show, they just are not accessible to connect.

Any help would be greatly appreciated!

Thanks again,

Gratitude,

Robert aka Mrengles
leedawg
DD-WRT Novice


Joined: 29 Aug 2013
Posts: 13

Posted: Sat Jan 16, 2016 22:11
I think I'd have to agree with eibgrad, not really sure what you are trying to accomplish with bridging tap to br0. What your network diagram shows is a routed VPN.
mrengles
DD-WRT User


Joined: 25 Feb 2010
Posts: 255

Posted: Sun Jan 17, 2016 7:27
So if I'm going to keep the bridged setup then disable DHCP on my client router, otherwise change to Tun and keep the subnets separate?

I guess my real problem is I want too much out of the VPN and need to pick one.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

Posted: Sun Jan 17, 2016 12:20
Do you really want all the Broadcasts to traverse over the VPN?

Change to "tun".

To keep it bridged, you can change the netmask to 255.255.254.0. That will put both 172.16.4.x and 172.16.5.x in the same sub-net.
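
The two fixes discussed in this thread (the server's static route gateway of 172.16.4.51 instead of 172.16.4.1, and the 255.255.254.0 netmask suggestion) can be checked with a short script. This is an added example, not part of any post; the function names and the host addresses 172.16.4.10 and 172.16.5.10 are constructed for illustration.

```python
import ipaddress

def check_static_route(local_ifaces, dest, gateway):
    """Classify a static route as seen by the router that holds it.

    local_ifaces: the router's own addresses, e.g. ["172.16.4.1/24"]
    dest:         destination network of the route
    gateway:      next hop entered for the route
    """
    ifaces = [ipaddress.ip_interface(i) for i in local_ifaces]
    dest_net = ipaddress.ip_network(dest)
    gw = ipaddress.ip_address(gateway)

    # Destination already lies inside a connected network: hosts are
    # reached directly on the segment and no static route is needed.
    if any(dest_net.subnet_of(i.network) for i in ifaces):
        return "destination-on-link"
    # Next hop is one of the router's own addresses: the packet is never
    # handed to the far side of the tunnel.
    if any(gw == i.ip for i in ifaces):
        return "gateway-is-self"
    # Next hop is not reachable on any connected network.
    if not any(gw in i.network for i in ifaces):
        return "gateway-off-link"
    return "ok"

def same_subnet(a, b, netmask):
    """True if hosts a and b share one subnet under the given netmask."""
    net = ipaddress.ip_network(f"{a}/{netmask}", strict=False)
    return ipaddress.ip_address(b) in net

if __name__ == "__main__":
    server = ["172.16.4.1/24"]  # server br0 address from the thread
    for gw in ("172.16.4.1", "172.16.4.51"):
        print(gw, check_static_route(server, "172.16.5.0/24", gw))
    # Constructed host addresses, one per site.
    for mask in ("255.255.255.0", "255.255.254.0"):
        print(mask, same_subnet("172.16.4.10", "172.16.5.10", mask))
    # With the wider mask on br0 the route to 172.16.5.0/24 is redundant.
    print(check_static_route(["172.16.4.1/255.255.254.0"],
                             "172.16.5.0/24", "172.16.4.51"))
```
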
leedawg
DD-WRT Novice


Joined: 29 Aug 2013
Posts: 13

Posted: Sun Jan 17, 2016 16:18
I think the real problem is you need to ask yourself what are you trying to accomplish?

If you simply would like to have the resources on the other subnet available to you, routed VPN is the way to go. Only the traffic that is destined for the other subnet gets transmitted across the VPN, which in my opinion is the most efficient way to do this; otherwise, as Per Yngve Berg said, all the broadcasts are going to be going back and forth over the VPN, hogging up what little upload bandwidth you have available. My wide area network upload bandwidth at 50 megabits seems like not enough some days if there are several interoffice phone calls in progress as well as heavy database queries, and then I can't imagine stacking all the network noise on top of that.

When you say you want too much out of the VPN, what is not delivering?

And I assume you got this all up and running by now.
msantos2007
DD-WRT User


Joined: 13 Oct 2009
Posts: 246

Posted: Sat Oct 12, 2019 16:05
Special thanks to @eibgrad for his great explanation.

This thread is the best I found as of 2019-OCT. It indeed helped me to configure my network in minutes.

This should be Wiki(ed) as an example along with:

https://wiki.dd-wrt.com/wiki/index.php/OpenVPN_-_Site-to-Site_Bridged_VPN_Between_Two_Routers

https://wiki.dd-wrt.com/wiki/index.php/OpenVPN