Unable to ping devices on OpenVPN server's network

DD-WRT Forum Index -> Advanced Networking
buffpatel
DD-WRT User


Joined: 22 Feb 2011
Posts: 115

PostPosted: Mon Aug 10, 2020 20:26    Post subject: Unable to ping devices on OpenVPN server's network
Hello,

5 years ago, with help from this forum, I was able to successfully set up a site-to-site OpenVPN tunnel connection from my parents' network to my home network. This connection worked both ways and I could ping all devices on their network and they could ping all devices on my network without issue.

I also created different OpenVPN certificates for my cellphone and laptop so when traveling I could connect to my router (OpenVPN server). That way, from my laptop or cellphone, I could browse my local network and through the tunnel I could browse my parents' network. It was really nice and everything worked as it should.

Link to that thread for review:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=999241

A few days ago I discovered that I can no longer browse either my home network or my parents' network with my cellphone or laptop when connected through OpenVPN. I can still ping and access both routers, however. I just cannot ping anything on either network. Interestingly, the site-to-site tunnel connection is still working perfectly. From any device on my home network or any device on my parents' network, I can ping any device on the other network.

The strange thing is that I haven't changed any configuration as far as the OpenVPN config goes. I'm wondering if perhaps over the years OpenVPN has changed and so maybe my config might now be outdated.


Both routers for the OpenVPN tunnel are R8000s running DD-WRT build 44085 (8/7/20).

My config is as follows:

Server IP (my router): 192.168.10.1
Client IP (parents router): 192.168.1.1

OpenVPN server config is in the attached picture:

Additional config:
push "route 192.168.10.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
route 192.168.1.0 255.255.255.0
verb 1
mute 5

Firewall:
#!/bin/sh
OVPN_SERVER="10.1.1.0/24"
OVPN_DEV="tun2"
OVPN_PROTO="udp"
OVPN_PORT="43081"

WAN_IF="$(ip route | awk '/^default/{print $NF}')"

# open the OpenVPN server port
iptables -I INPUT -i $WAN_IF -p $OVPN_PROTO --dport $OVPN_PORT -j ACCEPT
# allow OpenVPN clients to access the OpenVPN server
iptables -I INPUT -i $OVPN_DEV -m state --state NEW -j ACCEPT
# allow OpenVPN clients to access ALL other devices on the LAN
iptables -I FORWARD -i $OVPN_DEV -m state --state NEW -j ACCEPT
# allow local devices to become clients of the remote network
iptables -I FORWARD -o $OVPN_DEV -m state --state NEW -j ACCEPT
# allow OpenVPN clients to use the OpenVPN server as an internet gateway
iptables -t nat -A POSTROUTING -s $OVPN_SERVER -o $WAN_IF -j MASQUERADE


Laptop OpenVPN Config:

client
dev tun
proto udp
tun-mtu 1500
remote ******** 43081
redirect-gateway
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
cipher AES-256-CBC
verb 1
float

ca ca.crt
cert Laptop.crt
key Laptop.key
tls-auth ta.key 1


OpenVPN server log showing my laptop connecting:
20200810 15:30:00 W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
20200810 15:30:00 W WARNING: file '/tmp/openvpn/ta.key' is group or others accessible
20200810 15:30:00 I OpenVPN 2.4.9 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug 7 2020
20200810 15:30:00 I library versions: OpenSSL 1.1.1g 21 Apr 2020 LZO 2.09
20200810 15:30:00 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20200810 15:30:00 I TUN/TAP device tun2 opened
20200810 15:30:00 I /sbin/ifconfig tun2 10.1.1.1 netmask 255.255.255.0 mtu 1500 broadcast 10.1.1.255
20200810 15:30:09 W Could not determine IPv4/IPv6 protocol. Using AF_INET
20200810 15:30:09 I UDPv4 link local (bound): [AF_INET][undef]:43081
20200810 15:30:09 I UDPv4 link remote: [AF_UNSPEC]
20200810 15:30:09 I ifconfig_pool_read() in='MomAndDad 10.1.1.2' TODO: IPv6
20200810 15:30:09 I succeeded -> ifconfig_pool_set()
20200810 15:30:09 I Initialization Sequence Completed
20200810 15:30:12 I ***:48185 peer info: IV_VER=2.4.9
20200810 15:30:12 I ***:48185 peer info: IV_PLAT=linux
20200810 15:30:12 I ***:48185 peer info: IV_PROTO=2
20200810 15:30:12 I ***:48185 peer info: IV_NCP=2
20200810 15:30:12 I ***:48185 peer info: IV_LZ4=1
20200810 15:30:12 I ***:48185 peer info: IV_LZ4v2=1
20200810 15:30:12 I ***:48185 peer info: IV_LZO=1
20200810 15:30:12 I ***:48185 peer info: IV_COMP_STUB=1
20200810 15:30:12 I ***:48185 peer info: IV_COMP_STUBv2=1
20200810 15:30:12 I ***:48185 peer info: IV_TCPNL=1
20200810 15:30:12 I ***:48185 [MomAndDad] Peer Connection Initiated with [AF_INET]***:48185
20200810 15:30:12 I MomAndDad/***:48185 MULTI_sva: pool returned IPv4=10.1.1.2 IPv6=(Not enabled)
20200810 15:34:43 I *****:8010 peer info: IV_VER=2.4.9
20200810 15:34:43 I *****:8010 peer info: IV_PLAT=win
20200810 15:34:43 I *****:8010 peer info: IV_PROTO=2
20200810 15:34:43 I *****:8010 peer info: IV_NCP=2
20200810 15:34:43 I *****:8010 peer info: IV_LZ4=1
20200810 15:34:43 I *****:8010 peer info: IV_LZ4v2=1
20200810 15:34:43 I *****:8010 peer info: IV_LZO=1
20200810 15:34:43 I *****:8010 peer info: IV_COMP_STUB=1
20200810 15:34:43 I *****:8010 peer info: IV_COMP_STUBv2=1
20200810 15:34:43 I *****:8010 peer info: IV_TCPNL=1
20200810 15:34:43 I *****:8010 peer info: IV_GUI_VER=OpenVPN_GUI_11
20200810 15:34:43 I *****:8010 [Laptop] Peer Connection Initiated with [AF_INET]*****:8010
20200810 15:34:43 I Laptop/*****:8010 MULTI_sva: pool returned IPv4=10.1.1.4 IPv6=(Not enabled)
20200810 15:39:35 I *****:8031 peer info: IV_VER=2.4.9
20200810 15:39:35 I *****:8031 peer info: IV_PLAT=win
20200810 15:39:35 I *****:8031 peer info: IV_PROTO=2
20200810 15:39:35 I *****:8031 peer info: IV_NCP=2
20200810 15:39:35 I *****:8031 peer info: IV_LZ4=1
20200810 15:39:35 I *****:8031 peer info: IV_LZ4v2=1
20200810 15:39:35 I *****:8031 peer info: IV_LZO=1
20200810 15:39:35 I *****:8031 peer info: IV_COMP_STUB=1
20200810 15:39:35 I *****:8031 peer info: IV_COMP_STUBv2=1
20200810 15:39:35 I *****:8031 peer info: IV_TCPNL=1
20200810 15:39:35 I *****:8031 peer info: IV_GUI_VER=OpenVPN_GUI_11
20200810 15:39:35 I *****:8031 [Laptop] Peer Connection Initiated with [AF_INET]*****:8031
20200810 15:39:35 I MULTI_sva: pool returned IPv4=10.1.1.4 IPv6=(Not enabled)



If needed I can provide my parents' router (OpenVPN client) config as well. I left it out as I don't think it's causing my problem.

Any ideas on why my laptop can only ping the OpenVPN server, but can't reach anything else?

Thanks in advance!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10403
Location: Netherlands

PostPosted: Mon Aug 10, 2020 20:41    Post subject:
Things have changed a lot.

See my signature for the OpenVPN server setup guide.

Start with disabling the CVE mitigation patch in the OVPN GUI.
This could be your problem.

Have a look at the guide; there is only one firewall rule necessary!!

_________________
Routers:Netgear R7800, R7000, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
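Added example, not from the thread or the guide, in the router's own shell: it audits an `iptables -S FORWARD` listing for the two FORWARD ACCEPT rules the poster's firewall script installs (`-i tun2` and `-o tun2`) and reports when an earlier DROP/REJECT for the tunnel device shadows them, the kind of silent block that leaves a client able to reach the router but nothing behind it. Both listings are constructed samples; the shadowing DROP rule is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit an `iptables -S FORWARD` listing for the
# FORWARD ACCEPT rules the poster's script installs and detect a DROP/REJECT placed
# ahead of them. Listings below are constructed; the DROP line is hypothetical.

# Constructed listing with a blocking rule inserted ahead of the ACCEPTs (broken state)
SHADOWED_RULES='-P FORWARD ACCEPT
-A FORWARD -i tun2 -j DROP
-A FORWARD -o tun2 -m state --state NEW -j ACCEPT
-A FORWARD -i tun2 -m state --state NEW -j ACCEPT
-A FORWARD -i br0 -o vlan2 -j ACCEPT'

# Same constructed listing without the blocking rule (working state)
CLEAN_RULES='-P FORWARD ACCEPT
-A FORWARD -o tun2 -m state --state NEW -j ACCEPT
-A FORWARD -i tun2 -m state --state NEW -j ACCEPT
-A FORWARD -i br0 -o vlan2 -j ACCEPT'

# first_match LISTING REGEX: print the 1-based line number of the first rule matching REGEX
first_match() {
    printf '%s\n' "$1" | grep -n -E -- "$2" | head -n 1 | cut -d: -f1
}

# forward_allowed LISTING DEV DIR: DIR is -i (traffic from the tunnel) or -o (traffic to it).
# Returns 0 when an ACCEPT for DEV in that direction exists and no DROP/REJECT for the
# same DEV/DIR comes before it; iptables evaluates top-down and the first match wins.
forward_allowed() {
    listing=$1; dev=$2; dir=$3
    accept=$(first_match "$listing" "^-A FORWARD .*$dir $dev .*-j ACCEPT")
    if [ -z "$accept" ]; then
        echo "FORWARD: no ACCEPT rule for $dir $dev" >&2
        return 1
    fi
    block=$(first_match "$listing" "^-A FORWARD .*$dir $dev .*-j (DROP|REJECT)")
    if [ -n "$block" ] && [ "$block" -lt "$accept" ]; then
        echo "FORWARD: ACCEPT for $dir $dev (rule $accept) is shadowed by rule $block" >&2
        return 1
    fi
    return 0
}

# audit LISTING DEV: both directions must pass for road-warrior clients to reach the LAN.
# On the router itself the listing would come from: iptables -S FORWARD
audit() {
    rules=$1; dev=$2
    forward_allowed "$rules" "$dev" -i && forward_allowed "$rules" "$dev" -o
}

audit "$SHADOWED_RULES" tun2 || echo "shadowed listing: clients cannot reach the LAN"
audit "$CLEAN_RULES" tun2 && echo "clean listing: forwarding for tun2 is permitted"
```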
buffpatel
DD-WRT User


Joined: 22 Feb 2011
Posts: 115

PostPosted: Tue Aug 11, 2020 1:41    Post subject:
egc wrote:
Things have changed a lot.

See my signature for the OpenVPN server setup guide.

Start with disabling the CVE mitigation patch in the OVPN GUI.
This could be your problem.

Have a look at the guide; there is only one firewall rule necessary!!


Thank you! Disabling the CVE mitigation patch on my server router fixed it and now everything with my VPN is working correctly!

I downloaded the OpenVPN guide and looked through it. I'm very impressed with the guide - it's well written and very thorough. Thanks for making the guide so people like me who aren't as familiar with advanced networking can get this set up. I'll look through the guide and see if I can simplify my configuration and get rid of some of my firewall rules.