I have a setup with an OpenVPN server on my router at home, and an OpenVPN client router behind another router remotely. I can reach the remote router at 192.168.4.1 and the rest of that network. I am trying to set up the routing so I can also reach the router in front of it (10.1.10.1).
I configured the CCD for the remote router. If I have understood it correctly, I only need to add the iroute for 10.1.10.0 since the actual route for that network is already registered in the router.
The routing table on my home router looks something like this. There is an entry to send the traffic to 10.1.10.0.
Code:
Destination LAN NET Subnet Mask Gateway Flags Metric Interface
default 0.0.0.0 x.x.x.x UG 0 WAN
10.1.10.0 255.255.255.0 192.168.102.2 UG 0 tun2
x.x.x.x 255.255.252.0 * U 0 WAN
192.168.2.0 255.255.255.0 * U 0 LAN & WLAN
192.168.4.0 255.255.254.0 192.168.102.2 UG 0 tun2
192.168.102.0 255.255.255.0 * U 0 tun2
On the client router (WAN: 10.1.10.113 / LAN: 192.168.4.1) there is the standard route to 10.1.10.0.
Code:
Destination LAN NET Subnet Mask Gateway Flags Metric Interface
default 0.0.0.0 10.1.10.1 UG 0 WAN
10.1.10.0 255.255.255.0 * U 0 WAN
192.168.0.0 255.255.252.0 192.168.102.1 UG 0 tun1
192.168.4.0 255.255.255.0 * U 0 LAN & WLAN
Yet I can't reach the secondary router at 10.1.10.1 from home. Any suggestions where I am hitting a snag?
_________________
Linksys: Several WRTxx00AC variations | Netgear: 4x WNDR4500v2, 7x WNDR4300, R6400v1 | Asus: 2x RT-AC66U | Gl.inet: 3x GL-AR150
What would you advise it be? I tried a few variations with the specific subnet included, but it didn't work for me (or I did something wrong).
Joined: 18 Mar 2014 Posts: 12889 Location: Netherlands
Posted: Tue May 26, 2020 11:00 Post subject:
Well, it is an academic discussion; like I said, your rule gets the job done.
In general I was taught to be as specific as possible when setting firewall rules, so as not to leave holes open.
As the purpose of this rule is to NAT traffic coming from the OpenVPN subnet out via the WAN interface, I would specify the OpenVPN subnet, like
Code:
-s 10.8.0.0/24
Second point: at least you specify the interface, that is good. The interface is the WAN, and if you know your WAN you can add it directly (VLAN2, VLAN0, ETH0, PPoE0 etc.); as there is no intermediate step that is actually the quickest, but that is nitpicking.
So we use something to query the router for the WAN interface in use.
Basically you can use 4 queries (well, there are more, but these are the four most used):
Code:
nvram get wan_ifname
nvram get wan_iface
get_wanface
WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
echo $WAN_IF
The first two work in 90% of the routers, the third in 99.99%.
The fourth can be used if the third is not working
(it will also work in 99.99% of normal use cases).
So I do not advise using the first two: someone sees it, uses it, and it might not work.
So my ideal rule would be:
That is, if 10.8.0.0/24 is your VPN subnet.
As users do not literally follow the guide and use other subnets, but still copy the rule from the guide (and then of course it is not working), a lot of instructions omit the subnet like you are doing.
As I said, yours is not wrong; it is also a matter of personal preference.
Given that there are at least 3 OpenVPN clients connecting to the main server and routing to each client, I've ended up with the original statement, modified to use get_wanface. If I encounter issues, I will define each applicable subnet in iptables.
Joined: 18 Mar 2014 Posts: 12889 Location: Netherlands
Posted: Tue May 26, 2020 19:53 Post subject:
Yes, the server is probably not NATting on the tun interface.
So traffic to the client can come from the server's subnet and from one of the connected VPN clients.
So in that case you should specify the OVPN subnet and the server's subnet.
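Added example (not code from the thread): it reproduces the WAN-interface detection from the earlier reply (get_wanface first, the route/awk one-liner as fallback) and builds MASQUERADE rules that name their source subnets, as the last reply recommends, instead of NATting everything leaving the WAN. The routing table and the subnets (10.8.0.0/24 VPN, 192.168.2.0/24 LAN, interface vlan2) are constructed assumptions, not the poster's router.

```shell
#!/bin/sh
# Constructed sample of `route -n` output; not a real router's table.
SAMPLE_ROUTE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 vlan2
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun2
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 br0'

# wan_iface_from_table: read `route -n` output on stdin and print the interface
# of the (last) default route, the same logic as the awk one-liner in the thread.
wan_iface_from_table() {
    awk '/^0\.0\.0\.0/ {wif=$NF} END {print wif}'
}

# wan_iface: prefer the DD-WRT helper get_wanface when it exists, otherwise
# fall back to parsing the live routing table.
wan_iface() {
    if command -v get_wanface >/dev/null 2>&1; then
        get_wanface
    else
        route -n | wan_iface_from_table
    fi
}

# nat_rules <wan_if> <subnet>...: print one MASQUERADE rule per subnet, each
# restricted to a source subnet and the WAN interface, so that only the
# networks you list (VPN subnet, server LAN) are translated.
nat_rules() {
    wan="$1"; shift
    for net in "$@"; do
        printf 'iptables -t nat -I POSTROUTING -s %s -o %s -j MASQUERADE\n' "$net" "$wan"
    done
}

# On the router (assumed subnets), review the output and then pipe it to sh:
#   nat_rules "$(wan_iface)" 10.8.0.0/24 192.168.2.0/24
```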