OpenVPN Routing to VLANs

MaxMad1998
DD-WRT Novice


Joined: 25 Sep 2020
Posts: 2

Posted: Fri Sep 25, 2020 3:15    Post subject: OpenVPN Routing to VLANs
Hi everyone! I am trying to set up an OpenVPN server on my router. The server works and allows remote access. However, I am unable to access the two VLANs through the tunnel. The first of the two VLANs is at 192.168.1.0/24, the second is at 192.168.2.0/24.

I see that the packets are successfully routed to devices on the VLANs when I ping from a client. However, the packets hit the router but never make it back. I attempted several FORWARD rules with no luck.

One quirk I noticed is that when I apply the settings in the GUI, a single ICMP packet is often able to loop through the entire circuit. This makes me unsure whether or not there's something else on the router that I should be looking at instead.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6406
Location: Netherlands

Posted: Fri Sep 25, 2020 6:26    Post subject:
Welcome to the forum

To get the best possible support follow the forum guidelines, link in my signature at the bottom of this post.

The forum guidelines tell you what information you need to post and in what forums to post to get the best possible support (and other very useful information).

I am now transferring this post to the appropriate forum (Advanced Networking)

_________________
Routers:Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
OpenVPN Policy Based Routing: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Server setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
Wireguard Client setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624
Wireguard Advanced setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324787
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8350

Posted: Sat Sep 26, 2020 3:17    Post subject:
Just to be sure, that OpenVPN server is established on the same router where those two networks are defined, correct?

Did you push those specific IP networks to the OpenVPN client by adding the appropriate OpenVPN directives in the OpenVPN server Additional Config field?

Code:
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"


Assuming you did, beware that Windows clients typically will NOT respond to any *private* IP network other than the one on which they are running. For example, if the tunnel is using 10.8.0.0/24 and the local network behind the OpenVPN server is 192.168.1.0/24, the Windows firewall, by default, will block it!

Another problem you have to watch out for is using the all-too-common 192.168.1.x and 192.168.0.x networks at home when you intend to access them remotely over a VPN. There's always the risk the local network used by the OpenVPN client is the *same*, and therefore routing to your remote network is NOT possible (all references are treated as local to that OpenVPN client). Of course, this could happen w/ *any* private network you happen to choose for the tunnel, but the use of 192.168.1.x and 192.168.0.x are so common, it vastly increases the likelihood of this happening.

As an aside, I once stayed at a hotel in Pittsburgh that used 192.168.0.0/16 for its local network! Needless to say, anyone w/ a 192.168.x.x network at home had no chance of establishing a VPN back home. That's an extreme example, but it illustrates how things can go wrong through no fault of your own.

_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
ddwrt-ovpn-split-basic.sh (UPDATED!)
ddwrt-ovpn-split-advanced.sh (UPDATED!)
ddwrt-blacklist-domains.sh (UPDATED!)
ddwrt-ovpn-client-backup.sh
ddwrt-mount-usb-drives.sh
ddwrt-ovpn-remote-access.sh
ddwrt-pptp-policy-based-routing.sh
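An added example, not code from the thread or from DD-WRT, that mechanises the subnet-collision check eibgrad describes: it parses the tunnel subnet and the pushed routes from a constructed OpenVPN server config and reports which of them a given client-side LAN overlaps (the hotel 192.168.0.0/16 case included). The config text and the client networks are constructed sample values.

```python
"""Detect client-side LANs that collide with routes an OpenVPN server pushes.

A pushed route that overlaps the network the client is sitting on is
unreachable: the client treats those addresses as local and never sends
them into the tunnel.  Sample config and client LANs below are constructed.
"""
import ipaddress
import re

# Constructed sample of the server's route-related directives.
SERVER_CONFIG = """
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
"""

_ROUTE_RE = re.compile(r'^\s*push\s+"route\s+(\S+)\s+(\S+)"')
_SERVER_RE = re.compile(r'^\s*server\s+(\S+)\s+(\S+)')


def advertised_networks(config: str) -> list[ipaddress.IPv4Network]:
    """Return the tunnel subnet and every pushed route as IPv4Network objects."""
    nets = []
    for line in config.splitlines():
        m = _SERVER_RE.match(line) or _ROUTE_RE.match(line)
        if m:
            # ipaddress accepts a dotted netmask after the slash, so no
            # separate netmask-to-prefix conversion is needed.
            nets.append(ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return nets


def collisions(config: str, client_lans: list[str]) -> list[tuple[str, str]]:
    """Pair each client-side LAN with every advertised network it overlaps.

    An empty list means the client can reach everything the server pushes.
    """
    found = []
    for lan in client_lans:
        lan_net = ipaddress.IPv4Network(lan, strict=False)
        for net in advertised_networks(config):
            if lan_net.overlaps(net):
                found.append((str(lan_net), str(net)))
    return found


if __name__ == "__main__":
    # A home client on 192.168.1.0/24 loses the first VLAN; a /16 loses both.
    for lans in (["192.168.1.0/24"], ["192.168.0.0/16"], ["172.16.5.0/24"]):
        print(lans, "->", collisions(SERVER_CONFIG, lans) or "no overlap")
```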
MaxMad1998
DD-WRT Novice


Joined: 25 Sep 2020
Posts: 2

Posted: Sat Sep 26, 2020 6:44    Post subject:
eibgrad wrote:
Just to be sure, that OpenVPN server is established on the same router where those two networks are defined, correct?
[...]

Thank you for your reply Eibgrad. I greatly appreciate it. The two subnets are defined behind the router. In addition, I also pushed both routes from the server and ensured that they were added to the routing tables of the clients. Unrooted Android will not properly let me check this for some reason. The current subnets I'm using are only temporary and I fully intend to find a more suitable range once I know how the VPN is configured.

I managed to get the tunnel working last night. While I'm not 100% sure, I believe that the issue I had was related to the mitigation for CVE-2019-14899. While I still need to read up on all of the details, it appears that the reverse packet filtering was causing the problem. What really convinced me was the Subversion entry I found at https://svn.dd-wrt.com/ticket/6920 in which someone said:

Quote:
The second method @BrainSlayer already adopted would totally block VPN clients to access services on the server network, except the router itself.


These are the specific symptoms I experienced on my end. As a temporary measure, I've gone ahead and disabled the mitigation as a test and it appears to work.

I'm now attempting to set up a WireGuard tunnel due to its higher performance, but it appears that I'm running into the same issue again. This time, disabling the mitigation didn't seem to make a difference. Therefore, I'm not sure if the mitigation makes no difference, or if I'm missing iptables rules which I have for OpenVPN. Nonetheless, I'm going to read through the materials I've found and see if I'm on the right track.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6406
Location: Netherlands

Posted: Sat Sep 26, 2020 7:04    Post subject:
You get the best possible help if you follow the forum guidelines:
What router
What build
How is your network setup
What guide did you follow to setup?

I pointed you to my signature at the bottom of this post did you even look?

All the information is there.

Not only the forum guidelines but also how to setup Openvpn server (with a paragraph about the CVE mitigation patch) and also Wireguard setup guides.

