OpenVPN client access from LAN

DD-WRT Forum Index -> Advanced Networking
Szszescie
DD-WRT Novice


Joined: 28 Jan 2022
Posts: 9

Posted: Fri Jan 28, 2022 20:18    Post subject: OpenVPN client access from LAN
I established a VPN tunnel between two routers over the internet with the goal to allow traffic to flow between any clients on either LAN.

One router is an Asus RT-AX86 with stock firmware and the OpenVPN server configured. Its LAN subnet is 192.168.1.0/24 and there is a device with a web server on it at 192.168.1.58.

The other router is an Asus RT-AC68U running dd-wrt v3.0-r44715 std. Its LAN subnet is 192.168.4.0/24.

The dd-wrt router connects to the Asus router just fine with the following configuration parameters:

Code:
remote 99.99.99.99 1194
float
nobind
proto udp
dev tun8
sndbuf 0
rcvbuf 0
keepalive 10 30
comp-lzo yes
auth-user-pass
client
auth SHA1
cipher AES-128-CBC
(keys omitted)


Once the connection is established, a route to access the Asus LAN is created on the dd-wrt router. From an ssh session on the dd-wrt router, I can ping 192.168.1.58 and wget the home page from it.

None of the clients on the dd-wrt LAN, however, can access the LAN behind the Asus router. Ping and wget requests simply time out.

I tried enabling forwarding between the dd-wrt LAN and the VPN tunnel with the following commands, to no avail:

Code:
iptables -I FORWARD -i br0 -o tun8 -j ACCEPT
iptables -I FORWARD -i tun8 -o br0 -j ACCEPT

What am I missing? Is it possible that the stock router blocks traffic from IP addresses other than that of the VPN client?
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Fri Jan 28, 2022 20:47
Sounds like you added stuff to the Additional Config field on the dd-wrt router, which is usually a bad idea. Most are unnecessary and more likely to cause problems than help. No additional firewall rules are necessary either.

On the OpenVPN server side, you need to make sure you configured the Manage Client-Specific Options section and added an entry for the LAN network of the OpenVPN client (do NOT push it). That OpenVPN client needs to be identified by its CN (Common Name) on its cert. Also, you need to disable the Inbound Firewall option on the OpenVPN client. And do NOT NAT the OpenVPN client either. There's no need to NAT the tunnel w/ a site-to-site tunnel if configured properly.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
Szszescie
DD-WRT Novice


Joined: 28 Jan 2022
Posts: 9

Posted: Fri Jan 28, 2022 20:57
Thanks eibgrad, your solution is the right one. I was tinkering in parallel and figured it out using information from here: https://openvpn.net/community-resources/how-to/#expanding-the-scope-of-the-vpn-to-include-additional-machines-on-either-the-client-or-server-subnet

First, I needed to set up additional parameters in the server configuration:

Code:
username-as-common-name
client-config-dir ccd
route 192.168.4.0 255.255.255.0


Then, I needed to create the client-specific file in /tmp/etc/openvpn/server1/ccd/hangar (hangar is the username), containing:

Code:
iroute 192.168.4.0 255.255.255.0


Of course now I need to figure out how to put that file back there at bootup (remember, this is a stock firmware), which means I need to add persistent storage to it and launch a script at mount time to put the file in the right place, but that should be fairly straightforward.

This was all working perfectly on a dd-wrt server router before. I wish there was dd-wrt for Wifi6, the only reason why I replaced the dd-wrt router to begin with...
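The post above pairs a server-side "route" with a per-client "iroute" in a client-config-dir file named after the authenticated identity (here the username, because of username-as-common-name). Both halves are needed: the "route" makes the kernel hand packets for 192.168.4.0/24 to the tun interface, and the "iroute" tells OpenVPN which authenticated client owns that network, so a different client cannot claim it. The following POSIX shell script is an added example, not code from the thread or from DD-WRT: it writes such an entry into a scratch directory and then audits that every iroute has a matching route and vice versa. The directory layout, the CN "hangar" and the 192.168.4.0/24 network are taken from the post; the scratch directory and the function names are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): generate and audit OpenVPN
# client-config-dir (ccd) entries for a site-to-site tunnel.
# Everything is written under a temporary directory; no real router
# path is touched.

# write_site_to_site_entry DIR CN NET MASK
# Appends "client-config-dir ccd" and "route NET MASK" to DIR/server.conf
# (once each, so repeated calls do not duplicate them) and writes
# "iroute NET MASK" to DIR/ccd/CN, where CN is the client's common name
# (or its username when username-as-common-name is in effect).
write_site_to_site_entry() {
    dir=$1; cn=$2; net=$3; mask=$4
    mkdir -p "$dir/ccd"
    grep -qx "client-config-dir ccd" "$dir/server.conf" 2>/dev/null \
        || printf 'client-config-dir ccd\n' >> "$dir/server.conf"
    grep -qx "route $net $mask" "$dir/server.conf" 2>/dev/null \
        || printf 'route %s %s\n' "$net" "$mask" >> "$dir/server.conf"
    printf 'iroute %s %s\n' "$net" "$mask" > "$dir/ccd/$cn"
}

# audit_ccd DIR
# Prints one line per problem and returns 1 if any were found:
#   MISSING   an iroute in a ccd file with no matching "route" in
#             server.conf (the kernel never hands those packets to OpenVPN)
#   UNCLAIMED a "route" in server.conf that no ccd file claims with an
#             iroute (packets enter the tunnel but have no client to go to)
audit_ccd() {
    dir=$1; rc=0
    for f in "$dir"/ccd/*; do
        [ -f "$f" ] || continue
        while read -r kw net mask; do
            [ "$kw" = iroute ] || continue
            grep -qx "route $net $mask" "$dir/server.conf" || {
                echo "MISSING route $net $mask for iroute in $(basename "$f")"
                rc=1
            }
        done < "$f"
    done
    while read -r kw net mask; do
        [ "$kw" = route ] || continue
        grep -qx "iroute $net $mask" "$dir"/ccd/* 2>/dev/null || {
            echo "UNCLAIMED route $net $mask: no ccd file has a matching iroute"
            rc=1
        }
    done < "$dir/server.conf"
    return $rc
}

# Demo on a constructed scratch directory (not a router path).
demo_dir=$(mktemp -d)
write_site_to_site_entry "$demo_dir" hangar 192.168.4.0 255.255.255.0
audit_ccd "$demo_dir" && echo "server.conf and ccd/ are consistent in $demo_dir"
rm -rf "$demo_dir"
```

Running the audit after editing server.conf or a ccd file catches the two asymmetric mistakes that produce the "works from the router, not from the LAN" symptom: a route with no owner, or an owner with no route.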
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Fri Jan 28, 2022 21:00
You don't need to add the client-config-dir, route, iroute, client file, etc., manually. That's what the Manage Client-Specific Options section is for! It takes care of all those details for you, including persistence.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10378
Location: Netherlands

Posted: Fri Jan 28, 2022 21:12
To add, you are running an old build.

You are missing newer ciphers and security fixes.

We are currently on 48218

See the forum guidelines with helpful tips:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

_________________
Routers:Netgear R7800, R7000, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Szszescie
DD-WRT Novice


Joined: 28 Jan 2022
Posts: 9

Posted: Fri Jan 28, 2022 21:21
eibgrad wrote:
You don't need to add the client-config-dir, route, iroute, client file, etc., manually. That's what the Manage Client-Specific Options section is for! It takes care of all those details for you, including persistence.


Look at that, I went straight to the command line without even wondering whether the GUI supported it. These things are getting better at doing non-basic things. Thanks!