ddwrt won't route between server LAN and openvpn client

DD-WRT Forum Index -> Advanced Networking
fj123
DD-WRT Novice


Joined: 23 May 2016
Posts: 19

PostPosted: Mon Apr 05, 2021 3:56    Post subject: ddwrt won't route between server LAN and openvpn client
Hi, I have an openvpn ddwrt client connected to a ddwrt openvpn server. I can ping and access the client from the server, but not from the server's LAN nodes. Below is the server's routing table. It's a typical vanilla setup. How do I make the server route between the vpn client and its LAN nodes? I tried disabling firewall and adding all pass FORWARD rules to iptables to no avail. Also tried masquerading all outgoing traffic to tun2, also no go. I also added push "route 192.168.1.0 255.255.255.0" to openvpn server config, didn't matter either. I suspect it's something else I am missing... Can anyone provide any pointers? I tested the same setup on two different router brands/models both using latest ddwrt fw, same behavior. Also, vpn clients can talk to each other fine.

I want 192.168.1.0/24 nodes to be able to access the 10.1.1.0/24 client(s). According to the routing table, the server should be able to forward, but it doesn't want to.

thanks

Code:
Destination LAN NET   Gateway    Table     Scope   Metric   Interface     Source
default               x.x.x.1    default           0        WAN
10.1.1.0/24                      default   link    0        tun2          10.1.1.1
127.0.0.0/8                      default   link    0        lo
192.168.1.0/24                   default   link    0        LAN & WLAN    192.168.1.1
x.x.x.0/24                       default   link    0        WAN           x.x.x.x
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Mon Apr 05, 2021 4:52    Post subject:
Make sure you have "Inbound Firewall on TUN" disabled on the dd-wrt OpenVPN client!
_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12875
Location: Netherlands

PostPosted: Mon Apr 05, 2021 5:54    Post subject:
What build are you running?

To get the best out of DDWRT and the forum, read the forum guidelines with helpful pointers:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

Did you find the documentation, e.g. the OpenVPN server setup guide, which has a paragraph about site-to-site setup? See: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398

Did you disable CVE mitigation?

_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
fj123
DD-WRT Novice


Joined: 23 May 2016
Posts: 19

PostPosted: Mon Apr 05, 2021 5:55    Post subject:
Inbound Firewall on TUN is disabled, I can access it from the openvpn server itself and from other vpn clients. I can't access it from the server's LAN.

CVE-2019-14899 Mitigation is enabled, could this be the problem?

I am using build DD-WRT v3.0-r46177 std (03/26/21) on a netgear router.

Also, I cannot ping 10.1.1.1 (server's vpn tunnel IP) from the server's 192.168.1.0/24 subnet.

Same behavior with r46177 on an older linksys k26 router as vpn server.
fj123
DD-WRT Novice


Joined: 23 May 2016
Posts: 19

PostPosted: Mon Apr 05, 2021 6:22    Post subject:
I tend to think it's a server problem, because I cannot ping my android phone client when it's connected to the same vpn server (from server LAN), either. I can ping the android phone when it's not connected to the vpn server, even when I put it on a different VLAN subnet. So the server routes between VLAN subnets ok, but it won't route to/from the openvpn tun2.
fj123
DD-WRT Novice


Joined: 23 May 2016
Posts: 19

PostPosted: Mon Apr 05, 2021 6:34    Post subject:
OK, you are good: CVE-2019-14899 Mitigation is the culprit. When it's disabled, all is good. Big thanks! I spent hours on this!

Is it possible to keep it enabled but still have it working? Never mind, I see that it's all written in your guide egc!
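As an added example (not from the thread, and not DD-WRT's own code), a small POSIX shell checker for the FORWARD-rule inspection fj123 describes doing by hand: it reads the text of `iptables -S FORWARD` as captured on the server router and reports the verdict the chain gives to traffic between the LAN bridge and the tunnel interface, so a blocking rule inserted by any feature shows up by name. The interface names br0/tun2/vlan2 and the sample chain are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: decide what a FORWARD chain does with
# traffic entering on one interface and leaving on another, using the text of
# `iptables -S FORWARD` (run that on the DD-WRT router and paste it in).
# iptables is first-match: the first rule whose -i/-o fit wins, else the
# policy. Rules carrying other matches (-s, -m state, ...) cannot be judged
# from -i/-o alone, so they are reported on stderr and skipped.
forward_verdict() {  # $1 = rules text, $2 = ingress iface, $3 = egress iface
  printf '%s\n' "$1" | awk -v i="$2" -v o="$3" '
    function ifmatch(pat, name) {           # "" matches any; "tun+" is a prefix
      if (pat == "") return 1
      if (substr(pat, length(pat)) == "+")
        return index(name, substr(pat, 1, length(pat) - 1)) == 1
      return pat == name
    }
    $1 == "-P" && $2 == "FORWARD" { policy = $3 }
    $1 == "-A" && $2 == "FORWARD" {
      inif = ""; outif = ""; target = ""; known = 2
      for (k = 3; k <= NF; k++) {
        if ($k == "-i") { inif = $(k + 1); known += 2 }
        else if ($k == "-o") { outif = $(k + 1); known += 2 }
        else if ($k == "-j") { target = $(k + 1); known += 2 }
      }
      if (known != NF) { print "REVIEW (other matches): " $0 | "cat 1>&2"; next }
      if (ifmatch(inif, i) && ifmatch(outif, o) &&
          (target == "ACCEPT" || target == "DROP" || target == "REJECT")) {
        decided = 1; print target; exit
      }
    }
    END { if (!decided) print policy }'
}

# Constructed sample FORWARD chain (not captured from a real router): the LAN
# bridge br0 may reach tun2, but a rule placed ahead of the tun+ accept drops
# replies from tun2 back into br0, the one-way symptom described in the post.
SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -i tun2 -o br0 -j DROP
-A FORWARD -i br0 -o tun2 -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i br0 -o vlan2 -m state --state NEW -j ACCEPT'

# Check both directions: LAN -> tunnel is accepted, tunnel -> LAN is dropped.
for pair in "br0 tun2" "tun2 br0" "tun2 vlan2"; do
  set -- $pair
  printf '%-4s -> %-5s : %s\n' "$1" "$2" "$(forward_verdict "$SAMPLE_FORWARD" "$1" "$2")"
done
```

On the router itself the call is `forward_verdict "$(iptables -S FORWARD)" br0 tun2` and the reverse pair; a DROP or REJECT in either direction, or a REVIEW line naming a rule with extra matches, points at the rule to look into.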