[bobthenewguy]

upgraded a WRT3200 from r50841 to r55179. i've upgraded to lower revs as well and noticed that my openvpn no longer has server to client network connectivity. was there a change in the iptables in the last year? anyone know what I need to do to re-establish server-client connectivity? (note client-server direction works fine)

here the tutorial I used a while back to make it work in the first place.


https://wiki.dd-wrt.com/wiki/index.php/VPN_(the_easy_way)_v24+

-Dgonzalezh 00:41, 15 February 2010 (CET)

2009-05-11: By user icmp: To allow clients in the server side LAN to access clients in the client LAN i had to do some additional configuring.

Server side startup commands:

mkdir -p /tmp/openvpn/ccd
echo "iroute 192.168.24.0 255.255.255.0" > /tmp/openvpn/ccd/client1
echo "iroute 192.168.25.0 255.255.255.0" > /tmp/openvpn/ccd/client2

(Where 192.168.24.0 is the network on client1 and 192.168.25.0 is the network on client 2)

I added the following to the server side OpenVPN config:

push "route 192.168.24.0 255.255.255.0"
push "route 192.168.25.0 255.255.255.0"
client-config-dir /tmp/openvpn/ccd
route 192.168.24.0 255.255.255.0
route 192.168.25.0 255.255.255.0
client-to-client

Firewall commands on each client:

# Allow server-side and client-side hosts to ping routers endpoint
iptables -I INPUT 3 -i tun0 -p icmp -j ACCEPT
# Allow internal remote administration through HTTP
iptables -I INPUT 1 -i tun0 -p tcp --dport 80 -j ACCEPT
# Allow forwarding to other clients in the LAN
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

[egc]

I moved your thread to the appropriate Advanced networking forum.

See the forum guidelines with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

OpenVPN documentation is a sticky in this forum:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398

You need the OpenVPN Server Setup guide which has a paragraph about site-to-site setup.

Your iptables rules are wrong and superfluous already for a very long time.


P.S. why not use WireGuard much faster and easier to setup, guides are also a sticky in this forum

[bobthenewguy]

EGC, ty for moving my help request.

so i've checked out that document (it is great btw) but I'm still having issues with 1way traffic. when originating from the Server. I have to be missing something with the firewall rule or it's not working right. can you help me figure out out?


server 192.168.1.0/24
client 192.168.2.0/24
ovpn network 192.168.254.0/24

from server I can ping the 192.168.254.x/24 ip that gets assigned by the OVPN server. but can't ping the local net. which firewall or radio button am I missing here?

everything works on r50841

when my linksys 3200ACM is upgraded to r55179 the 1way issue comes up. as described below. if I downgrade to r50841 everything works again.

[bobthenewguy]

ok so I just kept loading FW until I found the break. It works fine on R54652 broken in R54682 and beyond. so back to the original question... what changed?

[bobthenewguy]

... any help? even a shove in a direction?

[Per Yngve Berg]

https://svn.dd-wrt.com/log?action=stop_on_copy&mode=stop_on_copy&rev=54682&stop_rev=54652&limit=100&sfp_email=&sfph_mail=#

[bobthenewguy]

Thanks for the link. most of it looks like gibberish to me but there's nothing obvious sticking out.?

[egc]

For most people it is working on the latest build.

So carefully check your settings with the Server setup guide.

As said you do not need any iptables rule at all.

DCO is a hit or miss so, as stated in the guide add disable-dco when you have unexpected problems

[bobthenewguy]

egc,
Thank you, I actually added the Disable-DCO server side and everything works just fine. Odd, this is a VPN between two Linksys WRT3200ACM routers on the same firmware rev. Either way DCO is quite new yet, so ya get what ya get. Hopefully the finicky DCO stuff is worked out in the near future reading about it seems like it is a heck of a performance increase. With this post I have a much more lean VPN config now as well which simplifies life so much. Thanks again!