Posted: Sun Feb 12, 2017 16:20 Post subject: Trying to move OpenVPN server to client bridge router
With the help of the nice people on this forum I was able to set up an site to site OpenVPN bridge between my parents house and my network last year which allows full access to the network from both sides. It still works fine, but I'm now hoping to move the OpenVPN server from my main router to a client bridge router (which is connected by ethernet to the main router). I've searched quite a bit and am having trouble setting it up so I'm hoping to see if anyone knows if this is possible. My current config is as follows:
OpenVPN server: IP 192.168.10.1 and directly connected to internet.
OpenVPN server config is in screenshot below.
# open the OpenVPN server port
iptables -I INPUT -i $WAN_IF -p $OVPN_PROTO --dport $OVPN_PORT -j ACCEPT
# allow OpenVPN clients to access the OpenVPN server
iptables -I INPUT -i $OVPN_DEV -m state --state NEW -j ACCEPT
# allow OpenVPN clients to access ALL other devices on the LAN
iptables -I FORWARD -i $OVPN_DEV -m state --state NEW -j ACCEPT
# allow local devices to become clients of the remote network
iptables -I FORWARD -o $OVPN_DEV -m state --state NEW -j ACCEPT
# allow OpenVPN clients to use the OpenVPN server as an internet gateway
iptables -t nat -A POSTROUTING -s $OVPN_SERVER -o $WAN_IF -j MASQUERADE
So now I want to run the OpenVPN server from my client bridge router (192.168.10.5).
It has DHCP server disabled, and in advanced networking is operating as "Router"
What I tried to do was simply copy the above configuration into my client bridge router and I moved the firewall commands and startup commands to the client bridge.
I then created a static route on the main router with:
Destination: 10.1.1.0
Netmask: 255.255.255.0
Gateway: 192.168.10.5
but with this I cannot connect to my OpenVPN server.
Any ideas?
Thanks in advance!
Thanks for the advice. I changed the client bridge to "Gateway" mode but left everything else the same. Out of curiosity, I have DHCP server disabled (since it's a client my main router is supposed to assign all IP addresses - could this be part of my problem?)
Anyway, in addition to the above, I deleted all the firewall rules and also deleted the startup commands. It sort of connects, but now I get a CMD 'status 2' error. Here's my server log:
Serverlog:
19691231 19:00:12 W WARNING: file '/tmp/openvpn/ta.key' is group or others accessible
19691231 19:00:12 I OpenVPN 2.4.0 mips-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Feb 7 2017
19691231 19:00:12 I library versions: OpenSSL 1.0.2k 26 Jan 2017 LZO 2.09
19691231 19:00:12 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:14
19691231 19:00:12 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19691231 19:00:12 Diffie-Hellman initialized with 2048 bit key
19691231 19:00:12 W WARNING: Your certificate is not yet valid!
19691231 19:00:12 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
19691231 19:00:12 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
19691231 19:00:12 I TUN/TAP device tun2 opened
19691231 19:00:12 TUN/TAP TX queue length set to 100
19691231 19:00:12 D do_ifconfig tt->did_ifconfig_ipv6_setup=0
19691231 19:00:12 I /sbin/ifconfig tun2 10.1.1.1 netmask 255.255.255.0 mtu 1500 broadcast 10.1.1.255
19691231 19:00:12 /sbin/route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.1.1.2
19691231 19:00:12 Socket Buffers: R=[172032->172032] S=[172032->172032]
19691231 19:00:12 I UDPv4 link local (bound): [AF_INET][undef]:43081
19691231 19:00:12 I UDPv4 link remote: [AF_UNSPEC]
19691231 19:00:12 MULTI: multi_init called r=256 v=256
19691231 19:00:12 IFCONFIG POOL: base=10.1.1.2 size=252 ipv6=0
19691231 19:00:12 IFCONFIG POOL LIST
19691231 19:00:12 I Initialization Sequence Completed
20170212 22:49:28 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170212 22:49:28 D MANAGEMENT: CMD 'state'
20170212 22:49:28 MANAGEMENT: Client disconnected
20170212 22:49:28 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170212 22:49:28 D MANAGEMENT: CMD 'state'
20170212 22:49:28 MANAGEMENT: Client disconnected
20170212 22:49:28 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170212 22:49:28 D MANAGEMENT: CMD 'state'
20170212 22:49:28 MANAGEMENT: Client disconnected
20170212 22:49:28 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170212 22:49:28 MANAGEMENT: Client disconnected
20170212 22:49:28 NOTE: --mute triggered...
20170212 22:49:28 1 variation(s) on previous 3 message(s) suppressed by --mute
20170212 22:49:28 D MANAGEMENT: CMD 'status 2'
20170212 22:49:28 MANAGEMENT: Client disconnected
20170212 22:49:28 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170212 22:49:28 D MANAGEMENT: CMD 'status 2'
20170212 22:49:28 MANAGEMENT: Client disconnected
20170212 22:49:28 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170212 22:49:28 D MANAGEMENT: CMD 'log 500'
19691231 19:00:00
I did a little search on this error and the websites mentioning this error make me think perhaps I need another static route. I also came across a webpage saying that the status 2 error might be related to having LZO compression on. What do you think?
After thinking about it a bit, I realized that the main router in addition to needing the static route also needs the OpenVPN port forwarded to the router running the OpenVPN server. So I made a new port forward to start.
I then re-added the previous firewall commands and the clients can now connect to the OpenVPN server. Reading your first message above, I think you might have gotten the wrong impression with my setup.
I'm creating an OpenVPN Tunnel, not a bridge. I happen to be running the OpenVPN server on a bridged router on my local network. Because the bridged router will now be getting connections from the Internet directly (through the OpenVPN server), I re-enabled the firewall on it (when I set up the bridge, the instructions had said to disable the SPI firewall). Because of the firewall running on the bridge, I decided to try re-adding the firewall commands and I guess that helped it a bit.
Anyway, it now connects and my clients appear to be able to access my local network without issue. I tested this with my cellphone on my cellphone providers network (not my local network). The big problem is on my local network, I cannot access the clients computers using their normal IP address - I can only access them through the tunnels IP address.
For example, my parents router has a local IP address of 192.168.1.1. On my network (behind the OpenVPN server) I cannot ping 192.168.1.1. Instead I can ping the Tunnel IP address, 10.1.1.2. I also cannot access resources behind their router (like access their vonage or ping other computers on their network).
My guess is perhaps I need to modify the firewall command that NATs the tunnel somehow?
My serverlog - I X'd out my parents IP address:
20170213 08:22:26 W WARNING: file '/tmp/openvpn/ta.key' is group or others accessible
20170213 08:22:26 I OpenVPN 2.4.0 mips-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Feb 7 2017
20170213 08:22:26 I library versions: OpenSSL 1.0.2k 26 Jan 2017 LZO 2.09
20170213 08:22:26 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20170213 08:22:26 I TUN/TAP device tun2 opened
20170213 08:22:26 D do_ifconfig tt->did_ifconfig_ipv6_setup=0
20170213 08:22:26 I /sbin/ifconfig tun2 10.1.1.1 netmask 255.255.255.0 mtu 1500 broadcast 10.1.1.255
20170213 08:22:26 I UDPv4 link local (bound): [AF_INET][undef]:43081
20170213 08:22:26 I UDPv4 link remote: [AF_UNSPEC]
20170213 08:22:26 I ifconfig_pool_read() in='MomAndDad 10.1.1.2' TODO: IPv6
20170213 08:22:26 I succeeded -> ifconfig_pool_set()
20170213 08:22:26 I ifconfig_pool_read() in='Cellphone 10.1.1.3' TODO: IPv6
20170213 08:22:26 I succeeded -> ifconfig_pool_set()
20170213 08:22:26 I Initialization Sequence Completed
20170213 08:24:30 I 74.XXXXXXXX.72:56847 peer info: IV_VER=2.4.0
20170213 08:24:30 I 74.XXXXXXXX.72:56847 peer info: IV_PLAT=linux
20170213 08:24:30 I 74.XXXXXXXX.72:56847 peer info: IV_PROTO=2
20170213 08:24:30 I 74.XXXXXXXX.72:56847 peer info: IV_NCP=2
20170213 08:24:30 I 74.XXXXXXXX.72:56847 peer info: IV_LZ4=1
20170213 08:24:30 I 74.XXXXXXXX.72:56847 peer info: IV_LZ4v2=1
20170213 08:24:30 I 74.XXXXXXXX.72:56847 peer info: IV_LZO=1
20170213 08:24:30 I 74.XXXXXXXX.72:56847 peer info: IV_COMP_STUB=1
20170213 08:24:30 I 74.XXXXXXXX.72:56847 peer info: IV_COMP_STUBv2=1
20170213 08:24:30 I 74.XXXXXXXX.72:56847 peer info: IV_TCPNL=1
20170213 08:24:30 I 74.XXXXXXXX.72:56847 [MomAndDad] Peer Connection Initiated with [AF_INET]74.XXXXXXXX.72:56847
20170213 08:24:30 I MomAndDad/74.XXXXXXXX.72:56847 MULTI_sva: pool returned IPv4=10.1.1.2 IPv6=(Not enabled)
Hey, so I figured out a way to make it work! Not sure if this is the best way in the end, but at least it's working and I'm curious to see what you think.
Thinking about it a little more, I was thinking about how does my main router know how to reach the OpenVPN server when something is trying to access it? It uses the static route - ie. when sending a packet over the OpenVPN tunnel (10.1.1.x) it needs to know that 10.1.1.x packets need to go to the OpenVPN server router (192.168.10.5).
Well, I was thinking, when I want to access my parents network at 192.168.1.x, my main router doesn't know how to reach it. So I added a new static route for 192.168.1.0 to go to my OpenVPN server at: 192.168.10.5 and I can now access everything on their network!
My only question is that this seems to be a band-aid fix for now. What if I have a client connect to my OpenVpn server with a different IP address range (say like 192.168.20.x)? With the way I have it set up, my network still wouldn't be able to access that other network.
I feel like I'm really close to getting this working, but at least it's functional for the time being!
As always, you are 100% right! I followed your instructions and it's now working perfectly.
As you mentioned, there was no need for the firewall rules so I got rid of them again. I even turned off the SPI firewall off of the OpenVPN server since there is no WAN so no need for any firewall of any sort on that.
I guess my problem was that I had deleted the startup commands:
mkdir -p /tmp/openvpn/ccd
echo "iroute 192.168.1.0 255.255.255.0" > /tmp/openvpn/ccd/MomAndDad
when I removed the firewall commands, so it appeared to me that the firewall commands are what made it work, but it was actually the startup commands.
Thanks for your help! I also wanted to say thanks for not just giving the answers, but actually explaining your reasoning behind it. It's sometimes hard and frustrating to find answers to complicated questions on the internet, but the fact that there are people like you out there makes online forums like this one less intimidating for everyone in general. Thanks!
