Connecting DD-WRT OpenVPN to Netgear R7000 standard VPN

DD-WRT Forum Index -> Advanced Networking
Old_Codger
DD-WRT Novice


Joined: 02 Aug 2017
Posts: 10
Location: Cambridge, UK and Rouen, France

PostPosted: Wed Aug 02, 2017 19:52    Post subject: Connecting DD-WRT OpenVPN to Netgear R7000 standard VPN
Long Post - I have tried to provide the sort of information I've seen asked for in other posts.

I want to create a link between a “Remote” location (in France) and a “Home” location (in the UK) over two regular domestic ISP connections so I can access network facilities at the “Home” location. I am hoping that a DD-WRT router set up as an OpenVPN client will connect to the Netgear OpenVPN server at the home location. (NB: the Netgear is NOT running DD-WRT; it is Netgear’s own locked-down implementation.)

Kit/basic description

1. “Remote” PCs/devices/laptop- Windows PCs
Wired and/or wireless connection to:

2. “Remote DD-WRT Router” (TP-LINK N600 wireless router) provides the “Remote Devices” with IP addresses via DHCP
Wired connection to:

3. “Remote ISP ADSL Router” (French ISP – Orange Livebox)

Which connects to the internet in France.

4. “Home” ISP cable modem (UK ISP Virgin Media Super Hub 3 in “Modem Mode”, i.e. not a router)
Wired connection to:

5. “Home Router” – Netgear R7000 running STANDARD Netgear firmware (latest version 2 weeks ago)


I want to setup a connection from my “Remote PCs and devices” to my “Home network”.

I am trying to use the inbuilt OpenVPN SERVER in my home Netgear router. This server is not accessible and I can only change two parameters – the connection port number and the connection type TUN or TAP. I want TAP so that all traffic from my Remote Devices is routed via my Home Network.

Remote PCs and devices
• DHCP assigned IP address
• 192.168.39.x
• 255.255.255.0

Remote DD-WRT router
• DHCP Server scope starts at 192.168.39.100 mask 255.255.255.0
• DD-WRT OpenVPN CLIENT configured to connect to Home Netgear OpenVPN server.
• The checked options are: “NAT” Enabled
• The only additional config line is: route-gateway 192.168.10.1

NB: Other than route-gateway there is no non-standard stuff added to routing tables/firewalls etc. (If OpenVPN, Windows 10 or DHCP doesn’t provide it, it won’t be set/changed.)

Remote ISP Router
• DHCP Server scope 192.168.10.2 and upwards, mask 255.255.255.0
• ADSL

Home ISP modem

“dumb” Cable Modem – no non-standard settings.

Home Router
• DHCP assigned IP address
• 192.168.0.x
• 255.255.255.0


Client1.ovpn file generated by Netgear firmware (NB: TAP):

client
dev tap
proto udp
dev-node NETGEAR-VPN
remote PUBLICNAMEHIDDEN.ddns.net 12974
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
cipher AES-128-CBC
comp-lzo
verb 5


I have matched the client1.ovpn settings in the Remote DD-WRT client config to the above.


The dd-wrt VPN status page looks like this:


20170801 21:37:08 I OpenVPN 2.3.0 mips-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 25 2013
20170801 21:37:08 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20170801 21:37:08 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20170801 21:37:08 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
20170801 21:37:08 Socket Buffers: R=[163840->131072] S=[163840->131072]
20170801 21:37:08 I UDPv4 link local: [undef]
20170801 21:37:08 I UDPv4 link remote: [AF_INET]PUBLICIPHIDDEN:12974
20170801 21:37:08 TLS: Initial packet from [AF_INET]PUBLICIPHIDDEN:12974 sid=4bcdb8bb 396a2484
20170801 21:37:09 VERIFY OK: depth=1 C=TW ST=TW L=Taipei O=netgear OU=netgear CN=netgear emailAddress=mail@netgear.com
20170801 21:37:09 VERIFY OK: nsCertType=SERVER
20170801 21:37:09 NOTE: --mute triggered...
20170801 21:37:16 6 variation(s) on previous 3 message(s) suppressed by --mute
20170801 21:37:16 I [netgear] Peer Connection Initiated with [AF_INET]PUBLICIPHIDDEN:12974
20170801 21:37:18 SENT CONTROL [netgear]: 'PUSH_REQUEST' (status=1)
20170801 21:37:18 PUSH: Received control message: 'PUSH_REPLY route 192.168.0.0 255.255.255.0 route-delay 5 redirect-gateway def1 route-gateway dhcp ping 10 ping-restart 120'
20170801 21:37:18 OPTIONS IMPORT: timers and/or timeouts modified
20170801 21:37:18 NOTE: --mute triggered...
20170801 21:37:18 2 variation(s) on previous 3 message(s) suppressed by --mute
20170801 21:37:18 ROUTE_GATEWAY 192.168.10.1/255.255.255.0 IFACE=vlan2 HWADDR=f8:1a:67:5a:ce:41
20170801 21:37:18 I TUN/TAP device tap1 opened
20170801 21:37:18 TUN/TAP TX queue length set to 100
20170801 21:37:23 /sbin/route add -net PUBLICIPHIDDEN netmask 255.255.255.255 gw 192.168.10.1
20170801 21:37:23 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 192.168.10.1
20170801 21:37:23 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 192.168.10.1
20170801 21:37:23 /sbin/route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.10.1

20170801 21:37:23 I Initialization Sequence Completed

20170801 21:37:56 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170801 21:37:56 D MANAGEMENT: CMD 'state'
20170801 21:37:56 MANAGEMENT: Client disconnected
20170801 21:37:56 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170801 21:37:56 D MANAGEMENT: CMD 'state'
20170801 21:37:56 MANAGEMENT: Client disconnected
20170801 21:37:56 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170801 21:37:56 D MANAGEMENT: CMD 'state'
20170801 21:37:56 MANAGEMENT: Client disconnected
20170801 21:37:56 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170801 21:37:56 D MANAGEMENT: CMD 'log 500'
19700101 00:00:00

So it looks like the connection was successful. The route to 192.168.0.x was pushed from my home Netgear and is in the routing table in the DD-WRT router:

Routing Table Entry List (from Remote DD-WRT)

Destination LAN NET Subnet Mask Gateway Flags Metric Interface
0.0.0.0 128.0.0.0 192.168.10.1 UG 0 WAN
0.0.0.0 0.0.0.0 192.168.10.1 UG 0 WAN
PUBLICIPHIDDEN 255.255.255.255 192.168.10.1 UGH 0 WAN
128.0.0.0 128.0.0.0 192.168.10.1 UG 0 WAN
169.254.0.0 255.255.0.0 0.0.0.0 U 0 LAN & WLAN
192.168.0.0 255.255.255.0 192.168.10.1 UG 0 WAN
192.168.10.0 255.255.255.0 0.0.0.0 U 0 WAN
192.168.39.0 255.255.255.0 0.0.0.0 U 0 LAN & WLAN



BUT I can’t see any devices on my home network. Pings to 192.168.0.x from my remote PCs all fail.

I’ve tried every suggestion I can find on the web including lots of suggestions that I need to setup firewall rules, and add a config statement redirect-gateway def1 bypass-dhcp.
Over the course of my attempts I have tried all of the following:

iptables -I INPUT 1 -p udp --dport 12973 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 12974 -j ACCEPT
iptables -A INPUT -i tap1 -j ACCEPT

iptables -I FORWARD -i br0 -o tap1 -j ACCEPT
iptables -I FORWARD -i tap1 -o br0 -j ACCEPT
iptables -I INPUT -i tap1 -j REJECT
iptables -t nat -A POSTROUTING -o tap1 -j MASQUERADE

With or without these statements behaviour is identical - except some make things fail altogether.

My knowledge in this area is limited. I only just understand most of what I have written but NOTHING at all about the firewall iptables.

The bottom line (finally) Can anyone tell me what I am doing wrong or what I need to do to fix this?


Two final points which may or may not help:

An attempt to tracert from a laptop connected to the remote DD-WRT router (192.168.39.0/24) to my home network (192.168.0.0/24) gets as far as my Remote ISP’s first hop (i.e. through my French ISP router (192.168.10.0/24) to the first hop at 80.x.y.z, where tracert reports unreachable).

If I run the OpenVPN windows client software set up as Netgear suggest (it uses the client1.ovpn settings I gave above) I can connect my windows 10 laptop to my home network and everything works fine. This tells me there’s nothing between here and there that prevents it working. It must be a settings problem somewhere…

Thanks in advance to anyone who can help...

=====

Old_Codger
Old_Codger

PostPosted: Thu Aug 03, 2017 17:40
Can anyone provide me with a pointer on this please?

I have searched long and hard before I posted here. From my searches it seems this is not an isolated case - but none of the "solutions" posted work for me...


My own suspicion is I have a setting wrong or I have missed something very simple - but as I said I don't fully understand all this stuff, and some (many?) of the explanations people give I just don't understand. There's so much technical language used I get easily lost.

Thanks in advance

====

Old_Codger
(An aging geek who wrote his first programs in Machine Code and Basic on Intel 8080 CPUs and Motorola 6502's...)

Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 3157

PostPosted: Thu Aug 03, 2017 18:24
You got it all wrong. TAP is a bridged interface; the routed one is TUN.
With a bridged tunnel, both LANs must have the same subnet, i.e. 192.168.39.0. Use 192.168.39.1 and 192.168.39.2 for the routers.
Since both sides have the same subnet, there are no routes to push and no NAT.

With a routed VPN over TUN, you need 3 networks: one for each side and one for the tunnel itself. When you push the routes, you do not enable any NAT except for outgoing to the Internet.

Your gateway is also wrong, as it has to be on the same subnet as the host's own address.
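To turn the rules in this reply into something you can run against the details in the first post, here is an added example; it is not code from the thread, from DD-WRT or from Netgear. It parses the client1.ovpn options (with the poster's one DD-WRT "additional config" line appended), the PUSH_REPLY log line and the DD-WRT routing table quoted above, all embedded as constructed sample input, and reports where the plan breaks the TAP (bridged) or TUN (routed) rules. The option names are OpenVPN's own; `nat_enabled`, the LAN prefixes and the optional `tunnel` argument are assumptions standing in for the GUI settings.

```python
"""Check a DD-WRT OpenVPN client plan against the TAP-vs-TUN rules above.
Added example, not code from the thread or from DD-WRT. Sample inputs are
constructed from the first post; nat_enabled and the LAN prefixes stand in
for the GUI settings."""
import ipaddress
import re

# Constructed: Netgear's client1.ovpn options plus the poster's one extra
# DD-WRT "additional config" line.
CLIENT_CONFIG = """\
client
dev tap
proto udp
remote PUBLICNAMEHIDDEN.ddns.net 12974
nobind
cipher AES-128-CBC
comp-lzo
# DD-WRT additional config
route-gateway 192.168.10.1
"""
# Constructed: the PUSH_REPLY line from the DD-WRT client log.
PUSH_REPLY_LOG = ("20170801 21:37:18 PUSH: Received control message: 'PUSH_REPLY route "
                  "192.168.0.0 255.255.255.0 route-delay 5 redirect-gateway def1 "
                  "route-gateway dhcp ping 10 ping-restart 120'")
# Constructed: destination, mask, gateway, interface from the DD-WRT routing page.
ROUTING_TABLE = """\
0.0.0.0 128.0.0.0 192.168.10.1 WAN
0.0.0.0 0.0.0.0 192.168.10.1 WAN
128.0.0.0 128.0.0.0 192.168.10.1 WAN
192.168.0.0 255.255.255.0 192.168.10.1 WAN
192.168.10.0 255.255.255.0 0.0.0.0 WAN
192.168.39.0 255.255.255.0 0.0.0.0 LAN
"""
PUSHABLE = ("route", "route-delay", "redirect-gateway", "route-gateway",
            "ping", "ping-restart", "dhcp-option", "ifconfig", "topology")

def parse_config(text):
    """Map each OpenVPN option to its argument list; comments and blanks skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, *args = line.split()
            opts[key] = args
    return opts

def parse_push_reply(logline):
    """Split a logged PUSH_REPLY into options. OpenVPN joins them with commas;
    the forum rendering lost those, so also split in front of known option names."""
    m = re.search(r"PUSH_REPLY[,\s]+(.*?)'", logline)
    if not m:
        return []
    sep = r",|\s+(?=(?:%s)\b)" % "|".join(map(re.escape, PUSHABLE))
    return [p.strip() for p in re.split(sep, m.group(1)) if p.strip()]

def parse_routes(text):
    """Rows of (network, gateway, interface) from the routing table dump."""
    rows = []
    for line in text.splitlines():
        dst, mask, gw, iface = line.split()
        rows.append((ipaddress.ip_network("%s/%s" % (dst, mask)), ipaddress.ip_address(gw), iface))
    return rows

def assess(opts, pushed, routes, client_lan, server_lan, nat_enabled, tunnel=None):
    """Return findings; an empty list means the plan follows the rules in the reply above."""
    client_lan, server_lan = ipaddress.ip_network(client_lan), ipaddress.ip_network(server_lan)
    findings = []
    dev = opts.get("dev", ["?"])[0]
    if dev.startswith("tap"):
        # Bridged: one layer-2 segment, so one subnet, nothing to route, nothing to NAT.
        if client_lan != server_lan:
            findings.append("tap is bridged: both LANs must be one subnet, got %s and %s"
                            % (client_lan, server_lan))
        if nat_enabled:
            findings.append("tap is bridged: NAT on the client must be off")
        if "route-gateway" in opts:
            gw = ipaddress.ip_address(opts["route-gateway"][0])
            if gw not in server_lan:
                findings.append("route-gateway %s is not inside the bridged subnet %s" % (gw, server_lan))
    elif dev.startswith("tun"):
        # Routed: each LAN plus the tunnel are three disjoint networks; NAT only Internet-bound traffic.
        nets = [client_lan, server_lan]
        if tunnel is None:
            findings.append("tun is routed: a third, distinct network is needed for the tunnel")
        else:
            nets.append(ipaddress.ip_network(tunnel))
        for i, a in enumerate(nets):
            for b in nets[i + 1:]:
                if a.overlaps(b):
                    findings.append("routed networks must be disjoint: %s overlaps %s" % (a, b))
        if nat_enabled:
            findings.append("tun is routed: do not NAT traffic for the pushed LAN routes")
    # Either way, the far LAN (and a redirected default) must leave through the tunnel. A gateway
    # on the WAN side hands those packets to the ISP router, which is where the poster's tracert died.
    redirected = any(p.startswith("redirect-gateway") for p in pushed)
    for net, gw, iface in routes:
        if (net == server_lan or (redirected and net.prefixlen == 1)) and iface.upper() == "WAN":
            findings.append("route %s via %s leaves on %s, not through the tunnel" % (net, gw, iface))
    return findings
```

Run against the poster's setup (`assess(parse_config(CLIENT_CONFIG), parse_push_reply(PUSH_REPLY_LOG), parse_routes(ROUTING_TABLE), "192.168.39.0/24", "192.168.0.0/24", True)`) it reports six findings: the two LANs differ, NAT is on, the route-gateway sits outside the bridged subnet, and the route to 192.168.0.0/24 plus both halves of the redirected default point at the ISP router on the WAN side rather than into the tunnel, which matches where the tracert in the first post stopped. With both LANs on 192.168.0.0/24, NAT off and the route-gateway line removed it reports nothing.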
Old_Codger

PostPosted: Thu Aug 03, 2017 20:19
Thank you! That solved it

I didn't understand bridging as you said.

For the record I set the DHCP scope on the Home Network to 192.168.0.2 - 100, with the Netgear router IP as 192.168.0.2

The Remote DHCP scope to 192.168.0.100-200, with the DD-WRT router IP as 192.168.0.1

I removed the route-gateway statement and switched off the NAT

I can now browse my home network from my remote network...

Many Many Thanks - I have spent 3 weeks trying to fix this

=====

Old_Codger
Old_Codger

PostPosted: Fri Aug 04, 2017 18:17
In my excitement** that you helped me to get it working I overlooked a "small" matter - I couldn't actually connect to the internet through the bridge.

Last night I noticed my Laptop (currently connected to my Remote DD-WRT router) had an ip address assigned by my home router - but no default gateway was assigned.

Tonight the same laptop with the exact same config remote router is getting an IP address from the DD-WRT DHCP server.
So I disabled the Remote DHCP (which, thinking about it, I should have done earlier...)

Now I can't browse via my Home network again and I can't now ping anything off the LAN (8.8.8.8 etc)

How do I get the Home Netgear router to send the gateway and DNS details across to my remote laptop?

I suspect it's another setting I am missing..

Use DNSMasq for DHCP
Use DNSMasq for DNS
DHCP-Authoritative are all checked (default)

The DNS settings on the Home netgear router are 8.8.8.8 and 8.8.4.4

Laptop (Windows) is set to get IP and DNS automatically (DHCP)

DOSBox (New Windows 10 Creator Powershell!)

PS C:\WINDOWS\system32> ipconfig /all


Ethernet adapter Ethernet:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : REMOVED
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::2197:6f71:cfe3:c4a4%5(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.0.15(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 04 August 2017 19:00:49
Lease Expires . . . . . . . . . . : 05 August 2017 19:56:07
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 192.168.0.2
DHCPv6 IAID . . . . . . . . . . . : 53239820
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-44-E2-D9-2C-60-0C-47-10-
DNS Servers . . . . . . . . . . . : 192.168.0.2
NetBIOS over Tcpip. . . . . . . . : Enabled

I CAN PING MY HOME NETWORK

PS C:\WINDOWS\system32> ping 192.168.0.2


Pinging 192.168.0.2 with 32 bytes of data:
Reply from 192.168.0.2: bytes=32 time=47ms TTL=64
Reply from 192.168.0.2: bytes=32 time=50ms TTL=64
Reply from 192.168.0.2: bytes=32 time=50ms TTL=64
Reply from 192.168.0.2: bytes=32 time=47ms TTL=64

Ping statistics for 192.168.0.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 47ms, Maximum = 50ms, Average = 48ms

BUT AN ATTEMPT TO PING THE GOOGLE NAMESERVERS DIES AT AN IP ADDRESS ON MY REMOTE ISP's ROUTER (FRENCH END)

PS C:\WINDOWS\system32> ping 8.8.8.8


Pinging 8.8.8.8 with 32 bytes of data:
Reply from 192.168.10.3: Destination host unreachable.
Reply from 192.168.10.3: Destination host unreachable.
Reply from 192.168.10.3: Destination host unreachable.
Reply from 192.168.10.3: Destination host unreachable.

Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
PS C:\WINDOWS\system32>

Given this is supposed to be in a tunnel I do not know how the ping got there (tracert dies with this as the first hop as well)

I've already tried several things but made no difference....


** Excited? I know, I know I really should get out more...
===

Old_Codger
Old_Codger

PostPosted: Fri Aug 04, 2017 20:50
OK - I've been playing.

The problem is definitely the lack of a default gateway.

If I give my laptop (connected to the remote dd-wrt router) a fixed IP address, everything works fine - so why isn't my gateway coming across the bridge with DHCP data? On the home network the gateway gets assigned properly.

I have tried adding the

route-gateway 192.168.10.2

to the extra commands but that doesn't fix this.

====

Old_Codger
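The symptom in these two posts (an address and a DNS server from 192.168.0.2, but an empty Default Gateway) comes down to which options the DHCP reply that crosses the bridge actually carries: the default gateway is DHCP option 3 (router), DNS is option 6. Below is an added example, not code from the thread or from DD-WRT, that decodes a DHCP reply and reports what a client on a TAP bridge would be missing. The two replies are constructed byte strings, one shaped like the lease the laptop's ipconfig shows (no option 3) and one with option 3 present; `build_reply` exists only to construct them. To use it on a real lease, capture the server's ACK on the laptop (Wireshark, UDP port 68) or on the client router if your build has tcpdump, and pass the UDP payload to `diagnose()`.

```python
"""Decode a DHCP reply and check it carries what a client on a TAP bridge needs.
Added example, not code from the thread. The two replies below are constructed
bytes: one like the lease the laptop got (address and DNS from 192.168.0.2 but
no router option), one with option 3 added."""
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"          # RFC 2132 magic cookie after the 236-byte BOOTP header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def ips(*addrs):
    """Pack dotted-quad addresses back to back (the value format of options 3 and 6)."""
    return b"".join(ipaddress.ip_address(a).packed for a in addrs)

def build_reply(yiaddr, siaddr, options):
    """Constructed test input: a minimal BOOTREPLY carrying the given option list."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         2, 1, 6, 0,                    # op=BOOTREPLY, htype=Ethernet, hlen, hops
                         0x3903F326, 0, 0x8000,         # xid, secs, flags (broadcast)
                         b"\0" * 4,                     # ciaddr
                         ipaddress.ip_address(yiaddr).packed,
                         ipaddress.ip_address(siaddr).packed,
                         b"\0" * 4,                     # giaddr
                         b"\x02\0\0\0\0\x01" + b"\0" * 10,  # chaddr, made-up locally administered MAC
                         b"\0" * 64, b"\0" * 128)       # sname, file
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC + body + b"\xff"

def parse_reply(pkt):
    """Return (op, yiaddr, {code: raw value}); stops at the end option, skips pads."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts = {}
    i = 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option at offset %d" % i)
        opts[pkt[i]] = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]
    return pkt[0], str(ipaddress.ip_address(pkt[16:20])), opts

def decode(opts):
    """Human-readable view of the options this check cares about."""
    info = {}
    if 53 in opts:
        info["msg_type"] = MSG_TYPES.get(opts[53][0], opts[53][0])
    if 1 in opts:
        info["subnet_mask"] = str(ipaddress.ip_address(opts[1]))
    if 54 in opts:
        info["server_id"] = str(ipaddress.ip_address(opts[54]))
    for code, name in ((3, "router"), (6, "dns")):
        if code in opts:
            raw = opts[code]
            info[name] = [str(ipaddress.ip_address(raw[k:k + 4])) for k in range(0, len(raw), 4)]
    if 51 in opts:
        info["lease_time"] = struct.unpack("!I", opts[51])[0]
    return info

def diagnose(pkt):
    """Return (info, problems). An empty problem list means the client gets a usable lease."""
    op, yiaddr, opts = parse_reply(pkt)
    info = decode(opts)
    info["yiaddr"] = yiaddr
    problems = []
    if op != 2:
        problems.append("op=%d is not BOOTREPLY" % op)
    if info.get("msg_type") not in ("OFFER", "ACK"):
        problems.append("message type %r is not an OFFER or ACK" % info.get("msg_type"))
    if "subnet_mask" not in info:
        problems.append("option 1 (subnet mask) missing")
    if "router" not in info:
        problems.append("option 3 (router) missing: address assigned but no default gateway")
    elif "subnet_mask" in info:
        lan = ipaddress.ip_network("%s/%s" % (yiaddr, info["subnet_mask"]), strict=False)
        for r in info["router"]:
            if ipaddress.ip_address(r) not in lan:
                problems.append("router %s is not on the client's subnet %s" % (r, lan))
    if "dns" not in info:
        problems.append("option 6 (DNS) missing")
    return info, problems

# Constructed leases: values echo the laptop's ipconfig; the lease time is made up.
COMMON = [(53, b"\x05"), (54, ips("192.168.0.2")), (51, struct.pack("!I", 86400)),
          (1, ips("255.255.255.0")), (6, ips("192.168.0.2"))]
NO_GATEWAY_ACK = build_reply("192.168.0.15", "192.168.0.2", COMMON)
FULL_ACK = build_reply("192.168.0.15", "192.168.0.2", COMMON + [(3, ips("192.168.0.2"))])

if __name__ == "__main__":
    for name, pkt in (("no-gateway", NO_GATEWAY_ACK), ("full", FULL_ACK)):
        info, problems = diagnose(pkt)
        print(name, info, problems or "OK")
```

A TAP bridge carries the DHCP exchange as ordinary Ethernet frames, so what the laptop decodes is what the server sent: if option 3 is absent from the captured ACK, the gap is in what the DHCP server hands out (or in something filtering options between the two routers), and no routing statement on the client side will put it back.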
Xeon2k8
DD-WRT Guru


Joined: 11 Feb 2016
Posts: 806

PostPosted: Sun Aug 13, 2017 11:31
Old_Codger wrote:
OK - I've been playing.

The problem is definitely the lack of a default gateway.

If I give my laptop (connected to the remote dd-wrt router) a fixed IP address, everything works fine - so why isn't my gateway coming across the bridge with DHCP data? On the home network the gateway gets assigned properly.

I have tried adding the

route-gateway 192.168.10.2

to the extra commands but that doesn't fix this.

====

Old_Codger

I think you need to explicitly define the dhcp gateway, like this:

push "dhcp-option DNS xxx.xxx.xxx.xxx"

Where xxx.. is the local IP of the router, in your case 192.168.0.1

_________________
R7800 - BS 31924 running since 05/26/17
R7000 - BS 30771 running since 12/16/16
R6250 - BS 29193 running since 03/20/16
Old_Codger

PostPosted: Sun Aug 13, 2017 18:47
Many thanks.

I'm away from the router for a few days and will try next time I am there

Can I just check? Does the IP address need to be remote/secondary/DD-WRT address or the home/primary/server address?

_________________
=========

Old_Codger

Aging geek who learned programming on Intel 8080 and Motorola 6502.
Xeon2k8

PostPosted: Sun Aug 13, 2017 18:56
Old_Codger wrote:
Many thanks.

I'm away from the router for a few days and will try next time I am there

Can I just check? Does the IP address need to be remote/secondary/DD-WRT address or the home/primary/server address?

I'm not completely sure what you mean, but the address must point to where your DHCP server is. In this case, if I understood correctly, it should be your DD-WRT IP address (.1) from what you said.

mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 2650
Location: Texas

PostPosted: Sun Aug 13, 2017 20:49
Looks like you have the TAP connected ----

Normal ovpn TAP using r33006 for server and client.
Once TAP bridge is made:
Turn off DHCP on the client router. It will make your life much easier using TAP.
All clients should get DHCP from the server router pool --- not ovpnserver IPs.. that is for TAP clients, for more than one VPN client.
All clients connected behind a dd-wrt ovpn client TAP router should get DHCP from main server.
There are various ways to do this but what I mentioned is the easiest and usually the best.
Server setup should have:
'Block DHCP across the tunnel' should be disabled.
'DHCP-Proxy mode' should be disabled.
Shouldn't be any need for Additional Config.

ovpn client turn off DHCP let server do this.
Gateway should point to ovpn server LAN IP
ovpn client settings:
'Bridge TAP to br0' should be enabled
'Tunnel UDP MSS-Fix' should only be enabled on server or client, Not both. Server usually good place for this.
If you go tinkering with this you will find out quickly you will lose the server if changes are made on it.
Usually restart the client (click apply settings on services/vpn) on client router will reconnect and renew
all DHCP ... unless you made a bad booboo on the server.

It is actually simple to setup with two dd-wrt devices no need for bunch extra rules and such.
Don't know about the netgear ovpn server?????
This of course puts everything connected to the client router going thru the TAP bridge.
Create an unbridged VAP on client router for devices to connect straight thru out of the TAP.

EDIT:
You can also set static leases and use local DNS and everything you need on main server router....
This will all work fairly well if you have a decent UL/DL internet connection at each end.
Xeon2k8

PostPosted: Sun Aug 13, 2017 20:55
Ah damn, hadn't seen the dev tap param