Posted: Fri Dec 18, 2009 18:52 Post subject: OpenVPN Firewall / Routing Configuration
Hi All, hoping someone might be able to help.
I have DD-WRT v24.sp2 up and running OpenVPN server via tun interface with pki authentication.
The client machine connects to the server just fine and gets an IP address. I believe the tunnel is working properly. Here's the basic config:
Server LAN 192.168.2.x
OpenVPN subnet 192.168.10.x
Client LAN 192.168.1.x
Router can ping client (192.168.10.6)
Router can ping local LAN (192.168.2.180)
Client can ping VPN server (on router) (192.168.10.1)
Client can ping router (192.168.2.1)
Client CANNOT ping anything on the router's lan (i.e. 192.168.2.180).
Here's the server configuration:
port 1194
proto udp
dev tun
#tls-server
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
#ifconfig-pool-persist /usr/local/etc/openvpn/ipp.txt
client-config-dir /usr/local/etc/openvpn/ccd
server 192.168.10.0 255.255.255.0
keepalive 10 120
client-to-client
comp-lzo
persist-key
persist-tun
#user nobody
#group nobody
#status openvpn-status.log
verb 3
push "route 192.168.2.0 255.255.255.0"
The problem has to be in the translation to the 192.168.2.x network. It's strange that I can reach the router at 192.168.2.1 but not any of the machines in that subnet.
I'm still struggling with this. Here are the routing tables from the server/router and client, seems to me like everything is in place. Would someone well versed with routing tables please take a look at this?
The problem is that I can connect to the dd-wrt/openvpn server/router on its LAN address (192.168.2.1) but I cannot reach any of the computers on the router's LAN. The client computer's local IP is 192.168.1.67 and the client computer's VPN IP is 192.168.10.6.
Thanks VERY much for any help.
CS
SERVER NETSTAT
root@TA:~# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
192.168.10.0 192.168.10.2 255.255.255.0 UG 0 0 0 tun0
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
7x.9.152.0 0.0.0.0 255.255.252.0 U 0 0 0 vlan1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 7X.9.152.1 0.0.0.0 UG 0 0 0 vlan1
Given that you can talk to the router 192.168.2.1, and it can talk with its local 192.168.2.0 network, all I'd do is add the following routes on the client box:
I'm assuming that 10.5 is the OpenVPN interface of the router.
_________________
D-Link DIR-300
Asus RT-N16
Asus WL-500gPv2
Linksys WRT54GL 1.1
Way too much time.
I got it working... well, for the most part at least. There were two problems. The first was that I needed to add this line to my firewall config:
iptables -A FORWARD -s 192.168.10.0/24 -j ACCEPT   # IP range of my VPN network
After adding that, I could ping my wireless printer, but not any of the computers on my network. Sounds like a firewall problem....
Disabled Kaspersky and voilà, ping response from the computer. Not sure what the issue is. The OpenVPN server is running on the Linksys router (dd-wrt). This computer is in the router's LAN and I have the LAN network set as a "Local" network (because the openvpn server is on the router, there is no extra network adaptor associated with the openvpn server). Other computers on the router's LAN have no problem accessing this computer. Has anyone else had this problem before?
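An added example, not code from the thread: a DD-WRT firewall-script fragment that places the poster's broad FORWARD rule beside a scoped version limited to tun0-to-br0 traffic for the 192.168.2.0/24 LAN, with return traffic allowed by connection state and everything else from the tunnel logged and dropped. The subnets and the interface names br0 and tun0 come from the posted config and routing table; the IPT variable and the dry-run mode are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): firewall-script fragment for an OpenVPN
# tun server on DD-WRT. Subnets are the ones in the thread; br0 is the LAN
# bridge and tun0 the OpenVPN interface, as shown in the posted routing table.
# IPT is an assumed hook: set IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"
VPN_NET="192.168.10.0/24"
LAN_NET="192.168.2.0/24"
VPN_IF="tun0"
LAN_IF="br0"

# The rule the poster added: accepts forwarding from the VPN subnet to any
# destination, including out through the WAN interface, not only into the LAN.
broad_forward_rule() {
    "$IPT" -A FORWARD -s "$VPN_NET" -j ACCEPT
}

# Scoped equivalent: new connections are accepted only from tun0 into br0 for
# the LAN subnet; replies from the LAN back to VPN clients pass by connection
# state; anything else arriving on tun0 is logged (visible in syslog) and dropped.
scoped_forward_rules() {
    "$IPT" -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -s "$VPN_NET" -d "$LAN_NET" -j ACCEPT
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -d "$VPN_NET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -i "$VPN_IF" -j LOG --log-prefix "vpn-fwd-drop: "
    "$IPT" -A FORWARD -i "$VPN_IF" -j DROP
}

# Let clients reach the OpenVPN listener itself (port 1194/udp from the config).
vpn_input_rule() {
    "$IPT" -I INPUT -p udp --dport 1194 -j ACCEPT
}

# Apply (or, with IPT=echo, print) the scoped rule set.
apply_scoped() {
    vpn_input_rule
    scoped_forward_rules
}
```

Only replies are allowed in the LAN-to-VPN direction here, so a matching rule is needed if LAN hosts must initiate connections to VPN clients.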