I haven't been able to figure out how this works. The directions say to use the SAME DHCP IP range on both sides of the bridge! What happens when both WRTs hand out the same IP address? I also don't want to end up with inaccessible DNS server info being handed out, etc. Comments?
Thanks so much for any help offered.
I seem to have most of it working right, since I can get the remote router's internal (192.168.x.x) IP and a really dumb device connected to it to respond to pings over the web right after router startup. I have also been able to browse shares and transfer a few files (both directions) when the bridge is up. If I keep pinging, the VPN bridge stays up. However, if I stop pinging, the connection eventually shuts down thusly:
<29>openvpn[557]: dd-wrt-22/75.88.129.19:1028 [dd-wrt-22] inactivity timeout (--ping-restart), restarting
<29>openvpn[557]: dd-wrt-22/75.88.129.19:1028 sigusr1[soft,ping-restart] received, client-instance restarting
The remote end of the bridge does not reconnect. A reboot of the router will restore the connection. The connection will also restart spontaneously on occasion. These spontaneous restarts are not caused by PCs on the remote net (there aren't any at that time). Perhaps a DNS update due to an IP address change? I am using dynamic DNS and it seems to be working fine. How do I fix this?
This is the only message I have found during startup that seems like it might indicate a problem.
<27>openvpn[557]: dd-wrt-22/75.88.129.19:1028 multi: no dynamic or static remote --ifconfig address is available for dd-wrt-22/75.88.129.19:1028
How do I fix this?
I assigned a different port for OpenVPN to use (unused 22xxx) but don't see that port in use in logs such as the segment shown above. If I understand it correctly, 1028 (a deprecated port number according to IANA) is being used. What gives here? Update: I changed the port to the default 1194; now the logs show 1027 (also not used)!!
Of course I have removed the "naughty bits" from the config files below.
Firewall config on home wrt (accept OpenVPN on UDP/1194 from the WAN; the port must match the "port" line in the config below):
/usr/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT
Startup config on home wrt:
cd /tmp
openvpn --mktun --dev tap0          # create the persistent TAP interface
brctl addif br0 tap0                # attach it to the LAN bridge
ifconfig tap0 0.0.0.0 promisc up    # no IP of its own: br0 carries the LAN address, tap0 only passes frames
echo "
# Tunnel options
mode server # Set OpenVPN major mode (multi-client)
proto udp # Setup the protocol (server)
port 1194 # TCP/UDP port number (same port as the iptables rule above)
dev tap0 # TUN/TAP virtual network device (the tap0 bridged into br0 above)
keepalive 15 60 # Simplify the expression of --ping: pushes 'ping 15 / ping-restart 60' to clients; the server restarts an idle client instance after twice that (the --ping-restart in the log)
daemon # Become a daemon after all initialization
verb 8 # Set output verbosity to n (8 is very noisy; 3 is plenty once it works)
comp-lzo # Use fast LZO compression
# OpenVPN server mode options
client-to-client # tells OpenVPN to internally route client-to-client traffic
#duplicate-cn # Allow multiple clients with the same common name
# Note: no server-bridge / ifconfig-pool is configured, so OpenVPN logs
# 'no dynamic or static remote --ifconfig address is available' once per client.
# That is expected in this bridged setup: the remote tap0 is bridged with no IP of its own,
# so there is nothing to push to it.
# TLS Mode Options
tls-server # Enable TLS and assume server role during TLS handshake
ca ca.crt # Certificate authority (CA) file
dh dh1024.pem # File containing Diffie Hellman parameters (1024-bit is weak by current standards; generate a larger group when you regenerate)
cert server.crt # Local peer's signed certificate
key server.key # Local peer's private key
" > openvpn.conf
# ca.crt, server.crt, server.key and dh1024.pem are written to /tmp here (removed from the post),
# then the server is started from the same directory:
openvpn --config openvpn.conf
This seems to have worked. Should some kind of remarks be added to the WIKI to deal with this? Perhaps change is trivial but I never would have figured it out on my own! I would like to save someone else the trouble of having to search/ask.
I am seeing some misbehavior regarding DHCP with the present config. Computers at home configured for DHCP are getting addresses issued from the remote router (they are showing up on the network status page of the remote router).
Placebo (or anyone else, of course), are you willing/able to suggest a proper DHCP config?
This is probably obvious, but I am hoping to have each router hand out DNS information allowing internet traffic 'directly' through the ISP's connection local to each router. I am using dynamic DNS on each end, if that matters. I do want to keep Samba share capability, etc.
I'm not clear on what problem you're having regarding IP addresses. Your system will typically have two IP addresses assigned to it, one from the local router and a second one on the TAP interface from the remote router running the VPN server. What network traffic goes through which interface depends on what routes you set up on your computer.
Ignore my last post. I didn't read back earlier and see that you were connecting two routers. I guess your problem is that you want to make sure that the computers use the local internet connection when appropriate instead of routing all traffic through the VPN, which is what will happen when the remote router responds to a DHCP request. Is this correct? The assigned IP addresses shouldn't be a problem since everything's on the same network, but you'd want a different gateway depending on the location of a system.
The only point of confusion here is that the directions (link in original post) say use same DHCP range on both routers! So what happens when the respective DHCP servers hand out the same address from the same range? This part is easy to fix. I just can't believe the directions say (and meant to say) that! I am more inclined to think I am missing something!
Assuming I need to set up separate ranges on each router, that leaves this message:
<27>openvpn[557]: dd-wrt-22/75.88.129.19:1028 multi: no dynamic or static remote --ifconfig address is available for dd-wrt-22/75.88.129.19:1028
How do I fix this?
and the general question of optimum DNS settings for each router.
Do I understand correctly that in bridge mode IP addresses for the VPN interfaces make no sense, because the bridge is invisible and no routing per se takes place (all broadcast traffic is passed, as is any traffic for IPs on the other side)?
> The only point of confusion here is that the directions (link in original post) say use same DHCP range on both routers! So what happens when the respective DHCP servers hand out the same address from the same range? This part is easy to fix. I just can't believe the directions say (and meant to say) that! I am more inclined to think I am missing something!
I noticed that too. I'm fairly certain it's a mistake, but I could be wrong.
Anyway, here's the man page for dnsmasq. There are some options that might solve your problem.
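Added example (editor's, not from the thread or the DD-WRT wiki): the two loose ends above are "same DHCP range on both routers" and "each router should hand out its own gateway and DNS". Once the two LANs are bridged they are one broadcast domain, so both dnsmasq instances hear every DHCP request; the one thing that must not happen is both servers leasing from the same pool. The script below splits one /24 into two disjoint dhcp-range pools, checks they do not overlap, and prints the dnsmasq lines for each router with that router as gateway (option 3) and resolver (option 6). The addresses (192.168.1.1 for the home router, 192.168.1.2 for the remote one) and the 100-149 / 150-199 split are assumptions; adjust them to your own LAN.

```shell
#!/bin/sh
# Added example for the thread above; not DD-WRT's or dnsmasq's own code.
# Emits per-router dnsmasq DHCP options for two routers on one bridged LAN:
# disjoint lease pools, and each router advertising ITSELF as gateway/DNS.
# Runs under busybox ash (DD-WRT) as well as bash/dash.

# dotted quad -> integer, so pools can be compared numerically
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ranges_overlap A_START A_END B_START B_END -> exit 0 if they share any address
ranges_overlap() {
    a1=$(ip2int "$1"); a2=$(ip2int "$2"); b1=$(ip2int "$3"); b2=$(ip2int "$4")
    [ "$a1" -le "$b2" ] && [ "$b1" -le "$a2" ]
}

# dnsmasq_opts ROUTER_IP RANGE_START RANGE_END -> lines for that router's
# "Additional DNSMasq Options" (option 3 = default gateway, option 6 = DNS server)
dnsmasq_opts() {
    printf 'dhcp-range=%s,%s,255.255.255.0,24h\n' "$2" "$3"
    printf 'dhcp-option=3,%s\n' "$1"   # the LOCAL router is the gateway to its own ISP
    printf 'dhcp-option=6,%s\n' "$1"   # and the resolver (dnsmasq forwards to that ISP's DNS)
    # Deliberately NOT emitting dhcp-authoritative: with two servers on one segment an
    # authoritative dnsmasq would NAK renewals of leases the other router handed out.
}

# Assumed addressing for the two bridged routers (change to match your LAN).
HOME_IP=192.168.1.1;   HOME_START=192.168.1.100;   HOME_END=192.168.1.149
REMOTE_IP=192.168.1.2; REMOTE_START=192.168.1.150; REMOTE_END=192.168.1.199

if ranges_overlap "$HOME_START" "$HOME_END" "$REMOTE_START" "$REMOTE_END"; then
    echo "ERROR: DHCP pools overlap; both routers could lease the same address" >&2
else
    echo "# home router"
    dnsmasq_opts "$HOME_IP" "$HOME_START" "$HOME_END"
    echo "# remote router"
    dnsmasq_opts "$REMOTE_IP" "$REMOTE_START" "$REMOTE_END"
fi
```

Paste each router's block into its own dnsmasq options and restart dnsmasq on both. Disjoint pools rule out two machines getting the same address, but they do not decide which server a client listens to: on a bridged segment both routers answer every DHCPDISCOVER and most clients take the first OFFER, which is normally the local one because the other reply has to cross the VPN, though nothing guarantees that. If a PC still ends up with the far-side gateway, the robust fix is to run DHCP on only one of the two routers.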