VPN needed? Advice please

Author Message
Bib
DD-WRT Guru


Joined: 07 Jul 2008
Posts: 629
Location: France

PostPosted: Tue Jul 21, 2015 15:46    Post subject: VPN needed? Advice please
Hi
Some years ago I put a wrt54gl1.1 with ddwrt as edge router for a friend's small business.
Now he and one colleague need to access the office from home/road.
I think a VPN is the thing they need. I read a lot (headache), then asked around how to set up a dual-homed Windows server as a VPN, and someone said: ddwrt+OpenVPN

There seems to be cool stuff in the little black and blue box. Currently the router only does AES wifi and gateway for the office, but I'm afraid it could be overloaded with VPN at the same time, so I figure on using another wrt54gl1.1 (I have a bunch of them in my garage) for the VPN.

Is it a good idea? The friend has a /29 subnet of public IPs from his ISP that comes into the office as an Ethernet cable.
Is it better to pick an IP in this subnet than sitting the VPN behind the main router (I'm thinking about the maximum throughput of a single box)?

Thank you for your comments.

_________________
): FoReVeR nEwB
80sguitartist
DD-WRT User


Joined: 18 Feb 2010
Posts: 218

PostPosted: Tue Jul 28, 2015 15:20    Post subject:
Just my opinion, but I think you're overcomplicating things. Since you've got a WRT54GL I'd say it probably has enough NVRAM to handle the OpenVPN connection. I usually run OpenVPN on the Asus RT-N16 and it works very well once you get everything configured. Good news is that you have the WRT54GL and, unlike the RT-N16, you can probably find some really good tutorials on setting it up entirely through the DD-WRT GUI. With the RT-N16 I have had no luck using the GUI and instead have to enter all the commands for OpenVPN.

But keep this in mind: if these guys are going to travel around, it would probably be far easier to set up a PPTP VPN and have them connect in that way. Granted, PPTP VPNs are not as secure as an OpenVPN connection, but a heck of a lot easier to set up.

From a quick look online I found this site. I haven't thoroughly looked through it, but I think step 4 is where you want to get started. http://www.geekyprojects.com/vpn/remote-access-your-home-computer-setup-a-vpn-with-dd-wrt/

After that's all set up you simply use Windows to configure a VPN Client connection in Network and Sharing Center.

Hope that helps!
Bib
DD-WRT Guru


Joined: 07 Jul 2008
Posts: 629
Location: France

PostPosted: Wed Jul 29, 2015 8:40    Post subject:
Thanks for pointing this out, man. I'll study this solution.
_________________
): FoReVeR nEwB
Bib
DD-WRT Guru


Joined: 07 Jul 2008
Posts: 629
Location: France

PostPosted: Sun Aug 30, 2015 10:08    Post subject:
Hi
One month of heavy learning/working later, I managed to get an OpenVPN link working.
After incomplete tests at home (I found this out later), I set up a VPN box (build 25179) with its own public IP in my friend's office, beside the main router (ddwrt 14896).

Unfortunately, clients (only me from home with Linux at the moment) can ping the LAN IP of the VPN server, but they can neither ping nor http anything else in the office LAN... which is really not the aim.
Once connected I can ping/http/ssh to the OpenVPN server's LAN IP and tunnel IP, but that's all; I can't do the same e.g. to the main router.

Maybe there are specific things in my config that do not match the standard tutorials/wikis:
GW box: static public IP/29, gateway mode, dhcp (lan) disabled
VPN box: static public IP'/29, gateway mode (should be router?), dhcp (lan) disabled (should be forwarder to the box below?), Network Setup Gateway field left blank, Start Type: "WAN Up", Config as: "Server", Server mode: Router (TUN)
The other box is the DHCP server in the LAN (win2003 server, wins+dns)

Firewall disabled for tests on server and client
from client:
Code:

...
SENT CONTROL [Serveur]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0 10.0.64.81,dhcp-option DNS 192.168.0.250,dhcp-option WINS 192.168.0.250,route-gateway 10.0.64.81,topology subnet,ping 10,ping-restart 120,ifconfig 10.0.64.82 255.255.255.248'
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
OPTIONS IMPORT: route-related options modified
OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
ROUTE_GATEWAY 192.168.22.254/255.255.255.0 IFACE=wlan0 HWADDR=b4:b6:76:2a:e4:82
TUN/TAP device tun0 opened
TUN/TAP TX queue length set to 100
do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 10.0.64.82/29 broadcast 10.0.64.87
/sbin/ip route add 192.168.0.0/24 via 10.0.64.81
GID set to nogroup
UID set to nobody
Initialization Sequence Completed

route -n
Kernel IP routing table
Destination     Gateway      Genmask         Indic Metric Ref    Use Iface
0.0.0.0         192.168.22.254  0.0.0.0         UG    0      0        0 wlan0   (client lan gw)
10.0.64.80      0.0.0.0         255.255.255.248 U     0      0        0 tun0
192.168.0.0     10.0.64.81      255.255.255.0   UG    0      0        0 tun0   
192.168.22.0    0.0.0.0         255.255.255.0   U     9      0        0 wlan0   (client lan IP)

tracepath 192.168.0.252 (OpenVPN server lan IP)
 1?: [LOCALHOST]       pmtu 1500
 1:  192.168.0.252     63.350ms reached
 1:  192.168.0.252     64.407ms reached
     Resume: pmtu 1500 hops 1 back 1

tracepath 192.168.0.254 (another device in the lan)
 1?: [LOCALHOST]  pmtu 1500
 1:  10.0.64.81   63.603ms   (OpenVPN server ip)
 1:  10.0.64.81   64.937ms
 2:  no reply
 3:  no reply
 4:  no reply
 5:  no reply

And from server:
Code:

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.64.80      0.0.0.0         255.255.255.248 U     0      0        0 tun2
pub.isp.net.72  0.0.0.0         255.255.255.248 U     0      0        0 vlan1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         pub.isp.gw.73   0.0.0.0         UG    0      0        0 vlan1

WAN info, just to show I know it:
Code:

ISP net (/29): pub.isp.net.72
ISP gw       : pub.isp.net.73
main router  : pub.isp.net.74
OpenVPN      : pub.isp.net.78
ISP broadcast: pub.isp.net.79

Any idea what my mistake is, please? Thank you for any advice.

_________________
): FoReVeR nEwB
Bib
DD-WRT Guru


Joined: 07 Jul 2008
Posts: 629
Location: France

PostPosted: Sun Aug 30, 2015 20:41    Post subject:
I got this working: it seems the return path for the pong to the whole LAN was missing.
Code:
route add -net 10.0.64.80 netmask 255.255.255.248 gw 192.168.0.252
on the main router lets my client ping anything in the remote LAN OK.

Now, please, I need your advice/comments on the best way:
1 - make this persistent from the main ddwrt gateway GUI?
and/or
2 - add this static route on the LAN to the machine(s) the clients will need to use?

I feel a bit puzzled with this setup: I'd thought that inside the LAN there is no need to route; I mean, for pings coming from the client to the OpenVPN server's virtual IP, then to its LAN IP (.252), then to the target, say .250, the reply from the .250 machine would go to the .252 source???
Moreover, although ping now works with this strange tweak, tracepath from home still shows
Code:
^C
--- 192.168.0.253 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 65.889/69.816/74.889/3.774 ms
~$ tracepath 192.168.0.253
 1?: [LOCALHOST] pmtu 1500
 1:  10.0.64.81  72.874ms
 1:  10.0.64.81  63.864ms
 2:  no reply
 3:  no reply
 4:  no reply

Go figure.

And a last thing, please. I'd rather set clients to use the web through the VPN while they are connected, so that as soon as they don't need the LAN anymore they disconnect to get back their own gateway with better throughput (and also so that there is always a single entry point from WAN to LAN; I'd feel the LAN is more secure... maybe an illusion). I tried to enable the "Redirect default Gateway" option, but my client (Linux) fails to resolve web names although I set/push a DNS as
Code:
push "dhcp-option DNS 192.168.0.250"

"Redirect default Gateway" adds some more routes to my client and I can still ping the full LAN.

_________________
): FoReVeR nEwB
Bib
DD-WRT Guru


Joined: 07 Jul 2008
Posts: 629
Location: France

PostPosted: Sun Aug 30, 2015 20:53    Post subject:
eibgrad wrote:
Once you decide to run the OpenVPN server on some device other than the primary router...


Thanks for your reply, eibgrad. You were faster to post than I was to write up the above discovery.
However, some mysteries remain (see just above).

_________________
): FoReVeR nEwB
Bib
DD-WRT Guru


Joined: 07 Jul 2008
Posts: 629
Location: France

PostPosted: Mon Aug 31, 2015 6:38    Post subject:
Thank you for your tip about DNS, eibgrad.

Fortunately in my case, the (my friend's) main router being ddwrt too, I can (I did) add the OpenVPN network route to it. I first ran into a problem while adding it with the GUI, but in the end I succeeded, even with the GUI (I rather like using the GUI when a feature exists... and works, instead of a startup script as a workaround). I don't know why in the beginning route -n didn't show the route added with the GUI (maybe some delay is required).

About the DNS again, another scenario could be to completely prevent Internet access for VPN clients (by enabling "Redirect default gateway" AND NOT setting DNSMasq correctly), which I'm seriously considering (because clients will need the VPN only for short sessions).
In my case DNSMasq is disabled on both routers, as the friend has his own internal DHCP/DNS win2k3 server. This will be an opportunity for me to try to understand the difference (if any) between the DNSMasq settings in the Network Setup and Services GUI pages. Unfortunately, if I set DNSMasq correctly to allow the VPN clients to resolve LAN DNS names, I'm afraid this will also magically allow them to resolve WAN DNS names. This is my life with networking: fighting to make something work, and then, when fighting to make something else not work, finding when it's done that it makes the first thing work again.

I'll post the rest of the story here (also for my own memory).

Bye bye and thank you for being there.

_________________
): FoReVeR nEwB


Last edited by Bib on Tue Sep 01, 2015 7:28; edited 1 time in total
Bib
DD-WRT Guru


Joined: 07 Jul 2008
Posts: 629
Location: France

PostPosted: Mon Aug 31, 2015 19:42    Post subject:
Hi eibgrad
Reading your first hint about the missing route, I dug further and I feel puzzled: in fact, adding the route to the VPN in the main gateway now allows clients to ping the whole LAN.
But before I go on with DNS and "Redirect default gateway" I wanted to make sure I'm on the right track. As said in my first and 3rd posts, I have 2 routers at the server's location. So I remembered that dd-wrt advises setting the non-gateway ones as simple "Router" instead of "Gateway", which I completely forgot when setting up the OpenVPN box. So, reading your post again, I guess that at the moment I added the route in the gateway, the VPN router was still doing NAT (but maybe only between WAN and LAN, not between VPN and LAN; I have to check this point). This could explain why the added route did the job.
Now that I've set the VPN box to the recommended "Router" mode, the added route seems not to be enough, as I'm back to the same situation: pings from VPN clients limited to the VPN box, not beyond its LAN IP.
Comparing the two routing tables, I can't see what is missing; I only wonder whether having the same route "x.y.z.72 0.0.0.0 255.255.255.248 U 0 0 0 vlan1"
in both boxes is something very clean (could it duplicate some packets to the WAN?)

Code:
root@VPN:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.64.80      0.0.0.0         255.255.255.248 U     0      0        0 tun2
x.y.z.72        0.0.0.0         255.255.255.248 U     0      0        0 vlan1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         x.y.z.73        0.0.0.0         UG    0      0        0 vlan1

Code:

root@Gateway:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    x.y.z.73    0.0.0.0         255.255.255.255 UH    0      0        0 vlan1
10.0.64.80      192.168.0.252   255.255.255.248 UG    0      0        0 br0
    x.y.z.72    0.0.0.0         255.255.255.248 U     0      0        0 vlan1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         x.y.z.73        0.0.0.0         UG    0      0        0 vlan1

As you see, the dd-wrt guru flag I got yesterday or thereabouts is somewhat usurped. It seems I entered the Elevated Knowledge Area with my same old newb skills. That kind of guru lacks basic routing know-how, the last straw for a dd-wrt guru. The funny thing is, when I began I thought that setting up the OpenVPN pki/server/clients would be the hardest part.

_________________
): FoReVeR nEwB
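To illustrate why the static route on the main router mattered for the reply path (this is an added example, not code from the thread or from DD-WRT): a small longest-prefix-match simulation of a LAN host's reply to a VPN client, using the routing tables posted above. The masked public /29 is replaced by the documentation range 198.51.100.72/29 as a placeholder.

```python
import ipaddress

# Routing tables transcribed from the `route -n` output in the thread.
# 198.51.100.72/29 is a placeholder for the masked public /29 (assumption).

def lookup(table, dst):
    """Longest-prefix match. table: list of (prefix, gateway_or_None, iface)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])

# LAN host (e.g. the win2k3 server .250): it knows nothing about 10.0.64.80/29,
# so its reply to a VPN client follows the default route to the main router.
LAN_HOST = [("192.168.0.0/24", None, "eth0"),
            ("0.0.0.0/0", "192.168.0.254", "eth0")]

# Main router ("Gateway") before the fix: no route for the tunnel subnet either.
GATEWAY_BEFORE = [("198.51.100.72/29", None, "vlan1"),
                  ("192.168.0.0/24", None, "br0"),
                  ("0.0.0.0/0", "198.51.100.73", "vlan1")]

# Same table after `route add -net 10.0.64.80 netmask 255.255.255.248 gw 192.168.0.252`.
GATEWAY_AFTER = GATEWAY_BEFORE + [("10.0.64.80/29", "192.168.0.252", "br0")]

# OpenVPN box (LAN IP .252): the only device that knows the tunnel subnet is on tun2.
VPN_BOX = [("10.0.64.80/29", None, "tun2"),
           ("198.51.100.72/29", None, "vlan1"),
           ("192.168.0.0/24", None, "br0"),
           ("0.0.0.0/0", "198.51.100.73", "vlan1")]

def reply_path(gateway_table, client="10.0.64.82"):
    """Hops taken by .250's reply to a VPN client: ends on tun2 if it gets back
    into the tunnel, or 'dropped' if it leaks toward the ISP gateway instead."""
    tables = {"192.168.0.250": LAN_HOST, "192.168.0.254": gateway_table,
              "192.168.0.252": VPN_BOX}
    node, hops = "192.168.0.250", []
    while True:
        gw, iface = lookup(tables[node], client)
        hops.append((node, iface))
        if gw is None:            # destination is on a directly connected network
            return hops
        if gw not in tables:      # next hop is outside the site: a private dst is lost
            hops.append((gw, "dropped"))
            return hops
        node = gw                 # forward to the next router on the LAN
```

Without the route the reply leaves on vlan1 towards the ISP; with it the main router hands the packet to .252, which puts it on tun2.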
Bib
DD-WRT Guru


Joined: 07 Jul 2008
Posts: 629
Location: France

PostPosted: Thu Sep 03, 2015 11:54    Post subject:
I switched the OpenVPN server back to gateway mode because router mode lacked too many iptables entries, including the tun ones.
I hope this is not a bad idea.

I also allowed the VPN subnet to query the DNS server in the remote DNS server's firewall (maybe not useful).

It seems I have a problem with my ubuntu client when I run nslookup without specifying the remote DNS server: I always get a server error.
It's OK when I specify the server.
It's also always OK when I connect with the network-manager-openvpn-plugin (manually created connection or imported from my client.conf file,
both with/without filling the fields "Additional DNS servers" and/or "Additional domains for search").

Errors are when I use command line to connect.

_________________
): FoReVeR nEwB