Posted: Tue Oct 18, 2011 20:50 Post subject: Routing all traffic through DD-WRT OpenVPN client to VPS
So I believe I've paid my due diligence with 8+ hours of fiddling and googling...so I ask for the help of the forums.
I don't think my situation is that complicated...but I just can't get it to work and can't find any definitive answers from searching.
Here is my setup:
CLIENT: WRT54GL router with DD-WRT w/ OpenVPN
SERVER:
Remote VPS running OpenVPN on Debian.
GOAL:
All computers connecting to the router/client should have ALL traffic routed through the VPN to the server, with the possible exception of DNS resolution (if that makes things easier)
I can post my .conf files when I get back home, but I feel like I'm missing something more general.
Here's where I am currently (note that I'm running everything interactively for now. I'll worry about automating/saving it later):
I can get the VPN (using tun) to connect and then after adding this rule on the client/router:
Code:
iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE
then I can ping the remote VPS from a computer connected to the router. However, since I am using the 'push "redirect-gateway def1"' directive, I can't reach any external websites.
I've seen the push "dhcp-option DNS <blah>" directive, but it sounds like this only works on windows?
I've also made sure to add an iptables rule to the server to route traffic to the regular ethernet (I believe this is correct):
Code:
iptables -t nat -A POSTROUTING -s <same IP used in 'server' directive> -o venet0 -j MASQUERADE
I've also seen some sites mention needing to edit /etc/resolv.conf? Is this necessary?
I must admit I'm still confused on how iptables and `route` (kernel routing tables) work together to get everything done. And then there's also `ip route`?
Surely this is not that complicated of a set-up. Can someone give any advice? Or list what information/commands you need to debug more (route, iptables, etc.)?
What I was missing was handling DNS. I was able to get it working but I'm not sure what the "correct" solution is.
Basically, I found the script to update resolv.conf, so then the router itself can successfully resolve domain names. But how do I propagate the new nameserver details to the clients connected to the router?
What I did for now was to manually edit dnsmasq.conf to send a dhcp-option,6 directive to set the dns servers to something public, eg 8.8.8.8.
Before, it was sending the router's address as the DNS server and I guess the router wasn't properly handling the DNS requests? Or maybe they were getting tunneled?
Anyway, what is the proper way to "update" the router, once the OpenVPN link is up, to set the correct/new nameservers and/or forward/route DNS requests from the connected clients? Should I just set the "Static DNS" options in the GUI? Or is there a better way?
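One way to do the "update the router once the link is up" step asked about above, as an added example (not code from either post): a route-up script for the DD-WRT OpenVPN client that takes the DNS servers the server pushes with 'push "dhcp-option DNS ..."' and hands them to dnsmasq, so LAN clients that already use the router as their DNS server resolve through the tunnel. Assumed: dnsmasq on DD-WRT reads its upstream servers from /tmp/resolv.dnsmasq, and the script lives at the hypothetical path /jffs/vpn-dns.sh (client config: script-security 2, route-up /jffs/vpn-dns.sh).

```shell
#!/bin/sh
# route-up script for the DD-WRT OpenVPN client (added example, not from the posts).
# On non-Windows clients OpenVPN does not apply pushed "dhcp-option" lines itself;
# it exports each one to scripts as foreign_option_N (N = 1, 2, ...). This script
# turns "dhcp-option DNS a.b.c.d" into nameserver lines for dnsmasq, which the LAN
# clients already use, so nothing in dnsmasq.conf or the DHCP options has to change.
# ASSUMPTION: DD-WRT's dnsmasq reads upstream servers from /tmp/resolv.dnsmasq.

RESOLV_FILE="${RESOLV_FILE:-/tmp/resolv.dnsmasq}"

# Accept only four dotted decimal octets in 0-255. The value comes from the
# remote server, so it must not reach the resolver file unchecked.
is_ipv4() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print one "nameserver X" line per pushed "dhcp-option DNS X", in push order;
# other pushed options (DOMAIN, WINS, ...) and malformed addresses are skipped.
pushed_dns_servers() {
    i=1
    while eval "opt=\"\${foreign_option_$i:-}\""; [ -n "$opt" ]; do
        set -- $opt
        if [ "$1" = "dhcp-option" ] && [ "$2" = "DNS" ] && is_ipv4 "$3"; then
            echo "nameserver $3"
        fi
        i=$((i + 1))
    done
}

# Write the resolver file and make dnsmasq drop answers it cached before the
# tunnel came up (dnsmasq polls the resolv file for changes; HUP clears the cache).
install_dns_servers() {
    servers=$(pushed_dns_servers)
    if [ -z "$servers" ]; then
        echo "vpn-dns: server pushed no DNS, leaving $RESOLV_FILE untouched" >&2
        return 1
    fi
    printf '%s\n' "$servers" > "$RESOLV_FILE"
    killall -HUP dnsmasq 2>/dev/null || true
}

# OpenVPN sets script_type when it runs us; when sourced by hand, only define functions.
if [ -n "${script_type:-}" ]; then install_dns_servers; fi
```

The matching down script should restore the pre-VPN resolver file so the router is not left pointing at an unreachable nameserver after the tunnel drops.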
Posted: Fri Mar 02, 2012 15:05 Post subject: RE: Routing all traffic through DD-WRT OpenVPN client to VPS
After a while I finally have a working scenario:
My work subnet: 192.168.x.x
My home subnet: 10.0.2.x
OpenVPN listens on port TCP 1723 (as PPTP), assigns subnet: 10.0.3.x
When I connect from work to home's DD-WRT router, all the traffic, Internet included, goes through my home router; only the 192.168.x.x subnet is excluded, so I can access company servers the same as I have access to home servers.
I followed the DD-WRT Wiki steps "VPN (the easy way) v24+"
My OpenVPN configuration:
Code:
dev tun0
proto tcp
port 1723
keepalive 10 120
comp-lzo yes
server 10.0.3.0 255.255.255.0
push "route 10.0.2.0 255.255.255.0"
# INTERNET ROUTING
push "dhcp-option DNS 10.0.2.1"
push "redirect-gateway def1"
# EXCLUDE FROM ROUTING
push "route 192.168.0.0 255.255.0.0 net_gateway"
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
# management parameter allows DD-WRT's OpenVPN Status web page to access the server's management port
# port must be 5001 for scripts embedded in firmware to work
management localhost 5001