OpenVPN tunnel not working :(

Worthatry
DD-WRT Novice


Joined: 06 Jan 2012
Posts: 29

PostPosted: Thu Jun 14, 2012 15:43    Post subject:
Hello,

192.168.0.1 is the WAN static IP address of the client WRT54GL; it's also the DMZ of my broadband modem.

192.168.3.1 is the LAN IP address of the client WRT54GL, and 192.168.2.1 is the LAN IP address of the server WRT54GL.

It's good to know that I'm not the only one having an access issue when starting OpenVPN; can you provide me the iroute which is working for you?

I will check again for the common-name, but I'm pretty sure that parameters are OK.

Thanks!

Baptiste
MrFidget
DD-WRT User


Joined: 15 Jul 2010
Posts: 378

PostPosted: Fri Jun 15, 2012 10:55    Post subject:
I looked at your previous post re the iroute and it looks fine to me.
Configs look good too.

Hmm, certificates & such I expect.

You could try the whole certificate generation again.
I am assuming that you downloaded OpenVPN for your PC and used Easy RSA to generate the certificates.

If you have Windoze, like me, I edit the vars.bat to set up all of the basic stuff and just change the common name. If you get stuck, I can generate a set and publish them here for you to try.

That way, if you have any doubts about your setup, at least you have something from someone else that you know works :)

Triple check your certificates. If they don't, reply and I'll knock up a set for you.

Good luck
/C
Worthatry
DD-WRT Novice


Joined: 06 Jan 2012
Posts: 29

PostPosted: Sun Jun 17, 2012 10:02    Post subject:
Hi,

You are right, I'm using OpenVPN on Windows and I use Easy RSA to generate certificates.

It's a good idea to let you generate certificates, it would be great for me to be sure that my problems are not coming from this...

Thank you!
kennsington
DD-WRT Novice


Joined: 08 Jun 2012
Posts: 11
Location: Fayetteville, TN

PostPosted: Fri Jun 29, 2012 14:31    Post subject:
Here is my setup and routes:
Code:
Home Gateway: 10.51.1.1
Home VPN server: 10.51.1.5
Remote Gateway: 10.51.2.1
Remote VPN Client: 10.51.2.5

VPN Network: 10.50.25.0

on server:
route 10.51.2.0 255.255.255.0
push "route 10.51.1.0 255.255.255.0"

iroute:
iroute 10.51.2.0 255.255.255.0


Just curious, what is your WAN gateway on the WRT54GL?

I think your DMZ is the problem. Your WRT54GL is doing some NATing that is making all traffic look like it's coming from its WAN address (it's called MASQUERADE, and it's supposed to do that).

Basically, your modem has an external IP address, it is then passing traffic on to the WRT54GL on address 192.168.0.1. The WRT54GL then passes traffic to the whole subnet 192.168.3.0 (everything connected to the LAN).

Because your client external IP is what is seen by the VPN server, that is included in the VPN. You also have defined the client LAN in your config file, so that is fine. But since you have another IP as a middle-man in between the external IP and the LAN, it's getting rejected.

If your modem is handing out 192 addresses, that means it's probably a router as well. Unless you just really want another router in there you can:
1. Take the cable that is in the WAN port of your WRT54GL and plug it in to a LAN port.
2. Turn off DHCP and let all clients to the WRT54GL get addresses from the modem.
3. Change your server config file to
Code:
route 192.168.0.0 255.255.255.0

4. And change your iroute to
Code:
iroute 192.168.0.0 255.255.255.0


If you really want to have the extra router in there, that is going to require some NAT configurations. I'm not very fluent in NAT so someone else would need to help you there.
Worthatry
DD-WRT Novice


Joined: 06 Jan 2012
Posts: 29

PostPosted: Fri Jul 06, 2012 12:29    Post subject:
kennsington wrote:

Just curious, what is your WAN gateway on the WRT54GL?


You mean, the WAN IP address of my client WRT54GL? It's 192.168.0.1.

Thank you for your answer, I understand better what is going on... I think you are right, it's my DMZ which is responsible for all my troubles here...

But I prefer to keep the firewall on the WRT54GL; router functionalities of the box provided by my ISP are quite limited... It makes me think about another thing I would like to implement: I'm routing all my traffic on the VPN, including internet traffic, and I would like to create a rule like that in the WRT54GL firewall (on the client side): only allowing outgoing traffic towards my WRT54GL server, and blocking everything else. Then, if my VPN connection is lost, all my traffic going on the WAN will be blocked.

I think that the way to go is to use iptables POSTROUTING, could somebody confirm that?

Thanks
kennsington
DD-WRT Novice


Joined: 08 Jun 2012
Posts: 11
Location: Fayetteville, TN

PostPosted: Fri Jul 06, 2012 14:01    Post subject:
If the assigned IP of your WRT54GL is 192.168.0.1 then what is the address of the server that assigned it (your modem)?

Just like 192.168.3.1 is the gateway address for your LAN clients. The WRT54GL is a gateway for all of the traffic on the LAN. Your modem is acting as a gateway for all of the traffic coming from the WRT54GL.

Anyway, knowing the gateway address is not really that important. I was just curious, if address 192.168.0.1 was being used by the client, what was the server's address.


Now, on to the main point. To block client traffic to the local WAN you probably can do it all with FORWARD rules. It might look something like this:

iptables -A FORWARD -i br0 -o eth0 -j DROP
iptables -A FORWARD -i br0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o br0 -j ACCEPT

where the devices are your actual configured devices (check ifconfig to see what they are).
Worthatry
DD-WRT Novice


Joined: 06 Jan 2012
Posts: 29

PostPosted: Sat Jul 07, 2012 12:08    Post subject:
kennsington wrote:
If the assigned IP of your WRT54GL is 192.168.0.1 then what is the address of the server that assigned it (your modem)?


Ok, I see; the IP address of my broadband modem/router is 192.168.0.254

kennsington wrote:

Now, on to the main point. To block client traffic to the local WAN you probably can do it all with FORWARD rules. It might look something like this:

iptables -A FORWARD -i br0 -o eth0 -j DROP
iptables -A FORWARD -i br0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o br0 -j ACCEPT

where the devices are your actual configured devices (check ifconfig to see what they are).


I checked the devices with ifconfig and it's ok.

I have one question; according to the internal schema of a WRT54GL with DD-WRT on it:

http://www.dd-wrt.com/wiki/index.php/Default_internal_device_network

It seems that if I would like to block traffic from going outside (on the WAN), it would be:

iptables -A FORWARD -i eth0 -o br0 -j DROP

instead of

iptables -A FORWARD -i br0 -o eth0 -j DROP

Or am I wrong somewhere?

Thanks
kennsington
DD-WRT Novice


Joined: 08 Jun 2012
Posts: 11
Location: Fayetteville, TN

PostPosted: Fri Jul 13, 2012 15:32    Post subject:
It really doesn't matter since you must have 2-way communication to do anything. If you block one direction, it will block it all.

I just did bridge to WAN because your clients on the bridge are much more likely to initiate a connection to the internet, than from the internet to your clients.
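As an added example (not from anyone in this thread), here is the "kill switch" the FORWARD rules above describe, written as a DD-WRT firewall-script function. It assumes br0 for the LAN bridge, eth0 for the WAN, tun0 for OpenVPN, and a placeholder server address 203.0.113.10 on UDP 1194; the extra OUTPUT rules let the router itself still reach the VPN server to rebuild the tunnel while everything else leaving the WAN is dropped.

```shell
#!/bin/sh
# OpenVPN kill switch for a DD-WRT client router (added example, not from the thread).
# Interface names are assumptions; verify with ifconfig. On a WRT54GL the WAN device
# is often vlan1 rather than eth0, so override WAN_IF accordingly.
LAN_IF="${LAN_IF:-br0}"
WAN_IF="${WAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"   # placeholder: public IP of the OpenVPN server
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"

# With DRY_RUN=1 the rules are printed instead of applied, so the set can be reviewed first.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

kill_switch_rules() {
    # LAN <-> tunnel is the only permitted forwarding path (site-to-site, so both
    # directions are accepted; the server's LAN may initiate connections too).
    ipt -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
    ipt -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -j ACCEPT
    # LAN traffic that would leave via the raw WAN is dropped. This is the rule that
    # bites when tun0 is down and the default route falls back to the WAN. Dropping
    # this one direction is enough: without replies no connection can complete.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j DROP
    # Router-originated traffic: only the OpenVPN control/data channel to the server
    # may leave the WAN, plus replies to it; everything else from the router is dropped.
    ipt -A OUTPUT -o "$WAN_IF" -p "$VPN_PROTO" -d "$VPN_SERVER" --dport "$VPN_PORT" -j ACCEPT
    ipt -A OUTPUT -o "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -o "$WAN_IF" -j DROP
}

# Usage: DRY_RUN=1 kill_switch_rules   (print the rule set)
#        kill_switch_rules             (apply, as root, from the DD-WRT firewall script)
```

If the OpenVPN `remote` in the client config is a hostname rather than an IP, DNS resolution from the router must also be allowed out through the WAN or the tunnel can never come up.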
Worthatry
DD-WRT Novice


Joined: 06 Jan 2012
Posts: 29

PostPosted: Sat Jul 14, 2012 21:14    Post subject:
I'm writing this message with my DD-WRT firewall dropping my internet connection... it seems that it doesn't work so well :)

Any ideas are welcome!