Posted: Mon Jun 25, 2012 10:36 Post subject: OpenVPN Router to Router
I'm setting up 2 Buffalo WZR-HP-G300NH2 routers running DD-WRT (Brainslayer 18777) and want them to be linked via OpenVPN.
Using the Wiki, I've setup one router as a server and the other as a client and the OpenVPN connection works.
Each router is a DHCP and the internet gateway for it's own network.
What I want to do now is to setup the routers so that:
1) Each machine on both the client and server networks can see all other machines on both network.
2) Stop DHCP from one router assigning addresses to PCs on the other network. (I've read this could happen).
3) Make sure each router is always the gateway and DNS provider for each of it's network.
So, 2 separate networks that are linked via OpenVPN to allow each machine to be accessible to each other.
The client DHCP address range is: 192.168.150.x
The server network address range is: 192.168.200.x
The OpenVPN network address range is: 192.168.250.x
I've used the GUI for the configuration. What I think I'm missing is additional config lines such as:
push "route 192.168.200.0 255.255.255.0"
Could someone tell me what config lines I'd need? I know there's a lot of information about this but I can't figure out what I'd need to put in as a lot presume you are using the config file, not the GUI.
I've attached the settings of the server router.
Also, would I need to add hosts file entries on the machines to be able to access the machines by name?
Is the client router using the server router as the gateway? Whatever the case you need to use "topology subnet" to have full mesh vpn in tun mode. I don't see this option available in the gui, so do it manually. echo out the config in the administration>commands page. You need to have the following added something like so on the server;
Code:
server 192.168.250.0 255.255.255.0
ifconfig 192.168.250.1 255.255.255.0
topology subnet
client-config-dir /tmp/etc/ccd
Then for the ccd files, echo "iroute 192.168.200.0 255.255.255.0" > /tmp/etc/ccd/CLIENTNAME
If you arent using redirect-gateway for the client, then the ccd file also needs something like
push-reset
push "topology subnet"
push "route 192.168.250.0 255.255.255.0"
You will also need to set up the server to add a route to that subnet on the tun interface. You can use the config route command, client-connect/disconnect script, or a routing protocol with bird. All 3 work fine on dd-wrt.
Finally, also make sure that the tun interface on the client has no mention of an iptables MASQEURADE or SNAT command, so that hosts on the client router have use their own ip address to talk to the server router.
I don't have experience of it, but you can alternatively just use tap mode without much of the above. The problem is that I think you'll need to block port 67/68 to prevent dhcp requests traversing the vpn. Using tun mode is reportedly a good bit faster.
Yes you need to change the hosts files another way. I suggest using mini_httpd and using route-up (client) and client-connect (server) scripts to wget the hosts files from each other on connection and using addn-hosts option on dnsmasq, followed by killall -HUP dnsmasq to reinit and read the hosts file. Alternatively just echo out the host names and IPs into the hosts file if they aren't going to change any time soon.
Thanks for the reply. I'll have to do a lot more reading to understand most of what you have posted!
The server router isn't going to be the gateway, I want each router to be it's own gateway, DHCP server etc. but then be able to browse each network at both locations.
