Joined: 02 Aug 2017 Posts: 29 Location: Cambridge, UK and Rouen, France
Posted: Wed Aug 02, 2017 19:52 Post subject: Connecting DD-WRT OpenVPN to Netgear R7000 standard VPN
Long Post - I have tried to provide the sort of information I've seen asked for in other posts.
I want to create a link between a “Remote” location (In France) and a “Home” location (in the UK) over two regular domestic ISP connections so I can access network facilities at the “home” location. I am hoping using a DD-WRT router set up as an OpenVPN client will connect to a Netgear OpenVPN server at the home location. (NB The Netgear is NOT DD-WRT it is Netgear’s own locked down implementation)
Kit/basic description
1. “Remote” PCs/devices/laptop- Windows PCs
Wired and/or wireless connection to:
2. “DD-WRT Router” provides “Remote Devices” with IP addresses via DHCP from a TP-LINK N600 wireless router
Wired connection to:
4. “Home” ISP cable modem (UK ISP Virgin Media Super hub 3 in “Modem Mode” i.e. not a router)
Wired connection to
5. “Home Router” – Netgear R7000 running STANDARD Netgear firmware (latest version 2 weeks ago)
I want to setup a connection from my “Remote PCs and devices” to my “Home network”.
I am trying to use the inbuilt OpenVPN SERVER in my home Netgear router. This server is not accessible and I can only change two parameters – the connection port number and the connection type TUN or TAP. I want TAP so that all traffic from my Remote Devices is routed via my Home Network.
Remote PCs and devices
• DHCP assigned IP address
• 192.168.39.x
• 255.255.255.0
Remote DD-WRT router
• DHCP Server scope starts at 192.168.39.100 mask 255.255.255.0
• DD-WRT OpenVPN CLIENT configured to connect to Home Netgear OpenVPN server.
• The checked options are “NAT” Enabled
• The only additional config line is: route-gateway 192.168.10.1
NB: Other than route-gateway there is no non-standard stuff added to routing tables/firewalls etc. (if OpenVPN, Windows 10 or DHCP doesn’t provide it, it won’t be set/changed)
Remote ISP Router
• DHCP Server scope 192.168.10.2 and upwards mask 255.255.255.0
• ADSL
Home ISP modem
“dumb” Cable Modem – no non-standard settings.
Home Router
• DHCP assigned IP address
• 192.168.0.x
• 255.255.255.0
Client1.ovpn file generated by Netgear firmware : NB TAP
client
dev tap
proto udp
dev-node NETGEAR-VPN
remote PUBLICNAMEHIDDEN.ddns.net 12974
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
cipher AES-128-CBC
comp-lzo
verb 5
I have matched the client1.ovpn settings in the Remote DD-WRT client config to the above.
The dd-wrt VPN status page looks like this:
20170801 21:37:08 I OpenVPN 2.3.0 mips-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 25 2013
20170801 21:37:08 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20170801 21:37:08 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20170801 21:37:08 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
20170801 21:37:08 Socket Buffers: R=[163840->131072] S=[163840->131072]
20170801 21:37:08 I UDPv4 link local: [undef]
20170801 21:37:08 I UDPv4 link remote: [AF_INET]PUBLICIPHIDDEN:12974
20170801 21:37:08 TLS: Initial packet from [AF_INET]PUBLICIPHIDDEN:12974 sid=4bcdb8bb 396a2484
20170801 21:37:09 VERIFY OK: depth=1 C=TW ST=TW L=Taipei O=netgear OU=netgear CN=netgear emailAddress=mail@netgear.com
20170801 21:37:09 VERIFY OK: nsCertType=SERVER
20170801 21:37:09 NOTE: --mute triggered...
20170801 21:37:16 6 variation(s) on previous 3 message(s) suppressed by --mute
20170801 21:37:16 I [netgear] Peer Connection Initiated with [AF_INET]PUBLICIPHIDDEN:12974
20170801 21:37:18 SENT CONTROL [netgear]: 'PUSH_REQUEST' (status=1)
20170801 21:37:18 PUSH: Received control message: 'PUSH_REPLY route 192.168.0.0 255.255.255.0 route-delay 5 redirect-gateway def1 route-gateway dhcp ping 10 ping-restart 120'
20170801 21:37:18 OPTIONS IMPORT: timers and/or timeouts modified
20170801 21:37:18 NOTE: --mute triggered...
20170801 21:37:18 2 variation(s) on previous 3 message(s) suppressed by --mute
20170801 21:37:18 ROUTE_GATEWAY 192.168.10.1/255.255.255.0 IFACE=vlan2 HWADDR=f8:1a:67:5a:ce:41
20170801 21:37:18 I TUN/TAP device tap1 opened
20170801 21:37:18 TUN/TAP TX queue length set to 100
20170801 21:37:23 /sbin/route add -net PUBLICIPHIDDEN netmask 255.255.255.255 gw 192.168.10.1
20170801 21:37:23 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 192.168.10.1
20170801 21:37:23 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 192.168.10.1
20170801 21:37:23 /sbin/route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.10.1
20170801 21:37:23 I Initialization Sequence Completed
20170801 21:37:56 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170801 21:37:56 D MANAGEMENT: CMD 'state'
20170801 21:37:56 MANAGEMENT: Client disconnected
20170801 21:37:56 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170801 21:37:56 D MANAGEMENT: CMD 'state'
20170801 21:37:56 MANAGEMENT: Client disconnected
20170801 21:37:56 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170801 21:37:56 D MANAGEMENT: CMD 'state'
20170801 21:37:56 MANAGEMENT: Client disconnected
20170801 21:37:56 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170801 21:37:56 D MANAGEMENT: CMD 'log 500'
19700101 00:00:00
So it looks like the connection was successful. The Route to 192.168.0.x was pushed from my home netgear and is in the routing table in the DD-WRT router:
Routing Table Entry List (from Remote DD-WRT)
Destination LAN NET Subnet Mask Gateway Flags Metric Interface
0.0.0.0 128.0.0.0 192.168.10.1 UG 0 WAN
0.0.0.0 0.0.0.0 192.168.10.1 UG 0 WAN
PUBLICIPHIDDEN 255.255.255.255 192.168.10.1 UGH 0 WAN
128.0.0.0 128.0.0.0 192.168.10.1 UG 0 WAN
169.254.0.0 255.255.0.0 0.0.0.0 U 0 LAN & WLAN
192.168.0.0 255.255.255.0 192.168.10.1 UG 0 WAN
192.168.10.0 255.255.255.0 0.0.0.0 U 0 WAN
192.168.39.0 255.255.255.0 0.0.0.0 U 0 LAN & WLAN
BUT I can’t see any devices on my home network. Pings to 192.168.0.x from my remote PCs all fail.
I’ve tried every suggestion I can find on the web including lots of suggestions that I need to setup firewall rules, and add a config statement redirect-gateway def1 bypass-dhcp.
Over the course of my attempts I have tried all of the following:
With or without these statements behaviour is identical - except some make things fail altogether.
My knowledge in this area is limited. I only just understand most of what I have written but NOTHING at all about the firewall iptables.
The bottom line (finally) Can anyone tell me what I am doing wrong or what I need to do to fix this?
Two final points which may or may not help:
An attempt to tracert from a laptop connected to the remote dd-wrt router (192.168.39.0/24) to my home network 192.168.0.0/24 gets as far as my Remote ISP’s first hop (i.e. through my French ISP router (192.168.10.0/24) to the first hop at 80.x.y.z where tracert reports unreachable).
If I run the OpenVPN windows client software set up as Netgear suggest (it uses the client1.ovpn settings I gave above) I can connect my windows 10 laptop to my home network and everything works fine. This tells me there’s nothing between here and there that prevents it working. It must be a settings problem somewhere…
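The post above gives two pieces of evidence: the PUSH_REPLY line from the client log and the DD-WRT routing table. The script below is an added example (not from the original post or from DD-WRT) that parses both and cross-checks them: it pulls the pushed options out of the log line, reads the routing table, and reports where the redirect-gateway half-routes (0.0.0.0/1 and 128.0.0.0/1) and the pushed 192.168.0.0/24 route actually point. The sample input is the data quoted in the post, with the public IP placeholder kept; the WAN gateway address 192.168.10.1 is passed in because that is what the post says the ISP router is.

```python
import ipaddress
import re

# Constructed sample input, copied from the first post: the PUSH_REPLY log line
# and the DD-WRT routing table (public IP replaced by a placeholder, as there).
PUSH_REPLY_LINE = (
    "20170801 21:37:18 PUSH: Received control message: 'PUSH_REPLY route 192.168.0.0 "
    "255.255.255.0 route-delay 5 redirect-gateway def1 route-gateway dhcp ping 10 "
    "ping-restart 120'"
)
ROUTING_TABLE = """\
0.0.0.0 128.0.0.0 192.168.10.1 UG 0 WAN
0.0.0.0 0.0.0.0 192.168.10.1 UG 0 WAN
PUBLICIPHIDDEN 255.255.255.255 192.168.10.1 UGH 0 WAN
128.0.0.0 128.0.0.0 192.168.10.1 UG 0 WAN
169.254.0.0 255.255.0.0 0.0.0.0 U 0 LAN & WLAN
192.168.0.0 255.255.255.0 192.168.10.1 UG 0 WAN
192.168.10.0 255.255.255.0 0.0.0.0 U 0 WAN
192.168.39.0 255.255.255.0 0.0.0.0 U 0 LAN & WLAN
"""

# Option names that may appear in a PUSH_REPLY; any other token is an argument of
# the option before it, which copes with variable-arity options like redirect-gateway.
PUSH_OPTIONS = {"route", "route-delay", "redirect-gateway", "route-gateway", "ping",
                "ping-restart", "dhcp-option", "ifconfig", "topology", "comp-lzo"}

def parse_push_reply(line):
    """Return [(option, [args...]), ...] from an OpenVPN 'PUSH_REPLY ...' log line."""
    m = re.search(r"'PUSH_REPLY (.*?)'", line)
    if not m:
        raise ValueError("no PUSH_REPLY in line")
    opts = []
    for tok in m.group(1).split():
        if tok in PUSH_OPTIONS:
            opts.append([tok])
        elif opts:
            opts[-1].append(tok)
    return [(o[0], o[1:]) for o in opts]

def parse_routes(text):
    """Parse the DD-WRT 'Routing Table Entry List'; the interface column may contain spaces."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        dest, mask, gw, flags, metric = parts[:5]
        routes.append({"dest": dest, "mask": mask, "gw": gw, "flags": flags,
                       "metric": int(metric), "iface": " ".join(parts[5:])})
    return routes

def analyse(push_line, table_text, wan_gateway):
    """Cross-check what the server pushed against where the client's routes really point."""
    opts = parse_push_reply(push_line)
    routes = parse_routes(table_text)
    names = {n for n, _ in opts}
    pushed = [ipaddress.ip_network(f"{a[0]}/{a[1]}") for n, a in opts
              if n == "route" and len(a) >= 2]

    def via_wan(r):
        return r["gw"] == wan_gateway and r["iface"] == "WAN"

    # redirect-gateway def1 is installed as two half-routes, 0.0.0.0/1 and 128.0.0.0/1
    halves = [r for r in routes
              if r["mask"] == "128.0.0.0" and r["dest"] in ("0.0.0.0", "128.0.0.0")]
    result = {
        "redirect_gateway": "redirect-gateway" in names,
        "route_gateway_dhcp": ("route-gateway", ["dhcp"]) in opts,
        "pushed_routes": [str(n) for n in pushed],
        "def1_half_routes_via_wan": len(halves) == 2 and all(via_wan(r) for r in halves),
        "pushed_routes_via_wan": [],
    }
    for net in pushed:
        for r in routes:
            try:
                rnet = ipaddress.ip_network(f"{r['dest']}/{r['mask']}", strict=False)
            except ValueError:  # e.g. the PUBLICIPHIDDEN placeholder row
                continue
            if rnet == net and via_wan(r):
                result["pushed_routes_via_wan"].append(str(net))
    return result

def report(result, wan_gateway):
    """Turn the analysis into the plain-language findings a forum reply would state."""
    lines = []
    if result["redirect_gateway"]:
        lines.append("server pushed redirect-gateway: the client is meant to send all traffic into the tunnel")
    if result["route_gateway_dhcp"]:
        lines.append("route-gateway dhcp: the tunnel gateway has to come from a DHCP lease received over tap")
    if result["def1_half_routes_via_wan"]:
        lines.append(f"but 0.0.0.0/1 and 128.0.0.0/1 point at the WAN gateway {wan_gateway}, not the tunnel")
    for net in result["pushed_routes_via_wan"]:
        lines.append(f"pushed route {net} also points at {wan_gateway}, so pings to it go to the ISP router")
    return "\n".join(lines)

if __name__ == "__main__":
    wan = "192.168.10.1"
    print(report(analyse(PUSH_REPLY_LINE, ROUTING_TABLE, wan), wan))
```

Run as-is it reads the sample data above; to check a live router, paste the PUSH_REPLY line from the client log and the routing table from the status page in place of the two constants. The useful output is the last two findings: every route the server pushed has been installed with the ISP router as its gateway, which is why traffic for 192.168.0.0/24 turns up at the French ISP's first hop instead of crossing the tunnel.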
Joined: 02 Aug 2017 Posts: 29 Location: Cambridge, UK and Rouen, France
Posted: Thu Aug 03, 2017 17:40 Post subject:
Can anyone provide me with a pointer on this please?
I have searched long and hard before I posted here. From my searches it seems this is not an isolated case - but none of the "solutions" posted work for me...
My own suspicion is I have a setting wrong or I have missed something very simple - but as I said I don't fully understand all this stuff and some (many?) of the explanations people give I just don't understand. There's so much technical language used I get easily lost.
Thanks in advance
====
Old_Codger
(An aging geek who wrote his first programs in Machine Code and Basic on Intel 8080 CPUs and Motorola 6502's...)
Joined: 13 Aug 2013 Posts: 6868 Location: Romerike, Norway
Posted: Thu Aug 03, 2017 18:24 Post subject:
You got it all wrong. Tap is a bridged interface. The routed one is tun.
With a bridged tunnel, both LANs must have the same sub-net i.e. 192.168.39.0. Use 192.168.39.1 and 192.168.39.2 for the routers.
Since both sides have the same sub-net, there are no routes to push and no NAT.
With a routed VPN over tun, you need 3 networks. One for each side and one for the tunnel itself. When you push the routes, you do not enable any NAT except for outgoing to the Internet.
Your gateway is also wrong as it has to be on the same sub-net as the host's own address.
Joined: 02 Aug 2017 Posts: 29 Location: Cambridge, UK and Rouen, France
Posted: Fri Aug 04, 2017 18:17 Post subject:
In my excitement** that you helped me to get it working I overlooked a "small" matter - I couldn't actually connect to the internet through the bridge.
Last night I noticed my Laptop (currently connected to my Remote DD-WRT router) had an ip address assigned by my home router - but no default gateway was assigned.
Tonight the same laptop with the exact same config remote router is getting an IP address from the DD-WRT DHCP server.
So I disabled the Remote DHCP (which thinking about it, I should have done earlier...)
Now I can't browse via my Home network again and I can't now ping anything off the LAN (8.8.8.8 etc)
How do I get the Home netgear router to send the gateway and dns details across to my remote laptop?
I suspect it's another setting I am missing..
Use DNSMasq for DHCP
Use DNSMasq for DNS
DHCP-Authoritative are all checked (default)
The DNS settings on the Home netgear router are 8.8.8.8 and 8.8.4.4
Laptop (Windows) is set to get IP and DNS automatically (DHCP)
DOSBox (New Windows 10 Creator Powershell!)
PS C:\WINDOWS\system32> ipconfig /all
Pinging 192.168.0.2 with 32 bytes of data:
Reply from 192.168.0.2: bytes=32 time=47ms TTL=64
Reply from 192.168.0.2: bytes=32 time=50ms TTL=64
Reply from 192.168.0.2: bytes=32 time=50ms TTL=64
Reply from 192.168.0.2: bytes=32 time=47ms TTL=64
Ping statistics for 192.168.0.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 47ms, Maximum = 50ms, Average = 48ms
BUT AN ATTEMPT TO PING THE GOOGLE NAMESERVERS DIES AT AN IP ADDRESS ON MY REMOTE ISP's ROUTER (FRENCH END)
PS C:\WINDOWS\system32> ping 8.8.8.8
Pinging 8.8.8.8 with 32 bytes of data:
Reply from 192.168.10.3: Destination host unreachable.
Reply from 192.168.10.3: Destination host unreachable.
Reply from 192.168.10.3: Destination host unreachable.
Reply from 192.168.10.3: Destination host unreachable.
Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
PS C:\WINDOWS\system32>
Given this is supposed to be in a tunnel I do not know how the ping got there (tracert dies with this as the first hop as well)
I've already tried several things but made no difference....
** Excited? I know, I know I really should get out more...
===
Joined: 02 Aug 2017 Posts: 29 Location: Cambridge, UK and Rouen, France
Posted: Fri Aug 04, 2017 20:50 Post subject:
OK - I've been playing.
The problem is definitely the lack of a default gateway.
If I give my laptop (connected to the remote dd-wrt router) a fixed IP address, everything works fine - so why isn't my gateway coming across the bridge with DHCP data? On the home network the gateway gets assigned properly.
I have tried adding the
route-gateway 192.168.10.2
to the extra commands but that doesn't fix this.
====
Old_Codger
I think you need to explicitly define the dhcp gateway, like this:
push "dhcp-option DNS xxx.xxx.xxx.xxx"
Where xxx.. is the local IP of the router, in your case 192.168.0.1 _________________ R6400v2 (boardID:30) - Kong 36480 running since 03/09/18 - (AP - DNSMasq - AdBlocking - QoS) R7800 - BS 31924 running since 05/26/17 - (AP - OpenVPN Client - DNSMasq - AdBlocking - QoS) R7000 - BS 30771 running since 12/16/16 - (AP - NAS - FTP - SMB - OpenVPN Server - Transmission - DDNS - DNSMasq - AdBlocking - QoS) R6250 - BS 29193 running since 03/20/16 - (AP - NAS - FTP - SMB - DNSMasq - AdBlocking)
I'm away from the router for a few days and will try next time I am there
Can I just check? Does the IP address need to be remote/secondary/DD-WRT address or the home/primary/server address?
I'm not completely sure what you mean but the address must point to where your DHCP server is, in this case if I understood correctly should be your ddwrt ip address 0.1 from what you said.
Normal ovpn TAP using r33006 for server and client.
Once TAP bridge is made:
Turn off DHCP on the client router. It will make your life much easier using TAP.
All clients should get DHCP from server router pool --- not ovpnserver IPs.. that is
for TAP clients for more than one VPN client.
All clients connected behind a dd-wrt ovpn client TAP router should get DHCP from main server.
There are various ways to do this but what I mentioned is the easiest and usually the best.
Server setup should have:
'Block DHCP across the tunnel' should be disabled.
'DHCP-Proxy mode' should be disabled.
Shouldn't be any need for Additional Config.
ovpn client turn off DHCP let server do this.
Gateway should point to ovpn server LAN IP
ovpn client settings:
'Bridge TAP to br0' should be enabled
'Tunnel UDP MSS-Fix' should only be enabled on server or client, Not both. Server usually good place for this.
If you go tinkering with this you will find out quickly you will lose the server if changes are made on it.
Usually restart the client (click apply settings on services/vpn) on client router will reconnect and renew
all DHCP ... unless you made a bad booboo on the server.
It is actually simple to setup with two dd-wrt devices no need for bunch extra rules and such.
Don't know about the netgear ovpn server?????
This of course puts everything connected to the client router going thru the TAP bridge.
Create an unbridged VAP on client router for devices to connect straight thru out of the TAP.
EDIT:
You can also set static leases and use local DNS and everything you need on main server router....
This will all work fairly good if you have decent UL/DL internet connection at each end.
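Per's rules for TAP versus TUN (one shared subnet with distinct router addresses, nothing to push and no NAT for a bridge; three disjoint networks for a routed tunnel; gateway inside the host's own subnet) and mrjcd's checklist above can be turned into a plan checker. This is an added example, not code from the thread or from DD-WRT: it assumes two DD-WRT routers as mrjcd describes, and the dictionary field names (lan_ip, dhcp_server, bridge_tap_to_br0, mss_fix and so on) are invented labels for the GUI settings named in the posts. The "before" plan is constructed from the first post (remote LAN 192.168.39.0/24, route-gateway 192.168.10.1, NAT on, client DHCP on, server pushing a route); the "after" plan applies the replies. The tunnel network 10.8.0.0/24 in the TUN check is a made-up placeholder.

```python
import ipaddress

# Constructed "before" plan, mirroring the first post's layout.
BEFORE = {
    "server": {"lan_ip": "192.168.0.2/24", "block_dhcp_across_tunnel": False,
               "dhcp_proxy": False, "mss_fix": True, "push_routes": ["192.168.0.0/24"]},
    "client": {"lan_ip": "192.168.39.1/24", "gateway": "192.168.10.1", "dhcp_server": True,
               "nat": True, "bridge_tap_to_br0": True, "mss_fix": True},
}
# Constructed "after" plan following the replies: one subnet, routers .1 and .2,
# gateway = server LAN IP, client DHCP off, no NAT, no pushed routes, MSS-fix on one side.
AFTER = {
    "server": {"lan_ip": "192.168.0.2/24", "block_dhcp_across_tunnel": False,
               "dhcp_proxy": False, "mss_fix": True, "push_routes": []},
    "client": {"lan_ip": "192.168.0.1/24", "gateway": "192.168.0.2", "dhcp_server": False,
               "nat": False, "bridge_tap_to_br0": True, "mss_fix": False},
}

def check_tap_bridge(server, client):
    """Return a list of problems with a bridged (TAP) plan; an empty list means it passes."""
    problems = []
    s_if = ipaddress.ip_interface(server["lan_ip"])
    c_if = ipaddress.ip_interface(client["lan_ip"])
    # A bridge joins the two LANs into one Ethernet segment, so one subnet, two router addresses.
    if s_if.network != c_if.network:
        problems.append(f"bridged TAP joins one subnet, but the sides use {s_if.network} and {c_if.network}")
    elif s_if.ip == c_if.ip:
        problems.append("the two routers need distinct addresses inside the shared subnet")
    # The gateway handed to clients must be on their own subnet, and it should be the server router.
    gw = ipaddress.ip_address(client["gateway"])
    if gw not in c_if.network:
        problems.append(f"gateway {gw} is outside the client's own subnet {c_if.network}")
    elif gw != s_if.ip:
        problems.append(f"gateway {gw} should be the OpenVPN server router's LAN IP {s_if.ip}")
    # DHCP: one pool, on the server side, and nothing blocking or proxying it across the tunnel.
    if client["dhcp_server"]:
        problems.append("client router DHCP is on; LAN clients should lease from the server router's pool")
    if server["block_dhcp_across_tunnel"]:
        problems.append("'Block DHCP across the tunnel' is enabled on the server")
    if server["dhcp_proxy"]:
        problems.append("'DHCP-Proxy mode' is enabled on the server")
    if not client["bridge_tap_to_br0"]:
        problems.append("'Bridge TAP to br0' is disabled on the client")
    if server["mss_fix"] and client["mss_fix"]:
        problems.append("'Tunnel UDP MSS-Fix' is enabled on both ends; enable it on one side only")
    # Layer-2 bridge: no address translation and no routes to push.
    if client["nat"]:
        problems.append("NAT is enabled on the client; a bridged tunnel needs no NAT")
    if server["push_routes"]:
        problems.append(f"server pushes routes {server['push_routes']}; a bridged tunnel has no routes to push")
    return problems

def check_tun_routed(server_lan, client_lan, tunnel_net):
    """A routed (TUN) plan needs three networks that do not overlap; returns any overlaps found."""
    nets = {"server LAN": ipaddress.ip_network(server_lan),
            "client LAN": ipaddress.ip_network(client_lan),
            "tunnel": ipaddress.ip_network(tunnel_net)}
    names = list(nets)
    return [f"{a} {nets[a]} overlaps {b} {nets[b]}"
            for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

if __name__ == "__main__":
    for label, plan in (("before", BEFORE), ("after", AFTER)):
        found = check_tap_bridge(plan["server"], plan["client"])
        print(f"{label}: {len(found)} problem(s)")
        for p in found:
            print("  -", p)
    print("tun:", check_tun_routed("192.168.0.0/24", "192.168.39.0/24", "10.8.0.0/24") or "ok")
```

The "before" plan fails six checks (different subnets, gateway off-subnet, client DHCP on, MSS-fix on both ends, NAT on, routes pushed) and the "after" plan passes all of them; the TUN check only matters if you go the routed way instead, where the same 192.168.39.0/24 and 192.168.0.0/24 LANs are fine as long as the tunnel network is a third, non-overlapping range.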
Joined: 02 Aug 2017 Posts: 29 Location: Cambridge, UK and Rouen, France
Posted: Fri Aug 18, 2017 7:42 Post subject:
First of all, @Xeon2k8 and @mrjcd thanks for the help guys I appreciate it.
My apologies for the delay in responding I've not been in France for a week.
Xenon2k8 - I tried your suggestion with the dhcp-option but it made no difference (with either my client router address 192.168.0.1 or the server address 192.168.0.2) - thanks for taking the time.
mrjcd - I've tried your LONG list of settings - again thanks for taking the time:
> Normal ovpn TAP using r33006 for server and client.
My Firmware: DD-WRT v24-sp2 (03/25/13) std
If there's a reasonably stable beta I can use I'm willing to try!
> Turn off DHCP on the client router. It will make your life much easier using TAP.
It's off
> All clients should get DHCP from server router pool
DONE clients at remote end get IP addresses BUT no Gateway address (that is my problem!)
>Server setup should have:
>'Block DHCP across the tunnel' should be disabled.
>'DHCP-Proxy mode' should be disabled.
> Shouldn't be any need for Additional Config.
Here's the catch, The server at Home is not DD-WRT it is on a netgear OpenVPN server which is not configurable in any way. so unless the settings you suggest are the defaults then I am screwed. However as I get dhcp supplied IP addresses in the home scope I think this is OK?
Buried in the server log (from webgui) is:
20170818 08:14:01 PUSH: Received control message: 'PUSH_REPLY route 192.168.0.0 255.255.255.0 route-delay 5 redirect-gateway def1 route-gateway dhcp ping 10 ping-restart 120'
20170818 08:14:01 OPTIONS IMPORT: timers and/or timeouts modified
20170818 08:14:01 OPTIONS IMPORT: route options modified
20170818 08:14:01 OPTIONS IMPORT: route-related options modified
>ovpn client turn off DHCP let server do this.
It's off
> Gateway should point to ovpn server LAN IP
This is set to 192.168.0.2 (NB: the Server (home) is .2 the client (remote) is .1 - I know it is more usually the other way round!)
>ovpn client settings:
>'Bridge TAP to br0' should be enabled
Enabled
>'Tunnel UDP MSS-Fix' should only be enabled on server or client,
Tried this on client - no difference in behavior enabled or disabled.
> It is actually simple to setup with two dd-wrt devices
That's what everyone keeps telling me
> This of course puts everything connected to the client router going thru the TAP bridge.
Yes for this router that's what I want!
> Create an unbridged VAP on client router for devices to connect straight thru out of the TAP.
Thanks for the Tip - but the ISP router provides a direct way out.
EDIT:
> You can also set static leases and use local DNS and everything you need on main server router....
> This will all work fairly good if you have decent UL/DL internet connection at each end.
At least one device will use this once I get the gateway working! _________________ =========
Old_Codger
Aging geek who learned programming on Intel 8080 and Motorola 6502.
Joined: 13 Aug 2013 Posts: 6868 Location: Romerike, Norway
Posted: Fri Aug 18, 2017 8:02 Post subject:
Old_Codger wrote:
Buried in the server log (from webgui) is:
20170818 08:14:01 PUSH: Received control message: 'PUSH_REPLY route 192.168.0.0 255.255.255.0 route-delay 5 redirect-gateway def1 route-gateway dhcp ping 10 ping-restart 120'
It's here where your gateway gets lost. ROUTE-PUSH is for routed VPN, not bridged. Remove the option from the config.
Joined: 02 Aug 2017 Posts: 29 Location: Cambridge, UK and Rouen, France
Posted: Fri Aug 18, 2017 8:16 Post subject:
Per, Thank you.
Unfortunately I can't make changes to anything on the server end (Netgear lock everything down). Is there any way I can reverse the effect from the client end?
On the netgear server there are just these settings I can use:
Advanced Configurations
TUN Mode Service Type UDP or TCP (UDP selected)
TUN Mode Service Port 12973 (Netgear's default)
TAP Mode Service Type UDP TCP (UDP selected)
TAP Mode Service Port 12974 (Netgear's default)
Clients will use this VPN connection to access
3 Radio buttons:
All sites on the Internet & Home Network (Selected on my Router - sets TAP in OVPN file, I set TAP also at client end)
Home Network only
Auto