Connecting DD-WRT OpenVPN to Netgear R7000 standard VPN

DD-WRT Forum Index -> Advanced Networking
Old_Codger (DD-WRT Novice; Joined: 02 Aug 2017; Posts: 29; Location: Cambridge, UK and Rouen, France)
Posted: Fri Aug 18, 2017 8:51
I had thought about using non-overlapping DHCP scopes. I will try it. How do I stop the "wrong" DHCP server supplying an address? In the early days I was trying this approach and occasionally my remote laptop got an address from the "home" DHCP server across the bridge. I guess there's a reverse risk as well - a home device ends up with an address from the remote pool.

As to installing DD-WRT on my R7000 - that may come next although I am a little reluctant as I am the only one who can support the setup on DD-WRT. My son can just about cope with the Netgear interface!

_________________
=========

Old_Codger

Aging geek who learned programming on Intel 8080 and Motorola 6502.
Per Yngve Berg (DD-WRT Guru; Joined: 13 Aug 2013; Posts: 6870; Location: Romerike, Norway)
Posted: Fri Aug 18, 2017 14:35
In most cases the closest dhcp server will reply before the broadcast traverses.
Old_Codger (DD-WRT Novice; Joined: 02 Aug 2017; Posts: 29; Location: Cambridge, UK and Rouen, France)
Posted: Fri Aug 18, 2017 14:46
Thanks Per

I will try later. I'm off on holiday tonight so if I don't get it working I'll need to leave it for a couple of weeks.

Thanks for your continued help.

mrjcd (DD-WRT Guru; Joined: 31 Jan 2015; Posts: 6291; Location: Texas)
Posted: Fri Aug 18, 2017 20:41
If using two DHCP servers ----- In the past I have set static leases on both routers within the DHCP range of the one you want the client to use.
I remember doing that with Tomato firmware and it worked for the most part, but was not as good as having only one DHCP server doing it all on both sides of TAP.

Is there a reason you can't install dd-wrt on this Netgear router.... Is it not supported?

Edit:
I remember having to do that for printers on either end of TAP....using local DNS, having to have static leases set the same in both routers if using two DHCP. 'Twas the only way I could access them reliably from both sides ....such may not help you...just dunno.

More edit.... I'm still thinking
Shouldn't matter who does DHCP as long as the gateway is pointing to where you want it to go.....and most likely with dd-wrt you will have to disable 'No DNS Rebind'..... probably wouldn't hurt to just disable DNSMasq .... can't see why it's needed if you want everything to go thru TAP.
ok.... that's all I know.
Old_Codger (DD-WRT Novice; Joined: 02 Aug 2017; Posts: 29; Location: Cambridge, UK and Rouen, France)
Posted: Sun Sep 17, 2017 16:14
Per Yngve Berg wrote:
You can try to have a dhcp server on each side with address ranges that do not overlap.

Site A: 192.168.0.1-150
Site B: 192.168.0.151-250

I've been away on vacation and have continued to work on this since I got back.

It seems that in a TAP configuration OpenVPN does remove the gateway; https://forums.openvpn.net/viewtopic.php?t=13494, although a little argumentative, explains it. The "fix", if there is one, is to add

--server-bridge nogw

to the server config. This inhibits a

push "route-gateway dhcp"

However in this case I can't do that as the Netgear OpenVPN implementation is completely locked down and there is no access to the server config.

So the questions are: Can I inhibit the "push", or is there a way to reinstate the gateway from the CLIENT end? If so, which gateway should I use – the client/remote end or the server end?


I have found a workaround: I've defined two IP ranges roughly as you suggested above. By letting my devices at the client end get IP address from the remote (client end) DHCP scope complete with gateway, then enabling the VPN I get the connectivity over the VPN as I want.

BUT (there’s always a but) if I enable the VPN first, my remote (client end) devices don’t get IP addresses from the remote DHCP server – they get them from the OpenVPN server end – minus a gateway!

And just to add to the list, once I re-enable the VPN I lose the ability to access the router via the web GUI... Not sure what that's about but my guess is it tells us something. The router seems to work properly otherwise – data flows at normal speeds, IP addresses get assigned – all across over the VPN.

Any ideas?

Old_Codger (DD-WRT Novice; Joined: 02 Aug 2017; Posts: 29; Location: Cambridge, UK and Rouen, France)
Posted: Sat Aug 04, 2018 14:07
I was contacted recently to see if I got this working - I thought I’d let everyone know my workaround, in case anyone else is looking.

I got it working but there is a BIG problem which I will cover at the end.

The obvious stuff: (to be sure we start from the same place)
The two routers are:

Home: Netgear R7000 running standard Netgear firmware at the current version. This has a locked down OpenVPN server on it.

Remote: TP-Link N600 router running DD-WRT V23-SP2 (03/25/13) configured in TAP mode running the OpenVPN client built into DD-WRT.
(I know it's old but it works and I don't know which of the current betas is currently considered stable)

• The home/server router MUST be flashed with the latest official firmware: mine's a Netgear R7000 currently running firmware 1.0.9.34. There was a change in OpenVPN which Netgear only support from 1.0.9.30.
• You are setting up the router to be the “client” – Make sure that VPN CLIENT is enabled on the DD-WRT “SERVICES” tab, “VPN” - the Server is on the “home” R7000.
• On my setup I am only using the Open VPN client section of that page - the others are disabled.
• Reset the Remote router to its basic/default setup – google 30-30-30 reset to be sure. (This may not be necessary but I did it to be sure there were no odd ball settings lying around)
• On the Netgear check “Clients will use this VPN connection to access ALL SITES ON THE INTERNET & HOME NETWORK” and reboot.
• Make sure you have the correct OVPN/Certificates from the Netgear router after that last change.

All the following changes are to the DD-WRT/Remote end router.

SET LOCAL NETWORK IP on the “SETUP” “BASIC SETUP” tab
Router IP 192.168.0.1
Subnet mask 255.255.255.0
(NB: My home router is 192.168.0.2 with a DHCP range of 192.168.0.3-99, my Remote DHCP range is 192.168.0.100-199 – I keep the 200+ range for static/fixed IPs - These were chosen to not overlap)

ENABLE DHCP

Gateway 192.168.0.1
DHCP Start IP address 192.168.0.100
Set CLIENT LEASE TIME to 77760 minutes
(50+ days – necessary to work around the problem I mentioned)


TIME SERVER (USE THIS IP at first) 194.164.127.6
TIME SERVER Domain Name 2.europe.pool.ntp.org

[[APPLY SETTINGS]] & Reboot PC
(I found that some things didn't work correctly if the time wasn't right on the Remote router)
Allow all devices you want to connect to the Remote router to get valid IP addresses from the Remote DHCP end

DISABLE DHCP SERVER

Enable OpenVPN CLIENT

SERVER IP/NAME Your Home / SERVER Internet facing public IP address
PORT 12974
TUNNEL DEVICE TAP
(My choice – what I want to do only works with TAP. All my internet traffic from my remote end gets rerouted out via my router at home. This is set when you check the “All sites on the internet…. etc” option on the Netgear router. The other option “Home network only” is TUN. Never tried Auto…)

Change the following – all the rest remains as the defaults.

TUNNEL PROTOCOL UDP
ENCRYPTION CIPHER AES-128 CBC
HASH ALGORITHM SHA1
NSCERTTYPE VERIFICATION TICK BOX

ADVANCED OPTIONS ENABLE

TLS CIPHER AES-128 SHA
LZO COMPRESSION ADAPTIVE
NAT DISABLE
BRIDGE TAP TO BR0 ENABLE

I also added
verb 5
mute 10

to the additional config box – it's optional and it just puts more info in the log which helped me while figuring this out.

You then need to copy/paste the TEXT from the *.crt files in the zip you downloaded from the R7000. (In windows I dragged them into notepad.exe)

The text from CA.CRT goes in the CA Cert box. Copy everything including all the ----

-----BEGIN CERTIFICATE-----
ALL THOSE CHARACTERS
-----END CERTIFICATE-----

Public Client (CLIENT.CRT)

ONLY copy the text between and including

-----BEGIN CERTIFICATE-----
and
-----END CERTIFICATE-----

You don’t need the rest of the info

Private Client (CLIENT.KEY)

-----BEGIN PRIVATE KEY-----
and
-----END PRIVATE KEY-----

Hit Apply Settings (Save just saves them; Apply saves them and enables the new settings)

The catch (and it’s a big one)

For reasons I don't understand the VPN client strips the gateway address from the DHCP information when it is sent across the VPN connection. So instead of getting

192.168.0.x/255.255.255.0/192.168.0.1 as an IP address you get just

192.168.0.x/255.255.255.0 with the gateway address blank. None of the remote devices can find the internet!

It drives me nuts but is as designed i.e. Netgear and OpenVPN/DD-WRT are working “correctly”- see https://forums.openvpn.net/viewtopic.php?t=13494

The work around I suggested above of letting all the remote/client VPN devices get IP addresses with a 50-day lease gets around this (For 50 days at least, or until you reboot your remote devices of course).

I hope this makes sense and works for you.

And if any of the wizards round here know a CLIENT end command I can add to force OpenVPN to pass the Home gateway address or add it back to the DHCP packet do let me know.

I've tried a few commands but they haven't worked.

Last edited by Old_Codger on Sat Aug 04, 2018 14:50; edited 1 time in total
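The failure mode in this post (and the `route-gateway dhcp` discussion in the Sep 17, 2017 post above) is a DHCP reply that carries an address and a mask but no router option, DHCP option 3. What follows is an added example, not code from the forum thread, from DD-WRT or from OpenVPN: a minimal parser for the DHCP options field (RFC 2132) that classifies a DHCPACK the way a remote client experiences it, plus a check that a split-DHCP plan (two pools, two router addresses, one subnet) has no overlaps and hands out no router address as a lease. The DHCPACK bytes are constructed inside the code for illustration; in practice the UDP payload would come from a packet capture taken on the bridged LAN.

```python
"""Diagnostics for a bridged (TAP) OpenVPN LAN where DHCP leases arrive
without a default gateway.  Added example; the DHCP packets are constructed
here for illustration, not captured from the routers in the thread."""
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 options-field magic cookie
DHCPACK = 5                         # DHCP message type (option 53) of an ACK
OPTION_NAMES = {1: "subnet_mask", 3: "router", 6: "dns", 51: "lease_time",
                53: "message_type", 54: "server_id"}


def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the options of a BOOTP/DHCP UDP payload into {name: value}.

    Address-typed options become dotted strings (lists for router/dns),
    lease time and message type become ints, anything else stays raw.
    """
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload (magic cookie missing)")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:            # END option
            break
        if code == 0:              # PAD option, has no length byte
            i += 1
            continue
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option %d" % code)
        i += 2 + length
        name = OPTION_NAMES.get(code, code)
        if code in (1, 3, 6, 54):
            addrs = [str(ipaddress.IPv4Address(data[j:j + 4]))
                     for j in range(0, length, 4)]
            opts[name] = addrs if code in (3, 6) else addrs[0]
        elif code == 51:
            opts[name] = struct.unpack("!I", data)[0]
        elif code == 53:
            opts[name] = data[0]
        else:
            opts[name] = data
    return opts


def diagnose_lease(payload: bytes) -> str:
    """Classify a DHCP reply as a client behind the remote router would see it."""
    o = parse_dhcp_options(payload)
    if o.get("message_type") != DHCPACK:
        return "not-an-ack"
    if "subnet_mask" not in o:
        return "no-mask"
    if not o.get("router"):
        return "no-gateway"   # address and mask present, default route missing
    return "ok"


def build_dhcp_ack(yiaddr: str, mask: str, router: Optional[str],
                   lease: int, server_id: str = "192.168.0.2") -> bytes:
    """Construct a minimal DHCPACK (constructed test data, not a capture)."""
    pack = lambda a: ipaddress.IPv4Address(a).packed
    # 236-byte fixed BOOTP header: op=2 (reply), htype=1, hlen=6, hops, xid,
    # secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x3903F326,
                      0, 0, b"\0" * 4, pack(yiaddr), b"\0" * 4, b"\0" * 4,
                      b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, DHCPACK]) + bytes([54, 4]) + pack(server_id)
    opts += bytes([51, 4]) + struct.pack("!I", lease)
    opts += bytes([1, 4]) + pack(mask)
    if router is not None:
        opts += bytes([3, 4]) + pack(router)   # option 3 = default gateway
    return hdr + DHCP_MAGIC + opts + bytes([255])


def check_pools(subnet: str, pools: Dict[str, Tuple[str, str]],
                gateways: Dict[str, str]) -> List[str]:
    """Sanity-check a split-DHCP plan: pools inside the subnet, no overlap,
    and no router address handed out as part of a pool."""
    net = ipaddress.IPv4Network(subnet)
    as_int = lambda a: int(ipaddress.IPv4Address(a))
    problems, ranges = [], {}
    for name, (lo, hi) in pools.items():
        if ipaddress.IPv4Address(lo) not in net or ipaddress.IPv4Address(hi) not in net:
            problems.append(f"{name}: pool leaves {subnet}")
        if as_int(lo) > as_int(hi):
            problems.append(f"{name}: start is after end")
        ranges[name] = (as_int(lo), as_int(hi))
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"{a}/{b}: pools overlap")
    for gname, gw in gateways.items():
        for pname, (lo, hi) in ranges.items():
            if lo <= as_int(gw) <= hi:
                problems.append(f"gateway {gw} ({gname}) lies inside pool {pname}")
    return problems


if __name__ == "__main__":
    # The thread's plan: home .3-.99 behind .2, remote .100-.199 behind .1
    print(check_pools("192.168.0.0/24",
                      {"home": ("192.168.0.3", "192.168.0.99"),
                       "remote": ("192.168.0.100", "192.168.0.199")},
                      {"home": "192.168.0.2", "remote": "192.168.0.1"}))
    print(diagnose_lease(build_dhcp_ack("192.168.0.105", "255.255.255.0", None, 3600)))
```

With the values from this post (home pool .3-.99 behind .2, remote pool .100-.199 behind .1) `check_pools` reports nothing; fed the earlier suggestion of .1-.150 and .151-.250 with .1 as the router, it flags that the router address itself sits inside the first pool, which is the kind of collision the non-overlapping plan is meant to avoid. A lease that arrives without option 3 is reported as "no-gateway", which is the state described above: address and mask set, default route blank.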
Per Yngve Berg (DD-WRT Guru; Joined: 13 Aug 2013; Posts: 6870; Location: Romerike, Norway)
Posted: Sat Aug 04, 2018 14:25
Why don't you install dd-wrt on your R7000?

Routing Internet through the VPN tunnel does work with routed VPN (tun). It's a matter of changing the default route on the router.
Old_Codger (DD-WRT Novice; Joined: 02 Aug 2017; Posts: 29; Location: Cambridge, UK and Rouen, France)
Posted: Sat Aug 04, 2018 14:39
Per Yngve Berg wrote:
Why don't you install dd-wrt on your R7000?

Thanks Per. It's a question of support! If there are internet problems at home and I'm here, my son can do most things with the R7000 web interface, but he can't help with DD-WRT. So it stays with the Netgear firmware until I am finished working in France.

I have started building an R7000 with DD-WRT on it - but frankly it's hard work. I don't know how to create the certificates.

All of this stuff is actually at the limit (or even beyond it) of my networking knowledge. I'm learning by trial and error.

And if I really did learn from my mistakes I'd be a genius by now!

egc (DD-WRT Guru; Joined: 18 Mar 2014; Posts: 12917; Location: Netherlands)
Posted: Sat Aug 04, 2018 20:10
Setting up an OpenVPN server on DDWRT and generating certificates requires some work but really is not very complicated.
The only thing you need is a good guide.
Attached are my notes, which I am using to set it up.
Maybe they are helpful.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Old_Codger (DD-WRT Novice; Joined: 02 Aug 2017; Posts: 29; Location: Cambridge, UK and Rouen, France)
Posted: Sun Aug 05, 2018 18:12
Thanks / Dank u wel (thank you).

I'll download it and study it

All times are GMT