OpenVPN routing

DD-WRT Forum Index -> Advanced Networking
GeoVik
DD-WRT Novice


Joined: 06 Aug 2017
Posts: 2

PostPosted: Mon Aug 07, 2017 9:30    Post subject: OpenVPN routing
Hello,

I am having some issues with my site-to-site OpenVPN set-up and I was hoping you could provide me some guidance. In a nutshell, the connection gets established, but I cannot access the client LAN from the server LAN (or from the OpenVPN server/router itself); it only works the other way around.


Set-up:

CLIENT LAN (192.168.2.x) >>> ASUS AC66U with OpenVPN client >>> INTERNET <<< DD-WRT Netgear R8500 with OpenVPN server <<< SERVER LAN (192.168.1.x)

- OpenVPN Network: 10.8.0.0/24

- Server Network 1: 192.168.1.0/24
Router and OpenVPN server: 192.168.1.1 (Netgear R8500, DD-WRT r32170M) / OpenVPN address: 10.8.0.1

- Client Network 2: 192.168.2.0/24
Router and OpenVPN client: 192.168.2.1 (Asus AC66U, Merlin build) / OpenVPN address: 10.8.0.2


Traceroute from a PC on the server network (192.168.1.x) to the client network (192.168.2.x) times out at the Netgear:

C:\Users\Geo>tracert 192.168.2.110


1 3 ms 2 ms 2 ms 192.168.1.1
2 * * * Request timed out.

However, the other VPN end IP (10.8.0.2) on the Asus AC66U is reachable from the same server-network PC:

C:\Users\Geo>tracert 10.8.0.2

1 3 ms 2 ms 2 ms 192.168.1.1
2 64 ms 63 ms 65 ms 10.8.0.2

Traceroute from a PC on the client network (192.168.2.x) to the server network (192.168.1.x) works:

admin@NSA310:~$ sudo traceroute 192.168.1.120
traceroute to 192.168.1.120 (192.168.1.120), 30 hops max, 38 byte packets
1 RT-AC66U-1548 (192.168.2.1) 0.415 ms 0.296 ms 0.261 ms
2 10.8.0.1 (10.8.0.1) 61.472 ms 60.495 ms 61.507 ms
3 192.168.1.120 (192.168.1.120) 60.373 ms 58.556 ms 59.249 ms


Final OpenVPN server.conf:

dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 3
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port 1194
proto udp4
cipher aes-128-cbc
auth sha256
client-connect /tmp/openvpn/clcon.sh
client-disconnect /tmp/openvpn/cldiscon.sh
client-config-dir /jffs/etc/openvpn/ccd
comp-lzo adaptive
tls-server
ifconfig-pool-persist /tmp/openvpn/ip-pool 86400
client-to-client
fast-io
tun-mtu 1500
mtu-disc yes
server 10.8.0.0 255.255.255.0
dev tun2
ifconfig 10.8.0.1 255.255.255.0
route 192.168.2.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
push "topology subnet"
persist-key
persist-tun
verb 5


There is an iroute that gets created by a startup script (the Client1 file name matches the CN of the client from the certificate):

mkdir -p /tmp/openvpn/ccd
echo 'ifconfig-push 10.8.0.2 255.255.255.0
iroute 192.168.2.0 255.255.255.0' > /tmp/openvpn/ccd/Client1


Firewall config:

iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD -i br+ -o tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -o br+ -j ACCEPT
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I INPUT -s 10.8.0.0/24 -j ACCEPT
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -I FORWARD -s 192.168.2.0/24 -j ACCEPT

OpenVPN Server/Router Routing Table

The routing table on the Netgear (OpenVPN server) side:

default via MY PUBLIC IP dev vlan2
10.8.0.0/24 dev tun2 proto kernel scope link src 10.8.0.1
127.0.0.0/8 dev lo scope link
169.254.0.0/16 dev br0 proto kernel scope link src 169.254.255.1
MY PUBLIC IP/24 dev vlan2 proto kernel scope link src 188.194.4.46
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
192.168.2.0/24 via 10.8.0.2 dev tun2

OpenVPN Client/Router Routing Table

admin@RT-AC66U-1548:/tmp/home/root# ip route
MY PUBLIC IP dev ppp0 proto kernel scope link
192.168.3.0/24 via 10.8.0.1 dev tun11
192.168.2.0/24 dev br0 proto kernel scope link src 192.168.2.1
192.168.1.0/24 via 10.8.0.1 dev tun11
10.8.0.0/24 dev tun11 proto kernel scope link src 10.8.0.2
169.254.0.0/16 dev eth0 proto kernel scope link src 169.254.181.161
127.0.0.0/8 dev lo scope link
default via MY PUBLIC IP dev ppp0


A small glitch, perhaps it is a cosmetic issue in DD-WRT: the remote and local IP in the VPN status seem to be the same.


Any idea what could be the issue here?

Thank you
GeoVik
DD-WRT Novice


Joined: 06 Aug 2017
Posts: 2

PostPosted: Mon Aug 07, 2017 10:49    Post subject:
On a closer look at the debugs, it seems that the path for creating the ccd was incorrect. DD-WRT creates the path by default under /jffs/etc/openvpn/ccd and not /tmp/openvpn, and the path cannot be overwritten via the server conf.
So I have adjusted the startup script to these lines only:

echo 'ifconfig-push 10.8.0.2 255.255.255.0
iroute 192.168.2.0 255.255.255.0' > /jffs/etc/openvpn/ccd/Client1

All works fine now.
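Both posts above come down to one pairing: the server's `route 192.168.2.0 255.255.255.0` tells the kernel to send packets into the tun device, and the `iroute` in the client's ccd file tells OpenVPN which connected client owns that subnet. When the ccd file is written to a directory the server never reads, the `route` exists but the `iroute` does not, and you get exactly the one-way reachability in the first post. The script below is an added example, not the poster's startup script or anything shipped with DD-WRT: it reads `client-config-dir` out of the server config, writes the ccd entry there instead of to a hard-coded path, and checks that every `route` has a matching `iroute`. All paths and the config contents are constructed under a temporary directory so it runs anywhere.

```sh
#!/bin/sh
# Added example (not from the thread or from DD-WRT). Writes the ccd entry to
# the directory named in the running server config and verifies that every
# "route NET MASK" in that config is matched by an "iroute NET MASK" in some
# ccd file. Config contents and paths below are constructed for the demo.

# Print the client-config-dir value from an OpenVPN server config.
ccd_dir() {
    awk '$1 == "client-config-dir" { print $2; exit }' "$1"
}

# write_ccd CONF CN TUN_IP TUN_MASK LAN_NET LAN_MASK
# Writes CN with ifconfig-push and iroute lines into the directory the config
# actually points at, so the entry cannot land where the server never looks.
write_ccd() {
    dir=$(ccd_dir "$1")
    if [ -z "$dir" ]; then
        echo "no client-config-dir in $1" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    printf 'ifconfig-push %s %s\niroute %s %s\n' "$3" "$4" "$5" "$6" > "$dir/$2"
}

# check_iroutes CONF
# Returns 0 when each "route" in CONF has a matching "iroute" in a ccd file,
# 1 (with one message per missing subnet) otherwise. A route without its
# iroute is the failure mode from the thread: the kernel hands the packet to
# the tun device, but OpenVPN does not know which client owns the subnet.
check_iroutes() {
    conf=$1
    dir=$(ccd_dir "$conf")
    rc=0
    for entry in $(awk '$1 == "route" { print $2 "/" $3 }' "$conf"); do
        net=${entry%/*}
        mask=${entry#*/}
        if [ -n "$dir" ] && grep -qs "^iroute[[:space:]][[:space:]]*$net[[:space:]][[:space:]]*$mask" "$dir"/* 2>/dev/null; then
            :
        else
            echo "no iroute for $net $mask under ${dir:-<unset>}" >&2
            rc=1
        fi
    done
    return $rc
}

# Demo: reproduce the thread's mistake, then fix it.
WORK=$(mktemp -d)
CONF="$WORK/openvpn.conf"
cat > "$CONF" <<EOF
server 10.8.0.0 255.255.255.0
client-config-dir $WORK/jffs/ccd
route 192.168.2.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
EOF

# Wrong: ccd entry written to a directory the server does not read.
mkdir -p "$WORK/tmp/ccd"
printf 'iroute 192.168.2.0 255.255.255.0\n' > "$WORK/tmp/ccd/Client1"
check_iroutes "$CONF" || echo "check failed as expected"

# Right: write the entry via the config's own client-config-dir.
write_ccd "$CONF" Client1 10.8.0.2 255.255.255.0 192.168.2.0 255.255.255.0
check_iroutes "$CONF" && echo "route/iroute pairing OK"
rm -rf "$WORK"
```

On a real router you would point `check_iroutes` at the config OpenVPN was actually started with (on DD-WRT that is the generated file under /tmp/openvpn, while the ccd directory is /jffs/etc/openvpn/ccd as the second post found), and run it from the same startup script after writing the ccd entry, so a path mismatch shows up in the log instead of as a silent one-way tunnel.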