Posted: Fri Feb 23, 2018 22:47 Post subject: OpenVPN Server Only Accessible from LAN
I have an OpenVPN server set up on my DD-WRT router. Under the NAT/QoS tab I have it configured as follows: forward `0.0.0.0` port `11941` to `0.0.0.0` port `11941`. With this configuration all VPN clients connect just fine when they are not connected to my LAN, but the clients on my LAN are unable to connect.
If I change the port forwarding to be `0.0.0.0` port `11941` forwarded to `192.168.0.1` port `11941`, all my clients on the LAN are able to connect, but now the clients not on the LAN are unable to connect.
If `192.168.0.1` gets put into the DMZ, everything works for everybody all the time and life is great, though a little scary.
So I know it's a port forwarding problem. How do I fix this?!
My firewall script is as follows:
Code:
# Load the packet-mark modules (older builds need ipt_mark, newer ones xt_mark).
insmod ipt_mark
insmod xt_mark
# Mark packets that arrive on a non-WAN interface (i.e. from the LAN) but are
# addressed to the router's public address: these are NAT loopback packets.
# (`! -i` is the non-deprecated spelling of the old `-i !` negation.)
iptables -t mangle -A PREROUTING ! -i `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
# Masquerade the marked packets on the way out so the host that receives the
# forwarded connection replies via the router instead of directly to the client.
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE
In the simplest terms, I want to have a working VPN on which all the computers can see and talk to one another and connect via a common Internet connection.
This mess of code in there was, from what I have pieced together, required to make the Port Forwarding tab actually work:
Code:
# Load the packet-mark modules (older builds need ipt_mark, newer ones xt_mark).
insmod ipt_mark
insmod xt_mark
# Mark packets that arrive on a non-WAN interface (i.e. from the LAN) but are
# addressed to the router's public address: these are NAT loopback packets.
# (`! -i` is the non-deprecated spelling of the old `-i !` negation.)
iptables -t mangle -A PREROUTING ! -i `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
# Masquerade the marked packets on the way out so the host that receives the
# forwarded connection replies via the router instead of directly to the client.
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE
This seemed to work, because I was able to forward ports where I was unable to before.
The last half was just another attempt to maybe make it work, I don't know.
First, I wanted to make sure I said thank you for taking the time to help me out.
So this is the error I get when trying to connect to the VPN:
Code:
20180223 19:53:02 N 192.168.0.158:38474 TLS Error: TLS handshake failed
20180223 19:53:02 192.168.0.158:38474 SIGUSR1[soft tls-error] received client-instance restarting
20180223 19:53:02 N 192.168.0.158:37579 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20180223 19:53:02 N 192.168.0.158:37579 TLS Error: TLS handshake failed
20180223 19:53:02 192.168.0.158:37579 SIGUSR1[soft tls-error] received client-instance restarting
It only occurs when I don't do the proper port forwarding. At least, that is my assumption, since I don't receive it when I put the router IP in the DMZ or when I forward the ports in the NAT/QoS tab as mentioned in the original post.
Here are all of my VPN settings:
OpenVPN: Enable
Start Type: WAN Up
Config as: Server
Server mode: Router (TUN)
Network: 10.8.0.0
Netmask: 255.255.255.0
Port: 11941
Tunnel Protocol: UDP
Encryption Cipher: AES-256-CBC
Hash Algorithm: SHA256
Advanced Options: Disable
@egc Thanks for the guide! I'm still having the same issues. I am on a Linksys WRT3200ACM running the only firmware on the dd-wrt site, DD-WRT v3.0-r33215 std (08/25/17).
@eibgrad You said something about a second router? I only have my one, unless there is a second software router in DD-WRT or something. I have my Advanced Routing > Operating Mode set to Gateway and Dynamic Routing disabled.
I've torn everything down to the bare minimum and it always seems to be stuck giving me a TLS Error, which I interpret as some port not being open that needs to be. So when I open up the VPN port to `0.0.0.0` it works for external stuff but not internal, and when I open it to `192.168.0.1` it works on the local network but not from things like my phone.
Ahh! I think I understand now. I think I was trying to do a NAT loopback. I am sorry to have dragged this out for so long. Thank you for helping! Doing some more Googling, I think what I need to do next is a bridged VPN, because ideally I'd like my VPN clients to receive an IP that is in the same IP range as my LAN. Again, so sorry to have been a big dumb oaf, and THANK YOU all very much for helping me out!
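For anyone landing on this thread with the same symptoms, the following is an added example and not the poster's firewall script or anything DD-WRT generates itself. It spells out the two cases that got mixed up above: a service that listens on the router (the OpenVPN server here), which needs no DNAT at all, and a real port forward to a LAN host, which needs the extra hairpin (NAT loopback) rules so LAN clients can use the public address. The interface name, public address, LAN subnet and destination host are assumed placeholder values; the script prints the rules by default (`DRY_RUN=1`) so it can be reviewed without root or iptables.

```shell
#!/bin/sh
# Added example, not the poster's script: NAT loopback (hairpin) rules for a
# port forward on a Linux router, next to the simpler router-hosted case.
# All values below are assumed placeholders; override them via the environment.

WAN_IF="${WAN_IF:-eth0}"               # assumed WAN interface (DD-WRT: `get_wanface`)
WAN_IP="${WAN_IP:-203.0.113.10}"        # assumed public address (DD-WRT: `nvram get wan_ipaddr`)
LAN_NET="${LAN_NET:-192.168.0.0/24}"    # assumed LAN subnet
DST_HOST="${DST_HOST:-192.168.0.50}"    # assumed LAN host that really serves the port
PROTO="${PROTO:-udp}"
PORT="${PORT:-11941}"
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print the rules, 0 = apply them (needs root)

# Print or apply one iptables command.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Case 1: the service listens on the router itself (an OpenVPN server on DD-WRT).
# No DNAT is involved; the router only has to accept the packets on its WAN
# interface. LAN clients reach the router's LAN address directly, and nothing
# else on the router is exposed, unlike putting the router's address in the DMZ.
router_service_rules() {
    ipt -I INPUT -i "$WAN_IF" -p "$PROTO" --dport "$PORT" -j ACCEPT
}

# Case 2: the service lives on a LAN host and the router forwards the port.
# Rule 1 is the ordinary forward for packets arriving on the WAN side.
# Rule 2 is the loopback: LAN clients addressing WAN_IP get the same DNAT even
#   though the packet never entered on the WAN interface.
# Rule 3 is what makes the loopback work: without it the LAN host would answer
#   the LAN client directly (same subnet), the client would see a reply from
#   DST_HOST instead of WAN_IP and drop it. Masquerading the source forces the
#   reply back through the router, which un-NATs it.
# Rule 4 lets the forwarded traffic through the FORWARD chain.
hairpin_rules() {
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p "$PROTO" -d "$WAN_IP" --dport "$PORT" \
        -j DNAT --to-destination "$DST_HOST:$PORT"
    ipt -t nat -A PREROUTING ! -i "$WAN_IF" -s "$LAN_NET" -p "$PROTO" -d "$WAN_IP" --dport "$PORT" \
        -j DNAT --to-destination "$DST_HOST:$PORT"
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -d "$DST_HOST" -p "$PROTO" --dport "$PORT" -j MASQUERADE
    ipt -A FORWARD -p "$PROTO" -d "$DST_HOST" --dport "$PORT" -j ACCEPT
}

# Number of rules a rule function emits in dry-run mode; used to sanity-check the script.
rule_count() {
    "$1" | wc -l | tr -d ' '
}

router_service_rules
hairpin_rules
```

The script posted earlier in this thread is the generic form of rule 3: it marks any packet that came in on a non-WAN interface but is addressed to the WAN IP and masquerades it, which fixes the reply path for every forward the Port Forwarding tab generates. Note that if the forward's target is the router's own LAN address (`192.168.0.1`), the DNAT turns the packet into local input, so the FORWARD and MASQUERADE rules never match and only the INPUT accept from case 1 matters.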