[Solved] OpenVPN on server on same subnet as DD-WRT

stevennic
DD-WRT Novice


Joined: 08 Feb 2018
Posts: 5

Posted: Sun Mar 25, 2018 19:41    Post subject: [Solved] OpenVPN on server on same subnet as DD-WRT
I have started an OpenVPN server on a machine on my local network. I'm able to connect to it from both inside and outside of the network, but once connected I don't seem to be able to see any other devices or get out to the internet.

DD-WRT running on a Buffalo WZR-1750DHP (DD-WRT v3.0-r33555 std (10/20/17))
Router DHCP -> 192.168.1.0
Subnet of OpenVPN server -> 10.20.30.0 (IP from DD-WRT 192.168.1.23)

I can ping the server from the local network (192.168.1.0).

Server config is below (commented sections removed):
Code:

port 11940
proto tcp
dev tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/MiniServer.crt
key /usr/local/etc/openvpn/keys/MiniServer.key
dh /usr/local/etc/openvpn/keys/dh.pem
topology subnet
server 10.20.30.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
# redundant: 10.20.30.0/24 is the tunnel's own subnet and already routes via tun
push "route 10.20.30.0 255.255.255.0"
# sends all client traffic into the tunnel; the server host must then forward
# and NAT it (which is where the thread ends up)
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.1.1"
client-to-client
keepalive 10 120
cipher AES-256-GCM
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 5
# require the client certificate to carry the client EKU
remote-cert-tls client


Client config:
Code:

client
dev tun
proto tcp
remote myserver.website.com 11940
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
# require the server certificate to carry the server EKU
remote-cert-tls server
# fixed typo: the posted line read "AES-256-G GCM"; the extra token makes it a malformed option
cipher AES-256-GCM
# note: comp-lzo is set here but not on the server; compression has to match on both ends
comp-lzo
verb 3


I've also set up a static route and some firewall commands, but they do not seem to change the connection that the VPN has to the network.

Any suggestions would be much appreciated as I'm at a bit of a loss. It seems like an issue with the routing on the DD-WRT side of things, but the changes I'm making don't seem to be sticking.


Last edited by stevennic on Mon May 07, 2018 1:50; edited 1 time in total
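Editor's addition (not code from the thread or from the poster): before touching routing, it is worth checking that the two posted configs actually agree with each other. The small POSIX shell linter below reads a server/client OpenVPN config pair and reports the mismatches that either break the tunnel (cipher spelling, one-sided compression, proto) or weaken it (no remote-cert-tls, no tls-auth/tls-crypt). The two configs it runs against are constructed copies of the ones posted above, typo included; the helper names ovpn_get, ovpn_has, ovpn_lint and ovpn_finding_count are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: lint a server/client OpenVPN
# config pair for mismatches that silently break or weaken the tunnel.
# The two configs below are constructed copies of the posted ones, typo included.

# ovpn_get FILE DIRECTIVE: print the directive's value (text after the keyword);
# comment lines (# or ;) never match because their first field is not the keyword
ovpn_get() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# ovpn_has FILE DIRECTIVE: exit 0 if the directive appears at all
ovpn_has() {
    awk -v d="$2" '$1 == d { f = 1 } END { exit !f }' "$1"
}

# ovpn_lint SERVER_CONF CLIENT_CONF: one line per finding on stdout
ovpn_lint() {
    s=$1; c=$2

    # proto: strip the directional suffixes so tcp-server/tcp-client still match
    s_proto=$(ovpn_get "$s" proto); s_proto=${s_proto%-server}
    c_proto=$(ovpn_get "$c" proto); c_proto=${c_proto%-client}
    [ "$s_proto" = "$c_proto" ] || echo "MISMATCH proto: server='$s_proto' client='$c_proto'"

    # cipher: an explicit cipher must be spelled identically on both ends;
    # a malformed line such as 'AES-256-G GCM' is a parse error, not a negotiation issue
    s_ciph=$(ovpn_get "$s" cipher); c_ciph=$(ovpn_get "$c" cipher)
    [ "$s_ciph" = "$c_ciph" ] || echo "MISMATCH cipher: server='$s_ciph' client='$c_ciph'"

    # compression has to be on both ends or neither: one-sided comp-lzo corrupts
    # the data-channel framing, and dropping it everywhere also removes the
    # VORACLE compression-oracle exposure
    for d in comp-lzo compress; do
        if ovpn_has "$s" "$d" && ! ovpn_has "$c" "$d"; then
            echo "ONE-SIDED $d: server only"
        elif ovpn_has "$c" "$d" && ! ovpn_has "$s" "$d"; then
            echo "ONE-SIDED $d: client only"
        fi
    done

    # each end should check the peer certificate's role (remote-cert-tls), or any
    # certificate issued by the same CA could impersonate the server
    ovpn_has "$s" remote-cert-tls || echo "MISSING remote-cert-tls on server"
    ovpn_has "$c" remote-cert-tls || echo "MISSING remote-cert-tls on client"

    # tls-auth/tls-crypt makes the server drop unauthenticated packets before the
    # TLS handshake; the posted configs have neither (advisory, not a breakage)
    if ! ovpn_has "$s" tls-auth && ! ovpn_has "$s" tls-crypt; then
        echo "ADVISORY no tls-auth/tls-crypt on server"
    fi
    return 0
}

# ovpn_finding_count SERVER_CONF CLIENT_CONF: number of findings (0 = clean)
ovpn_finding_count() {
    ovpn_lint "$1" "$2" | awk 'END { print NR }'
}

# --- constructed sample pair: the posted configs, reduced to the relevant lines ---
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/server.conf" <<'EOF'
port 11940
proto tcp
dev tun
topology subnet
server 10.20.30.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
cipher AES-256-GCM
remote-cert-tls client
EOF
cat > "$TMP/client.conf" <<'EOF'
client
dev tun
proto tcp
remote myserver.website.com 11940
remote-cert-tls server
cipher AES-256-G GCM
comp-lzo
EOF

echo "== findings for the posted pair =="
ovpn_lint "$TMP/server.conf" "$TMP/client.conf"
```

Run it as-is and it reports three findings for the posted pair: the cipher typo, comp-lzo on the client only, and the missing tls-auth/tls-crypt. Point it at your real files (`ovpn_lint /etc/openvpn/server.conf client.ovpn`) to lint a live pair; it only reads the files.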
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6867
Location: Romerike, Norway

Posted: Sun Mar 25, 2018 21:48
It has itself as gateway (192.168.1.1).
Change it to 192.168.1.23

Is the route active? Press the Show Routing Table Button.
stevennic
DD-WRT Novice


Joined: 08 Feb 2018
Posts: 5

Posted: Sun Mar 25, 2018 22:10
The route appears to be active (attached). To be more clear, the images are from the router which is being used for DNS and DHCP on the local network.

The OpenVPN server is a completely separate (non-DDWRT) machine.

I've set the gateway (on the router) to 0.0.0.0.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6867
Location: Romerike, Norway

Posted: Mon Mar 26, 2018 16:09
Enable NAT for all networks including the VPN.

Code:
iptables -t nat -I POSTROUTING -o `get_wanface` -j MASQUERADE


Put in the Commands field and save as Firewall.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12885
Location: Netherlands

Posted: Tue Mar 27, 2018 7:57
For what it is worth, I also use a non-DD-WRT OpenVPN server (QNAP pro NAS). The only thing needed is a port forward on my primary DD-WRT router to that OpenVPN server and nothing else.

To get local access the firewall of my OpenVPN server has to be tweaked and a post-NAT rule akin to the one from Per Yngve has to be in place on the OpenVPN server (there is no WAN interface on the server so you need an SNAT to the LAN).

The rule (from Per Yngve) might also work to get internet access when placed on the router, so that is definitely worth a try.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
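Editor's addition (my own script, not one from Per Yngve, egc or the DD-WRT project): the two replies above describe the router-side pieces separately, the MASQUERADE rule and the port forward. The shell script below puts them together as an idempotent DD-WRT firewall script for this topology: DNAT of the listener to the LAN host, scoped forwarding and masquerading for the tunnel subnet, and the static route to it. Addresses and the port are the ones from the thread; the WAN interface name vlan2 is an assumption (on the router use `WAN_IF=$(get_wanface)`), and run_cmd, ensure_rule, vpn_rules and vpn_route are my names. Without APPLY=1 it only prints what it would run.

```shell
#!/bin/sh
# Added example, not a script from the thread: DD-WRT firewall/route setup for an
# OpenVPN server living on the LAN. Rules are printed (dry run) unless APPLY=1.
# Addresses are the thread's; the WAN interface name is an assumption (on the
# router itself use WAN_IF=$(get_wanface)).
VPN_SERVER="${VPN_SERVER:-192.168.1.23}"   # LAN host running OpenVPN
VPN_PORT="${VPN_PORT:-11940}"              # listener port (proto tcp in the posted config)
VPN_NET="${VPN_NET:-10.20.30.0/24}"        # tunnel subnet from 'server 10.20.30.0 255.255.255.0'
WAN_IF="${WAN_IF:-vlan2}"                  # assumed WAN interface name

# run_cmd: execute with APPLY=1, otherwise print what would run
run_cmd() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# ensure_rule TABLE CHAIN MATCH...: insert only if absent (iptables -C checks).
# DD-WRT re-runs the saved firewall script on every WAN (re)connect, so an
# unconditional -I/-A accumulates duplicate rules over time.
ensure_rule() {
    table=$1; chain=$2; shift 2
    if [ "${APPLY:-0}" = 1 ] && iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    run_cmd iptables -t "$table" -I "$chain" "$@"
}

vpn_rules() {
    # 1. Port-forward the listener from the WAN to the LAN host. This is the
    #    "port forwarding" egc refers to; an INPUT rule for port 11940 on the
    #    router only admits traffic to the router itself and forwards nothing.
    ensure_rule nat PREROUTING -i "$WAN_IF" -p tcp --dport "$VPN_PORT" \
        -j DNAT --to-destination "$VPN_SERVER:$VPN_PORT"
    ensure_rule filter FORWARD -i "$WAN_IF" -p tcp -d "$VPN_SERVER" --dport "$VPN_PORT" -j ACCEPT
    # 2. Tunnel clients that reach the router with their 10.20.30.x source
    #    (only the case when the server routes them without NAT): allow
    #    forwarding for that subnet...
    ensure_rule filter FORWARD -s "$VPN_NET" -j ACCEPT
    # 3. ...and masquerade it on the WAN only. An unscoped "-s 10.20.30.0/24 -j
    #    MASQUERADE" also rewrites the source toward the LAN, so LAN hosts would
    #    see the router's address instead of the real tunnel client.
    ensure_rule nat POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
}

# The router must also know that 10.20.30.0/24 lives behind the server; this is
# the static route the thread sets in the GUI ('replace' is idempotent).
vpn_route() {
    run_cmd ip route replace "$VPN_NET" via "$VPN_SERVER"
}

vpn_rules
vpn_route
```

On the router, paste the body with `APPLY=1` set at the top into Administration > Commands and Save Firewall, as Per Yngve describes. If the server itself NATs tunnel traffic to its LAN address (egc's "SNAT to the LAN", and what the thread's final FreeBSD natd setup does), the router never sees 10.20.30.x sources and rules 2 and 3 are harmless but unused; the port forward and the route are what remain essential.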
stevennic
DD-WRT Novice


Joined: 08 Feb 2018
Posts: 5

Posted: Thu Apr 05, 2018 0:26
I tried a few different firewall commands (to see if it was something related to that), but none seemed to pan out.

The original three and the new command provided by Per Yngve Berg.

Without the first three lines, with only the first and last line, and all together. Still not being forwarded to the local network or to the internet.

Code:

iptables -I FORWARD -s 10.20.30.0/24 -j ACCEPT
iptables -I INPUT 1 -p tcp --dport 11940 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 11940 -j ACCEPT
iptables -t nat -I POSTROUTING -o `get_wanface` -j MASQUERADE
stevennic
DD-WRT Novice


Joined: 08 Feb 2018
Posts: 5

Posted: Thu Apr 05, 2018 1:05
I did upgrade the router to a newer build (from 33555 to 35531) and there is a new option under Static Routing labeled 'Masquerade Route (NAT)'.

Selecting this option didn't appear to change anything. Firewall rules were removed to prevent overlap if there was any issue of that happening.
stevennic
DD-WRT Novice


Joined: 08 Feb 2018
Posts: 5

Posted: Mon May 07, 2018 1:49
It turns out the issue was actually on the OpenVPN server (FreeBSD) side of things instead of DD-WRT.

I added the lines below to /etc/rc.conf and all was well.
Code:

# turn on IPv4 forwarding between the tun interface and the LAN side
gateway_enable="YES"
# NAT the 10.20.30.0/24 tunnel traffic to this host's address on the given interface
natd_enable="YES"
natd_interface="epair1b"
# -dynamic: follow address changes on that interface; -m: keep source ports where possible
natd_flags="-dynamic -m"



Current firewall commands (DD-WRT router):

Code:

iptables -I FORWARD -s 10.20.30.0/24 -j ACCEPT
iptables -I INPUT 1 -p tcp --dport 11940 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 11940 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.20.30.0/24 -j MASQUERADE


Static route in place forwarding 10.20.30.0/24 subnet through 10.10.10.23 (server).
IPs were changed across the network to be from 10.10.10.0/24 instead of 192.168.1.0/24 (more so to protect on the OpenVPN side of things than anything else).


Code:
push "redirect-gateway def1 bypass-dhcp"
on server config changed to
Code:
push "redirect-gateway autolocal"
at some point.
It works, I'm not going to change it.

All else remains the same and is working.