Solved

Routing issues with OpenVPN on DD-WRT routed tunnel

Posted on 2008-10-24
Last Modified: 2012-05-05
I have been trying to set up a routed VPN tunnel between two sites on a pair of WRT54GLs to replace the OpenVPN software implementation previously in place.
10.0.0.0 is the host network, 192.168.0.0 is the client network and 172.16.8.0 is the tunnel's subnet. The client connects and the entire client network can access the host network; however, when I attempt to ping 192.168.0.1 (the client router) from the host router (using ssh), it times out. I can ping 172.16.8.6 (its address on the tunnel subnet). The old software implementation did not have this problem.
In short:
Host --> Client : Fails
Client --> Host : Works


I've been fighting this thing for nearly two days now, any help would be appreciated.
My host conf:
---------------------
push "route 10.0.0.0 255.255.255.0"
server 172.16.8.0 255.255.255.0
port 1195
dev tun0
proto udp
 
comp-lzo
client-to-client
keepalive 10 60
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem 
verb 5
-----------------------
 
My Host firewall:
-----------------------
iptables -I INPUT 1 -p tcp --dport 1195 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 1195 -j ACCEPT
iptables -I FORWARD 1 --source 172.16.8.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o tun0 -j MASQUERADE 
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
-----------------------
 
Host Route table:
-----------------------
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.8.2      *               255.255.255.255 UH    0      0        0 tun0
10.0.0.0        *               255.255.255.0   U     0      0        0 br0
192.168.0.0     *               255.255.255.0   U     0      0        0 tun0
172.16.8.0      172.16.8.2      255.255.255.0   UG    0      0        0 tun0
74.219.99.0     *               255.255.255.0   U     0      0        0 vlan1
169.254.0.0     *               255.255.0.0     U     0      0        0 br0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         rrcs-*-*-*- 0.0.0.0         UG    0      0        0 vlan1
-----------------------
 
Client Routing table:
-----------------------
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
75.60.191.254   *               255.255.255.255 UH    0      0        0 ppp0
172.16.8.5      *               255.255.255.255 UH    0      0        0 tun0
10.0.0.0        172.16.8.5      255.255.255.0   UG    0      0        0 tun0
192.168.0.0     *               255.255.255.0   U     0      0        0 br0
172.16.8.0      172.16.8.5      255.255.255.0   UG    0      0        0 tun0
169.254.0.0     *               255.255.0.0     U     0      0        0 br0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         adsl-*-*-*- 0.0.0.0         UG    0      0        0 ppp0
-----------------------

Question by: ccadsales

2 Comments

Accepted Solution

by: Gabriel Orozco (earned 500 total points)
ID: 22801841
First, I would say your firewall can be simpler:
iptables -I INPUT 1 -p udp --dport 1195 -j ACCEPT
iptables -I FORWARD 1  -j ACCEPT
iptables -I FORWARD 1 -i tun+  -j ACCEPT
iptables -I FORWARD -i br0 -o tun+ -j ACCEPT
iptables -I FORWARD 1 -s 192.168.0.0/24 -o tun+ -j ACCEPT
### Why masquerading? iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o tun0 -j MASQUERADE

Next, you need the server LAN to access the client LAN. This is pretty well explained in the OpenVPN HOWTO:
http://openvpn.net/howto.html#scope
scroll for the entry: "Including multiple machines on the client side when using a routed VPN (dev tun)"

This is an extract; on the site it is clearer, I guess:
------------------------------------------------------------------

This is basically: add to the server.conf file
client-config-dir ccd

The next step is to create a file called client2 in the ccd directory. This file should contain the line:
    iroute 192.168.0.0 255.255.255.0

Next, add the following line to the main server config file (not the ccd/client2 file):
    route 192.168.0.0 255.255.255.0

Why the redundant route and iroute statements, you might ask? The reason is that route controls the routing from the kernel to the OpenVPN server (via the TUN interface) while iroute controls the routing from the OpenVPN server to the remote clients. Both are necessary.

Next, ask yourself if you would like to allow network traffic between client2's subnet (192.168.4.0/24) and other clients of the OpenVPN server. If so, add the following to the server config file.

    client-to-client
    push "route 192.168.4.0 255.255.255.0"

This will cause the OpenVPN server to advertise client2's subnet to other connecting clients.

The last step, and one that is often forgotten, is to add a route to the server's LAN gateway which directs 192.168.0.0/24 to the OpenVPN server box (you won't need this if the OpenVPN server box is the gateway for the server LAN).
------------------------------------------------------------------


Hope this helps.
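The host route table in the question already carries 192.168.0.0/24 via tun0, which is the kernel half of the answer (the `route` statement); what is missing is the `iroute` half, without which the OpenVPN server process has no idea which connected client owns that subnet and discards packets for it. The script below is an added example, not code from the question, the answer or the OpenVPN project: it writes the server config and client-config-dir file for this exact topology (host LAN 10.0.0.0/24, client LAN 192.168.0.0/24, tunnel 172.16.8.0/24), then checks that every `iroute` in the ccd directory has a matching `route` in the server config, and that the kernel routes the client LAN out the tun device. The ccd file name `client2` and the work directory are assumptions; in practice the file name must equal the CN of the client's certificate. No NAT is configured: on a routed tunnel with `iroute` in place both LANs see each other's real addresses, so the MASQUERADE rule from the question is not needed and would only hide source addresses from the firewall logs.

```shell
#!/bin/sh
# Added example (not from the question or the accepted answer): build the
# server-side files the answer describes for this topology and check that
# every "iroute" in the client-config-dir has a matching "route" in the
# server config. The ccd file name "client2" and the work directory are
# assumptions; the name must equal the CN of the client's certificate.

HOST_LAN="10.0.0.0 255.255.255.0"      # LAN behind the server (host) router
CLIENT_LAN="192.168.0.0 255.255.255.0" # LAN behind the client router
TUN_NET="172.16.8.0 255.255.255.0"     # tunnel subnet used in the question

# write_server_conf DIR CLIENT_CN: write DIR/server.conf and DIR/ccd/CLIENT_CN
write_server_conf() {
    dir=$1; cn=$2
    mkdir -p "$dir/ccd"
    cat > "$dir/server.conf" <<EOF
server $TUN_NET
port 1195
proto udp
dev tun0
comp-lzo
keepalive 10 60
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
verb 5
# kernel -> OpenVPN: hand packets for the client LAN to tun0
route $CLIENT_LAN
# OpenVPN -> client: per-client options, file name = certificate CN
client-config-dir $dir/ccd
client-to-client
push "route $HOST_LAN"
EOF
    # OpenVPN -> this client: tell the server which client owns the LAN
    printf 'iroute %s\n' "$CLIENT_LAN" > "$dir/ccd/$cn"
}

# check_iroutes SERVER_CONF CCD_DIR: exit 0 when every iroute in CCD_DIR has
# a matching route in SERVER_CONF, 1 otherwise (each gap is reported).
check_iroutes() {
    conf=$1; ccd=$2; missing=0
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        # one "net/mask" token per iroute, so the for loop splits on whitespace
        for p in $(awk '$1=="iroute"{print $2 "/" $3}' "$f"); do
            net=${p%/*}; mask=${p#*/}
            if ! awk -v n="$net" -v m="$mask" \
                 '$1=="route" && $2==n && $3==m {ok=1} END{exit !ok}' "$conf"; then
                echo "$(basename "$f"): iroute $net $mask has no route in $conf" >&2
                missing=$((missing + 1))
            fi
        done
    done
    [ "$missing" -eq 0 ]
}

# kernel_route_ok NET IFACE: read "route" / "netstat -rn" output on stdin and
# succeed if NET is routed out IFACE (the kernel half of the setup).
kernel_route_ok() {
    awk -v n="$1" -v i="$2" '$1==n && $NF==i {ok=1} END{exit !ok}'
}

# Host route table lines copied from the question, for an offline check.
HOST_ROUTE_TABLE='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.8.2      *               255.255.255.255 UH    0      0        0 tun0
10.0.0.0        *               255.255.255.0   U     0      0        0 br0
192.168.0.0     *               255.255.255.0   U     0      0        0 tun0
172.16.8.0      172.16.8.2      255.255.255.0   UG    0      0        0 tun0'

# Usage, e.g. on a workstation before copying the files to the router:
#   . ./ovpn_iroute.sh
#   write_server_conf /tmp/ovpn-test client2
#   check_iroutes /tmp/ovpn-test/server.conf /tmp/ovpn-test/ccd && echo consistent
#   printf '%s\n' "$HOST_ROUTE_TABLE" | kernel_route_ok 192.168.0.0 tun0 && echo kernel ok
```

On the router itself, pipe the live output of `route` into `kernel_route_ok` instead of the copied table; if the kernel route is present but `check_iroutes` reports a gap, the symptom is exactly the one in the question: host to client fails, client to host works.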
Author Closing Comment

by: ccadsales
ID: 31509714
I apologize for the late response, this project was abandoned by the client.