Routing issues with OpenVPN on DD-WRT routed tunnel

Posted on 2008-10-24
Medium Priority
Last Modified: 2012-05-05
I have been trying to set up a routed VPN tunnel between two sites on a pair of WRT54GLs to replace the OpenVPN software implementation previously in place. is the host network, is the client network, is the tunnel's subnet. The client connects and the entire client network can access the host network; however, when I attempt to ping (the client router) from the host router (using ssh) it times out. I can ping (its address on the tunnel subnet). The old software implementation did not have this problem.
In short:
Host --> Client : Fails
Client --> Host : Works

I've been fighting this thing for nearly two days now, any help would be appreciated.
My host conf:
push "route"
port 1195
dev tun0
proto udp
keepalive 10 60
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem 
verb 5
My Host firewall:
iptables -I INPUT 1 -p tcp --dport 1195 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 1195 -j ACCEPT
iptables -I FORWARD 1 --source -j ACCEPT
iptables -t nat -A POSTROUTING -s -o tun0 -j MASQUERADE 
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
Host Route table:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                *                               UH    0      0        0 tun0
                *                               U     0      0        0 br0
                *                               U     0      0        0 tun0
                                                UG    0      0        0 tun0
                *                               U     0      0        0 vlan1
                *                               U     0      0        0 br0
                *                               U     0      0        0 lo
default         rrcs-*-*-*-                     UG    0      0        0 vlan1
Client Routing table:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                *                               UH    0      0        0 ppp0
                *                               UH    0      0        0 tun0
                                                UG    0      0        0 tun0
                *                               U     0      0        0 br0
                                                UG    0      0        0 tun0
                *                               U     0      0        0 br0
                *                               U     0      0        0 lo
default         adsl-*-*-*-                     UG    0      0        0 ppp0


Question by: ccadsales

Accepted Solution

Gabriel Orozco earned 1500 total points
ID: 22801841
First, I would say your firewall can be simpler:
iptables -I INPUT 1 -p udp --dport 1195 -j ACCEPT
iptables -I FORWARD 1  -j ACCEPT
iptables -I FORWARD 1 -i tun+  -j ACCEPT
iptables -I FORWARD -i br0 -o tun+ -j ACCEPT
iptables -I FORWARD 1 -s -o tun+ -j ACCEPT
### Why masquerading? iptables -t nat -A POSTROUTING -s -o tun0 -j MASQUERADE

Next, you need the server LAN to access the client LAN. This is pretty well explained in the OpenVPN HOWTO:
scroll to the entry "Including multiple machines on the client side when using a routed VPN (dev tun)".

This is an extract; on the site it is clearer, I guess:

This is basically what to add in the server.conf file:
client-config-dir ccd

The next step is to create a file called client2 in the ccd directory. This file should contain the line:

Next, add the following line to the main server config file (not the ccd/client2 file):

Why the redundant route and iroute statements, you might ask? The reason is that route controls the routing from the kernel to the OpenVPN server (via the TUN interface) while iroute controls the routing from the OpenVPN server to the remote clients. Both are necessary.

Next, ask yourself if you would like to allow network traffic between client2's subnet ( and other clients of the OpenVPN server. If so, add the following to the server config file.

    push "route"

This will cause the OpenVPN server to advertise client2's subnet to other connecting clients.

The last step, and one that is often forgotten, is to add a route to the server's LAN gateway which directs to the OpenVPN server box (you won't need this if the OpenVPN server box is the gateway for the server LAN).

Hope this helps.
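The route/iroute pairing the answer describes, as an added example that is not part of the original question or answer: it writes the server.conf lines and the ccd/client2 file for one routed client with a LAN behind it, then checks that every iroute in ccd/ has its matching route line in server.conf. The subnets (10.8.0.0/24 tunnel, 192.168.1.0/24 host LAN, 192.168.2.0/24 client LAN) and the client CN are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the asker's or answerer's configuration. All subnets and
# the client common name below are constructed placeholders.
TUN_NET="10.8.0.0 255.255.255.0"       # constructed tunnel subnet
SERVER_LAN="192.168.1.0 255.255.255.0" # constructed host (server) LAN
CLIENT_LAN="192.168.2.0 255.255.255.0" # constructed client LAN
CLIENT_CN="client2"                    # CN of the client cert, as in the HOWTO

# Write server.conf and ccd/<cn> into the directory given as $1.
gen_routed_client() {
    dir="$1"
    mkdir -p "$dir/ccd"
    cat > "$dir/server.conf" <<EOF
server $TUN_NET
client-config-dir ccd
# kernel -> openvpn: send packets for the client LAN into the tun interface
route $CLIENT_LAN
# tell connecting clients how to reach the server LAN and client2's LAN
push "route $SERVER_LAN"
push "route $CLIENT_LAN"
EOF
    # openvpn -> client: which connected client owns the client LAN
    printf 'iroute %s\n' "$CLIENT_LAN" > "$dir/ccd/$CLIENT_CN"
}

# Return 0 if every iroute in ccd/* has a matching "route" line in server.conf,
# 1 (with a message on stderr) for the first iroute that lacks one.
check_iroute_pairs() {
    dir="$1"
    for f in "$dir"/ccd/*; do
        [ -f "$f" ] || continue
        while read -r kw net mask; do
            [ "$kw" = iroute ] || continue
            grep -q "^route $net $mask\$" "$dir/server.conf" || {
                echo "missing 'route $net $mask' for iroute in $f" >&2
                return 1
            }
        done < "$f"
    done
    return 0
}

# Usage: build the files in a scratch directory and check them.
WORK=$(mktemp -d)
gen_routed_client "$WORK"
check_iroute_pairs "$WORK" && echo "route/iroute pairs consistent in $WORK"
```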

Author Closing Comment

ID: 31509714
I apologize for the late response, this project was abandoned by the client.
