Solved

Routing issues with OpenVPN on DD-WRT routed tunnel

Posted on 2008-10-24
Last Modified: 2012-05-05
I have been trying to set up a routed VPN tunnel between two sites on a pair of WRT54GLs to replace the OpenVPN software implementation previously in place.
10.0.0.0 is the host network, 192.168.0.0 is the client network, 172.16.8.0 is the tunnel's subnet. The client connects and the entire client network can access the host network; however, when I attempt to ping 192.168.0.1 (the client router) from the host router (using ssh) it times out. I can ping 172.16.8.6 (its address on the tunnel subnet). The old software implementation did not have this problem.
In short:
Host --> Client : Fails
Client --> Host : Works


I've been fighting this thing for nearly two days now, any help would be appreciated.
My host conf:
---------------------
push "route 10.0.0.0 255.255.255.0"
server 172.16.8.0 255.255.255.0
port 1195
dev tun0
proto udp
 
comp-lzo
client-to-client
keepalive 10 60
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem 
verb 5
-----------------------
 
My Host firewall:
-----------------------
iptables -I INPUT 1 -p tcp --dport 1195 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 1195 -j ACCEPT
iptables -I FORWARD 1 --source 172.16.8.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o tun0 -j MASQUERADE 
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
-----------------------
 
Host Route table:
-----------------------
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.8.2      *               255.255.255.255 UH    0      0        0 tun0
10.0.0.0        *               255.255.255.0   U     0      0        0 br0
192.168.0.0     *               255.255.255.0   U     0      0        0 tun0
172.16.8.0      172.16.8.2      255.255.255.0   UG    0      0        0 tun0
74.219.99.0     *               255.255.255.0   U     0      0        0 vlan1
169.254.0.0     *               255.255.0.0     U     0      0        0 br0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         rrcs-*-*-*- 0.0.0.0         UG    0      0        0 vlan1
-----------------------
 
Client Routing table:
-----------------------
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
75.60.191.254   *               255.255.255.255 UH    0      0        0 ppp0
172.16.8.5      *               255.255.255.255 UH    0      0        0 tun0
10.0.0.0        172.16.8.5      255.255.255.0   UG    0      0        0 tun0
192.168.0.0     *               255.255.255.0   U     0      0        0 br0
172.16.8.0      172.16.8.5      255.255.255.0   UG    0      0        0 tun0
169.254.0.0     *               255.255.0.0     U     0      0        0 br0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         adsl-*-*-*- 0.0.0.0         UG    0      0        0 ppp0
-----------------------

Question by:ccadsales
2 Comments
Accepted Solution
by: Gabriel Orozco (earned 500 total points)
ID: 22801841
First, I would say your firewall can be simpler:
iptables -I INPUT 1 -p udp --dport 1195 -j ACCEPT
iptables -I FORWARD 1 -j ACCEPT
iptables -I FORWARD 1 -i tun+ -j ACCEPT
iptables -I FORWARD -i br0 -o tun+ -j ACCEPT
iptables -I FORWARD 1 -s 192.168.0.0/24 -o tun+ -j ACCEPT
### Why masquerading? iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o tun0 -j MASQUERADE

Next, you need the server LAN to access the client LAN. This is pretty well explained in the OpenVPN HOWTO:
http://openvpn.net/howto.html#scope
scroll for the entry: "Including multiple machines on the client side when using a routed VPN (dev tun)"

This is an extract; on the site it is clearer, I guess:
------------------------------------------------------------------

This is basically added in the server.conf file:
client-config-dir ccd

The next step is to create a file called client2 in the ccd directory. This file should contain the line:
    iroute 192.168.0.0 255.255.255.0

Next, add the following line to the main server config file (not the ccd/client2 file):
    route 192.168.0.0 255.255.255.0

Why the redundant route and iroute statements, you might ask? The reason is that route controls the routing from the kernel to the OpenVPN server (via the TUN interface) while iroute controls the routing from the OpenVPN server to the remote clients. Both are necessary.

Next, ask yourself if you would like to allow network traffic between client2's subnet (192.168.4.0/24) and other clients of the OpenVPN server. If so, add the following to the server config file.

    client-to-client
    push "route 192.168.4.0 255.255.255.0"

This will cause the OpenVPN server to advertise client2's subnet to other connecting clients.

The last step, and one that is often forgotten, is to add a route to the server's LAN gateway which directs 192.168.0.0/24 to the OpenVPN server box (you won't need this if the OpenVPN server box is the gateway for the server LAN).
------------------------------------------------------------------


Hope this helps.
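The accepted answer's point is that return traffic to the client LAN needs two hops on the server: the kernel must hand 192.168.0.0/24 to the OpenVPN process (the `route` directive, or the manual kernel route the asker already has), and the OpenVPN process must know which connected client owns that subnet (an `iroute` in that client's ccd file). The checker below is an added example, not code from the thread or from OpenVPN; it parses a server.conf, the ccd file contents and `route -n` style output (all constructed here from the question's own values, with a hypothetical client common name `client2`) and reports which hop is missing.

```python
import ipaddress

# Constructed sample input transcribed from the question: the posted host conf has neither a
# "route" directive nor a ccd directory; FIXED_CONF is a hypothetical conf with the answer applied.
HOST_CONF = 'push "route 10.0.0.0 255.255.255.0"\nserver 172.16.8.0 255.255.255.0\ndev tun0\n'
FIXED_CONF = HOST_CONF + "client-config-dir ccd\nroute 192.168.0.0 255.255.255.0\n"
CCD_FILES = {"client2": "iroute 192.168.0.0 255.255.255.0\n"}  # ccd/<common-name> contents
HOST_ROUTES = """Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.8.2      *               255.255.255.255 UH    0      0        0 tun0
10.0.0.0        *               255.255.255.0   U     0      0        0 br0
192.168.0.0     *               255.255.255.0   U     0      0        0 tun0
default         0.0.0.0         0.0.0.0         UG    0      0        0 vlan1
"""

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _directives(text, keyword):
    """Yield the network named by every '<keyword> ADDR MASK' line, ignoring # comments."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == keyword:
            yield _net(parts[1], parts[2])

def parse_kernel_routes(route_output):
    """Map each network in 'route -n' style output to its outgoing interface."""
    table = {}
    for raw in route_output.splitlines():
        parts = raw.split()
        if len(parts) == 8 and parts[0][0].isdigit():  # skip header and 'default' rows
            table[_net(parts[0], parts[2])] = parts[7]
    return table

def diagnose(server_conf, ccd_files, route_output, client_lan):
    """Return the hops still missing for return traffic to client_lan ([] = path complete)."""
    lan = ipaddress.ip_network(client_lan)
    has_ccd = any(l.split()[:1] == ["client-config-dir"] for l in server_conf.splitlines())
    # Hop 1, kernel -> OpenVPN process: a 'route' directive or an equivalent kernel route via tun.
    kernel_ok = (lan in set(_directives(server_conf, "route"))
                 or parse_kernel_routes(route_output).get(lan, "").startswith("tun"))
    # Hop 2, OpenVPN process -> the client that owns the LAN: only an iroute in its ccd file.
    owners = set(_directives("\n".join(ccd_files.values()), "iroute")) if has_ccd else set()
    missing = []
    if not kernel_ok:
        missing.append("route")
    if lan not in owners:
        missing.append("iroute")
    return missing
```

Run against the question's host conf and route table it reports only `iroute` missing, which matches the symptom: the kernel already sends 192.168.0.0/24 into tun0, but the OpenVPN process has no client to forward it to.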

Author Closing Comment

by:ccadsales
ID: 31509714
I apologize for the late response, this project was abandoned by the client.