Solved

Routing issues with OpenVPN on DD-WRT routed tunnel

Posted on 2008-10-24
2,734 Views
Last Modified: 2012-05-05
I have been trying to set up a routed VPN tunnel between two sites on a pair of WRT54GLs to replace the OpenVPN software implementation previously in place.
10.0.0.0 is the host network, 192.168.0.0 is the client network, 172.16.8.0 is the tunnel's subnet. The client connects and the entire client network can access the host network; however, when I attempt to ping 192.168.0.1 (the client router) from the host router (using ssh) it times out. I can ping 172.16.8.6 (its address on the tunnel subnet). The old software implementation did not have this problem.
In short:
Host --> Client : Fails
Client --> Host : Works


I've been fighting this thing for nearly two days now, any help would be appreciated.
My host conf:

---------------------
push "route 10.0.0.0 255.255.255.0"
server 172.16.8.0 255.255.255.0
port 1195
dev tun0
proto udp
comp-lzo
client-to-client
keepalive 10 60
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
verb 5
-----------------------

My host firewall:

-----------------------
iptables -I INPUT 1 -p tcp --dport 1195 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 1195 -j ACCEPT
iptables -I FORWARD 1 --source 172.16.8.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o tun0 -j MASQUERADE
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
-----------------------

Host route table:

-----------------------
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.8.2      *               255.255.255.255 UH    0      0        0 tun0
10.0.0.0        *               255.255.255.0   U     0      0        0 br0
192.168.0.0     *               255.255.255.0   U     0      0        0 tun0
172.16.8.0      172.16.8.2      255.255.255.0   UG    0      0        0 tun0
74.219.99.0     *               255.255.255.0   U     0      0        0 vlan1
169.254.0.0     *               255.255.0.0     U     0      0        0 br0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         rrcs-*-*-*-     0.0.0.0         UG    0      0        0 vlan1
-----------------------

Client routing table:

-----------------------
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
75.60.191.254   *               255.255.255.255 UH    0      0        0 ppp0
172.16.8.5      *               255.255.255.255 UH    0      0        0 tun0
10.0.0.0        172.16.8.5      255.255.255.0   UG    0      0        0 tun0
192.168.0.0     *               255.255.255.0   U     0      0        0 br0
172.16.8.0      172.16.8.5      255.255.255.0   UG    0      0        0 tun0
169.254.0.0     *               255.255.0.0     U     0      0        0 br0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         adsl-*-*-*-     0.0.0.0         UG    0      0        0 ppp0
-----------------------


Question by: ccadsales
2 Comments

Accepted Solution
by: Redimido (LVL 19), earned 500 total points
First, I would say your firewall can be simpler:
iptables -I INPUT 1 -p udp --dport 1195 -j ACCEPT
iptables -I FORWARD 1 -j ACCEPT
iptables -I FORWARD 1 -i tun+  -j ACCEPT
iptables -I FORWARD -i br0 -o tun+ -j ACCEPT
iptables -I FORWARD 1 -s 192.168.0.0/24 -o tun+ -j ACCEPT
### Why masquerading? iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o tun0 -j MASQUERADE

Next, you need the server LAN to access the client LAN. This is pretty well explained in the OpenVPN howto:
http://openvpn.net/howto.html#scope
scroll for the entry: "Including multiple machines on the client side when using a routed VPN (dev tun)"

This is an extract... on the site it is clearer, I guess:
------------------------------------------------------------------

This basically means adding to the server.conf file:
client-config-dir ccd

The next step is to create a file called client2 in the ccd directory. This file should contain the line:
    iroute 192.168.0.0 255.255.255.0

Next, add the following line to the main server config file (not the ccd/client2 file):
    route 192.168.0.0 255.255.255.0

Why the redundant route and iroute statements, you might ask? The reason is that route controls the routing from the kernel to the OpenVPN server (via the TUN interface) while iroute controls the routing from the OpenVPN server to the remote clients. Both are necessary.

Next, ask yourself if you would like to allow network traffic between client2's subnet (192.168.4.0/24) and other clients of the OpenVPN server. If so, add the following to the server config file.

    client-to-client
    push "route 192.168.4.0 255.255.255.0"

This will cause the OpenVPN server to advertise client2's subnet to other connecting clients.

The last step, and one that is often forgotten, is to add a route to the server's LAN gateway which directs 192.168.0.0/24 to the OpenVPN server box (you won't need this if the OpenVPN server box is the gateway for the server LAN).
------------------------------------------------------------------


Hope this helps.
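As an added consistency check (my own code, not from the thread or from OpenVPN), the script below parses a server.conf and the ccd files and reports any client LAN that lacks the route/iroute pair the quoted howto requires; the sample configs are constructed from the thread's addresses, and the ccd directory is modelled as a dict.

```python
import ipaddress
import re

# Constructed samples modelled on the thread. BROKEN_CONF is the poster's host
# config (no route/iroute for the client LAN); FIXED_CONF applies the howto
# steps quoted in the answer. CCD_FILES stands in for the ccd/ directory.
BROKEN_CONF = """\
push "route 10.0.0.0 255.255.255.0"
server 172.16.8.0 255.255.255.0
port 1195
dev tun0
proto udp
client-to-client
"""
FIXED_CONF = BROKEN_CONF + """\
client-config-dir ccd
route 192.168.0.0 255.255.255.0
"""
CCD_FILES = {"client2": "iroute 192.168.0.0 255.255.255.0\n"}

_DECL = re.compile(r"^\s*(route|iroute)\s+(\S+)\s+(\S+)")

def declared(text, keyword):
    """Networks declared by bare `route`/`iroute` lines; push "route ..." is skipped."""
    nets = set()
    for line in text.splitlines():
        m = _DECL.match(line)
        if m and m.group(1) == keyword:
            nets.add(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False))
    return nets

def check_client_lans(server_conf, ccd_files, expected_lans=()):
    """Return a list of problems; empty means every client LAN has both the
    kernel-side `route` (server.conf) and the OpenVPN-side `iroute` (ccd file)."""
    problems = []
    if ccd_files and "client-config-dir" not in server_conf:
        problems.append("server.conf: no 'client-config-dir', so ccd files are ignored")
    routes = declared(server_conf, "route")
    iroutes = {}
    for name, body in ccd_files.items():
        for net in declared(body, "iroute"):
            iroutes[net] = name
    for net, name in iroutes.items():
        if net not in routes:
            problems.append(f"ccd/{name}: iroute {net} has no 'route' in server.conf")
    for net in routes - set(iroutes):
        problems.append(f"server.conf: route {net} has no 'iroute' in any ccd file")
    for lan in map(ipaddress.ip_network, expected_lans):
        if lan not in routes or lan not in iroutes:
            problems.append(f"client LAN {lan}: needs both 'route' and 'iroute'")
    return problems
```

Run against the poster's config with the client LAN listed as expected, it reports the missing pair; against the fixed config and ccd file it reports nothing.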

Author Closing Comment
by: ccadsales
I apologize for the late response, this project was abandoned by the client.