Routing issues with OpenVPN on DD-WRT routed tunnel

Posted on 2008-10-24
Medium Priority
Last Modified: 2012-05-05
I have been trying to set up a routed VPN tunnel between two sites on a pair of WRT54GLs to replace the OpenVPN software implementation previously in place. is the host network, is the client network, is the tunnel's subnet. The client connects and the entire client network can access the host network; however, when I attempt to ping (the client router) from the host router (using SSH) it times out. I can ping (its address on the tunnel subnet). The old software implementation did not have this problem.
In short:
Host --> Client : Fails
Client --> Host : Works

I've been fighting this thing for nearly two days now, any help would be appreciated.
My host conf:
push "route"
port 1195
dev tun0
proto udp
keepalive 10 60
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem 
verb 5
My Host firewall:
iptables -I INPUT 1 -p tcp --dport 1195 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 1195 -j ACCEPT
iptables -I FORWARD 1 --source -j ACCEPT
iptables -t nat -A POSTROUTING -s -o tun0 -j MASQUERADE 
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
Host route table (destination, gateway and genmask columns did not survive extraction):
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                *                               UH    0      0        0 tun0
                *                               U     0      0        0 br0
                *                               U     0      0        0 tun0
                                                UG    0      0        0 tun0
                *                               U     0      0        0 vlan1
                *                               U     0      0        0 br0
                *                               U     0      0        0 lo
default         rrcs-*-*-*-                     UG    0      0        0 vlan1
Client route table (same columns missing):
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                *                               UH    0      0        0 ppp0
                *                               UH    0      0        0 tun0
                                                UG    0      0        0 tun0
                *                               U     0      0        0 br0
                                                UG    0      0        0 tun0
                *                               U     0      0        0 br0
                *                               U     0      0        0 lo
default         adsl-*-*-*-                     UG    0      0        0 ppp0

Question by:ccadsales
LVL 19

Accepted Solution

Gabriel Orozco earned 1500 total points
ID: 22801841
First, I would say your firewall can be simpler:
iptables -I INPUT 1 -p udp --dport 1195 -j ACCEPT
iptables -I FORWARD 1  -j ACCEPT
iptables -I FORWARD 1 -i tun+  -j ACCEPT
iptables -I FORWARD -i br0 -o tun+ -j ACCEPT
iptables -I FORWARD 1 -s -o tun+ -j ACCEPT
### Why masquerading? iptables -t nat -A POSTROUTING -s -o tun0 -j MASQUERADE

Next, you need the server LAN to access the client LAN. This is pretty well explained in the OpenVPN HOWTO:
scroll to the entry "Including multiple machines on the client side when using a routed VPN (dev tun)".

This is an extract; on the site it is clearer, I guess:

This is basically: add to the server.conf file
client-config-dir ccd

The next step is to create a file called client2 in the ccd directory. This file should contain the line:

Next, add the following line to the main server config file (not the ccd/client2 file):

Why the redundant route and iroute statements, you might ask? The reason is that route controls the routing from the kernel to the OpenVPN server (via the TUN interface) while iroute controls the routing from the OpenVPN server to the remote clients. Both are necessary.

Next, ask yourself if you would like to allow network traffic between client2's subnet ( and other clients of the OpenVPN server. If so, add the following to the server config file.

    push "route"

This will cause the OpenVPN server to advertise client2's subnet to other connecting clients.

The last step, and one that is often forgotten, is to add a route to the server's LAN gateway which directs to the OpenVPN server box (you won't need this if the OpenVPN server box is the gateway for the server LAN).

Hope this helps.
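The steps quoted from the HOWTO above, carried through as one script. This is an added example, not code from the answer, the question or the OpenVPN project; the subnets (server LAN 10.1.0.0/24, client LAN 10.2.0.0/24), the client certificate CN "client2" and the config directory passed as $1 are all assumptions, since the real addresses did not survive on the page. Besides writing the ccd file, it includes the check a practitioner wants after editing by hand: every iroute in ccd/ must be paired with a route line in server.conf, or OpenVPN will receive the packets from the kernel and silently drop them.

```shell
#!/bin/sh
# Added example: not code from the post above or from the OpenVPN project.
# Hypothetical addressing: server (host) LAN 10.1.0.0/24, client LAN 10.2.0.0/24,
# client certificate CN "client2". Substitute the real values.
CLIENT_LAN="10.2.0.0"
CLIENT_MASK="255.255.255.0"
CLIENT_CN="client2"

# Write the server-side routing pieces into $1, the OpenVPN config directory
# (/tmp/openvpn on DD-WRT). Assumes server.conf in that directory is the
# file OpenVPN is started with.
write_server_routing() {
    dir="$1"
    mkdir -p "$dir/ccd"
    {
        # Directory of per-client files, looked up by certificate CN.
        echo "client-config-dir $dir/ccd"
        # Kernel -> OpenVPN: installs a kernel route for the client LAN via tun0
        # so the server box hands those packets to the OpenVPN process.
        echo "route $CLIENT_LAN $CLIENT_MASK"
        # Optional: advertise the client LAN to the other connected clients.
        echo "push \"route $CLIENT_LAN $CLIENT_MASK\""
    } >> "$dir/server.conf"
    # OpenVPN -> client: iroute tells OpenVPN which connected client owns the
    # client LAN; without it the packets reach OpenVPN and are dropped there.
    # The file name must be exactly the client's certificate CN.
    echo "iroute $CLIENT_LAN $CLIENT_MASK" > "$dir/ccd/$CLIENT_CN"
}

# Consistency check: every iroute under ccd/ needs a matching route in
# server.conf (both are required). Returns 0 when all match, 1 otherwise
# and lists the offenders on stderr.
check_routes() {
    dir="$1"
    missing=$(
        for f in "$dir"/ccd/*; do
            [ -f "$f" ] || continue
            grep '^iroute ' "$f" | while read -r kw net mask; do
                grep -q "^route $net $mask\$" "$dir/server.conf" ||
                    echo "$(basename "$f"): iroute $net $mask has no route line"
            done
        done
    )
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing" >&2
    return 1
}

# Usage: sh this_script.sh /tmp/openvpn
if [ -n "${1:-}" ]; then
    write_server_routing "$1" && check_routes "$1"
fi
```

The ccd path is written absolute on purpose: on DD-WRT the daemon's working directory is not something to rely on. In the setup described above the WRT54GL is itself the LAN gateway, so the HOWTO's last step (a static route for the client LAN on the server LAN's gateway) is not needed; it only applies when OpenVPN runs on a separate box behind the gateway.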

Author Closing Comment

ID: 31509714
I apologize for the late response, this project was abandoned by the client.

