Torturing myself with site to site VPN

Zulgrib
OpenVpn Newbie
Posts: 2
Joined: Tue Jan 24, 2017 12:04 pm

Torturing myself with site to site VPN

Postby Zulgrib » Tue Jan 24, 2017 12:06 pm

Hello,

I'm torturing myself with site-to-site VPN and I'm now pulling my hair out because I'm out of ideas.

Computers on the client side can talk to computers on the remote side (ping, SMB shares).
Computers on the server side cannot talk to computers on the client side (pings time out).

OpenVPN server uses subnet 192.168.6.0/24 powered by Synology SRM
OpenVPN client uses subnet 192.168.5.0/24 powered by Asuswrt-Merlin

Configuration of the OpenVPN server

Code:

push "route 192.168.200.0 255.255.255.0"
push "route 192.168.6.0 255.255.255.0"
route 192.168.5.0 255.255.255.0
dev tun

management 127.0.0.1 1195

server 192.168.200.0 255.255.255.0


dh /var/packages/VPNCenter/target/etc/openvpn/keys/dh1024.pem
ca /var/packages/VPNCenter/target/etc/openvpn/keys/ca.crt
cert /var/packages/VPNCenter/target/etc/openvpn/keys/server.crt
key /var/packages/VPNCenter/target/etc/openvpn/keys/server.key

max-clients 3

comp-lzo

persist-tun
persist-key

verb 3

#log-append /var/log/openvpn.log

keepalive 10 60
reneg-sec 0

plugin /var/packages/VPNCenter/target/lib/radiusplugin.so /var/packages/VPNCenter/target/etc/openvpn/radiusplugin.cnf
client-cert-not-required
username-as-common-name
duplicate-cn

status /tmp/ovpn_status_2_result 30
status-version 2
proto udp
port 1194


And it has this client-specific config file

Code:

ifconfig-push 192.168.200.6 255.255.255.0
iroute 192.168.5.0 255.255.255.0


The client has this config

Code:

daemon
client
dev tun11
proto udp
remote dnsnameofremote.dns 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo adaptive
script-security 2
route-delay 2
route-up vpnrouting.sh
route-pre-down vpnrouting.sh
verb 3
ca ca.crt
auth-user-pass up
status-version 2
status status 10

# Custom Configuration
tls-client
script-security 2
reneg-sec 0
keepalive 10 60
persist-key
persist-tun


vpnrouting.sh

Code:

#!/bin/sh

PARAM=$*
if [ "$PARAM" = "" ]
then
   # Add parameters equivalent to those passed for the up command
   PARAM="$dev $tun_mtu $link_mtu $ifconfig_local $ifconfig_remote"
fi

create_client_list(){
   # Save IFS so the restore at the end of the function does not leave it empty
   OLDIFS=$IFS
   IFS="<"

   for ENTRY in $VPN_IP_LIST
   do
      if [ "$ENTRY" = "" ]
      then
         continue
      fi
      TARGET_ROUTE=$(echo $ENTRY | cut -d ">" -f 4)
      if [ "$TARGET_ROUTE" = "WAN" ]
      then
         TARGET_LOOKUP="main"
         WAN_PRIO=$((WAN_PRIO+1))
         RULE_PRIO=$WAN_PRIO
         TARGET_NAME="WAN"
      else
         TARGET_LOOKUP=$VPN_TBL
         VPN_PRIO=$((VPN_PRIO+1))
         RULE_PRIO=$VPN_PRIO
         TARGET_NAME="VPN client "$VPN_UNIT
      fi
      VPN_IP=$(echo $ENTRY | cut -d ">" -f 2)
      if [ "$VPN_IP" != "0.0.0.0" ]
      then
         SRCC="from"
         SRCA="$VPN_IP"
      else
         SRCC=""
         SRCA=""
      fi
      DST_IP=$(echo $ENTRY | cut -d ">" -f 3)
      if [ "$DST_IP" != "0.0.0.0" ]
      then
         DSTC="to"
         DSTA="$DST_IP"
      else
         DSTC=""
         DSTA=""
      fi
      if [ "$SRCC" != "" -o "$DSTC" != "" ]
      then
         ip rule add $SRCC $SRCA $DSTC $DSTA table $TARGET_LOOKUP priority $RULE_PRIO
         logger -t "openvpn-routing" "Adding route for $VPN_IP to $DST_IP through $TARGET_NAME"
      fi
   done
   IFS=$OLDIFS
}

purge_client_list(){
   IP_LIST=$(ip rule show | cut -d ":" -f 1)
   for PRIO in $IP_LIST
   do
      if [ $PRIO -ge $START_PRIO -a $PRIO -le $END_PRIO ]
      then
         ip rule del prio $PRIO
         logger -t "openvpn-routing" "Removing rule $PRIO from routing policy"
      fi
   done
}

run_custom_script(){
   if [ -f /jffs/scripts/openvpn-event ]
   then
      logger -t "custom script" "Running /jffs/scripts/openvpn-event (args: $PARAM)"
      sh /jffs/scripts/openvpn-event $PARAM
   fi
}

init_table(){
   logger -t "openvpn-routing" "Creating VPN routing table"
   ip route flush table $VPN_TBL

# Fill it with copy of existing main table
   ip route show table main | while read ROUTE
   do
      ip route add table $VPN_TBL $ROUTE
   done
}

# Begin
if [ "$dev" = "tun11" ]
then
   VPN_IP_LIST=$(nvram get vpn_client1_clientlist)
   VPN_REDIR=$(nvram get vpn_client1_rgw)
   VPN_FORCE=$(nvram get vpn_client1_enforce)
   VPN_UNIT=1
elif [ "$dev" = "tun12" ]
then
   VPN_IP_LIST=$(nvram get vpn_client2_clientlist)
   VPN_REDIR=$(nvram get vpn_client2_rgw)
   VPN_FORCE=$(nvram get vpn_client2_enforce)
   VPN_UNIT=2
elif [ "$dev" = "tun13" ]
then
   VPN_IP_LIST=$(nvram get vpn_client3_clientlist)
   VPN_REDIR=$(nvram get vpn_client3_rgw)
   VPN_FORCE=$(nvram get vpn_client3_enforce)
   VPN_UNIT=3
elif [ "$dev" = "tun14" ]
then
   VPN_IP_LIST=$(nvram get vpn_client4_clientlist)
   VPN_REDIR=$(nvram get vpn_client4_rgw)
   VPN_FORCE=$(nvram get vpn_client4_enforce)
   VPN_UNIT=4
elif [ "$dev" = "tun15" ]
then
   VPN_IP_LIST=$(nvram get vpn_client5_clientlist)
   VPN_REDIR=$(nvram get vpn_client5_rgw)
   VPN_FORCE=$(nvram get vpn_client5_enforce)
   VPN_UNIT=5
else
   run_custom_script
   exit 0
fi

VPN_TBL="ovpnc"$VPN_UNIT
START_PRIO=$((10000+(200*($VPN_UNIT-1))))
END_PRIO=$(($START_PRIO+199))
WAN_PRIO=$START_PRIO
VPN_PRIO=$(($START_PRIO+100))

export VPN_GW VPN_IP VPN_TBL VPN_FORCE


# webui reports that vpn_force changed while vpn client was down
if [ "$script_type" = "rmupdate" ]
then
   logger -t "openvpn-routing" "Refreshing policy rules for client $VPN_UNIT"
   purge_client_list

   if [ "$VPN_FORCE" = "1" -a "$VPN_REDIR" = "2" ]
   then
      init_table
      logger -t "openvpn-routing" "Tunnel down - VPN client access blocked"
      ip route del default table $VPN_TBL
      ip route add prohibit default table $VPN_TBL
      create_client_list
   else
      logger -t "openvpn-routing" "Allow WAN access to all VPN clients"
      ip route flush table $VPN_TBL
   fi
   ip route flush cache
   exit 0
fi

if [ "$script_type" = "route-up" -a "$VPN_REDIR" != "2" ]
then
   logger -t "openvpn-routing" "Skipping, client $VPN_UNIT not in routing policy mode"
   run_custom_script
   exit 0
fi

logger -t "openvpn-routing" "Configuring policy rules for client $VPN_UNIT"

if [ "$script_type" = "route-pre-down" ]
then
   purge_client_list

   if [ "$VPN_FORCE" = "1" -a "$VPN_REDIR" = "2" ]
   then
      logger -t "openvpn-routing" "Tunnel down - VPN client access blocked"
      ip route change prohibit default table $VPN_TBL
      create_client_list
   else
      ip route flush table $VPN_TBL
      logger -t "openvpn-routing" "Flushing client routing table"
   fi
fi   # End route down



if [ "$script_type" = "route-up" ]
then
   init_table

# Delete existing VPN routes that were pushed by server on table main
   NET_LIST=$(ip route show|awk '$2=="via" && $3==ENVIRON["route_vpn_gateway"] && $4=="dev" && $5==ENVIRON["dev"] {print $1}')
   for NET in $NET_LIST
   do
      ip route del $NET dev $dev
      logger -t "openvpn-routing" "Removing route for $NET to $dev from main routing table"
   done

# Unsure if necessary, but most policy-based routing scripts disable reverse path filtering
   for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
      echo 0 > $i
   done

# Update policy rules
   purge_client_list
   create_client_list

# Setup table default route
   if [ "$VPN_IP_LIST" != "" ]
   then
      if [ "$VPN_FORCE" = "1" ]
      then
         logger -t "openvpn-routing" "Tunnel re-established, restoring WAN access to clients"
      fi
      ip route del default table $VPN_TBL
      ip route add default via $route_vpn_gateway table $VPN_TBL
   fi

   if [ "$route_net_gateway" != "" ]
   then
      ip route del default
      ip route add default via $route_net_gateway
   fi
fi   # End route-up

ip route flush cache
logger -t "openvpn-routing" "Completed routing policy configuration for client $VPN_UNIT"
run_custom_script

exit 0


There is a "192.168.5.0/24 via 192.168.200.2 dev tun0" entry on the server side and a "192.168.6.0/24 via 192.168.200.5 dev tun11" entry on the client side.
On the client side, running "iptables -nvL FORWARD -t filter | grep tun" shows that no packets are counted there:

client iptables -nvL FORWARD -t filter |grep tun

Code:

    0     0 ACCEPT     all  --  tun11  br0     0.0.0.0/0            0.0.0.0/0         
    0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0         
    0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0         
    0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0         
    0     0 ACCEPT     all  --  br0    tun11   0.0.0.0/0            0.0.0.0/0         
    0     0 ACCEPT     all  --  tun11  br0     0.0.0.0/0            0.0.0.0/0         
    0     0 ACCEPT     all  --  br0    tun11   0.0.0.0/0            0.0.0.0/0


I don't know what to do next.

TinCanTech
OpenVPN Protagonist
Posts: 2240
Joined: Fri Jun 03, 2016 1:17 pm

Re: Torturing myself with site to site VPN

Postby TinCanTech » Tue Jan 24, 2017 1:09 pm

Zulgrib wrote: And it has this client-specific config file
--client-config-dir is missing from server config ..

Zulgrib
OpenVpn Newbie
Posts: 2
Joined: Tue Jan 24, 2017 12:04 pm

Re: Torturing myself with site to site VPN

Postby Zulgrib » Tue Jan 24, 2017 11:00 pm

Since the client config was created by Synology's router manager in some folder, I thought they were using the --client-config-dir switch when starting OpenVPN. Looks like I was wrong, as adding it did solve my issue.

Thanks
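The fix confirmed above comes down to three server-side pieces that every site-to-site client LAN needs at once: a kernel "route" for the LAN, an "iroute" for it in the client's ccd file, and "client-config-dir" so that file is actually read. Without the third, the server has the kernel route into tun but OpenVPN never learns which client session owns 192.168.5.0/24, which matches the one-way reachability in the first post. The script below is an added example, not code from this thread or from OpenVPN, Synology or Asuswrt-Merlin: it lints a server config and a ccd directory for exactly that mismatch. The sample files it creates are constructed for the demo and modelled on the configs posted above; the ccd file name "siteb" and the temporary paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): lint an OpenVPN server config for the
# site-to-site mistake discussed above. Per client LAN the server needs:
#   route  <net> <mask>   kernel route into the tun interface
#   iroute <net> <mask>   OpenVPN internal route, kept in the client's ccd file
#   client-config-dir     or the ccd file (and its iroute) is never read
# Paths and file contents below are constructed for the demo.

# Print "net mask" for every DIRECTIVE line in FILE, comments stripped.
list_routes() {   # $1 = directive (route|iroute), $2 = file
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' "$2" |
        awk -v d="$1" '$1 == d && NF >= 3 { print $2, $3 }'
}

# Exit status 0 when every client LAN is routed consistently, 1 otherwise.
# $1 = server config, $2 = directory holding the per-client (ccd) files
check_site_to_site() {
    conf=$1; ccd=$2; rc=0
    if ! grep -Eq '^[[:space:]]*client-config-dir[[:space:]]' "$conf"; then
        echo "MISSING: client-config-dir in $conf (files in $ccd are never read)"
        rc=1
    fi
    # iroutes OpenVPN would load from the ccd files (trailing ':' keeps status 0)
    iroutes=$(for f in "$ccd"/*; do [ -f "$f" ] && list_routes iroute "$f"; done; :)
    routes=$(list_routes route "$conf")
    old_ifs=$IFS; IFS='
'
    for r in $routes; do      # kernel route with no client claiming the LAN
        printf '%s\n' "$iroutes" | grep -Fxq -- "$r" ||
            { echo "MISSING: iroute $r (no client owns this LAN)"; rc=1; }
    done
    for r in $iroutes; do     # internal route the kernel never sends to tun
        printf '%s\n' "$routes" | grep -Fxq -- "$r" ||
            { echo "MISSING: route $r (kernel will not send this LAN to the tunnel)"; rc=1; }
    done
    IFS=$old_ifs
    return $rc
}

# --- constructed demo files modelled on the configs in the first post ---
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
mkdir -p "$DEMO_DIR/ccd"
cat > "$DEMO_DIR/broken.conf" <<'EOF'
server 192.168.200.0 255.255.255.0
push "route 192.168.6.0 255.255.255.0"
route 192.168.5.0 255.255.255.0     # kernel route to the client's LAN
dev tun
EOF
# per-client file; "siteb" is a placeholder for the client's common name
printf 'ifconfig-push 192.168.200.6 255.255.255.0\niroute 192.168.5.0 255.255.255.0\n' \
    > "$DEMO_DIR/ccd/siteb"
# the fix from the thread: enable the directory
{ cat "$DEMO_DIR/broken.conf"; echo "client-config-dir $DEMO_DIR/ccd"; } > "$DEMO_DIR/fixed.conf"

echo "== broken.conf =="
check_site_to_site "$DEMO_DIR/broken.conf" "$DEMO_DIR/ccd" || echo "-> rejected (expected)"
echo "== fixed.conf =="
check_site_to_site "$DEMO_DIR/fixed.conf" "$DEMO_DIR/ccd" && echo "-> consistent"
```

Run it against a real server config and ccd directory with "check_site_to_site /path/server.conf /path/ccd"; a non-zero exit with one MISSING line per problem is the same asymmetry the pings showed, caught before the tunnel is brought up.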
