OpenVPN site-to-site routing

This forum is for all inquiries relating to the installation of OpenVPN from source and with binaries.

Moderators: TinCanTech

Forum rules
Please visit (and READ) the OpenVPN HowTo http://openvpn.net/howto prior to asking any questions in here!
GeoVik
OpenVpn Newbie
Posts: 2
Joined: Mon Aug 07, 2017 9:51 am

OpenVPN site-to-site routing

Post by GeoVik » Mon Aug 07, 2017 9:54 am

Hello,

I am having some issues with my site-to-site OpenVPN set-up, and I was hoping you could provide me with some guidance. In a nutshell, the connection gets established, but I cannot access the client LAN from the server LAN (or from the OpenVPN server/router itself); it only works the other way around.


Set-up:

CLIENT LAN (192.168.2.x) >>> ASUS AC66U with OpenVPN client >>> INTERNET <<< DD-WRT Netgear R8500 with OpenVPN server <<< SERVER LAN (192.168.1.x)

- OpenVPN Network: 10.8.0.0/24

- Server Network 1: 192.168.1.0/24
Router and OpenVPN server: 192.168.1.1 (Netgear R8500, DD-WRT r32170M) / OpenVPN address: 10.8.0.1

- Client Network 2: 192.168.2.0/24
Router and OpenVPN client: 192.168.2.1 (Asus AC66U, Merlin build) / OpenVPN address: 10.8.0.2


Traceroute from a PC on the server network (192.168.1.x) to the client network (192.168.2.x) times out at the Netgear:

C:\Users\Geo>tracert 192.168.2.110


1 3 ms 2 ms 2 ms 192.168.1.1
2 * * * Request timed out.

However, the other VPN endpoint IP (10.8.0.2), on the Asus AC66U, is reachable from the same server-network PC:

C:\Users\Geo>tracert 10.8.0.2

1 3 ms 2 ms 2 ms 192.168.1.1
2 64 ms 63 ms 65 ms 10.8.0.2

Traceroute from a PC on the client network (192.168.2.x) to the server network (192.168.1.x) works:

admin@NSA310:~$ sudo traceroute 192.168.1.120
traceroute to 192.168.1.120 (192.168.1.120), 30 hops max, 38 byte packets
1 RT-AC66U-1548 (192.168.2.1) 0.415 ms 0.296 ms 0.261 ms
2 10.8.0.1 (10.8.0.1) 61.472 ms 60.495 ms 61.507 ms
3 192.168.1.120 (192.168.1.120) 60.373 ms 58.556 ms 59.249 ms


Final OpenVPN server.conf:

dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 3
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port 1194
proto udp4
cipher aes-128-cbc
auth sha256
client-connect /tmp/openvpn/clcon.sh
client-disconnect /tmp/openvpn/cldiscon.sh
client-config-dir /jffs/etc/openvpn/ccd
comp-lzo adaptive
tls-server
ifconfig-pool-persist /tmp/openvpn/ip-pool 86400
client-to-client
fast-io
tun-mtu 1500
mtu-disc yes
server 10.8.0.0 255.255.255.0
dev tun2
ifconfig 10.8.0.1 255.255.255.0
route 192.168.2.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
push "topology subnet"
persist-key
persist-tun
verb 5


There is an iroute that gets created with a startup script (the file name Client1 matches the CN of the client certificate):

mkdir -p /tmp/openvpn/ccd
echo 'ifconfig-push 10.8.0.2 255.255.255.0
iroute 192.168.2.0 255.255.255.0' > /tmp/openvpn/ccd/Client1


OpenVPN Server/Router firewall config:

iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD -i br+ -o tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -o br+ -j ACCEPT
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I INPUT -s 10.8.0.0/24 -j ACCEPT
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -I FORWARD -s 192.168.2.0/24 -j ACCEPT

OpenVPN Server/Router Routing Table

The routing table on the Netgear (OpenVPN server) side:

default via MY PUBLIC IP dev vlan2
10.8.0.0/24 dev tun2 proto kernel scope link src 10.8.0.1
127.0.0.0/8 dev lo scope link
169.254.0.0/16 dev br0 proto kernel scope link src 169.254.255.1
MY PUBLIC IP/24 dev vlan2 proto kernel scope link src 188.194.4.46
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
192.168.2.0/24 via 10.8.0.2 dev tun2

OpenVPN Client/Router Routing Table

admin@RT-AC66U-1548:/tmp/home/root# ip route
MY PUBLIC IP dev ppp0 proto kernel scope link
192.168.3.0/24 via 10.8.0.1 dev tun11
192.168.2.0/24 dev br0 proto kernel scope link src 192.168.2.1
192.168.1.0/24 via 10.8.0.1 dev tun11
10.8.0.0/24 dev tun11 proto kernel scope link src 10.8.0.2
169.254.0.0/16 dev eth0 proto kernel scope link src 169.254.181.161
127.0.0.0/8 dev lo scope link
default via MY PUBLIC IP dev ppp0


A small glitch, perhaps a cosmetic issue in DD-WRT: the remote and local IP in the VPN status seem to be the same.


Any idea what could be the issue here?

Thank you

GeoVik
OpenVpn Newbie
Posts: 2
Joined: Mon Aug 07, 2017 9:51 am

Re: OpenVPN site-to-site routing

Post by GeoVik » Mon Aug 07, 2017 10:48 am

On a closer look at the debug output, it seems that the path for creating the ccd was incorrect. DD-WRT creates the path by default under /jffs/etc/openvpn/ccd and not /tmp/openvpn, and the path cannot be overridden via the server conf.
So I have adjusted the startup script to these lines only:

echo 'ifconfig-push 10.8.0.2 255.255.255.0
iroute 192.168.2.0 255.255.255.0' > /jffs/etc/openvpn/ccd/Client1

All works fine now.
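The failure in this thread is a mismatch between where the startup script writes the ccd file and where client-config-dir actually points, so the server holds a kernel route for 192.168.2.0/24 but OpenVPN itself never learns which client owns that subnet and drops the return traffic. The following is an added example, not code from either post or from DD-WRT: a POSIX sh check that reads client-config-dir from a server config and reports every "route NET MASK" directive that has no matching "iroute NET MASK" under that directory. The fixture it builds (paths under a temporary directory, the Client1 file written to the wrong place first, then copied to the right one) is constructed to mirror the posts above.

```shell
#!/bin/sh
# Added example: verify that every "route" directive in an OpenVPN server
# config has a matching "iroute" in the directory named by client-config-dir.
# Not part of the original posts; the fixture paths are constructed under a
# temporary directory rather than /tmp/openvpn or /jffs.

# check_ccd_routes SERVER_CONF
# Prints one OK/MISSING line per "route" directive. Returns 1 if any route
# lacks an iroute, 2 if there is no usable client-config-dir.
check_ccd_routes() {
    conf=$1
    ccd=$(awk '$1 == "client-config-dir" { print $2; exit }' "$conf")
    if [ -z "$ccd" ]; then
        echo "ERROR   no client-config-dir in $conf"
        return 2
    fi
    if [ ! -d "$ccd" ]; then
        echo "ERROR   client-config-dir $ccd does not exist"
        return 2
    fi
    rc=0
    # Only bare "route" lines matter here; push "route ..." lines start with
    # "push" and are sent to the client, so awk skips them.
    for pair in $(awk '$1 == "route" { print $2 "/" $3 }' "$conf"); do
        net=${pair%/*}
        mask=${pair#*/}
        # Escape the dots so they are not regex wildcards.
        pat=$(printf '^iroute[[:space:]][[:space:]]*%s[[:space:]][[:space:]]*%s\n' "$net" "$mask" | sed 's/\./\\./g')
        if grep -qs -e "$pat" "$ccd"/*; then
            echo "OK      $net $mask"
        else
            echo "MISSING $net $mask (no iroute in $ccd)"
            rc=1
        fi
    done
    return $rc
}

# make_fixture DIR
# Constructed fixture: server.conf names DIR/jffs/etc/openvpn/ccd, but the
# Client1 file is written to DIR/tmp/openvpn/ccd, as the first startup script did.
make_fixture() {
    dir=$1
    mkdir -p "$dir/jffs/etc/openvpn/ccd" "$dir/tmp/openvpn/ccd"
    cat > "$dir/server.conf" <<EOF
server 10.8.0.0 255.255.255.0
topology subnet
client-config-dir $dir/jffs/etc/openvpn/ccd
route 192.168.2.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
EOF
    printf 'ifconfig-push 10.8.0.2 255.255.255.0\niroute 192.168.2.0 255.255.255.0\n' \
        > "$dir/tmp/openvpn/ccd/Client1"
}

# fix_fixture DIR
# The fix from the follow-up post: put the file where client-config-dir points.
fix_fixture() {
    dir=$1
    cp "$dir/tmp/openvpn/ccd/Client1" "$dir/jffs/etc/openvpn/ccd/Client1"
}

main() {
    work=$(mktemp -d)
    make_fixture "$work"
    echo "== before fix =="
    check_ccd_routes "$work/server.conf" || true
    fix_fixture "$work"
    echo "== after fix =="
    check_ccd_routes "$work/server.conf"
    rm -rf "$work"
}

main
```

Run it against a real config with `check_ccd_routes /tmp/openvpn/openvpn.conf` (or whatever path DD-WRT writes) on the router. It cannot tell you whether the file name equals the certificate CN, which is the other way an iroute silently fails to apply; confirm that by checking the "client-config-dir" lookup in the OpenVPN log at verb 3 or higher.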

laimison
OpenVpn Newbie
Posts: 1
Joined: Mon Feb 25, 2019 11:29 pm

Re: OpenVPN site-to-site routing

Post by laimison » Mon Feb 25, 2019 11:50 pm

Hi GeoVik,

I found this via a Google search.
Thank you so much for sharing how you solved your site-to-site issue. It helped me solve mine by using some details from here :)

Advice for everyone:

If you can, allow everything through the firewall on both sites while you are working (believe me, it will save you time):

iptables -I INPUT -j ACCEPT
iptables -I OUTPUT -j ACCEPT
iptables -I FORWARD -j ACCEPT

Use TUN (to me, TAP has a very specific purpose which is not needed in the majority of cases: keeping every IP in the same subnet on both sites ...)

You need to enable jffs.

As a minimum, the OpenVPN server should have this configuration in the "Additional Config" field:
push "route 192.168.250.0 255.255.255.0"
route 192.168.2.0 255.255.255.0

Also, the OpenVPN server should have:
# cat /jffs/etc/openvpn/ccd/client_user_name_here_or_check_certificate_name
ifconfig-push 10.0.250.4 255.255.255.0
iroute 192.168.2.0 255.255.255.0

So:
192.168.2.0 is the subnet on the client site
10.0.250.4 is the OpenVPN client IP address (you can find your IP address in the Status - OpenVPN section of the DD-WRT web UI on the client router)
10.0.250.0/24 is the subnet for VPN communication only

Interestingly, the client's configuration is basic. My "Additional Config" field is empty and site-to-site is working perfectly :)
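The minimal recipe in this reply has three addresses that must fit together: the client's VPN address inside the VPN subnet, and a client LAN that does not overlap the server LAN or the VPN subnet (overlapping LANs are a classic reason a tunnel comes up but return traffic goes nowhere). As an added example that is not part of either post, the POSIX sh generator below validates those relationships and then emits the server "Additional Config" lines, the ccd file, and FORWARD rules restricted to the two LANs, which is the tighter replacement for the allow-all rules once things work. It assumes "topology subnet" (so ifconfig-push takes an address and a netmask, as in the server config earlier in the thread) and the DD-WRT interface names br+ and tun+ from the rules quoted above; the addresses in the sample run are the ones quoted in this thread.

```shell
#!/bin/sh
# Added example, not from the original posts: build the server-side pieces
# for one site-to-site client after checking the subnets fit together.
# Assumes "topology subnet" and DD-WRT interface names br+ / tun+.

# ip2int A.B.C.D -> the address as an unsigned 32-bit decimal value
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_net IP NET MASK -> success if IP lies inside NET/MASK
in_net() {
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}

# overlaps NET1 MASK1 NET2 MASK2 -> success if the prefixes share any address.
# Two prefixes overlap exactly when they agree under the less specific mask,
# which for contiguous masks is MASK1 & MASK2.
overlaps() {
    m=$(( $(ip2int "$2") & $(ip2int "$4") ))
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$3") & m )) ]
}

# gen_site_to_site CN CLIENT_VPN_IP VPN_NET VPN_MASK SERVER_LAN SERVER_MASK CLIENT_LAN CLIENT_MASK
# Prints the config fragments on stdout; returns 1 (with a reason on stderr)
# if the addresses are inconsistent.
gen_site_to_site() {
    cn=$1; cip=$2; vnet=$3; vmask=$4; slan=$5; smask=$6; clan=$7; cmask=$8
    if ! in_net "$cip" "$vnet" "$vmask"; then
        echo "error: client VPN address $cip is not inside $vnet/$vmask" >&2; return 1
    fi
    if overlaps "$slan" "$smask" "$clan" "$cmask"; then
        echo "error: server LAN $slan/$smask overlaps client LAN $clan/$cmask" >&2; return 1
    fi
    if overlaps "$vnet" "$vmask" "$slan" "$smask"; then
        echo "error: VPN subnet $vnet/$vmask overlaps server LAN" >&2; return 1
    fi
    if overlaps "$vnet" "$vmask" "$clan" "$cmask"; then
        echo "error: VPN subnet $vnet/$vmask overlaps client LAN" >&2; return 1
    fi
    cat <<EOF
# --- server "Additional Config" ---
route $clan $cmask
push "route $slan $smask"
# --- /jffs/etc/openvpn/ccd/$cn (file name must equal the certificate CN) ---
ifconfig-push $cip $vmask
iroute $clan $cmask
# --- server firewall: forward only the two LANs across the tunnel ---
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD -i br+ -o tun+ -s $slan/$smask -d $clan/$cmask -j ACCEPT
iptables -I FORWARD -i tun+ -o br+ -s $clan/$cmask -d $slan/$smask -j ACCEPT
EOF
}

# Sample run with the addresses quoted in this thread.
gen_site_to_site Client1 10.0.250.4 10.0.250.0 255.255.255.0 \
    192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
```

The two FORWARD rules replace "iptables -I FORWARD -j ACCEPT" once the tunnel is confirmed working; they still let the client LAN reach the server LAN and back, but nothing arriving on tun+ can be forwarded to the WAN or to hosts outside the server LAN.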
