[Solved] LAN to LAN over OpenVPN tun (not bridged)

Samples of working configurations.


plbertrand
OpenVpn Newbie
Posts: 4
Joined: Tue Dec 29, 2015 8:19 pm

[Solved] LAN to LAN over OpenVPN tun (not bridged)

Post by plbertrand » Tue Dec 29, 2015 9:06 pm

Hi!

I'm trying to connect two routers using OpenVPN and allow machines on both sides of the routers to talk to each other. I currently have mixed success. I've learned quite a bit over the past two days about routing and iptables, but I'm really not well versed in it, so please bear with me ;). I'll describe the problems I currently encounter after describing the topology.

This is my setup:

Code:

Host1            Router            OpenVPN Server       Internet       OpenVPN Client      Router            Host2
TheBeast         MrJones           tun0                                tun1                Pitchounette      MBP
192.168.1.68     192.168.1.1       192.168.69.1         *      *       192.168.69.2        192.168.10.1      192.168.10.100

I'm able to have OpenVPN connect and set up the tunnel (tun0 on the server and tun1 on the client), but some machines cannot talk to each other.

MBP
  • Can ping 192.168.10.100
  • Can ping 192.168.10.1
  • Cannot ping 192.168.69.1
  • Can ping 192.168.69.2
  • Cannot ping 192.168.1.1
  • Cannot ping 192.168.1.68
Client
  • Can ping 192.168.10.100
  • Can ping 192.168.10.1
  • Can ping 192.168.69.1
  • Can ping 192.168.69.2
  • Can ping 192.168.1.1
  • Can ping 192.168.1.68
Server
  • Cannot ping 192.168.10.100
  • Cannot ping 192.168.10.1
  • Can ping 192.168.69.1
  • Can ping 192.168.69.2
  • Can ping 192.168.1.1
  • Can ping 192.168.1.68
TheBeast
  • Cannot ping 192.168.10.100
  • Cannot ping 192.168.10.1
  • Can ping 192.168.69.1
  • Can ping 192.168.69.2
  • Can ping 192.168.1.1
  • Can ping 192.168.1.68
I'd like to:
1) Start by debugging why the server cannot ping all hosts on the client side just like the client can.
2) Then I'd like to debug why MBP cannot ping 192.168.69.1,
3) which should then unlock pinging 192.168.1.1 and 192.168.1.68.
4) Finally, I'd like to have TheBeast able to ping MBP.

This is my server config:

Code:

root@Mr Jones:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         cpe-68-175-16-1 0.0.0.0         UG    0      0        0 vlan2
68.175.16.0     *               255.255.240.0   U     0      0        0 vlan2
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
169.254.0.0     *               255.255.0.0     U     0      0        0 br0
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
192.168.2.0     *               255.255.255.0   U     0      0        0 wl0.1
192.168.10.0    192.168.69.1    255.255.255.0   UG    0      0        0 tun0
192.168.69.0    *               255.255.255.0   U     0      0        0 tun0

root@Mr Jones:~# ip route
default via 68.175.16.1 dev vlan2 
68.175.16.0/20 dev vlan2  proto kernel  scope link  src 68.175.17.112 
127.0.0.0/8 dev lo  scope link 
169.254.0.0/16 dev br0  proto kernel  scope link  src 169.254.255.1 
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1 
192.168.2.0/24 dev wl0.1  proto kernel  scope link  src 192.168.2.1 
192.168.10.0/24 via 192.168.69.1 dev tun0 
192.168.69.0/24 dev tun0  proto kernel  scope link  src 192.168.69.1 

root@Mr Jones:~# iptables -nvL INPUT
Chain INPUT (policy ACCEPT 33930 packets, 5281K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 8224 1153K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194 
    0     0 DROP       tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 
    1    40 DROP       tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
    1    52 DROP       tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 
    0     0 DROP       tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:69 
    4   200 DROP       tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 
   20  1176 DROP       tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:23 
 1383  105K ACCEPT     0    --  tun0   *       0.0.0.0/0            0.0.0.0/0           

root@Mr Jones:~# iptables -nvL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   10   696 ACCEPT     0    --  *      *       192.168.69.0/24      192.168.1.0/24      
   10   696 ACCEPT     0    --  *      *       192.168.1.0/24       192.168.69.0/24     
    0     0 ACCEPT     0    --  tun0   br0     0.0.0.0/0            0.0.0.0/0           
    2   120 ACCEPT     0    --  br0    tun0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  *      *       192.168.69.0/24      0.0.0.0/0           
 146K   14M ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
  330 29533 ACCEPT     0    --  wl0.1  *       0.0.0.0/0            0.0.0.0/0           
 5899  201K lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  br0    br0     0.0.0.0/0            0.0.0.0/0           
 5899  201K ACCEPT     0    --  br0    vlan2   0.0.0.0/0            0.0.0.0/0           
    0     0 TRIGGER    0    --  vlan2  br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0 
    0     0 trigger_out  0    --  br0    *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW 

This is my client config:

Code:

root@Pitchounette:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.69.0    0.0.0.0         255.255.255.0   U     0      0        0 tun1
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 vlan2
192.168.1.0     192.168.69.1    255.255.255.0   UG    0      0        0 tun1
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 vlan2

root@Pitchounette:~# ip route
192.168.69.0/24 dev tun1  proto kernel  scope link  src 192.168.69.2 
192.168.2.0/24 dev vlan2  proto kernel  scope link  src 192.168.2.12 
192.168.1.0/24 via 192.168.69.1 dev tun1 
192.168.10.0/24 dev br0  proto kernel  scope link  src 192.168.10.1 
169.254.0.0/16 dev br0  proto kernel  scope link  src 169.254.255.1 
127.0.0.0/8 dev lo  scope link 
default via 192.168.2.1 dev vlan2 

root@Pitchounette:~# iptables -nvL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  993  133K ACCEPT     0    --  tun1   *       0.0.0.0/0            0.0.0.0/0           
19349 2248K logaccept  0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 logaccept  udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68 
    0     0 logdrop    udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           udp dpt:520 
    0     0 logdrop    udp  --  br0    *       0.0.0.0/0            0.0.0.0/0           udp dpt:520 
    0     0 logaccept  udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:520 
    0     0 logdrop    icmp --  vlan2  *       0.0.0.0/0            0.0.0.0/0           
    0     0 logdrop    2    --  *      *       0.0.0.0/0            0.0.0.0/0           
   21  1494 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW 
 4998  436K logaccept  0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW 
  524  154K logdrop    0    --  *      *       0.0.0.0/0            0.0.0.0/0           

root@Pitchounette:~# iptables -nvL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1064 89376 ACCEPT     0    --  *      tun1    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  tun1   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  *      *       192.168.69.0/24      192.168.10.0/24     
   15  1260 ACCEPT     0    --  *      *       192.168.10.0/24      192.168.69.0/24     
    0     0 ACCEPT     0    --  tun1   br0     0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  br0    tun1    0.0.0.0/0            0.0.0.0/0           
 133K   20M logaccept  0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 logaccept  47   --  *      vlan2   192.168.10.0/24      0.0.0.0/0           
    0     0 logaccept  tcp  --  *      vlan2   192.168.10.0/24      0.0.0.0/0           tcp dpt:1723 
 5697  358K lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 logaccept  0    --  br0    br0     0.0.0.0/0            0.0.0.0/0           
    0     0 TRIGGER    0    --  vlan2  br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0 
 5697  358K trigger_out  0    --  br0    *       0.0.0.0/0            0.0.0.0/0           
 5512  349K logaccept  0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW 
  185  9572 logdrop    0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Thank you very much in advance for looking into this rather long and involved question. Feel free to ask me for any clarification if I missed anything, along with the command to run.

Pierre-Luc

plbertrand
OpenVpn Newbie
Posts: 4
Joined: Tue Dec 29, 2015 8:19 pm

Re: LAN to LAN over OpenVPN tun (not bridged)

Post by plbertrand » Wed Dec 30, 2015 5:21 pm

Looking more into it, I'm even more baffled. I've added a logaccept rule for OUTPUT on the device tun0, and I see that it does go out with the right source address, destination address and sequence number in the log. Looking on the client side, though, does not show any lines.

On server side:

Code:

root@Mr Jones:~# iptables -nvL OUTPUT
Chain OUTPUT (policy ACCEPT 473K packets, 61M bytes)
 pkts bytes target     prot opt in     out     source               destination         
  876  343K logaccept  0    --  *      tun0    0.0.0.0/0            0.0.0.0/0       

Chain logaccept (6 references)
 pkts bytes target     prot opt in     out     source               destination         
  356 29904 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW LOG flags 0 level 4 prefix `ACCEPT ' 
 3556  557K ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0               

Code:

Dec 30 17:13:02 Mr Jones kern.warn kernel: ACCEPT IN= OUT=tun0 SRC=192.168.69.1 DST=192.168.10.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=58158 DF PROTO=ICMP TYPE=8 CODE=0 ID=4410 SEQ=0
Dec 30 17:13:03 Mr Jones kern.warn kernel: ACCEPT IN= OUT=tun0 SRC=192.168.69.1 DST=192.168.10.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=58246 DF PROTO=ICMP TYPE=8 CODE=0 ID=4410 SEQ=1
Dec 30 17:13:04 Mr Jones kern.warn kernel: ACCEPT IN= OUT=tun0 SRC=192.168.69.1 DST=192.168.10.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=58257 DF PROTO=ICMP TYPE=8 CODE=0 ID=4410 SEQ=2

On client side:

Code:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       icmp --  vlan2  *       0.0.0.0/0            0.0.0.0/0           
    6   504 logaccept  icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0            icmp --  !vlan2 *       0.0.0.0/0            0.0.0.0/0           
 1383  557K logaccept  0    --  tun1   *       0.0.0.0/0            0.0.0.0/0           
 1108  368K ACCEPT     0    --  tun1   *       0.0.0.0/0            0.0.0.0/0           
18372 3338K logaccept  0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 logaccept  udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68 
    0     0 logdrop    udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           udp dpt:520 
    0     0 logdrop    udp  --  br0    *       0.0.0.0/0            0.0.0.0/0           udp dpt:520 
    0     0 logaccept  udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:520 
    0     0 logdrop    icmp --  vlan2  *       0.0.0.0/0            0.0.0.0/0           
    0     0 logdrop    2    --  *      *       0.0.0.0/0            0.0.0.0/0           
   18  1194 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW 
12630 1063K logaccept  0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW 
 1034  339K logdrop    0    --  *      *       0.0.0.0/0            0.0.0.0/0           

And I cannot find anything in the log with a source of 192.168.69.1.

Thanks for your help again.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: LAN to LAN over OpenVPN tun (not bridged)

Post by Traffic » Wed Dec 30, 2015 5:38 pm

Can you post any OpenVPN configs or log files (at verb 4)?

plbertrand
OpenVpn Newbie
Posts: 4
Joined: Tue Dec 29, 2015 8:19 pm

Re: LAN to LAN over OpenVPN tun (not bridged)

Post by plbertrand » Wed Dec 30, 2015 6:33 pm

Sure! I left it out because I thought the VPN was working properly, but here it is.

Server:

Code:

verb 4

push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.69.1"
server 192.168.69.0 255.255.255.0

dev tun0
proto udp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

# Only use crl-verify if you are using the revoke list - otherwise leave it commented out
# crl-verify /tmp/openvpn/ca.crl

# management parameter allows DD-WRT's OpenVPN Status web page to access the server's management port
# port must be 5001 for scripts embedded in firmware to work
management localhost 5001

Since we are at it, are these two lines useful? I feel the dhcp-option might not be a good idea, since both routers should have their own DHCP and DNS lookup mechanisms. Not sure what server is meant for here.

Code:

push "dhcp-option DNS 192.168.69.1"
server 192.168.69.0 255.255.255.0

For the client I'm using the dd-wrt builtin OpenVPN client.

Code:

Device is TUN
Protocol is UDP
Cipher blowfish CBC
Hash sha1
user pass auth disabled
Advanced options enabled
LZO compression yes
NAT disabled
IP Address 192.168.69.0
Mask 255.255.255.0
Tunnel MTU 1400
Tunnel UDP MSS-Fix disabled

Everything else should be default.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: LAN to LAN over OpenVPN tun (not bridged)

Post by Traffic » Wed Dec 30, 2015 8:35 pm

At least we can see how you have configured openvpn ... that is what we support and recognise.

plbertrand wrote: "I'm trying to connect two routers using OpenVPN and allow machines on both sides of the routers to talk to each other"

I am not 100% positive (I have not tried to use openvpn on routers as you are), but I believe you need to run openvpn in a peer-to-peer configuration. This means you do not use the server/client model.

Something like this:
https://openvpn.net/index.php/open-sour ... howto.html

Or you can implement this solution, which is known to work in server/client model:
HOWTO: Expanding the scope of the VPN to include additional machines

plbertrand
OpenVpn Newbie
Posts: 4
Joined: Tue Dec 29, 2015 8:19 pm

Re: LAN to LAN over OpenVPN tun (not bridged)

Post by plbertrand » Sat Jan 02, 2016 4:19 am

Thanks a lot for your pointers. I've been hard at reading for the past five days, and it made me learn about iroute, which was the key to getting it working. I also stumbled upon a post that had the exact same problem as I did here: topic15768.html. Hope these two posts can help.

For future reference: the single issue I had was the missing iroute in the ccd file.
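The route/iroute pairing behind that fix, as an added example that is not from the thread, DD-WRT or OpenVPN itself: a small checker that reads a server.conf and its ccd files and reports a `route` to a client-side LAN with no matching `iroute` (the situation above: the kernel sends the packet into tun0, but OpenVPN does not know which client owns 192.168.10.0/24 and drops it), an `iroute` with no kernel `route`, and a missing `client-config-dir`. The ccd path /tmp/openvpn/ccd and the client CN "pitchounette" are assumptions.

```python
"""Checker for the OpenVPN server-side pairing the thread ends on: a LAN
behind a client needs BOTH `route` (kernel -> tun) in server.conf and
`iroute` in that client's ccd file (OpenVPN -> which client owns the subnet).
The ccd path and client CN "pitchounette" are constructed for this example."""
import ipaddress
import shlex

def parse_directives(text):
    """Yield (directive, args) per non-comment line; shlex handles push "...". """
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            parts = shlex.split(line)
            yield parts[0], parts[1:]

def to_net(addr, mask="255.255.255.255"):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def check_iroutes(server_conf, ccd_files):
    """server_conf: server.conf text; ccd_files: {client_cn: ccd text}.
    Returns a list of findings; an empty list means route/iroute agree."""
    directives = list(parse_directives(server_conf))
    routes = {to_net(*a[:2]) for d, a in directives if d == "route" and a}
    has_ccd = any(d == "client-config-dir" for d, _ in directives)
    iroutes = {}
    for cn, text in ccd_files.items():
        for d, a in parse_directives(text):
            if d == "iroute" and a:
                iroutes[to_net(*a[:2])] = cn
    findings = []
    if routes and not has_ccd:
        findings.append("client-config-dir missing: no ccd file will be read")
    for n in routes - set(iroutes):
        findings.append(f"route {n}: no iroute in any ccd (OpenVPN drops it)")
    for n in set(iroutes) - routes:
        findings.append(f"iroute {n} ({iroutes[n]}): no matching route in server.conf")
    return findings

# Constructed configs: BEFORE mirrors the thread's server config plus a route
# for the client's LAN; AFTER adds client-config-dir and the ccd iroute.
BEFORE = """push "route 192.168.1.0 255.255.255.0"
server 192.168.69.0 255.255.255.0
route 192.168.10.0 255.255.255.0
dev tun0
"""
AFTER = BEFORE + "client-config-dir /tmp/openvpn/ccd\n"  # assumed path
CCD_AFTER = {"pitchounette": "iroute 192.168.10.0 255.255.255.0\n"}
```

Running check_iroutes(BEFORE, {}) reports both the missing client-config-dir and the route without iroute; check_iroutes(AFTER, CCD_AFTER) returns an empty list.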

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: LAN to LAN over OpenVPN tun (not bridged)

Post by Traffic » Mon Jan 04, 2016 10:05 pm

Excellent .. thanks for letting us know 8-)
