Buffalo DD-WRT VPN client can't ping LAN, and other issues

grafical
OpenVpn Newbie
Posts: 3
Joined: Sun Jun 30, 2013 2:32 pm

Buffalo DD-WRT VPN client can't ping LAN, and other issues

Post by grafical » Sun Jun 30, 2013 5:50 pm

I've just spent the last 2 days reading several hundred pages and sites trying to set up a TUN VPN on the Buffalo WZR-300HP with DD-WRT v24SP2-MULTI (07/09/12) std - build 19438 preinstalled. I've reached varying stages of success, but with each piece of anecdotal info I find in my research, either it doesn't work or it breaks something else. There are also a few strange anomalies, which I've pointed out below.

My current config is as follows:

iptables on the Buffalo router. Currently empty. I reset the router during my testing and haven't added any iptables rules.

non-VPN subnet - 192.168.53.0
VPN subnet - 192.168.8.0

OpenVPN server config on the Buffalo DD-WRT (done by GUI)

start type: system
mode: router (TUN)
network: 192.168.8.0
netmask: 255.255.255.0
port: 1194
protocol: udp
cipher: AES-256 CBC
hash: SHA256
tls: none
LZO-compression: yes
redirect default gateway: yes
allow client to client: yes
allow duplicate cn: no
MTU: 1500
MSS-Fix/Fragment: blank

additional config:
push "route 192.168.8.0 255.255.255.0";
push "redirect-gateway def1"
keepalive 10 120 (I think this is the default anyway, but I included it)

Now my testing:
the client (a rooted Android phone connected to the Buffalo router via wi-fi, so for now it's on the LAN)

client
dev tun0
proto udp
remote 192.168.8.1 1194
keepalive 10 120
cipher AES-256-CBC
auth SHA256
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
float
ca /sdcard/openvpn/ca.crt
cert /sdcard/openvpn/andrd.crt
key /sdcard/openvpn/andrd.crt

This connects and authenticates almost instantly. I can ping 192.168.8.1 and 192.168.53.1.
I can also ping the cable provider's upstream router (67.x.y.1) and I can ping yahoo.com by name.

However, when I traceroute the cable provider's upstream router, the first hop is 192.168.53.1, and the second/final hop is 10.240.x.y.
If traffic were going through the VPN, wouldn't the first hop be the VPN gateway at 192.168.8.1?
And isn't 10.240.x.y a private range? Is that what I should be seeing there? I would have expected the second/final hop to be the 67.x.y.1 address of my upstream router.


Next, I disable wifi on the phone so I can get a T-Mobile data IP to test the VPN from outside. The client config is identical to above, except for the remote address being changed to my external IP address.

Again, it connects fairly quickly. Once it's connected, I can ping yahoo.com by name and IP and I get proper replies back.

However, when I ping 192.168.8.1 and 192.168.53.1 I get no replies.
When I try to traceroute 192.168.53.1 the first hop is, again, a 10.170.x.y address. Isn't that also a private range? After that it's just rows of * * * until I kill it.
When I try to traceroute yahoo.com, the first 8 hops are in the 10.170, 10.164, and 10.177 ranges, after which it goes out to 4.59.20.105 which it shows as Level3.net and then continues on until it reaches yahoo.com. I'm not sure why the first 8 are private addresses and then it starts showing public addresses.

Also, here's a bit of (maybe unrelated) weirdness. When I try to ping google.com while connected to the VPN via T-Mobile, this is what I get back:
# ping google.com
PING google.com (208.54.87.57) 56(84) bytes of data.
64 bytes from m395736d0.tmodns.net (208.54.87.57): icmp_seq=1 ttl=56 time=280ms
64 bytes from m395736d0.tmodns.net (208.54.87.57): icmp_seq=2 ttl=56 time=260ms
64 bytes from m395736d0.tmodns.net (208.54.87.57): icmp_seq=3 ttl=56 time=247ms
and so on... As far as I can tell, that IP address is not Google. It's something from T-Mobile. So is this also showing that DNS is not coming from my cable provider, but instead is coming from the cell network, which means traffic isn't going through the VPN again?

In any case, here's a chunk of the connection log from the router itself:

Serverlog 20130630 13:20:21 Diffie-Hellman initialized with 1024 bit key
20130630 13:20:21 W WARNING: file '/tmp/openvpn/key.pem' is group or others accessible
20130630 13:20:21 TLS-Auth MTU parms [ L:1570 D:138 EF:38 EB:0 ET:0 EL:0 ]
20130630 13:20:21 Socket Buffers: R=[163840->131072] S=[163840->131072]
20130630 13:20:21 I TUN/TAP device tun2 opened (Not sure why tun2 when client config says tun0)
20130630 13:20:21 TUN/TAP TX queue length set to 100
20130630 13:20:21 I /sbin/ifconfig tun2 192.168.8.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.8.255
20130630 13:20:22 Data Channel MTU parms [ L:1570 D:1450 EF:70 EB:135 ET:0 EL:0 AF:3/1 ]
20130630 13:20:22 I UDPv4 link local (bound): [undef]:1194
20130630 13:20:22 I UDPv4 link remote: [undef]
20130630 13:20:22 MULTI: multi_init called r=256 v=256
20130630 13:20:22 IFCONFIG POOL: base=192.168.8.2 size=252
20130630 13:20:22 IFCONFIG POOL LIST
20130630 13:20:22 andrd 192.168.8.2
20130630 13:20:22 I Initialization Sequence Completed
20130630 13:21:57 MULTI: multi_create_instance called
20130630 13:21:57 I MY.CELLULAR.DATA.IP:27107 Re-using SSL/TLS context
20130630 13:21:57 I MY.CELLULAR.DATA.IP:27107 LZO compression initialized
20130630 13:21:57 MY.CELLULAR.DATA.IP:27107 Control Channel MTU parms [ L:1570 D:138 EF:38 EB:0 ET:0 EL:0 ]
20130630 13:21:57 MY.CELLULAR.DATA.IP:27107 Data Channel MTU parms [ L:1570 D:1450 EF:70 EB:135 ET:0 EL:0 AF:3/1 ]
20130630 13:21:57 MY.CELLULAR.DATA.IP:27107 Local Options String: 'V4 dev-type tun link-mtu 1570 tun-mtu 1500 proto UDPv4 comp-lzo cipher AES-256-CBC auth SHA256 keysize 256 key-method 2 tls-server'
20130630 13:21:57 MY.CELLULAR.DATA.IP:27107 Expected Remote Options String: 'V4 dev-type tun link-mtu 1570 tun-mtu 1500 proto UDPv4 comp-lzo cipher AES-256-CBC auth SHA256 keysize 256 key-method 2 tls-client'
20130630 13:21:57 MY.CELLULAR.DATA.IP:27107 Local Options hash (VER=V4): '79a26cd9'
20130630 13:21:57 MY.CELLULAR.DATA.IP:27107 Expected Remote Options hash (VER=V4): 'fc8ba345'
20130630 13:21:57 MY.CELLULAR.DATA.IP:27107 TLS: Initial packet from MY.CELLULAR.DATA.IP:27107 sid=c7f4e95e ad11aa07
20130630 13:22:09 MY.CELLULAR.DATA.IP:27107 VERIFY OK: depth=1 REMOVED IDENTS HERE BECAUSE THEY WERE CAUSING A PROBLEM WITH THE EMAIL ADDRESS
20130630 13:22:09 MY.CELLULAR.DATA.IP:27107 VERIFY OK: depth=0 REMOVED IDENTS HERE BECAUSE THEY WERE CAUSING A PROBLEM WITH THE EMAIL ADDRESS
20130630 13:22:10 MY.CELLULAR.DATA.IP:27107 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
20130630 13:22:10 MY.CELLULAR.DATA.IP:27107 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
20130630 13:22:10 MY.CELLULAR.DATA.IP:27107 NOTE: --mute triggered...
20130630 13:22:11 MY.CELLULAR.DATA.IP:27107 3 variation(s) on previous 5 message(s) suppressed by --mute
20130630 13:22:11 I MY.CELLULAR.DATA.IP:27107 [andrd] Peer Connection Initiated with MY.CELLULAR.DATA.IP:27107
20130630 13:22:11 andrd/MY.CELLULAR.DATA.IP:27107 MULTI: Learn: 192.168.8.2 -> andrd/MY.CELLULAR.DATA.IP:27107
20130630 13:22:11 andrd/MY.CELLULAR.DATA.IP:27107 MULTI: primary virtual IP for andrd/MY.CELLULAR.DATA.IP:27107: 192.168.8.2
20130630 13:22:12 andrd/MY.CELLULAR.DATA.IP:27107 PUSH: Received control message: 'PUSH_REQUEST'
20130630 13:22:12 andrd/MY.CELLULAR.DATA.IP:27107 SENT CONTROL [andrd]: 'PUSH_REPLY redirect-gateway def1 route 192.168.8.0 255.255.255.0 redirect-gateway def1 route-gateway 192.168.8.1 topology subnet ping 10 ping-restart 120 ifconfig 192.168.8.2 255.255.255.0' (status=1)
20130630 13:27:33 MANAGEMENT: Client connected from 127.0.0.1:5002
20130630 13:27:33 D MANAGEMENT: CMD 'state'
20130630 13:27:33 MANAGEMENT: Client disconnected
20130630 13:27:33 MANAGEMENT: Client connected from 127.0.0.1:5002
20130630 13:27:33 D MANAGEMENT: CMD 'state'
20130630 13:27:34 MANAGEMENT: Client disconnected
20130630 13:27:34 MANAGEMENT: Client connected from 127.0.0.1:5002
20130630 13:27:34 D MANAGEMENT: CMD 'state'
20130630 13:27:34 MANAGEMENT: Client disconnected
20130630 13:27:34 MANAGEMENT: Client connected from 127.0.0.1:5002
20130630 13:27:34 D MANAGEMENT: CMD 'status 2'
20130630 13:27:34 MANAGEMENT: Client disconnected
20130630 13:27:34 MANAGEMENT: Client connected from 127.0.0.1:5002
20130630 13:27:34 D MANAGEMENT: CMD 'log 500'


Basically, what I want to be able to do is connect to my home network while out of the house, using my cellphone and also a Linux Mint laptop. I'd like to be able to use VNC inside the VPN to control specific Windows machines on the network, and also possibly to copy files, access a file share, etc. I'm actually not sure if TUN is the way I should even be going, or if I should be using TAP for this, but I've also experimented with TAP and got similar issues with being unable to ping my internal gateways, etc. I'm hoping someone here can help me with what I suspect is a routing and/or firewall issue on the router itself. I'm about ready to throw things over here, though, because I'm making no progress. Any additional info you need me to paste, please let me know, and thanks in advance for your help!

graf

grafical
OpenVpn Newbie
Posts: 3
Joined: Sun Jun 30, 2013 2:32 pm

Re: Buffalo DD-WRT VPN client can't ping LAN, and other issues

Post by grafical » Sun Jun 30, 2013 6:11 pm

Actually, in my original post, when I said iptables was empty, that's not correct. I haven't added any custom rules to the firewall after I reset the router, but here is the output of 'iptables -L':

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:1194
ACCEPT 0 -- anywhere anywhere
DROP udp -- anywhere anywhere udp dpt:route
DROP udp -- anywhere anywhere udp dpt:route
ACCEPT udp -- anywhere anywhere udp dpt:route
DROP icmp -- anywhere anywhere
DROP igmp -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state NEW
ACCEPT 0 -- anywhere anywhere state NEW
DROP 0 -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT gre -- 192.168.53.0/24 anywhere
ACCEPT tcp -- 192.168.53.0/24 anywhere tcp dpt:1723
ACCEPT 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
lan2wan 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
TRIGGER 0 -- anywhere anywhere TRIGGER type:in match:0 relate:0
trigger_out 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state NEW
DROP 0 -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain advgrp_1 (0 references)
target prot opt source destination
Chain advgrp_10 (0 references)
target prot opt source destination
Chain advgrp_2 (0 references)
target prot opt source destination
Chain advgrp_3 (0 references)
target prot opt source destination
Chain advgrp_4 (0 references)
target prot opt source destination
Chain advgrp_5 (0 references)
target prot opt source destination
Chain advgrp_6 (0 references)
target prot opt source destination
Chain advgrp_7 (0 references)
target prot opt source destination
Chain advgrp_8 (0 references)
target prot opt source destination
Chain advgrp_9 (0 references)
target prot opt source destination
Chain grp_1 (0 references)
target prot opt source destination
Chain grp_10 (0 references)
target prot opt source destination
Chain grp_2 (0 references)
target prot opt source destination
Chain grp_3 (0 references)
target prot opt source destination
Chain grp_4 (0 references)
target prot opt source destination
Chain grp_5 (0 references)
target prot opt source destination
Chain grp_6 (0 references)
target prot opt source destination
Chain grp_7 (0 references)
target prot opt source destination
Chain grp_8 (0 references)
target prot opt source destination
Chain grp_9 (0 references)
target prot opt source destination
Chain lan2wan (1 references)
target prot opt source destination
Chain logaccept (0 references)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere
Chain logdrop (0 references)
target prot opt source destination
DROP 0 -- anywhere anywhere
Chain logreject (0 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
Chain trigger_out (1 references)
target prot opt source destination
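A first-match walk through the INPUT chain listed above, as an added example (not code from the thread or from DD-WRT). `iptables -L` without `-v` hides the in-interface (`-i`) column, so the listing alone does not say which interface the two bare `ACCEPT` lines, the two `state NEW` accepts and the `DROP icmp` rule are bound to; the interface values in `build_input_chain` are therefore assumptions, labelled as such, and the parameters let you model the alternatives. What the walk shows is the mechanism: the kernel stops at the first terminating rule, so whether an ICMP echo arriving over the tunnel interface reaches the router is decided entirely by whether some rule before the final `DROP` admits that interface. Run `iptables -L INPUT -v -n` on the router to replace the assumptions with the real interface matches; the same reasoning applies to the FORWARD chain for traffic bound for LAN hosts.

```python
"""First-match simulation of an iptables chain (added example, not from the
post).  Interface bindings below are ASSUMPTIONS: `iptables -L` hides them."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                  # "icmp", "udp", "tcp", "igmp"
    in_iface: str               # interface the packet arrived on
    state: str = "NEW"          # conntrack state as iptables sees it
    dport: Optional[int] = None  # destination port, if any


@dataclass(frozen=True)
class Rule:
    target: str
    proto: Optional[str] = None            # None = any protocol ("0" in -L output)
    in_iface: Optional[str] = None         # None = any interface
    states: Optional[FrozenSet[str]] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.in_iface is not None and self.in_iface != p.in_iface:
            return False
        if self.states is not None and p.state not in self.states:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def build_input_chain(loopback: str = "lo", lan: str = "br0",
                      icmp_drop_iface: Optional[str] = "vlan2") -> List[Rule]:
    """The INPUT chain from the post, in listing order.

    ASSUMED (not visible in `iptables -L`): the bare ACCEPT is `-i lo`, the two
    `state NEW` ACCEPTs are `-i br0` and `-i lo`, and the ICMP DROP is bound to
    the WAN interface.  Pass icmp_drop_iface=None to model an ICMP drop that
    applies to every interface.
    """
    established = frozenset({"RELATED", "ESTABLISHED"})
    new = frozenset({"NEW"})
    return [
        Rule("ACCEPT", states=established),            # 1
        Rule("ACCEPT", proto="udp", dport=1194),       # 2  OpenVPN
        Rule("ACCEPT", in_iface=loopback),             # 3  assumed -i lo
        Rule("DROP", proto="udp", dport=520),          # 4  "route" = RIP, udp/520
        Rule("DROP", proto="udp", dport=520),          # 5
        Rule("ACCEPT", proto="udp", dport=520),        # 6
        Rule("DROP", proto="icmp", in_iface=icmp_drop_iface),  # 7  assumed WAN-bound
        Rule("DROP", proto="igmp"),                    # 8
        Rule("ACCEPT", in_iface=lan, states=new),      # 9  assumed -i br0
        Rule("ACCEPT", in_iface=loopback, states=new),  # 10 assumed -i lo
        Rule("DROP"),                                  # 11 catch-all
    ]


def evaluate(chain: List[Rule], packet: Packet,
             policy: str = "ACCEPT") -> Tuple[str, Optional[int]]:
    """Return (verdict, 1-based rule index).  The first matching terminating
    rule wins, exactly as the kernel walks a chain; the chain policy is used
    only when nothing matched."""
    for idx, rule in enumerate(chain, start=1):
        if rule.matches(packet):
            return rule.target, idx
    return policy, None


if __name__ == "__main__":
    chain = build_input_chain()
    probes = {
        "ICMP echo from LAN (br0)":        Packet("icmp", "br0"),
        "ICMP echo from VPN client (tun2)": Packet("icmp", "tun2"),
        "OpenVPN handshake on WAN (vlan2)": Packet("udp", "vlan2", dport=1194),
        "ICMP reply on tun2 (ESTABLISHED)": Packet("icmp", "tun2", state="ESTABLISHED"),
    }
    for label, pkt in probes.items():
        verdict, idx = evaluate(chain, pkt)
        print(f"{label:36s} -> {verdict} (rule {idx})")
```

Under the stated assumptions, the walk ends at the final catch-all for a new ICMP echo arriving on tun2 while the same echo arriving on br0 is accepted by the `state NEW` rule; if the verbose listing confirms that no rule names the tunnel interface, the chain needs one that does, placed before the catch-all.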

grafical
OpenVpn Newbie
Posts: 3
Joined: Sun Jun 30, 2013 2:32 pm

Re: Buffalo DD-WRT VPN client can't ping LAN, and other issues

Post by grafical » Sun Jun 30, 2013 7:15 pm

I should have also included the current routing table; my bad:


Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         1.2.3.1         0.0.0.0         UG    0      0        0 vlan2
1.2.3.0         0.0.0.0         255.255.252.0   U     0      0        0 vlan2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 br0
192.168.8.0     0.0.0.0         255.255.255.0   U     0      0        0 tun2
192.168.53.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
239.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 br0
1.2.3.1 replaces my cable provider's upstream router
1.2.3.0 replaces my cable provider's subnet
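An added example (not from the thread) that parses the routing table above, resolves a destination the way the kernel does (longest prefix wins), and classifies traceroute hops by address scope, which is what the first post's questions about the 10.240.x.y and 10.170.x.y hops come down to. The router table is the one posted, with the 1.2.3.x placeholders kept. The client table is constructed: it is what a phone's `route -n` could look like after the PUSH_REPLY shown in the server log, where `redirect-gateway def1` installs 0.0.0.0/1 and 128.0.0.0/1 via 192.168.8.1 on top of the carrier's default route, and a /32 host route keeps the VPN server's own public address (203.0.113.7 here, a placeholder) reachable outside the tunnel. The interface name `rmnet0` and the 10.170.0.0/16 carrier network are also assumptions.

```python
"""Route lookup and hop classification (added example, not from the post)."""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Router table as posted (1.2.3.x are the poster's placeholders).
ROUTER_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         1.2.3.1         0.0.0.0         UG    0      0        0 vlan2
1.2.3.0         0.0.0.0         255.255.252.0   U     0      0        0 vlan2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 br0
192.168.8.0     0.0.0.0         255.255.255.0   U     0      0        0 tun2
192.168.53.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
239.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 br0
"""

# CONSTRUCTED client table after `redirect-gateway def1`: the two /1 routes
# via 192.168.8.1 beat the carrier default without deleting it, and the /32
# host route to the (placeholder) VPN server address stays on the carrier.
CLIENT_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.170.0.1      0.0.0.0         UG    0      0        0 rmnet0
0.0.0.0         192.168.8.1     128.0.0.0       UG    0      0        0 tun0
128.0.0.0       192.168.8.1     128.0.0.0       UG    0      0        0 tun0
10.170.0.0      0.0.0.0         255.255.0.0     U     0      0        0 rmnet0
192.168.8.0     0.0.0.0         255.255.255.0   U     0      0        0 tun0
203.0.113.7     10.170.0.1      255.255.255.255 UGH   0      0        0 rmnet0
"""

Route = Tuple[object, Optional[str], str]  # (network, gateway or None, iface)


def parse_route_table(text: str) -> List[Route]:
    """Turn `route -n` output into (network, gateway, iface); a 0.0.0.0
    gateway means the destination is on-link, stored as None."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "Destination":
            continue  # title line, header line, blank line
        dest, gw, mask, _flags, _metric, _ref, _use, iface = parts
        net = ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, None if gw == "0.0.0.0" else gw, iface))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[dict]:
    """Longest-prefix match: the most specific matching route wins, so a /32
    host route beats a /16, which beats the /1 pair, which beats 0.0.0.0/0."""
    addr = ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None
    return {"network": str(best[0]), "via": best[1], "iface": best[2]}


# Address scopes a traceroute hop can fall into.  RFC 1918 space and
# 100.64.0.0/10 (carrier-grade NAT, RFC 6598) are both routinely seen inside
# mobile and cable operator networks before the first public hop.
SCOPES = [
    ("rfc1918", [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]),
    ("cgnat", [ip_network("100.64.0.0/10")]),
    ("link-local", [ip_network("169.254.0.0/16")]),
    ("multicast", [ip_network("224.0.0.0/4")]),
]


def scope(hop: str) -> str:
    addr = ip_address(hop)
    for name, nets in SCOPES:
        if any(addr in n for n in nets):
            return name
    return "public"


if __name__ == "__main__":
    router, client = parse_route_table(ROUTER_TABLE), parse_route_table(CLIENT_TABLE)
    print("router -> 192.168.8.2 :", lookup(router, "192.168.8.2"))
    print("client -> 67.10.20.1  :", lookup(client, "67.10.20.1"))   # placeholder upstream
    print("client -> 203.0.113.7 :", lookup(client, "203.0.113.7"))  # VPN server itself
    # Constructed hops modelled on the traceroute described in the first post.
    for hop in ["10.170.44.1", "10.164.3.9", "10.177.1.2", "4.59.20.105"]:
        print(f"{hop:14s} {scope(hop)}")
```

The client lookup makes the first post's expectation concrete: with the two /1 routes present, any destination not covered by a more specific route leaves via tun0 with 192.168.8.1 as the first hop, and only the VPN server's own address and the carrier's on-link network stay on the mobile interface. A traceroute whose first hop is the LAN gateway therefore means the probe matched some other, more specific route on the client, which `route -n` (or `ip route`) on the client will show. The hop classification separates the question "is 10.x private?" (it is, RFC 1918) from "is the traffic inside the tunnel?", which only the route lookup answers.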
