I'm torturing myself with site to site VPN and i'm now pulling my hairs because i'm out of idea.
Computers on the client side can talk to computers on the remote side (Ping, SMB shares)
Computers on the server side cannot talk to computers on the client side. (Pings times out)
OpenVPN server uses subnet 192.168.6.0/24 powered by Synology SRM
OpenVPN client uses subnet 192.168.5.0/24 powered by Asuswrt-Merlin
Configuration of the OpenVPN server
Code: Select all
push "route 192.168.200.0 255.255.255.0"
push "route 192.168.6.0 255.255.255.0"
route 192.168.5.0 255.255.255.0
dev tun
management 127.0.0.1 1195
server 192.168.200.0 255.255.255.0
dh /var/packages/VPNCenter/target/etc/openvpn/keys/dh1024.pem
ca /var/packages/VPNCenter/target/etc/openvpn/keys/ca.crt
cert /var/packages/VPNCenter/target/etc/openvpn/keys/server.crt
key /var/packages/VPNCenter/target/etc/openvpn/keys/server.key
max-clients 3
comp-lzo
persist-tun
persist-key
verb 3
#log-append /var/log/openvpn.log
keepalive 10 60
reneg-sec 0
plugin /var/packages/VPNCenter/target/lib/radiusplugin.so /var/packages/VPNCenter/target/etc/openvpn/radiusplugin.cnf
client-cert-not-required
username-as-common-name
duplicate-cn
status /tmp/ovpn_status_2_result 30
status-version 2
proto udp
port 1194
Code: Select all
ifconfig-push 192.168.200.6 255.255.255.0
iroute 192.168.5.0 255.255.255.0
Code: Select all
daemon
client
dev tun11
proto udp
remote dnsnameofremote.dns 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo adaptive
script-security 2
route-delay 2
route-up vpnrouting.sh
route-pre-down vpnrouting.sh
verb 3
ca ca.crt
auth-user-pass up
status-version 2
status status 10
# Custom Configuration
tls-client
script-security 2
reneg-sec 0
keepalive 10 60
persist-key
persist-tun
Code: Select all
#!/bin/sh
PARAM=$*
if [ "$PARAM" == "" ]
then
# Add paramaters equivalent to those passed for up command
PARAM="$dev $tun_mtu $link_mtu $ifconfig_local $ifconfig_remote"
fi
create_client_list(){
IFS="<"
for ENTRY in $VPN_IP_LIST
do
if [ "$ENTRY" = "" ]
then
continue
fi
TARGET_ROUTE=$(echo $ENTRY | cut -d ">" -f 4)
if [ "$TARGET_ROUTE" = "WAN" ]
then
TARGET_LOOKUP="main"
WAN_PRIO=$((WAN_PRIO+1))
RULE_PRIO=$WAN_PRIO
TARGET_NAME="WAN"
else
TARGET_LOOKUP=$VPN_TBL
VPN_PRIO=$((VPN_PRIO+1))
RULE_PRIO=$VPN_PRIO
TARGET_NAME="VPN client "$VPN_UNIT
fi
VPN_IP=$(echo $ENTRY | cut -d ">" -f 2)
if [ "$VPN_IP" != "0.0.0.0" ]
then
SRCC="from"
SRCA="$VPN_IP"
else
SRCC=""
SRCA=""
fi
DST_IP=$(echo $ENTRY | cut -d ">" -f 3)
if [ "$DST_IP" != "0.0.0.0" ]
then
DSTC="to"
DSTA="$DST_IP"
else
DSTC=""
DSTA=""
fi
if [ "$SRCC" != "" -o "$DSTC" != "" ]
then
ip rule add $SRCC $SRCA $DSTC $DSTA table $TARGET_LOOKUP priority $RULE_PRIO
logger -t "openvpn-routing" "Adding route for $VPN_IP to $DST_IP through $TARGET_NAME"
fi
done
IFS=$OLDIFS
}
purge_client_list(){
IP_LIST=$(ip rule show | cut -d ":" -f 1)
for PRIO in $IP_LIST
do
if [ $PRIO -ge $START_PRIO -a $PRIO -le $END_PRIO ]
then
ip rule del prio $PRIO
logger -t "openvpn-routing" "Removing rule $PRIO from routing policy"
fi
done
}
run_custom_script(){
if [ -f /jffs/scripts/openvpn-event ]
then
logger -t "custom script" "Running /jffs/scripts/openvpn-event (args: $PARAM)"
sh /jffs/scripts/openvpn-event $PARAM
fi
}
init_table(){
logger -t "openvpn-routing" "Creating VPN routing table"
ip route flush table $VPN_TBL
# Fill it with copy of existing main table
ip route show table main | while read ROUTE
do
ip route add table $VPN_TBL $ROUTE
done
}
# Begin
if [ "$dev" == "tun11" ]
then
VPN_IP_LIST=$(nvram get vpn_client1_clientlist)
VPN_REDIR=$(nvram get vpn_client1_rgw)
VPN_FORCE=$(nvram get vpn_client1_enforce)
VPN_UNIT=1
elif [ "$dev" == "tun12" ]
then
VPN_IP_LIST=$(nvram get vpn_client2_clientlist)
VPN_REDIR=$(nvram get vpn_client2_rgw)
VPN_FORCE=$(nvram get vpn_client2_enforce)
VPN_UNIT=2
elif [ "$dev" == "tun13" ]
then
VPN_IP_LIST=$(nvram get vpn_client3_clientlist)
VPN_REDIR=$(nvram get vpn_client3_rgw)
VPN_FORCE=$(nvram get vpn_client3_enforce)
VPN_UNIT=3
elif [ "$dev" == "tun14" ]
then
VPN_IP_LIST=$(nvram get vpn_client4_clientlist)
VPN_REDIR=$(nvram get vpn_client4_rgw)
VPN_FORCE=$(nvram get vpn_client4_enforce)
VPN_UNIT=4
elif [ "$dev" == "tun15" ]
then
VPN_IP_LIST=$(nvram get vpn_client5_clientlist)
VPN_REDIR=$(nvram get vpn_client5_rgw)
VPN_FORCE=$(nvram get vpn_client5_enforce)
VPN_UNIT=5
else
run_custom_script
exit 0
fi
VPN_TBL="ovpnc"$VPN_UNIT
START_PRIO=$((10000+(200*($VPN_UNIT-1))))
END_PRIO=$(($START_PRIO+199))
WAN_PRIO=$START_PRIO
VPN_PRIO=$(($START_PRIO+100))
export VPN_GW VPN_IP VPN_TBL VPN_FORCE
# webui reports that vpn_force changed while vpn client was down
if [ $script_type = "rmupdate" ]
then
logger -t "openvpn-routing" "Refreshing policy rules for client $VPN_UNIT"
purge_client_list
if [ $VPN_FORCE == "1" -a $VPN_REDIR == "2" ]
then
init_table
logger -t "openvpn-routing" "Tunnel down - VPN client access blocked"
ip route del default table $VPN_TBL
ip route add prohibit default table $VPN_TBL
create_client_list
else
logger -t "openvpn-routing" "Allow WAN access to all VPN clients"
ip route flush table $VPN_TBL
fi
ip route flush cache
exit 0
fi
if [ $script_type == "route-up" -a $VPN_REDIR != "2" ]
then
logger -t "openvpn-routing" "Skipping, client $VPN_UNIT not in routing policy mode"
run_custom_script
exit 0
fi
logger -t "openvpn-routing" "Configuring policy rules for client $VPN_UNIT"
if [ $script_type == "route-pre-down" ]
then
purge_client_list
if [ $VPN_FORCE == "1" -a $VPN_REDIR == "2" ]
then
logger -t "openvpn-routing" "Tunnel down - VPN client access blocked"
ip route change prohibit default table $VPN_TBL
create_client_list
else
ip route flush table $VPN_TBL
logger -t "openvpn-routing" "Flushing client routing table"
fi
fi # End route down
if [ $script_type == "route-up" ]
then
init_table
# Delete existing VPN routes that were pushed by server on table main
NET_LIST=$(ip route show|awk '$2=="via" && $3==ENVIRON["route_vpn_gateway"] && $4=="dev" && $5==ENVIRON["dev"] {print $1}')
for NET in $NET_LIST
do
ip route del $NET dev $dev
logger -t "openvpn-routing" "Removing route for $NET to $dev from main routing table"
done
# Unsure if necessary, but most policy-based routing scripts disable reverse path filtering
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done
# Update policy rules
purge_client_list
create_client_list
# Setup table default route
if [ "$VPN_IP_LIST" != "" ]
then
if [ "$VPN_FORCE" == "1" ]
then
logger -t "openvpn-routing" "Tunnel re-established, restoring WAN access to clients"
fi
ip route del default table $VPN_TBL
ip route add default via $route_vpn_gateway table $VPN_TBL
fi
if [ "$route_net_gateway" != "" ]
then
ip route del default
ip route add default via $route_net_gateway
fi
fi # End route-up
ip route flush cache
logger -t "openvpn-routing" "Completed routing policy configuration for client $VPN_UNIT"
run_custom_script
exit 0
Client side, doing "iptables -nvL FORWARD -t filter |grep tun" shows that no packets are counted there
client iptables -nvL FORWARD -t filter |grep tun
Code: Select all
0 0 ACCEPT all -- tun11 br0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun11 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun11 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun11 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br0 tun11 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun11 br0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br0 tun11 0.0.0.0/0 0.0.0.0/0