Server on second router in the same LAN

jarul777
OpenVpn Newbie
Posts: 5
Joined: Mon Jan 02, 2017 12:35 pm

Server on second router in the same LAN

Post by jarul777 » Mon Jan 02, 2017 12:42 pm

Hello, I have two routers with OpenWRT and I have OpenVPN server on second one. The way from the internet is: router from ISP -> Linksys with OpenWRT -> TP-Link with OpenWRT and OpenVPN server. All routers are in one LAN (192.168.0.1 ISP -> 192.168.0.3 Linksys -> 192.168.0.2 TP-Link) and I can't connect to the server on TP-Link. I know that redirecting ports doesn't make sense, because there is one subnet so I have to do this with iptables and DNAT / SNAT. I've tried some entries but I'm probably too stupid to make it work :) Maybe someone has this kind of configuration and knows what to do?

mwandelaar
OpenVPN Super User
Posts: 219
Joined: Mon Nov 23, 2009 8:24 pm

Re: Server on second router in the same LAN

Post by mwandelaar » Fri Jan 06, 2017 7:10 pm

I guess there's some information about your network missing.

You can't connect to the openvpn-server in the TP-Link. Where? From outside? From the local lan?
Are the other routers actually routing in the lan or are they acting as servers in the same lan?

If you cannot connect from the local lan, you probably have to search for an issue in the configuration, I guess.

jarul777
OpenVpn Newbie
Posts: 5
Joined: Mon Jan 02, 2017 12:35 pm

Re: Server on second router in the same LAN

Post by jarul777 » Fri Jan 06, 2017 9:48 pm

I can't connect from LAN and from outside. ISP router has DMZ set to Linksys. Clients are connected (when in LAN) to Linksys, and from outside I think packets are stopping at Linksys too. So there is a problem in redirecting traffic from Linksys to TP-Link which I can't solve.

Jlennemann
OpenVPN User
Posts: 23
Joined: Fri Jan 06, 2017 3:19 am

Re: Server on second router in the same LAN

Post by Jlennemann » Fri Jan 06, 2017 10:40 pm

Why do you have two routers on your network?

jarul777
OpenVpn Newbie
Posts: 5
Joined: Mon Jan 02, 2017 12:35 pm

Re: Server on second router in the same LAN

Post by jarul777 » Sat Jan 07, 2017 12:54 am

One is main now (Linksys), second works as switch and before I had Linksys it worked as VPN server. Now I want it to still work as this server, but I can't connect...

mwandelaar
OpenVPN Super User
Posts: 219
Joined: Mon Nov 23, 2009 8:24 pm

Re: Server on second router in the same LAN

Post by mwandelaar » Sat Jan 07, 2017 7:52 am

Do you have configfiles and logfiles from client and server for us?

jarul777
OpenVpn Newbie
Posts: 5
Joined: Mon Jan 02, 2017 12:35 pm

Re: Server on second router in the same LAN

Post by jarul777 » Sat Jan 07, 2017 5:24 pm

This is configuration that worked before changes in my LAN. A.B.C.D is my external IP.

Server Config
mode server
port 1194
proto udp
tls-server
ifconfig 10.8.0.1 255.255.255.0
topology subnet
client-config-dir /etc/openvpn/ccd

cipher BF-CBC
keysize 128

dev tun
keepalive 25 180
status /var/openvpn/current_status
verb 3

dh /etc/openvpn/dh1024.pem
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
tls-auth /etc/openvpn/ta.key 0

persist-key
persist-tun
comp-lzo

push "topology subnet"
push "route-gateway 10.8.0.1"
push "redirect-gateway def1"

Client Config
client
remote A.B.C.D 1194
dev tun
proto udp
status current_status
resolv-retry infinite
ns-cert-type server
topology subnet
verb 3

cipher BF-CBC
keysize 128

ca ca.crt
cert j7l.crt
key j7l.key
tls-auth ta.key 1

nobind
persist-key
persist-tun
comp-lzo

Client log

Sat Jan 07 18:26:41 2017 OpenVPN 2.3.12 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug 23 2016
Sat Jan 07 18:26:41 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Sat Jan 07 18:26:41 2017 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.09
Sat Jan 07 18:26:41 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Sat Jan 07 18:26:41 2017 Need hold release from management interface, waiting...
Sat Jan 07 18:26:41 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Sat Jan 07 18:26:41 2017 MANAGEMENT: CMD 'state on'
Sat Jan 07 18:26:41 2017 MANAGEMENT: CMD 'log all on'
Sat Jan 07 18:26:41 2017 MANAGEMENT: CMD 'hold off'
Sat Jan 07 18:26:41 2017 MANAGEMENT: CMD 'hold release'
Sat Jan 07 18:26:41 2017 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Sat Jan 07 18:26:41 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan 07 18:26:41 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan 07 18:26:41 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sat Jan 07 18:26:41 2017 UDPv4 link local: [undef]
Sat Jan 07 18:26:41 2017 UDPv4 link remote: [AF_INET]A.B.C.D:1194
Sat Jan 07 18:26:41 2017 MANAGEMENT: >STATE:1483810001,WAIT,,,
Sat Jan 07 18:27:41 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jan 07 18:27:41 2017 TLS Error: TLS handshake failed
Sat Jan 07 18:27:41 2017 SIGUSR1[soft,tls-error] received, process restarting
Sat Jan 07 18:27:41 2017 MANAGEMENT: >STATE:1483810061,RECONNECTING,tls-error,,
Sat Jan 07 18:27:41 2017 Restart pause, 2 second(s)
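
Added example (not part of the original post): a small triage of a client log like the one above, separating "nothing came back", "a reply came from a different address than the one dialled" (what DNAT without SNAT on a single subnet produces) and "the server answered but TLS failed". It assumes OpenVPN 2.x client wording for the `TLS: Initial packet from` and `Incoming packet rejected from` messages; the function names and the LAN sample are constructed for illustration.

```python
import re

# THREAD_LOG lines are copied from the client log posted in this thread.
THREAD_LOG = """\
Sat Jan 07 18:26:41 2017 UDPv4 link remote: [AF_INET]A.B.C.D:1194
Sat Jan 07 18:27:41 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jan 07 18:27:41 2017 TLS Error: TLS handshake failed
"""
# LAN_SAMPLE is constructed: a LAN client dials the Linksys (192.168.0.3), which
# DNATs to the TP-Link (192.168.0.2) without SNAT, so the reply comes back direct.
LAN_SAMPLE = """\
Sat Jan 07 18:30:00 2017 UDPv4 link remote: [AF_INET]192.168.0.3:1194
Sat Jan 07 18:30:00 2017 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.0.2:1194[2], expected peer address: [AF_INET]192.168.0.3:1194 (allow this incoming source address/port by removing --remote or adding --float)
Sat Jan 07 18:31:00 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""

REMOTE = re.compile(r"link remote: \[AF_INET6?\]\S+")
REJECTED = re.compile(r"Incoming packet rejected from \[AF_INET6?\](\S+?)\[\d+\]")
INITIAL = "TLS: Initial packet from"      # first packet accepted from the peer
TIMEOUT = "TLS key negotiation failed"


def classify(attempt):
    if attempt["rejected"]:
        # Something answered, but from another address than the one dialled:
        # asymmetric return path (DNAT without matching SNAT on one subnet).
        return "reply-from-wrong-address:" + attempt["rejected"]
    if attempt["reply"]:
        # Packets flow both ways; look at certificates, tls-auth, cipher.
        return "server-replied-tls-failed"
    # Nothing came back: forwarding, firewall or return route.
    return "no-reply-from-server"


def triage(log_text):
    """Return one verdict per timed-out connection attempt in a client log."""
    verdicts, attempt = [], None
    for line in log_text.splitlines():
        if REMOTE.search(line):  # each attempt starts with a "link remote" line
            attempt = {"reply": False, "rejected": None}
        elif attempt is None:
            continue
        elif INITIAL in line:
            attempt["reply"] = True
        elif REJECTED.search(line):
            attempt["rejected"] = REJECTED.search(line).group(1)
        elif TIMEOUT in line:
            verdicts.append(classify(attempt))
            attempt = None
    return verdicts
```

Run over the log posted above it returns `no-reply-from-server`, which points at forwarding between the routers rather than at keys or certificates.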

mwandelaar
OpenVPN Super User
Posts: 219
Joined: Mon Nov 23, 2009 8:24 pm

Re: Server on second router in the same LAN

Post by mwandelaar » Sat Jan 07, 2017 9:04 pm

It looks like the client is sending at least something to the server.
Can you increase the logging (verb 5) and post the logs from both client and server?
There should be a hint there.

jarul777
OpenVpn Newbie
Posts: 5
Joined: Mon Jan 02, 2017 12:35 pm

Re: Server on second router in the same LAN

Post by jarul777 » Wed Jan 11, 2017 8:50 pm

How to get server logs? Where are they? I pointed to a file in config file, but nothing appeared there.

mwandelaar
OpenVPN Super User
Posts: 219
Joined: Mon Nov 23, 2009 8:24 pm

Re: Server on second router in the same LAN

Post by mwandelaar » Thu Jan 12, 2017 3:04 pm

In your posting from January 7 there's no logfile entry, so openvpn logs them to the normal syslog. Depending on your Linux distro, it can be in /var/log/daemon.log, /var/log/messages, /var/log/syslog.

trevmlt
OpenVpn Newbie
Posts: 2
Joined: Mon Feb 27, 2017 1:32 am

Re: Server on second router in the same LAN

Post by trevmlt » Sun Dec 02, 2018 3:47 am

Did you ever solve this? I have a similar issue. I can connect to the OpenVPN server on the second router from within my network, but I cannot reach the server from outside the network. I have ISP modem---->router 1 in subnet 10.168.2.1 ------->router 2 IP in same subnet 10.168.2.2. They are connected LAN to LAN. Gateway and DNS on router 2 set to IP of router 1. Port for server in router 2 settings is set to UDP 1195. Exported Config file is using the DDNS setup on router 1 (xxxxxx.asuscomm.com) and port 1195. I also have router 2 in the DMZ of router 1. Any suggestions as to why this doesn't work?
