Force all clients of a router through ONE OpenVPN connection

[joy13975]

Hello people ,
I would like to achieve what the title says, but after following the wiki guide on

http://www.dd-wrt.com/wiki/index.php/Op ... wo_routers Nothing still.
Traffics from the local router's clients don't go through the VPN connection established by my local router.

My intended network structure looks like so:

[Remote OpenVPN Server] >---- [Remote Router] ------ [Internet] ------ [Security Router] ----< [Local Router] < [Local LAN Clients]

OpenVPN server works for individual computers (establishes connection and will redirect all traffic through). Now I want just the local router (DD-WRT) to make one OpenVPN connection and make all its clients go through it without having to configure on each single client's computer (to access the internet, not just the remote LAN).

So far what I am able to achieve is set the local DD-WRT router up for being an OpenVPN client; it successfully connects and its traffics do go through the vpn. However, I have found no solution to make all the clients-of-the-local-router go through the same connection(by default it doesn't).

Please note that I would like to stay away from bridging (tap) as much as possible because the current routed configuration took me a lot of time to carve, and I am very afraid that it screws up the configurations. But of course if you can point me a working configuration I'll try.

My server config:

Code: Select all

dev tun
tls-server
management 127.0.0.1 1195
server 10.8.0.0 255.255.255.0
port 1194
push "route 192.168.0.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
dh /usr/local/synovpn/etc/openvpn/keys/dh1024.pem
ca /usr/local/synovpn/etc/openvpn/keys/ca.crt
cert /usr/local/synovpn/etc/openvpn/keys/server.crt
key /usr/local/synovpn/etc/openvpn/keys/server.key
max-clients 20
comp-lzo
persist-tun
persist-key
verb 7
keepalive 10 60
reneg-sec 0
tls-auth /usr/local/synovpn/etc/openvpn/keys/ta.key 0
user nobody
group nobody
duplicate-cn

My client (individual PCs) config:

Code: Select all

dev tun
client
remote my_server_ip 1194
redirect-gateway
resolv-retry infinite
pull
proto udp
script-security 2
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
ns-cert-type server
cipher BF-CBC
comp-lzo
reneg-sec 0
verb 7

My local DD-WRT router client config:

Code: Select all

ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
key /tmp/openvpncl/client.key
management 127.0.0.1 5001
management-log-cache 50
verb 4
mute 5
log-append /var/log/openvpncl
client
tls-client
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 2
mtu-disc yes
dev tun1
proto udp
cipher bf-cbc
auth sha1
remote my_server_ip 1194
tun-mtu 1500
comp-lzo adaptive
ns-cert-type server
fast-io
tun-ipv6
tls-auth /tmp/openvpncl/ta.key 1
tls-cipher AES128-SHA

Remote LAN is 192.168.0.0/24
Local LAN is 192.168.1.0/24
VPN LAN is 10.8.0.0/24

By the way, what's the difference between bridged and routed ? If I use bridging can my other individual PCs still go through it ?

I really appreciate your effort to help.
Thanks!

[janjust]

read up on
http://openvpn.net/index.php/open-sourc ... html#scope

what you want is possible, it's just a matter of configuring the openvpn server and the DD-WRT client in the right manner. In short

1) add the following lines to the server config:

Code: Select all

route 192.168.1.0 255.255.255.0
client-config-dir /etc/openvpn/ccd

2) inside this directory add a file with the name of the DD-WRT client cert , e.g. 'dd-wrt' (NO extension!)
3) this file needs to contain

Code: Select all

iroute 192.168.1.0 255.255.255.0

4) make sure the file and the directory path are readable to the user under which openvpn is running (user 'openvpn' or 'nobody')
5) restart the server and reconnect the client

now make sure that the *server* can reach the LAN IP of the dd-wrt box. After that, the rest is routing

[joy13975]

Thanks for your prompt reply.

I did all you and the documentation offered,right now the clients of the local router can reach the server side LAN but no traffic goes through it. On the server the route -n gives:

Code: Select all

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
192.168.1.0     10.8.0.2        255.255.255.0   UG    0      0        0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0

[janjust]

right now the clients of the local router can reach the server side LAN but no traffic goes through it.

please be more specific - I do not understand what this means.

can the server ping a host on the client-side LAN
can a host on the client-side LAN ping the server 10.8.0.1 address? the server's 192.169.0.x address ?

what kind of firewalling/routing is in place?

[joy13975]

Sorry I meant, the remote server side (192.168.0.0/24) can ping both the VPN pool (10.8.0.1) and also the local router clients side (192.168.1.0/24).

The local router clients side (192.168.1.0/24) can ping both the remote server side (192.168.0.0/24) and also the VPN pool (10.8.0.1)

Basically the LANs are connected together, but not the internet.

[janjust]

ah, I missed the 'internet connectivity' part in your first post

try adding

Code: Select all

push "redirect-gateway def1"

to the server configuration, restart the server and the client, then try again.

It might be necessary to add some masquerading/routing rules to ensure that traffic coming from the client-side LAN (192.168.1.0/24) is forwarded out onto the internet properly. If the openvpn server is also the server-side router then this should not be an issue. Otherwise, add something like

Code: Select all

iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

[joy13975]

I did exactly what you said, still no internet access.

I'll try to give more information:
On my PC I can access the internet through the VPN if I run the OpenVPN client on the PC, but not on the router
(This was already done before I posted this thread (before adding the redirect-gateway, meaning that the posted configuration served that purpose)

Both LANs can ping each other's machines, including both routers.
On both LANs, there are no firewall restrictions at all.

The remote VPN server is not a router itself, it's behind a router which doesn't support static routing.

The local router isn't the router that directly connects to the internet, it's a router behind a main router (On the LAN of 192.168.6.0/24) that I have no access to.

Here are the route tables when local router is connected using OpenVPN client:

[Remote VPN Server]

Code: Select all

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
192.168.1.0     10.8.0.2        255.255.255.0   UG    0      0        0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0

[Local DD-WRT Router]

Code: Select all

10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun1
192.168.6.254   0.0.0.0         255.255.255.255 UH    0      0        0 vlan2
192.168.6.0     0.0.0.0         255.255.255.0   U     0      0        0 vlan2
10.8.0.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.0.0     10.8.0.5        255.255.255.0   UG    0      0        0 tun1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.6.254   0.0.0.0         UG    0      0        0 vlan2

[Local PC]

Code: Select all

Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.1.1        UGSc           11        2     en1
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH             25   276012     lo0
169.254            link#5             UCS             0        0     en1
192.168.1          link#5             UCS             5        0     en1
192.168.1.1        0:c:43:30:52:77    UHLWIi         23      225     en1   1193
192.168.1.142      4c:f:6e:6c:48:d5   UHLWIi          3       16     en1   1170
192.168.1.147      127.0.0.1          UHS             0        0     lo0
192.168.1.255      ff:ff:ff:ff:ff:ff  UHLWbI          0        6     en1

Thank you for your patience!

[janjust]

the dd-wrt box did NOT pick up the default gateway, hence it is not redirecting all internet traffic via the VPN. This needs to be fixed first (check the routing tables on the dd-wrt box after the VPN client connects) before continuing.

[Mimiko]

May be this will help:

Code: Select all

iptables -A FORWARD -s 192.168.1.0/24 -o tun1 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o tun1 -j MASQUERADE

What "br0" on dd-wrt contains?

[joy13975]

I checked the local DD-WRT router's routes table which is what I posted... But what to do with that ?

Here are the results after following your instructions (local DD-WRT router):

Code: Select all

root@Sandy:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun1
192.168.6.254   0.0.0.0         255.255.255.255 UH    0      0        0 vlan2
192.168.6.0     0.0.0.0         255.255.255.0   U     0      0        0 vlan2
10.8.0.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.0.0     10.8.0.5        255.255.255.0   UG    0      0        0 tun1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.6.254   0.0.0.0         UG    0      0        0 vlan2
root@Sandy:~# iptables -A FORWARD -s 192.168.1.0/24 -o tun1 -j ACCEPT
root@Sandy:~# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o tun1 -j MASQUERADE
root@Sandy:~# route -n 
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun1
192.168.6.254   0.0.0.0         255.255.255.255 UH    0      0        0 vlan2
192.168.6.0     0.0.0.0         255.255.255.0   U     0      0        0 vlan2
10.8.0.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.0.0     10.8.0.5        255.255.255.0   UG    0      0        0 tun1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.6.254   0.0.0.0         UG    0      0        0 vlan2
root@Sandy:~# ifconfig
br0       Link encap:Ethernet  HWaddr 00:0C:43:30:52:77  
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:93008 errors:0 dropped:0 overruns:0 frame:0
          TX packets:38568 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:17665580 (16.8 MiB)  TX bytes:16671617 (15.8 MiB)

br0:0     Link encap:Ethernet  HWaddr 00:0C:43:30:52:77  
          inet addr:169.254.255.1  Bcast:169.254.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

Unresolved..
P.S.:Everything in codes are after the VPN connection established.

[Mimiko]

Well, drop the rules I took for you. Establish connection from dd-wrt to OpenVPN server. The use dd-wrt Web GUI to configure internet access for LAN PCs as if the tun adapter is an real ethernet adapter.