STILL unable to reach LAN, having tried many things!

Official client software for OpenVPN Access Server and OpenVPN Cloud.
Audax Dreik
OpenVpn Newbie
Posts: 5
Joined: Wed Jul 09, 2014 12:41 am

STILL unable to reach LAN, having tried many things!

Post by Audax Dreik » Wed Jul 09, 2014 1:17 am

I have done much reading on the subject and attempted many of the solutions I have seen for this issue, but to date nothing has worked. I'm afraid I don't fully understand networking and VPNs as well as I should, so I may very well be going about the changes in the wrong way. I will outline my current situation and setup as best as possible here. If any additional information is required, please let me know what is needed (and possibly how to retrieve it) and I will post it.

Right now I have OpenVPN set up on my DD-WRT router (Netgear WNDR4300 running SVN revision 23919 patched for Heartbleed). The LAN is 10.0.0.0/16 and the VPN subnet is 10.8.0.0/24. I'm primarily using the OpenVPN Connect app for Android on my Nexus 7 (4.4.4) and my Galaxy S4 (4.4.2) and having the same issues on both. I can connect to the VPN just fine and browse the internet, but I am unable to ping anything on the network, including the router itself at 10.0.0.1.

Router Config


port 1194
proto udp
dev tun0
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
server 10.8.0.0 255.255.255.0
comp-lzo
persist-key
persist-tun
verb 5

push "route 10.0.0.0 255.255.255.0"
push "route 10.0.3.0 255.255.255.0"
push "route 10.0.5.0 255.255.255.0"

management localhost 5001
Screenshot of the DD-WRT VPN config, for settings not directly specified above:
http://i.imgur.com/osk3G5h.png

Client Config


client
dev tun
proto udp
remote [MY DYNDNS] 1194
resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert phone.crt
key phone.key
ns-cert-type server
cipher AES-128-CBC
comp-lzo
verb 4
auth MD5

Firewall


# Accept the OpenVPN handshake on UDP 1194
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
# Forward anything sourced from the LAN
iptables -I FORWARD 1 -s 10.0.0.0/16 -j ACCEPT
# Forward between the LAN bridge and the tunnel in both directions
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

On both Android devices I'm able to successfully connect and browse the internet. It looks like it is pulling the routes I'm pushing (10.0.3.0/24 and 10.0.5.0/24, various servers and workstations I want access to), but they are not showing up in ip route. For what it's worth, I've also tried OpenVPN for Android with the exact same results (browsing, but no LAN). In the log files, I see:


17:32:36.128 -- Sending PUSH_REQUEST to server...
17:32:36.246 -- OPTIONS
0 [route] [10.0.0.0] [255.255.255.0]
1 [route] [10.0.3.0] [255.255.255.0]
2 [route] [10.0.5.0] [255.255.255.0]
3 [route-gateway] [10.8.0.1]
4 [topology] [subnet]
5 [ping] [10]
6 [ping-restart] [120]
7 [ifconfig] [10.8.0.5] [255.255.255.0]

This is a non-rooted device; is it possible that it's not able to configure it locally? I've also tried adding push "redirect-gateway def1", but then I fail to get even internet access. Please help?
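
The check for whether the pushed routes actually landed on the client, as an added example that is not part of the original post or the OpenVPN project: a POSIX shell script that parses Linux `ip route` output (Android and Linux clients; Windows `route print` has a different layout and is not handled). The VPN gateway and the three pushed prefixes are taken from the server config above; the routing table embedded at the bottom is constructed for the example, not captured from the poster's devices. It also reports whether the two /1 routes that `redirect-gateway def1` installs are present, which is how to tell whether internet traffic is going through the tunnel or the local default route.

```shell
#!/bin/sh
# Added example, not from the original post: check a Linux client's routing
# table for the routes the OpenVPN server pushed and for the two /1 routes
# that "redirect-gateway def1" installs. Usage: ip route | sh check_routes.sh -
# With no argument it runs against the constructed sample table below.

VPN_GW="10.8.0.1"                              # route-gateway pushed by the server
PUSHED="10.0.0.0/24 10.0.3.0/24 10.0.5.0/24"   # the three push "route ..." lines

# route_present TABLE PREFIX -> succeeds if TABLE has a route for PREFIX via VPN_GW
route_present() {
    printf '%s\n' "$1" | awk -v p="$2" -v gw="$VPN_GW" '
        $1 == p { for (i = 2; i < NF; i++) if ($i == "via" && $(i+1) == gw) found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_routes TABLE -> one line per pushed prefix, then the tunnel mode.
# Exit status is the number of pushed routes that are missing.
check_routes() {
    table="$1"
    missing=0
    for net in $PUSHED; do
        if route_present "$table" "$net"; then
            echo "ok      $net via $VPN_GW"
        else
            echo "MISSING $net"
            missing=$((missing + 1))
        fi
    done
    # def1 splits the default route into two halves via the VPN gateway, so the
    # client's own default route stays in place but never wins the lookup.
    if route_present "$table" 0.0.0.0/1 && route_present "$table" 128.0.0.0/1; then
        echo "full-tunnel: 0.0.0.0/1 and 128.0.0.0/1 via $VPN_GW (redirect-gateway def1 in effect)"
    else
        echo "split-tunnel: internet traffic uses the local default route"
    fi
    return "$missing"
}

# Constructed sample (not a real capture): what `ip route` looks like after a
# successful connect with all three routes and redirect-gateway def1 applied.
SAMPLE_FULL="default via 192.168.1.1 dev wlan0
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.0.0.0/24 via 10.8.0.1 dev tun0
10.0.3.0/24 via 10.8.0.1 dev tun0
10.0.5.0/24 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23"

if [ $# -gt 0 ]; then
    check_routes "$(cat "$1")"
else
    check_routes "$SAMPLE_FULL"
fi
```

Only hosts inside the pushed prefixes are reachable through the tunnel: the LAN here is 10.0.0.0/16 but the server pushes three /24s, so a host in, say, 10.0.7.0/24 would not be routed over the VPN even when everything else works.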


Re: STILL unable to reach LAN, having tried many things!

Post by Audax Dreik » Wed Jul 09, 2014 3:59 pm

Sorry it was unclear, the contents of "Additional Config" are exactly as what I have posted under Router Config.


Re: STILL unable to reach LAN, having tried many things!

Post by Audax Dreik » Wed Jul 09, 2014 5:47 pm

Quick update: here's a route print I did at work. This is a little convoluted, as I'm running the OpenVPN client within a Windows 8.1 VM. Exact same symptoms. The VPN connects and successfully assigns the IP 10.8.0.4, and I can browse, but I am still unable to ping anything on the remote LAN, including the router at 10.0.0.1.

I notice that here the routing does seem to include the routes I have requested, wondering if this is perhaps a separate issue? The Android clients are by far more important to me.

[image: route print from the Windows 8.1 VM]


Re: STILL unable to reach LAN, having tried many things!

Post by Audax Dreik » Thu Jul 10, 2014 3:07 am

Thank you so much for your help so far! I'm making progress and feeling like I'm understanding this a little better.

First off, I dropped the VM since that was needlessly complicating things and was the cause of the messed-up route print that didn't seem like it was really going anywhere. I'm home now, using a neighbor's unsecured wifi on a Win 7 laptop to test:

[image: route print from the Win 7 laptop]
Censored is my home IP.

I can tell this looks much better. I'm still able to browse the internet, but I'm unsure whether that is because I'm still using the local connection or because it is being directed through the VPN. How would I tell? For the first time since I started messing with this I am able to ping my router (and even bring up the web GUI) at 10.0.0.1; however, I am still unable to reach any of my servers or workstations on the 10.0.3.0/24 and 10.0.5.0/24 subnets.

I added

push "redirect-gateway def1"

to the Additional Config section in DD-WRT. I also updated my firewall as follows:


# Accept everything arriving on any tun interface
iptables -I INPUT 1 -i tun+ -j ACCEPT
# Accept everything leaving via any tun interface (OUTPUT matches on -o, not -i)
iptables -I OUTPUT 1 -o tun+ -j ACCEPT
# Forward everything arriving on any tun interface
iptables -I FORWARD 1 -i tun+ -j ACCEPT

My understanding is that this is extremely open and also extremely vulnerable, but it's working. I'll tighten it up later; maybe someone could help me with that.

As to your HOWTOs, debbie10t, it looks like I'm already fully compliant with the first one. I've verified that IP forwarding is enabled on my router and I'm pushing the subnets that I want. I haven't set up any routing on the server-side LAN gateway (this is only necessary if the OpenVPN server and the LAN gateway are different machines), since my DD-WRT router is the OpenVPN server. As of right now all my results are consistent across all Windows and Android devices, so the tablet and phone are looking good.


Re: STILL unable to reach LAN, having tried many things!

Post by Audax Dreik » Fri Jul 11, 2014 12:51 am

Issue has been resolved! Again, thank you very much!

After giving your latest suggestion a try and reading more about NAT routing, I found this guide (http://www.teksec.org/2013/openvpn-tuto ... ly-part-2/) and was able to adapt the firewall rules it provides to my needs (for anyone facing the same issue, verify the name of your tun interface; I'm not sure why his was tun2, but mine was definitely tun0). Browsing and LAN access are functional, but now, curiously, I cannot ping my router or access its web GUI. I think this is some security setting in DD-WRT (?), but I will investigate this later, and I'm not even sure I require that functionality.
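
A tightened version of the firewall, as an added example that is not from the post, the linked guide, or DD-WRT: a POSIX shell script that generates (and, as root, loads) an iptables ruleset for an OpenVPN server running on the LAN gateway, replacing the wide-open `-i tun+ -j ACCEPT` rules from earlier in the thread. The interface names, subnets and port are the ones from the thread's configs; the assumption that DD-WRT's default WAN MASQUERADE is still in place for internet-bound traffic is mine. The MASQUERADE rule toward br0 is the NAT approach the guide describes: VPN clients appear to LAN hosts as the router's LAN address, so LAN hosts need no route for 10.8.0.0/24. Packets addressed to the router itself are governed by the INPUT chain, not FORWARD, which is why the ruleset carries a separate INPUT rule for the tunnel.

```shell
#!/bin/sh
# Added example, not from the post or the linked guide: a tighter iptables
# ruleset for an OpenVPN server that runs on the LAN gateway (DD-WRT here).
# It replaces the wide-open "-i tun+ -j ACCEPT" rules from the thread.
# Run without arguments to print the rules; run as root with "apply" to load them.
# Assumption: DD-WRT's default WAN MASQUERADE still handles internet-bound traffic.

TUN_IF="tun0"           # "dev tun0" in the server config; confirm with: ip link
LAN_IF="br0"            # DD-WRT LAN bridge
VPN_NET="10.8.0.0/24"   # "server 10.8.0.0 255.255.255.0"
LAN_NET="10.0.0.0/16"
VPN_PORT="1194"

# vpn_rules -> prints the iptables commands (with comments) without running them
vpn_rules() {
    cat <<EOF
# 1. Accept the OpenVPN handshake from the WAN.
iptables -I INPUT 1 -p udp --dport $VPN_PORT -j ACCEPT
# 2. Let connected clients reach the router itself (ping, web GUI, DNS).
#    INPUT, not FORWARD, decides what the router accepts for its own addresses.
iptables -I INPUT 2 -i $TUN_IF -s $VPN_NET -j ACCEPT
# 3. Forward traffic arriving on the tunnel only if its source really is a VPN
#    address (drops spoofed sources). Add "-d $LAN_NET" here and remove
#    redirect-gateway to confine clients to the LAN.
iptables -I FORWARD 1 -i $TUN_IF -s $VPN_NET -j ACCEPT
# 4. Toward the tunnel, allow only replies to connections the clients opened,
#    so LAN hosts cannot initiate connections to VPN clients.
iptables -I FORWARD 2 -o $TUN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# 5. Source-NAT clients to the router's LAN address so LAN hosts that have no
#    route for $VPN_NET still send their replies back via the router.
iptables -t nat -A POSTROUTING -s $VPN_NET -o $LAN_IF -j MASQUERADE
EOF
}

# rule_count -> number of iptables commands the ruleset contains
rule_count() {
    vpn_rules | grep -c '^iptables'
}

# apply_rules -> loads the ruleset; refuses to run unless root
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must run as root" >&2
        return 1
    fi
    vpn_rules | grep -v '^#' | sh -e
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    vpn_rules
fi
```

On DD-WRT this belongs in the Firewall script box so it is re-applied at boot; the `-I` positions put the tunnel rules ahead of the stock DD-WRT rules, and rule 4 is what stops a LAN host from opening connections to a connected phone or laptop.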
