Server unable to access nodes behind client openvpn router

Posted: Thu Nov 27, 2014 2:36 pm
by harshdevx
Hi, thanks for a wonderful piece of solution.

My scenario:
A. VPS in US with openvpn server (Openvpn 10.0.2.0/24)
B. Router 1 with ddwrt in country A (LAN 10.0.1.0/24)
C. Router 2 with ddwrt in country B (LAN 10.0.3.0/24) is not deployed as of now.

Currently what is working:
a. Server can ping Router 1 on both IPs 10.0.2.2 and 10.0.1.1
b. Router 1 can ping Server on IP 10.0.2.1
c. Nodes behind Router 1 can access Server at 10.0.2.10

What is not working:
a. Server is unable to access nodes and services behind Router 1
b. I have a node with Samba running which I want to map to my server; is that possible?

And what I want:
a. Nodes behind router 1 should be able to access nodes behind router 2
b. Creating RDP sessions (from nodes behind router 1) for remote assistance to nodes behind router 2

My server configuration:
========================
local xx.xx.xx.xx # Server IP address through which you connect, replace this with yours
port 1194 # Port the server runs on (default)
proto udp # Protocol to use (default)
#dev tap
dev tun
#push "redirect-gateway def1" # Push some options to the client
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"
topology subnet
#topology p2p

keepalive 10 120 # When should we disconnect a client?
comp-lzo # Enable compression
user nobody # Run as user nobody
group nogroup # Run as group nogroup
persist-key # Avoid trying to access unavailable resources after a restart
persist-tun # Avoid trying to access unavailable resources after a restart
status openvpn-status.log # Status log for active connections
verb 3 # Log verbosity level
mute 20 # Limit the number of repeating messages
script-security 2 # Set the security level for the usage of external programs and scripts

tun-mtu 1590

tls-server
ca /etc/openvpn/rsa/keys/ca.crt
dh /etc/openvpn/rsa/keys/dh1024.pem
cert /etc/openvpn/rsa/keys/cmtp.server.crt
key /etc/openvpn/rsa/keys/cmtp.server.key

tls-auth /etc/openvpn/rsa/keys/ta.key 0
server 10.0.2.0 255.255.255.0
status openvpn-status.log # Status log for active connection
log /var/log/openvpn.log # Append to the OpenVPN log rather than starting a new one every time you restart
cipher aes-128-cbc
client-config-dir /etc/openvpn/ccd
client-to-client

#ROUTING TABLES
route 10.0.1.0 255.255.255.0 10.0.1.1
push "route 10.0.2.0 255.255.255.0"

My client configuration:
========================
ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
key /tmp/openvpncl/client.key
management 127.0.0.1 16
management-log-cache 100
verb 3
mute 3
syslog
writepid /var/run/openvpncl.pid
client
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 2
dev tun1
proto udp
cipher aes-128-cbc
auth sha1
remote xx.xx.xx.xx 1194
comp-lzo no
tun-mtu 1590
mtu-disc yes
fast-io
tun-ipv6
tls-auth /tmp/openvpncl/ta.key 1
route-nopull
route xx.xx.xx.xx 255.255.255.255 net_gateway

###
### OpenVPN routes
###
# amazon ec2 (us)
# https://forums.aws.amazon.com/ann.jspa?annID=1528 & extended via whois
route 23.20.0.0 255.252.0.0 vpn_gateway
route 50.16.0.0 255.252.0.0 vpn_gateway
route 50.112.0.0 255.255.0.0 vpn_gateway
route 54.224.0.0 255.240.0.0 vpn_gateway
route 54.240.0.0 255.240.0.0 vpn_gateway
route 67.202.0.0 255.255.192.0 vpn_gateway
route 72.44.32.0 255.255.224.0 vpn_gateway
route 75.101.128.0 255.255.128.0 vpn_gateway
route 107.20.0.0 255.252.0.0 vpn_gateway
route 174.129.0.0 255.255.0.0 vpn_gateway
route 184.72.0.0 255.254.0.0 vpn_gateway
route 184.169.128.0 255.255.128.0 vpn_gateway
route 204.236.128.0 255.255.128.0 vpn_gateway

# amazon ec2 (eu)
# https://forums.aws.amazon.com/ann.jspa?annID=1528 & extended via whois
route 46.51.128.0 255.255.192.0 vpn_gateway
route 46.51.192.0 255.255.240.0 vpn_gateway
route 46.137.0.0 255.255.128.0 vpn_gateway
route 46.137.128.0 255.255.192.0 vpn_gateway
route 79.125.0.0 255.255.128.0 vpn_gateway
route 176.34.64.0 255.255.192.0 vpn_gateway
route 176.34.128.0 255.255.128.0 vpn_gateway

# netflix
route 108.175.32.0 255.255.240.0 vpn_gateway
route 208.75.76.0 255.255.252.0 vpn_gateway
route 64.212.0.0 255.252.0.0 vpn_gateway
route 199.92.0.0 255.252.0.0 vpn_gateway
route 206.32.0.0 255.252.0.0 vpn_gateway
route 209.244.0.0 255.252.0.0 vpn_gateway
route 68.142.64.0 255.255.192.0 vpn_gateway
route 69.28.128.0 255.255.192.0 vpn_gateway
route 69.164.0.0 255.255.192.0 vpn_gateway
route 208.111.128.0 255.255.192.0 vpn_gateway
route 128.242.0.0 255.255.0.0 vpn_gateway
route 204.0.0.0 255.252.0.0 vpn_gateway
route 204.141.0.0 255.255.0.0 vpn_gateway
route 204.200.0.0 255.252.0.0 vpn_gateway
route 208.44.0.0 255.252.0.0 vpn_gateway

Re: Server unable to access nodes behind client openvpn router

Posted: Thu Nov 27, 2014 4:56 pm
by maikcat
First, correct this:

from:

#ROUTING TABLES
route 10.0.1.0 255.255.255.0 10.0.1.1

to this:

#ROUTING TABLES
route 10.0.1.0 255.255.255.0

Also, you need to create a ccd file named after your router1 CN name with the following:

iroute 10.0.1.0 255.255.255.0

Michael.

Re: Server unable to access nodes behind client openvpn router

Posted: Thu Nov 27, 2014 5:36 pm
by harshdevx
Did as you indicated; here are the server and client logs along with the ccd for router 1.
--------------------------------------
cat /etc/openvpn/ccd/ddwrt
comp-lzo no
push "comp-lzo no"
iroute 10.0.1.0 255.255.255.0
--------------------------------------

OpenVPN Server Log:
Thu Nov 27 12:27:26 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Nov 27 12:27:26 2014 /sbin/ip link set dev tun0 up mtu 1590
Thu Nov 27 12:27:26 2014 /sbin/ip addr add dev tun0 10.0.2.1/24 broadcast 10.0.2.255
Thu Nov 27 12:27:26 2014 GID set to nogroup
Thu Nov 27 12:27:26 2014 UID set to nobody
Thu Nov 27 12:27:26 2014 UDPv4 link local (bound): [AF_INET]xx.xx.xx.xx:1194
Thu Nov 27 12:27:26 2014 UDPv4 link remote: [undef]
Thu Nov 27 12:27:26 2014 MULTI: multi_init called, r=256 v=256
Thu Nov 27 12:27:26 2014 IFCONFIG POOL: base=10.0.2.2 size=252, ipv6=0
Thu Nov 27 12:27:26 2014 Initialization Sequence Completed
Thu Nov 27 12:28:25 2014 yy.yy.yy.yy:32777 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1590)
Thu Nov 27 12:28:25 2014 yy.yy.yy.yy:32777 TLS: Initial packet from [AF_INET]yy.yy.yy.yy:32777, sid=96459b2c 85f478dd
Thu Nov 27 12:28:26 2014 yy.yy.yy.yy:32777 VERIFY OK: depth=1, C=CA, ST=Ontario, L=Toronto, O=CMTP, OU=IS, CN=cmtp.org, name=CMTP, emailAddress=harshal.c@cmtp.org
Thu Nov 27 12:28:26 2014 yy.yy.yy.yy:32777 VERIFY OK: depth=0, C=CA, ST=Ontario, L=Toronto, O=CMTP, OU=IT, CN=ddwrt, name=ddwrt, emailAddress=harshal.chandorkar@gmail.com
Thu Nov 27 12:28:26 2014 yy.yy.yy.yy:32777 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Nov 27 12:28:26 2014 yy.yy.yy.yy:32777 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Nov 27 12:28:26 2014 yy.yy.yy.yy:32777 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Nov 27 12:28:26 2014 yy.yy.yy.yy:32777 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Nov 27 12:28:26 2014 yy.yy.yy.yy:32777 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Nov 27 12:28:26 2014 yy.yy.yy.yy:32777 [ddwrt] Peer Connection Initiated with [AF_INET]yy.yy.yy.yy:32777
Thu Nov 27 12:28:26 2014 ddwrt/yy.yy.yy.yy:32777 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/ddwrt
Thu Nov 27 12:28:26 2014 ddwrt/yy.yy.yy.yy:32777 MULTI_sva: pool returned IPv4=10.0.2.2, IPv6=(Not enabled)
Thu Nov 27 12:28:26 2014 ddwrt/yy.yy.yy.yy:32777 OPTIONS IMPORT: LZO parms modified
Thu Nov 27 12:28:26 2014 ddwrt/yy.yy.yy.yy:32777 MULTI: Learn: 10.0.2.2 -> ddwrt/yy.yy.yy.yy:32777
Thu Nov 27 12:28:26 2014 ddwrt/yy.yy.yy.yy:32777 MULTI: primary virtual IP for ddwrt/yy.yy.yy.yy:32777: 10.0.2.2
Thu Nov 27 12:28:26 2014 ddwrt/yy.yy.yy.yy:32777 MULTI: internal route 10.0.1.0/24 -> ddwrt/yy.yy.yy.yy:32777
Thu Nov 27 12:28:26 2014 ddwrt/yy.yy.yy.yy:32777 MULTI: Learn: 10.0.1.0/24 -> ddwrt/yy.yy.yy.yy:32777
Thu Nov 27 12:28:28 2014 ddwrt/yy.yy.yy.yy:32777 PUSH: Received control message: 'PUSH_REQUEST'
Thu Nov 27 12:28:28 2014 ddwrt/yy.yy.yy.yy:32777 send_push_reply(): safe_cap=940
Thu Nov 27 12:28:28 2014 ddwrt/yy.yy.yy.yy:32777 SENT CONTROL [ddwrt]: 'PUSH_REPLY,route 10.0.2.0 255.255.255.0,route-gateway 10.0.2.1,topology subnet,ping 10,ping-restart 120,comp-lzo no,ifconfig 10.0.2.2 255.255.255.0' (status=1)

OpenVPN Client Log:
20141127 12:28:26 I OpenVPN 2.3.5 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Nov 20 2014
20141127 12:28:26 I library versions: OpenSSL 1.0.1j 15 Oct 2014 LZO 2.08
20141127 12:28:26 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20141127 12:28:26 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
20141127 12:28:26 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20141127 12:28:26 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
20141127 12:28:26 W WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible
20141127 12:28:26 I Control Channel Authentication: using '/tmp/openvpncl/ta.key' as a OpenVPN static key file
20141127 12:28:26 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
20141127 12:28:26 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
20141127 12:28:26 W WARNING: normally if you use --mssfix and/or --fragment you should also set --tun-mtu 1500 (currently it is 1590)
20141127 12:28:26 Socket Buffers: R=[114688->131072] S=[114688->131072]
20141127 12:28:26 I UDPv4 link local: [undef]
20141127 12:28:26 I UDPv4 link remote: [AF_INET]xx.xx.xx.xx:1194
20141127 12:28:26 TLS: Initial packet from [AF_INET]xx.xx.xx.xx:1194 sid=33d00e9f 89a032ee
20141127 12:28:26 VERIFY OK: depth=1 C=CA ST=Ontario L=Toronto O=CMTP OU=IS CN=cmtp.org name=CMTP emailAddress=harshal.c@cmtp.org
20141127 12:28:26 VERIFY OK: depth=0 C=CA ST=Ontario L=Toronto O=CMTP OU=IS CN=cmtp.server name=changeme emailAddress=harshal.c@cmtp.org
20141127 12:28:27 NOTE: --mute triggered...
20141127 12:28:27 5 variation(s) on previous 3 message(s) suppressed by --mute
20141127 12:28:27 I [cmtp.server] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
20141127 12:28:29 SENT CONTROL [cmtp.server]: 'PUSH_REQUEST' (status=1)
20141127 12:28:29 PUSH: Received control message: 'PUSH_REPLY route 10.0.2.0 255.255.255.0 route-gateway 10.0.2.1 topology subnet ping 10 ping-restart 120 comp-lzo no ifconfig 10.0.2.2 255.255.255.0'
20141127 12:28:29 OPTIONS IMPORT: timers and/or timeouts modified
20141127 12:28:29 NOTE: --mute triggered...
20141127 12:28:29 4 variation(s) on previous 3 message(s) suppressed by --mute
20141127 12:28:29 I TUN/TAP device tun1 opened
20141127 12:28:29 TUN/TAP TX queue length set to 100
20141127 12:28:29 I do_ifconfig tt->ipv6=1 tt->did_ifconfig_ipv6_setup=0
20141127 12:28:29 I /sbin/ifconfig tun1 10.0.2.2 netmask 255.255.255.0 mtu 1590 broadcast 10.0.2.255
20141127 12:28:29 /sbin/route add -net 10.0.2.0 netmask 255.255.255.0 gw 10.0.2.1
20141127 12:28:29 I Initialization Sequence Completed
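The two-part fix Michael describes (a server-side route with no gateway, plus a matching iroute in the client's ccd file) can be checked mechanically, and the "MULTI: internal route" line in the server log above is the confirmation that OpenVPN accepted the iroute. The script below is an added example, not code from the thread or from the OpenVPN project; the sample config and log line are constructed from the values in the thread, with the peer address kept as the placeholder yy.yy.yy.yy.

```python
"""Consistency check for an OpenVPN site-to-site setup (added example).

For every client LAN the server should reach through a client, two things
must agree: a server 'route' (no explicit gateway: the kernel route goes
via the tun device, OpenVPN's default) and an 'iroute' for the same
network in that client's ccd file, which tells OpenVPN's internal routing
which client owns the subnet.
"""
import re
import ipaddress

ROUTE_RE = re.compile(r"^\s*(i?route)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
LEARNED_RE = re.compile(r"MULTI: internal route (\S+) -> ([^/\s]+)/")


def parse_routes(text, directive):
    """Return {network_cidr: gateway_or_None} for 'route' or 'iroute' lines."""
    nets = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line.split("#", 1)[0])  # strip trailing comments
        if m and m.group(1) == directive:
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            nets[str(net)] = m.group(4)
    return nets


def check_site_to_site(server_conf, ccd_files):
    """ccd_files maps client CN -> ccd file contents. Returns a list of findings."""
    findings = []
    routes = parse_routes(server_conf, "route")
    iroutes = {}
    for cn, text in ccd_files.items():
        for net in parse_routes(text, "iroute"):
            iroutes.setdefault(net, []).append(cn)
    for net, gw in routes.items():
        if gw and gw not in ("vpn_gateway", "net_gateway"):
            findings.append(f"route {net}: drop gateway {gw}; it is not on-link, let OpenVPN use the tun device")
        if net not in iroutes:
            findings.append(f"route {net}: no ccd file carries an iroute for it, so the server cannot pick a client")
    for net, cns in iroutes.items():
        if net not in routes:
            findings.append(f"iroute {net} in ccd {','.join(cns)}: add the matching server 'route'")
        if len(cns) > 1:
            findings.append(f"iroute {net} is claimed by several clients: {cns}")
    return findings


def learned_routes(server_log):
    """Return {network: client_cn} from 'MULTI: internal route' log lines."""
    return {net: cn for net, cn in LEARNED_RE.findall(server_log)}
```

Running check_site_to_site on the original server config with an empty ccd directory reports both problems; with the corrected route and the ddwrt ccd it reports nothing, and learned_routes on the server log shows 10.0.1.0/24 bound to ddwrt.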