
I've registered because I have a problem with the configuration of the OpenVPN client on my router.
I have a Netgear DGND4000 with custom firmware that includes an OpenVPN client.
I have this situation:
Network A: 192.168.1.0 with Router A 192.168.1.254
Network B: 192.168.2.0 with Router B 192.168.2.253
Router B is the Netgear DGND4000, so the "VPN Router", and all of network B must be under the VPN.
Router B is connected to Router A through its "Ethernet WAN Port" to a switch port of Router A.
Router A knows Router B as 192.168.1.13.
Now, I put the config in the VPN client, and then I verified with SSH that the config works and Router B is connected to the VPN.
The problem is that the whole network under Router B (clients via eth and wifi) is not connected to the VPN.
I attach some info that may be useful:
OpenVPN config:
Code:
client
dev tun
proto udp
remote IP_SERVER_VPN 443
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
ca /config/xxx/amod/openvpn/ca.crt
tls-remote IP_SERVER_VPN
auth-user-pass /config/xxx/amod/openvpn/auth.conf
comp-lzo
verb 3
auth SHA256
cipher AES-256-CBC
keysize 256
tls-cipher DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA
Code:
openvpn --config /config/xxx/amod/openvpn/openvpn_client.conf
Thu Aug 27 09:21:17 2015 DEPRECATED OPTION: --tls-remote, please update your configuration
Thu Aug 27 09:21:17 2015 OpenVPN 2.3.7 mips-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jul 24 2015
Thu Aug 27 09:21:17 2015 library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.09
Thu Aug 27 09:21:17 2015 Deprecated TLS cipher name 'DHE-RSA-AES256-SHA', please use IANA name 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA'
Thu Aug 27 09:21:17 2015 Deprecated TLS cipher name 'DHE-DSS-AES256-SHA', please use IANA name 'TLS-DHE-DSS-WITH-AES-256-CBC-SHA'
Thu Aug 27 09:21:17 2015 Deprecated TLS cipher name 'AES256-SHA', please use IANA name 'TLS-RSA-WITH-AES-256-CBC-SHA'
Thu Aug 27 09:21:17 2015 Socket Buffers: R=[122880->131072] S=[122880->131072]
Thu Aug 27 09:21:17 2015 UDPv4 link local: [undef]
Thu Aug 27 09:21:17 2015 UDPv4 link remote: [AF_INET]94.198.97.10:443
Thu Aug 27 09:21:17 2015 TLS: Initial packet from [AF_INET]94.198.97.10:443, sid=66e4e4fb 3f10728c
Thu Aug 27 09:21:17 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Aug 27 09:21:17 2015 VERIFY OK: depth=1, /C=US/ST=FL/L=Winter_Park/O=IPVanish/OU=IPVanish_VPN/CN=IPVanish_CA/emailAddress=support@ipvanish.com
Thu Aug 27 09:21:17 2015 VERIFY X509NAME OK: /C=US/ST=FL/L=Winter_Park/O=IPVanish/OU=IPVanish_VPN/CN=lin-c04.ipvanish.com/emailAddress=support@ipvanish.com
Thu Aug 27 09:21:17 2015 VERIFY OK: depth=0, /C=US/ST=FL/L=Winter_Park/O=IPVanish/OU=IPVanish_VPN/CN=lin-c04.ipvanish.com/emailAddress=support@ipvanish.com
Thu Aug 27 09:21:19 2015 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Aug 27 09:21:19 2015 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Aug 27 09:21:19 2015 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Aug 27 09:21:19 2015 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Aug 27 09:21:19 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Thu Aug 27 09:21:19 2015 [lin-c04.ipvanish.com] Peer Connection Initiated with [AF_INET]94.198.97.10:443
Thu Aug 27 09:21:21 2015 SENT CONTROL [lin-c04.ipvanish.com]: 'PUSH_REQUEST' (status=1)
Thu Aug 27 09:21:21 2015 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 198.18.0.1,dhcp-option DNS 198.18.0.2,rcvbuf 262144,explicit-exit-notify 5,route-gateway 172.20.32.1,topology subnet,ping 20,ping-restart 40,ifconfig 172.20.34.242 255.255.252.0'
Thu Aug 27 09:21:21 2015 OPTIONS IMPORT: timers and/or timeouts modified
Thu Aug 27 09:21:21 2015 OPTIONS IMPORT: explicit notify parm(s) modified
Thu Aug 27 09:21:21 2015 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Thu Aug 27 09:21:21 2015 Socket Buffers: R=[131072->245760] S=[131072->131072]
Thu Aug 27 09:21:21 2015 OPTIONS IMPORT: --ifconfig/up options modified
Thu Aug 27 09:21:21 2015 OPTIONS IMPORT: route options modified
Thu Aug 27 09:21:21 2015 OPTIONS IMPORT: route-related options modified
Thu Aug 27 09:21:21 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Aug 27 09:21:21 2015 TUN/TAP device tun0 opened
Thu Aug 27 09:21:21 2015 TUN/TAP TX queue length set to 100
Thu Aug 27 09:21:21 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Aug 27 09:21:21 2015 /bin/ip link set dev tun0 up mtu 1500
Thu Aug 27 09:21:21 2015 /bin/ip addr add dev tun0 172.20.34.242/22 broadcast 172.20.35.255
Thu Aug 27 09:21:22 2015 /bin/ip route add 94.198.97.10/32 via 192.168.1.254
Thu Aug 27 09:21:22 2015 /bin/ip route add 0.0.0.0/1 via 172.20.32.1
Thu Aug 27 09:21:22 2015 /bin/ip route add 128.0.0.0/1 via 172.20.32.1
Thu Aug 27 09:21:22 2015 Initialization Sequence Completed
Code:
94.198.97.10 via 192.168.1.254 dev eth4
192.168.2.0/24 dev group1 proto kernel scope link src 192.168.2.253
192.168.1.0/24 dev eth4 proto kernel scope link src 192.168.1.13
172.20.32.0/22 dev tun0 proto kernel scope link src 172.20.34.242
239.0.0.0/8 dev group1 scope link
127.0.0.0/8 dev lo scope link
0.0.0.0/1 via 172.20.32.1 dev tun0
128.0.0.0/1 via 172.20.32.1 dev tun0
default via 192.168.1.254 dev eth4
Code:
94.198.97.10 192.168.1.254 255.255.255.255 UGH 0 0 0 eth4
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 group1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth4
172.20.32.0 0.0.0.0 255.255.252.0 U 0 0 0 tun0
239.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 group1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 172.20.32.1 128.0.0.0 UG 0 0 0 tun0
128.0.0.0 172.20.32.1 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth4
Code:
traceroute to google.it (173.194.40.143), 30 hops max, 38 byte packets
1 172.20.32.1 (172.20.32.1) 56.821 ms 57.138 ms 64.915 ms
2 95.141.37.1 (95.141.37.1) 72.550 ms 57.018 ms 58.854 ms
3 95.141.47.254 (95.141.47.254) 75.322 ms 57.733 ms 59.106 ms
4 google.mix-it.net (217.29.66.96) 66.882 ms 57.846 ms 59.337 ms
5 209.85.249.54 (209.85.249.54) 65.641 ms 58.608 ms 216.239.47.128 (216.239.47.128) 59.467 ms
6 209.85.253.9 (209.85.253.9) 64.777 ms 209.85.253.11 (209.85.253.11) 74.073 ms 64.239 ms
7 209.85.142.249 (209.85.142.249) 74.629 ms 209.85.143.219 (209.85.143.219) 83.182 ms 209.85.142.249 (209.85.142.249) 75.904 ms
8 209.85.245.80 (209.85.245.80) 77.139 ms 74.954 ms 78.684 ms
9 209.85.243.47 (209.85.243.47) 76.669 ms 76.239 ms 75.757 ms
10 par10s10-in-f15.1e100.net (173.194.40.143) 83.902 ms 75.904 ms 79.657 ms
Code:
DGND4000 ~ # ifconfig
bcmsw Link encap:Ethernet HWaddr 00:8E:F2:90:6A:A6
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:360809 errors:0 dropped:0 overruns:0 frame:0
TX packets:419748 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:73171003 (69.7 MiB) TX bytes:454554819 (433.4 MiB)
Base address:0xda00
eth0 Link encap:Ethernet HWaddr 00:8E:F2:90:6A:A6
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:360809 errors:0 dropped:0 overruns:0 frame:0
TX packets:419748 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:73171003 (69.7 MiB) TX bytes:454554819 (433.4 MiB)
eth1 Link encap:Ethernet HWaddr 00:8E:F2:90:6A:A6
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
eth2 Link encap:Ethernet HWaddr 00:8E:F2:90:6A:A6
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
eth3 Link encap:Ethernet HWaddr 00:8E:F2:90:6A:A6
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:28995 errors:0 dropped:0 overruns:0 frame:0
TX packets:12460 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9879274 (9.4 MiB) TX bytes:2832449 (2.7 MiB)
eth4 Link encap:Ethernet HWaddr 00:8E:F2:90:6A:A8
inet addr:192.168.1.13 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: 2a01:e35:2e61:d340:28e:f2ff:fe90:6aa8/64 Scope:Global
inet6 addr: fe80::28e:f2ff:fe90:6aa8/64 Scope:Link
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1400 Metric:1
RX packets:2045026 errors:0 dropped:0 overruns:0 frame:0
TX packets:1674457 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:715461218 (682.3 MiB) TX bytes:198503359 (189.3 MiB)
group1 Link encap:Ethernet HWaddr 00:8E:F2:90:6A:A6
inet addr:192.168.2.253 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::28e:f2ff:fe90:6aa6/64 Scope:Link
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:205851 errors:0 dropped:0 overruns:0 frame:0
TX packets:142593 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:24074630 (22.9 MiB) TX bytes:15737450 (15.0 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:6012 errors:0 dropped:0 overruns:0 frame:0
TX packets:6012 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1494620 (1.4 MiB) TX bytes:1494620 (1.4 MiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:172.20.34.242 P-t-P:172.20.34.242 Mask:255.255.252.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:24 errors:0 dropped:0 overruns:0 frame:0
TX packets:24 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:2046 (1.9 KiB) TX bytes:912 (912.0 B)
wl1 Link encap:Ethernet HWaddr 00:8E:F2:90:6A:A7
inet6 addr: fe80::28e:f2ff:fe90:6aa7/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:202802 errors:0 dropped:0 overruns:0 frame:3930
TX packets:143538 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:58948134 (56.2 MiB) TX bytes:17126101 (16.3 MiB)
Interrupt:38
Traceroute performed by a client in Network B:
Code:
1 192.168.2.253 (192.168.2.253) 2.436 ms 8.045 ms 1.884 ms
2 192.168.1.254 (192.168.1.254) 2.469 ms 15.007 ms 1.732 ms
3 82.230.29.254 (82.230.29.254) 23.728 ms 28.420 ms 23.826 ms
4 montpellier-6k-1-a5.routers.proxad.net (213.228.12.62) 25.944 ms 37.071 ms 34.704 ms
5 montpellier-crs8-1-be2100.intf.routers.proxad.net (78.254.249.30) 33.926 ms 38.213 ms 35.982 ms
6 p11-cr16-1-be1103.intf.routers.proxad.net (194.149.160.21) 47.050 ms 47.324 ms 58.332 ms
7 cbv-9k-1-be1001.intf.routers.proxad.net (194.149.161.14) 44.040 ms 52.422 ms 52.980 ms
8 72.14.211.26 (72.14.211.26) 52.615 ms 58.753 ms 51.571 ms
9 72.14.239.145 (72.14.239.145) 52.409 ms 50.430 ms 53.787 ms
10 72.14.233.83 (72.14.233.83) 52.349 ms 51.231 ms 51.725 ms
11 par03s15-in-f99.1e100.net (216.58.211.99) 52.618 ms 52.439 ms 53.201 ms
With "Check IP" from the terminal, the router uses the correct VPN IP, but the clients under Network B use the provider's IP.
I've already edited the default route with this command:
replace: default via 192.168.1.254 dev eth0 with: default via IP_VPN_Gateway dev tun0
I've also tried these commands in iptables:
Code:
# Allow traffic initiated from VPN to access LAN
iptables -I FORWARD -i tun0 -o group1 -s 172.20.32.0/22 -d 192.168.2.0/24 -j ACCEPT
# Allow traffic initiated from VPN to access "the world"
iptables -I FORWARD -i tun0 -o eth4 -s 172.20.32.0/22 -j ACCEPT
# Allow traffic initiated from LAN to access "the world"
iptables -I FORWARD -i group1 -o eth4 -s 192.168.2.0/24 -j ACCEPT
# Masquerade traffic from VPN to "the world" -- done in the nat table
iptables -t nat -I POSTROUTING -o eth4 -s 172.20.32.0/22 -j MASQUERADE
# Masquerade traffic from LAN to "the world"
iptables -t nat -I POSTROUTING -o group1 -s 192.168.2.0/24 -j MASQUERADE
Any ideas about this?
Thanks in advance to all.
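
Added example, not part of the original post: a small audit of a rule set for the "LAN behind a VPN router" case, checking that LAN traffic is forwarded and masqueraded on tun0 and has no accepted path out of eth4 that bypasses the tunnel. The interface names and the posted rules come from the post; the finding names and the rule set in `fixed_rules` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Interface names are the post's; the finding names and the
# corrected rule set in fixed_rules are assumptions, not the poster's config.
LAN_IF=group1 VPN_IF=tun0 WAN_IF=eth4

# has_rule CHAIN WORD...: true if one rule for CHAIN contains every WORD.
has_rule() {
    chain=$1; shift
    lines=$(printf '%s\n' "$RULES" | grep -E -e "-[AI] $chain( |\$)" || true)
    for w in "$@"; do
        lines=$(printf '%s\n' "$lines" | grep -F -w -e "$w" || true)
    done
    [ -n "$lines" ]
}

# audit: rules on stdin (command lines or iptables-save output); prints one
# finding per line, or OK when LAN traffic can only leave through the VPN.
audit() {
    RULES=$(cat); found=""
    has_rule FORWARD "-i $LAN_IF" "-o $VPN_IF" "-j ACCEPT" ||
        { echo "MISSING_FORWARD_LAN_TO_VPN"; found=1; }
    has_rule POSTROUTING "-o $VPN_IF" "-j MASQUERADE" ||
        { echo "MISSING_MASQUERADE_ON_VPN"; found=1; }
    # A LAN->WAN accept lets clients leave outside the tunnel.
    if has_rule FORWARD "-i $LAN_IF" "-o $WAN_IF" "-j ACCEPT"; then
        echo "LAN_TO_WAN_BYPASS"; found=1
    fi
    # NAT must be applied on the egress (VPN) side, not the LAN side.
    if has_rule POSTROUTING "-o $LAN_IF" "-j MASQUERADE"; then
        echo "MASQUERADE_ON_LAN_IF"; found=1
    fi
    [ -n "$found" ] || echo "OK"
}
posted_rules() { cat <<'EOF'
iptables -I FORWARD -i tun0 -o group1 -s 172.20.32.0/22 -d 192.168.2.0/24 -j ACCEPT
iptables -I FORWARD -i tun0 -o eth4 -s 172.20.32.0/22 -j ACCEPT
iptables -I FORWARD -i group1 -o eth4 -s 192.168.2.0/24 -j ACCEPT
iptables -t nat -I POSTROUTING -o eth4 -s 172.20.32.0/22 -j MASQUERADE
iptables -t nat -I POSTROUTING -o group1 -s 192.168.2.0/24 -j MASQUERADE
EOF
}
fixed_rules() { cat <<'EOF'
iptables -I FORWARD -i group1 -o tun0 -s 192.168.2.0/24 -j ACCEPT
iptables -I FORWARD -i tun0 -o group1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -i group1 -o eth4 -j DROP
iptables -t nat -I POSTROUTING -o tun0 -s 192.168.2.0/24 -j MASQUERADE
EOF
}
echo "posted:"; posted_rules | audit; echo "fixed:"; fixed_rules | audit
```

Where `iptables-save` is available on the router, the live rule set can be checked with `iptables-save | audit`.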
