Problem with Routing
Posted: Fri Aug 28, 2015 7:46 am
Hi all guys!

I've registered because I have a problem with the configuration of the OpenVPN client on my router.
I have a Netgear DGND4000 with custom firmware that includes an OpenVPN client.
This is my situation:
Network A: 192.168.1.0 with Router A at 192.168.1.254
Network B: 192.168.2.0 with Router B at 192.168.2.253
Router B is the Netgear DGND4000, i.e. the "VPN router", and all of Network B must be behind the VPN.
Router B is connected to Router A through its "Ethernet WAN port", plugged into a switch port of Router A.
Router A knows Router B as 192.168.1.13.
Now I put the config in the VPN client, and I verified via SSH that the config works and that Router B is connected to the VPN.
The problem is that the whole network behind Router B (clients via Ethernet and Wi-Fi) is not connected to the VPN.
I attach some info that may be useful:
OPENVPN Config:
client
dev tun
proto udp
remote IP_SERVER_VPN 443
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
ca /config/xxx/amod/openvpn/ca.crt
tls-remote IP_SERVER_VPN
auth-user-pass /config/xxx/amod/openvpn/auth.conf
comp-lzo
verb 3
auth SHA256
cipher AES-256-CBC
keysize 256
tls-cipher DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA
OPENVPN LOG:
openvpn --config /config/xxx/amod/openvpn/openvpn_client.conf
Thu Aug 27 09:21:17 2015 DEPRECATED OPTION: --tls-remote, please update your configuration
Thu Aug 27 09:21:17 2015 OpenVPN 2.3.7 mips-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jul 24 2015
Thu Aug 27 09:21:17 2015 library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.09
Thu Aug 27 09:21:17 2015 Deprecated TLS cipher name 'DHE-RSA-AES256-SHA', please use IANA name 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA'
Thu Aug 27 09:21:17 2015 Deprecated TLS cipher name 'DHE-DSS-AES256-SHA', please use IANA name 'TLS-DHE-DSS-WITH-AES-256-CBC-SHA'
Thu Aug 27 09:21:17 2015 Deprecated TLS cipher name 'AES256-SHA', please use IANA name 'TLS-RSA-WITH-AES-256-CBC-SHA'
Thu Aug 27 09:21:17 2015 Socket Buffers: R=[122880->131072] S=[122880->131072]
Thu Aug 27 09:21:17 2015 UDPv4 link local: [undef]
Thu Aug 27 09:21:17 2015 UDPv4 link remote: [AF_INET]94.198.97.10:443
Thu Aug 27 09:21:17 2015 TLS: Initial packet from [AF_INET]94.198.97.10:443, sid=66e4e4fb 3f10728c
Thu Aug 27 09:21:17 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Aug 27 09:21:17 2015 VERIFY OK: depth=1, /C=US/ST=FL/L=Winter_Park/O=IPVanish/OU=IPVanish_VPN/CN=IPVanish_CA/emailAddress=support@ipvanish.com
Thu Aug 27 09:21:17 2015 VERIFY X509NAME OK: /C=US/ST=FL/L=Winter_Park/O=IPVanish/OU=IPVanish_VPN/CN=lin-c04.ipvanish.com/emailAddress=support@ipvanish.com
Thu Aug 27 09:21:17 2015 VERIFY OK: depth=0, /C=US/ST=FL/L=Winter_Park/O=IPVanish/OU=IPVanish_VPN/CN=lin-c04.ipvanish.com/emailAddress=support@ipvanish.com
Thu Aug 27 09:21:19 2015 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Aug 27 09:21:19 2015 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Aug 27 09:21:19 2015 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Aug 27 09:21:19 2015 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Aug 27 09:21:19 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Thu Aug 27 09:21:19 2015 [lin-c04.ipvanish.com] Peer Connection Initiated with [AF_INET]94.198.97.10:443
Thu Aug 27 09:21:21 2015 SENT CONTROL [lin-c04.ipvanish.com]: 'PUSH_REQUEST' (status=1)
Thu Aug 27 09:21:21 2015 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 198.18.0.1,dhcp-option DNS 198.18.0.2,rcvbuf 262144,explicit-exit-notify 5,route-gateway 172.20.32.1,topology subnet,ping 20,ping-restart 40,ifconfig 172.20.34.242 255.255.252.0'
Thu Aug 27 09:21:21 2015 OPTIONS IMPORT: timers and/or timeouts modified
Thu Aug 27 09:21:21 2015 OPTIONS IMPORT: explicit notify parm(s) modified
Thu Aug 27 09:21:21 2015 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Thu Aug 27 09:21:21 2015 Socket Buffers: R=[131072->245760] S=[131072->131072]
Thu Aug 27 09:21:21 2015 OPTIONS IMPORT: --ifconfig/up options modified
Thu Aug 27 09:21:21 2015 OPTIONS IMPORT: route options modified
Thu Aug 27 09:21:21 2015 OPTIONS IMPORT: route-related options modified
Thu Aug 27 09:21:21 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Aug 27 09:21:21 2015 TUN/TAP device tun0 opened
Thu Aug 27 09:21:21 2015 TUN/TAP TX queue length set to 100
Thu Aug 27 09:21:21 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Aug 27 09:21:21 2015 /bin/ip link set dev tun0 up mtu 1500
Thu Aug 27 09:21:21 2015 /bin/ip addr add dev tun0 172.20.34.242/22 broadcast 172.20.35.255
Thu Aug 27 09:21:22 2015 /bin/ip route add 94.198.97.10/32 via 192.168.1.254
Thu Aug 27 09:21:22 2015 /bin/ip route add 0.0.0.0/1 via 172.20.32.1
Thu Aug 27 09:21:22 2015 /bin/ip route add 128.0.0.0/1 via 172.20.32.1
Thu Aug 27 09:21:22 2015 Initialization Sequence Completed
IP ROUTE from Router B:
94.198.97.10 via 192.168.1.254 dev eth4
192.168.2.0/24 dev group1 proto kernel scope link src 192.168.2.253
192.168.1.0/24 dev eth4 proto kernel scope link src 192.168.1.13
172.20.32.0/22 dev tun0 proto kernel scope link src 172.20.34.242
239.0.0.0/8 dev group1 scope link
127.0.0.0/8 dev lo scope link
0.0.0.0/1 via 172.20.32.1 dev tun0
128.0.0.0/1 via 172.20.32.1 dev tun0
default via 192.168.1.254 dev eth4
Netstat -nr from Router B:
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
94.198.97.10 192.168.1.254 255.255.255.255 UGH 0 0 0 eth4
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 group1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth4
172.20.32.0 0.0.0.0 255.255.252.0 U 0 0 0 tun0
239.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 group1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 172.20.32.1 128.0.0.0 UG 0 0 0 tun0
128.0.0.0 172.20.32.1 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth4
Traceroute on Router B:
traceroute to google.it (173.194.40.143), 30 hops max, 38 byte packets
1 172.20.32.1 (172.20.32.1) 56.821 ms 57.138 ms 64.915 ms
2 95.141.37.1 (95.141.37.1) 72.550 ms 57.018 ms 58.854 ms
3 95.141.47.254 (95.141.47.254) 75.322 ms 57.733 ms 59.106 ms
4 google.mix-it.net (217.29.66.96) 66.882 ms 57.846 ms 59.337 ms
5 209.85.249.54 (209.85.249.54) 65.641 ms 58.608 ms 216.239.47.128 (216.239.47.128) 59.467 ms
6 209.85.253.9 (209.85.253.9) 64.777 ms 209.85.253.11 (209.85.253.11) 74.073 ms 64.239 ms
7 209.85.142.249 (209.85.142.249) 74.629 ms 209.85.143.219 (209.85.143.219) 83.182 ms 209.85.142.249 (209.85.142.249) 75.904 ms
8 209.85.245.80 (209.85.245.80) 77.139 ms 74.954 ms 78.684 ms
9 209.85.243.47 (209.85.243.47) 76.669 ms 76.239 ms 75.757 ms
10 par10s10-in-f15.1e100.net (173.194.40.143) 83.902 ms 75.904 ms 79.657 ms
Ifconfig Router B:
DGND4000 ~ # ifconfig
bcmsw Link encap:Ethernet HWaddr 00:8E:F2:90:6A:A6
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:360809 errors:0 dropped:0 overruns:0 frame:0
TX packets:419748 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:73171003 (69.7 MiB) TX bytes:454554819 (433.4 MiB)
Base address:0xda00
eth0 Link encap:Ethernet HWaddr 00:8E:F2:90:6A:A6
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:360809 errors:0 dropped:0 overruns:0 frame:0
TX packets:419748 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:73171003 (69.7 MiB) TX bytes:454554819 (433.4 MiB)
eth1 Link encap:Ethernet HWaddr 00:8E:F2:90:6A:A6
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
eth2 Link encap:Ethernet HWaddr 00:8E:F2:90:6A:A6
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
eth3 Link encap:Ethernet HWaddr 00:8E:F2:90:6A:A6
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:28995 errors:0 dropped:0 overruns:0 frame:0
TX packets:12460 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9879274 (9.4 MiB) TX bytes:2832449 (2.7 MiB)
eth4 Link encap:Ethernet HWaddr 00:8E:F2:90:6A:A8
inet addr:192.168.1.13 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: 2a01:e35:2e61:d340:28e:f2ff:fe90:6aa8/64 Scope:Global
inet6 addr: fe80::28e:f2ff:fe90:6aa8/64 Scope:Link
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1400 Metric:1
RX packets:2045026 errors:0 dropped:0 overruns:0 frame:0
TX packets:1674457 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:715461218 (682.3 MiB) TX bytes:198503359 (189.3 MiB)
group1 Link encap:Ethernet HWaddr 00:8E:F2:90:6A:A6
inet addr:192.168.2.253 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::28e:f2ff:fe90:6aa6/64 Scope:Link
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:205851 errors:0 dropped:0 overruns:0 frame:0
TX packets:142593 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:24074630 (22.9 MiB) TX bytes:15737450 (15.0 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:6012 errors:0 dropped:0 overruns:0 frame:0
TX packets:6012 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1494620 (1.4 MiB) TX bytes:1494620 (1.4 MiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:172.20.34.242 P-t-P:172.20.34.242 Mask:255.255.252.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:24 errors:0 dropped:0 overruns:0 frame:0
TX packets:24 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:2046 (1.9 KiB) TX bytes:912 (912.0 B)
wl1 Link encap:Ethernet HWaddr 00:8E:F2:90:6A:A7
inet6 addr: fe80::28e:f2ff:fe90:6aa7/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:202802 errors:0 dropped:0 overruns:0 frame:3930
TX packets:143538 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:58948134 (56.2 MiB) TX bytes:17126101 (16.3 MiB)
Interrupt:38
Traceroute performed by a client in Network B:
1 192.168.2.253 (192.168.2.253) 2.436 ms 8.045 ms 1.884 ms
2 192.168.1.254 (192.168.1.254) 2.469 ms 15.007 ms 1.732 ms
3 82.230.29.254 (82.230.29.254) 23.728 ms 28.420 ms 23.826 ms
4 montpellier-6k-1-a5.routers.proxad.net (213.228.12.62) 25.944 ms 37.071 ms 34.704 ms
5 montpellier-crs8-1-be2100.intf.routers.proxad.net (78.254.249.30) 33.926 ms 38.213 ms 35.982 ms
6 p11-cr16-1-be1103.intf.routers.proxad.net (194.149.160.21) 47.050 ms 47.324 ms 58.332 ms
7 cbv-9k-1-be1001.intf.routers.proxad.net (194.149.161.14) 44.040 ms 52.422 ms 52.980 ms
8 72.14.211.26 (72.14.211.26) 52.615 ms 58.753 ms 51.571 ms
9 72.14.239.145 (72.14.239.145) 52.409 ms 50.430 ms 53.787 ms
10 72.14.233.83 (72.14.233.83) 52.349 ms 51.231 ms 51.725 ms
11 par03s15-in-f99.1e100.net (216.58.211.99) 52.618 ms 52.439 ms 53.201 ms
With "Check IP" from the terminal, the router uses the correct VPN IP, but the clients on Network B use the ISP's IP.
I've already edited the default route with this command:
replace: default via 192.168.1.254 dev eth0 with: default via IP_VPN_Gateway dev tun0
I've also tried these iptables commands:
# Allow traffic initiated from VPN to access LAN
iptables -I FORWARD -i tun0 -o group1 -s 172.20.32.0/22 -d 192.168.2.0/24 -j ACCEPT
# Allow traffic initiated from VPN to access "the world"
iptables -I FORWARD -i tun0 -o eth4 -s 172.20.32.0/22 -j ACCEPT
# Allow traffic initiated from LAN to access "the world"
iptables -I FORWARD -i group1 -o eth4 -s 192.168.2.0/24 -j ACCEPT
# Masquerade traffic from VPN to "the world" -- done in the nat table
iptables -t nat -I POSTROUTING -o eth4 -s 172.20.32.0/22 -j MASQUERADE
# Masquerade traffic from LAN to "the world"
iptables -t nat -I POSTROUTING -o group1 -s 192.168.2.0/24 -j MASQUERADE
I edited the commands from this article: https://community.openvpn.net/openvpn/w ... AndRouting, removing the part "-m conntrack --ctstate NEW" because it doesn't work on my router.
Any ideas about this?
Thanks in advance to all.
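The forwarding, NAT and kill-switch rules that a "VPN router" like Router B needs, as an added example that is not code from the post or from the DGND4000 firmware. It takes the interface names (group1, eth4, tun0), the LAN subnet and the traceroute target from the post; the LAN client address 192.168.2.10 used by diagnose(), and the presence of the iptables "state" and "TCPMSS" extensions on this firmware, are assumptions.

```shell
#!/bin/sh
# Added example, not code from the post or from the DGND4000 firmware.
# Sends everything behind Router B (group1) through tun0, NATs it to the
# tunnel address, and refuses to forward LAN traffic out of eth4, so a
# dropped tunnel fails closed instead of leaking to the ISP.
# Interface names, subnets and addresses are the ones in the post; the LAN
# client address in diagnose() and the availability of the iptables
# 'state' and 'TCPMSS' extensions on this firmware are assumptions.
set -e

LAN_IF="${LAN_IF:-group1}"
LAN_NET="${LAN_NET:-192.168.2.0/24}"
WAN_IF="${WAN_IF:-eth4}"
VPN_IF="${VPN_IF:-tun0}"
PROBE_DST="${PROBE_DST:-173.194.40.143}"   # google.it from the posted traceroute
PROBE_SRC="${PROBE_SRC:-192.168.2.10}"     # assumed LAN client address

# Without this the kernel never forwards between group1 and tun0.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
}

# add_rule <table> <chain> <rule...>: append only if the rule is not already
# present, so the script can be re-run (e.g. from an OpenVPN --up script).
add_rule() {
    t="$1"; c="$2"; shift 2
    iptables -t "$t" -C "$c" "$@" 2>/dev/null || iptables -t "$t" -A "$c" "$@"
}

vpn_forward_rules() {
    # Default deny for forwarded traffic: anything not explicitly allowed is dropped.
    iptables -P FORWARD DROP
    # LAN -> tunnel is the only way out.
    add_rule filter FORWARD -i "$LAN_IF" -o "$VPN_IF" -s "$LAN_NET" -j ACCEPT
    # Replies from the tunnel back to the LAN only; unsolicited traffic from
    # the VPN provider's 172.20.32.0/22 is not let into Network B.
    add_rule filter FORWARD -i "$VPN_IF" -o "$LAN_IF" -d "$LAN_NET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Kill switch: never forward LAN traffic straight out of the WAN port,
    # even if tun0 goes away and the plain default route takes over.
    add_rule filter FORWARD -i "$LAN_IF" -o "$WAN_IF" -j DROP
}

vpn_nat_rules() {
    # The VPN server only routes replies to the address it assigned (172.20.34.242
    # in the log), so LAN sources must be rewritten on tun0, not on group1 or eth4.
    add_rule nat POSTROUTING -o "$VPN_IF" -s "$LAN_NET" -j MASQUERADE
    # eth4 runs at MTU 1400 in the posted ifconfig while tun0 advertises 1500;
    # clamp TCP MSS so large segments are not black-holed inside the tunnel.
    add_rule mangle FORWARD -o "$VPN_IF" -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
}

diagnose() {
    # 'ip route' only shows the main table; forwarded packets may be steered by
    # policy rules into another table, which is what 'ip route get ... iif' reveals.
    ip rule show
    ip route get "$PROBE_DST" from "$PROBE_SRC" iif "$LAN_IF"
    iptables -S FORWARD
    iptables -t nat -S POSTROUTING
}

case "${1:-}" in
    apply)    enable_forwarding; vpn_forward_rules; vpn_nat_rules ;;
    diagnose) diagnose ;;
    *)        echo "usage: $0 apply|diagnose" >&2 ;;
esac
```

Run it as root on Router B with `apply` once tun0 is up (for instance from an OpenVPN `--up` script, which needs `--script-security 2`), and with `diagnose` to see the path a forwarded packet actually takes. Two things stand out against the posted data: the posted rules masquerade on eth4 and on group1 but never on tun0, so LAN packets enter the tunnel with a 192.168.2.x source the VPN server cannot answer; and the posted main table already holds the 0.0.0.0/1 and 128.0.0.0/1 routes via tun0 pushed by `redirect-gateway def1`, which beat the default route by longest-prefix match, so rewriting the default route is unnecessary. If `ip route get ... iif group1` still answers with eth4, something outside the main table (a policy rule or a vendor fast path in the firmware) is steering forwarded traffic. The pushed resolvers 198.18.0.1 and 198.18.0.2 are only reachable through the tunnel, so LAN clients also need to be handed a resolver that goes that way, or their DNS lookups leak to the ISP even when their data does not.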
