Routed LAN setup issue with NAT or masquerading

Moderators: TinCanTech

Scentle5S
OpenVpn Newbie
Posts: 6
Joined: Sat Oct 14, 2017 1:18 am

Routed LAN setup issue with NAT or masquerading

Post by Scentle5S » Thu Dec 28, 2017 3:30 pm

Hello,

I am trying to connect two distant LANs together using a VPN tun setup between their respective routers, so that everybody can communicate and (almost) no configuration is required for the end users.

Here's my setup:

Server side:

# LAN1
Network : 192.168.0.0/24
Gateway : 192.168.0.2
Domain : lan1
Router : Linksys E1200 with DD-WRT
Role : OpenVPN server
Server config

# Server
dev tun
proto udp
port 1194

# Keys / Certs
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
dh /tmp/openvpn/dh.pem
tls-auth /tmp/openvpn/ta.key 0

# Network
server 10.8.2.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir /tmp/openvpn/ccd
keepalive 10 60
route 192.168.1.0 255.255.255.0 10.8.2.10
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.0.2"
push "dhcp-option DOMAIN lan1"
topology subnet
management localhost 5001

# Security
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun

# Log
verb 3
status /var/log/openvpn-status.log
log /var/log/openvpn.log

Client CCD

ifconfig-push 10.8.2.10 255.255.255.0
push "route 192.168.0.0 255.255.255.0 10.8.2.1"
iroute 192.168.1.0 255.255.255.0


Client side:

# LAN2
Network : 192.168.1.0/24
Gateway : 192.168.1.1
Domain : lan2
Router : Linksys WRT1900ACS with OpenWrt
Role : OpenVPN client
Client config

# Client
client
dev tun
proto udp
nobind

# Keys / Certs
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1

# Network
remote my_remote_domain 1194
topology subnet
resolv-retry infinite
mute-replay-warnings

# Security
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun

# Log
verb 3


The client can connect to the server, and in theory everybody can communicate with everybody. But I'm having trouble understanding the way the routing is being done here. Here are some pinging scenarios with the source/destination IPs for requests/responses that I've gathered with Wireshark:

# Scenario 1
Computer from LAN2 pinging computer in LAN1 (observed from the computer being pinged):

Request source IP : 192.168.1.100
Request destination IP : 192.168.0.10
Reply source IP : 192.168.0.10
Reply destination IP : 192.168.1.100

# Scenario 2
Router from LAN2 pinging computer in LAN1 (observed from the computer being pinged):

Request source IP : 10.8.2.10
Request destination IP : 192.168.0.10
Reply source IP : 192.168.0.10
Reply destination IP : 10.8.2.10

# Scenario 3
Computer from LAN1 pinging computer in LAN2 (observed from the computer being pinged):

Request source IP : 192.168.0.10
Request destination IP : 192.168.1.100
Reply source IP : 192.168.1.100
Reply destination IP : 192.168.0.10

# Scenario 4
Router from LAN1 pinging computer in LAN2 (observed from the computer being pinged):

Request source IP : 10.8.2.1
Request destination IP : 192.168.1.100
Reply source IP : 192.168.1.100
Reply destination IP : 10.8.2.1

As you can see, when the traffic originates from one of the tunnel nodes, it gets sent with the VPN IP address. But when it originates from the LAN side behind either of the tunnel nodes, it gets sent with the corresponding LAN IP address.

I believe this has something to do with NAT/masquerading, and I've tried fiddling with these options (at least on the LAN2 router, since OpenWrt's GUI is way easier to use for this IMO). But I don't understand everything in this regard. Here are the Firewall general settings of the LAN2 router:
Image

And here are the routing tables of both routers:

# LAN1
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.0.254   0.0.0.0         UG        0 0          0 br0
10.8.2.0        0.0.0.0         255.255.255.0   U         0 0          0 tun0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 br0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 br0
192.168.1.0     10.8.2.10       255.255.255.0   UG        0 0          0 tun0

# LAN2
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         wan_ip          0.0.0.0         UG        0 0          0 pppoe-wan
10.8.2.0        0.0.0.0         255.255.255.0   U         0 0          0 tun1
wan_ip          0.0.0.0         255.255.255.255 UH        0 0          0 pppoe-wan
192.168.0.0     10.8.2.1        255.255.255.0   UG        0 0          0 tun1
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 br-lan

What is the "expected" behavior for this use case? Should every request to the opposite LAN originate from the VPN subnet (scenarios 2 and 4 above) or the LAN one (scenarios 1 and 3 above)? And why? Obviously there should be only one behavior and not a mix like I have here.

How can I achieve this expected behavior?

Also, I wasn't able to join LAN2 from LAN1 until I set the forward dropdown to accept on LAN2's router (see below). I'm having trouble understanding why.
Image

Thanks in advance

Scentle5S

P.S.: I know my choice of network IPs is poor (192.168.*.*/24), but I was just too lazy to change them yet, and this shouldn't impact my use of OpenVPN yet since there is no client other than me, connecting from networks I know that don't belong to these subnets.
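
Editor's note with an added example; neither the explanation nor the fragment below comes from the original post or from OpenWrt's shipped defaults. In a routed site-to-site setup like the one above, where the server has `route`/`iroute` for 192.168.1.0/24 and pushes 192.168.0.0/24 to the client, no NAT is required, and the mixed behaviour observed is the normal result: a packet forwarded on behalf of a LAN host keeps that host's address (scenarios 1 and 3), while a packet a router generates itself takes the address of the interface it leaves through, here the tun address (scenarios 2 and 4). Masquerading on the tun interface changes only the first case, rewriting every LAN2 source to 10.8.2.10; that removes the need for the LAN1 side to know a route back to 192.168.1.0/24, but because NAT is one-directional it also stops LAN1 hosts from initiating connections to LAN2. As for the "Forward" dropdown: in OpenWrt's firewall (fw3) that general setting is the policy for forwarded traffic that no zone claims. tun1 is in no zone, so packets arriving from LAN1 over tun1 fell through to that default (reject by default), while LAN2-to-LAN1 traffic passed because the lan zone's own forward policy is accept. The narrower fix is to put the tunnel in its own zone and allow forwarding only between it and lan. The fragment is for /etc/config/firewall on the LAN2 (OpenWrt) router; the zone name `vpn`, the device name `tun1` (taken from the LAN2 routing table) and the masquerade variant are assumptions.

```uci
# Added example for /etc/config/firewall on the LAN2 (OpenWrt) router.
# Assumptions: the OpenVPN interface is tun1 (as in the routing table
# above), the zone is named 'vpn', and the existing 'lan' zone is unchanged.

# Zone for the tunnel. input ACCEPT lets the router itself answer pings and
# management traffic arriving from LAN1; masq 0 keeps the routed behaviour,
# so LAN2 hosts keep their 192.168.1.x source addresses across the tunnel
# (scenarios 1 and 3 above). mtu_fix clamps TCP MSS to the tunnel MTU.
config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '0'
	option mtu_fix '1'
	list device 'tun1'

# Allow forwarding in both directions between the LAN and the tunnel.
# With these in place the general "Forward" policy can go back to reject:
# traffic arriving on tun1 is now handled by the vpn zone instead of
# falling through to the default FORWARD chain policy.
config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'vpn'
	option dest 'lan'

# NAT variant (assumed alternative, not required for this setup): move these
# two lines into the 'vpn' zone above to masquerade everything from LAN2 as
# 10.8.2.10 on the way out. LAN1 then needs no route back to
# 192.168.1.0/24, but LAN1 hosts can no longer initiate connections to LAN2.
#	option masq '1'
#	list masq_src '192.168.1.0/24'
```

Apply with `/etc/init.d/firewall restart` and confirm with `iptables -L FORWARD -v -n` that the tun1 traffic is now counted in the zone_vpn chains rather than against the chain policy. The DD-WRT side needs the equivalent: its FORWARD chain must accept traffic between tun0 and br0 in both directions, and no MASQUERADE rule on tun0 if the routed (scenarios 1 and 3) behaviour is wanted.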

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Routed LAN setup issue with NAT or masquerading

Post by TinCanTech » Thu Dec 28, 2017 3:35 pm

Scentle5S wrote:
Thu Dec 28, 2017 3:30 pm
I believe this has something to do with NAT/masquerading
And that is the detail you have missed out...

Scentle5S
OpenVpn Newbie
Posts: 6
Joined: Sat Oct 14, 2017 1:18 am

Re: Routed LAN setup issue with NAT or masquerading

Post by Scentle5S » Thu Dec 28, 2017 3:45 pm

Could you elaborate, please? Like I said: I think I'm aware of the source of the problem, and you just confirmed it. But I also asked other questions, including how I could achieve this NAT/masquerading. I've read a lot of tutorials and have messed with the masquerade settings you can see in the screenshot of my original post, but couldn't figure out how to make this work. That's why I'm asking for help here.
