[solved] Connecting 3 sites together

nick1977
OpenVpn Newbie
Posts: 6
Joined: Sun Jul 31, 2011 12:56 pm

[solved] Connecting 3 sites together

Post by nick1977 » Sun Jul 31, 2011 1:18 pm

Hello

I am trying to connect 3 sites together with 3 ddwrt routers and openvpn. The 3 routers are connected just fine but there is something strange that I just can't quite understand.

Site 1:
ddwrt with openvpn client
Behind that router, I have 2 PCs

Site 2:
ddwrt with openvpn server
Behind that I have 1 PC and 1 server

Site 3:
ddwrt with openvpn client
Behind that I have 2 PC and 1 server

My goal is that each PC and server can access/ping/RDP/whatever every other PC or server in every sites.
Right now:
Site 1 can see everything in Site 2.
Site 3 can see everything in Site 2.

Site 2 doesn't seem to see anything in site 1 and 3 anymore... hmmm
I don't like that because Site2 and Site3 have been connected together for the past 2 years. I'm basically trying to add Site1

Here are my configs:

Client1:

ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
key /tmp/openvpncl/client.key
management 127.0.0.1 5001
management-log-cache 50
verb 4
mute 5
log-append /var/log/openvpncl
client
tls-client
resolv-retry infinite
nobind
persist-key
persist-tun
mtu-disc yes
dev tun1
proto udp
cipher bf-cbc
auth sha1
remote XX.XX.XX.XX 1194
tun-mtu 1500
comp-lzo adaptive
ns-cert-type server
fast-io
tun-ipv6
float
script-security 3 system

Client2:

client
dev tun
proto udp
remote XX.XX.XX.XX 1194
resolv-retry infinite
nobind
persist-key
persist-tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
ns-cert-type server
key /tmp/openvpncl/client.key
comp-lzo



Server:

push "route 192.168.0.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
server 192.168.66.0 255.255.255.0
route 192.168.2.0 255.255.255.0
route 192.168.0.0 255.255.255.0

dev tun0
proto udp
keepalive 10 120
verb 5
comp-lzo
client-to-client
float
client-config-dir /tmp/openvpn/ccd   # per-client files named after the certificate CN
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

I have created the ccd directory with the 2 files, each containing:
iroute 192.168.2.0 255.255.255.0
iroute 192.168.0.0 255.255.255.0

I hope you guys can help me!

nick1977
OpenVpn Newbie
Posts: 6
Joined: Sun Jul 31, 2011 12:56 pm

Re: Connecting 3 sites together

Post by nick1977 » Sun Jul 31, 2011 1:36 pm

Forgot to post my firewall settings:

Client1:
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.66.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT

Client2:
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.66.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Server:
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.66.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: Connecting 3 sites together

Post by Bebop » Sun Jul 31, 2011 2:01 pm

You say there are 2 servers, but you have only provided 1 server.conf, and only 1 set of ccd/iroutes. Is there another server.conf + another set of iroutes?

Also, you didn't mention if '1' can see all of '3' and if '3' can see all of '1'.

Who knows, maybe there's enough info there to solve the problem, but I'm first trying to fill in those blanks.
The cure for boredom is curiosity

nick1977
OpenVpn Newbie
Posts: 6
Joined: Sun Jul 31, 2011 12:56 pm

Re: Connecting 3 sites together

Post by nick1977 » Sun Jul 31, 2011 2:03 pm

Client1 netstat -nr:
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
XX.XX.XX.XX 0.0.0.0 255.255.255.255 UH 0 0 0 vlan2
192.168.66.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun1
192.168.1.0 192.168.66.5 255.255.255.0 UG 0 0 0 tun1
192.168.66.0 192.168.66.5 255.255.255.0 UG 0 0 0 tun1
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
XX.XX.XX.XX 0.0.0.0 255.255.255.0 U 0 0 0 vlan2
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 XX.XX.XX.XX 0.0.0.0 UG 0 0 0 vlan2

Client2 netstat -nr:
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.66.9 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
XX.XX.XX.XX 0.0.0.0 255.255.255.252 U 0 0 0 vlan2
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
192.168.1.0 192.168.66.9 255.255.255.0 UG 0 0 0 tun0
192.168.66.0 192.168.66.9 255.255.255.0 UG 0 0 0 tun0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 XX.XX.XX.XX 0.0.0.0 UG 0 0 0 vlan2

Server netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.66.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
XX.XX.XX.XX 0.0.0.0 255.255.255.252 U 0 0 0 vlan2
192.168.2.0 192.168.66.2 255.255.255.0 UG 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
192.168.0.0 192.168.66.2 255.255.255.0 UG 0 0 0 tun0
192.168.66.0 192.168.66.2 255.255.255.0 UG 0 0 0 tun0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 XX.XX.XX.XX 0.0.0.0 UG 0 0 0 vlan2

nick1977
OpenVpn Newbie
Posts: 6
Joined: Sun Jul 31, 2011 12:56 pm

Re: Connecting 3 sites together

Post by nick1977 » Sun Jul 31, 2011 2:12 pm

Bebop wrote: You say there are 2 servers, but you have only provided 1 server.conf, and only 1 set of ccd/iroutes. Is there another server.conf + another set of iroutes?

Also, you didn't mention if '1' can see all of '3' and if '3' can see all of '1'.

Who knows, maybe there's enough info there to solve the problem, but I'm first trying to fill in those blanks.

Thanks for the reply...

There is 1 openvpn server, the 2 servers I was talking about are regular servers (Mail server, Application server....), nothing to do with openvpn.

That is my problem... 1 cannot see 3 and 3 cannot see 1...
Yes I have both files with the iroutes in the CCD directory. Both have the same entries in them.

I made a little schema of the whole network if you want to see it, I just can't seem to attach it to the thread.

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: Connecting 3 sites together

Post by Bebop » Sun Jul 31, 2011 2:18 pm

nick1977 wrote: I was talking about are regular servers
I see now. ovpn server on site 2. cool.

1-->2=ok
1-->3=no
2-->1=no
2-->3=no
3-->1=no
3-->2=yes

for now, assuming the client confs are ok.

can you make a backup of the server.conf and then do some changes.

delete all the push and all the route commands from the server.

also, to verify your ccd is correct, can you confirm that client1 is owner of "192.168.2.0 255.255.255.0" and client2 is owner of "192.168.0.0 255.255.255.0".....

After that it should be working (restart openvpn).

nick1977
OpenVpn Newbie
Posts: 6
Joined: Sun Jul 31, 2011 12:56 pm

Re: Connecting 3 sites together

Post by nick1977 » Sun Jul 31, 2011 3:26 pm

Deleted the push and route commands.

What do you mean by verifying the ownership of the ccd files?
Permissions are root:root 644
When it connects I can see in the logs:
Jul 31 11:02:54 Router-Granby daemon.notice openvpn[636]: client1/XX.XX.XX.XX:1028 MULTI: internal route 192.168.0.0/24 -> client1/XX.XX.XX.XX:1028
Jul 31 11:02:54 Router-Granby daemon.notice openvpn[636]: client1/XX.XX.XX.XX:1028 MULTI: Learn: 192.168.0.0/24 -> client1/XX.XX.XX.XX:1028
Jul 31 11:02:54 Router-Granby daemon.notice openvpn[636]: client1/XX.XX.XX.XX:1028 MULTI: internal route 192.168.2.0/24 -> client1/XX.XX.XX.XX:1028
Jul 31 11:02:54 Router-Granby daemon.notice openvpn[636]: client1/XX.XX.XX.XX:1028 MULTI: Learn: 192.168.2.0/24 -> client1/XX.XX.XX.XX:1028

Same with the other client

New server.conf:

server 192.168.66.0 255.255.255.0
dev tun0
proto udp
keepalive 10 120
verb 5
comp-lzo
client-to-client
float
client-config-dir /tmp/openvpn/ccd
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem


After the changes, Site1 and Site3 can no longer ping the server and PC that are in Site2.

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Connecting 3 sites together

Post by Mimiko » Sun Jul 31, 2011 4:08 pm

Hello. I will try to make myself useful.

Something I'm not certain:
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
Can't this be done in one line?
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
You don't need this on the client side, because you don't have any services there, so accepting connections to nowhere on these ports may be a security risk. Accepting external access to tcp/udp 1194 is needed only where the OpenVPN server is installed. When the tunnel works fine, you will have to remove one input rule, tcp or udp, whichever you are not using.

To make sure I understand correctly, please confirm:
Server's LAN IP pool is 192.168.1.0.
Client 1 LAN IP pool is 192.168.0.0
Client 2 LAN IP pool is 192.168.2.0

Do you use the same certificate on the clients? Are the common names used to generate the client certificates different?

Do you want to route IPv6? Are you using IPv6? If not, remove "tun-ipv6" from config for now. When all will work fine - you could practice with it.

Your clients do not receive the route option for accessing the other client. In the routing table of client 1 you have to have

192.168.2.0 192.168.66.5 255.255.255.0 UG 0 0 0 tun1

On client 2 you have to have

192.168.0.0 192.168.66.5 255.255.255.0 UG 0 0 0 tun1

That's why your clients can't see each other.

In your server's config you have:

push "route 192.168.0.0 255.255.255.0" # makes client 2 aware of the LAN on client 1, which seems not to work
push "route 192.168.1.0 255.255.255.0" # makes the clients aware of the server's LAN, which works
push "route 192.168.2.0 255.255.255.0" # makes client 1 aware of the LAN on client 2, which seems not to work

route 192.168.2.0 255.255.255.0 # makes the server aware of client 2's LAN
route 192.168.0.0 255.255.255.0 # makes the server aware of client 1's LAN

But in order to have the real routes work, you have to create in that ccd folder two files named with the COMMON NAME given to client 1 and client 2 when creating their certificates.

In the file with the common name of client 1 you have to write only:

iroute 192.168.0.0 255.255.255.0

In the file with the common name of client 2 you have to write only:

iroute 192.168.2.0 255.255.255.0

Not both "iroute" lines in both files.

It's more that on the clients not all routes are added. You have to leave those "route" and "push route" lines from your first server config in place and show the connection log of each client and the server, to find where the routes for the LAN pools are failing.
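
The three rules this post relies on (one `iroute` owner per subnet, a server `route` for every `iroute`, and a `push "route"` so the other clients learn each LAN) can be checked before restarting anything. The following is an added example, not code from the thread or from the OpenVPN project: a small checker that reads a server.conf and the ccd files and lists what is inconsistent. The sample configs at the bottom are constructed to mirror the thread's three sites and the three states the thread went through (both ccd files claiming both subnets as first posted, the push/route lines deleted, and the corrected ccd files with the push/route lines restored). The names `check_site_to_site`, `Finding` and the sample constants are this example's own.

```python
"""
Consistency check for an OpenVPN hub-and-spoke routing setup: server.conf plus
the client-config-dir (ccd) files.  Added example, not code from the thread or
from OpenVPN; the sample configs at the bottom are constructed to mirror the
thread's sites (server LAN 192.168.1.0/24, client1 192.168.0.0/24, client2
192.168.2.0/24).  Rules checked:
  1. a client LAN is claimed by exactly one ccd file via `iroute`; the server's
     internal table maps a subnet to a single client, so a subnet listed in two
     ccd files follows whichever client connected last;
  2. every `iroute` subnet has a matching `route` in server.conf, or the kernel
     never hands those packets to the tun device;
  3. every LAN behind the tunnel (the server's own included) is pushed with
     `push "route ..."` so the other clients learn it.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

Net = ipaddress.IPv4Network
ROUTE_RE = re.compile(r"^(push\s+route|route|iroute)\s+(\S+)\s+(\S+)$")


def parse_routes(text: str) -> dict[str, list[Net]]:
    """Collect route / iroute / pushed-route subnets from an OpenVPN config."""
    out: dict[str, list[Net]] = {"route": [], "iroute": [], "push": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].replace('"', "").strip()  # drop comments and quotes
        m = ROUTE_RE.match(line)
        if m:
            kind, addr, mask = m.groups()
            key = "push" if kind.startswith("push") else kind
            out[key].append(Net(f"{addr}/{mask}", strict=False))
    return out


@dataclass(frozen=True)
class Finding:
    level: str  # "error" breaks connectivity, "warn" degrades it
    msg: str


def check_site_to_site(server_conf: str, ccd: dict[str, str],
                       server_lan: Net | None = None) -> list[Finding]:
    """Return the problems found; an empty list means the routing is consistent."""
    findings: list[Finding] = []
    srv = parse_routes(server_conf)
    owners: dict[Net, list[str]] = {}  # subnet -> ccd common names claiming it
    for cn, text in ccd.items():
        for net in parse_routes(text)["iroute"]:
            owners.setdefault(net, []).append(cn)
    for net, cns in sorted(owners.items()):
        if len(cns) > 1:
            findings.append(Finding("error", f"{net} has an iroute in {sorted(cns)}; "
                                             "exactly one ccd file may own it"))
        if net not in srv["route"]:
            findings.append(Finding("error", f"{net} is iroute'd but server.conf has no 'route' for it"))
        if net not in srv["push"]:
            findings.append(Finding("warn", f"{net} is not pushed; other clients get no route to it"))
    for net in srv["route"]:
        if net not in owners:
            findings.append(Finding("error", f"server routes {net} into the tun but no ccd file iroutes it"))
    if server_lan is not None and server_lan not in srv["push"]:
        findings.append(Finding("warn", f"server LAN {server_lan} is not pushed; clients lose access to it"))
    return findings


def errors(findings: list[Finding]) -> list[str]:
    return [f.msg for f in findings if f.level == "error"]


# constructed sample configs mirroring the thread (not the poster's own files)
SERVER_LAN = Net("192.168.1.0/24")
SERVER_FULL = """
push "route 192.168.0.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
server 192.168.66.0 255.255.255.0
route 192.168.2.0 255.255.255.0
route 192.168.0.0 255.255.255.0
client-to-client
client-config-dir /tmp/openvpn/ccd
"""
SERVER_STRIPPED = "server 192.168.66.0 255.255.255.0\nclient-to-client\n"  # push/route deleted
CCD_BROKEN = {  # as first posted: both files claim both subnets
    "client1": "iroute 192.168.0.0 255.255.255.0\niroute 192.168.2.0 255.255.255.0\n",
    "client2": "iroute 192.168.0.0 255.255.255.0\niroute 192.168.2.0 255.255.255.0\n",
}
CCD_FIXED = {  # one owner per subnet
    "client1": "iroute 192.168.0.0 255.255.255.0\n",
    "client2": "iroute 192.168.2.0 255.255.255.0\n",
}

if __name__ == "__main__":
    for label, conf, ccd in (("as posted", SERVER_FULL, CCD_BROKEN),
                             ("push/route deleted", SERVER_STRIPPED, CCD_FIXED),
                             ("fixed", SERVER_FULL, CCD_FIXED)):
        print(f"== {label} ==")
        for f in check_site_to_site(conf, ccd, SERVER_LAN) or [Finding("ok", "routing consistent")]:
            print(f"  [{f.level}] {f.msg}")
```

The "as posted" state yields two errors (each subnet is iroute'd by both ccd files); the "push/route deleted" state yields two errors for iroutes without a server `route` plus three warnings, one of them that the server's own LAN is no longer pushed, which is the point at which the clients stop reaching site 2; the fixed state yields nothing. To use it on a real router, read server.conf and each file under the `client-config-dir` (keyed by file name, which must equal the certificate common name) and pass them in.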

nick1977
OpenVpn Newbie
Posts: 6
Joined: Sun Jul 31, 2011 12:56 pm

Re: Connecting 3 sites together

Post by nick1977 » Sun Jul 31, 2011 5:25 pm

Mimiko wrote: To make sure I understand correctly, please confirm:
Server's LAN IP pool is 192.168.1.0.
Client 1 LAN IP pool is 192.168.0.0
Client 2 LAN IP pool is 192.168.2.0
Correct
Mimiko wrote: Do you use the same certificate on the clients?
No, different certificates: Client1 and Client2, which are the same names as the files in the ccd directory.
Mimiko wrote: Do you want to route IPv6?
No I don't, but with ddwrt some settings are there by default; I will remove it.
Mimiko wrote: you have to write only
That was my problem, now everything is working just fine.
Thank you so much!

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: Connecting 3 sites together

Post by Bebop » Sun Jul 31, 2011 10:32 pm

Well done Mimi ^^ (and nick1977 too)

Solved / closed
