OpenVPN Support Forum

Hi,
I hope someone could help me. I'm trying to configure a new Openvpn client on my Openwrt router which should act as a client for am already working server on a vps.
I've been able to configure correctly . Client tap0 is correctly created. I can ping it internally. But I can't ping server and vice versa. Probably a routing or firewall issue. I'm pretty sure it's a problem related to routing. I'm absolutely newbie in that. Here's my configs: (thanks a lot).

server.conf
port 1194
proto udp
dev tap
ca ./keys/ca.crt
cert ./keys/pippo.crt
key ./keys/pippo.key # This file should be kept secret
dh ./keys/dh1024.pem
tls-auth ./keys/secret-pippo.key 0
server 10.8.0.0 255.255.255.0
tls-server
ifconfig-pool-persist ipp.txt
client-config-dir ccd
route 192.168.1.0 255.255.255.0
client-to-client
comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
mute 20
route 192.168.1.0 255.255.255.0


client.conf
;client
ifconfig 10.8.0.6 255.255.255.0
ifconfig-nowarn
dev tap
tls-client
proto udp
remote xxx.xxx.xxx.xxx 1194
persist-key
persist-tun
mute-replay-warnings
ca ./keys/ca.crt
cert ./keys/pippo2.org.crt
key ./keys/pippo2.org.key # This file should be kept secret
ns-cert-type server
dh ./keys/dh1024.pem
tls-auth ./keys/secret-pippo2.key 1
keepalive 15 120
verb 3
mute 20
comp-lzo
status /etc/openvpn/openvpn-status.log
tun-mtu 1500
tun-mtu-extra 32
mlock
nobind


these are my firewall.user config
iptables -A input_rule -i tun+ -j ACCEPT
iptables -A output_rule -o tun+ -j ACCEPT
iptables -A forwarding_rule -i tun+ -j ACCEPT
iptables -A forwarding_rule -o tun+ -j ACCEPT

iptables -A input_rule -i tap+ -j ACCEPT
iptables -A output_rule -o tap+ -j ACCEPT
iptables -A forwarding_rule -i tap+ -j ACCEPT
iptables -A forwarding_rule -o tap+ -j ACCEPT


iptables -t nat -A prerouting_wan -p udp --dport 1194 -j ACCEPT
iptables -A input_wan -p udp --dport 1194 -j ACCEPT

route -n server
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 venet0
0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 venet0

router -n client
151.***.***.* 0.0.0.0 255.255.255.255 UH 0 0 0 pppoe-wan
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan

ccd config content for my client:
iroute 192.168.1.0 255.255.0.0
push "route 10.8.0.0 255.255.0.0"

hi there,

better use tun not tap,

on server side

remove the route 192.168.1.0 directive (you have it twice)

on clients ccd file
remove push route (openvpn does it automatically)
add
ifconfig-push 10.8.0.10 10.8.0.9
fix the mask on iroute to 255.255.255.0

on client side

remove ifconfig command (you are using server mode with ccd)
uncomment client directive
also if you want to create lan-to-lan scenario you must:
enable ip forwarding in *both* openvpn endpoints

you are using DIFFERENT tls-auth key..this is wrong
can you also tell us the command sequence you used to create your certs?

my advice
disable for start firewall on both ends ,then enable and try to troubleshoot
firewalling issues.


Michael.