OpenVPN clients connected to router running OpenVPN client can't see network

Hi All

Been having a headache of a time getting OpenVPN working between our shop router on OpenWrt 21.0.2.3 and the OpenVPN server on an Asus RT-AX88U running the latest Merlin 386.7 firmware.

The desire is for devices at home to be able to see the shop router = Working
Any device connected on the vpn can see the shop router and my home router = Working
Shop router able to see the home router = Working
Devices connected to the router over DHCP able to see the home router = Not Working :frowning: -> connection refused

OpenVPN is set up as LAN access only, so the shop router's internet still goes through the 4G dongle.

Here is my config. Thanks.

openvpn

daemon ovpn-server1
topology subnet
server 10.8.0.0 255.255.255.0
proto udp4
multihome
port 1194
dev tun21
txqueuelen 1000
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
data-ciphers-fallback AES-128-CBC
auth SHA1
compress lzo
keepalive 15 60
verb 3
list push "route 192.168.0.0 255.255.255.0 vpn_gateway 500"
client-config-dir ccd
client-to-client
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn
verify-client-cert none
username-as-common-name
ca ca.crt
dh dh.pem
cert server.crt
key server.key
script-security 2
up 'ovpn-up 1 server'
down 'ovpn-down 1 server'
status-version 2
status status 5

# Custom Configuration
client-config-dir /jffs/scripts

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	list network 'wan'
	list network 'wan6'
	list network 'lte'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config zone
	option name 'vpn'
	option output 'ACCEPT'
	option input 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'vpn'
	option dest 'wan'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Huewei'
	option src 'lan'
	option src_dport '8088'
	option dest_ip '192.168.8.100'
	option dest_port '80'

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd64:3473:1860::/48'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config device
	option name 'eth0'
	option macaddr 'c2:3f:0e:77:3a:2a'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.0.0.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'
	option blinkrate '2'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5'

config switch_port
	option device 'switch0'
	option port '1'
	option led '6'

config switch_port
	option device 'switch0'
	option port '2'
	option led '9'

config switch_port
	option device 'switch0'
	option port '5'
	option led '2'

config interface 'vpn'
	option device 'tun0'
	option proto 'none'

config interface 'lte'
	option device 'eth2'
	option proto 'dhcp'

FWIW, I had already changed settings in the firewall allowing LAN -> VPN and VPN -> LAN, but I took those off on advice from another old thread; that didn't change any of the stuff that was already working, whether they were on or not. Also tried a bunch of forwarding rules.

My home router running the VPN server is 192.168.0.1.
My shop router on OpenWrt running the VPN client is 10.0.0.1.
The IP the shop router gets over the VPN is 10.8.0.6.

I have a custom script running on the OpenVPN server that statically assigns an IP address based on the user, which looks like this:

ifconfig-push 10.8.0.6 255.255.255.0

Many thanks.

I don't see any lan -> vpn forwarding.
Also it is not clear if there are routes installed when the vpn is up, so that both routers know where to find the lan subnets of each other.


The home router must have a route to the shop LAN, such as 10.0.0.1/24 via 10.8.0.6. (10.8.0.6 is the IP the OpenVPN server has assigned to the shop). Similarly the shop router needs a route to the home LAN such as 192.168.0.1/24 via 10.8.0.1. This can be pushed by the OpenVPN server if configured to do so. In the case where all shop Internet usage would be redirected through home (which you aren't doing), the shop default route being via VPN also encompasses the home LAN. Since you're not redirecting default, you need a specific route for the home LAN.

NAT must not be enabled on either of the lan to vpn forwards. This situation calls for symmetric routing.

The firewall in the home router must allow forwarding from its lan to vpn. If you can ping 10.8.0.6 from a home LAN machine that is probably true.
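The checks in this reply (a tunnel route on each side, lan <-> vpn forwarding in both directions, no NAT on the vpn zone) can be scripted. The script below is an added example, not something posted in this thread; it uses the poster's addresses (home LAN 192.168.0.0/24, shop LAN 10.0.0.0/24, shop tunnel address 10.8.0.6) and feeds each check constructed text in the shape of `ip route` and `uci show firewall` output so it runs offline. It also checks one thing the reply does not spell out: on a multi-client OpenVPN server the kernel route to the shop LAN is not enough on its own, the client's ccd entry also needs an `iroute` so OpenVPN knows which client that LAN sits behind. The sample ccd contents and the `masq='1'` in the "broken" firewall sample are constructed to exercise those checks; the poster's own vpn zone has no masq option.

```shell
#!/bin/sh
# Added diagnostic for the routing/forwarding requirements in the reply above.
# Not from the thread: the addresses are the poster's, the command output below
# is constructed so the checks can be exercised without a router.

HOME_LAN="192.168.0.0/24"               # LAN behind the OpenVPN server (Asus)
SHOP_LAN="10.0.0.0/24"                  # LAN behind the OpenWrt client
SHOP_LAN_OVPN="10.0.0.0 255.255.255.0"  # same network in OpenVPN's notation

# has_route NETWORK "ip route output": a kernel route for NETWORK exists and it
# leads into the tunnel, either "dev tunX" or via a 10.8.0.x next hop.
has_route() {
  printf '%s\n' "$2" | grep -E "^$1 " | grep -qE "dev tun|via 10\.8\.0\."
}

# has_forwarding SRC DEST "uci show firewall output": a forwarding section
# SRC->DEST exists. Both lan->vpn and vpn->lan are needed for symmetric routing.
has_forwarding() {
  printf '%s\n' "$3" | tr -d "'" | awk -F'[][]' -v s="$1" -v d="$2" '
    /^firewall\.@forwarding\[/ {
      if ($0 ~ /\.src=/)  src[$2] = $0
      if ($0 ~ /\.dest=/) dst[$2] = $0
    }
    END {
      for (i in src)
        if (src[i] ~ ("=" s "$") && dst[i] ~ ("=" d "$")) found = 1
      exit !found
    }'
}

# vpn_zone_masq "uci show firewall output": true when the vpn zone has masq=1,
# which would hide the shop LAN behind 10.8.0.6 and defeat symmetric routing.
vpn_zone_masq() {
  printf '%s\n' "$1" | tr -d "'" | awk -F'[][]' '
    /^firewall\.@zone\[/ {
      if ($0 ~ /\.name=vpn$/) vpn = $2
      if ($0 ~ /\.masq=1$/)   masq[$2] = 1
    }
    END { exit !(vpn != "" && (vpn in masq)) }'
}

# ccd_has_iroute "net mask" "ccd file contents": the server-side client-config
# entry carries an iroute for the shop LAN (OpenVPN-internal routing).
ccd_has_iroute() {
  printf '%s\n' "$2" | grep -qE "^iroute +$1( |$)"
}

# check_shop_router "ip route output" "uci show firewall output": prints one
# line per check and returns the number of failed checks (0 = all good).
check_shop_router() {
  fails=0
  if has_route "$HOME_LAN" "$1"; then echo "ok   route to $HOME_LAN via tunnel"
  else echo "FAIL no route to $HOME_LAN via tunnel"; fails=$((fails + 1)); fi
  if has_forwarding lan vpn "$2"; then echo "ok   forwarding lan->vpn"
  else echo "FAIL forwarding lan->vpn missing"; fails=$((fails + 1)); fi
  if has_forwarding vpn lan "$2"; then echo "ok   forwarding vpn->lan"
  else echo "FAIL forwarding vpn->lan missing"; fails=$((fails + 1)); fi
  if vpn_zone_masq "$2"; then echo "FAIL vpn zone has masq=1 (NAT)"; fails=$((fails + 1))
  else echo "ok   vpn zone does not NAT"; fi
  return $fails
}

# Constructed samples (not real router output) in the shape of "ip route" and
# "uci show firewall" on the shop router, before and after the fix.
ROUTES_FIXED='default via 192.168.8.1 dev eth2
10.0.0.0/24 dev br-lan scope link src 10.0.0.1
10.8.0.0/24 dev tun0 scope link src 10.8.0.6
192.168.0.0/24 via 10.8.0.1 dev tun0'
ROUTES_BROKEN=$(printf '%s\n' "$ROUTES_FIXED" | grep -v '^192.168.0.0/24')

UCI_FIXED="firewall.@zone[2]=zone
firewall.@zone[2].name='vpn'
firewall.@zone[2].forward='REJECT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='vpn'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='vpn'
firewall.@forwarding[2].dest='lan'"
# Shape of the poster's original (vpn zone only forwards to wan) plus a
# constructed masq='1' on the vpn zone to exercise the NAT check.
UCI_BROKEN="firewall.@zone[2]=zone
firewall.@zone[2].name='vpn'
firewall.@zone[2].masq='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='vpn'
firewall.@forwarding[1].dest='wan'"

# Constructed home-router side: its route to the shop LAN and the shop's ccd entry.
HOME_ROUTES='10.0.0.0/24 via 10.8.0.6 dev tun21
10.8.0.0/24 dev tun21 scope link src 10.8.0.1'
CCD_FIXED='ifconfig-push 10.8.0.6 255.255.255.0
iroute 10.0.0.0 255.255.255.0'

# On the real shop router replace the samples with "$(ip route)" and "$(uci show firewall)".
echo "--- broken configuration ---"; check_shop_router "$ROUTES_BROKEN" "$UCI_BROKEN" || echo "$? problem(s)"
echo "--- fixed configuration ---";  check_shop_router "$ROUTES_FIXED"  "$UCI_FIXED"  && echo "symmetric routing in place"
echo "--- home side ---"
has_route "$SHOP_LAN" "$HOME_ROUTES" && echo "ok   home router routes $SHOP_LAN into the tunnel"
ccd_has_iroute "$SHOP_LAN_OVPN" "$CCD_FIXED" && echo "ok   ccd entry carries iroute for $SHOP_LAN_OVPN"
```

The checks are deliberately read-only: they parse the output of `ip route` and `uci show firewall` rather than changing anything, so they are safe to run on both routers while comparing notes in a thread like this one. Each function returns a plain exit status, which makes it easy to wire into a cron job or a `ovpn-up`-style hook to catch the route silently disappearing after a reconnect.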

Thanks, that actually fixed it; however, it was the final piece of the puzzle after I changed my OpenVPN server setup to have clients use individual certs and also to push the forwarding, as mk24 already told me to in another thread lol. I actually couldn't do that before, but I just flashed my Asus router to Merlin, which allows it.

So here ends 4 days of trial and error and much cussing. I'm done, I think :slight_smile:

@babai93 - since your issue is almost certainly different than the OP, please open your own thread. The community will help you there.

