Openvpn routing problem#2

Earlier, I had a similar problem with routing and then you guys helped me. Time has passed, I have not used openvpn for a long time and now I have re-installed it on the newly installed firmware 23.05. The scenario is the same as it was in my previous post. R1 is an openwrt router, a provider cable is inserted into the wan port, the router distributes Internet over lan and wlan. R2 is an openwrt router with openvpn installed, the wan port is not used, dhcp is disabled on the lan interface, instead a static lan ip address 192.168.1.96 is simply installed. Openvpn port forwarded from R1 to R2. In order for the local network 192.168.1.0/24 to work, I added a route on R1, namely
route add -net 10.8.0.0/24 gw 192.168.1.96, as well as to R2
uci set openvpn.sample_server.push='route 192.168.1.0 255.255.255.0'
Now when I connect from my phone to my server using the 'OpenVPN for Android' application I can ping from my phone only R1 and R2, other devices on the home network do not ping for some reason.

*On R2 the firewall is disabled

Other devices might have a firewall which does not allow traffic from 10.8.0.0/24, e.g. from your Android phone.

To test if this is the case enable MASQUERADE on the lan firewall zone of R2

1 Like

One of the devices in the home network is the Nas, it has the address 192.168.1.94. I tried to register a route on it the same as on R1,
route add -net 10.8.0.0/24 gw 192.168.1.96
after that the nas successfully pings from the phone. The problem is that, as I wrote earlier in a previous post on the link, then it was enough to register the route only on r1, and after that all the devices of the home network immediately became available from the phone, and now I have to register the route on each of my devices separately. I don't know much about MASQUERADE, I'll read about it later.

That could indicate that the route has not registered at all on R1
If you can SSH into R1 you can simply check with (assuming it is some form of linux):
ip route show
or for old versions:
route -n

Edit: I am not sure if route supports CIDR notation so try with:
route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.1.96

Edit2: I checked and it can use CIDR notation

The route is registered on R1.

root@OpenWrt:~# ip route show
...
10.8.0.0/24 via 192.168.1.96 dev br-lan
...

Once again, I will clarify that after adding the route on r1, only r1 and r2 respond to ping from the phone. The Nas responds to ping only after I register a similar route on the nas itself.

Try the following, on router 1 in the firewall lan zone under conntrack settings: enable Allow "invalid" traffic

If you still have the firewall enabled on router 2 do the same on router 2

Reboot afterwards

1 Like

It helped! I remembered that a long time ago I turned on "Drop invalid traffic" in the firewall zone settings. It seemed to me that this option is harmful to security. The firewall is turned off on R2, so it was enough to allow invalid traffic on R1. Now the entire 192.168.1.0/24 network is visible from the phone.

1 Like
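The thread never spells out why "Drop invalid" on R1 breaks pings to the NAS while pings to R1 and R2 work, or why the MASQUERADE suggestion earlier in the thread is an alternative to allowing invalid traffic. The model below is an added example, not code from the thread or from OpenWrt; it uses the poster's addresses (R1 192.168.1.1, R2 192.168.1.96, NAS 192.168.1.94, VPN 10.8.0.0/24; the phone's 10.8.0.2 and the NAS default gateway are assumptions) and a simplified stand-in for netfilter conntrack and SNAT. It traces an echo request hop by hop: the request goes phone -> R2 -> NAS directly over the LAN, but the NAS sends its reply to its default gateway R1, which has never seen the request, so a stateful firewall there classifies the reply as INVALID. Allowing invalid traffic on R1 makes it forward the reply back to R2; MASQUERADE on R2's lan zone (or the poster's workaround of a route on the NAS) keeps the reply away from R1 altogether, so R1 can keep dropping invalid packets.

```python
"""Model of the thread's topology: phone <-VPN-> R2, with R2 and the NAS on R1's LAN.
Constructed example, not from the thread or OpenWrt; conntrack and masquerading are
a simplified model of Linux netfilter behaviour."""
import ipaddress
from dataclasses import dataclass, field

LAN_NET = ipaddress.ip_network("192.168.1.0/24")


@dataclass
class Packet:
    src: str
    dst: str
    reply: bool = False          # False = ICMP echo request, True = echo reply


@dataclass
class Node:
    name: str
    addrs: set
    routes: list                 # (prefix, gateway); gateway None means on-link
    drop_invalid: bool = False   # OpenWrt "Drop invalid" in the zone's conntrack settings
    masquerade: str = None       # address to SNAT to when forwarding onto the LAN
    conntrack: set = field(default_factory=set)
    nat: dict = field(default_factory=dict)   # LAN peer -> original VPN client source

    def next_hop(self, dst):
        """Longest-prefix match; returns the gateway, or dst itself if on-link."""
        d, best = ipaddress.ip_address(dst), None
        for prefix, gw in self.routes:
            net = ipaddress.ip_network(prefix)
            if d in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        return None if best is None else (best[1] or dst)


class Lab:
    def __init__(self, nodes):
        self.by_name = {n.name: n for n in nodes}
        self.by_addr = {a: n for n in nodes for a in n.addrs}

    def ping(self, src_name, dst):
        """Echo request from src_name to dst. Returns (reply_received, path)."""
        node = self.by_name[src_name]
        path = [node.name]
        ok = self._forward(node, Packet(next(iter(node.addrs)), dst), path, ttl=8)
        return ok, path

    def _hop(self, node, pkt, path, ttl):
        path.append(node.name)
        if node.drop_invalid:
            # Stateful firewall: a reply with no matching tracked flow is INVALID.
            flow = frozenset((pkt.src, pkt.dst))
            if pkt.reply and flow not in node.conntrack:
                path.append("DROP(invalid)")
                return False
            node.conntrack.add(flow)
        if pkt.reply and pkt.dst == node.masquerade and pkt.src in node.nat:
            pkt = Packet(pkt.src, node.nat.pop(pkt.src), True)   # undo the SNAT
        if pkt.dst in node.addrs:
            if pkt.reply:
                return True                               # reply reached the sender
            pkt = Packet(pkt.dst, pkt.src, reply=True)   # answer the echo request
        return self._forward(node, pkt, path, ttl)

    def _forward(self, node, pkt, path, ttl):
        gw = node.next_hop(pkt.dst)
        if ttl == 0 or gw not in self.by_addr:
            path.append("DROP(no route)")
            return False
        if node.masquerade and not pkt.reply and ipaddress.ip_address(gw) in LAN_NET:
            node.nat[pkt.dst] = pkt.src                 # remember the real client
            pkt = Packet(node.masquerade, pkt.dst)      # MASQUERADE on the lan zone
        return self._hop(self.by_addr[gw], pkt, path, ttl - 1)


def build_lab(drop_invalid=True, masquerade=None, nas_route=False):
    r2 = "192.168.1.96"
    nas_routes = [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]
    if nas_route:                      # the poster's workaround: a route on the NAS itself
        nas_routes.append(("10.8.0.0/24", r2))
    return Lab([
        Node("phone", {"10.8.0.2"}, [("10.8.0.0/24", None), ("192.168.1.0/24", "10.8.0.1")]),
        Node("R2", {r2, "10.8.0.1"}, [("192.168.1.0/24", None), ("10.8.0.0/24", None),
                                      ("0.0.0.0/0", "192.168.1.1")], masquerade=masquerade),
        Node("R1", {"192.168.1.1"}, [("192.168.1.0/24", None), ("10.8.0.0/24", r2)],
             drop_invalid=drop_invalid),
        Node("NAS", {"192.168.1.94"}, nas_routes),
    ])


if __name__ == "__main__":
    for label, lab in [("drop invalid on R1", build_lab()),
                       ("allow invalid on R1", build_lab(drop_invalid=False)),
                       ("drop invalid + MASQUERADE on R2", build_lab(masquerade="192.168.1.96")),
                       ("drop invalid + route on NAS", build_lab(nas_route=True))]:
        for target in ("192.168.1.1", "192.168.1.94"):
            ok, path = lab.ping("phone", target)
            print(f"{label:34} ping {target:13} {'OK ' if ok else 'FAIL'} {' -> '.join(path)}")
```

Running it shows the four outcomes side by side: with "Drop invalid" on R1 and nothing else, a ping to R1 completes (R1 saw the request itself) while a ping to the NAS dies at R1 as an invalid reply; allowing invalid traffic lets the reply hairpin R1 -> R2 -> phone; with masquerading on R2 or a route on the NAS the reply path is NAS -> R2 -> phone and R1 is never involved, which is the option that keeps R1's stateful filtering intact.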
