OpenVPN site-to-site troubleshooting

Hello! Could you please help me to solve my situation...

I have two LANs which I want to join via an OpenVPN tunnel (site-to-site).

First LAN: 192.168.1.0 255.255.255.0
Second LAN: 192.168.0.0 255.255.255.0

First LAN runs with AdvancedTomato router. Second LAN - with OpenWRT 19.0.7.2.

AdvancedTomato is the OpenVPN server and OpenWRT is the client.

Static routes are added on both routers.
On OpenWRT via LuCI Network>Static Routes (tun0, 192.168.1.0, 255.255.255.0),
On AdvancedTomato via OpenVPN configuration (route 192.168.0.0 255.255.255.0).

Right now I can access the 192.168.1.0 network from the 192.168.0.0 network (the client can access the server's LAN), but I can't access the 192.168.0.0 network from the 192.168.1.0 network (the server can't access the client's LAN).

Could you please tell me what I can double-check to solve this problem?

P.S.: I think the problem might be in the firewall settings of OpenWRT, but I have no idea how to set it up properly...
Right now tun0 is added to the "wan" zone, which is reject/accept/reject (input/output/forward).
I tried to assign a new zone exclusively to tun0 and make it accept/accept/accept, but with no effect at all...

P.P.S: sorry for my English... :slight_smile:

Post these configs: ssh into your router and copy/paste

cat /etc/config/network

cat /etc/config/firewall

I would recommend putting the VPN into its own zone. But let's see your config as Bill requested and we'll go from there.


Here it is.

cat /etc/config/network

# Firewall sections (defaults / zone / forwarding / rule) - this is the content of
# /etc/config/firewall, although the command line above this paste reads "network".
# Leading whitespace is inconsistent because it was copied from a terminal (the poster
# confirms this further down); a few lines were also broken mid-option by the paste.
config defaults
		option syn_flood '1'
		option input 'ACCEPT'
		option output 'ACCEPT'
		option forward 'REJECT'

    config zone
		option name 'lan'
		list network 'lan'
		option input 'ACCEPT'
		option output 'ACCEPT'
		option forward 'ACCEPT'

	config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        # tun0 (the tunnel to the Tomato side) and TUN1 are members of the wan zone here,
        # so packets arriving from the tunnel get this zone's input/forward REJECT policy
        # and only the explicit src 'wan' rules below reach the router itself.
        option network 'wan wan6 TUN1 tun0'
        option input 'REJECT'
        option forward 'REJECT'

    config forwarding
        option src 'lan'
        option dest 'wan'
    
	config	rule
		option name 'Allow-DHCP-Renew'
		option src 'wan'
		option proto 'udp'
		option dest_port '68'
		option target 'ACCEPT'
		option family 'ipv4'

    config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'                                                 
		option family 'ipv4'
		option target 'ACCEPT'

	config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

    config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'                                                        
		option dest_ip 'fc00::/6'
		option dest_port '546'
		option family 'ipv6'
        option target 'ACCEPT'

    config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'                                                          
		option family 'ipv6'
		option target 'ACCEPT'

	config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'                                        
		list icmp_type 'packet-too-big'
		list icmp_type 'time-exceeded'
		list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

    config rule
        # NOTE(review): the next two lines are one "option src 'wan'" that the paste
        # broke apart (the word 'option' was pushed to the end of the name line).
        option name 'Allow-ICMPv6-Forward'                                              option
		src 'wan'
		option dest '*'
		option proto 'icmp'
        list icmp_type 'echo-request'
		list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

    config rule
        option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

    config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

    # Whatever /etc/firewall.user contains is not part of this paste.
    config include
        option path '/etc/firewall.user'
    # NOTE(review): no zone named 'tun0Tomato' or 'tun0tomato' is defined anywhere in
    # this file, so the four forwardings below have no effect (a later reply says to
    # delete them). The last 'config forwarding' is also indented like an option line.
    config forwarding
	option dest 'lan'
        option src 'tun0Tomato'

    config forwarding
        option dest 'tun0Tomato'
        option src 'lan'

    config forwarding
        option dest 'lan'
        option src 'tun0tomato'
        config forwarding
        option dest 'tun0tomato'                                                        
	option src 'lan'

cat /etc/config/firewall

    # Network sections (interface / switch / route) - the content of /etc/config/network,
    # although the command line above this paste reads "firewall". Indentation and a few
    # broken lines are terminal copy/paste artifacts (confirmed by the poster further down).
    config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

    config globals 'globals'
        option ula_prefix 'fd1d:9a61:2586::/48'
		
    # LAN side of this (OpenWRT / client) router: 192.168.0.1 on 192.168.0.0/24.
    config interface 'lan'
		option type 'bridge'
		option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        # NOTE(review): 'boption' is presumably a paste typo for 'option'.
        boption ipaddr '192.168.0.1'

    config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

    config interface 'wan6'
        option ifname 'eth0.2'                                                          
		option proto 'dhcpv6'
		
    config switch
		option name 'switch0'
        option reset '1'
        option enable_vlan '1'

    config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

    config switch_vlan
		option device 'switch0'
        option vlan '2'
        option ports '10t'
                                                             
	# OpenVPN tunnel device to the Tomato side. NOTE(review): 'config' and
	# "interface 'tun0'" were split over two lines by the paste. 'proto none' with
	# 'auto 0' - presumably the OpenVPN process, not netifd, brings the device up; confirm.
	config 
		interface 'tun0'
		option ifname 'tun0'
        option proto 'none'
        option auto '0'

    # Static route to the far (Tomato) LAN over the tunnel, entered via LuCI
    # Network > Static Routes (see the opening post). No gateway is given in this paste.
    config route
        option target '192.168.1.0'
        option netmask '255.255.255.0'
        option interface 'tun0'

    # Second, unrelated OpenVPN connection (the poster says to ignore it).
    config interface 'TUN1'
        option ifname 'tun1'
        option proto 'none'                                                             
		option auto '0'

Don't pay attention to "tun1" - it's another OpenVPN connection.
I'm interested in "tun0" ("tun0tomato").

As I said previously, it will be much easier to put the VPN in its own firewall zone. That means removing TUN1 and tun0 from the wan zone.

This has some indentation issues... not sure if this is just a copy-paste issue, and not positive if it will cause problems, but best to make sure it is clean.

These don't do anything as tun0tomato is not defined as a zone or a network. They are also suffering from formatting issues. Just delete these.

Create a new zone for tun0 (call it vpn), then create forwardings from vpn > lan and lan > vpn.

Yes, it's a formatting issue when copying from the terminal...

As you can see in the topic, I tried to create a new zone for the VPN and make it accept/accept/accept (input/output/forward) towards the LAN, with no effect. Then I rolled back those changes.

Try this:

Delete all of this:

and delete this:

then add the following to the firewall file:

# Proposed replacement for the wan zone: tun0 and TUN1 removed from 'network', so the
# tunnel no longer inherits the wan zone's input/forward REJECT policy.
config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'
        option input 'REJECT'
        option forward 'REJECT'

    config forwarding
        option src 'lan'
        option dest 'wan'

# Proposed dedicated zone for the tunnel, bound by device name rather than by a
# network section. NOTE(review): it keeps masq '1'; the final reply in the thread
# says NAT into the tunnel makes the link one-way and recommends plain routing
# (static routes / iroute on the server) with no masquerading on the VPN zone.
config zone
        option name 'vpn'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option device 'tun0'
        option input 'REJECT'
        option forward 'REJECT'

    # Forwarding in both directions between the LAN and the tunnel zone; the zone's
    # own forward policy above stays REJECT, so only these two pairings are allowed.
    config forwarding
        option src 'lan'
        option dest 'vpn'

    config forwarding
        option src 'vpn'
        option dest 'lan'

Typically the routes are either added as part of the VPN connection itself, or if you need to manually specify it, it is done with different syntax than you have specified in your network config.

See if these modifications help. If they don't, post your latest config files (don't roll these back).

Okay.

I created a dedicated firewall zone for it and called it "tomatovpn".
Then the firewall rules to accept input/output/forwarding with the LAN were created.

No effect - I can't access 192.168.0.0 network from 192.168.1.0 network.
But I can access the 192.168.1.0 network from 192.168.0.0 without any issues (ping, web servers, RDP and so on).

Please note: I'm using LuCI to configure my OpenWRT, so the configs listed below are machine-generated.

~# cat /etc/config/network

# /etc/config/network of the OpenWRT (client) router, as generated by LuCI.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd1d:9a61:2586::/48'

# LAN side: 192.168.0.1 on 192.168.0.0/24 (the network the server side cannot reach).
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.0.1'

config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'

config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'

config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'

config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'

config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 0t'

# OpenVPN tunnel device to the Tomato side; 'proto none' / 'auto 0' - presumably the
# OpenVPN process, not netifd, brings it up (confirm).
config interface 'tun0'
option ifname 'tun0'
option proto 'none'
option auto '0'

# Static route to the far (Tomato) LAN via the tunnel; the poster reports that
# removing it breaks client -> server-LAN access.
# NOTE(review): the gateway here is the far LAN's own address. On the Tomato side
# the matching route (route -n output further down) uses the tunnel peer address
# 10.9.0.2 as gateway - confirm which address the tun0 link actually expects.
config route
option target '192.168.1.0'
option netmask '255.255.255.0'
option interface 'tun0'
option gateway '192.168.1.1'

# Second, unrelated OpenVPN connection (left in the wan zone in the firewall file).
config interface 'TUN1'
option ifname 'tun1'
option proto 'none'
option auto '0'

~# cat /etc/config/firewall

# /etc/config/firewall of the OpenWRT (client) router after creating the 'tomatovpn' zone.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'

# Dedicated zone for the tunnel to the Tomato side (tun0 is no longer in wan).
# input ACCEPT: anything arriving over the tunnel may connect to this router itself
# (the wan zone below keeps REJECT for input and forward).
# masq 1: LAN traffic leaving through tun0 is source-NATed to the tunnel address.
# The last reply in the thread names this NAT as what makes the link one-way and
# recommends routing without masquerade (static routes here, iroute on the server).
# No mtu_fix is set on this zone, unlike the wan zone and the zone proposed earlier.
config zone
option network 'tun0'
option input 'ACCEPT'
option name 'tomatovpn'
option output 'ACCEPT'
option masq '1'
option forward 'ACCEPT'

# TUN1 (the other OpenVPN connection) stays in the wan zone.
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
option forward 'REJECT'
option network 'wan wan6 TUN1'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

# Whatever /etc/firewall.user contains is not part of this paste.
config include
option path '/etc/firewall.user'

# NOTE(review): no zone named 'tun0Tomato' or 'tun0tomato' exists in this file, so the
# next four forwardings do nothing; an earlier reply already asked for them to be deleted.
config forwarding
option dest 'lan'
option src 'tun0Tomato'

config forwarding
option dest 'tun0Tomato'
option src 'lan'

config forwarding
option dest 'lan'
option src 'tun0tomato'

config forwarding
option dest 'tun0tomato'
option src 'lan'

# The two forwardings that actually pair the tunnel zone with the LAN.
config forwarding
option dest 'lan'
option src 'tomatovpn'

config forwarding
option dest 'tomatovpn'
option src 'lan'

If I remove the manually created static route, I lose access to the 192.168.1.0 network from 192.168.0.0 (which is logical!).

On the other side the same route was created by OpenVPN config command
route 192.168.0.0 255.255.255.0

and this route is created and visible in the route -n output:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.9.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun21
[WAN_NETWORK]   0.0.0.0         255.255.255.255 UH    0      0        0 vlan2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.0.0     10.9.0.2        255.255.255.0   UG    0      0        0 tun21
[WAN_NETWORK]   0.0.0.0         255.255.255.0   U     0      0        0 vlan2
10.9.0.0        10.9.0.2        255.255.255.0   UG    0      0        0 tun21
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         [WAN_GATEWAY]   0.0.0.0         UG    0      0        0 vlan2

As you can see, I have the route to 192.168.0.0 network via tun21 (which is my OpenVPN server).

Any suggestions?...

Does your other router (the far end) have a static route defined? That is probably the issue.

When you NAT into the tunnel (option masq 1), it is inherently a one-way connection. You need to not use NAT and have static routes at both sides to interconnect the two LANs symmetrically.

In OpenVPN this is done with a client config directory and iroutes to make the server aware of the client LAN(s) so the OpenVPN server process will automatically add them to the server routing table (with the correct client's IP on the tunnel as the gateway) when a client connects.

On the firewall it is not complicated, you will just need one new zone holding the tunnel interface, and two config forwarding -- to and from this zone to lan. Or if you're not going to try to control traffic in the VPN at all (trusting everything on both ends) you can simply add the tunnel to the lan zone and make sure default lan-lan forwarding is allowed.