Hello! Could you please help me to solve my situation...
I have two LANs which I want to join via OpenVPN tunnel (site-to-site).
First LAN: 192.168.1.0 255.255.255.0
Second LAN: 192.168.0.0 255.255.255.0
First LAN runs with AdvancedTomato router. Second LAN - with OpenWRT 19.0.7.2.
AdvancedTomato is the OpenVPN server and OpenWRT is the client.
Static routes are added on both routers.
On OpenWRT via LuCI Network>Static Routes (tun0, 192.168.1.0, 255.255.255.0),
On AdvancedTomato via OpenVPN configuration (route 192.168.0.0 255.255.255.0).
Right now I can access the 192.168.1.0 network from the 192.168.0.0 network (client can access the server's LAN), but I can't access the 192.168.0.0 network from the 192.168.1.0 network (server can't access the client's LAN).
Could you please tell me what I can double-check to solve this problem?
P.S.: I think the problem might be in the firewall settings of OpenWRT, but I have no idea how to set it up properly...
Right now tun0 is added to the "wan" zone, which is reject/accept/reject (input/output/forward).
I tried to assign new zone exclusively to tun0 and make it accept/accept/accept but with no effect at all...
As I said previously, it will be much easier to put the VPN in its own firewall zone. That means removing TUN1 and tun0 from the wan zone.
This has some indentation issues... not sure if this is just a copy-paste issue, and not positive if it will cause problems, but best to make sure it is clean.
These don't do anything as tun0tomato is not defined as a zone or a network. They are also suffering from formatting issues. Just delete these.
Create a new zone for tun0 (call it vpn), then create forwarding from vpn > lan and lan > vpn.
Yes, it's a formatting issue when copying from the terminal...
As you can see in the topic, I tried to create a new zone for the VPN and make it accept/accept/accept (input/output/forward) for LAN with no effect. Then I rolled back those changes.
Typically the routes are either added as part of the VPN connection itself, or if you need to manually specify it, it is done with different syntax than you have specified in your network config.
See if these modifications help. If they don't, post your latest config files (don't roll these back).
Had to create its own firewall zone and called it "tomatovpn".
Then the firewall rules to accept input/output/forwarding with LAN were created.
No effect - I can't access the 192.168.0.0 network from the 192.168.1.0 network.
But I can access the 192.168.1.0 network from 192.168.0.0 without any issues (ping, web servers, RDP and so on).
Please note: I'm using LuCI to configure my OpenWRT, so the configs listed below are machine-generated.
When you NAT into the tunnel (option masq 1), it is inherently a one-way connection. You need to not use NAT and have static routes at both sides to interconnect the two LANs symmetrically.
In OpenVPN this is done with a client config directory and iroutes to make the server aware of the client LAN(s) so the OpenVPN server process will automatically add them to the server routing table (with the correct client's IP on the tunnel as the gateway) when a client connects.
On the firewall it is not complicated, you will just need one new zone holding the tunnel interface, and two config forwarding sections -- to and from this zone to lan. Or if you're not going to try to control traffic in the VPN at all (trusting everything on both ends) you can simply add the tunnel to the lan zone and make sure default lan-lan forwarding is allowed.
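The zone layout the last two replies describe (a dedicated zone for tun0, no NAT into the tunnel, explicit forwardings in both directions), written out as an OpenWrt /etc/config/firewall fragment. This is an added example, not a config file posted in the thread; the interface name tun0 and the zone name vpn come from the thread, everything else is an assumption about a typical fw3 setup on the 19.07 series.

```uci
# /etc/config/firewall on the OpenWrt client side (added example, not from the thread).
# Assumptions: OpenVPN creates tun0; the existing 'lan' zone and its interfaces are untouched.
# Remove tun0 from the 'wan' zone first, otherwise the wan zone's masq/REJECT forward still applies.

config zone
	option name 'vpn'
	list device 'tun0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# No NAT into the tunnel. With 'masq 1' the tunnel only works one way:
	# hosts behind the server see the client's tunnel IP, not 192.168.0.x,
	# and replies to connections opened from 192.168.1.0/24 never arrive.
	option masq '0'
	# Clamp TCP MSS to the tunnel MTU so large packets are not silently dropped.
	option mtu_fix '1'

# Remote LAN (192.168.1.0/24, reached via tun0) may reach the local LAN (192.168.0.0/24).
config forwarding
	option src 'vpn'
	option dest 'lan'

# Local LAN may reach the remote LAN.
config forwarding
	option src 'lan'
	option dest 'vpn'
```

Apply with `/etc/init.d/firewall restart` and confirm with `fw3 print` or `iptables -t nat -S` that no MASQUERADE rule targets tun0 any more. On the AdvancedTomato side the server needs the matching pieces from the reply above: `route 192.168.0.0 255.255.255.0` (already present) plus `client-config-dir` pointing at a directory that holds a file named after the client's certificate CN containing `iroute 192.168.0.0 255.255.255.0`; without the `iroute` the server kernel route exists but OpenVPN does not know which client to hand 192.168.0.0/24 traffic to. If `input` on the vpn zone is later tightened to REJECT, the LAN-to-LAN forwardings keep working because they do not depend on the zone's input policy.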