Openvpn site2site cannot route the subnets from client

profi · September 28, 2021, 5:04pm

Hi, since 1 week I am trying to figure the the setup and I am still not able to ping / route my client subnet

This is my /etc/config/openvpn

The roadwarrior myvpnserver is working well on port 1200

config openvpn 'myvpnerver'
       option enabled '1'
       option dev 'tun'
       option topology subnet
       option proto 'tcp'
       option log '/tmp/openvpn_myvpnserver.log'
       option verb '3'
       option ca '/etc/openvpn/ca_openwrt.crt'
       option cert '/etc/openvpn/server.crt'
       option key '/etc/openvpn/server.key'
       option dh '/etc/openvpn/dh4096.pem'
       option server '10.20.30.0 255.255.255.0'
       option cipher 'AES-256-CBC'
       option data-ciphers 'AES-256-CBC'
       option data-ciphers-fallback 'AES-256-CBC'
       option auth 'SHA512'
       option tls_auth '/etc/openvpn/ta.key 0'
       option tls_cipher 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA'
       option port '1200'
       option keepalive '10 120'
       option tls_server '1'
       option tls_version_min '1.2'
       list push 'route 192.168.134.0 255.255.255.0'


#The site2site is not routing my local subnet 192.168.134.0/24

# Client site2site
config openvpn 'dasite2site'
        option client '1'
        option tls-client '1'
        option enabled '1'
        option dev 'tun'
        #option topology subnet
        option proto 'tcp-client'
        option log '/tmp/openvpn_dasite2site.log'
        option verb '3'
        option ca '/etc/openvpn/OpenVPN+CA.crt'
        option cert '/etc/openvpn/OpenVPN+Client.crt'
        option key '/etc/openvpn/OpenVPN+Client.key'
        option remote 'opnsense.public.com 1201'
        option cipher 'AES-256-CBC'
        option data-ciphers 'AES-256-CBC'
        option data-ciphers-fallback 'AES-256-CBC'
        option auth 'SHA256'
        option tls_cipher 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA'
        option keepalive '10 120'
        option tls_client '1'
        option remote-cert-tls server
        option tls_version_min '1.2'
        option auth-nocache '0'
        
root@OpenWrt:/etc/config#


The keys are exchanged and the tunnel is up

root@OpenWrt:/etc/config# cat /tmp/openvpn_dasite2site.log
2021-09-28 10:56:19 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2021-09-28 10:56:19 OpenVPN 2.5.3 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2021-09-28 10:56:19 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
2021-09-28 10:56:19 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2021-09-28 10:56:19 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-09-28 10:56:19 TCP/UDP: Preserving recently used remote address: [AF_INET]92.xx.xx.246:1201
2021-09-28 10:56:19 Socket Buffers: R=[131072->131072] S=[16384->16384]
2021-09-28 10:56:19 Attempting to establish TCP connection with [AF_INET]92.xx.xx.246:1201 [nonblock]
2021-09-28 10:56:19 TCP connection established with [AF_INET]92.xx.xx.246:1201
2021-09-28 10:56:19 TCP_CLIENT link local: (not bound)
2021-09-28 10:56:19 TCP_CLIENT link remote: [AF_INET]92.xx.xx.246:1201
2021-09-28 10:56:19 TLS: Initial packet from [AF_INET]92.xx.xx.246:1201, sid=cac71287 d874e094
2021-09-28 10:56:19 VERIFY OK: depth=1, C=DE, ST=DE, L=xxxxxxxxxxxxx, CN=internal-ca
2021-09-28 10:56:19 VERIFY OK: depth=0, C=DE, ST=DE, Lxxxxxxxxxxxxxx, CN=Server
2021-09-28 10:56:20 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2021-09-28 10:56:20 [Server] Peer Connection Initiated with [AF_INET]92.xx.xx.246:1201
2021-09-28 10:56:20 PUSH: Received control message: 'PUSH_REPLY,route 10.1.10.0 255.255.255.0,route 10.1.1.0 255.255.255.0,route 10.77.77.0 255.255.255.0,route 10.20.40.1,topology net30,ping 10,ping-restart 60,ifconfig 10.20.40.6 10.20.40.5,peer-id 0,cipher AES-256-GCM'
2021-09-28 10:56:20 OPTIONS IMPORT: timers and/or timeouts modified
2021-09-28 10:56:20 OPTIONS IMPORT: --ifconfig/up options modified
2021-09-28 10:56:20 OPTIONS IMPORT: route options modified
2021-09-28 10:56:20 OPTIONS IMPORT: peer-id set
2021-09-28 10:56:20 OPTIONS IMPORT: adjusting link_mtu to 1626
2021-09-28 10:56:20 OPTIONS IMPORT: data channel crypto options modified
2021-09-28 10:56:20 Data Channel: using negotiated cipher 'AES-256-GCM'
2021-09-28 10:56:20 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-09-28 10:56:20 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-09-28 10:56:20 net_route_v4_best_gw query: dst 0.0.0.0
2021-09-28 10:56:20 net_route_v4_best_gw result: via 62.214.63.87 dev pppoe-wan
2021-09-28 10:56:20 TUN/TAP device tun1 opened
2021-09-28 10:56:20 net_iface_mtu_set: mtu 1500 for tun1
2021-09-28 10:56:20 net_iface_up: set tun1 up
2021-09-28 10:56:20 net_addr_ptp_v4_add: 10.20.40.6 peer 10.20.40.5 dev tun1
2021-09-28 10:56:20 /usr/libexec/openvpn-hotplug up dasite2site tun1 1500 1554 10.20.40.6 10.20.40.5 init
2021-09-28 10:56:20 net_route_v4_add: 10.1.10.0/24 via 10.20.40.5 dev [NULL] table 0 metric -1
2021-09-28 10:56:20 net_route_v4_add: 10.1.1.0/24 via 10.20.40.5 dev [NULL] table 0 metric -1
2021-09-28 10:56:20 net_route_v4_add: 10.77.77.0/24 via 10.20.40.5 dev [NULL] table 0 metric -1
2021-09-28 10:56:20 net_route_v4_add: 10.20.40.1/32 via 10.20.40.5 dev [NULL] table 0 metric -1
2021-09-28 10:56:20 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-09-28 10:56:20 Initialization Sequence Completed

And the routes are available

root@OpenWrt:/etc/config# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         dor1901aihr001. 0.0.0.0         UG    0      0        0 pppoe-wan
10.1.1.0        10.20.40.5      255.255.255.0   UG    0      0        0 tun1
10.1.10.0       10.20.40.5      255.255.255.0   UG    0      0        0 tun1
10.9.0.0        192.168.134.1   255.255.255.0   UG    0      0        0 br-lan
10.10.10.0      *               255.255.255.0   U     0      0        0 wg1
10.20.30.0      *               255.255.255.0   U     0      0        0 tun0
10.20.40.1      10.20.40.5      255.255.255.255 UGH   0      0        0 tun1
10.20.40.5      *               255.255.255.255 UH    0      0        0 tun1
10.77.77.0      10.20.40.5      255.255.255.0   UG    0      0        0 tun1
62.214.63.87    *               255.255.255.255 UH    0      0        0 pppoe-wan
172.31.0.0      *               255.255.255.0   U     0      0        0 wg0
192.168.134.0   *               255.255.255.0   U     0      0        0 br-lan
root@OpenWrt:/etc/config#

from my openwrt openvpn client I am able to ping the remote subnets from the Interface tun1, which is the right setup .. I think,.

root@OpenWrt:~# ping -I tun1 10.77.77.1
PING 10.77.77.1 (10.77.77.1): 56 data bytes
64 bytes from 10.77.77.1: seq=0 ttl=63 time=25.174 ms
64 bytes from 10.77.77.1: seq=1 ttl=63 time=23.907 ms
64 bytes from 10.77.77.1: seq=2 ttl=63 time=23.709 ms
^C
--- 10.77.77.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 23.709/24.263/25.174 ms
root@OpenWrt:~# ping -I tun0 10.77.77.1
PING 10.77.77.1 (10.77.77.1): 56 data bytes
^C
--- 10.77.77.1 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
root@OpenWrt:~# ping -I br-lan 10.77.77.1
PING 10.77.77.1 (10.77.77.1): 56 data bytes
^C
--- 10.77.77.1 ping statistics ---
7 packets transmitted, 0 packets received, 100% packet loss
root@OpenWrt:~# ping -I tun1 10.1.1.182
PING 10.1.1.182 (10.1.1.182): 56 data bytes
64 bytes from 10.1.1.182: seq=0 ttl=127 time=23.522 ms
64 bytes from 10.1.1.182: seq=1 ttl=127 time=22.716 ms
64 bytes from 10.1.1.182: seq=2 ttl=127 time=22.945 ms
^C
--- 10.1.1.182 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 22.716/23.061/23.522 ms
root@OpenWrt:~# ping -I tun1 10.77.77.1
PING 10.77.77.1 (10.77.77.1): 56 data bytes
64 bytes from 10.77.77.1: seq=0 ttl=63 time=24.183 ms
64 bytes from 10.77.77.1: seq=1 ttl=63 time=23.973 ms
^C
--- 10.77.77.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 23.973/24.078/24.183 ms
root@OpenWrt:~#

I have created the iroute to my local subnet in this file like described in the docu.

root@OpenWrt:/etc/openvpn/ccd# cat client
iroute 192.168.134.0 255.255.255.0
push-remove redirect-gateway
root@OpenWrt:/etc/openvpn/ccd#


My local subnet is 192.168.134.0/24.

root@OpenWrt:/etc/config# ifconfig
br-lan    Link encap:Ethernet  HWaddr E8:DF:70:62:1F:96
          inet addr:192.168.134.230  Bcast:192.168.134.255  Mask:255.255.255.0
          inet6 addr: fe80::eadf:70ff:fe62:1f96/64 Scope:Link
          inet6 addr: 2001:16b8:a1f:d00::1/60 Scope:Global
          inet6 addr: fd8e:3a0d:bc8b::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2148050 errors:0 dropped:157663 overruns:0 frame:0
          TX packets:1917699 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:486489495 (463.9 MiB)  TX bytes:996332506 (950.1 MiB)

dsl0      Link encap:Ethernet  HWaddr E8:DF:70:62:1F:9A
          inet6 addr: fe80::eadf:70ff:fe62:1f9a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1947007 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1889417 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1063989518 (1014.6 MiB)  TX bytes:550409591 (524.9 MiB)

dsl0.7    Link encap:Ethernet  HWaddr E8:DF:70:62:1F:9A
          inet6 addr: fe80::eadf:70ff:fe62:1f9a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:251676 errors:0 dropped:0 overruns:0 frame:0
          TX packets:224069 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:110379787 (105.2 MiB)  TX bytes:57506934 (54.8 MiB)

eth0      Link encap:Ethernet  HWaddr E8:DF:70:62:1F:96
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2373794 errors:0 dropped:5397 overruns:0 frame:0
          TX packets:1917707 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:549364691 (523.9 MiB)  TX bytes:1007977596 (961.2 MiB)

ifb4pppoe-wan Link encap:Ethernet  HWaddr DA:C7:5C:28:C1:4E
          inet6 addr: fe80::d8c7:5cff:fe28:c14e/64 Scope:Link
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:250760 errors:0 dropped:0 overruns:0 frame:0
          TX packets:250760 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:108158791 (103.1 MiB)  TX bytes:108158791 (103.1 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:13 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1288 (1.2 KiB)  TX bytes:1288 (1.2 KiB)

pppoe-wan Link encap:Point-to-Point Protocol
          inet addr:87.122.217.140  P-t-P:62.214.63.87  Mask:255.255.255.255
          inet6 addr: 2001:16b8:b01:1c3e:89af:9244:681e:234c/64 Scope:Global
          inet6 addr: fe80::89af:9244:681e:234c/128 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:251108 errors:0 dropped:0 overruns:0 frame:0
          TX packets:223494 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:108338563 (103.3 MiB)  TX bytes:52572219 (50.1 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.20.30.1  P-t-P:10.20.30.1  Mask:255.255.255.0
          inet6 addr: fe80::d739:8c06:e0bf:cb50/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 B)  TX bytes:640 (640.0 B)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.20.40.6  P-t-P:10.20.40.5  Mask:255.255.255.255
          inet6 addr: fe80::f037:7711:4f02:9bc8/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:72 errors:0 dropped:0 overruns:0 frame:0
          TX packets:644 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:6048 (5.9 KiB)  TX bytes:35984 (35.1 KiB)

wg0       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.31.0.2  P-t-P:172.31.0.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wg1       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.10.10.1  P-t-P:10.10.10.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr E8:DF:70:62:1F:98
          inet6 addr: fe80::eadf:70ff:fe62:1f98/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:100870 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:12986746 (12.3 MiB)

wlan0-1   Link encap:Ethernet  HWaddr EA:DF:70:62:1F:98
          inet6 addr: fe80::e8df:70ff:fe62:1f98/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:100869 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:12986658 (12.3 MiB)

root@OpenWrt:/etc/config#

When I use my 2 x windows boyes on 192.168.134.23 and 192.168.134.39  and try to ping the remote subnets, I get timeout.

Microsoft Windows [Version 10.0.19043.1237]
(c) Microsoft Corporation. Alle Rechte vorbehalten.

C:\Windows\system32>ping 10.1.1.182

Ping wird ausgeführt für 10.1.1.182 mit 32 Bytes Daten:
Antwort von 192.168.134.230: Zielport nicht erreichbar.
Antwort von 192.168.134.230: Zielport nicht erreichbar.
Antwort von 192.168.134.230: Zielport nicht erreichbar.
Antwort von 192.168.134.230: Zielport nicht erreichbar.

Ping-Statistik für 10.1.1.182:
    Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0
    (0% Verlust),


What do I have forgotten ?

I am not really familar with tools like tcpdump or other tolls to figure out, why no pakets from local 192.168.134.0/24 are routed into my tun1 interface.

btw :
ip.forward is enabled.

root@OpenWrt:/etc/config# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
root@OpenWrt:/etc/config#

mk24 · September 28, 2021, 5:26pm

Can you cut this down to be only the two sites and one VPN instance? I'm confused what is going on with all those networks.

The important thing about site to site routing is that both sides need to know the gateway to get over to the other LAN. There are two ways to do this.

For a "road warrior" requiring only one way routing back to the home office, the client can NAT its traffic into the VPN tunnel. This makes it unnecessary for the server to know about the client's LAN. The server uses the IP of the client's end of the tunnel as the return IP.
For true two-way routing between both LANs, the server needs to know the subnet of the client's LAN and install a route back to it via the VPN tunnel. This is usually done with a client config directory keyed to the clients' certificates.

profi · September 28, 2021, 5:34pm

Hi, as I said the roadwarrior is working.

This is the config which doesn't work.

# Client site2site
config openvpn 'dasite2site'
        option client '1'
        option tls-client '1'
        option enabled '1'
        option dev 'tun'
        #option topology subnet
        option proto 'tcp-client'
        option log '/tmp/openvpn_dasite2site.log'
        option verb '3'
        option ca '/etc/openvpn/OpenVPN+CA.crt'
        option cert '/etc/openvpn/OpenVPN+Client.crt'
        option key '/etc/openvpn/OpenVPN+Client.key'
        option remote 'opnsense.xxxx.com 1201'
        option cipher 'AES-256-CBC'
        option data-ciphers 'AES-256-CBC'
        option data-ciphers-fallback 'AES-256-CBC'
        option auth 'SHA256'
        option tls_cipher 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA'
        option keepalive '10 120'
        option tls_client '1'
        option remote-cert-tls server
        option tls_version_min '1.2'
        option auth-nocache '0'


tun1 interface can ping everything on remote side
local LAN cannot ping cause it is not routed.

br-lan    Link encap:Ethernet  HWaddr E8:DF:70:62:1F:96
          inet addr:192.168.134.230  Bcast:192.168.134.255  Mask:255.255.255.0


root@OpenWrt:~# ping -I tun1 10.77.77.1
PING 10.77.77.1 (10.77.77.1): 56 data bytes
64 bytes from 10.77.77.1: seq=0 ttl=63 time=24.183 ms
64 bytes from 10.77.77.1: seq=1 ttl=63 time=23.973 ms
^C
--- 10.77.77.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 23.973/24.078/24.183 ms
root@OpenWrt:~# ^C
root@OpenWrt:~# ping -I br-lan  10.77.77.1
PING 10.77.77.1 (10.77.77.1): 56 data bytes
^C
--- 10.77.77.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
root@OpenWrt:~#

mk24 · September 28, 2021, 5:38pm

Again, when the client network originates a packet from its local LAN (and doesn't NAT it), the remote router (server) needs to have in its routing table an explicit route back to that LAN. The client config directory functionality of OpenVPN is usually used to store these routes and install them as clients connect.

profi · September 28, 2021, 6:08pm

OK, the remote Router is an OPNSense box and I hae checked the Setup with an OPNSense OpenVPN client. It is working.

I tried the same setup on openwrt box with openvpn, Same Certs same setup.
The Openwrt OpenVPN Client is identical.

The only differnce is the routing and perhaps the firewall.
This is why I am asking.

The error needs to be located in the routing.. The is no NAT on the box (only the lan Inteface to the WAN Interface cause of Internet Access.

Does someone knows how to identify by tcpdump or other tools.

Cause when the openwrt openvpn client itselve is able to ping every subnet on the remote host, but the local lan is not possible, I do not know how to identify the error.

I am only aware of ping from both interface on the openwrt box. The tun1 interface is able to ping everything on remote site but the local lan interface br-lan is not able.
How is the routing done between this interfaces. ?

I will provide more infos if they are requested.

This

profi · September 28, 2021, 6:17pm

I am wondering about this.

root@OpenWrt:/etc/openvpn/ccd# cat client
iroute 192.168.134.0 255.255.255.0
push-remove redirect-gateway
root@OpenWrt:/etc/openvpn/ccd#

But i do not have iroute available on that box.

root@OpenWrt:/etc/openvpn/ccd# iroute
-ash: iroute: not found
root@OpenWrt:/etc/openvpn/ccd#


And btw : The routes were pushed from the server, cause I can see that in the client log.

LOG:

2021-09-28 10:56:19 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or ch>
2021-09-28 10:56:19 OpenVPN 2.5.3 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2021-09-28 10:56:19 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
x
x
x

2021-09-28 10:56:20 [Server] Peer Connection Initiated with [AF_INET]92.xx.xx.246:1201
2021-09-28 10:56:20 PUSH: Received control message: 'PUSH_REPLY,route 10.1.10.0 255.255.255.0,route 10.1.1.0 255.255.255.0,route 10.77.77.0 255.255.255.0,route 10.20.40.1,topology net30,ping 10,ping-restart 60,ifconfig 10.20.40.6 10.20.>
2021-09-28 10:56:20 OPTIONS IMPORT: timers and/or timeouts modified
2021-09-28 10:56:20 OPTIONS IMPORT: --ifconfig/up options modified
2021-09-28 10:56:20 OPTIONS IMPORT: route options modified
2021-09-28 10:56:20 OPTIONS IMPORT: peer-id set
2021-09-28 10:56:20 OPTIONS IMPORT: adjusting link_mtu to 1626
2021-09-28 10:56:20 OPTIONS IMPORT: data channel crypto options modified
2021-09-28 10:56:20 Data Channel: using negotiated cipher 'AES-256-GCM'
2021-09-28 10:56:20 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-09-28 10:56:20 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-09-28 10:56:20 net_route_v4_best_gw query: dst 0.0.0.0
2021-09-28 10:56:20 net_route_v4_best_gw result: via 62.214.63.87 dev pppoe-wan
2021-09-28 10:56:20 TUN/TAP device tun1 opened
2021-09-28 10:56:20 net_iface_mtu_set: mtu 1500 for tun1
2021-09-28 10:56:20 net_iface_up: set tun1 up
2021-09-28 10:56:20 net_addr_ptp_v4_add: 10.20.40.6 peer 10.20.40.5 dev tun1
2021-09-28 10:56:20 /usr/libexec/openvpn-hotplug up dasite2site tun1 1500 1554 10.20.40.6 10.20.40.5 init
2021-09-28 10:56:20 net_route_v4_add: 10.1.10.0/24 via 10.20.40.5 dev [NULL] table 0 metric -1
2021-09-28 10:56:20 net_route_v4_add: 10.1.1.0/24 via 10.20.40.5 dev [NULL] table 0 metric -1
2021-09-28 10:56:20 net_route_v4_add: 10.77.77.0/24 via 10.20.40.5 dev [NULL] table 0 metric -1
2021-09-28 10:56:20 net_route_v4_add: 10.20.40.1/32 via 10.20.40.5 dev [NULL] table 0 metric -1
2021-09-28 10:56:20 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-09-28 10:56:20 Initialization Sequence Completed


And when the openwrt tun1 itself can use the route and ping, why is the local br-lan interface not able ?

profi · September 28, 2021, 6:24pm

I did exactly what is written in the docu

profi · September 28, 2021, 7:50pm

Ok, I have checked with an linux box and openvpn client .. here it works.

The diffenrence is.

On Linux Box I can do the following in config:

#es werden aber somit auch die anderen routen nicht auf den Tunnel gesetzt, also manuell setzen
route 192.168.134.0 255.255.255.0

On the openwrt config I would like to use;
# Achtung; Dann hängt sich dasinterne Lan weg .. warum ?
#option route '192.168.134.0 255.255.255.0'

But it complains for a gateway ?

This config is easier then 

/etc/openvpn/ccd/client01

Does anybody is able to point me in the right direction ?

mk24 · September 29, 2021, 1:49am

I think the networks involved are:
Server LAN: 10.77.77.0/24 Server is that network's main router .1
Client LAN: 192.168.134.0/24 Client is that network's main router .1
VPN Tunnel: 10.20.40.0/24 Server is .5, client is .6

Since you have four(!) VPNs loaded on this machine it's really hard to parse. When asking for help with a problem you should strip out unnecessary stuff and present the single thing that is not working.

Anyway the end result should be these entries in the routing tables:

Server: 192.168.134.0/24 via 10.20.40.6 This is created in the client config directory. Since as multiple clients connect their tunnel IP will not be deterministic, OpenVPN dynamically creates this local route after the client connects and has its tunnel IP assigned. (Also, the route will be removed should the client disconnect). The 'iroute' syntax in the client config file is just an OpenVPN keyword to define the remote LAN. It isn't actually a runnable command.
Client: 10.77.77.0/24 via 10.20.40.5. OpenVPN server pushes this route to the client, advertising its tunnel IP (.5) is the gateway to the server's LAN. Assuming of course you have that configured in the main OpenVPN config.

If you confirm those routes exist properly at both ends, it is likely a firewalling issue.

vgaetera · September 29, 2021, 3:35am

Just tested the wiki how-tos on OpenWrt 21.02.0, and it works for me.
You'd best use native OpenVPN syntax to minimize possible mistakes.

profi · September 29, 2021, 5:25pm

Yes I got it working. Finally I have a site 2 site setup with OPNSense Server.

On Openwrt this is my client setup and it works. The subnets are routet.
No Firewall chages needed. Only the config of the openvpn client-

/etc/config/openvpn

# Client site2site
config openvpn 'dasite2site'
        option client '1'
        option tls-client '1'
        option enabled '1'
        option dev 'tun'
        option proto 'tcp'
        option log '/tmp/openvpn_dasite2site.log'
        option verb '3'
        option ca '/etc/openvpn/OpenVPN+CA.crt'
        option cert '/etc/openvpn/OpenVPN+Client.crt'
        option key '/etc/openvpn/OpenVPN+Client.key'
        option remote 'opnsense.XXXXXX.com 1201'
        option cipher 'AES-256-CBC'
        option data-ciphers 'AES-256-CBC'
        option data-ciphers-fallback 'AES-256-CBC'
        option auth 'SHA256'
        option tls_cipher 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA'
        option keepalive '10 120'
        option remote-cert-tls 'server'
        option tls_version_min '1.2'
        option auth-nocache '1'
        option connect_retry '5 60'
        option nobind '1'
        option persist_key '1'
        option persist_tun '1'
        option reneg_sec '0'

system · October 9, 2021, 5:26pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.