OpenVPN tunnel behind client router

Hi,
I am trying to set up a tunnel between two OpenWrt routers with OpenVPN, and my goal is that devices behind the client router can access the server subnet.

I think the OpenVPN setup is correct, or almost done, and the issue is on the routing side.

My goal is to access specific services in the server subnet.
First I generated a .ovpn file and could connect an Android device by importing the .ovpn file into the OpenVPN app. I could access the target services through the LTE network successfully.
Second I configured a client router; the tunnel is established and I receive ping responses from both sides: the server side (10.8.0.1) answers the client side (10.8.0.2) and vice versa. But if I connect a device to the client router, I get no ping response from that device. This is my main issue: I need access from devices connected behind the client router to the server subnet, and I do not know how to route it.

I detail my setup below and I hope somebody can help me reach my goal; please comment if I need to add or remove parameters:

My test scenario is:

  • Server Router TPLINK C7 - 18.06 - Subnet 192.168.5.0 VPN gateway 10.8.0.1

  • Client Router TPLINK WD8970 - 18.06 - WAN port is a DSL port and is unused
    Subnet 192.168.1.0 IP 192.168.1.100 VPN IP 10.8.0.2
    **** I use another TPLINK Archer MR200 LTE router to establish the client connection through LTE. This router runs the DHCP server of the 192.168.1.0 client subnet **** IP 192.168.1.1 ****

Server side config
Interfaces


# /etc/config/network on the server router (TP-Link C7, OpenWrt 18.06), as posted.
config interface 'lan'
	option type 'bridge'
	option proto 'static'
	# NOTE(review): 192.168.1.0/24 is also the client-side LAN (the WD8970 at 192.168.1.100
	# and the MR200 at 192.168.1.1). Two sites that share a subnet cannot be routed to each
	# other over a tun tunnel; one side needs renumbering before any route below can work.
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ifname 'eth0.1'

config interface 'wan'
	option proto 'dhcp'
	option ifname 'eth0.1074'
	option type 'bridge'
	option peerdns '0'
	# NOTE(review): 8.8.8.4 looks like a typo for Google's second resolver 8.8.4.4 -- confirm.
	option dns '8.8.8.8 8.8.8.4'

# NOTE(review): 'wan_dev' names eth0.2, which is also the 'guest' ifname further down, while
# 'wan' itself uses eth0.1074 -- probably leftovers from redaction; confirm against the router.
config device 'wan_dev'
	option name 'eth0.2'
	# macaddr / vid values marked 'XXXX' were redacted by the poster.
	option macaddr 'XXXXXXX'

config interface 'wan6'
	option proto 'dhcpv6'
	option ifname 'eth0.XXXX'
	option auto '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 1t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid 'XXXX'
	option ports '0t 1t'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '2'
	option ports '0t 1t 2 3 4 5'

# 'guest' (192.168.5.0/24 on eth0.2) is the "server subnet" the poster wants to reach
# through the tunnel; the firewall forwards vpnserver -> guest for it.
config interface 'guest'
	option proto 'static'
	option netmask '255.255.255.0'
	option type 'bridge'
	option ifname 'eth0.2'
	option ipaddr '192.168.5.1'

# Logical interface for the OpenVPN server's tun device (dev 'ovpns0' in /etc/config/openvpn).
config interface 'vpnserver'
	option proto 'none'
	option ifname 'ovpns0'
	option auto '1'

# NOTE(review): this route cannot do what is intended: the target 192.168.1.0/24 is this
# router's own LAN ('lan' above; 'route -n' shows it on br-lan, not ovpns0), and the gateway
# 10.8.0.1 is this router's own tunnel address rather than the client's (10.8.0.2).
# For a LAN that sits behind an OpenVPN *client*, server mode additionally needs an 'iroute'
# for that subnet in a client-config-dir entry; a kernel route alone is not enough. This only
# becomes meaningful once the client LAN uses a different subnet.
config route
	option interface 'vpnserver'
	option target '192.168.1.0'
	option netmask '255.255.255.0'
	option gateway '10.8.0.1'
	option metric '1'
	option mtu '1500'

openvpn config

# /etc/config/openvpn on the server router, as posted.
config openvpn 'vpnserver'
	option enabled '1'
	option dev_type 'tun'
	# Device name must match 'ifname' of the 'vpnserver' network interface.
	option dev 'ovpns0'
	option port '1194'
	option proto 'udp'
	# NOTE(review): compression over the tunnel (here and in the pushed 'comp-lzo yes') is
	# advised against by the OpenVPN project because compression-oracle attacks (VORACLE)
	# can recover plaintext; prefer no compression on both ends.
	option comp_lzo 'yes'
	option keepalive '10 120'
	option persist_key '1'
	option persist_tun '1'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/OpenVPN.crt'
	option key '/etc/openvpn/OpenVPN.key'
	option dh '/etc/openvpn/dh2048.pem'
	# HMAC key direction 0 here pairs with key_direction '1' in the client config.
	option tls_auth '/etc/openvpn/tls-auth.key 0'
	option mode 'server'
	option tls_server '1'
	# Tunnel pool 10.8.0.0/24: the server is 10.8.0.1, the router client received 10.8.0.2.
	option server '10.8.0.0 255.255.255.0'
	option topology 'subnet'
	option route_gateway 'dhcp'
	# Keeps VPN clients isolated from each other; worth keeping.
	option client_to_client '0'
	list push 'comp-lzo yes'
	list push 'persist-key'
	list push 'persist-tun'
	list push 'topology subnet'
	list push 'route-gateway dhcp'
	# NOTE(review): 'redirect-gateway def1' sends *all* client traffic into the tunnel (the
	# client's 'route -n' shows 0.0.0.0/1 and 128.0.0.0/1 via 10.8.0.1) and, together with the
	# vpnserver -> wan forwarding, makes this router the client's Internet gateway. If only
	# 192.168.5.0/24 is needed, push 'route 192.168.5.0 255.255.255.0' instead.
	list push 'redirect-gateway def1'
	# Redundant with 'topology subnet': the tun interface already carries 10.8.0.0/24 (the
	# client's table lists the prefix twice, once pushed via 10.8.0.1 and once directly).
	list push 'route 10.8.0.0 255.255.255.0'
	# 192.168.5.1 is the 'guest' interface address on this router.
	list push 'dhcp-option DNS 192.168.5.1'
	# NOTE(review): no 'cipher'/'auth' is set here while the client pins 'BF-CBC'; set an AEAD
	# cipher such as 'AES-256-GCM' explicitly on both ends rather than relying on defaults.
	# Also missing: a client-config-dir entry with an 'iroute' for the client LAN, which server
	# mode needs before a subnet behind a client can be routed.
	option log '/var/log/openvpn.log'

firewall

# /etc/config/firewall on the server router (only the OpenVPN-related sections were posted).
config rule
	option name 'Allow-OpenVPN-Inbound'
	option target 'ACCEPT'
	# NOTE(review): src '*' accepts port 1194 from every zone, and 'tcpudp' covers a protocol
	# the server does not use (it listens on udp only). 'option src 'wan'' and
	# 'option proto 'udp'' expose only what is needed.
	option src '*'
	option proto 'tcpudp'
	option dest_port '1194'

config zone
	option name 'vpnserver'
	# input ACCEPT: every VPN client may reach any service listening on this router itself.
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	# NOTE(review): OpenWrt masquerades traffic leaving through the zone's interfaces, so this
	# rewrites server-side sources to 10.8.0.1 before they enter the tunnel and hides the
	# server LAN from the client. With proper routes (and an iroute) it is redundant; the
	# thread's reply calls this out as well.
	option masq '1'
	option network 'vpnserver'

# VPN clients may reach the Internet through this router (used by the pushed redirect-gateway).
config forwarding
	option src 'vpnserver'
	option dest 'wan'

# VPN clients may reach the 192.168.5.0/24 'guest' subnet -- the forwarding the poster needs.
config forwarding
	option src 'vpnserver'
	option dest 'guest'

route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0        MY EXTERNAL IP      0.0.0.0         UG    0      0        0 br-wan
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 ovpns0
 MY EXTERNAL IP     0.0.0.0         255.255.252.0   U     0      0        0 br-wan
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 br-guest

Client side config
Interfaces

# /etc/config/network on the client router (TP-Link WD8970), as posted.
# NOTE(review): 'lan' uses proto 'dhcp', i.e. this router is a DHCP client of the MR200
# (192.168.1.1) on the same 192.168.1.0/24 and behaves as a host on that LAN, not as its
# router. Devices on the LAN get the MR200 as default gateway, so their packets for
# 192.168.5.0/24 never reach this router or tun0 -- this is the routing gap behind the
# "no ping from a device behind the client" symptom. Either the MR200 needs a static route
# for 192.168.5.0/24 via 192.168.1.100, or this router must become the LAN's router with
# its own subnet (the thread's reply says the same).
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'dhcp'

# The DSL WAN is unused (auto '0'); the uplink is the MR200 reached over the LAN.
config interface 'wan'
	option proto 'dhcp'
	option hostname 'Openwrt_test'
	option ifname 'eth0'
	option auto '0'

config device 'wan_dev'
	option name 'dsl0'
	option macaddr 'XXXXXXXXXXX'

config interface 'wan6'
	option ifname '@wan'
	option proto 'dhcpv6'
	option auto '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 2 4 5 6t'

# Logical interface for the OpenVPN client's tun device; referenced by the 'vpn' firewall zone.
config interface 'vpnclient'
	option proto 'none'
	option ifname 'tun0'
	option auto '1'

# Static route to the server-side 'guest' subnet over the tunnel; it appears in 'route -n' as
# 192.168.5.0 via 10.8.0.1 on tun0 (metric 1). The pushed redirect-gateway already covers
# this prefix, so the route only matters if that push is removed on the server.
config route
	option interface 'vpnclient'
	option target '192.168.5.0'
	option netmask '255.255.255.0'
	option gateway '10.8.0.1'
	option metric '1'
	option mtu '1500'

openvpn config

# /etc/config/openvpn on the client router, as posted.
config openvpn 'sample_client'
	option client '1'
	option proto 'udp'
	option resolv_retry 'infinite'
	option nobind '1'
	option persist_key '1'
	option persist_tun '1'
	# Drops privileges after start-up ('UID set to nobody' in the log); no 'group' is set.
	option user 'nobody'
	option ca '/etc/openvpn/ca.crt'
	# NOTE(review): compression over the tunnel is advised against by the OpenVPN project
	# (compression-oracle attacks such as VORACLE can recover plaintext). The server side
	# uses 'comp-lzo yes'; both ends should drop compression together.
	option compress 'lzo'
	list remote 'ximonet.ddns.net'
	option tls_client '1'
	option cert '/etc/openvpn/cliente.crt'
	option key '/etc/openvpn/cliente.key'
	option log '/var/log/openvpn.log'
	# Key direction is given separately by key_direction below; pairs with the server's '... 0'.
	option tls_auth '/etc/openvpn/tls-auth.key'
	option verb '3'
	option enabled '1'
	option key_method '2'
	# NOTE(review): BF-CBC is a 64-bit-block cipher, deprecated since OpenVPN 2.4 (SWEET32
	# class of weakness) and disabled by default from 2.5; use an AEAD cipher such as
	# 'AES-256-GCM' on both ends.
	option cipher 'BF-CBC'
	option key_direction '1'
	option dev 'tun0'
	option dev_type 'tun'
	# NOTE(review): no 'remote_cert_tls 'server'' (remote-cert-tls) is set, so any certificate
	# issued by this CA -- including another client's -- would be accepted as the server.

firewall

# /etc/config/firewall on the client router, as posted.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	# NOTE(review): tun0 is also the interface of the 'vpnclient' network owned by the 'vpn'
	# zone below, so the tunnel is claimed by two zones; drop this line and keep tun0 in 'vpn'.
	list device 'tun0'
	# 'wan'/'wan6' are the unused DSL interfaces (auto '0'), so this zone holds no live uplink.
	option network 'wan wan6'
config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option name 'vpn'
	# input REJECT: the server side cannot reach this router's own services over the tunnel.
	option input 'REJECT'
	# masq: LAN sources are rewritten to 10.8.0.2 before entering the tunnel (OpenWrt
	# masquerades traffic leaving through the zone's interfaces), which is why the server
	# needs no route back to 192.168.1.0/24 for replies. The thread's reply calls this
	# redundant once proper site-to-site routes exist.
	option masq '1'
	option mtu_fix '1'
	option network 'vpnclient'

# Only lan -> vpn is allowed; with forward REJECT on 'vpn', nothing on the server side can
# initiate connections into the client LAN.
config forwarding
	option dest 'vpn'
	option src 'lan'

route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.1        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 br-lan
10.8.0.0        10.8.0.1        255.255.255.0   UG    0      0        0 tun0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
MY EXTERNAL IP      192.168.1.1     255.255.255.255 UGH   0      0        0 br-lan
128.0.0.0       10.8.0.1        128.0.0.0       UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.5.0     10.8.0.1        255.255.255.0   UG    1      0        0 tun0

Log

Fri Sep 27 20:37:00 2019 /sbin/ifconfig tun0 10.8.0.2 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Fri Sep 27 20:37:00 2019 /sbin/route add -net MY EXTERNAL IP netmask 255.255.255.255 gw 192.168.1.1
Fri Sep 27 20:37:00 2019 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
Fri Sep 27 20:37:00 2019 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
Fri Sep 27 20:37:00 2019 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.1
Fri Sep 27 20:37:00 2019 UID set to nobody
Fri Sep 27 20:37:00 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Sep 27 20:37:00 2019 Initialization Sequence Completed

Main issues:

  • Use different subnets for server and client side LANs.
  • Convert your client from AP to router, or make sure you have the necessary static routes on the client-side main router.

You can also set up a site-to-site connection, disable redundant masquerading, and avoid vulnerable and degraded security options (for example the BF-CBC cipher and LZO compression in the posted client config) as well as potential race conditions.

There are working and tested how-tos:


If you wanted to bridge the two network segments, on the same subnet, then configuring a "tap" (Layer 2 tunnel) rather than a "tun" (Layer 3, routable tunnel) would be an approach as well. While OpenVPN supports this, the throughput on an Archer C7 for OpenVPN is likely on the order of 10-20 Mbps throughput. WireGuard on that device is about 3x faster, but does not directly support Layer 2 tunnels (they can be configured using GRE through the WireGuard tunnel, but it is not a "trivial" thing and there is virtually no LuCI support for GRE tunnels, last I checked).

Bottom line?

Unless you need to bridge the two networks (meaning broadcast traffic, like mDNS, multicast, and the like), a routed setup as described by vgaetera would be the most straightforward. If you need more than 10-15 Mbps, considering WireGuard as an alternative may be valuable.
