Hi,
I am trying to set up an OpenVPN tunnel between two OpenWrt routers; my goal is that devices behind the client router can reach a subnet on the server side.
I believe the OpenVPN setup itself is correct (or nearly so) and that the problem is on the routing side.
Specifically, I need to reach a few services in a subnet on the server side.
First, I generated a .ovpn file and was able to connect an Android device by importing it into the OpenVPN app; from that device I could reach the target services over the LTE network.
Second, I configured a client router. The tunnel is established and ping works in both directions between the tunnel endpoints (10.8.0.1 on the server side, 10.8.0.2 on the client side). But when I connect a device behind the client router, pings from that device get no reply. This is my main issue: I need devices connected behind the client router to reach the server subnet, and I do not know how to route it.
My setup is detailed below; I hope somebody can help me reach this goal. Please tell me if I need to add or remove any parameters.
My test scenario is:
-
Server router: TP-Link Archer C7, OpenWrt 18.06. Target subnet 192.168.5.0/24 (this is the 'guest' network in the config below; the router's 'lan' network is 192.168.1.0/24, which is the same prefix as the client-side LAN). VPN gateway 10.8.0.1.
-
Client router: TP-Link WD8970, OpenWrt 18.06. The WAN (DSL) port is unused.
Subnet 192.168.1.0/24, router IP 192.168.1.100, VPN IP 10.8.0.2.
**** A third router, a TP-Link Archer MR200 LTE router (IP 192.168.1.1), provides the LTE uplink for the client connection. It also runs the DHCP server for the 192.168.1.0/24 client subnet, so the client LAN devices presumably use 192.168.1.1 — not the OpenWrt client router at 192.168.1.100 — as their default gateway. ****
Server side config
Interfaces
# Server-side /etc/config/network (UCI). Reviewer notes are added as comments; no option values are changed.
config interface 'lan'
option type 'bridge'
option proto 'static'
# NOTE(review): 192.168.1.0/24 is also the client-side LAN prefix (see "Client side config").
# Overlapping prefixes cannot be routed across the tunnel; renumber one side before anything else.
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option ifname 'eth0.1'
config interface 'wan'
option proto 'dhcp'
option ifname 'eth0.1074'
option type 'bridge'
option peerdns '0'
# 8.8.8.4 is not one of Google's public resolvers (they are 8.8.8.8 and 8.8.4.4) -- presumably a typo.
option dns '8.8.8.8 8.8.8.4'
config device 'wan_dev'
option name 'eth0.2'
option macaddr 'XXXXXXX'
config interface 'wan6'
option proto 'dhcpv6'
option ifname 'eth0.XXXX'
option auto '0'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '0t 1t'
config switch_vlan
option device 'switch0'
option vlan '2'
option vid 'XXXX'
option ports '0t 1t'
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '2'
option ports '0t 1t 2 3 4 5'
config interface 'guest'
# 192.168.5.0/24 is the subnet the client side must reach; the firewall forwards the 'vpnserver' zone to it.
option proto 'static'
option netmask '255.255.255.0'
option type 'bridge'
option ifname 'eth0.2'
option ipaddr '192.168.5.1'
config interface 'vpnserver'
# Layer-3 tunnel interface. OpenVPN (dev 'ovpns0' in the server instance) assigns 10.8.0.1 itself, hence proto 'none'.
option proto 'none'
option ifname 'ovpns0'
option auto '1'
config route
# NOTE(review): this route is wrong on both counts, and it does not appear in the server `route -n`:
#  - 192.168.1.0/24 is this router's own LAN (the 'lan' interface above), not the client's subnet;
#  - 10.8.0.1 is this router's own tunnel address, not a next hop.
# A route to the client LAN would point at the client's tunnel IP (10.8.0.2), and OpenVPN would also need a
# matching iroute (client-config-dir entry) for that client -- but only after the 192.168.1.0/24 overlap is
# resolved. While the client's 'vpn' zone masquerades behind 10.8.0.2, no such return route is needed at all.
option interface 'vpnserver'
option target '192.168.1.0'
option netmask '255.255.255.0'
option gateway '10.8.0.1'
option metric '1'
option mtu '1500'
openvpn config
# Server-side /etc/config/openvpn (UCI). Reviewer notes are added as comments; no option values are changed.
config openvpn 'vpnserver'
option enabled '1'
option dev_type 'tun'
option dev 'ovpns0'
option port '1194'
option proto 'udp'
# NOTE(review): compression over a VPN enables VORACLE-style chosen-plaintext attacks on the tunnelled
# traffic; prefer disabling it on both sides. The client spells it 'compress lzo'; since the tunnel comes up
# the two forms evidently interoperate here.
option comp_lzo 'yes'
option keepalive '10 120'
option persist_key '1'
option persist_tun '1'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/OpenVPN.crt'
option key '/etc/openvpn/OpenVPN.key'
option dh '/etc/openvpn/dh2048.pem'
# HMAC "firewall" for the control channel; direction 0 here pairs with key_direction '1' on the client.
option tls_auth '/etc/openvpn/tls-auth.key 0'
option mode 'server'
option tls_server '1'
option server '10.8.0.0 255.255.255.0'
option topology 'subnet'
# route-gateway dhcp is a tap/bridging option; with a tun device and topology subnet there is no DHCP on
# the tunnel, so this line and the matching push below look like leftovers from a tap example.
option route_gateway 'dhcp'
# Keep this at 0: the Android client and the site router have no reason to see each other.
option client_to_client '0'
list push 'comp-lzo yes'
list push 'persist-key'
list push 'persist-tun'
list push 'topology subnet'
list push 'route-gateway dhcp'
# NOTE(review): redirect-gateway def1 sends ALL of the client's traffic through the tunnel -- visible as the
# 0.0.0.0/1 and 128.0.0.0/1 routes in the client's `route -n`. For site-to-site access to 192.168.5.0/24
# only, replace it with `push 'route 192.168.5.0 255.255.255.0'` (the client currently adds that route by hand).
list push 'redirect-gateway def1'
# Redundant with topology subnet: the on-link 10.8.0.0/24 route already exists on the client (the
# second 10.8.0.0 line in its `route -n`).
list push 'route 10.8.0.0 255.255.255.0'
list push 'dhcp-option DNS 192.168.5.1'
# NOTE(review): no cipher is set here and the client pins 'BF-CBC' (64-bit block -> SWEET32). Unless both
# sides negotiate AES-GCM via NCP (the log excerpt does not show the negotiated cipher), set
# `option cipher 'AES-256-GCM'` explicitly on both sides.
# Also absent for a site-to-site peer: a client-config-dir entry with `iroute` for the client LAN. It is only
# needed if the client side stops masquerading behind 10.8.0.2 (and after the subnet overlap is fixed).
option log '/var/log/openvpn.log'
firewall
# Server-side /etc/config/firewall (UCI). Reviewer notes are added as comments; no option values are changed.
config rule
option name 'Allow-OpenVPN-Inbound'
option target 'ACCEPT'
# NOTE(review): src '*' accepts from every zone and proto 'tcpudp' opens TCP too, although the server only
# listens on UDP (option proto 'udp'). Tighten to `option src 'wan'` and `option proto 'udp'`.
option src '*'
option proto 'tcpudp'
option dest_port '1194'
config zone
option name 'vpnserver'
# input ACCEPT lets every VPN peer reach all services on this router (LuCI, SSH, DNS ...); restrict to
# what remote peers actually need.
option input 'ACCEPT'
option forward 'REJECT'
option output 'ACCEPT'
# masq here source-NATs traffic this router sends out ovpns0 to 10.8.0.1. It is not required for the stated
# goal (client side -> guest) and can be dropped once routing works; it is not what breaks the LAN devices.
option masq '1'
option network 'vpnserver'
config forwarding
# Only needed because redirect-gateway def1 is pushed (VPN peers use this router's internet); drop it
# together with that push.
option src 'vpnserver'
option dest 'wan'
config forwarding
# This is what grants VPN peers access to 192.168.5.0/24. Note there is no vpnserver -> lan forwarding,
# so 192.168.1.0/24 on this router is not reachable from the tunnel.
option src 'vpnserver'
option dest 'guest'
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 MY EXTERNAL IP 0.0.0.0 UG 0 0 0 br-wan
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 ovpns0
MY EXTERNAL IP 0.0.0.0 255.255.252.0 U 0 0 0 br-wan
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
192.168.5.0 0.0.0.0 255.255.255.0 U 0 0 0 br-guest
Client side config
Interfaces
# Client-side /etc/config/network (UCI). Reviewer notes are added as comments; no option values are changed.
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
# NOTE(review): this router is itself a DHCP client of the MR200 (192.168.1.1), and the LAN devices get their
# leases -- and presumably their default gateway 192.168.1.1 -- from the MR200 as well. Packets from those
# devices to 192.168.5.0/24 therefore go to the MR200, never to this router, which is consistent with the
# tunnel working from the router itself (10.8.0.2) but not from the devices behind it. Fix on one of:
#  - add a static route on the MR200: 192.168.5.0/24 via 192.168.1.100 (if the MR200 allows it);
#  - hand the devices 192.168.1.100 as gateway (DHCP option 3) or set it statically on them;
#  - move the DHCP server to this router (proto 'static' here, DHCP off on the MR200).
option proto 'dhcp'
config interface 'wan'
option proto 'dhcp'
option hostname 'Openwrt_test'
option ifname 'eth0'
option auto '0'
config device 'wan_dev'
option name 'dsl0'
option macaddr 'XXXXXXXXXXX'
config interface 'wan6'
option ifname '@wan'
option proto 'dhcpv6'
option auto '0'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 2 4 5 6t'
config interface 'vpnclient'
# OpenVPN brings up tun0 and assigns 10.8.0.2 itself (see the ifconfig line in the log), hence proto 'none'.
option proto 'none'
option ifname 'tun0'
option auto '1'
config route
# Static route to the server-side target subnet via the server's tunnel address; it is the last line of the
# client `route -n`. It is redundant while redirect-gateway def1 is pushed (the /1 routes already send
# everything to 10.8.0.1) and would be unnecessary if the server pushed this route instead.
option interface 'vpnclient'
option target '192.168.5.0'
option netmask '255.255.255.0'
option gateway '10.8.0.1'
option metric '1'
option mtu '1500'
openvpn config
# Client-side /etc/config/openvpn (UCI). Reviewer notes are added as comments; no option values are changed.
config openvpn 'sample_client'
option client '1'
option proto 'udp'
option resolv_retry 'infinite'
option nobind '1'
option persist_key '1'
option persist_tun '1'
# Drops privileges after start-up; persist_key/persist_tun above keep reconnects working without root.
option user 'nobody'
option ca '/etc/openvpn/ca.crt'
# NOTE(review): compression over a VPN enables VORACLE-style attacks on the tunnelled traffic; disable it on
# both sides (the server currently has comp_lzo 'yes').
option compress 'lzo'
# Server's DDNS name; no port given, so the default 1194 (matching the server) is used.
list remote 'ximonet.ddns.net'
option tls_client '1'
option cert '/etc/openvpn/cliente.crt'
option key '/etc/openvpn/cliente.key'
option log '/var/log/openvpn.log'
# Direction is supplied separately by key_direction '1' below, pairing with the server's '... 0'.
option tls_auth '/etc/openvpn/tls-auth.key'
option verb '3'
option enabled '1'
option key_method '2'
# NOTE(review): BF-CBC (Blowfish, 64-bit block) is vulnerable to SWEET32 on a long-lived tunnel. Unless NCP
# upgrades this to AES-GCM (not visible in the log excerpt), pin `option cipher 'AES-256-GCM'` on both sides.
option cipher 'BF-CBC'
option key_direction '1'
# NOTE(review): no `remote_cert_tls 'server'` -- without it any certificate issued by this CA (e.g. another
# client's) would be accepted as the server. Add `option remote_cert_tls 'server'`; this requires the server
# certificate to carry the TLS-server extended key usage.
option dev 'tun0'
option dev_type 'tun'
firewall
# Client-side /etc/config/firewall (UCI). Reviewer notes are added as comments; no option values are changed.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# NOTE(review): tun0 is listed here AND is the device of the 'vpnclient' network in the 'vpn' zone below.
# An interface belongs to one zone; remove this line so the tunnel is governed only by the 'vpn' zone.
list device 'tun0'
option network 'wan wan6'
config zone
# No vpn -> lan forwarding exists, so nothing on the server side can initiate connections into the client LAN.
option forward 'REJECT'
option output 'ACCEPT'
option name 'vpn'
option input 'REJECT'
# masq: LAN hosts are source-NATed to 10.8.0.2 when leaving through tun0. This is why the server needs no
# route/iroute back to 192.168.1.0/24 -- but the server cannot tell individual client-LAN hosts apart.
option masq '1'
option mtu_fix '1'
option network 'vpnclient'
config forwarding
# lan -> vpn is all the firewall needs for devices behind this router to reach the server side. If they still
# get no replies, their packets are probably not arriving at this router at all (check the devices' gateway:
# DHCP comes from the MR200 at 192.168.1.1, not from this router).
option dest 'vpn'
option src 'lan'
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.8.0.1 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 br-lan
10.8.0.0 10.8.0.1 255.255.255.0 UG 0 0 0 tun0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
MY EXTERNAL IP 192.168.1.1 255.255.255.255 UGH 0 0 0 br-lan
128.0.0.0 10.8.0.1 128.0.0.0 UG 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
192.168.5.0 10.8.0.1 255.255.255.0 UG 1 0 0 tun0
Log
Fri Sep 27 20:37:00 2019 /sbin/ifconfig tun0 10.8.0.2 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Fri Sep 27 20:37:00 2019 /sbin/route add -net MY EXTERNAL IP netmask 255.255.255.255 gw 192.168.1.1
Fri Sep 27 20:37:00 2019 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
Fri Sep 27 20:37:00 2019 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
Fri Sep 27 20:37:00 2019 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.1
Fri Sep 27 20:37:00 2019 UID set to nobody
Fri Sep 27 20:37:00 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Sep 27 20:37:00 2019 Initialization Sequence Completed