I have an OpenVPN server. I'd like to get access from there to the resources available on the client's network. The client network is managed by an OpenWrt-based router; it serves as an OpenVPN client.
The server's network is 192.168.3.0/24 and the local network on the OpenWrt router is 192.168.1.0/24, so there should be no conflicts.
I configured this setup using the official manual.
The connection is successful, and I can ping my router from the server (ping 192.168.1.1) and backward (ping 192.168.3.1 from the router).
But for some reason, none of the devices in the client's network are reachable from the server.
OpenVPN: Server configuration
port 1194
proto udp4
dev tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh2048.pem"
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
client-config-dir ccd
route 192.168.1.0 255.255.255.0
push "route 192.168.3.0 255.255.255.0"
ccd/client
iroute 192.168.1.0 255.255.255.0
OpenVPN: Client configuration (/etc/config/openvpn)
package openvpn

config openvpn 'client'
	option enabled '1'
	option client '1'
	option dev 'tun'
	option proto 'udp4'
	list remote 'myvpnserver 1194'
	option resolv_retry 'infinite'
	option nobind '1'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/client.crt'
	option key '/etc/openvpn/client.key'
	option remote_cert_tls 'server'
	option cipher 'AES-256-CBC'
	option verb '3'
	option status '/etc/openvpn/openvpn-status.log'
	option log '/var/log/openvpn.log'
I've added a corresponding interface and firewall rules on the router (based on the official manual):
/etc/config/network
config interface 'VPN'
	option proto 'none'
	option ifname 'tun0'
/etc/config/firewall
config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option name 'vpn'
	option forward 'ACCEPT'
	option masq '1'
	option network 'VPN'

config forwarding
	option dest 'lan'
	option src 'vpn'

config forwarding
	option dest 'vpn'
	option src 'lan'
Client log
TUN/TAP device tun0 opened
TUN/TAP TX queue length set to 100
do_ifconfig, tt->did_ifconfig_ipv6_setup=0
/sbin/ifconfig tun0 10.8.0.6 pointopoint 10.8.0.5 mtu 1500
/sbin/route add -net 192.168.3.0 netmask 255.255.255.0 gw 10.8.0.5
/sbin/route add -net 10.8.0.1 netmask 255.255.255.255 gw 10.8.0.5
UID set to nobody
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Initialization Sequence Completed
Server log
MULTI: Learn: 192.168.1.219 -> client/83.220.239.243:21301 # 192.168.1.219 is one of the devices connected to the client network (to the router)
MULTI: Learn: 192.168.1.1 -> client/83.220.239.243:21301 # 192.168.1.1 is the router
These records appeared when I tried to ping 192.168.1.219 and 192.168.1.1 respectively.
I've enabled IP Forwarding on the server and on the client as this article recommends.
I've also tried to disable the firewall on the router by using this command: /etc/init.d/firewall stop, but it didn't help either.
I did tracert 192.168.1.219 on the server:
1 34 ms 39 ms 34 ms 10.8.0.6
2 * * * Request timed out.
10.8.0.6 is the IP address of the router inside the VPN network.
What am I doing wrong?
Any advice would be much appreciated.
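The site-to-site setup above depends on two directives agreeing with each other: a server-side route (so the server's kernel hands 192.168.1.0/24 packets to the tun interface) and a matching iroute in the client's ccd file (so OpenVPN knows which connected client owns that subnet). The following checker, added here as an illustration and not part of the question or of OpenVPN itself, parses a server config and a ccd directory and reports any route without an iroute, any iroute without a route, and a missing client-config-dir; the embedded configs are constructed from the ones in the question.

```python
import ipaddress

# Constructed from the question's server config and ccd/client (only the
# routing-relevant lines are needed for this check).
SERVER_CONF = """
server 10.8.0.0 255.255.255.0
client-config-dir ccd
route 192.168.1.0 255.255.255.0
push "route 192.168.3.0 255.255.255.0"
"""
CCD = {"client": "iroute 192.168.1.0 255.255.255.0\n"}


def parse_directives(text, name):
    """Return the networks given to every `name` directive (route/iroute) in text."""
    nets = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == name:
            # ipaddress accepts "network/netmask", the form OpenVPN uses
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets


def check_site_to_site(server_conf, ccd):
    """Return a list of findings; an empty list means route/iroute pairs are consistent."""
    findings = []
    routes = set(parse_directives(server_conf, "route"))
    iroutes = {}
    for cn, text in ccd.items():
        for net in parse_directives(text, "iroute"):
            iroutes.setdefault(net, []).append(cn)
    if "client-config-dir" not in server_conf and ccd:
        findings.append("ccd files exist but client-config-dir is not set, so iroutes are never read")
    for net in sorted(routes, key=str):
        if net not in iroutes:
            findings.append(f"route {net} has no iroute in any ccd file: OpenVPN cannot pick a client for it")
    for net, cns in sorted(iroutes.items(), key=lambda kv: str(kv[0])):
        if net not in routes:
            findings.append(f"iroute {net} (ccd/{','.join(cns)}) has no matching server route: kernel never sends it to tun")
        if len(cns) > 1:
            findings.append(f"iroute {net} is claimed by several clients ({', '.join(cns)}); only the last connected one wins")
    return findings


if __name__ == "__main__":
    for finding in check_site_to_site(SERVER_CONF, CCD) or ["route/iroute configuration is consistent"]:
        print(finding)
```

For the question's configuration the check reports no findings, which confirms that the OpenVPN-level routing is declared correctly and narrows the investigation to the router's forwarding and the LAN hosts' own reply paths.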