TAP Openvpn between two openwrt

Setting up a TAP tunnel between two OpenWrt devices.

192.168.231.0 <> tap0 <> openwrt1 openwrt2 <> tap0 <> 192.168.235.0

The tunnel works and the connection is established; openwrt2's tap0 gets an address from the 192.168.231.0 network.

Pinging all addresses of the openwrt1 network from the openwrt2 network is successful.

But pinging addresses of the openwrt2 network from the openwrt1 network is unsuccessful, even the address assigned to openwrt2's tap0. What should I configure to be able to see the openwrt2 network addresses from the openwrt1 network? As a first step, I want to be able to ping the address assigned to openwrt2's tap0.

Here are my configs:

OPENWRT1

network


# openwrt1 /etc/config/network as pasted; the PPPoE credentials were masked by the poster.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdca:3689:9848::/48'
        option packet_steering '1'

# br-lan bridges the wired LAN port with the OpenVPN TAP device, so every peer
# that comes up on tap0 shares one L2 segment with the 192.168.231.0/24 hosts
# (and, through the firewall config further down, the same 'lan' zone trust).
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'tap0'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.231.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        # NOTE(review): 'ifname' is the pre-'device' syntax, tap0 is already a br-lan
        # port above, and the value carries a leading space (' tap0'); this line looks
        # stale -- confirm and drop it rather than rely on it.
        option ifname ' tap0'

# PPPoE uplink; ISP-supplied DNS is ignored (peerdns 0) in favour of the two listed resolvers.
config interface 'WAN'
        option proto 'pppoe'
        option device 'eth0'
        option username '*****'
        option password '*****'
        option ipv6 '0'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config device
        option name 'tap0'
        # acceptlocal maps to the kernel's accept_local sysctl (accept packets whose
        # source is a local address) -- presumably needed for the bridged TAP; verify.
        option acceptlocal '1'

firewall

# openwrt1 /etc/config/firewall as pasted.
# Default policy: reject inbound and transit traffic unless a zone or rule allows it.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

# 'lan' is fully open. Because the network config puts tap0 into br-lan, every
# OpenVPN peer is a member of this zone and is trusted exactly like a wired LAN host.
config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# NOTE(review): the pasted network config only defines an interface named 'WAN'
# (uppercase); the 'wan' and 'wan6' entries match nothing shown here -- presumably
# leftovers from the stock config, harmless but worth confirming.
config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'WAN'

config forwarding
        option src 'lan'
        option dest 'wan'

# Stock OpenWrt allowances from the WAN side: DHCP renew, ping, IGMP.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# Internet-facing SSH forward: anything reaching WAN port 45444 is DNATed to
# 192.168.231.20:22, with no source restriction and no 'proto' given (the firewall
# default applies -- confirm which). Exposure rests entirely on that host's SSH
# hardening; adding 'src_ip', or reaching the host over the VPN instead, narrows it.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'SSHtoShit'
        option family 'ipv4'
        option src 'wan'
        option src_dport '45444'
        option dest_ip '192.168.231.20'
        option dest_port '22'

# Opens the OpenVPN listener to the internet; udp/8545 matches 'port' in the openvpn config.
config rule 'ovpn'
        option name 'Allow-OpenVPN'
        option src 'wan'
        option dest_port '8545'
        option proto 'udp'
        option target 'ACCEPT'

openvpn_server

# openwrt1 /etc/config/openvpn (server side), as pasted.
config openvpn 'sinsrv'
        option verb '3'
        # PKI: CA, server cert/key and DH params. No tls-auth/tls-crypt key appears
        # in this paste, so the control channel has no pre-shared HMAC layer in front
        # of the TLS handshake -- confirm whether that is intentional.
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/polsrv.crt'
        option key '/etc/openvpn/polsrv.key'
        option dh '/etc/openvpn/dh.pem'
        # Peers may reach each other through the server.
        option client_to_client '1'
        # Log and status live in /tmp (RAM-backed on OpenWrt), so they do not survive a reboot.
        option log '/tmp/openvpn.log'
        option keepalive '10 120'
        option status '/tmp/openvpn.status 5'
        option mute '20'
        option enabled '1'
        option persist_tun '1'
        option persist_key '1'
        # Layer-2 tunnel; tap0 is a br-lan port in the network config.
        option dev 'tap0'
        option dev_type 'tap'
        # Matches the 'Allow-OpenVPN' firewall rule (udp/8545).
        option port '8545'
        option tun_ipv6 '0'
        # Bridge-mode server: gateway 192.168.231.1/24, peers are leased
        # 192.168.231.200-254 out of the LAN subnet.
        option server_bridge '192.168.231.1 255.255.255.0 192.168.231.200 192.168.231.254'
        # Several peers may connect with the same certificate CN. Convenient, but it
        # removes per-client identity; if devices share one cert, revoking it hits all of them.
        option duplicate_cn '1'
        option sndbuf '393216'
        option rcvbuf '393216'

OPENWRT2

# openwrt2 /etc/config/network as pasted (loopback/globals sections not included in the paste).
# tap0 is bridged into br-lan, so the TAP address leased by openwrt1 (192.168.231.x)
# and the local 192.168.235.1/24 end up on the same bridge.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'tap0'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        # A different /24 from openwrt1's 192.168.231.0/24; the replies in the thread
        # explain that this mask mismatch is what blocks openwrt1 -> openwrt2 reachability.
        option ipaddr '192.168.235.1'
        option netmask '255.255.255.0'
        option ip6assign '60'


# PPPoE uplink; credentials masked by the poster, ISP DNS ignored (peerdns 0).
config interface 'WAN'
        option proto 'pppoe'
        option device 'eth0'
        option username '*****'
        option password '*****'
        option ipv6 '0'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config device
        option name 'tap0'
        # acceptlocal maps to the kernel's accept_local sysctl -- presumably needed for
        # the bridged TAP, same as on openwrt1; verify.
        option acceptlocal '1'

firewall

# openwrt2 /etc/config/firewall as pasted.
# Default policy: reject inbound and transit traffic unless a zone or rule allows it.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

# 'lan' is fully open; tap0 is a br-lan port in the network config, so traffic
# arriving over the tunnel is treated as 'lan' traffic here too.
config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# NOTE(review): only an interface named 'WAN' exists in the pasted network config;
# 'wan' and 'wan6' match nothing shown -- presumably stock leftovers, confirm.
config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'WAN'

config forwarding
        option src 'lan'
        option dest 'wan'

# Stock OpenWrt allowances from the WAN side. No inbound OpenVPN rule is present:
# this side is the client and only initiates outbound (zone output ACCEPT).
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'



openvpn_client

# openwrt2 OpenVPN client config as pasted (remote hostname masked by the poster).
# Layer-2 tunnel; must match the server's 'dev_type tap'.
dev tap

proto udp

# Relative path -- resolves against the daemon's working directory; confirm where it lands.
log openvpn.log

verb 3

# Client mode: pull configuration pushed by the server.
client

# Require the server certificate to carry the server EKU/key-usage, so a leaked
# client certificate cannot be used to impersonate the server.
remote-cert-tls server

# NOTE(review): no ca/cert/key (or tls-crypt) directives appear in this paste, so
# either they were omitted from the post or the client lacks its PKI material -- confirm.
remote ******.ydns.eu 8545

A cursory skim through the config files does not show a route from openwrt1 to openwrt2. This may be relevant, or it may be a red herring.

In addition, you don’t appear to tie your OpenVPN interfaces to firewall zones. This may also be relevant, or may also be a red herring.

Is there a particular requirement for OpenVPN over other VPN options? I use both OpenVPN and WireGuard and prefer the latter; I find it faster and more performant in use, plus I also find it easier to set up. It’s ideal for site-to-site scenarios, which yours appears to be on the face of it.

You probably mean 192.168.231.0/24.

tap means Layer 2 bridge, so both interfaces must be on the same IP subnet. OWRT2 gets an IP address from OWRT1 (network 192.168.231.0/24), so you can ping everything on that subnet from OWRT2.

You cannot access 192.168.235.0/24 from OWRT1 unless you change the subnet mask (on both devices) or switch to tun and set some openvpn routing rules.


Thanks for the reply! Yep, 192.168.231.0 is the goal. Must the subnet mask be changed to 255.255.254.0?

To cover both subnets, you need to use 255.255.240.0 or change the IP address of one of the sites. (255.255.254.0 only spans 192.168.230.0–192.168.231.255; 255.255.240.0 gives 192.168.224.0/20, which contains both 192.168.231.0 and 192.168.235.0.)

After changing the subnet mask(s), you may omit the args after the server-bridge directive.