I'm having trouble configuring my openwrt router to use a static route to forward traffic back to vpn clients, but I'm not sure what the next steps to take are in debugging or fixing the problem.
I setup an OpenVPN server in tun mode on a Raspberry PI on my LAN. My router has fkwnop (spa port knocking) that forwards vpn connection requests to the OpenVPN server. Routing rules on the OpenVPN Server and Router are supposed to be bridging the two subnets.
- my ovpn server config pushes a route for the LAN to clients
- I set a static route on my router for the VPN subnet pointing at the VPN server
- my ovpn server has ip forwarding enabled, with routes defined.
Currently, I can successfully
- connect the vpn client to the vpn server through the port knocking
- From the vpn client, ping the vpn server using either its VPN address or LAN address.
- from the vpn client, ping the router LAN address
- from the router, ping the vpn client
- from the vpn server, ping the vpn client
The problem is, I don't seem to be able to fully talk to other devices on the LAN. Ping messages from the vpn client to other LAN clients don't get returned. However...
- On a LAN client running Wireshark, I can see ping messages being received from the VPN client. When the LAN client sends its reply, it gets a ICMP redirect message back from the router, with a gateway address defined as the vpn server's LAN ip address. NOTE: I don't think this is what I want - What I really want is for the router to just forward the packets to the vpn server.
- On a LAN client, If I manually set a route definition with the vpn server as a gateway for the vpn subset (e.g. route add), I have full connectivity between the VPN client and that particular LAN client.
Why is my router sending redirect messages instead of forwarding packets?
Here is a diagram of the network.
VPN CLIENT ROUTER OVPNServer MediaPC NAS <============== LAN 10.10.1.x/24 ========================> <==== OVPN TUNNEL 172.31.1.x/24 =======> <--conn working --------> <--conn working (ssh/ping/etc) --------> <-- Not working (ssh/ping/etc) --------------------> <-- Not working (ssh/ping/etc) ------------------------------->
eth0: xx.xx.xx.xx(public ip)
Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 xx.xx.xx.xx 0.0.0.0 UG 0 0 0 eth0 10.10.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan xx.xx.xx.xx 0.0.0.0 255.255.240.0 U 0 0 0 eth0 172.31.1.0 10.10.1.21 255.255.255.0 UG 0 0 0 br-lan
IP Tables forwards VPN connections to OVPNServer (verified, working)
tun0: P-t-P 172.31.1.2
Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 10.10.1.1 0.0.0.0 UG 0 0 0 eth0 10.10.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 172.31.1.0 172.31.1.2 255.255.255.0 UG 0 0 0 tun0 172.31.1.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
/etc/openvpn/server.conf # IP address of the interface OpenVPN should listen on (optional) local 10.10.1.21 proto tcp port 1194 dev tun ca /etc/openvpn/ca.crt cert /etc/openvpn/xx.crt key /etc/openvpn/xx.key dh /etc/openvpn/xx.pem # OpenVPN Subnet - server will take 172.31.1.1 server 172.31.1.0 255.255.255.0 route 172.31.1.0 255.255.255.0 push "route 10.10.1.0 255.255.255.0" push "dhcp-option DNS 10.10.1.1" # Tell Client to route all traffic through VPN push "redirect-gateway" # Allow clients to see each other client-to-client # Allow multiple clients to connect with the same cert/key files # Less secure but you have to manage less keys duplicate-cn # Ping every 10 seconds, client is gone if no response afer 120s keepalive 10 120 persist-key persist-tun verb 1 log-append /var/log/openvpn.log