Unable to access Client Side Lan on OpenVPN between routers

Hi everyone.

I'm relatively new to OpenWrt, having come from Tomato previously. Not much of a power user, but I'm able to find my way around relatively OK.

My setup is as follows:

I have a server side OpenVPN server running off OpenWRT, that is currently connected to a Client side OpenVPN running off Tomato Firmware.

My client-side PCs are on the 192.168.1.x subnet and are able to access the PCs on the server's side, which are on the 192.168.0.x subnet. The server-side PCs, however, aren't able to access the client side's subnet.

Would appreciate some help. Thanks!

To route from the server side to the client side you not only need to set a route but also an iroute.

I have some notes about it; maybe they are helpful:

Site-to-site

In a setup where a single server can handle many clients, it is sometimes necessary to set per-client options that overrule the global options, or to add extra options to a particular client. The option client-config-dir is very useful for this. It allows the VPN administrator to assign a specific IP address to a client, in order to push specific options such as a DNS server to a particular client or to temporarily disable a client altogether.

This option is also vital if you want to route a subnet from the server side to the client side.

Add to the OpenVPN servers config file:

#set option for CCD dir in openvpn config:

client-config-dir /etc/openvpn/ccd

In this example the LAN subnet of the server is 192.168.6.0/24 and the LAN subnet of the client is 172.18.18.0/24.

Push the server-side LAN subnet to clients, either by adding redirect-gateway or with:

push "route 192.168.6.0 255.255.255.0 vpn_gateway"

Instruct the server to add a route to the client-side LAN for all local server-side clients:

route 172.18.18.0 255.255.255.0 vpn_gateway

From Command line:

#Make ccd directory

mkdir /etc/openvpn/ccd

#Make the DEFAULT file, which is used if no named file is found. This is only suitable if there is just one VPN client. If the server serves multiple clients, certificate authentication must be used with a unique certificate for each client; the CN of the certificate matches the file name for that client in the ccd directory.

touch /etc/openvpn/ccd/DEFAULT

#Add iroute to DEFAULT ccd file (the subnet must match the client LAN in the route line above)

echo "iroute 172.18.18.0 255.255.255.0" > /etc/openvpn/ccd/DEFAULT

Firewall

The firewall on the client side must be set up as if it is an OpenVPN server, so with ACCEPT on INPUT and FORWARD and no masquerading.

2 Likes
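The notes above are a procedure typed by hand on the server, and the one thing that silently breaks it is the iroute and the route disagreeing (a digit typo in either is enough). The script below is an added example, not code from the thread or from the OpenVPN project: it writes the same server-side pieces (client-config-dir, push route, route, ccd iroute) into a directory and then checks that every iroute in the ccd directory has a matching route line. The subnets (server LAN 192.168.6.0/24, client LAN 172.18.18.0/24), the file name site-to-site.conf and the ccd name DEFAULT are constructed from the notes; run it against /etc/openvpn on a real router.

```shell
#!/bin/sh
# Added example (not from the thread): write the server-side pieces of an
# OpenVPN site-to-site setup and check that every ccd iroute has the
# matching 'route' line, which is what the server kernel actually uses.
# Assumed values (constructed from the notes above): server LAN
# 192.168.6.0/24, client LAN 172.18.18.0/24, ccd file DEFAULT.

# gen_site_to_site DIR CLIENT_NET CLIENT_MASK SERVER_NET SERVER_MASK [CCD_NAME]
# DIR is a scratch directory here; use /etc/openvpn on the router.
gen_site_to_site() {
    dir=$1; cnet=$2; cmask=$3; snet=$4; smask=$5; ccdname=${6:-DEFAULT}
    mkdir -p "$dir/ccd"
    # Server config: hand the server LAN to the client, and route the
    # client LAN into the tunnel so the server kernel knows where it lives.
    cat > "$dir/site-to-site.conf" <<EOF
client-config-dir $dir/ccd
push "route $snet $smask vpn_gateway"
route $cnet $cmask vpn_gateway
EOF
    # ccd file: iroute tells OpenVPN which connected client owns that LAN.
    # With a single client DEFAULT is enough; with several, the file name
    # must be the CN of that client's certificate.
    echo "iroute $cnet $cmask" > "$dir/ccd/$ccdname"
}

# check_iroutes DIR: report iroutes that have no matching route (a typo in
# either one silently breaks server -> client LAN traffic). Returns 0 if
# all agree, otherwise the number of mismatches.
check_iroutes() {
    dir=$1; conf=$dir/site-to-site.conf; bad=0
    for f in "$dir"/ccd/*; do
        [ -f "$f" ] || continue
        # redirect instead of piping so 'bad' survives the loop
        while read -r kw net mask || [ -n "$kw" ]; do
            [ "$kw" = "iroute" ] || continue
            if ! awk -v n="$net" -v m="$mask" \
                '$1 == "route" && $2 == n && $3 == m { found = 1 } END { exit !found }' "$conf"; then
                echo "ccd/$(basename "$f"): iroute $net $mask has no matching route in $conf" >&2
                bad=$((bad + 1))
            fi
        done < "$f"
    done
    return "$bad"
}

# Demo on a scratch directory with the constructed subnets
demo=$(mktemp -d)
gen_site_to_site "$demo" 172.18.18.0 255.255.255.0 192.168.6.0 255.255.255.0
check_iroutes "$demo" && echo "route and iroute agree; restart openvpn to apply"
```

The check only covers the routing half; the firewall on both routers still has to permit forwarding, as the notes say.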

Hi! Thanks for the reply!

I'll try to implement what you suggested. I'm just a bit confused on the firewall bit because Tomato doesn't seem to have the same implementation as OpenWrt when it comes to routing/firewall settings.

Normally for a client you enable the firewall for the VPN, but your firewall should be set up as if it is a VPN server.

It is a long time ago since I used FT, so I cannot give specific instructions.

1 Like

Generally the simplest way (not sure about openvpn):

  • Make sure the client-side router grabs a static address for its connection to the 192.168.0.x network (i.e. don't use DHCP, or set DHCP to issue the same address every time to that MAC)
  • On the server-side router add a static route to route 192.168.1.0 netmask 255.255.255.0 via gateway 192.168.0.x (the x being whatever you've set it to statically)
  • On the client-side router just change the firewall zone for the connection (to the 192.168.0.x network) from wan to lan (in the interfaces section, not the separate firewall section)
1 Like

Exactly, that needs special care.

1 Like

OpenVPN installs addresses and routes into the local kernel automatically. When running as client, it takes instructions for addresses and routes from the server, thus the server config has some control of remote addresses and routes (the client can be configured to restrict this, but by default it does not). OpenVPN does not configure the firewall. That must be done separately.

The iroute will become a route in the server kernel. No additional routes are needed in the client when the VPN is the default route that also includes any LANs at the server.

For a server-side LAN device to reach the client LAN, both the server and client firewalls must allow such forwarding.

2 Likes
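Since OpenVPN never touches the firewall, the forwarding described above (and the port-opening that comes up later in the thread) has to be done in the router config. The block below is an added example, not from the thread or from the OpenWrt project: it writes the server-side OpenWrt firewall fragment a site-to-site link needs (a zone for the tunnel device with no masquerading, forwarding lan to vpn and vpn to lan, and a wan rule accepting the OpenVPN UDP port) in /etc/config/firewall syntax, and provides a checker that reads a firewall config and reports which of those pieces is missing. The zone name vpn, the device name tunketchup and port 7500 are assumptions taken from the posted server config; the fragment goes to a scratch file here, so review it before appending it to a real /etc/config/firewall.

```shell
#!/bin/sh
# Added example (not from the thread): server-side OpenWrt firewall pieces
# for a site-to-site OpenVPN link, plus a checker over a firewall config.
# Assumed names (constructed): tunnel device 'tunketchup', zone 'vpn',
# UDP port 7500, matching the server config posted in this thread.

# write_vpn_firewall FILE [DEVICE] [PORT]: emit the fragment to FILE.
write_vpn_firewall() {
    out=$1; dev=${2:-tunketchup}; port=${3:-7500}
    cat > "$out" <<EOF
config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '0'
	list device '$dev'

config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'vpn'
	option dest 'lan'

config rule
	option name 'Allow-OpenVPN'
	option src 'wan'
	option proto 'udp'
	option dest_port '$port'
	option target 'ACCEPT'
EOF
}

# check_vpn_firewall FILE [DEVICE] [PORT]: returns 0 when FILE has a zone
# covering DEVICE without masquerading, forwarding lan<->zone in both
# directions, and a rule accepting udp/PORT; otherwise prints what is
# missing and returns the number of problems.
check_vpn_firewall() {
    cfg=$1; dev=${2:-tunketchup}; port=${3:-7500}
    awk -v dev="$dev" -v port="$port" '
        # flush(): evaluate the UCI section collected so far
        function flush(k) {
            if (type == "zone" && (opt["device"] == dev || opt["network"] == dev)) {
                zone = opt["name"]; masq = opt["masq"]
            }
            if (type == "forwarding") fwd[opt["src"] ":" opt["dest"]] = 1
            if (type == "rule" && opt["proto"] == "udp" && opt["dest_port"] == port \
                && opt["target"] == "ACCEPT") rule = 1
            for (k in opt) delete opt[k]
            type = ""
        }
        $1 == "config" { flush(); type = $2 }
        $1 == "option" || $1 == "list" {
            v = $3
            if (substr(v, 1, 1) == "\047") v = substr(v, 2, length(v) - 2)  # strip quotes
            opt[$2] = v
        }
        END {
            flush(); bad = 0
            if (zone == "") { print "no zone contains device " dev; bad++ }
            else {
                if (masq == "1") { print "zone " zone " masquerades; site-to-site needs masq 0"; bad++ }
                if (!(("lan:" zone) in fwd)) { print "missing forwarding lan -> " zone; bad++ }
                if (!((zone ":lan") in fwd)) { print "missing forwarding " zone " -> lan"; bad++ }
            }
            if (!rule) { print "no rule accepting udp/" port; bad++ }
            exit bad
        }' "$cfg"
}

# Demo on a scratch file with the constructed names
scratch=$(mktemp)
write_vpn_firewall "$scratch"
check_vpn_firewall "$scratch" && echo "forwarding both ways, no masquerading, udp/7500 open"
```

Masquerading is left off on purpose: with NAT on the tunnel zone the server LAN would see every client-side host as the tunnel address, and the reverse path that the iroute provides would be pointless. The same checker can be pointed at a router's live /etc/config/firewall to see which of the three pieces is absent.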

For some strange reason, whenever I include

client-config-dir /etc/openvpn/ccd

into /etc/config/openvpn, my preconfigured server disappears from my LuCI interface. It only reappears when removed.

This is my openvpn config under /etc/config/openvpn

config openvpn 'Test'
        option proto 'udp'
        option cipher 'AES-256-GCM'
        option client_to_client '1'
        option comp_lzo 'no'
        option dev 'tunketchup'
        option duplicate_cn '1'
        option keepalive '10 120'
        option mode 'server'
        option mssfix '1450'
        option persist_key '1'
        option persist_tun '1'
        option port '7500'
        option remote_cert_tls 'client'
        option reneg_sec '0'
        option server '10.100.0.0 255.255.255.0'
        option topology 'subnet'
        option verb '3'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/Server_SiteA.crt'
        option dh '/etc/openvpn/dh.pem'
        option key '/etc/openvpn/Server_SiteA.key'
        option dev_type 'tun'
        list push 'comp-lzo no'
        list push 'route 192.168.0.0 255.255.255.0'
        list push '#redirect-gateway def1'
        list push ''\''redirect-gateway def1'\'''
        option enabled '1'

Logs don't seem to show anything.

Have you created it?

mkdir /etc/openvpn/ccd

Hi, thanks for the quick reply. Yeah, I've already created that.

Oh, I see the problem: you use LuCI to set it up. I tried that once and ran away; it is so much easier to directly use the OpenVPN config file, but that is probably just me.

So my instructions are for directly manipulating a VPN config. Maybe it is possible to do it in LuCI, but I found some options missing.

I used a hybrid method, CLI and LuCI. Really strange... maybe the syntax is different? Did you use openvpn.conf or openvpn in the config folder?

In /etc/config/openvpn I have the reference to my OpenVPN config file:

config openvpn 'ovpnserver1'
	option config '/etc/openvpn/ovpnserver1.ovpn'

In /etc/openvpn I have my config files e.g. ovpnserver1.ovpn:

server 10.8.0.0 255.255.255.0
topology subnet
verb 5
proto udp4
mode server
port 1196
client-to-client
duplicate-cn
fast-io
dev tun2
dev-type tun
dh none
ecdh-curve secp384r1
keepalive 10 60

push "redirect-gateway def1"
push "route 192.168.9.0 255.255.255.0"
push "dhcp-option DNS 192.168.9.1"
push "dhcp-option DOMAIN home9"

data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-128-GCM:AES-256-CBC

tun-mtu 1400
mssfix 1300

<ca>
-----BEGIN CERTIFICATE-----
MIIEnjCCA4agAwIBAgIJAIBjix88TJyWMA0GCSqGSIb3DQEBCwUAMIGQMQswCQYD
VQQGEwJOTDELMAkGA1UECBMCTkIxEjAQBgNVBAcTCVJvdHRlcmRhbTEQMA4GA1UE
TlfcYMujaQkMQJIIDZidJzw3wfnAgm84dhr+nbIot2V0lZI5dPdpET4/GY59H7gh
23QgS+09Flq6MIE+NrtfhfnX+dTcGpb755GcWcSR/C+AOGFAACkDMyp/9yiHCOF7
KTVgi2Jcb16uRYTp4vASvSkDHnZFPwZh2Vlj+omlOUMp8g==
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
MIIE/jCCA+agAwIBAgIBATANBgkqhkiG9w0BAQsFADCBkDELMAkGA1UEBhMCTkwx
CzAJBgNVBAgTAk5CMRIwEAYDVQQHEwlSb3R0ZXJkYW0xEDAOBgNVBAoTB09wZW5W
s2mKVJhPfH0Bf+2f34LAl3Pgbrd5AZvkns/BQkOh7H5IgzsFyNa7D4/BXDw+GxvT
DRWlvXWYI0ODVhPNoDNM7oBlfFMMiTs/cSqe8YYaW02c0Q==
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDRQIEVX20Qx+p4
2i2XXUU60tnlFY+SXe2mtKMzeKyEhR9xrb5uX0EmjzRWDVbj4Ow+XsXY+i1Vc0Ra
VnsAbBXAf2vvWqZaE+f5h5Y24s3fUOdHqDvi83QTLEJcjSJZWteTnCqs/dFb+x3a
EW3Ah/oRC/r4aWczqtiPYwW/FNeJWN9KQeq3LRVlQqQPbbcVZSeZJHK+CoO5Rkct
NCELHVCOBLd5kRlFHg5RziI=
-----END PRIVATE KEY-----
</key>

In the config I place my settings for a site-to-site setup as posted.

1 Like

Thanks for sharing. I managed to get most of my config sorted out. My OpenWrt throws out this error:

read UDPv4 [ECONNREFUSED]: Connection refused (fd=6,code=111)

I suspect it might be a client-side firewall issue. Not very good with iptables in FreshTomato.

It means the port is not open.
Have you made a traffic rule on the OpenWRT router opening up the port you have set in the openvpn config?

It would be useful to know which device refused the connection. A router will return connection refused if its firewall does not allow forwarding to the destination. One setting of Windows firewall is to refuse connections from IPs other than its own LAN.

I think I have the corresponding UDP port open. I'm using 7500 for VPN.

On a side note, on the client side, I might have messed up my iptables while experimenting. Now my DDNS doesn't work, lol. I've got a lot of reading to do before getting this running properly, sadly.

I'll try resetting and starting from scratch tomorrow. This thing is both fun and depressing XD.

1 Like

Just a quick update. I managed to get bidirectional access working. Turns out the issue was with my firewall on the client side all along. None of my scripts were working because, on reboot, the scripts were being applied while the interface was not yet up, most likely because the WAN was not connected yet.

Many thanks to @egc @mk24 @wilsonyan for all the pointers!

1 Like