Topic: Openvpn routing issue with Backfire on Netgear WNDR3700

I installed backfire on a Netgear WNDR3700 with the intention to use it as a VPN gateway.

However, up to now I have not succeeded in getting OpenVPN working properly on Backfire.  Although I tried to implement the same OpenVPN configuration as I used on Kamikaze, there seems to be a routing problem with my configuration on Backfire.

I have already done a lot of testing; first I'll provide some of my findings, and at the end I have included the configuration details.

I don't know where to look any further.  I have the feeling that I'm very close to a resolution, but I just can't find it.
Could someone give me some advice?

Many, many thanks in advance!!!


FINDINGS:

After booting the router I can open a VPN connection on the WAN port, and I can ping the IP address of the router that is associated with the DMZ VLAN.  However, a ping to another system in the DMZ does not work.

When I do "/etc/init.d/network restart", the issue is gone and I can use VPN to connect to any system in the DMZ.  The only change I could notice before and after the network restart is the routing table.

After booting the device I get the following output of "netstat -rn":

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.18.0.2       0.0.0.0         255.255.255.255 UH        0 0          0 tun0
10.18.0.0       10.18.0.2       255.255.255.0   UG        0 0          0 tun0
192.168.22.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0.2
192.168.33.0    0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.10.0    0.0.0.0         255.255.255.0   U         0 0          0 br-lan
0.0.0.0         192.168.33.1    0.0.0.0         UG        0 0          0 eth1

After executing "/etc/init.d/network restart", I get the following output of "netstat -rn":

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.18.0.0       0.0.0.0         255.255.255.0   U         0 0          0 tun0
192.168.22.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0.2
192.168.33.0    0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.10.0    0.0.0.0         255.255.255.0   U         0 0          0 br-lan
0.0.0.0         192.168.33.1    0.0.0.0         UG        0 0          0 eth1

As you can see the routing entry related to the tun0 has changed.

So, I checked whether I could obtain the same result by changing the routing table manually.  After rebooting the router, I executed the following commands to manipulate the routing table:

route del -net 10.18.0.0 netmask 255.255.255.0
route del -net 10.18.0.2 netmask 255.255.255.255
route add -net 10.18.0.0 netmask 255.255.255.0 tun0

The output of these commands and of "netstat -rn", executed on the router, is shown below:

root@netgear:/etc/init.d# route del -net 10.18.0.0 netmask 255.255.255.0
root@netgear:/etc/init.d# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.18.0.2       0.0.0.0         255.255.255.255 UH        0 0          0 tun0
192.168.22.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0.2
192.168.33.0    0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.10.0    0.0.0.0         255.255.255.0   U         0 0          0 br-lan
0.0.0.0         192.168.33.1    0.0.0.0         UG        0 0          0 eth1
root@netgear:/etc/init.d# route del -net 10.18.0.2 netmask 255.255.255.255
root@netgear:/etc/init.d# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.22.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0.2
192.168.33.0    0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.10.0    0.0.0.0         255.255.255.0   U         0 0          0 br-lan
0.0.0.0         192.168.33.1    0.0.0.0         UG        0 0          0 eth1
root@netgear:/etc/init.d# route add -net 10.18.0.0 netmask 255.255.255.0 tun0
root@netgear:/etc/init.d# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.18.0.0       0.0.0.0         255.255.255.0   U         0 0          0 tun0
192.168.22.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0.2
192.168.33.0    0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.10.0    0.0.0.0         255.255.255.0   U         0 0          0 br-lan
0.0.0.0         192.168.33.1    0.0.0.0         UG        0 0          0 eth1
root@netgear:/etc/init.d#

... Then I do some tests on a VPN client system and try to ping the DMZ, first the router (DMZ interface 192.168.22.1), with success:

stefan@stefan-desktop:/etc/openvpn/config$ ping 192.168.22.1
PING 192.168.22.1 (192.168.22.1) 56(84) bytes of data.
64 bytes from 192.168.22.1: icmp_seq=1 ttl=64 time=3.21 ms
64 bytes from 192.168.22.1: icmp_seq=2 ttl=64 time=4.17 ms
^C
--- 192.168.22.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1005ms
rtt min/avg/max/mdev = 3.219/3.695/4.171/0.476 ms

... Then I ping a system in the DMZ, without success:

stefan@stefan-desktop:/etc/openvpn/config$ ping 192.168.22.10
PING 192.168.22.10 (192.168.22.10) 56(84) bytes of data.
From 10.18.0.1 icmp_seq=1 Destination Port Unreachable
From 10.18.0.1 icmp_seq=2 Destination Port Unreachable
From 10.18.0.1 icmp_seq=3 Destination Port Unreachable
From 10.18.0.1 icmp_seq=4 Destination Port Unreachable
^CFrom 10.18.0.1 icmp_seq=5 Destination Port Unreachable

--- 192.168.22.10 ping statistics ---
5 packets transmitted, 0 received, +5 errors, 100% packet loss, time 4016ms

... On the router I launch the command "ifup -a":

root@netgear:~# ifup -a

... Then again I try to ping a system in the DMZ, this time with success:

stefan@stefan-desktop:/etc/openvpn/config$ ping 192.168.22.10
PING 192.168.22.10 (192.168.22.10) 56(84) bytes of data.
64 bytes from 192.168.22.10: icmp_seq=1 ttl=63 time=3.59 ms
64 bytes from 192.168.22.10: icmp_seq=2 ttl=63 time=4.41 ms
^C
--- 192.168.22.10 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1003ms
rtt min/avg/max/mdev = 3.599/4.009/4.419/0.410 ms

BUT, now the wireless doesn't work anymore.  I do "/etc/init.d/network restart" and everything works again, VPN included.

CONFIGURATION:

I configured VLANs:

WAN        192.168.33.0/24
LAN        192.168.10.0/24
DMZ        192.168.22.0/24

*** NETWORK ***

root@netgear:/etc/config# cat network

config 'interface' 'lan'
    option 'ifname' 'eth0.1'
    option 'type' 'bridge'
    option 'proto' 'static'
    option 'ipaddr' '192.168.10.1'
    option 'netmask' '255.255.255.0'
    list 'dhcp_option' 'option:dns-server,192.168.10.1'
    list 'dhcp_option' 'option:router,192.168.10.1'

config 'interface' 'vpn'
    option 'ifname' 'tun0'
    option 'proto' 'static'
    option 'netmask' '255.255.255.0'
    option 'ipaddr' '10.18.0.1'

config 'interface' 'dmz'
    option 'ifname' 'eth0.2'
    option 'proto' 'static'
    option 'ipaddr' '192.168.22.1'
    option 'netmask' '255.255.255.0'

config 'interface' 'wan'
    option 'ifname' 'eth1'
    option 'proto' 'static'
    option 'ipaddr' '192.168.33.254'
    option 'netmask' '255.255.255.0'
    option 'peerdns' '0'
    option 'dns' '192.168.33.1'
    option 'gateway' '192.168.33.1'

config 'interface' 'loopback'
    option 'ifname' 'lo'
    option 'proto' 'static'
    option 'ipaddr' '127.0.0.1'
    option 'netmask' '255.0.0.0'

config 'switch'
    option 'name' 'rtl8366s'
    option 'reset' '1'
    option 'enable_vlan' '1'
    option 'blinkrate' '2'

config 'switch_vlan'
    option 'device' 'rtl8366s'
    option 'vlan' '0'
    option 'ports' '5*'

config 'switch_vlan'
    option 'device' 'rtl8366s'
    option 'vlan' '1'
    option 'ports' '0 1 5t'

config 'switch_vlan'
    option 'device' 'rtl8366s'
    option 'vlan' '2'
    option 'ports' '2 3 5t'

config 'switch_port'
    option 'device' 'rtl8366s'
    option 'port' '1'
    option 'led' '9'

config 'switch_port'
    option 'device' 'rtl8366s'
    option 'port' '2'
    option 'led' '6'

config 'switch_port'
    option 'device' 'rtl8366s'
    option 'port' '5'
    option 'led' '6'

*** OPENVPN ***

root@netgear:/etc/config# cat openvpn

config 'openvpn' 'NetgearGW'
    option 'enable' '1'
    option 'local' '192.168.33.254'
    option 'port' '1194'
    option 'proto' 'udp'
    option 'dev' 'tun0'
    option 'ca' '/etc/easy-rsa/keys/ca.crt'
    option 'cert' '/etc/easy-rsa/keys/netgear.crt'
    option 'key' '/etc/easy-rsa/keys/netgear.key'
    option 'dh' '/etc/easy-rsa/keys/dh1024.pem'
    option 'ifconfig_pool_persist' '/etc/openvpn/ipp.txt'
    option 'server' '10.18.0.0 255.255.255.0'
    list 'push' 'route 192.168.22.0  255.255.255.0'
    option 'keepalive' '10 120'
    option 'tls_auth' '/etc/easy-rsa/keys/ta.key 0'
    option 'comp_lzo' '1'
    option 'persist_key' '1'
    option 'persist_tun' '1'
    option 'status' '/var/log/openvpn-status.log'
    option 'verb' '5'
    option 'management' 'localhost 7505'

*** FIREWALL ***

:/etc/config# cat firewall
config defaults
    option syn_flood    1
    option input        ACCEPT
    option output       ACCEPT
    option forward      REJECT

config zone
    option name         lan
    option input        ACCEPT
    option output       ACCEPT
    option forward      REJECT

config zone
    option name         vpn
    option input        ACCEPT
    option output       ACCEPT
    option forward      ACCEPT
    option masq         1

config zone
    option name         dmz
    # By default, stop anything coming from the DMZ
    option input        REJECT
    option output       ACCEPT
    option forward      REJECT

config zone
    option name         wan
    option input        REJECT
    option output       ACCEPT
    option forward      REJECT
    option masq         1
    option mtu_fix      1

# Allow LAN to access the internet
config forwarding
    option src          lan
    option dest         wan

# Allow DMZ to access the internet
config 'forwarding'
    option 'src' 'dmz'
    option 'dest' 'wan'

# Allow LAN to access the DMZ
config 'forwarding'
    option 'src' 'lan'
    option 'dest' 'dmz'

# Allow the VPN to access DMZ
config forwarding
    option src          vpn
    option dest         dmz

config rule
    option src          wan
    option dest_port    22
    option target       ACCEPT
    option proto        tcp

config rule
    option src          wan
    option dest_port    1194
    option target       ACCEPT
    option proto        udp

# Allow the DMZ to use the router as a DNS server
config 'rule'
    option 'src' 'dmz'
    option 'proto' 'tcpudp'
    option 'dest_port' '53'
    option 'target' 'ACCEPT'

# Allow the DMZ to use the router as a DHCP server
config 'rule'
    option 'src' 'dmz'
    option 'proto' 'udp'
    option 'dest_port' '67'
    option 'target' 'ACCEPT'

# Allow ping during testing, remove afterwards
#
config rule
    option src dmz
    option proto icmp
    option icmp_type echo-request
    option target ACCEPT

config rule
    option src vpn
    option proto icmp
    option icmp_type echo-request
    option target ACCEPT

config 'rule'
    option 'src' 'vpn'
    option 'proto' 'tcp'
    option 'dest_port' '22'
    option 'target' 'ACCEPT'

config rule
    option src lan
    option proto icmp
    option icmp_type echo-request
    option target ACCEPT

config rule
    option src wan
    option proto icmp
    option icmp_type echo-request
    option target ACCEPT

# include a file with users custom iptables rules
config include
    option path /etc/firewall.user

*** /etc/firewall.user ***

root@netgear:/etc/config# cat /etc/firewall.user 
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun+ -j ACCEPT
# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT
root@netgear:/etc/config#


*** WIRELESS ***

root@netgear:/etc/config# cat wireless

config 'wifi-device' 'radio0'
    option 'country' 'BE'
    option 'type' 'mac80211'
    option 'channel' '5'
    option 'macaddr' 'c0:3f:0e:78:37:15'
    option 'hwmode' '11ng'
    option 'htmode' 'HT20'
    list 'ht_capab' 'SHORT-GI-40'
    list 'ht_capab' 'DSSS_CCK-40'
    option 'disabled' '0'

config 'wifi-iface'
    option 'device' 'radio0'
    option 'ssid' 'BIC762'
    option 'network' 'lan'
    option 'mode' 'ap'
    option 'encryption' 'psk2'
    option 'key' 'XXXXXXXXXXXXX'

config 'wifi-device' 'radio1'
    option 'country' 'BE'
    option 'type' 'mac80211'
    option 'channel' '36'
    option 'macaddr' 'c0:3f:0e:78:37:17'
    option 'hwmode' '11na'
    option 'htmode' 'HT20'
    list 'ht_capab' 'SHORT-GI-40'
    list 'ht_capab' 'DSSS_CCK-40'
    option 'disabled' '1'

config 'wifi-iface'
    option 'device' 'radio1'
    option 'network' 'lan'
    option 'mode' 'ap'
    option 'ssid' 'Netgear11n'
    option 'encryption' 'psk2'
    option 'key' 'XXXXXXXXXXXXXX'


*** OUTPUT of "ifconfig -a" ***

root@netgear:/etc/config# ifconfig -a
br-lan    Link encap:Ethernet  HWaddr C0:3F:0E:78:37:15 
          inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2100 errors:0 dropped:0 overruns:0 frame:0
          TX packets:876 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:200621 (195.9 KiB)  TX bytes:277280 (270.7 KiB)

eth0      Link encap:Ethernet  HWaddr C0:3F:0E:78:37:15 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1046 errors:0 dropped:0 overruns:0 frame:0
          TX packets:984 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:174064 (169.9 KiB)  TX bytes:157228 (153.5 KiB)
          Interrupt:4

eth0.1    Link encap:Ethernet  HWaddr C0:3F:0E:78:37:15 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:509 errors:0 dropped:0 overruns:0 frame:0
          TX packets:751 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:46108 (45.0 KiB)  TX bytes:115149 (112.4 KiB)

eth0.2    Link encap:Ethernet  HWaddr C0:3F:0E:78:37:15 
          inet addr:192.168.22.1  Bcast:192.168.22.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:484 errors:0 dropped:0 overruns:0 frame:0
          TX packets:231 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:96260 (94.0 KiB)  TX bytes:40994 (40.0 KiB)

eth1      Link encap:Ethernet  HWaddr C0:3F:0E:78:37:16 
          inet addr:192.168.33.254  Bcast:192.168.33.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1555 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2180 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:459271 (448.5 KiB)  TX bytes:281334 (274.7 KiB)
          Interrupt:5

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:155 errors:0 dropped:0 overruns:0 frame:0
          TX packets:155 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:12840 (12.5 KiB)  TX bytes:12840 (12.5 KiB)

mon.wlan0 Link encap:UNSPEC  HWaddr C0-3F-0E-78-37-15-00-00-00-00-00-00-00-00-00-00 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:726 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:63675 (62.1 KiB)  TX bytes:0 (0.0 B)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet addr:10.18.0.1  P-t-P:10.18.0.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:45 errors:0 dropped:0 overruns:0 frame:0
          TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:5751 (5.6 KiB)  TX bytes:2507 (2.4 KiB)

wlan0     Link encap:Ethernet  HWaddr C0:3F:0E:78:37:15 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1995 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1255 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:219462 (214.3 KiB)  TX bytes:325354 (317.7 KiB)

root@netgear:/etc/config#

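As an added example (not part of the original post), the following POSIX shell check reads a "netstat -rn" dump and classifies the tun0 subnet route the way the two tables in the post differ: a /24 pointing at the peer address through a host route (the state right after boot) versus a /24 attached directly to tun0 (the state after the network restart). The sample tables are copied from the post; the function name vpn_route_state is my own choice.

```shell
#!/bin/sh
# Added example: classify the tun0 subnet route from a "netstat -rn" dump.
# Prints "direct"      when the VPN subnet is attached straight to the interface
#                      (the working state after /etc/init.d/network restart),
#        "via-gateway" when it points at a peer address through a host route
#                      (the state seen right after boot in the post above), or
#        "missing"     when no matching subnet route exists.

# Routing tables copied from the post: the boot-time table and the one
# observed after the network restart.
BOOT_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.18.0.2       0.0.0.0         255.255.255.255 UH        0 0          0 tun0
10.18.0.0       10.18.0.2       255.255.255.0   UG        0 0          0 tun0
192.168.22.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0.2
0.0.0.0         192.168.33.1    0.0.0.0         UG        0 0          0 eth1'

RESTART_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.18.0.0       0.0.0.0         255.255.255.0   U         0 0          0 tun0
192.168.22.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0.2
0.0.0.0         192.168.33.1    0.0.0.0         UG        0 0          0 eth1'

# vpn_route_state TABLE NETWORK NETMASK IFACE
# TABLE is the text of "netstat -rn"; the other arguments name the route to
# look for (here: the OpenVPN "server" subnet on tun0).
vpn_route_state() {
    printf '%s\n' "$1" | awk -v net="$2" -v mask="$3" -v dev="$4" '
        # Skip the two header lines and only look at rows for the wanted device.
        NR > 2 && $1 == net && $3 == mask && $NF == dev {
            # Column 4 holds the flags; G marks a route that goes via a gateway.
            if ($4 ~ /G/) print "via-gateway"; else print "direct"
            found = 1
            exit
        }
        END { if (!found) print "missing" }'
}

# Stand-alone run: compare the two tables from the post and, when run on the
# router itself, the live table.
main() {
    echo "boot table:    $(vpn_route_state "$BOOT_TABLE" 10.18.0.0 255.255.255.0 tun0)"
    echo "restart table: $(vpn_route_state "$RESTART_TABLE" 10.18.0.0 255.255.255.0 tun0)"
    if command -v netstat >/dev/null 2>&1; then
        echo "live table:    $(vpn_route_state "$(netstat -rn 2>/dev/null)" 10.18.0.0 255.255.255.0 tun0)"
    fi
}

main "$@"
```

On the router, a "via-gateway" result for the live table corresponds to the broken state described in the post, where the poster's manual route del/route add sequence (or a network restart) brings the route back to "direct".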
Re: Openvpn routing issue with Backfire on Netgear WNDR3700

You need this fix: https://dev.openwrt.org/changeset/21641

Re: Openvpn routing issue with Backfire on Netgear WNDR3700

Thanks jow,
indeed, this solved the issue.

Cool... OpenWrt rocks !!

Many thanks

4 (edited by tintiifax 2010-09-06 10:50:32)

Re: Openvpn routing issue with Backfire on Netgear WNDR3700

I have the same problem, but I don't know how to solve the problem with the link.

Maybe someone can help me?

I have Backfire 10.03.

Re: Openvpn routing issue with Backfire on Netgear WNDR3700

The link jow is referring to is the place where you can find the patch to solve this issue.
  (https://dev.openwrt.org/changeset/21641)

This page provides you with the new version of the file 'trunk/package/base-files/files/etc/hotplug2-common.rules' and the changes (in red) since release 20785 of the file.  When displayed in the unified diff format you see the patch file itself.

To know more about the version control used here, have a look at 'subversion' documentation.

Patches are applied to the source code and obviously require you to compile the code again.  I hope you are familiar with 'buildroot', otherwise look for documentation on how to set up buildroot on the openwrt wiki pages.

To know how to apply the patch, you are best off with the man page of the patch command (which is very simple).

Hope this helps you further...