OpenWrt Forum Archive

Topic: How to configure openvpn (route mode) and routing tables?

The content of this topic has been archived on 2 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I'm running openvpn on openwrt white russian RC3 on a WRT54G linksys
router. When I go to a wireless café with my SuSE 10 notebook, I
cannot ping my Windows desktop machine at 10.169.1.8. However, I can
ssh to my router at 10.169.1.2 using openwrt in route mode.

Where can I read about the documentation for the syntax for the
firewall.user file? What distro was openwrt derived from?

Is this syntax with the slashes legal in openwrt's firewall.user?

iptables -A FORWARD -i tun0 -s 10.8.1.0/24 -d 10.66.4.0/24 -j ACCEPT


This (following) FAQ fragment seems to describe me!  Bridging mode works fine.

openvpn FAQ>I've successfully set up OpenVPN and can ping between both OpenVPN
openvpn FAQ>peers, however I cannot reach any of the other machines on the remote
openvpn FAQ>subnet. What's the problem?
openvpn FAQ>
openvpn FAQ>Make sure that the firewall is not filtering the TUN/TAP interface.

How do I do that?  10.169.1.8 is the desktop
machine I cannot ping. I tried adding these lines but they did not fix the problem:

iptables -A FORWARD -i tun0 -s 10.169.6.8 -d 10.169.1.8 -j ACCEPT

# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun+ -j ACCEPT

# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT


openvpn FAQ>
openvpn FAQ>Make sure you have IP forwarding enabled on the server.

Yeah, I checked that with "cat /proc/sys/net/ipv4/ip_forward". It produces a 1.

openvpn FAQ>
openvpn FAQ>If you are using routing (not ethernet bridging), make sure the
openvpn FAQ>clients (or LAN gateway) have a route back to the server for the
openvpn FAQ>packets coming in over the tunnel.

openvpn FAQ>This can be done by: adding a route
openvpn FAQ>in your default gateway for the VPN network IP subnet pointing to the
openvpn FAQ>OpenVPN machine,

Ah hah! This is probably the solution to my problem. What might this
look like? What if the gateway is the VPN server? What do they mean by
"openVPN" machine? Is that my linksys router running openvpn?

openvpn FAQ>adding a route to every client,

What might this look like? Would this be the "add route" command?

openvpn FAQ>or NATing all VPN
openvpn FAQ>traffic to the local address of the OpenVPN machine for network
openvpn FAQ>traffic which leaves the OpenVPN machine for the local net.

What might this look like? I think this would be some iptables
commands in the firewall.user?

openvpn FAQ>
openvpn FAQ>If you are still stumped, use tcpdump, ethereal, or WinDump to
openvpn FAQ>determine where packets are being dropped.
openvpn FAQ>

I guess that enabling the line "client-to-client" in your OpenVPN config file will fix the problem. Have a look at settings from my setup below.   

Internal IP-range 192.168.1.1 /255.255.255.0
OpenVPN IP-range 172.17.2.0 /255.255.255.0

In server.ovpn (your openvpn config file) I have the usual stuff but the following might be of interest to you:
........
# Routed
server 172.17.2.0 255.255.255.0

# Push route to client (might give you problems at an internet cafe with range 192.168.1.0 /255.255.255.0?? never tried, don't know)
push "route 192.168.1.0 255.255.255.0"

# WINS (only applicable if you have samba running and configured as WINS on the router)
push "dhcp-option WINS 192.168.1.1"

# Allow traffic from one client to other clients on the VPN (probably you don't have this configured!)
# Uncomment this directive to allow different clients to be able to "see" each other.
# By default, clients will only see the server!!!
client-to-client
........

I added the following lines to firewall.user:
.......
# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun+ -j ACCEPT
# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT
.......

In this way I can reach all systems on my local network and/or connected through OpenVPN. I never tried Samba client-to-client with two OpenVPN connected systems as this is not a very often occurring scenario in my setup.

500gx: Thanks but that (adding the client-to-client) did not help. I'm not using the WINS feature. Should I be?

Anybody have any other ideas?

Don't I have to do a "add route" on the clients so the ping (and all other packets) know how to get back to their sender?

Thanks,
Siegfried

I have a notebook computer at a wireless café that can connect to my openwrt router on my home network and see my desktop computer in bridging mode.
Because I was running in bridging mode, I don't need to run openvpn on my desktop computer.

Now I need to run openvpn in routing mode (as I described above). Is the reason I cannot ping anyone else on my home office LAN (from the notebook at the wireless cafe) because I am not running the openvpn client anywhere except the router and the notebook computer?

Thanks,
Siegfried

siegfried wrote:

500gx: Thanks but that (adding the client-to-client) did not help. I'm not using the WINS feature. Should I be?

Anybody have any other ideas?

Don't I have to do a "add route" on the clients so the ping (and all other packets) know how to get back to their sender?

Thanks,
Siegfried

Forget the WINS option if you are not using Samba (Windows file sharing); it won't be of any help.
The option push "route 192.168.1.0 255.255.255.0" takes care of adding a route from the clients to the subnet. Did you add that as well?

(Last edited by 500gx on 14 Aug 2006, 17:32)

Yes but in the documentation (openvpn FAQ) it says I have to add something (firewall command or "route add" on the windows desktop machine) to show the ping (for example) packet how to get back to its origin (the notebook at the wireless cafe).

This could explain why I am not seeing anything.

Problem solved. Both the pool and the server and the push route command must specify the same subnet outside the subnet of your LAN. The reason you can get to it is because of the "route add" command. This seems very strange to me but it works!
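A script that checks the point just reached (the VPN pool must not overlap the LAN) and prints firewall.user rules scoped to the VPN pool rather than the blanket "-i tun+ -j ACCEPT" rules quoted earlier, including the FAQ's NAT alternative to adding a route on every LAN host. This is an added example, not code from the thread; the subnets are the ones 500gx posted, while the interface name tun0 and the NAT switch are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread: check a routed OpenVPN setup on an
# OpenWrt router and print firewall.user rules for it. Subnets are the ones
# posted above; the interface name tun0 and the NAT switch are assumptions.
LAN_NET=192.168.1.0/24
VPN_NET=172.17.2.0/24
VPN_IF=tun0

# Dotted quad -> 32-bit integer using only shell arithmetic.
ip2int() {
    set -- $(printf '%s\n' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print 1 if two CIDR networks overlap, else 0. The thread's conclusion: the
# "server" pool must lie outside the LAN subnet, or routes are ambiguous.
cidr_overlap() {
    n1=$(ip2int "${1%/*}"); p1=${1#*/}
    n2=$(ip2int "${2%/*}"); p2=${2#*/}
    p=$p1; [ "$p2" -lt "$p" ] && p=$p2          # compare under the shorter prefix
    mask=$(( (0xffffffff << (32 - p)) & 0xffffffff ))
    [ $(( n1 & mask )) -eq $(( n2 & mask )) ] && echo 1 || echo 0
}

# Rules scoped to the VPN pool and LAN, instead of the blanket "-i tun+ -j ACCEPT"
# above. With NAT=1 the FAQ's third option is added: VPN traffic is masqueraded
# to the router's LAN address, so LAN hosts need no route back to the pool.
emit_rules() {
    if [ "$(cidr_overlap "$LAN_NET" "$VPN_NET")" -eq 1 ]; then
        echo "error: VPN pool $VPN_NET overlaps LAN $LAN_NET" >&2
        return 1
    fi
    echo "iptables -A INPUT -i $VPN_IF -s $VPN_NET -j ACCEPT"
    echo "iptables -A FORWARD -i $VPN_IF -s $VPN_NET -d $LAN_NET -j ACCEPT"
    echo "iptables -A FORWARD -o $VPN_IF -d $VPN_NET -m state --state ESTABLISHED,RELATED -j ACCEPT"
    if [ "${NAT:-0}" -eq 1 ]; then
        echo "iptables -t nat -A POSTROUTING -s $VPN_NET -d $LAN_NET -j MASQUERADE"
    fi
}

emit_rules   # print the rules; pipe into sh to apply, or paste into /etc/firewall.user
```

Without NAT=1 the LAN hosts (or the LAN gateway, if the router is not already the gateway) still need a route for the pool pointing at the router, which is the "route add" step the FAQ describes.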

I'd like to install an openvpn client on the router and use it only for outgoing (not incoming) ssh and irc traffic. How does one implement such a setting? All the documents in the wiki describe the openvpn as a server in openwrt.

Edit: Well. There was one, but it was something about Cisco VPN. And I really want to use WAN access as a default, so VPN only for ssh and irc. I don't mind sharing the VPN access for the whole Access Point.

(Last edited by solarflare on 18 Aug 2006, 17:23)

Maybe you could elaborate a bit on what you're trying to achieve. I have completely no clue. To what server are you going to connect your router/client? And after connecting your client, you want to tunnel ssh and irc traffic from your router over this VPN to this other server? You do understand you need some kind of remote endpoint also running OpenVPN?

The OpenVPN package in OpenWRT will give you BOTH the client and the server. Actually only the configuration file determines how the package is going to behave. You could even have a client and server running alongside each other using a different port. One in client mode connecting to your office network and the other in server mode waiting for you to connect as a client with your laptop from the internet cafe.

To install the package just type:
ipkg install openvpn

And then give the package a try with the configuration files on OpenVPN.org

Server: http://openvpn.net/howto.html#server
Client: http://openvpn.net/howto.html#client

Needless to say you also need a remote endpoint running the opposite OpenVPN mode.

Do you want to connect two dynamic ip addresses? Have a look at http://openvpn.net/faq.html#dynamic-address for fixing this.

(Last edited by 500gx on 18 Aug 2006, 17:55)

500gx wrote:

Maybe you could elaborate a bit on what you're trying to achieve. I have completely no clue. To what server are you going to connect your router/client? And after connecting your client, you want to tunnel ssh and irc traffic from your router over this VPN to this other server?

The other side is the University openvpn 2.0 server, which of course has a fixed public address. Now I'm running the VPN connection directly on my PowerBook with Tunnelblick, but that's not nice since I really don't want to route all the traffic via the University.

The configuration which works anyway looks like this on Mac OS X:

verb 3
mlock

mtu-test
ping 60
ping-exit 180
ping-timer-rem

dev tap
client
remote public.static.foo
nobind
redirect-gateway def1

auth-user-pass

ca liteca.crt

comp-lzo

Basically I'd like to show the VPN address the University happens to assign each time on connect, instead of my ADSL dynamic public IP address at home. There are also a couple of [science library] WWW destinations which would benefit from being accessed via the VPN connection.

So:

       => ssh port 22
Router => smtp port 25
       => irc port 6667

and http access to ACM, IEEE Xplore, LNCS/LNAI (Springer-Verlag) and IFIP would make a perfect combination via the established VPN connection.

Now I completely get what you are trying to achieve.

Your current option "redirect-gateway def1" takes care of routing all your traffic over the gateway. You probably need to remove this option and replace it by a different option; I am thinking of the options "route", "route-gateway" etc.
In addition I think you are going to have to create a static tap device on your router and create some custom routing using iptables to do the forwarding of only the ports 22, 25 and 6667.
To go through the VPN for only certain websites/DNS names you will have to do some additional wizardry using a transparent proxy. But all this is getting pretty advanced and I can't really help you out here. For the proxy you could have a look at one of the packages, tinyproxy, privoxy or squid.

One might just write the rules for these destination addresses:

63.118.7.200
63.118.7.207
140.98.193.112
140.234.29.12
193.170.71.25

So no need to go the transparent proxy route, I think. Thanks for pointing out the possible redirect-gateway def1 problem line. Time to read the documentation.
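One way to do the selective forwarding 500gx describes, as an added example that is not from the thread: mark packets for the three ports and the five destination addresses listed above and send only those through the tunnel via a second routing table. It assumes iproute2 (the ip package) on the router, that the client config has dropped "redirect-gateway def1" and carries "route-nopull" so pushed routes are ignored, and placeholder values for the tap interface name, the tunnel gateway, the table number and the mark.

```sh
#!/bin/sh
# Added example, not code from the thread: route only the listed ports and hosts
# through an OpenVPN client tunnel while the WAN stays the default route.
# Assumptions: the tunnel is tap0 with gateway VPN_GW pushed by the server
# (placeholder value), the client config drops "redirect-gateway def1" and
# carries "route-nopull", and table 100 / mark 1 are free on the router.
VPN_IF=tap0
VPN_GW=10.8.0.1            # placeholder for the route-gateway the server pushes
TABLE=100
MARK=1
PORTS="22 25 6667"         # ssh, smtp, irc as listed above
HOSTS="63.118.7.200 63.118.7.207 140.98.193.112 140.234.29.12 193.170.71.25"

# Print the commands; run "policy_rules | sh" on the router to apply them.
policy_rules() {
    # Mark forwarded (PREROUTING) and router-originated (OUTPUT) packets that
    # match a port or a destination host, instead of redirecting everything.
    for chain in PREROUTING OUTPUT; do
        for p in $PORTS; do
            echo "iptables -t mangle -A $chain -p tcp --dport $p -j MARK --set-mark $MARK"
        done
        for h in $HOSTS; do
            echo "iptables -t mangle -A $chain -d $h -j MARK --set-mark $MARK"
        done
    done
    # Marked packets use a second routing table whose default route is the tunnel.
    echo "ip rule add fwmark $MARK table $TABLE"
    echo "ip route add default via $VPN_GW dev $VPN_IF table $TABLE"
    # Source NAT so the remote end sees the tunnel address and replies come back
    # over the tunnel rather than to the ADSL address.
    echo "iptables -t nat -A POSTROUTING -o $VPN_IF -j MASQUERADE"
    # Replies arrive on the tunnel although the main table would not route the
    # peer there; loosen reverse-path filtering on the tunnel so they are kept.
    echo "echo 0 > /proc/sys/net/ipv4/conf/$VPN_IF/rp_filter"
}

# Number of commands generated for the values above (sanity check before applying).
policy_rule_count() { policy_rules | grep -c ''; }
```

Everything not marked keeps using the WAN default route, so the ADSL address is still shown for all other traffic.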
