Hi,
I set up a tun-based OpenVPN server/client connection between two routers (running OpenWrt/LEDE). The server-side LAN is on subnet 192.168.1.1/24 and the client-side LAN is on subnet 192.168.3.1/24. I am able to ping the server's LAN (all devices) from the client network, but not vice versa. I already made a ccd file to tell the OpenVPN server that the 192.168.3.1/24 subnet is on "Client3" (currently no client1 or client2 in use).
This made me able to ping the client router (192.168.3.1), but trying to ping other LAN members in 192.168.3.1/24 gets me stuck in the tunnel.
I am using mwan3 to forward all traffic from the server with destination 192.168.3.1/24 over tun0.
On the client I have an mwan3 rule as well, making destinations in 192.168.1.1/24 use tun0.
I feel like I am missing the last piece.
Two traceroutes from a LAN PC on the server subnet to the VPN client subnet indicate the problem:
traceroute 192.168.3.1
traceroute to 192.168.3.1 (192.168.3.1), 64 hops max, 52 byte packets
    1  lede (192.168.1.1)      7.034 ms  0.759 ms  0.712 ms
    2  192.168.3.1 (192.168.3.1)  2.653 ms  2.235 ms  3.562 ms

traceroute 192.168.3.110
traceroute to 192.168.3.110 (192.168.3.110), 64 hops max, 52 byte packets
    1  lede (192.168.1.1)      5.638 ms  0.829 ms  0.774 ms
    2  10.8.0.6 (10.8.0.6)     14.173 ms  2.029 ms  1.840 ms
    3  10.8.0.6 (10.8.0.6)     3149.064 ms !H  3071.258 ms !H  3071.644 ms !H
Server:
cat /etc/config/openvpn
config openvpn 'vpnTUN'
    option enabled '1'
    option verb '3'
    option port '1194'
    option proto 'udp'
    option dev 'tun'
    option server '10.8.0.0 255.255.255.0'
    option keepalive '10 120'
    option ca '/etc/openvpn/ca.crt'
    option cert '/etc/openvpn/my-server.crt'
    option key '/etc/openvpn/my-server.key'
    option dh '/etc/openvpn/dh2048.pem'
    option client_to_client '1'
    option log 'openvpn.log'
    list 'route' '192.168.3.0 255.255.255.0'
    list 'push' 'route 192.168.1.0 255.255.255.0'
    list 'push' 'route 192.168.3.0 255.255.255.0'
    option client_config_dir '/etc/openvpn/ccd'
cat /etc/openvpn/ccd/client3
iroute 192.168.3.0 255.255.255.0
cat /etc/config/network
...
config interface 'lan'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option _orig_ifname 'eth1 wlan0 wlan1 wlan1-1'
    option _orig_bridge 'true'
    option ifname 'eth1'

config interface 'vpn0'
    option proto 'none'
    option ifname 'tun0'
...
cat /etc/config/firewall
...
config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'

config rule 'Allow_OpenVPN_Inbound'
    option target 'ACCEPT'
    option src '*'
    option proto 'udp'
    option dest_port '1194'

config zone 'vpn'
    option name 'vpn'
    option network 'vpn0'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option masq '1'

config forwarding 'vpn_forwarding_lan_in'
    option src 'vpn'
    option dest 'lan'

config forwarding 'vpn_forwarding_lan_out'
    option src 'lan'
    option dest 'vpn'
cat /etc/config/mwan3
config rule 'wg_route'
    option proto 'all'
    option sticky '0'
    option use_policy 'tap0_only'
    option dest_ip '192.168.3.0/24'

config rule 'default_rule'
    option dest_ip '0.0.0.0/0'
    option proto 'all'
    option sticky '0'
    option use_policy 'wan_only'

config policy 'wan_only'
    list use_member 'wan1'

config member 'wan1'
    option interface 'wan'

config interface 'wan'
    option enabled '1'

config interface 'vpn0'
    option enabled '1'

config member 'tap01'   # that's just the old name from when I used tap
    option interface 'vpn0'

config policy 'tap0_only'   # that's just the old name from when I used tap
    list use_member 'tap01'
    option last_resort 'unreachable'
Client:
cat /etc/config/openvpn
config openvpn 'vpnTUN'
    option enabled '1'
    option dev 'tun'
    option proto 'udp'
    option ca '/etc/openvpn/ca.crt'
    option cert '/etc/openvpn/my-client-3.crt'   # has common name client3
    option key '/etc/openvpn/my-client-3.key'
    option client '1'
    option remote_cert_tls 'server'
    option remote '130.xx.x.x'   # server's public IP
    option port '1194'
    option log 'openvpn.log'
    option verb '3'
    option pull '1'
cat /etc/config/network
...
config interface 'lan'
    option type 'bridge'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option _orig_ifname 'eth1 wlan0 wlan1 wlan1-1'
    option _orig_bridge 'true'
    option ipaddr '192.168.3.1'
    option ifname 'eth1'

config interface 'vpn0'
    option proto 'none'
    option ifname 'tun0'
cat /etc/config/firewall
...
config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'

config zone 'vpn'
    option name 'vpn'
    option network 'vpn0'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option masq '1'

config forwarding 'vpn_forwarding_lan_in'
    option src 'vpn'
    option dest 'lan'

config forwarding 'vpn_forwarding_lan_out'
    option src 'lan'
    option dest 'vpn'

config rule 'Allow_OpenVPN_Inbound'
    option target 'ACCEPT'
    option src '*'
    option proto 'udp'
    option dest_port '1194'
Based on: community.openvpn.net/openvpn/wiki/RoutedLans
(Last edited by Protestallianz on 17 Mar 2017, 11:55)
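The RoutedLans setup the post follows has a few consistency requirements that are easy to get wrong by hand: every `route` on the server needs a matching `iroute` in a ccd file (so OpenVPN can map the subnet to a client session), every `iroute` needs a matching kernel `route` (so the server actually hands those packets to the tunnel), the server must push its own LAN to the clients, and the firewall must forward between the lan and vpn zones in both directions. The script below is an added example written for this page, not part of the post and not an OpenWrt or OpenVPN tool; it parses a subset of the UCI format (config/option/list lines, single-quoted values, `#` comments stripped, which is a simplification) and runs those checks over configs constructed from the post, trimmed to the relevant stanzas. It also reports, as informational, two things a practitioner would want to know about the posted config: the client's own subnet is pushed back to it, and `masq '1'` on the vpn zone hides the real LAN source addresses behind the tun address. Function names, the findings format and the sample texts are this example's own assumptions.

```python
"""Consistency checks for an OpenWrt OpenVPN site-to-site (RoutedLans) setup.

Added example for this page, not an OpenWrt/OpenVPN tool.  Handles a subset of
UCI: 'config TYPE [NAME]', 'option KEY VALUE', 'list KEY VALUE', single-quoted
values, '#' comments outside values (a simplification; UCI itself does not
support trailing comments on option lines).
"""
import ipaddress
import re
from collections import defaultdict

_LINE = re.compile(r"^\s*(config|option|list)\s+'?([^'\s]+)'?(?:\s+'([^']*)'|\s+(\S+))?\s*$")


def parse_uci(text):
    """Return [{'type':..., 'name':..., 'opts': {key: [values]}}] in file order."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparsable UCI line: {raw!r}")
        kind, key, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        if kind == "config":
            sections.append({"type": key, "name": value, "opts": defaultdict(list)})
        else:
            sections[-1]["opts"][key].append(value)
    return sections


def _net(network, netmask):
    # ipaddress accepts dotted netmasks, e.g. 192.168.3.0/255.255.255.0
    return ipaddress.ip_network(f"{network}/{netmask}", strict=False)


def _section(sections, stype):
    return next(s["opts"] for s in sections if s["type"] == stype)


def parse_ccd(ccd_files):
    """{client_name: file_text} -> {subnet: client_name} from 'iroute NET MASK' lines."""
    owners = {}
    for client, text in ccd_files.items():
        for line in text.splitlines():
            parts = line.split("#", 1)[0].split()
            if len(parts) >= 3 and parts[0] == "iroute":
                owners[_net(parts[1], parts[2])] = client
    return owners


def check_routed_lans(server_uci, ccd_files, firewall_uci, server_lan,
                      lan_zone="lan", vpn_zone="vpn"):
    """Return a list of (severity, message); an empty list means no findings."""
    findings = []
    srv = _section(parse_uci(server_uci), "openvpn")
    routes = {_net(*r.split()[:2]) for r in srv["route"]}
    pushed = {_net(*p.split()[1:3]) for p in srv["push"] if p.startswith("route ")}
    owners = parse_ccd(ccd_files)
    server_lan = ipaddress.ip_network(server_lan)

    for net in sorted(routes - owners.keys(), key=str):
        findings.append(("error", f"server route {net} has no ccd iroute: the kernel sends "
                                  f"packets to the tun device but OpenVPN cannot map {net} to a client"))
    for net, client in sorted(owners.items(), key=lambda kv: str(kv[0])):
        if net not in routes:
            findings.append(("error", f"iroute {net} in ccd/{client} has no server 'route': without a "
                                      f"kernel route the server never hands {net} traffic to OpenVPN"))
        if net in pushed:
            # Assumption: on a Linux client the route add for its own connected LAN
            # fails with 'File exists' and is ignored, so this is cosmetic, not a fault.
            findings.append(("info", f"{net} is pushed to every client, including its owner {client}"))
    if server_lan not in pushed:
        findings.append(("error", f"server LAN {server_lan} is not pushed: clients have no route back"))

    fw = parse_uci(firewall_uci)
    fwd = {(s["opts"]["src"][0], s["opts"]["dest"][0]) for s in fw if s["type"] == "forwarding"}
    for src, dst in ((lan_zone, vpn_zone), (vpn_zone, lan_zone)):
        if (src, dst) not in fwd:
            findings.append(("error", f"no firewall forwarding {src} -> {dst}"))
    for s in fw:
        if s["type"] == "zone" and vpn_zone in s["opts"]["name"] and "1" in s["opts"]["masq"]:
            findings.append(("info", f"zone '{vpn_zone}' masquerades: the far side sees the tun "
                                     "address instead of the real LAN host, so per-host rules and "
                                     "logs on the other router lose the original source"))
    return findings


# Constructed sample input: the post's server config, trimmed to the routing stanzas.
SERVER_OPENVPN = """
config openvpn 'vpnTUN'
    option enabled '1'
    option dev 'tun'
    option server '10.8.0.0 255.255.255.0'
    option client_config_dir '/etc/openvpn/ccd'
    list 'route' '192.168.3.0 255.255.255.0'
    list 'push' 'route 192.168.1.0 255.255.255.0'
    list 'push' 'route 192.168.3.0 255.255.255.0'
"""
CCD_CLIENT3 = "iroute 192.168.3.0 255.255.255.0\n"
SERVER_FIREWALL = """
config zone
    option name 'lan'
    option network 'lan'
config zone 'vpn'
    option name 'vpn'
    option network 'vpn0'
    option masq '1'
config forwarding 'vpn_forwarding_lan_in'
    option src 'vpn'
    option dest 'lan'
config forwarding 'vpn_forwarding_lan_out'
    option src 'lan'
    option dest 'vpn'
"""

if __name__ == "__main__":
    for severity, msg in check_routed_lans(SERVER_OPENVPN, {"client3": CCD_CLIENT3},
                                           SERVER_FIREWALL, "192.168.1.0/24"):
        print(f"[{severity}] {msg}")
```

Run as-is, the posted server side produces no errors, only the two informational findings, which is consistent with the traceroute: the packet does reach the client router (10.8.0.6) and the `!H` comes from there, so the remaining problem is on the client router or the target host, not in the server's route/iroute/push wiring. Feeding the same checker a copy of the config with the ccd file removed, or with one of the forwardings deleted, turns the corresponding rule into an error.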