OpenWrt Forum Archive

Topic: OpenVPN configuration on two routers (server, client)

The content of this topic has been archived on 6 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello everyone!

Please help me to solve this issue.

I'm on my third day of configuring routers to establish a link between two offices. I'm trying to avoid installing an OpenVPN client on each computer / server. Instead I'm using OpenWRT routers to create the tunnel (or bridge) so that all LAN traffic can be exchanged between the sites as if they were connected to one big switch.

The setup should be similar to this:

[i67.tinypic.com/2v3qw05.jpg] - (I couldn't insert image here, 0 allowed links?)

On Windows, it went very easily. But on OpenWrt I'm having difficulties.

I couldn't configure it using the manuals on the forum.

I have already installed both firmware and necessary packages on two routers, generated certificates.

But I'm stuck on the configuration (interface, firewall, OpenVPN configuration).

I will be thankful for your recommendations or even full guidance.

Have a nice day!

Routed connections can get very difficult when trying to tie Windows together.

Use TAP, and assign the devices on the other side of the bridge their own block of DHCP addresses. You can have OpenVPN do this. With TAP, the tunnel becomes "invisible" to the individual machines and broadcasts and such will work.

I will be thankful if you give me some guidance to solve this. I'm a novice in OpenWrt configuration (I'm using it for adblock and an OpenVPN server with multiple clients). However, as I understand it, for this situation I have to set up a new interface (tap) with unmanaged firewall rules. Am I right? Really, you would be doing a great job if you help me.

marceckos, start from official manual https://wiki.openwrt.org/doc/howto/vpn.openvpn
Begin from configuring OpenWRT-router as server, and usual PC as client.
After that configure OpenWRT-router as client.

ulmwind, I did this several times. There is a stable VPN connection between the server on the router and clients from different locations (LAN, Wi-Fi, two computers in my office, friends); they see each other on the LAN and have full interaction. I think the issue is about the interface and firewall. I cannot configure the interfaces, firewall and server configuration to make two routers connect into one network where everyone has their own private subnet, and the subnets can see each other as if they were connected to one big switch.

marceckos, you want to connect two subnets of the same network? The normal configuration is to connect two different subnets. On your picture there are different subnets - X and Y. So you've configured the server, and you can connect to it from a device running the client. Now you want to connect from a router running the client?

Exactly. What is more, I want the machines behind the server side to be able to see and exchange files over the LAN with the machines behind the client side, and vice versa.

Maybe my configs will help you:

On OpenVPN server
/etc/config/openvpn
-----------------------------
config openvpn 'VPNserver'
        option dev 'tun0'
        option comp_lzo 'yes'
        option keepalive '10 120'
        option server '10.0.100.0 255.255.255.0'
        option ifconfig '10.0.100.1 10.0.100.2'
        list push 'route 192.168.100.0 255.255.255.0'
        list push 'dhcp-option DNS 192.168.100.1'
        list route '192.168.104.0 255.255.255.0'
        option ifconfig_pool_persist '/etc/openvpn/ipp.txt'
        option client_config_dir '/etc/openvpn/ccd'
        option client_to_client '1'
        option dh '/etc/openvpn/keys/dh4096.pem'
        option ca '/etc/openvpn/keys/ca.crt'
        option cert '/etc/openvpn/keys/gw1.crt'
        option key '/etc/openvpn/keys/gw1.key'
        option tls_auth '/etc/openvpn/keys/ta.key 1'
        option log '/tmp/openvpn.log'
        option status '/tmp/openvpn-status.log'
        option verb '1'
        option proto 'udp'
        option port '1194'
        option enabled '1'
----------------------------------
On OpenVPN client
/etc/config/openvpn
-----------------------------
config openvpn 'VPNclient'
        option nobind '1'
        option float '1'
        option dev 'tun0'
        option proto 'udp'
        option persist_tun '1'
        option persist_key '1'
        option ca '/etc/openvpn/keys/ca.crt'
        option cert '/etc/openvpn/keys/gw2.crt'
        option key '/etc/openvpn/keys/gw2.key'
        option tls_auth '/etc/openvpn/keys/ta.key 0'
        option client '1'
        option remote_cert_tls 'server'
        option log '/tmp/openvpn.log'
        option status '/tmp/openvpn-status.log'
        option comp_lzo 'yes'
        option reneg_sec '0'
        list push 'dhcp-option DNS 8.8.8.8'
        list push 'dhcp-option DNS 8.8.4.4'
        list push 'dhcp-option NTP 88.147.254.235'
        option verb '1'
        option remote '111.222.333.444 1194' # ip-address your VPN server & port for access
        option enabled '1'
-------------------------------
/etc/openvpn/ipp.txt (on VPN-server)
-------------------------------
gw2,10.0.100.4
--------------------------------
/etc/openvpn/ccd/gw2 (on VPN-server)
--------------------------------
iroute 192.168.104.0 255.255.255.0
--------------------------------
route (any part on VPN server)
--------------------------------
192.168.100.0   *               255.255.255.0   U     0      0        0 br-lan
192.168.104.0   10.0.100.2      255.255.255.0   UG    0      0        0 tun0
--------------------------------
route (any part on VPN client)
--------------------------------
192.168.100.0   10.0.100.5      255.255.255.0   UG    0      0        0 tun0
192.168.104.0   *               255.255.255.0   U     0      0        0 br-lan
--------------------------------
/etc/config/firewall
--------------------------------
config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option name 'vpn'
        option forward 'ACCEPT'
        option network 'vpn0'
        option masq '1'

config forwarding
        option dest 'lan'
        option src 'vpn'

config forwarding
        option dest 'vpn'
        option src 'lan'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option dest_port '1194'
        option name 'Open1194'

nextgo, thank you, bro. I will test these configs and let you know the results.

Hi Nextgo,

I'm having great difficulty deciphering the samples I'm finding on the net.
I would like to try your config, but I would like to understand each line in the configs.

Can you post a schema or explanation of what each IP or range in your config is? What is the LAN IP of the server and what is the LAN IP of the client?

What are each of the following IPs:
        option server '10.0.100.0 255.255.255.0'
        option ifconfig '10.0.100.1 10.0.100.2'
        list push 'route 192.168.100.0 255.255.255.0'
        list push 'dhcp-option DNS 192.168.100.1'
        list route '192.168.104.0 255.255.255.0'

The only IP that I can understand is 111.222.333.444 = Server WAN IP.


What do you mean by:

/etc/openvpn/ccd/gw2 (on VPN-server)
--------------------------------
iroute 192.168.104.0 255.255.255.0
--------------------------------
route (any part on VPN server) ---> is this part of file /etc/openvpn/ccd/gw2?
--------------------------------
192.168.100.0   *               255.255.255.0   U     0      0        0 br-lan
192.168.104.0   10.0.100.2      255.255.255.0   UG    0      0        0 tun0
--------------------------------
route (any part on VPN client) ---> is this part of file /etc/openvpn/ccd/gw2?
--------------------------------
192.168.100.0   10.0.100.5      255.255.255.0   UG    0      0        0 tun0
192.168.104.0   *               255.255.255.0   U     0      0        0 br-lan

Thank you in advance.

Best regards,
Eduardo

(Last edited by carliedu on 2 Aug 2017, 20:08)
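The questions above come down to which address block plays which role in nextgo's configs: the `server` line is the tunnel network, the pushed `route` is the LAN behind the server, and the `iroute` in the ccd file (mirrored by `list route` on the server) is the LAN behind the client. The following checker is an added example, not code from this thread or from OpenWrt: it parses the two UCI openvpn stanzas and the ccd entry (constructed inline from the posts above, trimmed to the address-related lines), names the three blocks, and reports the mismatches that most often break a routed site-to-site pair. The function names and the constructed inputs are the example's own assumptions.

```python
"""Consistency check for a routed OpenVPN site-to-site pair on OpenWrt.

Added example for this thread (not nextgo's or OpenWrt's code): it parses the
two UCI openvpn stanzas and the server's ccd entry, works out which address
block plays which role, and reports mismatches.  Input is constructed inline
from the configs posted in the thread, trimmed to the address-related lines."""
import ipaddress
import re

# Constructed inline from the posted server stanza (address-related lines only).
SERVER_UCI = """
config openvpn 'VPNserver'
        option dev 'tun0'
        option server '10.0.100.0 255.255.255.0'
        list push 'route 192.168.100.0 255.255.255.0'
        list push 'dhcp-option DNS 192.168.100.1'
        list route '192.168.104.0 255.255.255.0'
        option client_config_dir '/etc/openvpn/ccd'
        option tls_auth '/etc/openvpn/keys/ta.key 1'
"""

# Constructed inline from the posted client stanza (address-related lines only).
CLIENT_UCI = """
config openvpn 'VPNclient'
        option dev 'tun0'
        option client '1'
        option tls_auth '/etc/openvpn/keys/ta.key 0'
        list push 'dhcp-option DNS 8.8.8.8'
        option remote '111.222.333.444 1194'
"""

# Constructed inline from /etc/openvpn/ccd/gw2 on the server.
CCD_GW2 = "iroute 192.168.104.0 255.255.255.0\n"

_UCI_LINE = re.compile(r"^\s*(option|list)\s+(\S+)\s+'([^']*)'\s*$")


def parse_uci(text):
    """Collect the option/list lines of one UCI stanza into {key: [values]}."""
    opts = {}
    for line in text.splitlines():
        m = _UCI_LINE.match(line)
        if m:
            opts.setdefault(m.group(2), []).append(m.group(3))
    return opts


def to_net(spec):
    """Turn OpenVPN's 'network netmask' notation into an IPv4Network."""
    addr, mask = spec.split()
    return ipaddress.IPv4Network(f"{addr}/{mask}")


def address_plan(server_uci, ccd_text):
    """Name the address blocks: tunnel, server-side LAN, client-side LAN, kernel routes."""
    s = parse_uci(server_uci)
    return {
        "tunnel": to_net(s["server"][0]),
        "server_lan": [to_net(v.split(" ", 1)[1])
                       for v in s.get("push", []) if v.startswith("route ")],
        "client_lan": [to_net(l.split(None, 1)[1])
                       for l in ccd_text.splitlines() if l.startswith("iroute ")],
        "kernel_routes": [to_net(v) for v in s.get("route", [])],
    }


def lint(server_uci, client_uci, ccd_text):
    """Return a list of problems; an empty list means the address plan is consistent."""
    s, c = parse_uci(server_uci), parse_uci(client_uci)
    plan = address_plan(server_uci, ccd_text)
    problems = []
    # 1. Each subnet the server routes into tun0 must be claimed by an iroute,
    #    otherwise OpenVPN does not know which client owns it (and vice versa).
    for r in plan["kernel_routes"]:
        if r not in plan["client_lan"]:
            problems.append(f"server route {r} has no matching iroute in ccd")
    for r in plan["client_lan"]:
        if r not in plan["kernel_routes"]:
            problems.append(f"ccd iroute {r} has no matching 'list route' on the server")
    # 2. Tunnel and both LANs must not overlap, or traffic never leaves the local segment.
    named = [("tunnel", plan["tunnel"])]
    named += [("server LAN", n) for n in plan["server_lan"]]
    named += [("client LAN", n) for n in plan["client_lan"]]
    for i, (na, a) in enumerate(named):
        for nb, b in named[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{na} {a} overlaps {nb} {b}")
    # 3. tls-auth key direction must be 1 on one end and 0 on the other.
    dirs = {s["tls_auth"][0].split()[-1], c["tls_auth"][0].split()[-1]}
    if dirs != {"0", "1"}:
        problems.append(f"tls_auth key directions {sorted(dirs)} are not complementary")
    # 4. Both ends must use the same device type (tun vs tap).
    if s["dev"][0][:3] != c["dev"][0][:3]:
        problems.append("server and client dev types differ")
    # 5. 'push' is a server-side directive; in a client stanza it is out of place.
    if "push" in c:
        problems.append("client stanza contains 'push' lines, which only a server uses")
    return problems


if __name__ == "__main__":
    for p in lint(SERVER_UCI, CLIENT_UCI, CCD_GW2) or ["address plan is consistent"]:
        print(p)
```

Run against the posted configs, the only finding is the `push` lines in the client stanza; the routes, iroute and tls-auth directions line up. Changing the ccd entry to a subnet the server does not route makes both halves of check 1 fire, which is the usual symptom when the client LAN is reachable from the router but not from hosts behind the server.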

The discussion might have continued from here.