
Request: Help on site-to-site OpenVPN


Newman Jones

Hi everyone,

I have spent the past week going through the archives looking for an answer before posting my question.

I have 2 Asus ac-68u routers that I want to connect via VPN. The server (192.168.3.1 int. IP) and the client (192.168.11.1 int. IP).

I have configured the OpenVPN server and client and see that they connect, but of course I cannot ping any 192.168.3.x address from a machine on the 192.168.11.x network. I assume this is because there is no static route defined between them.

How is this done? Can someone provide a step-by-step here? I have seen the client option that says "Server is on the same subnet", and when I check NO, it says "Warning: Cannot bridge distinct subnets. Will default to routed mode." So, what are the steps needed to ensure that there is a route between these two subnets once the OpenVPN connection is made?

Yeah, I am sure it must be something simple. Please be kind, I am just learning :)
 
Yes, this can all be done with OpenVPN, but might I suggest that you look at tinc instead? It is pretty easy to connect 2 or many sites, and it's pretty easy on resources.

If you really want to do this with OpenVPN, then you'll need to set up routing between the two sites. I did find this for OpenVPN and DD-WRT.
http://www.smallnetbuilder.com/othe...et-up-a-site-to-site-vpn-with-openvpn?start=1

If you want to try tinc, reply back and I can give you some info.
 
Thanks for your responses. I have tried to apply principles from other solutions, but they don't all match up. For example, I am using TAP, not TUN. And the examples from DD-WRT don't match the ASUS Merlin firmware.

More details:
See the server screenshots. This is the config of the OpenVPN server at 192.168.3.1. The custom config box - is this where routes are specified? Or in the LAN route section? And since I am using TAP, there is no subnet (i.e., 10.x.x.x) DHCP for the VPN like the one shown in the DD-WRT example above.

It seems like there should be a really easy, straightforward example of how to establish a site-to-site TAP OpenVPN connection between two Merlin ASUS routers that are on different subnets. The routing issue is what I cannot figure out.

My first preference would be to get this working using the OpenVPN capabilities of the routers.

In the meantime: tinc? I have not heard of it. While I am running site-to-site, I do have clients that VPN in to one of the servers as well. Is that supported by tinc? Send me info - at this point I will take anything :)
 

Attachments: server.jpg, server2.jpg
Is there a reason you want to use TAP? The point of TAP is to bridge networks on the same subnet so that things like broadcast traffic are sent over the VPN. Do you really need this?

If you are going to use TAP with a site-to-site on different subnets, broadcast traffic still won't be sent across the VPN because of the different subnets, yet you are stuck with the complexity of TAP.

With TUN, you would have a VPN subnet and you'd end up NATing across the VPN. It is easier to set up.
 
When I use TUN, my PC OpenVPN client cannot browse the remote network like it can with TAP. That is the reason I am using TAP. Am I missing something obvious here?
 
That is true from a client-to-server perspective, but you aren't trying to do that here. Here, as far as I can tell, you want a site-to-site like this:

PC 1 (192.168.3.101) -> server 1 (192.168.3.1) -> INTERNET <- server 2 ( 192.168.11.1) <- PC 2 (192.168.11.201)

What I am trying to say is that in the above example, PC1 will not be able to broadcast traffic to PC2 because PC1 and PC2 are on different subnets connected via TAP. So the benefit that you are trying to gain by using TAP is diminished because you are trying to bridge two different networks.

Below would accomplish what you wanted with TAP, but notice it is much more complex since you have to worry about having different IPs on the same subnet across the two separate networks (changing all your IPs on that remote subnet and restricting DHCP to specific ranges on either side).

PC 1 (192.168.3.101) -> server 1 (192.168.3.1) -> INTERNET <- server 2 ( 192.168.3.200) <- PC 2 (192.168.3.201)

It would be far easier to skip broadcast traffic and set up a TUN site-to-site and route IP traffic over the TUN VPN instead. You could still access network shares remotely via IP, but you can't "browse" the network like you could if you truly had bridged the networks. Broadcast/multicast traffic won't cross subnets unless a helper is used, like mDNS or something.

This is why OpenVPN is complaining when you try to tell it the client is on the same subnet (Warning: Cannot bridge distinct subnets.)

EDIT: Also, if you do really pursue TAP site-to-site and you do change your IPs on both sides to be on the same subnet, you'll also need to block DHCP from broadcasting over the VPN. :)
 
I ended up just changing my subnets to match and then running TAP. That way I can browse both networks. Not ideal, but I guess it will have to do. Thanks for the help!
 
Careful with things like having DHCP on both networks. Since broadcast is going across sites, site A and site B can pull from either DHCP server and cause the same IP to be handed out to addresses. Site A can receive DHCP from either site A or B unless you block the DHCP traffic across the VPN.
 
Good point. I restricted the range on each so that they wouldn't overlap, but I guess that is not enough. How can you block DHCP across the VPN?
 
Hello, I have 2x ASUS RT-N66U and I am trying to set up an OpenVPN site-to-site link with TUN (routed LANs).

In the attachment you can see the drawing.
Office B (client: PC4, PC5, PC6) can ping the Office A side (server: PC1, PC2, PC3) - everything works fine.
Office A (server: PC1, PC2, PC3) can NOT ping the Office B side (client: PC4, PC5, PC6) - I guess I am missing routes?

I have tried to follow this tutorial http://www.smallnetbuilder.com/other/security/security-howto/30353-how-to-set-up-a-site-to-site-vpn-with-openvpn but it does not apply when the OpenVPN server is also the router (Asus routers, for example).

Attachment: openvpn_site_to_site_link.jpg


I am using Merlin firmware version 378.51
Please help; I would like to create a HOW TO OpenVPN Site-to-Site (TUN - routed LANs) guide, but I have to figure out what I am missing at the moment.

One more piece of info: on a 5 Mbit/sec (no VPN, Internet) link, OpenVPN is using about 35-40% CPU (RT-N66U) with a real throughput of about 4.5 Mbit/sec, which is great. Soon I will get 10 Mbit/sec upload, so I guess it will be able to saturate a 10 Mbit/sec link with a real VPN throughput of about 9 Mbit/sec at about 80% CPU use.

This is decent for small business and home use; if you want to go up to 40 Mbit/sec of OpenVPN throughput, you have to use an RT-AC87U (AC2400) Broadcom BCM4709A0 (1 GHz, 2 cores), because the RT-N66U Broadcom BCM4706 (600 MHz, 1 core) doesn't have enough CPU power.
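An added worked example, not from any post in this thread: the server-side pieces a routed (TUN) OpenVPN site-to-site link needs, which is the setup the earlier reply recommends over TAP and the case the poster above is asking about. It is plain POSIX sh so it can be run on the router over SSH. The VPN subnet 10.8.0.0/24, the client certificate name "office-b" and the output directory are this example's own assumptions, and the route table at the end is a constructed sample, not captured from either router.

```shell
#!/bin/sh
# Added example (not from any post in this thread): the server-side pieces a
# routed (TUN) OpenVPN site-to-site link needs, plus a check for them.
# Assumptions, not taken from the thread: VPN subnet 10.8.0.0/24, the client
# certificate's common name is "office-b", and the directives are written to
# files under a directory of your choice instead of the router GUI.

# write_site_to_site DIR SERVER_LAN CLIENT_LAN CLIENT_CN
# SERVER_LAN and CLIENT_LAN are /24 network addresses, e.g. 192.168.3.0.
write_site_to_site() {
    dir=$1; srv_lan=$2; cli_lan=$3; cn=$4
    mkdir -p "$dir/ccd" || return 1

    # Three directives make traffic flow in BOTH directions:
    #   route       kernel route on the server for the client's LAN, into tun
    #   iroute      tells the OpenVPN daemon which connected client owns that
    #               LAN; without it the kernel sends packets into tun and the
    #               daemon drops them, so server LAN -> client LAN fails while
    #               the opposite direction still works
    #   push route  hands the client a route back to the server's LAN
    cat > "$dir/server.conf" <<EOF
dev tun
server 10.8.0.0 255.255.255.0
route $cli_lan 255.255.255.0
push "route $srv_lan 255.255.255.0"
client-config-dir ccd
EOF
    # Per-client file named after the certificate CN carries the iroute.
    printf 'iroute %s 255.255.255.0\n' "$cli_lan" > "$dir/ccd/$cn"

    # Client side: the route back arrives via push; the static copy only
    # matters if the client ignores pushed routes (route-nopull).
    cat > "$dir/client.conf" <<EOF
client
dev tun
route $srv_lan 255.255.255.0
EOF
}

# check_site_to_site DIR SERVER_LAN CLIENT_LAN CLIENT_CN
# Prints the name of each required server-side directive that is absent,
# one per line; empty output means all three are present.
check_site_to_site() {
    dir=$1; srv_lan=$2; cli_lan=$3; cn=$4
    grep -q "^route $cli_lan 255.255.255.0" "$dir/server.conf" 2>/dev/null \
        || echo route
    grep -q "^push \"route $srv_lan 255.255.255.0\"" "$dir/server.conf" 2>/dev/null \
        || echo push-route
    grep -q "^iroute $cli_lan 255.255.255.0" "$dir/ccd/$cn" 2>/dev/null \
        || echo iroute
    return 0
}

# route_via_tun ROUTE_TABLE NET
# Succeeds if the text of `ip route` (run on the server) contains an entry
# for NET/24 through a tun interface, i.e. the "route" directive took effect.
route_via_tun() {
    printf '%s\n' "$1" | grep -q "^$2/24 .*dev tun"
}

# Constructed sample of `ip route` output on a server like the one at
# 192.168.3.1, with the client LAN correctly routed into tun21.
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0
10.8.0.0/24 dev tun21  proto kernel  scope link  src 10.8.0.1
192.168.11.0/24 via 10.8.0.2 dev tun21
192.168.3.0/24 dev br0  proto kernel  scope link  src 192.168.3.1'

# Stand-alone use:  sh site2site.sh /tmp/s2s 192.168.3.0 192.168.11.0 office-b
if [ $# -eq 4 ]; then
    write_site_to_site "$@" && check_site_to_site "$@"
    route_via_tun "$SAMPLE_ROUTES" "$3" && echo "sample route table: $3/24 is routed into tun"
fi
```

On the router the same lines go into the server's custom configuration box, and the iroute into the per-client file the GUI's client-specific options write; check_site_to_site reports which of route, push route or iroute is still missing, and route_via_tun can be fed the real output of `ip route` on the server to confirm the kernel route exists.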
 
Here is my ifconfig from the CLIENT:

br0 Link encap:Ethernet HWaddr 38:2C:4A:CC:2F:08
inet addr:192.168.11.1 Bcast:192.168.11.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5462510 errors:0 dropped:0 overruns:0 frame:0
TX packets:6895696 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:740400947 (706.1 MiB) TX bytes:8456953437 (7.8 GiB)

eth0 Link encap:Ethernet HWaddr 38:2C:4A:CC:2F:08
inet addr:162.218.218.99 Bcast:162.218.218.127 Mask:255.255.255.224
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:154973125 errors:678 dropped:0 overruns:0 frame:678
TX packets:147075645 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1578813121 (1.4 GiB) TX bytes:304346207 (290.2 MiB)
Interrupt:179 Base address:0x4000

eth1 Link encap:Ethernet HWaddr 38:2C:4A:CC:2F:08
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:920 errors:0 dropped:0 overruns:0 frame:5601160
TX packets:466110 errors:3 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:151109 (147.5 KiB) TX bytes:48412956 (46.1 MiB)
Interrupt:163

eth2 Link encap:Ethernet HWaddr 38:2C:4A:CC:2F:0C
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:2157552
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:169

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
RX packets:1673591 errors:0 dropped:0 overruns:0 frame:0
TX packets:1673591 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:293946115 (280.3 MiB) TX bytes:293946115 (280.3 MiB)

tap12 Link encap:Ethernet HWaddr 56:B3:F7:58:FD:4D
inet addr:192.168.11.15 Bcast:192.168.11.255 Mask:255.255.255.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:377281 errors:0 dropped:0 overruns:0 frame:0
TX packets:972786 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:235791579 (224.8 MiB) TX bytes:141106389 (134.5 MiB)

tap21 Link encap:Ethernet HWaddr F6:A3:CA:56:1E:25
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:824867 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:90610912 (86.4 MiB)

vlan1 Link encap:Ethernet HWaddr 38:2C:4A:CC:2F:08
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:59581673 errors:0 dropped:0 overruns:0 frame:0
TX packets:92157511 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:5680223006 (5.2 GiB) TX bytes:127835064803 (119.0 GiB)

vlan2 Link encap:Ethernet HWaddr 38:2C:4A:CC:2F:08
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)



You mention using this:
iptables -I FORWARD --proto tcp --dport 67:68 -j REJECT
iptables -I FORWARD --proto tcp --sport 67:68 -j REJECT

Plus the destination. Hmmm. I am dense, as I don't see the destination in ifconfig. And I am not sure where the iptables lines go - in the VPN custom configuration section of the client?

The client DHCP is 192.168.11.1 and the server DHCP is 192.168.11.2.
 
OK, here is what I did:

I used SSH to connect to the router and navigated to the /JFFS/scripts folder. I used vi to create a file that looked like the following:

Code:
#!/bin/sh
# Drop DHCP (UDP 67/68) arriving from any tap interface before it reaches
# this router's own DHCP server (bridge INPUT chain)
ebtables -A INPUT --in-interface tap+ --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT --in-interface tap+ --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
# Drop DHCP bridged from the local LAN ports out over any tap interface
# (bridge FORWARD chain)
ebtables -A FORWARD --out-interface tap+ --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap+ --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP

Code:
chmod a+rx /jffs/scripts/*

I think that is working. I need to figure out how to test :)
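An added example, not the poster's script above and not firmware code: the same DHCP block written as a POSIX sh script that can be re-run safely (it rebuilds its own ebtables chains instead of appending) and that also covers the bridge OUTPUT chain, so DHCP offers generated by this router's own DHCP server are stopped before they leave through the tunnel. Note that DHCP is UDP; the iptables lines quoted earlier in the thread use --proto tcp and would never match it. The chain names, the tap+ interface wildcard and the DRY_RUN/EBTABLES environment variables are this example's own conventions; run it with DRY_RUN=1 first to see the exact ebtables commands without touching the bridge.

```shell
#!/bin/sh
# Added example, not the poster's script and not firmware code: block DHCP
# (UDP 67/68) in both directions on every bridged OpenVPN TAP interface, so
# neither LAN can answer the other LAN's DHCP requests. Assumptions: the TAP
# interfaces are named tap* (tap12, tap21 in the ifconfig above), and the
# script is run as root on the router (e.g. from a boot-time hook script).
# Set DRY_RUN=1 to print the ebtables commands instead of executing them;
# set EBTABLES=/path/to/ebtables if the binary is not on PATH.

EBTABLES="${EBTABLES:-ebtables}"
IFGLOB="${IFGLOB:-tap+}"    # ebtables wildcard: tap12, tap21, ...
CHAIN_IN="VPN_NODHCP_IN"    # frames that arrived from the tunnel
CHAIN_OUT="VPN_NODHCP_OUT"  # frames about to leave into the tunnel

# run ARGS...: print "ebtables ARGS" in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$EBTABLES $*"
    else
        "$EBTABLES" "$@"
    fi
}

# dhcp_block_commands: print every ebtables argument list, one per line.
dhcp_block_commands() {
    # Own chains that are flushed and rebuilt, so re-running the script on
    # every boot does not pile up duplicate rules.
    for chain in $CHAIN_IN $CHAIN_OUT; do
        echo "-N $chain"
        echo "-F $chain"
    done
    # DHCP is UDP. Client->server is sport 68/dport 67, the reply is
    # sport 67/dport 68; matching either port range catches both legs.
    for portopt in --ip-dport --ip-sport; do
        echo "-A $CHAIN_IN -p IPv4 --ip-proto udp $portopt 67:68 -j DROP"
        echo "-A $CHAIN_OUT -p IPv4 --ip-proto udp $portopt 67:68 -j DROP"
    done
    # Hook the chains into the bridge: INPUT covers DHCP from the far side
    # reaching this router's own DHCP server, FORWARD covers DHCP bridged
    # between LAN ports and the tunnel, OUTPUT covers offers generated by this
    # router's DHCP server (locally generated frames never pass FORWARD).
    # The -D before -A keeps the jump idempotent as well.
    for builtin in INPUT FORWARD; do
        echo "-D $builtin -i $IFGLOB -j $CHAIN_IN"
        echo "-A $builtin -i $IFGLOB -j $CHAIN_IN"
    done
    for builtin in FORWARD OUTPUT; do
        echo "-D $builtin -o $IFGLOB -j $CHAIN_OUT"
        echo "-A $builtin -o $IFGLOB -j $CHAIN_OUT"
    done
}

# apply_dhcp_block: run (or print) every command. Chain creation and jump
# deletion are allowed to fail, since the chain may already exist or the
# jump may not be there yet.
apply_dhcp_block() {
    dhcp_block_commands | while read -r line; do
        set -- $line
        case "$1" in
            -N|-D) run "$@" 2>/dev/null || true ;;
            *)     run "$@" ;;
        esac
    done
}

# Stand-alone use: "sh vpn-nodhcp.sh show" prints, "sh vpn-nodhcp.sh apply" installs.
case "${1:-}" in
    show)  DRY_RUN=1 apply_dhcp_block ;;
    apply) apply_dhcp_block ;;
esac
```

To confirm it is working after "apply", run `ebtables -L --Lc` and watch the pcnt counters on the two VPN_NODHCP chains climb while a host on the far LAN renews its lease; the far side should keep getting its address only from its own router.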
 
I ended up adding this script to both sides and it appears to be working now. For some reason, the log shows the OpenVPN connection reconnecting every hour, to the second. Is this normal?
 
