[380.64_2 AC87U] Torturing myself with site to site VPN

[Zulgrib]

Hello,

I'm torturing myself with site to site VPN and i'm now pulling my hairs because i'm out of idea.

Computers on the client side can talk to computers on the remote side (Ping, SMB shares)
Computers on the server side cannot talk to computers on the client side. (Pings times out)

OpenVPN server uses subnet 192.168.6.0/24
OpenVPN client uses subnet 192.168.5.0/24

wrt-merlin powered router is the client.

Configuration of the OpenVPN server

push "route 192.168.200.0 255.255.255.0"
push "route 192.168.6.0 255.255.255.0"
route 192.168.5.0 255.255.255.0
dev tun

management 127.0.0.1 1195

server 192.168.200.0 255.255.255.0


dh /var/packages/VPNCenter/target/etc/openvpn/keys/dh1024.pem
ca /var/packages/VPNCenter/target/etc/openvpn/keys/ca.crt
cert /var/packages/VPNCenter/target/etc/openvpn/keys/server.crt
key /var/packages/VPNCenter/target/etc/openvpn/keys/server.key

max-clients 3

comp-lzo

persist-tun
persist-key

verb 3

#log-append /var/log/openvpn.log

keepalive 10 60
reneg-sec 0

plugin /var/packages/VPNCenter/target/lib/radiusplugin.so /var/packages/VPNCenter/target/etc/openvpn/radiusplugin.cnf
client-cert-not-required
username-as-common-name
duplicate-cn

status /tmp/ovpn_status_2_result 30
status-version 2
proto udp
port 1194

And has this client specific config file

ifconfig-push 192.168.200.6 255.255.255.0
iroute 192.168.5.0 255.255.255.0

The client has this config

Start with wan : Yes
Interface type : Tun
Proto : UDP
Server Address and Port : dnsnameoftheserver 1194
Firewall : auto
Auth mode : TLS (Only CA certificate shared)
Username/Password Authentication : Yes
Username / Password Auth. Only (Must define certificate authority) : No
Extra HMAC authorization : Disabled
Auth digest : Default
Create NAT on tunnel : Yes
Log : 3
Poll : 0
Accept DNS Configuration : Disabled
Encryption cipher : Default
Compression : Adaptive
TLS Renegotiation Time : -1
Connection Retry : -1
Verify serv cert : No
Redirect Internet traffic : No

And in the custom config field

tls-client
script-security 2
reneg-sec 0
ifconfig 192.168.200.6 192.168.200.5
route 192.168.6.0 255.255.255.0
keepalive 10 60
persist-key
persist-tun

I don't know what to do next.

I tried to remove all the rules containing "--state INVALID" but they are recreated dynamicly
I tried to add

iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT

but the rules aren't actually created when the command is sent

 

[Martineau]

Computers on the server side cannot talk to computers on the client side. (Pings times out)

On the server, does an entry exist?

ip route

192.168.5.0/24 via 10.8.0.1 dev tun21

If I recall, you should be able have the route created automatically via the VPN Server GUI
Specify the COMMON-NAME Client subnet, and it should create the route for you.

 

[Zulgrib]

The OpenVPN server is not running on merlin, it is the client that is on merlin.
On the server (Synology RT1900AC), there is a tun0 interface.

There is an "192.168.5.0/24 via 192.168.200.2 dev tun0" entry server side when checking with "ip route"

Client side (merlin) I have "192.168.6.0/24 via 192.168.200.5 dev tun11"

 

[Martineau]

The OpenVPN server is not running on merlin

Ahhh

Only thing I can suggest is that the server CCD directive ifconfig-push should be removed?

ifconfig-push 192.168.200.6 255.255.255.0
iroute 192.168.5.0 255.255.255.0

Also when trying to ping from the server to router (rather than LAN devices) is it successful?

Have you checked the tun11 firewall rule to see if the packet count is >0 ?

iptables -nvL FORWARD -t filter | grep tun11

       0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0

If rule doesn't exist then add a temp firewall rule on the router

iptables -I FORWARD -i tun+ -j ACCEPT

Also check route table 111 (if it exists) to have valid routes for the Client LAN.

 

[Zulgrib]

iptables -nvL FORWARD -t filter |grep tun
    0     0 ACCEPT     all  --  tun11  br0     0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  br0    tun11   0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun11  br0     0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  br0    tun11   0.0.0.0/0            0.0.0.0/0

Not superior to zero, the only counter increasing is the "TUN/TAP read bytes" when I ping the router using the VPN subnet instead of the local subnet.

So, this means the problem is on server's side and not on the client side ?

 

[Martineau]

Not superior to zero, the only counter increasing is the "TUN/TAP read bytes" when I ping the router using the VPN subnet instead of the local subnet.

So, this means the problem is on server's side and not on the client side ?

Possibly... added temp rule to my system and the rule counters are >0

num   pkts bytes target     prot opt in     out     source               destination       
1    83966  108M ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0

 

[Zulgrib]

The torture can end, Synology router manager create client specific config but don't start openvpn with the --client-config-dir switch. Adding it in the config file solved the problem.

 

[Martineau]

The torture can end, Synology router manager create client specific config but don't start openvpn with the --client-config-dir switch. Adding it in the config file solved the problem.

Typical eh? - computers...only do what you explicity tell them to do!

P.S. Should have stuck with an ASUS/Merlin router!