Access devices in OpenVPN network created by two behind-NAT routers?

loveleeyoungae

Regular Contributor
Hi,

I did try to search on Google for my kind of network configuration, but couldn't find a possible guide. So I'm posting my questions here. Please have a look at my diagram below (hope you don't mind my artistic skill :)

My expectation: I'd like any devices in any subnets to be able to access one another, without disabling DHCP or bridging the networks. (And it'd be even better if the firewalls could still be enabled).

Current setup:
I*: ISP Wireless-G Router-Modems. PPPoE Dial. Limited features. No toggle for firewall, but they have a "Firewall" section which includes URL, MAC Filtering, Port Forwarding, DMZ, etc... UPnP enabled and DMZ set to N* routers.
N*: Asus RT-N66U Routers with Merlin 374.41. UPnP enabled. Firewall disabled.
Firewalls on all devices are disabled.

Current situation:
+ At *each* Home, devices in both subnets (eg Sub-I1 & Sub-N1) can access one another.
+ The OpenVPN connection is established between the N* routers (Thanks RMerlin, didn't think setup on his firmware was that easy!).
+ The client-side Sub-N1 devices can access the server-side Sub-N2 devices, but not vice versa.
+ Found these two lines from a blog post to put in N1 Custom Configuration box:
ifconfig 10.8.0.1 10.8.0.2
route 192.168.21.0 255.255.255.0
And Sub-N1 devices can access Sub-I2 devices. Obviously, not vice versa.

So, I'd really appreciate it if anyone could help me configure my network. I barely know Linux, so details are welcome as I don't mind reading long posts :)

Thank you in advance!
 

Never really messed much with VPNs, but don't you need to set up both client and server on each router to allow two-way access?
 

Thank you guys!

My bad! I didn't think ticking the "Manage Client-Specific Options" would expand the two settings below it (Plus English is not my native language, so I got the wrong idea).

sinshiva's example screenshots just got me a bit confused. It seems that you put the VPN pool subnet into the fields(?), but it turned out that I had to add the routers' LAN subnets. For my network, I had to add the three sub-I1, sub-N1 and sub-I2.
- However, at first things didn't work. So, even though I'm a bit afraid of SSH, your screenshots made me think that I had to try taking an adventure into the SSH world :D Found the iroute line in etc/openvpn/server1/ccd/MY_OPENVPN_AUTHENTICATION_USERNAME(lovelya).
- Realized that using the Merlin GUI, the lovelya file is always updated with one iroute line for the last added subnet - I had to manually edit the file for the other two subnets. And voila, things worked as expected! However, the edited file is only kept temporarily; a reconnection would make the file reset to its one-line state. So, is this a bug that I need to report to RMerlin, or is it the normal default setup design and I have to use jffs scripts?

And actually now I feel there is one more important thing - securing the networks - whose importance I didn't feel until I saw recent brute force attacks from some IPs originating from India in the log! For now, just for the simple connection i.e. from sub-I1 to its corresponding sub-N1, I had to turn off the firewall on my N66W. Could you please help me with this part?
 
you need to enable the JFFS partition (admin > system; format first time on reboot), then copy the ccd config to /jffs/configs/openvpn/ccd/common_name
 
you need to enable the JFFS partition (admin > system; format first time on reboot), then copy the ccd config to /jffs/configs/openvpn/ccd/common_name

Hi sinshiva, yes from your previous post, I understand about the scripts part for permanent settings.
Sorry that my question was a bit misleading. I meant the bug with the GUI is: No matter how many subnets you add, the GUI only sets one "iroute" command for the last subnet! (FYI, the "push route" commands are all set correctly for *all* subnets).
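Following on from the ccd file edits described earlier in the thread and the one-iroute-per-file GUI behaviour restated above, here is an added shell example (not from this thread and not Asuswrt-Merlin's own code) that writes a ccd file claiming every client-side LAN and checks it against the server config's route lines, so a ccd that only claims the last subnet is caught before relying on the tunnel. The two subnets other than 192.168.21.0/24, the file names and the mktemp directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Asuswrt-Merlin. It builds a ccd
# file with one "iroute" per client-side LAN and checks a server config's
# "route" lines against it, so a ccd that only claims the last subnet (the
# GUI behaviour described in the thread) is caught early.
# The LANs other than 192.168.21.0/24 and all file paths are assumptions.

# Constructed client-side LANs (NET/MASK); only 192.168.21.0/24 is from the thread.
CLIENT_LANS="192.168.1.0/255.255.255.0 192.168.11.0/255.255.255.0 192.168.21.0/255.255.255.0"

# Print "iroute NET MASK" for every NET/MASK pair in $1, i.e. the ccd body
# telling the server which LANs sit behind this client's common name.
build_ccd() {
  for lan in $1; do
    printf 'iroute %s %s\n' "${lan%/*}" "${lan#*/}"
  done
}

# Number of iroute lines in a ccd file read from stdin.
count_iroutes() {
  grep -c '^iroute '
}

# Every LAN the server config ($1) routes into the tunnel needs a matching
# "iroute NET MASK" in the ccd file ($2); without the iroute the kernel hands
# packets to OpenVPN, but OpenVPN has no client to deliver them to.
# Reports each gap on stderr and returns 1 if any is missing, 0 otherwise.
check_iroutes() {
  missing=0
  for r in $(awk '/^route /{print $2 "/" $3}' "$1"); do
    net=${r%/*}; mask=${r#*/}
    if ! grep -qxF "iroute $net $mask" "$2"; then
      echo "no iroute for $net $mask in $2" >&2
      missing=1
    fi
  done
  return $missing
}

# Stand-alone demo on temporary files: generate the full ccd and verify it.
demo() {
  d=$(mktemp -d)
  printf 'route 192.168.1.0 255.255.255.0\nroute 192.168.11.0 255.255.255.0\nroute 192.168.21.0 255.255.255.0\n' > "$d/server.conf"
  build_ccd "$CLIENT_LANS" > "$d/ccd_lovelya"
  check_iroutes "$d/server.conf" "$d/ccd_lovelya" && echo "ccd covers every routed LAN"
  rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run with `sh script.sh demo`; on the router the generated file would go under the /jffs/configs/openvpn/ccd/ path sinshiva gave, named after the client's common name.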
 
