networkNoob42
New Around Here
Hey guys,
Long time lurker, created an account b/c i'm repeatedly hitting a wall (pun intended). I'm a total noob that reads alot, so please bear with me. This seems to be something that should just work...help!
Two issues:
1) I can't access my local network, no matter what i do. I only get as far as pinging the OPENVPN Server on the router (10.8.0.1). Trying to ping my printer 10.1.1.205 or router 10.1.1.1 times out.
2) I can't access the internet from my client (Mac-El Capitan using Tunnelbrick), even though "route all ipv4 traffic through the VPN" is disabled, and no options are selected on the server end either...
It connects/authenticates fine.
End goal: 4 clients connecting for access to local network when traveling for network shares traffic only. Regular internet connections should still flow through the device's normal connection.
OpenVPN Server running on Merlin 384.3 on AC1900 (using 68U)
Local Network: 10.1.1.0/24
Server config.ovpn:
# Automatically generated configuration
daemon ovpn-server1
topology subnet
server 10.8.0.0 255.255.255.0
proto udp
port 41251
dev tun21
ncp-disable
cipher AES-256-CBC
auth SHA512
comp-lzo adaptive
keepalive 15 60
verb 4
push "route 10.1.1.0 255.255.255.0 vpn_gateway 500"
client-config-dir ccd
client-to-client
duplicate-cn
push "dhcp-option DNS 10.1.1.1"
tls-crypt static.key
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status 5
# Custom Configuration
persist-key
persist-tun
Client ovpn:
client
dev tun
proto udp
remote <server> 41251
float
resolv-retry infinite
nobind
persist-key
persist-tun
cipher AES-256-CBC
auth SHA512
comp-lzo adaptive
auth-user-pass
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
<tls-crypt>
--removed--
</tls-crypt>
Both the "Push lan to client" on the merlin page doesn't seem to work, and these iptables commands (with a BIG VARIETY of custom push route options) from the OPENVPN manual don't seem to work either.
iptables -I FORWARD -i tun21 -o eth0 -s 10.8.0.0/24 -d 10.1.1.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD -i tun21 -o eth1 -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD -i eth0 -o eth1 -s 10.1.1.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -I POSTROUTING -o eth1 -s 10.8.0.0/24 -j MASQUERADE
iptables -t nat -I POSTROUTING -o eth1 -s 10.1.1.0/24 -j MASQUERADE
Side question - I've tried both 'eth1' and 'br0' above, which is correct? Here's what "IP Route show" spits out (external IP parts & loopback removed)
10.8.0.0/24 dev tun21 proto kernel scope link src 10.8.0.1
10.1.1.0/24 dev br0 proto kernel scope link src 10.1.1.1
iroute 10.1.1.0 255.255.255.0 listed in file stored here:
tmp/etc/openvpn/server1/ccd/<clientcommonname>
I've referenced these two pages a lot:
https://superuser.com/questions/865...vpn-cannot-access-local-machines-while-on-vpn
https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
Other relevant mentions: I have IPSET blocker & ya-malware blocker linked from the wiki installed, have white listed VPN and local range and tested with completely disabling.
Also have tested completely disabling my Mac's firewall and little snitch.
Long time lurker, created an account b/c i'm repeatedly hitting a wall (pun intended). I'm a total noob that reads alot, so please bear with me. This seems to be something that should just work...help!
Two issues:
1) I can't access my local network, no matter what i do. I only get as far as pinging the OPENVPN Server on the router (10.8.0.1). Trying to ping my printer 10.1.1.205 or router 10.1.1.1 times out.
2) I can't access the internet from my client (Mac-El Capitan using Tunnelbrick), even though "route all ipv4 traffic through the VPN" is disabled, and no options are selected on the server end either...
It connects/authenticates fine.
End goal: 4 clients connecting for access to local network when traveling for network shares traffic only. Regular internet connections should still flow through the device's normal connection.
OpenVPN Server running on Merlin 384.3 on AC1900 (using 68U)
Local Network: 10.1.1.0/24
Server config.ovpn:
# Automatically generated configuration
daemon ovpn-server1
topology subnet
server 10.8.0.0 255.255.255.0
proto udp
port 41251
dev tun21
ncp-disable
cipher AES-256-CBC
auth SHA512
comp-lzo adaptive
keepalive 15 60
verb 4
push "route 10.1.1.0 255.255.255.0 vpn_gateway 500"
client-config-dir ccd
client-to-client
duplicate-cn
push "dhcp-option DNS 10.1.1.1"
tls-crypt static.key
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status 5
# Custom Configuration
persist-key
persist-tun
Client ovpn:
client
dev tun
proto udp
remote <server> 41251
float
resolv-retry infinite
nobind
persist-key
persist-tun
cipher AES-256-CBC
auth SHA512
comp-lzo adaptive
auth-user-pass
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
<tls-crypt>
--removed--
</tls-crypt>
Both the "Push lan to client" on the merlin page doesn't seem to work, and these iptables commands (with a BIG VARIETY of custom push route options) from the OPENVPN manual don't seem to work either.
iptables -I FORWARD -i tun21 -o eth0 -s 10.8.0.0/24 -d 10.1.1.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD -i tun21 -o eth1 -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD -i eth0 -o eth1 -s 10.1.1.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -I POSTROUTING -o eth1 -s 10.8.0.0/24 -j MASQUERADE
iptables -t nat -I POSTROUTING -o eth1 -s 10.1.1.0/24 -j MASQUERADE
Side question - I've tried both 'eth1' and 'br0' above, which is correct? Here's what "IP Route show" spits out (external IP parts & loopback removed)
10.8.0.0/24 dev tun21 proto kernel scope link src 10.8.0.1
10.1.1.0/24 dev br0 proto kernel scope link src 10.1.1.1
iroute 10.1.1.0 255.255.255.0 listed in file stored here:
tmp/etc/openvpn/server1/ccd/<clientcommonname>
I've referenced these two pages a lot:
https://superuser.com/questions/865...vpn-cannot-access-local-machines-while-on-vpn
https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
Other relevant mentions: I have IPSET blocker & ya-malware blocker linked from the wiki installed, have white listed VPN and local range and tested with completely disabling.
Also have tested completely disabling my Mac's firewall and little snitch.
Last edited:
