openvpn routing question - multiple lans on clients side


mrskoku

New Around Here
hello,
i have purchased an ax88u recently. generally it fulfills all my needs. this is my second router with asus-merlin firmware (some time ago i had an ac68u).
i have set up everything except openvpn. well except fine tuning openvpn.

details.
ax88u acts as openvpn server. i have public static ip.
ax88u lan - 192.168.2.0/24

client - an openwrt router
client's lan - 192.168.4.0/24, but there is another lan there (192.168.5.0/24 - 4g router)
so setup on client side is 4g_router -> openwrt

openvpn is configured according to the manuals
Manage Client-Specific Options: Yes
Allow Client <-> Client: Yes
Allow only specified clients: No

Allowed Clients
common name   subnet        mask            push
client        192.168.4.0   255.255.255.0   Yes

client is able to connect. from server's lan i can reach client's lan, from client's lan i can reach server's lan. i have checked this on tun/udp and tun/tcp.

but i want to reach 192.168.5.0/24 network as well. when i add this network to allowed clients on top of the entry with 192.168.4.0/24 i'm losing access to the 192.168.4.0/24 network - and i have access to the 192.168.5.0/24 one. i do not want to have "either 192.168.4.0 or 192.168.5.0". i need to have access to both networks at the same time/with one config.

server's side
ip a

tun21: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/none
inet 10.8.0.1/24 brd 10.8.0.255 scope global tun21
valid_lft forever preferred_lft forever

ip route
10.8.0.0/24 dev tun0 scope link src 10.8.0.2
192.168.4.0/24 via 10.8.0.2 dev tun21
192.168.5.0/24 via 10.8.0.2 dev tun21

in this scenario i'm able to reach 192.168.5.0/24 only

client's side

ip a
tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
link/[65534]
inet 10.8.0.2/24 brd 10.8.0.255 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::e57b:101:400f:ba76/64 scope link
valid_lft forever preferred_lft forever

ip route
10.8.0.0/24 dev tun0 scope link src 10.8.0.2
192.168.2.0/24 via 10.8.0.1 dev tun0 metric 500



using the old router (mikrotik) this works without an issue. here i have a problem. i'm sure that client's config/setup is not an issue because this worked fine before.

how it can be set up on asus merlin?

regards
 
What you've done seems correct (i.e., using multiple entries under Manage Client Specific Options). Although I don't understand how *either* network (192.168.4.x or 192.168.5.x) could be reached based on the ip route dump on the client.

Code:
10.8.0.0/24 dev tun0 scope link src 10.8.0.2
192.168.2.0/24 via 10.8.0.1 dev tun0 metric 500

Seems like you probably edited out those routes (perhaps in an effort to hide your public IP), but that's relevant to whether this is working. Those routes need to be there if you expect them to be reachable from devices on the server side.
 
P.S. Just noticed; do NOT push those routes to the client (leave that option unchecked)! Those entries are only for informational purposes on the server.

As an aside, you don't need the Client-to-Client option either. That's only for the purposes of allowing the server to act as a gateway between multiple connected OpenVPN clients, which is rarely used.
 
Hello eibgrad,
Thank you for prompt reply.

On client side there is a routing to 192.168.5.0/24 set and it is working fine. I just shortened the output. I have unchecked now client to client. Did not help.
What i observed is that the last entry in Client Options is being picked.
So when it was set
192.168.5.0
192.168.4.0

Network 192.168.5.0 is reachable

But when i set this in the opposite way
192.168.4.0
192.168.5.0


Network 192.168.4.0 is reachable.
As I wrote this setup works fine on mikrotik. I have set up the connection, added routing and nothing more.

Regards
 
And did you set the "Push" option for each entry under Manage Client Specific Options to No? According to your original post, this was set to Yes, which is wrong.
 
Correct. I've removed old entries, saved, added new ones with "push" to no, saved. Then i've turned off the ovpn server and started it again.
I have access only to one network on client side still.

technically it looks ok, but it does not work.

CLIENT
Code:
root@OpenWrt:~# ip route
default via 192.168.5.1 dev eth0.2
10.8.0.0/24 dev tun0 scope link  src 10.8.0.2
192.168.2.0/24 via 10.8.0.1 dev tun0  metric 500
192.168.4.0/24 dev br-lan scope link  src 192.168.4.1
192.168.5.0/24 dev eth0.2 scope link  src 192.168.5.2

root@OpenWrt:~# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.2  P-t-P:10.8.0.2  Mask:255.255.255.0
          inet6 addr: fe80::206c:89a9:43e5:cfd7/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:2369 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2403 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:171455 (167.4 KiB)  TX bytes:263290 (257.1 KiB)
openvpn config

client
dev tun
proto tcp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
cipher AES-128-CBC
keepalive 15 60
auth-user-pass /etc/openvpn/userpass.txt
remote-cert-tls server
.
.
.

SERVER
Code:
RT-AX88U-26A0:/tmp/home/root# ip route
default via xxx.xxx.xxx.xxx dev eth0
10.8.0.0/24 dev tun21  proto kernel  scope link  src 10.8.0.1
127.0.0.0/8 dev lo  scope link
192.168.2.0/24 dev br0  proto kernel  scope link  src 192.168.2.1
192.168.4.0/24 via 10.8.0.2 dev tun21
192.168.5.0/24 via 10.8.0.2 dev tun21
xxx.xxx.xxx.xxx/24 dev eth0  proto kernel  scope link  src xxx.xxx.xxx.xxx/
xxx.xxx.xxx.xxx/ dev eth0  proto kernel  scope link

RT-AX88U-26A0:/tmp/home/root# ifconfig tun21

tun21     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:2437 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2489 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:267354 (261.0 KiB)  TX bytes:178572 (174.3 KiB)


server conf:

daemon ovpn-server1
topology subnet
server 10.8.0.0 255.255.255.0
proto tcp-server
port 1194
dev tun21
txqueuelen 1000
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
cipher AES-128-CBC
keepalive 15 60
verb 3
push "route 192.168.2.0 255.255.255.0 vpn_gateway 500"
client-config-dir ccd
route 192.168.5.0 255.255.255.0
route 192.168.4.0 255.255.255.0
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn
ca ca.crt
dh dh.pem
cert server.crt
key server.key
script-security 2
up 'ovpn-up 1 server'
down 'ovpn-down 1 server'
status-version 2
status status 5

# Custom Configuration

traceroute from connected laptop:

Code:
traceroute 192.168.4.1
traceroute to 192.168.4.1 (192.168.4.1), 64 hops max, 52 byte packets
1  rt-ax88u-26a0 (192.168.2.1)  2.377 ms  1.042 ms  2.188 ms
2  192.168.4.1 (192.168.4.1)  56.900 ms  55.540 ms  60.014 ms

traceroute 192.168.5.1
traceroute to 192.168.5.1 (192.168.5.1), 64 hops max, 52 byte packets
1  rt-ax88u-26a0 (192.168.2.1)  2.299 ms  1.144 ms  0.983 ms
2  *^C

traceroute from asus
Code:
RT-AX88U-26A0:/tmp/home/root# traceroute 192.168.4.1
traceroute to 192.168.4.1 (192.168.4.1), 30 hops max, 38 byte packets
1  192.168.4.1 (192.168.4.1)  53.180 ms  49.184 ms  49.842 ms
RT-AX88U-26A0:/tmp/home/root# traceroute 192.168.5.1
traceroute to 192.168.5.1 (192.168.5.1), 30 hops max, 38 byte packets
1  *  *  *
2^C

connection log

Code:
Nov 14 12:01:26 ovpn-server1[4873]: xxx.xxx.xxx.xxx:34104 [client] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:34104
Nov 14 12:01:26 ovpn-server1[4873]: client/xxx.xxx.xxx.xxx:34104 OPTIONS IMPORT: reading client specific options from: ccd/client
Nov 14 12:01:26 ovpn-server1[4873]: client/xxx.xxx.xxx.xxx:34104 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Nov 14 12:01:26 ovpn-server1[4873]: client/xxx.xxx.xxx.xxx:34104 MULTI: Learn: 10.8.0.2 -> client/xxx.xxx.xxx.xxx:34104
Nov 14 12:01:26 ovpn-server1[4873]: client/xxx.xxx.xxx.xxx:34104 MULTI: primary virtual IP for client/xxx.xxx.xxx.xxx:34104: 10.8.0.2
Nov 14 12:01:26 ovpn-server1[4873]: client/xxx.xxx.xxx.xxx:34104 MULTI: internal route 192.168.4.0/24 -> client/xxx.xxx.xxx.xxx:34104
Nov 14 12:01:26 ovpn-server1[4873]: client/xxx.xxx.xxx.xxx:34104 MULTI: Learn: 192.168.4.0/24 -> client/xxx.xxx.xxx.xxx:34104
Nov 14 12:01:27 ovpn-server1[4873]: client/xxx.xxx.xxx.xxx:34104 PUSH: Received control message: 'PUSH_REQUEST'
Nov 14 12:01:27 ovpn-server1[4873]: client/xxx.xxx.xxx.xxx:34104 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0 vpn_gateway 500,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Nov 14 12:01:27 ovpn-server1[4873]: client/xxx.xxx.xxx.xxx:34104 Data Channel: using negotiated cipher 'AES-256-GCM'
Nov 14 12:01:27 ovpn-server1[4873]: client/xxx.xxx.xxx.xxx:34104 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Nov 14 12:01:27 ovpn-server1[4873]: client/xxx.xxx.xxx.xxx:34104 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Nov 14 12:01:29 ovpn-server1[4873]: MULTI: Learn: 192.168.4.171 -> client/xxx.xxx.xxx.xxx:34104
Nov 14 12:01:29 ovpn-server1[4873]: MULTI: Learn: 192.168.4.118 -> client/xxx.xxx.xxx.xxx:34104
 
The only thing left unchecked at this point is the contents of the OpenVPN client's CCD file on the server. Let's dump it as well. It should contain two iroute directives, one for each of the other networks.
Code:
cat /tmp/etc/openvpn/server1/ccd/client


Given this is likely to look just fine, that tells me this is most likely a firewall issue between the client and access to any devices on those other networks. And since I have no clue about the target device(s), it's hard to even speculate what that issue might be. But all the routing looks correct. And unless the iroute directives are somehow messed up, it has to be a firewall issue.

P.S. Can devices on the 192.168.4.x and 192.168.5.x networks reach devices on the 192.168.2.x network? IOW, is the problem only in one direction, from server to client, wrt those two networks?
 

here might be an issue.
in this file there is only one entry
Code:
iroute 192.168.4.0 255.255.255.0

here as well
Code:
RT-AX88U-26A0:/tmp/home/root# cat /etc/openvpn/server1/ccd/client
iroute 192.168.4.0 255.255.255.0

i've added a second entry to the file /etc/openvpn/server1/ccd/client but after server restart it has been removed.


firewall looks fine.
when there's only one entry (for 192.168.4.0) in openvpn server config i can reach this network without problems - i can reach hosts in 192.168.4.0/24 from server's lan 192.168.2.0/24.
when there's only one entry (for 192.168.5.0) in openvpn server config i can reach this network without problems - i can reach hosts in 192.168.5.0/24 from server's lan 192.168.2.0/24.
when there are 2 entries (for 192.168.4.0 and 192.168.5.0) i can reach only one network - only 1 iroute is being created in config - it looks like

in every case i can reach hosts on server's lan from client lan



----------------------
edit - i got this working. it looks like there is an issue in openvpn gui. only 1 entry is being picked.

what i changed:
Manage Client-Specific Options - set to NO

this removed
Code:
client-config-dir ccd
client-to-client
route 192.168.5.0 255.255.255.0
route 192.168.4.0 255.255.255.0
from /etc/openvpn/server1/config.ovpn

then in Custom Configuration i added (i do use client-to-client)

Code:
client-config-dir /jffs/configs/openvpn/ccd
client-to-client
route 192.168.5.0 255.255.255.0
route 192.168.4.0 255.255.255.0
in ccd
Code:
iroute 192.168.4.0 255.255.255.0
iroute 192.168.5.0 255.255.255.0

finally i can reach both networks on client's side

Code:
@RT-AX88U-26A0:/tmp/home/root# traceroute 192.168.5.1
traceroute to 192.168.5.1 (192.168.5.1), 30 hops max, 38 byte packets
1  10.8.0.2 (10.8.0.2)  152.305 ms  212.930 ms  54.116 ms
2  192.168.5.1 (192.168.5.1)  142.181 ms  96.905 ms  116.876 ms
@RT-AX88U-26A0:/tmp/home/root# traceroute 192.168.4.1
traceroute to 192.168.4.1 (192.168.4.1), 30 hops max, 38 byte packets
1  192.168.4.1 (192.168.4.1)  97.080 ms  109.339 ms  100.746 ms
 
hello eibgrad,

this is what i've done - i've edited my post few minutes ago.
overriding client's ccd works so it looks like it is a bug in GUI.

regards
 
Let's try overriding the client's CCD file generated by the GUI and at least see if that's indeed the problem (and if it is, then apparently it's a bug in the GUI).

Add the following to the OpenVPN server's Custom Config field.
Code:
client-config-dir /jffs/openvpn/server1/ccd


Then execute the following code by pasting it into an ssh window.
Code:
mkdir -p /jffs/openvpn/server1/ccd
cat << "EOF" > /jffs/openvpn/server1/ccd/client
iroute 192.168.4.0 255.255.255.0
iroute 192.168.5.0 255.255.255.0
EOF


Then restart the OpenVPN server and try again.

P.S. Of course, make sure you have JFFS enabled (Administration->System).
 
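Added example (my own, not from the thread or from Asuswrt-Merlin): a small POSIX sh check that flags every `route` in the server config that has no matching `iroute` in the client's CCD file. That is exactly the mismatch the GUI produced above: the kernel route for 192.168.5.0/24 existed, but OpenVPN had no iroute telling it which client owned that subnet. The sample config and CCD file are constructed in a temp directory; on the router you would point it at the real config.ovpn and ccd/<common-name> instead.

```shell
#!/bin/sh
# A client-side LAN is reachable through the tunnel only when the server has
# BOTH a kernel "route NET MASK" (server config) AND an "iroute NET MASK" in
# ccd/<common-name>. This function prints each route that lacks its iroute;
# it prints nothing when the two files agree.
ccd_missing_iroutes() {
    conf="$1"; ccd="$2"
    # Take "route NET MASK" lines from the server config (comments skipped),
    # keep only the network and mask fields.
    grep -E '^[[:space:]]*route[[:space:]]' "$conf" \
      | awk '{print $2, $3}' \
      | while read -r net mask; do
            # Escape dots so 192.168.4.0 does not also match 192x168x4x0.
            enet=$(printf '%s' "$net" | sed 's/\./\\./g')
            emask=$(printf '%s' "$mask" | sed 's/\./\\./g')
            grep -qE "^[[:space:]]*iroute[[:space:]]+$enet[[:space:]]+$emask([[:space:]]|\$)" "$ccd" \
                || echo "$net $mask"
        done
}

# Constructed sample files mirroring the thread (temp paths, not the router's).
demo_dir=$(mktemp -d)
cat > "$demo_dir/config.ovpn" <<'EOF'
server 10.8.0.0 255.255.255.0
client-config-dir ccd
route 192.168.5.0 255.255.255.0
route 192.168.4.0 255.255.255.0
EOF
mkdir -p "$demo_dir/ccd"
# What the GUI generated: only one of the two iroutes.
printf 'iroute 192.168.4.0 255.255.255.0\n' > "$demo_dir/ccd/client"

# Prints "192.168.5.0 255.255.255.0", the subnet OpenVPN cannot deliver to.
ccd_missing_iroutes "$demo_dir/config.ovpn" "$demo_dir/ccd/client"
```

Once the CCD file carries both iroute lines, as in the manual fix above, the check prints nothing.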

I'm a little surprised to see this is a bug. I just assumed it was correctly configuring the CCD file. We'll have to let @RMerlin know.
 