
OpenVPN server can't see client's LAN on Site to site connection


I have always had Client Specific Options enabled in the OpenVPN server1. Server2 has always been disabled. BTW, what would be the use of 2 Servers?
 

In case someone needs two servers with different configurations. For instance, you might have one set to redirect Internet access while abroad, and the other only gives you LAN access.
 

Ok, I can see why it would be useful to have two server instances.

But my reboot earlier today also caused my vpn client routing file to be lost, which was my original problem in this thread.
I have tried to put that 'kaukini' file in /jffs/openvpn/ccd* but after a vpn server restart it is never restored.
I have followed the suggestions of the AIProtection page and changed the root login name from 'admin' to 'rob', but I think I had the same problem before the name change.
As a first try to fix any file permissions problem, I have changed permissions to 660 and see nothing in syslog to suggest what I am doing wrong.

rob@RT-AC68U-7658:/tmp/home/root# ls -l /jffs/openvpn/ccd*
/jffs/openvpn/ccd:
-rw-rw---- 1 rob root 35 Mar 26 16:46 kaukini

/jffs/openvpn/ccd1:
-rw-rw---- 1 rob root 35 Mar 26 16:46 kaukini

rob@RT-AC68U-7658:/tmp/home/root# ls /etc/openvpn/server1/ccd/
rob@RT-AC68U-7658:/tmp/home/root#
 

FIXED:

After a careful reading of the previous posts, I learned the per-client route instructions must be saved in /jffs/configs/openvpn/ccd1/..., *not* in /jffs/openvpn/ccd1/...
After saving the files to /jffs/configs/... my fully bi-directional routes now are restored perfectly after a client or server router reboot.
These OpenVPN tunnels now work perfectly for me.
 

Although I had client to client enabled, there still was no connection.
Anyway, I created configs and ccd1 directories, created "client" file, entered iroute "IP of remote lan" 255.255.255.0, added
route remote LAN IP 255.255.255.0 push "route remote LAN IP 255.255.255.0" in Custom Configuration on server side and now server can see clients (I have two clients connected to server via OpenVPN).
Now clients can see server and server can see clients (ping and etc.) but clients can not see each other (server must be blocking them).
Any workaround on this?
Maybe I should add route on client side for remote client (via server?)

Thanks
 

I believe 'client-to-client' implicitly allows any VPN client connected to the VPN server to 'see' each other - effectively the router doesn't see the packets between the VPN clients. (If you disable 'client-to-client' then you can control tun21 traffic on the router using iptables).

So assuming that expected 'client-to-client' hasn't been compromised by OpenVPN 2.4, then I'd suspect that the firewalls on the clients are preventing access from remote subnets.
 
Thanks Martineau for your help.
Now I am experiencing even stranger issue, I have two sites (clients) which connect to server.
All of them RT-AC68U, running latest firmware from Merlin.
If either client connects to server, both client and server can ping each other, if second client connects to server, then one of the clients can not ping server any more.
What I mean is, that if only client one (192.168.3.x) is connected to server, both client and server can ping each other. Same if only client two is connected, both client two and server can ping each other. But whenever client one and client two connect to server, then either client one can ping server and server can ping client one, client two can ping server but server can't. This either happens with client one or client two in either direction.
They are all on different subnets, client one - 192.168.3.0, client two - 192.168.4.0, server - 192.168.5.0. VPN hands out IPs in a subnet of: 10.8.0.x (Merlin default).
Can I give clients different names in Server? (they show up under different usernames in VPN status page, but they both have the same common name - "client"). - can this be an issue?
Any idea about this?
 

RTFM? :p

If this directive is 'missing'
Code:
--duplicate-cn

then the behaviour you described occurs.
(However OpenVPN 2.4 issues a warning if both directives are present)

Clearly different 'Common names' will 'fix' your issue. I personally generate 15 but whilst secure (easy to revoke if say the phone is lost/stolen etc.) it is tedious.

So the problem is the 'iroute' for each subnet which is contained in the CCD 'client' file.

I believe a script called by directive (remove the '--' when referencing it in the VPN server 'Custom Configuration' GUI)

Code:
--client-connect

may save you the hassle of creating the (recommended) separate 'Common names' etc.

So apparently, when each client connects, you could then possibly generate the appropriate 'iroute' command? etc. ;)
 
Thanks for helping me out on this, but I guess because of my lack of knowledge of Linux, I might need more detailed steps from you...
I do like to read, but there does not seem to be a "FM" out there for this kind of stuff :D
Anyways, what would you recommend, shall I edit "client" file under ccd1?
Sorry for all these detailed questions, still newbie at this and trying to learn.
 

Believe it or not there is a little thing called Google?;)

So I found this https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage and this
https://github.com/RMerl/asuswrt-merlin/wiki which should be read (section Usage->User Scripts -> Creating scripts in particular) so that you can create/enable this VPN Server custom script (based on my original VPN client connect email notification script).

/jffs/scripts/VPNClientConnect.sh

EDIT: Whilst the original script below is still valid, I have updated the script to allow the 'iroute' directive to be specified in an external CCD configuration file per client.

e.g. For VPN Server 1 common name 'client' user 'clientone'

/jffs/configs/openvpn/ccd1/client_clientone


see v3 script here: https://www.snbforums.com/threads/how-to-set-a-static-ip-to-openvpn-tun-clients.37983/#post-315194

Code:
#!/bin/sh
#=============================================================================
#
# This VPN Server custom script will create a CCD/tmp_file based on 'User names' when they share the same 'Common name' e.g. 'client'
#
#   i.e. CCD file '/jffs/configs/openvpn/ccd1/client' is inappropriate for multiple concurrent clients
#
# The remote subnets for each individual User (identified by login credentials) will be defined etc.
#
# e.g.  VPN Server 192.168.5.0 will host two clients (each with its own LAN subnet) and all three will communicate with each other over the VPN tunnels
#
# Requires VPN Server directives:
#
#       client-to-client
#       duplicate-cn
#       # Custom Configuration
#       client-connect /jffs/scripts/VPNClientConnect.sh
#
# OpenVPN calls a 'client-connect' script with the path of a temporary CCD file as $1
# and exports the authenticated login name in $username (and the cert's $common_name).
logger -st "($(basename "$0"))" $$ "VPN Client user '$username' CCD configuration starting...." "[$*]"

# Configure the VPN Client CCD/file dynamically
STATUS="OK"    # Let's be positive! ;-)

# Identify client by login name and append its 'iroute' to the temporary CCD file
case "$username" in
   "clientone")
              echo "iroute 192.168.3.0 255.255.255.0" >>"$1"
              ;;
   "clienttwo")
              echo "iroute 192.168.4.0 255.255.255.0" >>"$1"
              ;;
   *)
              STATUS="FAIL"
              ;;
esac

if [ "$STATUS" = "OK" ]; then    # POSIX test uses a single '='
   logger -st "($(basename "$0"))" $$ "VPN Client user '$username' CCD config:" "$(cat "$1")"
else
   echo -e "\a"
   logger -st "($(basename "$0"))" $$ "**WARNING VPN Client user '$username' not defined - dynamic CCD config skipped."
fi

#Send_email [file | "A_single_line_text_message_in_quotes_to_be_emailed" ] [email_method]
TEMPFILE="/tmp/VPNClientConnect${username}.txt"
echo "Common Name: $common_name" >>"$TEMPFILE"
echo "Username: $username" >>"$TEMPFILE"
echo "I/P: $trusted_ip" >>"$TEMPFILE"
echo "PORT:$trusted_port" >>"$TEMPFILE"
echo "MTU: $tun_mtu" >>"$TEMPFILE"
#Send_email "$TEMPFILE"

logger -st "($(basename "$0"))" $$ "VPN Client CCD configuration ended."

# Exit 0 so OpenVPN accepts the connection; a non-zero exit would reject the client
exit 0

Hopefully, when the clients connect you will see in Syslog the appropriate CCD being applied.

P.S. You will need to edit the script to replace 'clientone' and 'clienttwo' :D

EDIT: Google brings up this spookily similar example:eek: although it assumes "Site B" and "Site C" are also running an OpenVPN server, and consequently can 'see' each other without needing to go via "Site A" unless the direct tunnel route between them is down.

[Image: 2017-02-05_10-51-56.png]
 
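The per-client CCD file idea from the EDIT above (one fragment per 'Common name'/'User name' pair under /jffs/configs/openvpn/ccd1/), written out as an added example; this is my code, not Martineau's script or Asuswrt-Merlin's own, and the `<common_name>_<username>` file layout is assumed from the post. It differs from the script above in that it treats `$common_name` and `$username` as peer-supplied input: names that could escape the CCD directory are refused, and only well-formed `iroute <net> <mask>` lines are copied into the temporary CCD file OpenVPN provides.

```shell
#!/bin/sh
# Added example, not Martineau's script: a client-connect helper that reads a
# per-user CCD fragment and passes only validated 'iroute' lines to OpenVPN.
# Assumed layout (from the thread): /jffs/configs/openvpn/ccd1/<common_name>_<username>
CCD_DIR="${CCD_DIR:-/jffs/configs/openvpn/ccd1}"

# Accept only names built from [A-Za-z0-9_.-] and never containing '..';
# $common_name and $username come from the peer, so they must not be able
# to steer the fragment path outside CCD_DIR.
safe_name() {
    case "$1" in
        ""|*[!A-Za-z0-9_.-]*|*..*) return 1 ;;
        *) return 0 ;;
    esac
}

# Dotted-quad check: exactly four numeric fields, each 0-255.
valid_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ""|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# apply_ccd <common_name> <username> <outfile>
# Copies 'iroute <net> <mask>' lines from the user's fragment into the temp
# CCD file OpenVPN hands the script; any other line in the fragment is ignored.
# Returns 1 when a name is unsafe, the fragment is missing, or no line qualified.
apply_ccd() {
    safe_name "$1" && safe_name "$2" || return 1
    frag="$CCD_DIR/${1}_${2}"
    [ -f "$frag" ] || return 1
    n=0
    while read -r kw net mask extra; do
        [ "$kw" = "iroute" ] && [ -z "$extra" ] || continue
        valid_ipv4 "$net" && valid_ipv4 "$mask" || continue
        echo "iroute $net $mask" >>"$3"
        n=$((n + 1))
    done <"$frag"
    [ "$n" -gt 0 ]
}

# OpenVPN invokes a 'client-connect' script as: script <tmpfile>, with
# $common_name and $username exported; do nothing when merely sourced.
# The script always exits 0, so a user without a fragment still connects,
# just without an iroute for a LAN behind it.
if [ -n "$1" ] && [ -n "$username" ]; then
    if apply_ccd "$common_name" "$username" "$1"; then
        logger -st "$(basename "$0")" "CCD for '$username':" "$(cat "$1")"
    else
        logger -st "$(basename "$0")" "no valid CCD fragment for '$username' - no iroute applied"
    fi
fi
```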
Martineau, still struggling.
Whenever my Server's custom configuration has this:
route 192.168.3.0 255.255.255.0
push "route 192.168.3.0 255.255.255.0"
route 192.168.4.0 255.255.255.0
push "route 192.168.4.0 255.255.255.0"
duplicate-cn
client-connect
- then I get the following message: "Initialinzing the settings of OpenVPN server now, please wait a few minutes to let the server to setup completed before VPN clients establish the connection."
and no clients seem to be able to connect.
I must be doing something wrong...

Do I enter "duplicate cn" in Server's /ccd1/client file and "client connect" in Custom configuration?

Also, latest Merlin firmware seems to have a bug in OpenVPN, whenever VPN is connected, it still shows "disconnected" on the OpenVPN general page.

Thanks again for your help!
 

Have you checked Syslog for errors? :eek: ....and clearly ASUS haven't spell-checked their GUI error message:rolleyes:
e.g.
Code:
daemon.err openvpn[20335]: Options error: Unrecognized option or missing or extra parameter(s) in config.ovpn:37: client-connect (2.4.0)
and/or
user.info syslog: VPN_LOG_ERROR: 1506: Starting VPN instance failed

I have tested the following in the VPN Server GUI.

[Screenshot: VPNClientConnect.png]


and (when my phone connects) Syslog shows:

Code:
openvpn[5345]: wan.xxx.xxx.xxx TLS: Initial packet from [AF_INET6]::ffff:wan.xxx.xxx.xxx:47257, sid=zzzzzzzz zzzzzzzzz
wan.xxx.xxx.xxx VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC68U, emailAddress=me@myhost.mydomain
wan.xxx.xxx.xxx VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=client, emailAddress=me@myhost.mydomain
wan.xxx.xxx.xxx peer info: IV_VER=2.5_master
wan.xxx.xxx.xxx peer info: IV_PLAT=android
wan.xxx.xxx.xxx peer info: IV_PROTO=2
wan.xxx.xxx.xxx peer info: IV_NCP=2
wan.xxx.xxx.xxx peer info: IV_LZ4=1
wan.xxx.xxx.xxx peer info: IV_LZ4v2=1
wan.xxx.xxx.xxx peer info: IV_LZO=1
wan.xxx.xxx.xxx peer info: IV_COMP_STUB=1
wan.xxx.xxx.xxx peer info: IV_COMP_STUBv2=1
wan.xxx.xxx.xxx peer info: IV_TCPNL=1
wan.xxx.xxx.xxx peer info: IV_GUI_VER=de.blinkt.openvpn_0.6.64
wan.xxx.xxx.xxx PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
wan.xxx.xxx.xxx TLS: Username/Password authentication succeeded for username 'SGS5'
wan.xxx.xxx.xxx Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
wan.xxx.xxx.xxx [client] Peer Connection Initiated with [AF_INET6]::ffff:wan.xxx.xxx.xxx:47257
wan.xxx.xxx.xxx MULTI_sva: pool returned IPv4=10.188.0.2, IPv6=(Not enabled)
(VPNClientConnect.sh): 6097 VPN Client user 'SGS5' CCD configuration starting.... [/tmp/openvpn_cc_078e278fc86f0c3f396a88b6000df8d8.tmp]
(VPNClientConnect.sh): 6097 VPN Client user 'SGS5' CCD config: iroute 192.168.3.0 255.255.255.0
(VPNClientConnect.sh): 6097 VPN Client CCD configuration ended.
wan.xxx.xxx.xxx OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_078e278fc86f0c3f396a88b6000df8d8.tmp
wan.xxx.xxx.xxx MULTI: Learn: 10.188.0.2 -> client/wan.xxx.xxx.xxx
wan.xxx.xxx.xxx MULTI: primary virtual IP for client/wan.xxx.xxx.xxx: 10.188.0.2
wan.xxx.xxx.xxx MULTI: internal route 192.168.3.0/24 -> client/wan.xxx.xxx.xxx
wan.xxx.xxx.xxx MULTI: Learn: 192.168.3.0/24 -> client/wan.xxx.xxx.xxx
wan.xxx.xxx.xxx REMOVE PUSH ROUTE: 'route 192.168.3.0 255.255.255.0'
wan.xxx.xxx.xxx PUSH: Received control message: 'PUSH_REQUEST'
wan.xxx.xxx.xxx SENT CONTROL [client]: 'PUSH_REPLY,route 10.88.8.0 255.255.255.0,dhcp-option DNS 10.88.8.1,route 192.168.4.0 255.255.255.0,route-gateway 10.188.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.188.0.2 255.255.255.0,peer-id 0,cipher AES-128-GCM' (status=1)
wan.xxx.xxx.xxx Data Channel Encrypt: Cipher 'AES-128-GCM' initialized with 128 bit key

resulting in the following screen print showing how the script has added the apparent subnet 'behind' my phone!
NOTE: /etc/openvpn/server1/ccd is empty

[Screenshot: VPN Status.png]



[Screenshot: VPNConnected.png]
 
Hi Martineau, haven't had time to play with OpenVPN until now.
So I did as you suggested, had to give rwx permission to vpnconnectclient.sh and folder, but now clients don't connect to server at all and give the following error: "Error - Authentication failure" (in client GUI).
All keys and passwords are the same...
this is the log:

Code:
Feb 10 07:28:23 openvpn[26646]: OpenVPN 2.4.0 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Feb  3 2017
Feb 10 07:28:23 openvpn[26646]: library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.08
Feb 10 07:28:23 openvpn[26647]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
Feb 10 07:28:23 openvpn[26647]: NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Feb 10 07:28:23 openvpn[26647]: NOTE: starting with OpenVPN 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables
Feb 10 07:28:23 openvpn[26647]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Feb 10 07:28:23 openvpn[26647]: Diffie-Hellman initialized with 2048 bit key
Feb 10 07:28:23 openvpn[26647]: TUN/TAP device tun21 opened
Feb 10 07:28:23 openvpn[26647]: TUN/TAP TX queue length set to 100
Feb 10 07:28:23 openvpn[26647]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Feb 10 07:28:23 openvpn[26647]: /usr/sbin/ip link set dev tun21 up mtu 1500
Feb 10 07:28:23 kernel: ADDRCONF(NETDEV_CHANGE): tun21: link becomes ready
Feb 10 07:28:23 openvpn[26647]: /usr/sbin/ip addr add dev tun21 10.8.0.1/24 broadcast 10.8.0.255
Feb 10 07:28:23 openvpn[26647]: /usr/sbin/ip route add 192.168.3.0/24 via 10.8.0.2
Feb 10 07:28:23 openvpn[26647]: /usr/sbin/ip route add 192.168.4.0/24 via 10.8.0.2
Feb 10 07:28:23 openvpn[26647]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Feb 10 07:28:23 openvpn[26647]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Feb 10 07:28:23 openvpn[26647]: setsockopt(IPV6_V6ONLY=0)
Feb 10 07:28:23 openvpn[26647]: UDPv6 link local (bound): [AF_INET6][undef]:1194
Feb 10 07:28:23 openvpn[26647]: UDPv6 link remote: [AF_UNSPEC]
Feb 10 07:28:23 openvpn[26647]: MULTI: multi_init called, r=256 v=256
Feb 10 07:28:23 openvpn[26647]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Feb 10 07:28:23 openvpn[26647]: Initialization Sequence Completed

Thanks...
 

Your last post simply indicated that you had finally stumbled into Syslog, but unfortunately you have only shown the OpenVPN Server initialisation, which implies you managed to correct the invalid Custom server directives (that you typed), so the yellow error message is no longer shown.

However, the log extract does confirm that the Router has correctly added the two remote subnets as requested by the OpenVPN server directives.

You can manually confirm this as there should now be three tun21 lines:
Code:
route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.0        *               255.255.255.0   U     0      0        0 tun21
192.168.3.0     10.8.0.2        255.255.255.0   UG    0      0        0 tun21
192.168.4.0     10.8.0.2        255.255.255.0   UG    0      0        0 tun21

If clients were able to successfully authenticate prior to the adding of the custom directive
Code:
client-connect /jffs/scripts/VPNClientConnect.sh
then if it is removed, it will no longer call my script and VPN Client connectivity should be as it was originally, albeit in the undesirable single client mode rather than the desired multi-client mode.

If you require further assistance, you will need to show the section of Syslog when the client initiates a (failed) connection.

If there is no sign of a client connection attempt in Syslog, then check the OpenVPN Client device for errors,

i.e.
1. The client device may not be able to resolve (by DDNS) your OpenVPN server etc.
or
2. You may have 'inadvertently' modified the Client config file (/etc/openvpn/server1/client.ovpn) encryption/compression etc. so you may need to export the new client.ovpn and resend it to the clients.
 
Thanks for getting back,

here is a log of client side:
Code:
Feb 13 20:26:17 openvpn[11644]: OpenVPN 2.4.0 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Feb  3 2017

Feb 13 20:26:17 openvpn[11644]: library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.08
Feb 13 20:26:17 openvpn[11645]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 13 20:26:18 openvpn[11645]: TCP/UDP: Preserving recently used remote address: [AF_INET]rem.ote.ipa.ddr:1194
Feb 13 20:26:18 openvpn[11645]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Feb 13 20:26:18 openvpn[11645]: UDP link local: (not bound)
Feb 13 20:26:18 openvpn[11645]: UDP link remote: [AF_INET]rem.ote.ipa.ddr:1194
Feb 13 20:26:18 openvpn[11645]: TLS: Initial packet from [AF_INET]rem.ote.ipa.ddr:1194, sid=b8c7196a 45243e62
Feb 13 20:26:18 openvpn[11645]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Feb 13 20:26:19 openvpn[11645]: VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC68U, emailAddress=me@myhost.mydomain
Feb 13 20:26:19 openvpn[11645]: VERIFY OK: nsCertType=SERVER
Feb 13 20:26:19 openvpn[11645]: VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC68U, emailAddress=me@myhost.mydomain
Feb 13 20:26:19 dnsmasq-dhcp[1044]: DHCPDISCOVER(br0) ma:ca:dd:re:ss:11
Feb 13 20:26:19 dnsmasq-dhcp[1044]: DHCPOFFER(br0) 192.168.3.15 ma:ca:dd:re:ss:11
Feb 13 20:26:19 openvpn[11645]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Feb 13 20:26:19 openvpn[11645]: [RT-AC68U] Peer Connection Initiated with [AF_INET]rem.ote.ipa.ddr:1194
Feb 13 20:26:20 openvpn[11645]: SENT CONTROL [RT-AC68U]: 'PUSH_REQUEST' (status=1)
Feb 13 20:26:21 openvpn[11645]: AUTH: Received control message: AUTH_FAILED
Feb 13 20:26:21 openvpn[11645]: SIGTERM[soft,auth-failure] received, process exiting
I have Dynamic DNS set up on the Server side...
Any ideas?
 
Interesting to be stuck in the middle of something that does not work...
Does anyone else have an idea how to proceed with this?
 