OpenVPN server can't see client's LAN on Site to site connection

@AbOrigine - here is an example of how to get it working

On my ASUS router, on the VPN server side (192.168.0.1), I have added a client1 entry 192.168.1.0/255.255.255.0
and the connection works both ways; no need for additional scripts or anything else


VPN client side and VPN server side can't use the same IP range

Hi peraburek,
Do you have a user login in OpenVPN with the name client1?
Could you please show the whole configuration?
Thanks
 
Peraburek, thanks for the info.
So my problem is that if two or more different clients connect to a server, then the clients can't see each other.
I mean, let's say the server is 192.168.5.1, one client is 192.168.3.1, another 192.168.4.1, another 192.168.6.1, etc. 3.1 can see 5.1 and 4.1 can see 5.1, but 3.1 cannot see 4.1 or the other way around.
I am trying to have all clients communicate with each other through one server, but it does not seem to be working.
 
Hi guys,

I have two routers in different locations: an ASUS RT-AC55U with original firmware, 192.168.2.1, which will be referred to as server, and an Asus RT-N10U with AdvancedTomato firmware, 192.168.3.1, which will be referred to as client. The client will be connected to the server permanently using OpenVPN. I think it would be very easy if both had Tomato/DD-WRT/Merlin firmware, but the AC55U has neither Tomato, DD-WRT nor Merlin firmware available for it.

Here is a manual for how I got everything working for myself.

I needed to connect those two networks and
* use TUN protocol (because TAP is not iphone compatible)
* be able to have client - client connections (iphone on mobile network -> OpenVPN to server -> connect to clients router devices)
* have access to Samba share on server from devices on client router, and from other VPN clients(iphone)

Server (Asus fw):
OpenVPN server set up using the Asus web interface:
1. General config: two users defined: router (for the Tomato VPN client connection) and iphone.
2. Advanced settings: basically all default settings for the TUN protocol (TUN, UDP, 1194, Auto Firewall, TLS authorization, User/Pass Auth. Only set to No, HMAC disabled, VPN Subnet 10.8.0.0 with mask 255.255.255.0, poll 0, Push LAN to clients yes, direct clients to redirect Internet traffic no, respond to DNS yes, Advertise DNS no, Manage Client-Specific Options yes, Allow Client <> Client yes, Allow only specified clients no)
3. Allowed clients must be empty (the script will take care of that)
4. Custom configuration
Code:
script-security 2
# Assign static I/P addresses to clients (and optionally add ADVANCED CCD directives)
client-connect /jffs/scripts/VPNClientConnect.sh
route 192.168.3.0 255.255.255.0 vpn_gateway
route 192.168.4.0 255.255.255.0 vpn_gateway
push "route 192.168.3.0 255.255.255.0"
push "route 192.168.4.0 255.255.255.0"
Note here - 192.168.4.0 is defined and pushed for the iphone client, which I later might use for another router. Currently it doesn't mess with my iphone connection, so I left it like this.
5. Edit Martineau's VPNClientConnect.sh script (from https://www.snbforums.com/threads/o...e-to-site-connection.24268/page-4#post-306591). The router and iphone usernames from step 1 are configured in the script accordingly. router has network 192.168.3.0, which is the main part that I need to get working.
Code:
#!/bin/sh
#=============================================================================
#
# This VPN Server custom script will create a CCD/tmp_file based on 'User names' when they share the same 'Common name' e.g. 'client'
#
#   i.e. CCD file '/jffs/configs/openvpn/ccd1/client' is inappropriate for multiple concurrent clients
#
# The remote subnets for each individual User (identified by login credentials) will be defined etc.
#
# e.g.  VPN Server 192.168.5.0 will host two clients (each with its own LAN subnet) and all three will communicate with each other over the VPN tunnels
#
# Requires VPN Server directives:
#
#       client-to-client
#       duplicate-cn
#       # Custom Configuration
#       client-connect /jffs/scripts/VPNClientConnect.sh
#
# OpenVPN invokes a client-connect script with the temporary CCD file path as $1
# and exports the client's details (username, common_name, trusted_ip,
# trusted_port, tun_mtu) as environment variables.
CCD_FILE="$1"

logger -st "($(basename "$0"))" $$ "VPN Client user '$username' CCD configuration starting.... [$*]"

# Configure the VPN Client CCD/file dynamically
STATUS="OK"    # Let's be positive! ;-)

# Identify client by login name; each iroute must match a 'route' line in the server config
case "$username" in
   "router")
              echo "iroute 192.168.3.0 255.255.255.0" >>"$CCD_FILE"
              ;;
   "iphone")
              echo "iroute 192.168.4.0 255.255.255.0" >>"$CCD_FILE"
              ;;
   *)
    STATUS="FAIL"
    ;;
esac

if [ "$STATUS" = "OK" ]; then
   logger -st "($(basename "$0"))" $$ "VPN Client user '$username' CCD config:" "$(cat "$CCD_FILE")"
else
   echo -e "\a"
   logger -st "($(basename "$0"))" $$ "**WARNING VPN Client user '$username' not defined - dynamic CCD config skipped."
fi

#Send_email [file | "A_single_line_text_message_in_quotes_to_be_emailed" ] [email_method]
TEMPFILE="/tmp/VPNClientConnect${username}.txt"
echo "Common Name: $common_name" >>"$TEMPFILE"
echo "Username: $username" >>"$TEMPFILE"
echo "I/P: $trusted_ip" >>"$TEMPFILE"
echo "PORT:$trusted_port" >>"$TEMPFILE"
echo "MTU: $tun_mtu" >>"$TEMPFILE"
#Send_email $TEMPFILE

logger -st "($(basename "$0"))" $$ "VPN Client CCD configuration ended."

# Always exit 0: a non-zero exit from client-connect makes OpenVPN reject the
# client, and unknown users (road warriors) are meant to connect without an iroute.
exit 0
6. Now create the /jffs/scripts/VPNClientConnect.sh script mentioned in the Custom configuration.
ssh to the server, using the admin user/password from the web admin.
Code:
mkdir /jffs/scripts
vi /jffs/scripts/VPNClientConnect.sh
#in this step paste the script into the file
#copy the script from its source,
#:set noautoindent
#i
#Shift+Insert, Esc
#:wq
#Enter
chmod +x /jffs/scripts/VPNClientConnect.sh
This seems to be all that is needed for the client to connect to the server, and the iphone VPN client can connect to devices on the client router network, which is connected through OpenVPN.

Samba share set up using the Asus web interface.
The problem in the end is that the iphone can connect through the VPN server to the Samba share, but the client router's clients cannot, because their IPs are 192.168.3.X (the iphone's IP apparently appears as 10.8.0.X to the Samba server).
Next I used the work of https://github.com/dnlongen/ASUSWRT_Samba_Fixer
ssh to the server, and
Code:
#create a copy of the original smb.conf
cp /etc/smb.conf /jffs/smb.conf
vi /jffs/smb.conf
#now, find the "hosts allow = 127.0.0.1 192.168.2.1/255.255.255.0  10.8.0.0/255.255.255.0" line and add " 192.168.3.1/255.255.255.0" at the end of it
#the samba connection for me didn't work until I changed this line in both the [global] and [ipc$] sections.
#I created the fixsamba file as fix_things.sh in order to add additional things there later
vi /jffs/scripts/fix_things.sh
#put the https://github.com/dnlongen/ASUSWRT_Samba_Fixer/blob/master/fixsamba script there the same way as was done in step 6 of the VPN server configuration.
#make this script run on the USB mount event, which as I understood is the only way to execute scripts as close to router startup as possible.
chmod 755 /jffs/scripts/fix_things.sh
nvram set script_usbmount="/jffs/scripts/fix_things.sh"
nvram commit
Now, clients of the client router can connect to the Samba share on the server router.

Client (Tomato):
Set up as OpenVPN Client (Start with WAN checked, Interface Type TUN, Protocol UDP, server address and port: those of your server, Firewall automatic, authorization TLS, Username/Password Authentication checked, Username: router, Password: whateverpasswordissetforrouter, Username Authen. Only unchecked, Extra HMAC authorization (tls-auth) Disabled, Create NAT on tunnel unchecked).
In advanced (Redirect Internet traffic unchecked, Ignore Redirect Gateway (route-nopull) unchecked, Accept DNS configuration Relaxed).
Keys - those keys that are saved in the .ovpn file obtained from the server.

That's basically it. The client router is connected to the server router through OpenVPN. Devices on the server router can connect to clients on the client router and vice versa. Another VPN client (iphone) can connect to client router clients or server router clients. Devices from both the server and client routers have access to the Samba share on the server router, as does the iphone VPN client.
 
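Editor's added example, not part of the post above or of the ASUSWRT_Samba_Fixer project: the hosts allow edit from the Samba step done by script instead of in vi, so it can be repeated from a startup hook without appending the subnet a second time. The function names and the make_sample_conf fixture are the example's own; the subnet is written exactly the way the post writes it.

```shell
#!/bin/sh
# Editor's example, not from the post or from ASUSWRT_Samba_Fixer: idempotently add a
# subnet to every "hosts allow" line of an smb.conf copy (the post needed both the
# [global] and [ipc$] sections). Function names are assumptions.

# add_hosts_allow <smb.conf> <subnet>
# Appends <subnet> to each "hosts allow =" line that does not already list it as a
# whole token, so repeated runs leave the file unchanged.
add_hosts_allow() {
    conf="$1"; net="$2"; tmp="$conf.tmp.$$"
    awk -v net="$net" '
        /^[ \t]*hosts allow[ \t]*=/ {
            n = split($0, tok); found = 0
            for (i = 1; i <= n; i++) if (tok[i] == net) found = 1
            if (!found) $0 = $0 " " net
        }
        { print }
    ' "$conf" >"$tmp" && mv "$tmp" "$conf"
}

# count_hosts_allow_with <smb.conf> <subnet>: number of hosts allow lines listing it.
count_hosts_allow_with() {
    awk -v net="$2" '
        /^[ \t]*hosts allow[ \t]*=/ {
            n = split($0, tok)
            for (i = 1; i <= n; i++) if (tok[i] == net) { c++; break }
        }
        END { print c + 0 }
    ' "$1"
}

# make_sample_conf <dir>: writes a constructed smb.conf fragment (not a real router's
# file) with the two "hosts allow" lines the post mentions, and prints its path.
make_sample_conf() {
    printf '%s\n' '[global]' \
        'hosts allow = 127.0.0.1 192.168.2.1/255.255.255.0  10.8.0.0/255.255.255.0' \
        '[ipc$]' \
        'hosts allow = 127.0.0.1 192.168.2.1/255.255.255.0  10.8.0.0/255.255.255.0' \
        '[share]' 'path = /tmp/mnt/share' >"$1/smb.conf"
    echo "$1/smb.conf"
}

# On the router, mirroring the post's steps (commented out so the file runs offline):
# cp /etc/smb.conf /jffs/smb.conf
# add_hosts_allow /jffs/smb.conf 192.168.3.1/255.255.255.0
```

hosts allow is a source-address allow list, and LAN clients behind the Tomato router reach Samba with their 192.168.3.x addresses because nothing is NATed on the tunnel, which is why the tunnel's own 10.8.0.0/255.255.255.0 entry was enough for the iphone but not for them. Run the function against the copy in /jffs before fixsamba installs it.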
Thanks Barefoot,
One question: if you add user x (road warrior) just in the OpenVPN server user page,
can user x connect to both sites?
 
Yes, a new user (roadwarrior) can connect to both sites (server router clients and client router clients). If the roadwarrior happened to be a third router with its own subnet of users, that subnet would be unavailable without script modification.
 
Hi all,
First post here. I have been lurking and learning over the past week. I am trying to get this going for 3 sites. I followed all the steps outlined by several posters here. All is in place, but I am unable to get the VPNClientConnect script to run. The problem is that it appears the username variable is not being passed to the script. Below are the relevant lines from the syslog on the server:

Code:
Jul 23 18:45:31 (VPNClientConnect.sh): 23404 VPN Client user '' CCD configuration starting.... [/tmp/openvpn_cc_f0b6122bf4b3e88a0545d4b828995b33.tmp]
Jul 23 18:45:31 (VPNClientConnect.sh): 23404 **WARNING VPN Client user '' not defined - dynamic CCD config skipped.
Jul 23 18:45:31 (VPNClientConnect.sh): 23404 VPN Client CCD configuration ended.

Can someone tell me why this is happening? Thanks in advance.
 
Never mind. Dumb mistake. I did not have "Username/Password Authentication" enabled on the server. A gremlin must have unchecked it for me... Amazing how something so simple can cost one hours and miles driven...
 
Are you implying that my script's info and warning message is too cryptic? :p

Glad you worked it out, and kudos for publicly confessing to a PEBKAC moment! :D
 
Hi All,

Does anyone know how to enable one-way access in OpenVPN?
I mean, when multiple clients connect to the OpenVPN server and they connect to each other too, and let's say the server is 192.168.5.0 and the clients are 192.168.4.0, 192.168.3.0, 192.168.6.0, etc. If I want to prevent 192.168.6.0 from accessing the server or any other clients, but still have the others and the server accessing 192.168.6.0, is it possible?

Thanks in advance
 
I know I am reviving an old post, but I could use some advice on getting a 2nd client to work with the site-to-site VPN. I was able to follow the instructions above and get this to work with Site A (Server) and Site B (Client1), but Site C is getting a connection issue where it won't connect. Using SSH I was able to create the directories /configs/openvpn/ccd1 and then the command vi client to create the client file with the iroute. All 3 sites are on different subnets, so there is no conflict. I am using TUN and just pushing the LAN, not DNS or Internet traffic. TLS auth is checked. I added the Route and Push to the custom config box. Client1 works great connecting to the server; I can see both LANs from Client > Server and from Server > Client.

I exported the same .ovpn file to Client2. It has client in text at the very top. Since the OP said you need to have separate files for each client, the only change I made was to rename the .ovpn file to client2 and edit the client part in the file and change it to client2. I created a second client2 file inside /jffs/configs/openvpn/ccd1 and set the iroute for that client2 subnet. I added the additional route and push in the custom config box on the server, saved, and restarted both the server and client 1 and client 2.

I tried connecting from client 2 and no dice; it fails the connection and I can't figure out why. Any help or ideas on what I need to change to allow it to connect? *Note: I did try renaming the line back to client from client2 inside client2.ovpn and it connects, but then it gets the routing conflict.

Setup:
3 Sites: Server, Client1 and Client2
Server = RT-AC68R on stock ASUSWRT Firmware Version: 3.0.0.4.380_7266
Client1 = RT-AC68R on stock ASUSWRT Firmware Version: 3.0.0.4.380_7266
Client2 = RT-AC5300 on Merlin's Firmware: 380.65_2

Wingsfan87, do you have a guide for connecting the two routers with OpenVPN on Asus stock firmware???
By default the PCs from the client site can ping the whole network on the server site, but not the other way...
I hope you have the time to help ;-)
 
@MMP76 I don't have a guide, but 7 posts up (#103) @Barefoot wrote up very clear step-by-step instructions. It is for stock Asus firmware. I have tested the steps on 2 Asus routers, 1 RT-AC3100 and 1 RT-AC68U, running the latest stock version (not Merlin's) and it works perfectly.

*note* the OpenVPN server restarts automatically if the router is rebooted, and the script stays as well; no issues after a reboot. I tested this as well, since technically the options for auto server start and auto client connect on WAN aren't in stock, but it still does so by default.
 
Can someone shed some light on my previous question?

I am trying to prevent a specific client connected via OpenVPN from accessing either server or other client resources.
My current setup is like this:
Server: 192.168.5.1
Client 1: 192.168.3.1
Client 2: 192.168.4.1
Client 3: 192.168.6.1

All clients communicate with the server and each other. I am looking for a way to prevent one specific client (in this case "client 3" - 192.168.6.1) from accessing either the server's or the other clients' resources, but I would like the server and the other clients to be able to access the "client 3" LAN.
All routers are running the latest (as of May 2018) Merlin firmware.

Thanks!
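Editor's added example for the one-way access question above; nobody in the thread posted an answer, so this is not any poster's configuration. It prints (or, with apply, runs) iptables rules on the OpenVPN server router that let the server LAN and the other sites open connections into 192.168.6.0/24 while refusing new connections coming out of it. The assumptions are stated in the comments: the server's tunnel interface name (tun21, OpenVPN server 1 on Asuswrt-Merlin), no NAT on the client tunnel, and, most importantly, that Allow Client <> Client is turned off, because with it on OpenVPN relays client-to-client packets inside the daemon and the kernel firewall never sees them.

```shell
#!/bin/sh
# Editor's example, not an answer given in the thread: firewall rules on the OpenVPN
# server router for one-way access to a single client site. Assumptions: the server
# interface is tun21 (OpenVPN server 1 on Asuswrt-Merlin), client LANs arrive with
# their real source addresses (no NAT on the tunnel), and the server's
# "client-to-client" option is OFF. With client-to-client on, OpenVPN passes packets
# between clients inside the daemon, so iptables could not restrict that traffic.

VPN_IF="${VPN_IF:-tun21}"

# one_way_rules <restricted LAN, CIDR>
# Prints the iptables commands. Both -I insert at the top of the chain, so the DROP
# is emitted first and the ESTABLISHED,RELATED ACCEPT ends up above it: the
# restricted LAN may answer connections opened toward it, but cannot open new ones
# toward the server router (INPUT) or toward anything routed through it, i.e. the
# server LAN and the other clients' LANs (FORWARD).
one_way_rules() {
    lan="$1"
    echo "iptables -I FORWARD -i $VPN_IF -s $lan -j DROP"
    echo "iptables -I FORWARD -i $VPN_IF -s $lan -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -I INPUT -i $VPN_IF -s $lan -j DROP"
    echo "iptables -I INPUT -i $VPN_IF -s $lan -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# apply_one_way_rules <lan>: run the commands (needs root on the router). Call it from
# /jffs/scripts/firewall-start on Merlin so the rules come back after a firewall restart.
apply_one_way_rules() {
    one_way_rules "$1" | sh -e
}

# Example invocation on the router:  sh this_script.sh apply 192.168.6.0/24
case "$1" in
    apply) apply_one_way_rules "$2" ;;
esac
```

The rules match the LAN subnet, so the restricted router itself, which talks with its 10.8.0.x tunnel address, is not covered; repeat the four lines with that address if it should be restricted too. Check the result with iptables -L FORWARD -n -v --line-numbers: the ACCEPT for ESTABLISHED,RELATED must sit at line 1 and the DROP at line 2, otherwise replies from the other sites' connections into 192.168.6.0/24 are dropped as well.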
 
