Narbat
New Around Here
I need help with openvpn. I can't get the openvpn server on my AC66U to route packets to/from the LAN side of the router.
The client *does* connect to the VPN. From the client I can ping the server's VPN address and the LAN address. I can also ssh, http, etc. to the server's LAN address from the client. That all works perfectly. I cannot, however, ping or connect to any of the other hosts on the LAN.
To be perfectly clear: From the client I ping 192.168.1.1 and I get a response. I ping 192.168.1.2 and I get nothing back. I can also ssh to 192.168.1.1 but get a timeout when I ssh to 192.168.1.2.
I'm 99% sure my client is configured correctly. The routing tables look right, and I've verified with Wireshark that packets to 192.168.1.0/24 are being sent on the client's VPN interface. Looking at my client's physical interface I can see encrypted packets caused by the pings. So packets are leaving the client.
These packets are not arriving at the hosts on the LAN, with the exception of the router's LAN port. There must be some routing magic not happening on the router.
Here's the openvpn config and the routing tables from the router. I've tried a million variations with and without the custom config lines, with and without the client config file, etc. I can't find anything that works. Suggestions? Please?
Code:
+----------------+ +----------------+
|LAN 192.168.1.2 | |LAN 192.168.1.3 | ....
+----------------+ +----------------+
        |                  |
        +------------------+-------- ....
        |
      {lan}
        |
+----------------+
|LAN 192.168.1.1 |
|                | server
|WAN xx.xx.xx.xx | (rt-ac66u)
|VPN 10.150.207.5|
+----------------+
        |
      {vpn}
        |
+----------------+
|VPN 10.150.207.6| client
+----------------+
Code:
# Automatically generated configuration
daemon
server 10.150.207.0 255.255.255.0
proto udp
port 1194
dev tun21
keepalive 15 60
verb 3
push "route 192.168.1.0 255.255.255.0"
client-config-dir ccd
route 192.168.1.0 255.255.255.0
push "dhcp-option DNS 192.168.1.1"
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status
# Custom Configuration
multihome
route 192.168.1.0 255.255.255.0
route 10.150.207.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "route 10.150.207.0 255.255.255.0"
admin@RT-AC66R:/tmp/etc/openvpn/server1# cat ccd/marimac
iroute 192.168.1.0 255.255.255.0
Code:
admin@RT-AC66R:/tmp/etc/openvpn/server1# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.150.207.2    0.0.0.0         255.255.255.255 UH    0      0        0 tun21
98.209.16.1     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
10.150.207.0    10.150.207.2    255.255.255.0   UG    0      0        0 tun21
xx.xx.xx.0      0.0.0.0         255.255.252.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         xx.xx.xx.1      0.0.0.0         UG    0      0        0 eth0
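Added example, not part of the post above: a small Python script that parses the router's `route -n` table as posted, does the longest-prefix lookup the kernel does, and traces the client to LAN host round trip against a constructed LAN-host routing table. The LAN-host table, the client address 10.150.207.6 and the 203.0.112.0/22 addresses standing in for the masked xx.xx.xx WAN values are assumptions; the check it performs is whether the LAN host's reply to the VPN client is sent back to the router at all, which is one thing to verify when the router itself answers but other LAN hosts do not.

```python
import ipaddress

# Constructed copy of the router's `route -n` output from the post (the
# masked xx.xx.xx WAN addresses are replaced with 203.0.112.0/22 so it parses).
ROUTER_ROUTES = """\
10.150.207.2    0.0.0.0         255.255.255.255 UH    0      0        0 tun21
98.209.16.1     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
10.150.207.0    10.150.207.2    255.255.255.0   UG    0      0        0 tun21
203.0.112.0     0.0.0.0         255.255.252.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         203.0.112.1     0.0.0.0         UG    0      0        0 eth0
"""

# Assumed (constructed) table of a LAN host, 192.168.1.2, whose default
# gateway is NOT the router: it has no route back to the VPN subnet.
LAN_HOST_ROUTES = """\
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
"""

def parse_route_n(text):
    """Parse `route -n` body lines into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        dst, gw, mask, *_rest, iface = line.split()
        net = ipaddress.ip_network(f"{dst}/{mask}", strict=False)
        routes.append((net, gw, iface))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, the way the kernel picks a route for dst.
    Returns (iface, next_hop) with next_hop None for directly attached."""
    ip = ipaddress.ip_address(dst)
    hits = [r for r in routes if ip in r[0]]
    if not hits:
        return None
    _net, gw, iface = max(hits, key=lambda r: r[0].prefixlen)
    return (iface, None if gw == "0.0.0.0" else gw)

def round_trip(router, lan_host, client_ip, host_ip, router_lan_ip):
    """Trace VPN client -> LAN host, then the host's reply toward the client.
    Returns (router_forward_iface, host_reply_next_hop, path_is_symmetric)."""
    fwd_iface, _ = lookup(router, host_ip)      # router sends packet onto br0
    hit = lookup(lan_host, client_ip)           # host chooses a next hop back
    reply_gw = hit[1] if hit else None
    ok = fwd_iface == "br0" and reply_gw == router_lan_ip
    return fwd_iface, reply_gw, ok
```

The script flags the constructed host, whose reply leaves via 192.168.1.254; a host table with a default route via 192.168.1.1, or an explicit route for 10.150.207.0/24 via 192.168.1.1, passes the check.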