OpenVPN server route to client lan ..how ?

Per

New Around Here
Good people,

I am in urgent need of some help here. It might have a simple solution. Any help is much appreciated.

I've set up an OpenVPN tunnel between two Asus AC-68U routers (Merlin 378.53).
On the client router I have a local LAN 192.168.1.128/25.
On the server router the local LAN is 192.168.4.0/24.

The tunnel is established OK.
The tunnel end-points are 10.9.0.1 (server) and 10.9.0.6 (client)

The server (and PCs on the server LAN 192.168.4.0) can ping 10.9.0.6 OK.
The client (and PCs on the client LAN 192.168.1.128) can ping 10.9.0.1 OK.

So far so good.. but then it stops.

PCs on the client 192.168.1.128 network can ping PCs on the 192.168.4.0 LAN, but not the other way around.

I suspect it is because of routing. The client Asus gets the 192.168.4.0 network pushed, but the server does not get the 192.168.1.128 client network pushed.

i.e. the Asus client routing table looks like this:

Destination    Gateway      Genmask          Flags  Metric  Ref  Use  Iface
192.168.1.1    *            255.255.255.255  UH     0       0    0    WAN
10.9.0.5       *            255.255.255.255  UH     0       0    0    tun12
10.9.0.0       10.9.0.5     255.255.255.248  UG     0       0    0    tun12
192.168.1.128  *            255.255.255.128  U      0       0    0    LAN
192.168.4.0    10.9.0.5     255.255.255.0    UG     0       0    0    tun12
192.168.1.0    *            255.255.255.0    U      0       0    0    WAN
default        192.168.1.1  0.0.0.0          UG     0       0    0    WAN


The Asus OpenVPN server route table:

Destination  Gateway      Genmask          Flags  Metric  Ref  Use  Iface
10.64.64.64  *            255.255.255.255  UH     0       0    0    WAN
10.9.0.2     *            255.255.255.255  UH     0       0    0    tun22
10.9.0.0     10.9.0.2     255.255.255.248  UG     0       0    0    tun22
192.168.4.0  *            255.255.255.0    U      0       0    0    LAN
default      10.64.64.64  0.0.0.0          UG     0       0    0    WAN

(I am a bit puzzled where 10.9.0.2 comes from, as the remote end has 10.9.0.6. The server can not ping .2, it can ping .6. Same on the client side where 10.9.0.5 pops up, but I guess this is how OpenVPN works.)

As you can see, the 192.168.1.128 network does not get pushed from the client to the server, so I need to add that. This is where I need help.


I try:
route add 192.168.1.128/25 via 10.9.0.6 dev tun22
but that just gives me:

"BusyBox v1.20.2 (2015-04-26 22:38:01 EDT) multi-call binary."

I need to tell the server side that the 192.168.1.128 network can be reached via 10.9.0.6.
Please help.....

BTW: I did traceroute from server and client:

On server:
traceroute to 10.9.0.6 (10.9.0.6), 30 hops max, 38 byte packets
1 10.9.0.6 (10.9.0.6) 53.529 ms 91.258 ms 119.747 ms
traceroute to 192.168.1.129 (192.168.1.129), 30 hops max, 38 byte packets
1 212.xx.xx.xxx (212.xx.xx.xxx) 32.466 ms 35.626 ms 39.759 ms
2 * * *
3 * * *
i.e. it goes to the default, public gateway, not via tun22.


On client:
traceroute to 10.9.0.1 (10.9.0.1), 30 hops max, 38 byte packets
1 10.9.0.1 (10.9.0.1) 59.896 ms 64.123 ms 63.375 ms
traceroute to 192.168.4.1 (192.168.4.1), 30 hops max, 38 byte packets
1 192.168.4.1 (192.168.4.1) 62.194 ms 53.282 ms 67.400 ms

Somehow I had expected to see the 10.9.0.0 network on the 192.168.4.1 trace.. (?)

Any help would be great.. thx
 
Well, I can add the client LAN route to 10.9.0.2, but it did not get me much further:

On the server:
admin@RT-AC68U-83A0:/tmp/home/root# ip route add 192.168.1.128/25 via 10.9.0.2

admin@RT-AC68U-83A0:/tmp/home/root# ip route
10.64.64.64 dev ppp0 proto kernel scope link src 94.144.51.223
10.9.0.2 dev tun22 proto kernel scope link src 10.9.0.1
10.8.0.2 dev tun21 proto kernel scope link src 10.8.0.1
10.8.0.0/29 via 10.8.0.2 dev tun21
10.9.0.0/29 via 10.9.0.2 dev tun22
192.168.1.128/25 via 10.9.0.2 dev tun22
192.168.4.0/24 dev br0 proto kernel scope link src 192.168.4.1
127.0.0.0/8 dev lo scope link
default via 10.64.64.64 dev ppp0
admin@RT-AC68U-83A0:/tmp/home/root# ping 192.168.1.129
PING 192.168.1.129 (192.168.1.129): 56 data bytes
^C
--- 192.168.1.129 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

admin@RT-AC68U-83A0:/tmp/home/root# traceroute 192.168.1.129
traceroute to 192.168.1.129 (192.168.1.129), 30 hops max, 38 byte packets
1 * * *
2^C

The client has no problems:

Client: (lan side IP 192.168.1.129)
admin@RT-AC68U:/tmp/home/root# ip route
192.168.1.1 dev eth0 scope link
10.9.0.5 dev tun12 proto kernel scope link src 10.9.0.6
10.9.0.0/29 via 10.9.0.5 dev tun12
192.168.1.128/25 dev br0 proto kernel scope link src 192.168.1.129
192.168.4.0/24 via 10.9.0.5 dev tun12 (pushed by the openvpn server)
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2
127.0.0.0/8 dev lo scope link
default via 192.168.1.1 dev eth0
admin@RT-AC68U:/tmp/home/root# ping 192.168.4.198
PING 192.168.4.198 (192.168.4.198): 56 data bytes
64 bytes from 192.168.4.198: seq=0 ttl=63 time=91.387 ms
64 bytes from 192.168.4.198: seq=1 ttl=63 time=58.813 ms

As mentioned, I do not know OpenVPN, but it seems 10.9.0.1 and 10.9.0.2 are used at the server end of the tunnel, and 10.9.0.5 and 10.9.0.6 are used at the client end. (?)

Anyhow..... From the server, I can not ping the 192.168.1.128 client LAN.

[attachment: upload_2015-5-30_15-46-36.png]


So, from the server side, the client IP is 10.9.0.6, but pointing the client LAN route directly at it does not work:

admin@RT-AC68U-83A0:/tmp/home/root# ip route add 192.168.1.128/25 via 10.9.0.6
RTNETLINK answers: No such process
Also tried .5:
admin@RT-AC68U-83A0:/tmp/home/root# ip route add 192.168.1.128/25 via 10.9.0.5
RTNETLINK answers: No such process

I think what is right is to use the server tunnel point 10.9.0.2 as the gateway for the client 192.168.1.128 network, but when I have that in the server routing table, I do get through still, as shown above.

Any ideas.. ?

thx

PS: for people that are visual like I am, I have done this drawing.

[attachment: upload_2015-5-30_16-12-16.png]
 
I have the same problem! It is just that I use different subnets. I am also looking for a solution. Something is wrong in routing I would say, but I can not find the cause :(

Try to follow this link, but it didn't help me.
Maybe you will have more luck, or a better idea how to get it done:
http://wadihzaatar.com/?p=11
 
I give up!!!
Need to add a config file to jffs/configs/openvpn/ccd1 but I'm unable to connect to the router with WinSCP.
Seems this is a bug or something. Tried everything!!
 
I have telnet enabled and can access the router with PuTTY.
Tried to alter my config file with vi, but can not save it.
 
Found out that when I try to access the router with WinSCP while I'm on WiFi it is not working!
 
mischa,

Right now my solution is to set both routers up as servers AND clients.
That works.

PCs from 192.168.4.0 can access servers on the 192.168.1.128 network (see my drawing in the 2nd post)
AND PCs from the 192.168.1.128 network can access servers on the 192.168.4.0 network.

It seems stupid, but right now that is the only way I can get this going, i.e. I have 2 tunnels, and the routing tables on the 2 routers look like this:


The server with the 192.168.4.0 local LAN:
[attachment: upload_2015-5-31_16-32-16.png]

The server with the 192.168.1.128/25 local LAN:
[attachment: upload_2015-5-31_16-33-39.png]




2 things to remember when setting up the servers:

Port number and tunnel address must be different, so here I have used 10.5.0.0/24 and 10.7.0.0/24 for the tunnel addresses (DHCP setting on the server), and I used ports 1194 and 1195.

This is not optimal, as the routers are forced to run a server and a client session, but until I find out what the problem is, it seems I have to live with 2 tunnels.


peraburek, thanks for the link!

I suspect this is the proper solution.

I will add a ccd file with the info and see if it solves my problem.
I do suspect this is an OpenVPN issue more than a Merlin thing. (Brilliant software, thanks).
 
Per,

I tried the ccd file but had no success; I do think it is indeed an OpenVPN issue!
Used your solution; thought of it much earlier in the process, but didn't want to give up trying.

Maybe Merlin will make a LAN-to-LAN option available in a future build.
For now it is working, although it isn't the most elegant solution.

If anyone has a better solution or answer than using 2 servers and 2 clients, please reply to this topic.
 

I got it working.

Now, the server can see that the client has a network (picture). Before there was only the tunnel end-point.

[attachment: upload_2015-5-31_18-1-8.png]
I did as you said (peraburek, thanks!!):

1)
On the server side I entered this:
[attachment: upload_2015-5-31_18-8-32.png]

2)
and I made a directory:
/jffs/configs/openvpn/ccd1
and created a text file 'client' with 1 line entry "iroute 192.168.1.128 255.255.255.128"

That's it.
The original link you had was quite good:
https://community.openvpn.net/openvpn/wiki/RoutedLans


I did reboot the router after I had done the file; maybe you need to do that.

good luck

/Per
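The fix above works because the server needs two things for a client-side LAN: a kernel route that sends packets for 192.168.1.128/25 into the tun interface (OpenVPN's "route" directive), and an "iroute" line in a client-config-dir file named after the client certificate's Common Name, which tells OpenVPN which connected client owns that LAN. The following POSIX shell script is an added example, not code from the thread or from Asuswrt-Merlin; it generates both pieces for any number of client LANs. The ccd directory path and the Common Name are assumptions supplied by the caller (the thread used /jffs/configs/openvpn/ccd1 and a file named "client"). Both directives take a dotted netmask, so the script converts the CIDR prefix the thread writes as /25.

```shell
#!/bin/sh
# Added example, not from the thread or from Asuswrt-Merlin: emit the
# server-side OpenVPN pieces for a TUN site-to-site setup.
# Assumption: the ccd directory and the client's certificate Common Name are
# chosen by the caller; the thread used /jffs/configs/openvpn/ccd1 and "client".

# cidr_to_mask PREFIXLEN -> dotted netmask, e.g. 25 -> 255.255.255.128
cidr_to_mask() {
    bits=$1
    mask=""
    i=0
    while [ "$i" -lt 4 ]; do
        if [ "$bits" -ge 8 ]; then
            octet=255
            bits=$((bits - 8))
        else
            # top "$bits" bits of this octet set, the rest clear
            octet=$(( (255 << (8 - bits)) & 255 ))
            bits=0
        fi
        mask="${mask}${mask:+.}${octet}"
        i=$((i + 1))
    done
    printf '%s\n' "$mask"
}

# server_lan_routes CCD_DIR COMMON_NAME LAN_CIDR [LAN_CIDR...]
# Writes CCD_DIR/COMMON_NAME with one "iroute" per client LAN (OpenVPN's
# internal routing: which connected client owns that LAN) and prints the lines
# that belong in the server config: one kernel "route" per LAN (so the server
# sends LAN traffic into the tun interface) plus client-config-dir itself.
server_lan_routes() {
    ccd_dir=$1
    cn=$2
    shift 2
    # Validate before writing anything: every LAN must be in CIDR notation.
    for lan in "$@"; do
        case $lan in
            */*) ;;
            *) printf 'need CIDR notation, got %s\n' "$lan" >&2; return 1 ;;
        esac
    done
    mkdir -p "$ccd_dir" || return 1
    : > "$ccd_dir/$cn"
    for lan in "$@"; do
        net=${lan%/*}
        prefix=${lan#*/}
        mask=$(cidr_to_mask "$prefix")
        printf 'route %s %s\n' "$net" "$mask"
        printf 'iroute %s %s\n' "$net" "$mask" >> "$ccd_dir/$cn"
    done
    printf 'client-config-dir %s\n' "$ccd_dir"
}

# Usage with the thread's values (written to a temp dir, not the router's jffs):
# server_lan_routes "$(mktemp -d)" client 192.168.1.128/25
```

The "route" line alone reproduces the state in the second post: the kernel sends packets into tun22, but OpenVPN has no idea which client should receive them and drops them, so the ping times out. The "iroute" line alone would do nothing, since the kernel never hands the packets to OpenVPN. That is also why the manual "ip route add ... via 10.9.0.6" in the thread fails with "No such process": the server kernel only has 10.9.0.2 as a directly connected next hop on tun22, so 10.9.0.6 is not a valid gateway from its point of view. How the Merlin GUI's "Allowed clients" table (later post) produces these directives is not shown in the thread.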
 
Going to try it later this evening, so your file is client.txt and the iroute line is inbetween quotes?
 
Well... file name client (not client.txt).
Just do e.g. vi client (need some basic 'vi' editor skills, google is your friend ;-)
..and no "
[attachment: upload_2015-5-31_18-23-36.png]
 
You don't need to create a "client" file in /jffs/configs/openvpn/ccd1 (or ccd2).

Here is how I did it:
Add the CLIENT LAN IP RANGE on the SERVER SIDE ROUTER: add the CLIENT LAN to "Allowed clients".
Don't get confused with "User Name"; it should be "Common Name". I think this is an ASUS typo.

[attachment: clipboard03.jpg]

Reboot.

After reboot you should see the CLIENT LAN routes (CLIENT LAN 192.168.1.0/24 is listed):

[attachment: clipboard02.jpg]

Proof that I don't have a "client" file. I think this way (GUI config) is more elegant (and newbie friendly) than through telnet/SSH.
Ping from the SERVER SIDE ROUTER (192.168.0.1) to a CLIENT LAN PC (192.168.1.222) works :)
[attachment: clipboard01.jpg]

@moderators - please make this a sticky post (it could/should help a lot of other users with the same OpenVPN issues), and rename it
OpenVPN site-to-site routed LANs - TUN method
 

You should create an article on the Wiki instead, as that's where the official documentation lies. I don't want to fill up the first forum page with stickies that aren't related to the forum itself.
 
