OpenVPN site to site problem

dsds

I have two RT-AC66u routers, each in a different location. I'm trying to set up a site-to-site OpenVPN connection, but am running into what seems to be a routing issue.

The layout is as follows:

Location 1 (OpenVPN server):
- LAN subnet: 10.11.11.0/24
- Router LAN IP: 10.11.11.1

Location 2 (OpenVPN client):
- LAN subnet 10.12.12.0/24
- Router LAN IP: 10.12.12.1

OpenVPN subnet: 10.55.55.0/24

I've configured the server and the client, and they connect successfully. Once connected, I ssh into both routers and try to ping various hosts. From the client router, I can ping the LAN IP of the server router (10.11.11.1), as well as anything on the server LAN. However, from the server router I am unable to ping the client router's LAN IP address (10.12.12.1), nor anything on the client LAN.

This seems to me like a routing issue on the server router's side. I added the client router common name, subnet and mask to the allowed clients field on the server router's configuration, but still can't pass traffic. I'm missing something or have just messed something up.

Here's a screenshot of the allowed clients info:

http://imgur.com/7gcoIhQ
http://imgur.com/WTo57ar

If anyone has any suggestions I'd appreciate the help.

EDIT: Do I need to put anything in the Custom configuration area on the server router?
 
Not a ton of responses. :(

Does anyone have an openvpn site to site setup that's working?
 
[screenshot]

OpenVPN site to site here working successfully, but I am using Shibby's, not Merlin's, firmware.

Suggest you start with a simpler TAP connection from the same subnet as your OpenVPN server router, as this would require no firewall rules in order to ping. Once you have verified the TAP connection is working 100%, you could then work towards a TUN connection if you still wish to....
 
Thanks for the reply. Unfortunately, I can't easily change the client subnet, because it would cause issues on that LAN with existing devices.

Do you think it stands to reason that the problem here is either with the routes or maybe with iptables? If I manually add the route to the server router to define the path to the client LAN and it still doesn't go through, it seems like it would be an iptables issue. At least, that's my current guess.
 
Semi solved

I found that applying the method referenced in the following thread solved the issue for me.

http://forums.smallnetbuilder.com/showthread.php?t=9127&highlight=iroute

After doing the following, I now have full bi-directional connectivity between subnets.

1. Manually created the file "nchouse" in the /etc/openvpn/server1/ccd directory (only exists when the server is running) and added "iroute 10.12.12.0 255.255.255.0"
2. Manually created a route with "route add -net 10.12.12.0 netmask 255.255.255.0 gw 10.55.55.2"

This isn't ideal, because if the server goes down for some reason (power outage or whatever) the tunnel won't come back up until I manually redo that config.

Better than nothing I guess. :)
 
Hi !

I have the same problem!
But the first point:
1. Manually created the file "nchouse" in the /etc/openvpn/server1/ccd directory (only exists when the server is running) and added "iroute 10.12.12.0 255.255.255.0"

How to do this?
In TOOLS -> CMD, what command do I launch to manually create the file?
And why the "nchouse" file? What is this?


But after discovering this.... is it a bug in Merlin's firmware or not?
Some say that with two Tomato firmwares it is working...
Thanks for the reply.
 
In my case, the file is called "nchouse" because that's the CN (common name) of my openvpn client. In your case I'm sure it will have a different name. This is the name you gave the client when generating the certificate.

You can see my connected client's name in this screenshot.
[screenshot]


I created the file and added the route by ssh'ing into the router. I'm not sure if there's a way to do it from the GUI.
 
Thanks for reply.
Can you tell me step by step how you created the file, edited it with iroute, and put it in the router?

I don't know how to do it....

Perhaps with telnet... but the commands?
Thanks a lot
 
You can do it with either telnet or ssh. You can think of SSH as basically an encrypted version of telnet.

So you would:
1. Enable telnet (or ssh) in the router in the Administration -> System menu of the router.
2. Then you connect to the router through telnet (or ssh).
3. At the prompt, you can type the following:

echo "iroute 10.12.12.0 255.255.255.0" > /etc/openvpn/server1/ccd/yourcn

Your subnet probably isn't 10.12.12.0, so you should change it to what it is in your setup. You also need to change the yourcn to the common name of your client.

4. Add the route to the routing table with:

route add -net 10.12.12.0 netmask 255.255.255.0 gw 10.55.55.2

Once again, change the subnet (10.12.12.0) to what is relevant in your setup. You also need to change the gateway address (10.55.55.2) to the correct address in your router. You can find this out by typing:

ip addr sh

In the results, one of the interfaces will start with "tun". Here is the example from my router:

34: tun21: <POINTOPOINT,MULTICAST,NOARP,PROMISC,UP,10000> mtu 1500 qdisc pfifo_fast qlen 100
link/[65534]
inet 10.55.55.1 peer 10.55.55.2/32 scope global tun21

The peer address (10.55.55.2 in this example) is the one you want.

That should do it.
 
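The two manual steps in the post above (the "iroute" line in the client's ccd file, then the kernel route via the tun peer address) are needed together: the iroute tells the OpenVPN process which connected client owns the remote subnet, and the kernel route tells the router to hand packets for that subnet to the tunnel interface in the first place. The script below, an added example that is not from the thread or from the firmware, automates both steps on the server router. It takes the ccd directory /etc/openvpn/server1/ccd, the interface name tun21 and the client CN nchouse from the posts; the sample `ip addr sh` text is constructed for the dry run, and the helper names (ccd_line, tun_peer, route_cmd, apply_site_to_site) are my own.

```shell
#!/bin/sh
# Added example (not from the thread): automate the iroute + kernel route
# steps on the OpenVPN server router. Run on the router as "sh script.sh apply";
# with no argument it only exercises the helpers on constructed sample text.

CCD_DIR="/etc/openvpn/server1/ccd"   # from the thread; exists only while the server runs
CLIENT_CN="nchouse"                  # CN of the client router's certificate (from the thread)
CLIENT_NET="10.12.12.0"              # LAN behind the client router
CLIENT_MASK="255.255.255.0"

# The line OpenVPN needs in the client's ccd file so it knows which
# client owns the remote subnet.
ccd_line() {
    printf 'iroute %s %s\n' "$1" "$2"
}

# Pull the peer address of the first tun interface out of `ip addr sh`
# text read from stdin. The peer address is the gateway the kernel route
# must point at (10.55.55.2 in the thread's tun21 example).
tun_peer() {
    awk '
        /^[0-9]+: tun/ { in_tun = 1; next }
        /^[0-9]+: /    { in_tun = 0 }
        in_tun && $1 == "inet" {
            for (i = 1; i <= NF; i++)
                if ($i == "peer") { sub(/\/.*/, "", $(i + 1)); print $(i + 1); exit }
        }'
}

# The route command the thread typed by hand as step 4, as a string.
route_cmd() {
    printf 'route add -net %s netmask %s gw %s\n' "$1" "$2" "$3"
}

# Constructed sample of `ip addr sh` output, modelled on the tun21 block
# quoted in the thread, so the helpers can be checked off the router.
SAMPLE_IP_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    inet 127.0.0.1/8 scope host lo
34: tun21: <POINTOPOINT,MULTICAST,NOARP,PROMISC,UP,10000> mtu 1500 qdisc pfifo_fast qlen 100
    link/[65534]
    inet 10.55.55.1 peer 10.55.55.2/32 scope global tun21'

apply_site_to_site() {
    # The ccd directory only exists while the server runs; refuse otherwise.
    [ -d "$CCD_DIR" ] || { echo "$CCD_DIR missing: is the OpenVPN server running?" >&2; return 1; }
    peer=$(ip addr sh | tun_peer)
    [ -n "$peer" ] || { echo "no tun interface with a peer address found" >&2; return 1; }
    # Written now, but OpenVPN only reads it when the client (re)connects.
    ccd_line "$CLIENT_NET" "$CLIENT_MASK" > "$CCD_DIR/$CLIENT_CN"
    # The kernel route takes effect immediately.
    route add -net "$CLIENT_NET" netmask "$CLIENT_MASK" gw "$peer"
}

if [ "${1:-}" = "apply" ]; then
    apply_site_to_site
else
    # Dry run on the constructed sample: show what would be written and run.
    peer=$(printf '%s\n' "$SAMPLE_IP_ADDR" | tun_peer)
    echo "ccd file $CCD_DIR/$CLIENT_CN: $(ccd_line "$CLIENT_NET" "$CLIENT_MASK")"
    echo "would run: $(route_cmd "$CLIENT_NET" "$CLIENT_MASK" "$peer")"
fi
```

After running it with "apply", disconnect and reconnect the client so the server picks up the new ccd file. Nothing here persists across a reboot, which is exactly the drawback the "Semi solved" post describes; re-running the script once the server is up is the minimum, and hooking it into whatever per-firmware startup or OpenVPN event script your build offers (an assumption to check against your firmware's documentation, not something the thread verified) is the way to make it survive a power outage.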
Thanks for the reply !

I followed YOUR STEP BY STEP GUIDE, but my problem is still there.
I cannot get to my client network.
In my case the common name of the client is JobClientDITTA and the subnet is 192.168.0.0 255.255.255.0

So I went into the router via telnet and I have written exactly this:
echo "iroute 192.168.0.0 255.255.255.0" > /etc/openvpn/server1/ccd/JobClientDITTA

and then I created the route writing
route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.8.0.2

I checked with ip addr sh that the gateway to use is actually 10.8.0.2

To check that everything was created correctly, I went into the folder /etc/openvpn/server1/ccd/ via telnet and typed cat JobClientDITTA
It actually contains iroute 192.168.0.0 255.255.255.0
The route is created correctly, as shown by typing route -e
But if I type ping 192.168.0.1 it tells me Request timed out... I cannot reach it.
:(
 
In the openvpn server gui, check how you have the Manage Client-Specific Options set. I don't know if it's actually doing anything, but it doesn't hurt to try.

Here's what mine looks like:
[screenshot]


The other thing I would ask, was whether the client was already connected when you added the JobClientDITTA file and the route. I think it only applies the info from the file when it is first negotiating the connection with the client. I would try to disconnect and reconnect the client, to see if it applies it then.

You can check the system log in the server router to see what is going on during the connection. When mine connects I see the following lines written:
[screenshot]
 