Problem merging two Lan's through OpenVPN

[Mike77]

Hi guys,

The goal is to merge two separate lan's over the internet with OpenVPN. All machines have to be able to see eachother, file shares have to work, and I have to be able to connect to webcam's.

I'm trying to connect two asus rt-ac68u routers (newest merlin build, I know it will be slow) with a TAP connection. At the moment one of them has the server running (ip specs, 192.168.2.1, 255.255.255.0, DHCP 100 to 254) and the other is the cliënt (ip specs, 192.168.4.254, 255.255.255.0, DHCP 192.168.4.1 to 253). the machines seem to have a connection, but I can't ping the server from a laptop on the other network. Forthermore none of the machines show up, or can be accessed.

When I change the subnet on the cliënt side to 255.255.248.0 I can see some machines (all windows machines) on the other network and I can even use remote desktop t access them. but I still can't ping het router on the server side (192.168.2.1 (host unreachable) or even the machines I can see and use a remote desktop on?

I've already tried it with a laptop (Windows 10) as the OpenVPN cliënt. That seems to work and I can see all machines on the other network.

Can anyone help me with this?

 

[bilboSNB]

Isn't TAP like a network extension/bridge in which case I think both sides need to be on the same subnet?

 

[Mike77]

Isn't TAP like a network extension/bridge in which case I think both sides need to be on the same subnet?

So, if I understand you correctly I should change the IP and IP range and subnet to match each other.

Lets say, The server should be 192.168.2.0/24, with a local DHCP range of 192.168.2.1 to 192.168.2.99 and VPN range of 192.168.2.100 to 192.168.2.254, and then the cliënt side should be 192.168.2.0/24, with a local DHCP range of 192.168.2.100 to 192.168.2.254 ?

What about the gateways on both sides? I have on now at 192.168.2.1 and one at 192.168.4.254 (should this one be 1922.168.2.254?)

Or do you mean just the subnet /24 ? Can a host on 192.168.0.2/255.255.248.0 even see a host on 192.168.4.2/255.255.248.0 ? How do the asus routers handel this?

Edit: I just tried something like the formentioned by changing the subnet on the server side to 248. So both the cliënt and the server assus rt-ac68u are now on the same subnet. On the cliënt side I can now see a couple of the hosts from the server side, but I can't reach them (ping: host unreachable; remote desktop: nope). And the strange thing is that sometimes it shows media devices (server side hue bridge) and sometimes it doesn't.

So If anyone can help me?

 

[Shonk]

Im also interested joining two lan's
i wish someone would do a guide with screenshots..

 

[bilboSNB]

If you want to stick with TAP both sides need to be on the same subnet eg 192.168.1.x 255.255.255. 0 ( 192.168.1.0/24) and the dhcp servers need to be handing out non over lapping ip addresses on the same subnet eg router 1: router 192.168.1.1 , 192.168.1.2 - 192.168.1.100 router 2: 192.168.1.100, 192.168.1.101 - 200

If you want to use separate subnets change to TUN which is a routed connection and add the appropriate routes.

See this and prob many more threads for info if you have a search:
http://www.snbforums.com/threads/request-help-on-site-to-site-openvpn.23304/

 

[Mike77]

If you want to stick with TAP both sides need to be on the same subnet eg 192.168.1.x 255.255.255. 0 ( 192.168.1.0/24) and the dhcp servers need to be handing out non over lapping ip addresses on the same subnet eg router 1: router 192.168.1.1 , 192.168.1.2 - 192.168.1.100 router 2: 192.168.1.100, 192.168.1.101 - 200

If you want to use separate subnets change to TUN which is a routed connection and add the appropriate routes.

See this and prob many more threads for info if you have a search:
http://www.snbforums.com/threads/request-help-on-site-to-site-openvpn.23304/

Bilbo, thanks for the link and your answer.

Reading through the link I read something about a problem with DHCP on both sides of the VPN and blocking it. Can anyone tell me how to do this? Can I do this in the Merlin GUI?

 

[ColinTaylor]

Reading through the link I read something about a problem with DHCP on both sides of the VPN and blocking it. Can anyone tell me how to do this? Can I do this in the Merlin GUI?

It looks like the answer is in post #11 of the topic that bilboSNB linked to which also refers to http://www.linksysinfo.org/index.php?threads/block-dhcp-over-openvpn-bridge.36739/
So you can't do it in the GUI you'll have to create a script.

 

[Mike77]

It looks like the answer is in post #11 of the topic that bilboSNB linked to which also refers to http://www.linksysinfo.org/index.php?threads/block-dhcp-over-openvpn-bridge.36739/
So you can't do it in the GUI you'll have to create a script.

Colin, thanks. Yes, that's how I found out about it. But it's not really an answer for me, because I seem to lack the necessary knowledge. If I get it right I have to put a script in the server router, but could do it in both routers. The second thing is that I can't do it through the GUI.

So there my knowledge ends. If been googeling how to do this. It seems to me that I have to use SSH. Didn't know what that was, but If i got it right it's some way to access the router, with help of a program. So I found out that I could use somthing called Putty, and that I have to go to some directory on the router and ad the script. But I'm not shure what script (there are a couple of examples, but which one?), do I ad the script text to the directory or should I put it in somekind of file (txt document?), can I do this in word and then just put the file in the directory, afther which it wil work?

I'm kinda out of my depth here...

 

[bilboSNB]

something like this but add dest interface for vpn (get that from ifconfig)

#!/bin/sh
ebtables -A INPUT --in-interface tap21 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT --in-interface tap11 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap21 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap11 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP

If it works for rmerlin, i dont know.

See what the correct tap numbers should be by gui system log > routing table.

https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts (firewall-start) <=== create this file is the jffs scripts folder, jffs must be enabled in the gui.

I do it using a program called winscp, very easy to do. Right click the files when you have created it and properties and check the x's to make executable.

 

[Mike77]

See what the correct tap numbers should be by gui system log > routing table.

Thanks, but I must be missing something. On the OpenVPN server, when I go to systemlog> routing table, there is no mention of TAP.
Just the two WAN IP adresses. I thougt think that I'm looking for the word TAP followed by a number right, or should I do something with one of these WAN adresses (not static)?

On the cliënt there is a mention of TAP. Should I use that number?

I've also looked at the system log >general log. This log mentions OpenVpn[736]? Could this be the TAP?

 

[bilboSNB]

Ah of course , probably because its the ROUTING table and it is a TAP bridge connection?!?


Login with putty which you mentioned earlier and run:

ifconfig

I think the interfaces will show there.

 

[Mike77]

If it works for rmerlin, i dont know.

See what the correct tap numbers should be by gui system log > routing table.

https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts (firewall-start) <=== create this file is the jffs scripts folder, jffs must be enabled in the gui.

I do it using a program called winscp, very easy to do. Right click the files when you have created it and properties and check the x's to make executable.

Thanks, I think I did the above. In the log it reads: "Sep 26 17:12:02 custom script: Running /jffs/scripts/firewall-start (args: eth0)"

Is there a way I can see if it's working?

The log is now just filling up with messages like:
1.
Sep 26 17:42:52 kernel: br0: topology change detected, sending tcn bpdu
Sep 26 17:42:53 kernel: br0: port 1(vlan1) received tcn bpdu

&

2.
Sep 26 17:00:15 kernel: net_ratelimit: 463 callbacks suppressed
Sep 26 17:00:15 kernel: br0: received packet on vlan1 with own address as source address

What do these messages mean?

 

[Calisro]

IMHO a mesh vpn makes this easier to configure. I like tinc vpn. You still have similar constraints as far @bilboSNB mentioned but its made easier to handle the routing. Sort of "off topic" to your question but worth a read.

 

[Mike77]

IMHO a mesh vpn makes this easier to configure. I like tinc vpn. You still have similar constraints as far @bilboSNB mentioned but its made easier to handle the routing. Sort of "off topic" to your question but worth a read.

Thanks, and yes it is interesting. But I'm not doing this because of work or a direct need. I'm just trying to find out how to make it work in the way I'm trying to, before trying different things .

Afther I have this working I wanted to take a look at the way VLAN's work, but I might first take a look at Mesh VPN's.

But first I have to find out if these messages that keep popping up in the log are a problem, what they are and what to do with them.

 

[loadbang]

Just set the VPN server IP address range as 192.168.0.0 (default 10.16.0.0), netmask of 255255.0.0

Asus router under 'LAN -> LAN IP' to 192.168.1.0 (the default) and change to netmask to 255.255.0.0

All computers, devices etc will all communicate like you are on your local network. The default 10.16.0.0 is the problem. If you want to join more than two LANs, you just need to change the netmask, confused why you're making it more complicated with having IPs on the same subset?

 

[nostalos]

To summarize here. If you use TAP, they have to be in the same subnet PERIOD. This is because of how ip works not any special sauce in the firmware or openvpn.

TAP is a bridge and assumes that both sides of the tunnel participate in the same broadcast domain. When a network client needs to communicate to another in the same broadcast domain he does not pass the packet to the router, he simply queries for that client to respond with his MAC to IP via broadcast. And in the case of Bridge Mode OpenVPN, the router is only facilitating those broadcasts from reaching each location. No routing of any kind comes into play and the router never sees the traffic beyond Layer2 and passes info back and forth based on MAC Address, Not IP.

If you want the two networks to be on different subnets as you have stated, you have to use a TUN Mode tunnel. If you look at the logic your client goes through passing traffic up and down the TCP stack you get the following

Is my destination on the same subnet as me
if yes, then I query my subnet for the MAC address of the owner of the IP that exists on my local subnet and pass the packet directly to them
if no, then do I have a route that to that different subnet, if yes (usually default route) then pass the packet on to that router and assume it knows the proper path to reach the other network.

So technically what you are trying is the same as putting 2 subnets into the same switch/hub. You can have 2 subnets on the same switch, but they can't talk to each other without participating in the same subnet or having a router at Layer3 passing the IP traffic.


Now technically you CAN use TAP mode to tie the router into the other subnet, but the router would have to have a IP address that exists in the subnet and the client would have to have a route path through this router to achieve sending the packet over. This has a lot of extra overhead due to noisy broadcast traffic being sent constantly over your internet link.

 

[Mike77]

@loadbang & @nostalos

Thanks, but I think I've already fixed the IP and subnet problems. The network is working (althoug kinda slow), the IP's are all on the same subnet and the ranges have been devided between the different lan's.

In this thread there are only three questions that remain:
1. The log says that the firewall-start script is working. Is there a way to test if this is correct?

The log is now just filling up with messages like:
Sep 26 17:42:52 kernel: br0: topology change detected, sending tcn bpdu
Sep 26 17:42:53 kernel: br0: port 1(vlan1) received tcn bpdu

&

Sep 26 17:00:15 kernel: net_ratelimit: 463 callbacks suppressed
Sep 26 17:00:15 kernel: br0: received packet on vlan1 with own address as source address

2. What do these messages mean?
3. Do I have to do something about it, and what and how?

In two separate threads on this forum I have two extra questions.

1. On the server side the client router shows as connecting two different devices. How to split these. Or is this normal with a TAP connection. Are these two connecting cliënts the real ethernet adapter and the virtual tap adapter?
2. On the server side the cliënt router is jumping between IP adresses, while it should be static. How can I lock it to it's own IP?

 

[donkey1983]

Hi Guys,

Sorry to crash this thread. I have one question though. I have setup a VPN using Open VPN and (TUN) protocol. I can ping Client to Server OK however I cant ping from the SERER to any CLIENT LAN devices. So esentially i have one way ping!

Any obvious Ideas. As far as I can see the route is in the Routing table

 

[ColinTaylor]

@donkey1983 Ah, I see you have re-posted your question here: http://www.snbforums.com/threads/open-vpn-tun-problems.27346/

 

[donkey1983]

Yes correct that is me. I felt it was on topic to this thread. I have tried everything and only seem to have a one way ping (one directional Route) from the Client LAN to the Server LAN. The VPN is all connected and great otherwise using the TUN OpenVPN protocol. Its very frustrating, I can't work it out.