Problem with Lan-Route using VPN

F.L.

Occasional Visitor
Hi
Anyone else having issues with the Route setting in the latest fw?

I run OpenVPN on my NAS and after upgrading the Merlin fw I can't access the other PCs on the LAN anymore (when connecting via VPN).

I can reach the NAS but that's it.
It all worked before and the only thing that changed is that I've upgraded the router's fw.

Sadly I don't remember which version I had before.

Route is like this (.126 is the ip of my NAS):
10.8.0.0 255.255.255.0 192.168.1.126 LAN

Anyone got any suggestions what the problem might be?

Thanks

EDIT: The router is a RT-N66U
 
Since it seems that I am the only one with this problem:
Which fw are you guys running that works flawlessly with OpenVPN?

As stated before I'm not running the VPN server on the actual router but on a NAS but I guess the problem would be the same?
 
If the server is running on the NAS, then all you need to configure on the router is the port forward toward the NAS, with appropriate protocol (TCP or UDP).

Beyond that, don't configure any route. Routing should be handled by the client connecting back home.
 
Thank you RMerlin for your suggestion but unfortunately that didn't work.
I disabled static routes (and cleared the record) and I can still only connect to the NAS.

I followed this guide:
http://blog.roychowdhury.org/2011/05/10/adding-a-vpn-server-to-readynas/

And in step 5 I did this:

Step 5: Configuring your home router
This last step can be forgotten very easily. If you don’t do this, things won’t work.

We need to do 2 things:
a) If your VPN server is not on a public IP, you need to use the public IP of your router and port forward all traffic to port 1194 to the router to the VPN server.
b) Set up a static route to make sure remote clients can reach other LAN terminals once connected via VPN.

It also says that this might not be needed when using tap but I'm using tun.


I'll keep digging
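
What the static route in step 5(b) of the quoted guide changes, as an added example that is not part of the original post or the guide: a longest-prefix-match lookup on the router for a reply addressed to a VPN client. It assumes the NAS forwards tun traffic without NAT and that LAN hosts use the router as their default gateway; the ISP gateway 203.0.113.1 and the client address 10.8.0.6 are constructed sample values.

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix match: (gateway, interface) of the most specific route covering dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gateway, iface in routes:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return (best[1], best[2]) if best else None

# Constructed router table: the LAN is directly connected (gateway None),
# everything else goes to the ISP (placeholder address from a documentation range).
ROUTER_BASE = [
    ("192.168.1.0/24", None, "LAN"),
    ("0.0.0.0/0", "203.0.113.1", "WAN"),
]

# The static route quoted in the first post:
#   10.8.0.0 255.255.255.0 192.168.1.126 LAN
STATIC_VPN_ROUTE = ("10.8.0.0/255.255.255.0", "192.168.1.126", "LAN")

def reply_path(with_static_route, vpn_client="10.8.0.6"):
    """Where the router sends a LAN host's reply to a VPN client address."""
    routes = ROUTER_BASE + ([STATIC_VPN_ROUTE] if with_static_route else [])
    return next_hop(routes, vpn_client)

if __name__ == "__main__":
    # Without the static route the reply leaves via the WAN default route
    # and never reaches the tunnel; with it, the reply is handed to the NAS.
    print("no static route :", reply_path(False))
    print("with static route:", reply_path(True))
```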
 
This is most likely an issue with either the NAS's VPN server not pushing the route to clients, or your OpenVPN client not applying the route. Remember to run the client as an Administrator under Windows, so it can apply the pushed route.
 
Ok thanks, strange it worked before though

I'm using OpenVPN for Android as a client:
https://play.google.com/store/apps/details?id=de.blinkt.openvpn&hl=en


I will move my certs and keys to the N66U instead and see if that solves it.
No need for LAN-route when running the OpenVPN server on the router?
 
The client will always need to apply some local routes. I'm not sure if the Android client does it. I'd recommend testing it with a laptop to confirm if the issue is client-side or not.
 
Did some more testing.
I created a Server1 on the router using new keys. As a client I used a Win7x64 machine.
Client is OpenVPN running as administrator.

Using TAP I can connect successfully and also access the rest of the network.
Using TUN I can connect but the problem with no access to rest of the network remains.

Since TAP requires root on mobile phones I need to get TUN working.

Got any ideas on how to get local routes to work in TUN-mode?

Here are my config files:

Server:
admin@RT-N66U:/tmp/etc/openvpn/server1# cat config.ovpn
# Automatically generated configuration
daemon
server 10.8.0.0 255.255.255.0
proto udp
port 1194
dev tun21
cipher AES-128-CBC
comp-lzo adaptive
keepalive 15 60
verb 3
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status


Client
client
dev tun
proto udp
remote my.server.com
resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert Client.crt
key Client.key
ns-cert-type server
cipher AES-128-CBC
comp-lzo
verb 4
explicit-exit-notify 1

Many thanks
 
No idea, not really an expert on OpenVPN, sorry. You might get better luck on the OpenVPN forums since this is really specific to that, not to the router itself.
 
I have set up OpenVPN TUN server on three RT-N66Us and using the Android OpenVPN client on a variety of devices (phones/tablets) all LAN access is fine (albeit performance is not as quick as a PPTP connection...new RT-AC56Us all round? when finances improve ;-)

My configs are not too dissimilar from yours apart from a couple of minor details such as explicitly including 1194 on the end of the client's 'remote' directive, and 'verb 3' rather than your 'verb 4'.

The log on the Android OpenVPN client is quite detailed, so you presumably should be able to see if the RT-N66U is correctly 'pushing' the desired LAN routes:

e.g. in my SGSII OpenVPN client log I see the following block of lines:

Opening tun interface
Local IPv4: 10.8.0.6/30 IPv6:null MTU1500
Routes:10.xxx.xxx.0/24,10.8.0.1/32

However, on one RT-N66U we could not access a Win8 Share which worked perfectly using a PPTP connection, so naturally assumed OpenVPN was to blame.

It turned out it was the Norton firewall on the Win8 box that was blocking the share -Doh!

Regards,
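
The log check suggested in the post above, as an added example that is not part of the original thread: it compares the `push "route ..."` lines of a server config with the `Routes:` line of the Android client log and lists pushed networks the client did not apply. The `Routes:` format is taken from the log excerpt in the post and may differ between client versions; the two log samples are constructed.

```python
import ipaddress
import re

def pushed_routes(server_conf):
    """Networks announced by push "route <net> <mask>" lines in a server config."""
    found = re.findall(r'^\s*push\s+"route\s+(\S+)\s+(\S+)"', server_conf, re.M)
    return {ipaddress.ip_network(f"{net}/{mask}") for net, mask in found}

def applied_routes(client_log):
    """Networks on the 'Routes:' line of the client log (format assumed from the post)."""
    m = re.search(r"^Routes:\s*(\S+)", client_log, re.M)
    if not m:
        return set()
    return {ipaddress.ip_network(r, strict=False) for r in m.group(1).split(",") if r}

def missing_on_client(server_conf, client_log):
    """Pushed networks not covered by any route the client installed."""
    applied = applied_routes(client_log)
    return sorted(str(p) for p in pushed_routes(server_conf)
                  if not any(p.subnet_of(a) for a in applied))

# Push lines as they appear in the server config posted in this thread.
SERVER_CONF = '''
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
'''

# Constructed client logs: one where the LAN route was applied, one where it was not.
LOG_OK = """Opening tun interface
Local IPv4: 10.8.0.6/30 IPv6:null MTU1500
Routes:192.168.1.0/24,10.8.0.1/32
"""
LOG_NO_LAN = """Opening tun interface
Local IPv4: 10.8.0.6/30 IPv6:null MTU1500
Routes:10.8.0.1/32
"""

if __name__ == "__main__":
    print("applied case:", missing_on_client(SERVER_CONF, LOG_OK))
    print("missing case:", missing_on_client(SERVER_CONF, LOG_NO_LAN))
```

An empty result means the client installed every pushed network, so the remaining suspects are the return path and the firewalls on the LAN hosts.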
 
Thanks Martineau, nice to hear that it is working for someone!

You are using the official VPN-client on your phones? I will try that one.
Also, you have not added anything in the route-setting on the router?
 
All Android clients are using the OpenVPN client you quoted in post #6.

NOTE: I forgot to add that ALL of the RT-N66Us are using 374.32_0-dwrpyd to exploit the Dual-WAN 3G failover.

I'll try and test the latest 374.33_beta1 over the weekend.

Regards,
 
Hi
Just tried the Android client advertised in the official OpenVPN forum.
Same problem. Can connect and access router but not internal network.

Do you mind posting your server/client conf?
Would like to try with the exact same config.

Thanks
 
I just configured mine in the last 30 min.
Already had the keys from before so it didn't take that long :)

I got LAN access and Internet access from my phone (SGS4) using the official OpenVPN client.

Just imported this config.

Code:
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
#dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
proto tcp


# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote yourserver.com 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.

# remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
# user nobody
# group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
# http-proxy-retry # retry on connection failures
# http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert phone.crt
key phone.key

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
# tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
;verb 3

# Silence repeating messages
mute 20

This is on an AC66U with the latest beta firmware 374.33beta1

Check the attached image for the settings on the OpenVPN page.
The only thing I couldn't figure out was the static key in the keys page but it doesn't seem to need it.
 

Attachment: openvpn.jpg
OK, now this is starting to drive me nuts :(

Xerxist: I applied your client.conf and did the server changes.
Same thing: Can connect but yadda yadda for access to rest of the PCs on the LAN.

Just to be sure: The only thing you did on the router was to enable and configure the openvpn server?

Can you give me the full server conf?
If you have SSH access just do a
cat /etc/openvpn/server1/config.ovpn


Mine is like this after updating to your server settings:
daemon
server 10.8.0.0 255.255.255.0
proto tcp-server
port 1194
dev tun21
comp-lzo adaptive
keepalive 15 60
verb 3
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
push "redirect-gateway def1"
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status
 
OK,
I did a desperate test with PPTP and the problem is there too.
Same problem with both my Nexus 7 and Galaxy S4
Maybe the router settings are corrupt in some way and a factory reset is the way to go...
 
This is my config after just configuring from the pages.

Code:
# Automatically generated configuration
daemon
server 10.8.0.0 255.255.255.0
proto tcp-server
port 1194
dev tun21
comp-lzo adaptive
keepalive 15 60
verb 3
push "route 192.168.10.0 255.255.255.0"
push "redirect-gateway def1"
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status

Just to be sure it's not something stupid like the Windows firewall.
Have you turned that off?
You are coming from a different range 10.8.0.0 so the Windows firewall doesn't think it is your local LAN IP range and blocks everything.

BTW you are still pushing the dns settings which is not needed as the openvpn client for android uses the google dns servers by default unless you uncheck it in the app.
 
Thank you
I am not on Windows anymore since I need to get this to work on a mobile unit.
But our configs look the same except for the dns push.

Since this is not working with PPTP either there must be something else wrong with the router.
 
I meant the PC you are trying to connect to from your mobile device.
 
