Unable to ping anything on GW or LAN after Openvpn connects

mobileman88

Regular Contributor
Hi,
I am unable to ping anything on the LAN or GW after OpenVPN connects, although there were no errors and I got an IP in the remote LAN. The only IP I could ping is the assigned IP from OpenVPN.
This is the config I took from another working OpenVPN which is run from the command line in DDWRT; the only thing I changed was that the tap device needed to be "tap21" in Asus-Merlin as per "ls -l" in "/proc/sys/net/ipv4/conf" after I did a "modprobe tun".


Server
-----------

port 1194
proto udp
dev tap21
ca ca.crt
cert server.crt
dh dh2048.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.20.2 255.255.255.0 192.168.20.221 192.168.20.240
push "route 192.168.20.0 255.255.255.0"
push "route 192.168.21.0 255.255.255.0"
keepalive 10 60
tls-auth ta.key 0
persist-key
persist-tun
verb 0
mute 5

Client
------

client
dev tap
dev-node "Local Area Connection 3"
proto udp
remote remote.hostname.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
tls-auth taClient.key 1

verb 1
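
An added example, not part of the original post or of OpenVPN itself: a small consistency check for the server-bridge setup in the server config above. It confirms the device is a TAP device, that the client pool sits inside the bridged subnet without covering the gateway address, and flags pushed routes that overlap the subnet bridged clients are already attached to. The names SERVER_CONF and check_bridge_config are hypothetical.

```python
import ipaddress
import shlex

# Server directives copied from the config posted above.
SERVER_CONF = """\
dev tap21
server-bridge 192.168.20.2 255.255.255.0 192.168.20.221 192.168.20.240
push "route 192.168.20.0 255.255.255.0"
push "route 192.168.21.0 255.255.255.0"
"""

def check_bridge_config(text):
    """Return a list of findings for a server-bridge (TAP) configuration."""
    findings, bridge, dev, routes = [], None, None, []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)  # handles quotes and '#' comments
        if not tok:
            continue
        if tok[0] == "dev" and len(tok) > 1:
            dev = tok[1]
        elif tok[0] == "server-bridge" and len(tok) == 5:
            gw, mask, start, end = tok[1:]
            net = ipaddress.ip_network(f"{gw}/{mask}", strict=False)
            bridge = (ipaddress.ip_address(gw), net,
                      ipaddress.ip_address(start), ipaddress.ip_address(end))
        elif tok[0] == "push" and len(tok) > 1:
            parts = tok[1].split()
            if len(parts) == 3 and parts[0] == "route":
                routes.append(
                    ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    if bridge is None:
        return ["no server-bridge directive found"]
    gw, net, start, end = bridge
    if dev is None or not dev.startswith("tap"):
        findings.append("server-bridge requires a tap device")
    if start not in net or end not in net or start > end:
        findings.append("client pool is not a valid range inside the bridged subnet")
    elif start <= gw <= end:
        findings.append("gateway address falls inside the client pool")
    for route in routes:
        if route.overlaps(net):
            findings.append(f"pushed route {route} overlaps bridged subnet {net}; "
                            "bridged clients are already on-link there")
    return findings

if __name__ == "__main__":
    for finding in check_bridge_config(SERVER_CONF):
        print(finding)
```
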
 
Any particular reason why you use TAP instead of TUN? It adds overhead and potential complexity to your network, especially if both networks have their own DHCP server.
 
Any particular reason why you use TAP instead of TUN? It adds overhead and potential complexity to your network, especially if both networks have their own DHCP server.

I also use TAP.. when using TUN, I found out I can't browse all the network.
When using TAP, all clients in the network are accessible from every client and vice versa..

If you know a setup for TUN to do this as well, let me know. I'm willing to experiment.

But if you need an "open" setup for all clients inside the network..use TAP.

My setup: 1 openVPN Server, using TAP with a 172.22.56.0 network behind it.
And then 9 Client openVPN, using TAP, with a 172.22.57.0 to 172.22.65.0 networks behind it..

All clients are DD-wrt routers.. and they use TAP to connect complete networks all together.. not just single clients..
 
Any particular reason why you use TAP instead of TUN? It adds overhead and potential complexity to your network, especially if both networks have their own DHCP server.

I use TAP so that I can see the entire network without having to handle additional routing rules. Moreover, this config has been working for DDWRT <-> DDWRT and also DDWRT <-> OpenVPN clients (Windows/tablets etc.) for the past few years. All I did was copy over the certificates and the config file and execute it on the Asus-Merlin firmware. The only thing I changed was to use "tap21" as that seems to be the only TAP device available for me to use.
 
I also use TAP.. when using TUN, I found out I can't browse all the network.
When using TAP, all clients in the network are accessible from every client and vice versa..

If you know a setup for TUN to do this as well, let me know. I'm willing to experiment.

But if you need an "open" setup for all clients inside the network..use TAP.

My setup: 1 openVPN Server, using TAP with a 172.22.56.0 network behind it.
And then 9 Client openVPN, using TAP, with a 172.22.57.0 to 172.22.65.0 networks behind it..

All clients are DD-wrt routers.. and they use TAP to connect complete networks all together.. not just single clients..

Could you pm me your config on ASUS-Merlin? I am able to connect and get an IP successfully but not able to do anything else.
 
I tried adding the tap21 interface to my br0 bridge but I am still unable to ping anything other than my VPN client's IP address.
 
Licked the problem. Issue is with ISP supplied router in front of my ASUS, it is still redirecting traffic to my old router! What a PITA.
 
Being far from the expert, this helped me decide: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting

I guess the TUN/TAP depends on what you want. I have router to router OVPN setup working wonderfully with TUN. I've set all of my PC's, and other devices to static internal IP's. That way I KNOW where everything is at with the different sites. I find it actually preferable in my case, since I don't want my other sites browsing the network. (snooping around)

mRemoteNG has helped tremendously in organizing access to different network resources...
 
Being far from the expert, this helped me decide: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting

I guess the TUN/TAP depends on what you want. I have router to router OVPN setup working wonderfully with TUN. I've set all of my PC's, and other devices to static internal IP's. That way I KNOW where everything is at different sites. I find it actually preferable in my case, since I don't want my other sites browsing the network. (snooping around)

mRemoteNG has helped tremendously in organizing access to different network resources...

Great tip. Thanks!
 
