Using 2 OpenVPN servers, clients connected to different servers can't communicate with each other


vyruz

Occasional Visitor
Hi everyone,

I have Asuswrt-Merlin running fine on my Asus RT-N66U for some years now.
Over time I have configured both OpenVPN servers, one server I use to let some virtual servers I rent all over the world connect to my network.
This first OpenVPN server uses TAP over UDP, clients connect and are authenticated using only certificates.
The 2nd OpenVPN server uses TUN over TCP, and I use this to connect mainly myself from different devices over the internet (Android only supports TUN protocol AFAIK, so I can't use first server for this).

My physical LAN behind the router at home is in the 192.168.2.0/24 range.
The DHCP server provides addresses from 192.168.2.52 to .99
The router itself has local address 192.168.2.51

The 1st OpenVPN server does not use DHCP for its clients; since all clients are servers connecting externally, they all have reserved IPs outside of the DHCP range, but still in the 192.168.2.0/24 range.

The 2nd OpenVPN server hands out DHCP addresses in the 10.8.0.0/24 range. I did this because I cannot choose 'Allocate from DHCP' when setting up a TUN server, compared to a TAP server.

So for example 1 virtual server I rent connects and gets IP 192.168.2.161
When I connect from my workstation at work (windows 7 pc) it will get for example 10.8.0.2, my router being 10.8.0.1.

Now my problem is, for some reason clients connected to server 2, cannot communicate to clients connected to server 1.
Both clients can talk fine to my local physically connected LAN devices in the 192.168.2.0/24 range.
And all devices physically connected to my LAN can talk both to the 192.168.2.161 client, and to the 10.8.0.2 client.

But I cannot get any communication going from 10.8.0.2 to 192.168.2.161.
The 10.8.0.2 client has the correct route: if I do 'tracert -d 192.168.2.161' it will show the first hop going correctly to 10.8.0.1 (OpenVPN server 2) but then dying.

I suspect there is some kind of routing missing to correctly forward the packets from one OpenVPN server to the other.
 
Subscribed.
I have different setup, but the same problem:
RT66U as OpenVPN server for site-to-site tunnel.
AC68U as OpenVPN client for site-to-site and as Server for external users.

External users can access the LAN segment of the AC68U, but not the one of the RT66U behind the tunnel. Names are being resolved though. Tried to set up the external server on the RT66U — same story.

I presume something is missing from firewall setup:
Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination       
    0     0 ACCEPT     all  --  tun21  any     anywhere             anywhere         
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:1194
    0     0 ACCEPT     all  --  tap11  any     anywhere             anywhere         
  114  4444 DROP       icmp --  vlan2  any     anywhere             anywhere             icmp echo-request
4155  211K DROP       all  --  any    any     anywhere             anywhere             state INVALID
  70M   25G ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
1742  526K ACCEPT     all  --  lo     any     anywhere             anywhere             state NEW
487K  153M ACCEPT     all  --  br0    any     anywhere             anywhere             state NEW
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp spt:bootps dpt:bootpc
    0     0 SSHBFP     tcp  --  vlan2  any     anywhere             anywhere             tcp dpt:22 state NEW
    1    40 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp !echo-request
4735  476K DROP       all  --  any    any     anywhere             anywhere         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination       
591K   49M ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  tun21  any     anywhere             anywhere         
    0     0 ACCEPT     all  --  tap11  any     anywhere             anywhere         
    0     0 DROP       all  --  !br0   vlan2   anywhere             anywhere         
    0     0 DROP       all  --  vlan2  any     anywhere             anywhere             state INVALID
    0     0 ACCEPT     all  --  br0    br0     anywhere             anywhere         
   78  5792 SECURITY   all  --  vlan2  any     anywhere             anywhere         
   78  5792 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT
93090   11M ACCEPT     all  --  br0    any     anywhere             anywhere
...or the routing table:
Code:
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
77.37.xxx.yyy     *               255.255.255.255 UH        0 0          0 vlan2
192.168.35.1    *               255.255.255.255 UH        0 0          0 vlan3
192.168.35.0    *               255.255.255.240 U         0 0          0 vlan3
10.3.3.0        *               255.255.255.240 U         0 0          0 tun21
192.168.97.0    *               255.255.255.0   U         0 0          0 br0
77.37.xxx.0     *               255.255.252.0   U         0 0          0 vlan2
127.0.0.0       *               255.0.0.0       U         0 0          0 lo
default         broadband-77-37 0.0.0.0         UG        0 0          0 vlan2
 
Seems I've managed to solve my problem. It was a missing route on the RT66U to the network of the OpenVPN server:
Code:
10.3.3.0        192.168.97.40   255.255.255.240 UG    1      0        0 br0
After I added a static route, the whole LAN became available for all the clients. Even remote clients are pingable from the LAN segment behind the bridge.

No ideas? Anyone...
You should probably check your routing tables: all gateways should propagate static routes to each other.
 
Oh my god... I ought to slap myself in the face for not finding this out sooner!
For some reason today I got the idea to start a tcpdump/wireshark trace on both my remote virtual server and one of my openvpn clients.
I saw the ping packets sent from the client coming in to the remote server, so my router was seemingly doing things correctly. Only my server was not sending any replies.
Then it hit me: the server, which was logged in via OpenVPN but had a fixed IP in the 192.168.2.0/24 range, did not have a route to the 10.8.0.0/24 range that my OpenVPN clients get.
In the end I had to add this simple line to my openvpn server configuration:
Code:
push "route 10.8.0.0 255.255.255.0"

This pushes the route to 10.8.0.0/24 via the openvpn server to all clients who connect.
And now everything is happily talking to each other :)
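Both fixes in this thread (the `push "route 10.8.0.0 255.255.255.0"` on the TAP server, and the static route for 10.3.3.0/28 via 192.168.97.40 on the RT66U) cure the same failure: the request reaches the far host, but the far host has no route back, so its reply goes out its default gateway and is lost. The small model below is an added example, not code from the thread, from Asuswrt-Merlin or from OpenVPN. It does longest-prefix route lookup the way the kernel does, walks a packet hop by hop across the hosts, and checks both directions. The LAN, tunnel and gateway addresses from the posts are used as given; the VPS public address, the ISP and office gateways, 192.168.97.1 for the RT66U and 10.3.3.1 for the AC68U's TUN server are assumptions made to make the tables complete.

```python
"""Added example: why 'one hop then nothing' is usually a missing RETURN route."""
import ipaddress


def route(net, gw=None, iface=None):
    """One routing-table entry: (network, gateway or None when on-link, interface)."""
    return (ipaddress.ip_network(net), gw, iface)


def lookup(table, dst):
    """Longest-prefix match over route() entries, as the kernel does. None if no route."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in table if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)


def path(nodes, src, dst, max_hops=8):
    """Forward a packet from node `src` toward address `dst`, hop by hop.

    Returns the list of nodes traversed. The last element is the node owning
    `dst`, or 'LOST' when a hop has no route or hands the packet to a device
    outside the model (e.g. an ISP gateway, which will never deliver RFC1918 traffic).
    """
    owner = {a: name for name, n in nodes.items() for a in n["addrs"]}
    here, trail = src, [src]
    for _ in range(max_hops):
        if dst in nodes[here]["addrs"]:
            return trail
        r = lookup(nodes[here]["routes"], dst)
        if r is None:
            return trail + ["LOST"]
        nxt = owner.get(r[1] or dst)  # via the gateway, or directly when on-link
        if nxt is None:
            return trail + ["LOST"]
        here, trail = nxt, trail + [nxt]
    return trail + ["LOST"]


def round_trip(nodes, a_addr, b_addr):
    """True only if a reaches b AND b's reply reaches a (no asymmetric black hole)."""
    owner = {a: name for name, n in nodes.items() for a in n["addrs"]}
    fwd = path(nodes, owner[a_addr], b_addr)
    back = path(nodes, owner[b_addr], a_addr)
    return fwd[-1] != "LOST" and back[-1] != "LOST"


def vyruz_setup(push_route_to_tap_clients):
    """RT-N66U: TAP server bridged to 192.168.2.0/24, TUN server on 10.8.0.0/24.
    The VPS is a TAP client with a fixed LAN IP; the workstation is a TUN client."""
    vps_routes = [route("192.168.2.0/24", None, "tap0"),
                  route("0.0.0.0/0", "203.0.113.1", "eth0")]       # VPS ISP gateway (assumed)
    if push_route_to_tap_clients:  # effect of push "route 10.8.0.0 255.255.255.0" on the TAP server
        vps_routes.append(route("10.8.0.0/24", "192.168.2.51", "tap0"))
    return {
        "workstation": {"addrs": ["10.8.0.2"], "routes": [
            route("10.8.0.0/24", None, "tun0"),
            route("192.168.2.0/24", "10.8.0.1", "tun0"),             # pushed by the TUN server
            route("0.0.0.0/0", "198.51.100.1", "eth0")]},            # office gateway (assumed)
        "router": {"addrs": ["10.8.0.1", "192.168.2.51"], "routes": [
            route("10.8.0.0/24", None, "tun22"),
            route("192.168.2.0/24", None, "br0"),
            route("0.0.0.0/0", "192.0.2.1", "vlan2")]},              # home ISP gateway (assumed)
        "vps": {"addrs": ["192.168.2.161", "203.0.113.10"], "routes": vps_routes},
    }


def site_to_site_setup(static_route_on_rt66u):
    """Second poster: both LANs form one 192.168.97.0/24 segment over a TAP site-to-site
    tunnel; the AC68U also runs a TUN server (10.3.3.0/28) for external users."""
    rt66u_routes = [route("192.168.97.0/24", None, "br0"),
                    route("0.0.0.0/0", "192.0.2.2", "vlan2")]
    if static_route_on_rt66u:  # the poster's fix: 10.3.3.0/28 via 192.168.97.40 on br0
        rt66u_routes.append(route("10.3.3.0/28", "192.168.97.40", "br0"))
    return {
        "rt66u": {"addrs": ["192.168.97.1"], "routes": rt66u_routes},   # RT66U LAN IP assumed
        "ac68u": {"addrs": ["192.168.97.40", "10.3.3.1"], "routes": [   # 10.3.3.1 assumed
            route("192.168.97.0/24", None, "br0"),
            route("10.3.3.0/28", None, "tun21"),
            route("0.0.0.0/0", "192.0.2.3", "vlan2")]},
        "remote_user": {"addrs": ["10.3.3.2"], "routes": [
            route("10.3.3.0/28", None, "tun0"),
            route("192.168.97.0/24", "10.3.3.1", "tun0"),            # pushed by the AC68U server
            route("0.0.0.0/0", "198.51.100.2", "wlan0")]},
    }


if __name__ == "__main__":
    for fixed in (False, True):
        n = vyruz_setup(fixed)
        print("push route" if fixed else "no push  ", path(n, "workstation", "192.168.2.161"),
              path(n, "vps", "10.8.0.2"))
        s = site_to_site_setup(fixed)
        print("static   " if fixed else "no static", path(s, "remote_user", "192.168.97.1"),
              path(s, "rt66u", "10.3.3.2"))
```

Run as-is it prints the forward path (always complete, which is why tracert shows the first hop and ping packets show up in tcpdump on the far host) beside the return path, which ends in LOST until the return route exists. The same check in real life is `ip route get 10.8.0.2` on the far host: if it picks the default interface rather than the tunnel, the reply can never come back, whatever the firewall on the router says.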
 
