d12welve
I'm attempting to set up a network containing two routers, a primary giving me local internet access, and a secondary router that has a persistent VPN connection to a service (i.e. vpnunlimited).
My primary router is configured with IP address 192.168.1.1, subnet 255.255.255.0. It also acts as the DHCP server that hands out addresses in the 192.168.1.x class.
The new router with DD-WRT is configured with IP address 192.168.2.1. Then I configured the VPN as described here: https://www.vpnunlimitedapp.com/ddwrtsetup.
I am able to connect to the internet using the new router with VPN OFF but as soon as I turn on VPN I can no longer connect to the internet. I can ping the primary router and other devices on the network.
When viewing the status tab of the OpenVPN on the DD-WRT router, it shows that it is connected as a client and gives an IP address but not one for the Remote Address.
What am I missing?
Here are some of the troubleshooting tests I've done so far to try and identify the problem... but I've had no luck so far. If you can help I'd appreciate it!
VPN STATE
Code:
Client: CONNECTED SUCCESS
Local Address: 10.208.29.206
Remote Address:
STATUS
VPN Client Stats
TUN/TAP read bytes 27412
TUN/TAP write bytes 252
TCP/UDP read bytes 6513
TCP/UDP write bytes 42963
Auth read bytes 700
pre-compress bytes 6389
post-compress bytes 6410
pre-decompress bytes 0
post-decompress bytes 0
LOG
Code:
Clientlog:
20151207 15:13:52 I OpenVPN 2.3.4 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Aug 1 2014
20151207 15:13:52 I library versions: OpenSSL 1.0.1h 5 Jun 2014 LZO 2.08
20151207 15:13:52 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20151207 15:13:52 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
20151207 15:13:52 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20151207 15:13:52 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
20151207 15:13:52 Socket Buffers: R=[180224->131072] S=[180224->131072]
20151207 15:13:55 I UDPv4 link local: [undef]
20151207 15:13:55 I UDPv4 link remote: [AF_INET]199.115.117.73:443
20151207 15:13:55 TLS: Initial packet from [AF_INET]199.115.117.73:443 sid=8806d159 424e5be7
20151207 15:13:55 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
20151207 15:13:55 VERIFY OK: depth=1 C=US ST=NY L=New York O=Simplex Solutions Inc. OU=Vpn Unlimited CN=server.vpnunlimitedapp.com name=server.vpnunlimitedapp.com emailAddress=support@simplexsolutionsinc.com
20151207 15:13:55 VERIFY OK: nsCertType=SERVER
20151207 15:13:55 VERIFY OK: depth=0 C=US ST=NY L=New York O=Simplex Solutions Inc. OU=Vpn Unlimited CN=openvpn.vpnunlimitedapp.com name=openvpn.vpnunlimitedapp.com emailAddress=support@simplexsolutionsinc.com
20151207 15:13:55 NOTE: --mute triggered...
20151207 15:13:55 5 variation(s) on previous 3 message(s) suppressed by --mute
20151207 15:13:55 I [openvpn.vpnunlimitedapp.com] Peer Connection Initiated with [AF_INET]199.115.117.73:443
20151207 15:13:58 SENT CONTROL [openvpn.vpnunlimitedapp.com]: 'PUSH_REQUEST' (status=1)
20151207 15:13:58 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 dhcp-option DNS 10.208.0.1 reneg-sec 0 rcvbuf 262144 sndbuf 262144 ping 5 ping-exit 30 route 10.208.0.1 topology net30 ifconfig 10.208.29.206 10.208.29.205'
20151207 15:13:58 N Options error: option 'reneg-sec' cannot be used in this context ([PUSH-OPTIONS])
20151207 15:13:58 OPTIONS IMPORT: timers and/or timeouts modified
20151207 15:13:58 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
20151207 15:13:58 Socket Buffers: R=[131072->360448] S=[131072->360448]
20151207 15:13:58 OPTIONS IMPORT: --ifconfig/up options modified
20151207 15:13:58 OPTIONS IMPORT: route options modified
20151207 15:13:58 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
20151207 15:13:58 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth1 HWADDR=e4:f4:c6:0f:b3:e5
20151207 15:13:58 I TUN/TAP device tun0 opened
20151207 15:13:58 TUN/TAP TX queue length set to 100
20151207 15:13:58 I do_ifconfig tt->ipv6=1 tt->did_ifconfig_ipv6_setup=0
20151207 15:13:58 I /sbin/ifconfig tun0 10.208.29.206 pointopoint 10.208.29.205 mtu 1500
20151207 15:13:58 I /tmp/openvpn-up.sh tun0 1500 1542 10.208.29.206 10.208.29.205 init
20151207 15:13:58 /sbin/route add -net 199.115.117.73 netmask 255.255.255.255 gw 192.168.1.1
20151207 15:13:58 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.208.29.205
20151207 15:13:58 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.208.29.205
20151207 15:13:58 /sbin/route add -net 10.208.0.1 netmask 255.255.255.255 metric 1 gw 10.208.29.205
20151207 15:13:58 I Initialization Sequence Completed
20151207 15:16:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20151207 15:16:32 D MANAGEMENT: CMD 'state'
20151207 15:16:32 MANAGEMENT: Client disconnected
20151207 15:16:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20151207 15:16:32 D MANAGEMENT: CMD 'state'
20151207 15:16:32 MANAGEMENT: Client disconnected
20151207 15:16:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20151207 15:16:32 D MANAGEMENT: CMD 'state'
20151207 15:16:32 MANAGEMENT: Client disconnected
20151207 15:16:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20151207 15:16:32 D MANAGEMENT: CMD 'status 2'
20151207 15:16:32 MANAGEMENT: Client disconnected
20151207 15:16:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20151207 15:16:32 D MANAGEMENT: CMD 'log 500'
19691231 19:00:00
ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
key /tmp/openvpncl/client.key
management 127.0.0.1 16
management-log-cache 100
verb 3
mute 3
syslog
writepid /var/run/openvpncl.pid
client
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 2
dev tun1
proto udp
cipher bf-cbc
auth sha1
auth-user-pass /tmp/openvpncl/credentials
remote us.vpnunlimitedapp.com 22
comp-lzo adaptive
tls-client
tun-mtu 1500
mtu-disc yes
fast-io
tun-ipv6
tls-cipher TLS-RSA-WITH-AES-128-CBC-SHA
client
dev tun
reneg-sec 0
persist-tun
persist-key
ping 5
ping-exit 30
nobind
comp-lzo adaptive
remote-random
ns-cert-type server
route-metric 1
up /tmp/openvpn-up.sh
down /tmp/openvpn-down.sh
remote us.vpnunlimitedapp.com 443 udp
remote us.vpnunlimitedapp.com 22 udp
remote us.vpnunlimitedapp.com 80 tcp-client
Kernel IP routing table
Code:
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
0.0.0.0         10.208.19.169   128.0.0.0       UG    0      0   0   tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0   0   eth1
10.208.0.1      10.208.19.169   255.255.255.255 UGH   1      0   0   tun0
10.208.19.169   0.0.0.0         255.255.255.255 UH    0      0   0   tun0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0   0   lo
128.0.0.0       10.208.19.169   128.0.0.0       UG    0      0   0   tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0   0   br0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0   0   eth1
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0   0   br0
207.244.66.209  192.168.1.1     255.255.255.255 UGH   0      0   0   eth1
and just to clarify...
I have two routers: Router A and Router B. Router A is my "primary" router (it serves my internet connection directly). I want Router B as a secondary router of A, but the catch is, I want it to be dedicated to a VPN connection; I want everything connected to Router B to flow through a VPN.
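The routing table in the post can be checked mechanically against what `redirect-gateway def1` is supposed to install. The following is an added example, not part of the original post: it parses the `route -n` output as posted and applies longest-prefix matching to show which interface a given destination leaves through. The function names `parse_routes`, `lookup` and `def1_status` are illustrative.

```python
import ipaddress

# Routing table copied from the post (route -n output on the DD-WRT router).
ROUTE_TABLE = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.208.19.169 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth1
10.208.0.1 10.208.19.169 255.255.255.255 UGH 1 0 0 tun0
10.208.19.169 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
128.0.0.0 10.208.19.169 128.0.0.0 UG 0 0 0 tun0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
207.244.66.209 192.168.1.1 255.255.255.255 UGH 0 0 0 eth1
"""

def parse_routes(text):
    """Turn `route -n` rows into dicts; the header and malformed rows are skipped."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "Destination":
            continue
        net = ipaddress.ip_network(f"{f[0]}/{f[2]}")  # destination/genmask
        routes.append({"net": net, "gw": f[1], "metric": int(f[4]), "iface": f[7]})
    return routes

def lookup(routes, dest):
    """Pick the route the kernel would use: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in routes if addr in r["net"]]
    return min(hits, key=lambda r: (-r["net"].prefixlen, r["metric"])) if hits else None

def def1_status(routes):
    """Check the two /1 halves that def1 adds, and list host routes kept off the tunnel."""
    halves = {str(r["net"]): r for r in routes if r["net"].prefixlen == 1}
    low, high = halves.get("0.0.0.0/1"), halves.get("128.0.0.0/1")
    tunnel_ok = bool(low and high
                     and low["iface"] == high["iface"]
                     and low["iface"].startswith("tun")
                     and low["gw"] == high["gw"])
    # Host routes through a real gateway on a non-tunnel interface (the VPN server pin).
    pinned = [str(r["net"].network_address) for r in routes
              if r["net"].prefixlen == 32 and r["gw"] != "0.0.0.0"
              and not r["iface"].startswith("tun")]
    return tunnel_ok, pinned
```

On the posted table both /1 halves point into tun0, so a general internet destination is routed into the tunnel rather than out through eth1. The pinned host (207.244.66.209) and tunnel gateway (10.208.19.169) differ from the server and gateway in the posted log (199.115.117.73, 10.208.29.205), so the log and the routing table were captured in different sessions.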