Site to Site vpn on Merlin and DD-WRT


samisheikh

New Around Here
Hi,

I am trying to set up an OpenVPN site-to-site tunnel between site A (server, Merlin) and site B (client, DD-WRT). The tunnel comes up and both peers are able to ping each other, but when anyone on the client subnet (10.1.30.0/24) tries to ping a host on the server side (10.1.10.0/24), the packets are dropped by the server, since the server doesn't know how to get to the client's subnet even after adding the route.
Here are the configs:

Server
Code:
# Automatically generated configuration
daemon
server 172.16.254.0 255.255.255.248
proto udp
port 1198
dev tun21
cipher AES-256-CBC
comp-lzo adaptive
keepalive 15 60
verb 3
push "route 10.1.10.0 255.255.255.0"
client-config-dir ccd
client-to-client
duplicate-cn
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status

# Custom Configuration
ifconfig 172.16.254.1 255.255.255.248
management 127.0.0.1 5001
auth none

Firewall - Server

Code:
iptables -I INPUT 2 -p udp --dport 1198 -j ACCEPT
iptables -I FORWARD -i br0 -o tun21 -j ACCEPT
iptables -I FORWARD -i tun21 -o br0 -j ACCEPT

Routing table Server:
Code:
172.16.254.2 dev tun21  proto kernel  scope link  src 172.16.254.1
x.x.x.x dev eth0  scope link
172.16.254.0/29 via 172.16.254.2 dev tun21
x.x.x.x/28 dev eth0  proto kernel  scope link  src x.x.x.x
10.1.10.0/24 dev br0  proto kernel  scope link  src 10.1.10.254
127.0.0.0/8 dev lo  scope link
default via x.x.x.x dev eth0


Client Config:
Code:
ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
key /tmp/openvpncl/client.key
management 127.0.0.1 5001
management-log-cache 50
verb 4
mute 3
log-append /var/log/openvpncl
writepid /var/run/openvpncl.pid
client
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 2
mtu-disc yes
dev tun1
proto udp
cipher aes-256-cbc
auth none
remote x.x.x.x 1198
comp-lzo adaptive
tun-mtu 1500
fast-io


Client Firewall
Code:
iptables -I INPUT 2 -p udp --dport 1198 -j ACCEPT
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT


Client routing table:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.2.253   0.0.0.0         UG    0      0        0 eth1
10.1.10.0       172.16.254.5    255.255.255.0   UG    0      0        0 tun1
10.1.30.0       0.0.0.0         255.255.255.0   U     0      0        0 br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 br0
172.16.254.0    172.16.254.5    255.255.255.248 UG    0      0        0 tun1
172.16.254.5    0.0.0.0         255.255.255.255 UH    0      0        0 tun1
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
239.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 br0

What is weird is that on the client side the tun device has an IP of 172.16.254.6 while the gateway is 172.16.254.5, and on the server side the IP is 172.16.254.1 and the tun IP is 172.16.254.2. On the server side I can't ping 172.16.254.2, but I can ping the tun IP of the client (172.16.254.6); and vice versa on the client side, I can't ping 172.16.254.5, which is the gateway, but I can ping 172.16.254.1.

Server interfaces
Code:
admin@MTL-AP:/tmp/etc/openvpn/server1# ip addr
1: lo: <LOOPBACK,MULTICAST,UP,10000> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether d8:50:e6:cb:f5:f0 brd ff:ff:ff:ff:ff:ff
    inet x.x.x.x/28 brd x.x.x.x scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether d8:50:e6:cb:f5:f0 brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether d8:50:e6:cb:f5:f4 brd ff:ff:ff:ff:ff:ff
5: vlan1@eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
    link/ether d8:50:e6:cb:f5:f0 brd ff:ff:ff:ff:ff:ff
6: vlan2@eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether d8:50:e6:cb:f5:f0 brd ff:ff:ff:ff:ff:ff
7: br0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
    link/ether d8:50:e6:cb:f5:f0 brd ff:ff:ff:ff:ff:ff
    inet 10.1.10.254/24 brd 10.1.10.255 scope global br0
8: tun21: <POINTOPOINT,MULTICAST,NOARP,PROMISC,UP,10000> mtu 1500 qdisc pfifo_fast qlen 100
    link/[65534]
    inet 172.16.254.1 peer 172.16.254.2/32 scope global tun21

Client interfaces:
Code:
ath0      Link encap:Ethernet  HWaddr B0:C7:45:75:1C:F6
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2528056 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3317121 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:177453174 (169.2 MiB)  TX bytes:539912763 (514.9 MiB)

ath1      Link encap:Ethernet  HWaddr B0:C7:45:75:1C:F7
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12502 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:0 (0.0 B)  TX bytes:1688459 (1.6 MiB)

br0       Link encap:Ethernet  HWaddr B0:C7:45:75:1C:F6
          inet addr:10.1.30.251  Bcast:10.1.30.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3715741 errors:0 dropped:3772 overruns:0 frame:0
          TX packets:5006361 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:415672171 (396.4 MiB)  TX bytes:6820174338 (6.3 GiB)

br0:0     Link encap:Ethernet  HWaddr B0:C7:45:75:1C:F6
          inet addr:169.254.255.1  Bcast:169.254.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0      Link encap:Ethernet  HWaddr B0:C7:45:75:1C:F6
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:610099 errors:0 dropped:4 overruns:18 frame:0
          TX packets:931175 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:263258272 (251.0 MiB)  TX bytes:833541212 (794.9 MiB)
          Interrupt:4

eth1      Link encap:Ethernet  HWaddr B0:C7:45:75:1C:F6
          inet addr:192.168.2.254  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1492  Metric:1
          RX packets:5071499 errors:0 dropped:787 overruns:0 frame:0
          TX packets:3681042 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2519572372 (2.3 GiB)  TX bytes:462892303 (441.4 MiB)
          Interrupt:5

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
          RX packets:421 errors:0 dropped:0 overruns:0 frame:0
          TX packets:421 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:37100 (36.2 KiB)  TX bytes:37100 (36.2 KiB)

mon.ath0  Link encap:UNSPEC  HWaddr B0-C7-45-75-1C-F6-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:462186 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:105722162 (100.8 MiB)  TX bytes:0 (0.0 B)

mon.ath1  Link encap:UNSPEC  HWaddr B0-C7-45-75-1C-F7-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3114 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:377428 (368.5 KiB)  TX bytes:0 (0.0 B)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.16.254.6  P-t-P:172.16.254.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:268 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14279 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:22488 (21.9 KiB)  TX bytes:775355 (757.1 KiB)
 
Ping peer IP from server:
Code:
ping 172.16.254.2
PING 172.16.254.2 (172.16.254.2): 56 data bytes

--- 172.16.254.2 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

Ping tun0's client IP address from the server:
Code:
ping 172.16.254.6
PING 172.16.254.6 (172.16.254.6): 56 data bytes
64 bytes from 172.16.254.6: seq=0 ttl=64 time=30.222 ms
64 bytes from 172.16.254.6: seq=1 ttl=64 time=29.536 ms
64 bytes from 172.16.254.6: seq=2 ttl=64 time=30.918 ms
64 bytes from 172.16.254.6: seq=3 ttl=64 time=30.386 ms
64 bytes from 172.16.254.6: seq=4 ttl=64 time=30.788 ms
64 bytes from 172.16.254.6: seq=5 ttl=64 time=31.271 ms

--- 172.16.254.6 ping statistics ---
6 packets transmitted, 6 packets received, 0% packet loss
round-trip min/avg/max = 29.536/30.520/31.271 ms


Ping peer IP from the client:
Code:
ping 172.16.254.5
PING 172.16.254.5 (172.16.254.5): 56 data bytes
^C
--- 172.16.254.5 ping statistics ---
7 packets transmitted, 0 packets received, 100% packet loss


Ping tun21's IP on the server from the client
Code:
ping 172.16.254.1
PING 172.16.254.1 (172.16.254.1): 56 data bytes
64 bytes from 172.16.254.1: seq=0 ttl=64 time=29.253 ms
64 bytes from 172.16.254.1: seq=1 ttl=64 time=31.730 ms
64 bytes from 172.16.254.1: seq=2 ttl=64 time=30.010 ms
^C
--- 172.16.254.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 29.253/30.331/31.730 ms

I tried adding a route to 10.1.30.0 (client LAN) on the server using the IP 172.16.254.6, but it will only let me map it to 172.16.254.2:
Code:
ip route add 10.1.30.0/24 via 172.16.254.6 dev tun21
RTNETLINK answers: No such process
ip route add 10.1.30.0/24 via 172.16.254.2 dev tun21

Pinging a host on the client LAN from the server -- no dice
Code:
PING 10.1.30.100 (10.1.30.100): 56 data bytes

--- 10.1.30.100 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

Pinging a host on the server LAN from the client -- no dice
Code:
ping 10.1.10.100
PING 10.1.10.100 (10.1.10.100): 56 data bytes
^C
--- 10.1.10.100 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

Logs from the server side:
Code:
>LOG:1432700723,D,Client/x.x.x.x:44820 UDPv4 READ [81] from [AF_INET]x.x.x.x:44820: P_DATA_V1 kid=0 DATA len=80
>LOG:1432700723,,Client/x.x.x.x:44820 MULTI: bad source address from client [10.1.30.100], packet dropped
>LOG:1432700723,D,Client/x.x.x.x:44820 UDPv4 READ [81] from [AF_INET]x.x.x.x:44820: P_DATA_V1 kid=0 DATA len=80
>LOG:1432700723,,Client/x.x.x.x:44820 MULTI: bad source address from client [10.1.30.106], packet dropped
>LOG:1432700724,D,Client/x.x.x.x:44820 UDPv4 READ [81] from [AF_INET]x.x.x.x:44820: P_DATA_V1 kid=0 DATA len=80
>LOG:1432700724,,Client/x.x.x.x:44820 MULTI: bad source address from client [10.1.30.110], packet dropped
2700729,,Client/x.x.x.x:44820 MULTI: bad source address from client [10.1.30.100], packet dropped

Logs from the client side:
Code:
>LOG:1432686050,D,UDPv4 WRITE [81] to x.x.x.x:1198: P_DATA_V1 kid=0 DATA len=80
>LOG:1432686050,D,UDPv4 WRITE [81] to x.x.x.x:1198: P_DATA_V1 kid=0 DATA len=80
>LOG:1432686051,D,UDPv4 WRITE [81] to x.x.x.x:1198: P_DATA_V1 kid=0 DATA len=80

I even ran tcpdump on both routers, and it turns out the packets from the LAN on the server side aren't even getting to the client router.

Any help would be appreciated.

Thanks
 
I have resolved my issue by adding the following lines to the server config, creating a CCD for the client, and adding an iroute for the client.

route 10.1.30.0 255.255.255.0
push "route 10.1.10.0 255.255.255.0"
push "route 10.1.30.0 255.255.255.0"

My final config
Code:
#Server Config
# Automatically generated configuration
daemon
server 172.16.254.0 255.255.255.248
proto udp
port 1198
dev tun21
cipher AES-256-CBC
comp-lzo adaptive
keepalive 15 60
verb 3
route 10.1.30.0 255.255.255.0
push "route 10.1.10.0 255.255.255.0"
push "route 10.1.30.0 255.255.255.0"
topology subnet
client-config-dir ccd
client-to-client
duplicate-cn
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status

# Custom Configuration
ifconfig 172.16.254.1 255.255.255.248
management 127.0.0.1 5001
auth none

Client CCD Config:
Code:
less /tmp/etc/openvpn/server1/ccd/CALPHA
iroute 10.1.30.0 255.255.255.0
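The two posts above show the classic shape of this failure: the kernel route on the server exists, but OpenVPN keeps its own per-client routing table, and without an `iroute` in the client's CCD file it logs `MULTI: bad source address from client [...]` and drops packets from the client LAN. The checker below is an added example, not code from the thread or from Merlin/DD-WRT. It parses a server config, a CCD directory (modelled as a dict of common name to file contents) and server log lines, and reports the three things the fix needed to agree: the kernel `route`, the CCD `iroute`, and coverage of every source address the log shows being dropped. It also flags two settings present in the posted config that weaken the setup: `duplicate-cn` together with `iroute` (CCD files are selected by certificate CN, so clients sharing a CN all receive the same iroute), and `auth none` (no HMAC authentication of tunnel packets). All inputs are constructed inline from the thread's own values; the function names (`audit`, `iroutes`, `dropped_sources`) are this example's own.

```python
"""Audit an OpenVPN server for the site-to-site routing gap seen in the thread.

Added example (not code from the thread or from Merlin/DD-WRT). It checks that a
kernel 'route' into the tun, an 'iroute' in the client's CCD file, and the
sources the server logs as 'MULTI: bad source address' all agree. Inputs are
constructed inline from the thread's values so it runs offline.
"""
import ipaddress
import re

# Constructed: server config as first posted (no route / iroute for 10.1.30.0/24).
SERVER_CONF_BEFORE = """\
server 172.16.254.0 255.255.255.248
push "route 10.1.10.0 255.255.255.0"
client-config-dir ccd
client-to-client
duplicate-cn
auth none
"""

# Constructed: server config after the fix (route + pushes added).
SERVER_CONF_AFTER = SERVER_CONF_BEFORE.replace(
    'push "route 10.1.10.0 255.255.255.0"',
    'route 10.1.30.0 255.255.255.0\n'
    'push "route 10.1.10.0 255.255.255.0"\n'
    'push "route 10.1.30.0 255.255.255.0"',
)

# Constructed: the CCD directory modelled as {common_name: file_contents}.
CCD_BEFORE = {}
CCD_AFTER = {"CALPHA": "iroute 10.1.30.0 255.255.255.0\n"}

# Constructed log lines modelled on the server's management-log output.
SERVER_LOG = """\
>LOG:1432700723,,Client/x.x.x.x:44820 MULTI: bad source address from client [10.1.30.100], packet dropped
>LOG:1432700723,,Client/x.x.x.x:44820 MULTI: bad source address from client [10.1.30.106], packet dropped
>LOG:1432700724,,Client/x.x.x.x:44820 MULTI: bad source address from client [10.1.30.110], packet dropped
"""

BAD_SRC_RE = re.compile(r"bad source address from client \[([\d.]+)\]")


def _net(addr, mask):
    """Build a network from OpenVPN's 'address netmask' argument pair."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_directives(text):
    """Return (directive, args) pairs; strips comments, quotes and stray CRs."""
    out = []
    for raw in text.splitlines():
        line = raw.rstrip("\r").split("#", 1)[0].strip()
        if line:
            parts = line.replace('"', "").split()
            out.append((parts[0].lower(), parts[1:]))
    return out


def routed_subnets(conf):
    """Subnets the server's kernel will send into the tun ('route a m')."""
    return {_net(a[0], a[1]) for d, a in parse_directives(conf)
            if d == "route" and len(a) >= 2}


def iroutes(ccd):
    """{subnet: common_name} for every 'iroute a m' across the CCD directory."""
    found = {}
    for cn, text in ccd.items():
        for d, a in parse_directives(text):
            if d == "iroute" and len(a) >= 2:
                found[_net(a[0], a[1])] = cn
    return found


def dropped_sources(log):
    """Source addresses OpenVPN refused with 'bad source address', sorted."""
    return sorted({ipaddress.ip_address(m.group(1)) for m in BAD_SRC_RE.finditer(log)})


def audit(conf, ccd, log=""):
    """Return a list of findings; an empty list means the routing is consistent."""
    findings = []
    routes, iro = routed_subnets(conf), iroutes(ccd)
    flags = dict(parse_directives(conf))
    # A dropped source that no iroute covers: OpenVPN's internal table does not
    # know which client owns that LAN, whatever the kernel routing table says.
    for src in dropped_sources(log):
        if not any(src in n for n in iro):
            findings.append(f"no iroute covers dropped source {src}: add 'iroute' to the client's CCD file")
    # A kernel route with no iroute: OpenVPN cannot pick a client for that traffic.
    for n in routes - set(iro):
        findings.append(f"route {n} has no matching iroute in any CCD file")
    # An iroute with no kernel route: packets are accepted but replies never enter the tun.
    for n, cn in iro.items():
        if n not in routes:
            findings.append(f"iroute {n} in ccd/{cn} needs 'route {n.network_address} {n.netmask}' in the server config")
    # CCD files (and so iroutes) are selected by certificate CN.
    if "duplicate-cn" in flags and iro:
        findings.append("duplicate-cn is set while iroutes are in use: clients sharing a CN all get the same iroute")
    if flags.get("auth") == ["none"]:
        findings.append("auth none disables HMAC authentication of tunnel packets")
    return findings


if __name__ == "__main__":
    for label, conf, ccd in (("before", SERVER_CONF_BEFORE, CCD_BEFORE),
                             ("after", SERVER_CONF_AFTER, CCD_AFTER)):
        print(f"== {label} ==")
        for finding in audit(conf, ccd, SERVER_LOG):
            print(" -", finding)
```

Run against the "before" inputs it reports one missing iroute per dropped source plus the `auth none` finding; against the "after" inputs the routing findings disappear and only the `duplicate-cn` and `auth none` findings remain, which is the state the final config on this page is in.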
 
