
LAN behind router not accessible with openvpn


tossom

Occasional Visitor
Case closed: It was the win7 firewall blocking the traffic. Sorry that I didn't figure this out earlier.

Hello people,

sorry for coming up with this, but I have already searched the forum for hours to find any hints to resolve this problem and I guess it must have been discussed already elsewhere.

Anyhow I am running the latest Merlin build (374.33) on my N66U and I have set up the built-in openvpn server. The server settings are:

Service state: on
start with wan: yes
interface type: tun
protocol: tcp
port: 443
firewall: automatic
authorisation mode: tls
extra hmac authorisation: disabled
vpn subnet/ mask: 10.8.0.0 255.255.255.0

Poll interval: 0
push LAN to clients: yes
direct clients to redirect internet traffic: no
respond to dns: no
encryption cipher: aes-128-cbc
compression: adaptive
tls renegotiation time: -1
manage client specific options: no


The client config is the following:

client
server-poll-timeout 4
connect-retry-max 5
resolv-retry 60
nobind
remote remoteadress.no-ip.com 443 tcp
dev tun
ns-cert-type server
remote-cert-tls server
cipher AES-128-CBC
comp-lzo
verb 3
ca ca.crt
cert client1.crt
key client1.key

This config is working, I can connect to the server from WAN and it's possible to access the HDD which is attached to the router.
The problem is that the whole LAN behind the router is not accessible. I can't ping any machine nor is it possible to obtain access to other samba shares.
On the OpenVPN website I read that

"By default, clients will only see the server. To force clients to only see the server, you will also need to appropriately firewall the server's TUN/TAP interface."

They state that the command "client-to-client" will enable the clients to see each other. I added this under custom configuration to the OpenVPN server configuration in the web GUI. Furthermore, I added a push command

push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 10.8.0.1"

and I disabled the firewall. Still no connectivity to the LAN behind the router. Had this all smoothly running on my old WRT-54GL with dd-wrt and I remember that I had to add some rules there for the firewall to get it working. This is what I added in dd-wrt as a firewall script:

iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
iptables -I FORWARD 1 --source 10.168.1.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.168.1.0/24 -o br0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.168.1.0/24 -j MASQUERADE
iptables -I INPUT 3 -i tun0 -j ACCEPT
iptables -I FORWARD 3 -i tun0 -o tun0 -j ACCEPT

Maybe I have to do this also somewhere in Merlin's firmware?

Any help is appreciated. I know that this all would work quite flawlessly if I switched to a tap interface, but iOS and I think also Android don't support it. Thanks for all your help and advice.
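The post above ends up finding the block on the Windows host, not the router, and that is the split worth checking in order: does the router forward between the tunnel and br0, does it NAT the VPN sources onto the LAN, and if not, does the LAN host's own firewall accept 10.8.0.0/24? A common reason a Windows host firewall drops such traffic is that its File and Printer Sharing and ping rules are scoped to "Local subnet", which does not include the VPN range. The following POSIX sh script is an added example, not from the thread or from the firmware: it runs those checks over constructed `iptables-save` dumps (the interface name tun0 is taken from the poster's dd-wrt script, not from the N66U).

```shell
#!/bin/sh
# Added example: decide which side still needs work for tun clients
# (10.8.0.0/24) to reach LAN hosts (192.168.1.0/24 on br0).
# All three dumps below are constructed in iptables-save format.

# Router forwards both ways and NATs VPN sources onto the LAN.
DUMP_FORWARD_NAT='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -i tun0 -o br0 -j ACCEPT
-A FORWARD -i br0 -o tun0 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE
COMMIT'

# Router forwards both ways but leaves the 10.8.0.x source address intact.
DUMP_FORWARD_ONLY='*filter
:FORWARD DROP [0:0]
-A FORWARD -i tun0 -o br0 -j ACCEPT
-A FORWARD -i br0 -o tun0 -j ACCEPT
COMMIT'

# Router accepts the tunnel itself but never forwards it anywhere.
DUMP_NO_FORWARD='*filter
:FORWARD DROP [0:0]
-A INPUT -i tun0 -j ACCEPT
COMMIT'

# has_rule DUMP RULE -> 0 when RULE appears verbatim as one line of DUMP
has_rule() { printf '%s\n' "$1" | grep -qxF -- "$2"; }

# router_forwards DUMP TUN LAN -> 0 when traffic is accepted TUN->LAN and
# LAN->TUN (the return path may also ride on a RELATED,ESTABLISHED rule)
router_forwards() {
  has_rule "$1" "-A FORWARD -i $2 -o $3 -j ACCEPT" || return 1
  has_rule "$1" "-A FORWARD -i $3 -o $2 -j ACCEPT" ||
    has_rule "$1" "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" || return 1
}

# router_masquerades DUMP VPN_NET LAN -> 0 when VPN sources are rewritten to
# the router's own LAN address before they reach LAN hosts
router_masquerades() { has_rule "$1" "-A POSTROUTING -s $2 -o $3 -j MASQUERADE"; }

# diagnose DUMP -> 0: router side complete
#                  1: FORWARD rules missing, fix the router first
#                  2: router fine, LAN hosts see packets from 10.8.0.x, so the
#                     host firewall on each LAN machine decides (Windows
#                     "Local subnet" scoped rules will drop them)
diagnose() {
  if ! router_forwards "$1" tun0 br0; then
    echo "router: no FORWARD rules between tun0 and br0"; return 1
  fi
  if router_masquerades "$1" 10.8.0.0/24 br0; then
    echo "router: forwards and NATs; LAN hosts see the router's own address"; return 0
  fi
  echo "router: forwards without NAT; check the LAN host's firewall scope for 10.8.0.0/24"
  return 2
}

# Stand-alone run over the three constructed dumps
for d in "$DUMP_FORWARD_NAT" "$DUMP_FORWARD_ONLY" "$DUMP_NO_FORWARD"; do
  diagnose "$d" || true
done
```

Feeding the script a real `iptables-save` output instead of the constructed dumps tells you whether the router is done; the exit code 2 case is the situation the poster ended up in, where the only remaining fix is on the LAN host (widen the firewall rule scope to the VPN subnet) or a MASQUERADE on br0 so LAN hosts only ever see the router's address.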
I just switched it off, unfortunately still no connectivity. Is it maybe not possible because the local machines which I would like to access are all connected via WiFi and not by cable to the router? Does that make any difference?
I did not have to do any iptables mucking around. However I noticed your following line is incorrect:

I am using the "tap" device and my server line is
server-bridge 192.168.1.1 255.255.255.0 192.168.1.221 192.168.1.240

The above line will provide IP addresses of 192.168.1.221-240 to the clients connecting from WAN and set gateway through 192.168.1.1
assuming your network is 192.168.1.XXX

Then add a

push "route 192.168.1.0 255.255.255.0"

You should be good to go. I have been using this config with DD-WRT and Tomato for the past few years. Just got my Asus router which works with it too, however the wireless is not working too well. But it's not OpenVPN related.
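The server-bridge line in the reply above hands VPN clients addresses straight out of the LAN, so the pool it names must lie inside the gateway's subnet and must stay clear of the router's own DHCP range, or a LAN machine and a VPN client end up sharing an address. As an added example (not the poster's or any firmware's code), the POSIX sh script below parses a server-bridge line and performs exactly those two checks; the DHCP range 192.168.1.2-192.168.1.200 is a constructed value.

```shell
#!/bin/sh
# Added example: validate an OpenVPN `server-bridge GW MASK START END` line.

# ip2int A.B.C.D -> the address as a decimal integer
ip2int() {
  old=$IFS; IFS=.; set -- $1; IFS=$old
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_server_bridge "server-bridge GW MASK START END" DHCP_START DHCP_END
#   0: pool is inside GW's subnet and disjoint from the DHCP range
#   1: not a server-bridge line   2: START is after END
#   3: pool leaves the subnet     4: pool overlaps the DHCP range
check_server_bridge() {
  set -- $1 $2 $3   # -> server-bridge gw mask start end dhcp_start dhcp_end
  [ "$1" = "server-bridge" ] || return 1
  gw=$(ip2int "$2"); mask=$(ip2int "$3")
  s=$(ip2int "$4");  e=$(ip2int "$5")
  ds=$(ip2int "$6"); de=$(ip2int "$7")
  net=$(( gw & mask ))
  [ "$s" -le "$e" ] || return 2
  [ $(( s & mask )) -eq "$net" ] && [ $(( e & mask )) -eq "$net" ] || return 3
  # disjoint when the pool ends before DHCP starts or begins after it ends
  [ "$e" -lt "$ds" ] || [ "$s" -gt "$de" ] || return 4
  return 0
}

# Stand-alone run: the reply's line against a constructed DHCP range
LINE="server-bridge 192.168.1.1 255.255.255.0 192.168.1.221 192.168.1.240"
if check_server_bridge "$LINE" 192.168.1.2 192.168.1.200; then
  echo "ok: pool 192.168.1.221-240 is inside the LAN and outside DHCP"
else
  echo "problem code $?"
fi
```

Return codes 3 and 4 are the two misconfigurations that show up as intermittent reachability rather than a clean failure, which is why the check is worth running before blaming OpenVPN.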
 
You do not need extra iptables hassle. Everything is done by fw automatically. Your config is OK, you only need to specify the subnet from which you want to access the router's LAN. You can do it by selection:
Code:
manage client specific options: yes
and into the frame you have to add (for client's subnet 192.168.2.0/24)
Code:
route 192.168.2.0 255.255.255.0
persist-key
persist-tun
In the /jffs/configs/ccd1 folder you have to create client configs with predefined IP addresses and subnet. Let's say for client1 it will be file client1 with this content:
Code:
#!/bin/sh
ifconfig-push 10.8.0.6 10.8.0.5
iroute 192.168.2.0 255.255.255.0
where the iroute parameter again means the client's subnet. If you want only a client without a subnet, use the full IP address and mask 255.255.255.255.

BTW, if you would like to see the whole config generated by fw, you can connect to the router by ftp (or telnet) and look at the file /etc/openvpn/server1/config.ovpn.
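The reply above relies on two halves agreeing: the server config carries `route 192.168.2.0 255.255.255.0` so the kernel sends that subnet into the tunnel, and the client's ccd file carries the matching `iroute` so OpenVPN knows which client owns it, with `ifconfig-push` pinning the client to a fixed /30 pair (10.8.0.6 for the client, 10.8.0.5 as the server end, as in the reply). The POSIX sh script below is an added example, not the poster's or the firmware's code: it generates such a ccd file for the n-th client and refuses a client whose subnet the server config does not route. The server config text is constructed; the ccd directory name comes from the reply.

```shell
#!/bin/sh
# Added example: generate and cross-check an OpenVPN client-config-dir entry.

# Constructed server config, standing in for /etc/openvpn/server1/config.ovpn.
SERVER_CONF='server 10.8.0.0 255.255.255.0
client-config-dir /jffs/configs/ccd1
route 192.168.2.0 255.255.255.0
persist-key
persist-tun'

# net30_pair N -> "client server" addresses of the N-th /30 in 10.8.0.0/24.
# Usable pairs are [1,2] [5,6] [9,10] ...; the server holds the lower address
# and pair 0 (10.8.0.1/10.8.0.2) is the server's own, so clients start at 1.
net30_pair() {
  base=$(( $1 * 4 ))
  echo "10.8.0.$(( base + 2 )) 10.8.0.$(( base + 1 ))"
}

# ccd_file NAME N LAN_SUBNET MASK -> prints the ccd file body for client NAME
# (returns 1 when N is outside the 63 client pairs a /24 can hold)
ccd_file() {
  [ "$2" -ge 1 ] && [ "$2" -le 63 ] || return 1
  set -- "$1" "$(net30_pair "$2")" "$3" "$4"
  printf '# ccd/%s (generated)\nifconfig-push %s\niroute %s %s\n' "$1" "$2" "$3" "$4"
}

# server_has_route SERVER_CONF SUBNET MASK -> 0 when the server config routes
# SUBNET into the tunnel, without which the client's iroute never sees traffic
server_has_route() { printf '%s\n' "$1" | grep -qxF "route $2 $3"; }

# check_site_client SERVER_CONF NAME N SUBNET MASK
#   0: ccd entry and server route agree   1: bad client index
#   2: generated ccd lacks the iroute      3: server config lacks the route
check_site_client() {
  ccd=$(ccd_file "$2" "$3" "$4" "$5") || return 1
  printf '%s\n' "$ccd" | grep -qxF "iroute $4 $5" || return 2
  server_has_route "$1" "$4" "$5" || return 3
}

# Stand-alone run: the reply's client1 with its 192.168.2.0/24 LAN
ccd_file client1 1 192.168.2.0 255.255.255.0
if check_site_client "$SERVER_CONF" client1 1 192.168.2.0 255.255.255.0; then
  echo "client1: route and iroute agree"
fi
```

Generating the pair from an index instead of typing it keeps every client on a distinct /30, which is the usual cause of two site clients silently stealing each other's tunnel addresses.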
 
