What's new

[380.64_2 AC87U] Torturing myself with site to site VPN

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Zulgrib

Occasional Visitor
Hello,

I'm torturing myself with site to site VPN and i'm now pulling my hairs because i'm out of idea.

Computers on the client side can talk to computers on the remote side (Ping, SMB shares)
Computers on the server side cannot talk to computers on the client side. (Pings times out)

OpenVPN server uses subnet 192.168.6.0/24
OpenVPN client uses subnet 192.168.5.0/24

wrt-merlin powered router is the client.

Configuration of the OpenVPN server
Code:
push "route 192.168.200.0 255.255.255.0"
push "route 192.168.6.0 255.255.255.0"
route 192.168.5.0 255.255.255.0
dev tun

management 127.0.0.1 1195

server 192.168.200.0 255.255.255.0


dh /var/packages/VPNCenter/target/etc/openvpn/keys/dh1024.pem
ca /var/packages/VPNCenter/target/etc/openvpn/keys/ca.crt
cert /var/packages/VPNCenter/target/etc/openvpn/keys/server.crt
key /var/packages/VPNCenter/target/etc/openvpn/keys/server.key

max-clients 3

comp-lzo

persist-tun
persist-key

verb 3

#log-append /var/log/openvpn.log

keepalive 10 60
reneg-sec 0

plugin /var/packages/VPNCenter/target/lib/radiusplugin.so /var/packages/VPNCenter/target/etc/openvpn/radiusplugin.cnf
client-cert-not-required
username-as-common-name
duplicate-cn

status /tmp/ovpn_status_2_result 30
status-version 2
proto udp
port 1194

And has this client specific config file
Code:
ifconfig-push 192.168.200.6 255.255.255.0
iroute 192.168.5.0 255.255.255.0

The client has this config
Code:
Start with wan : Yes
Interface type : Tun
Proto : UDP
Server Address and Port : dnsnameoftheserver 1194
Firewall : auto
Auth mode : TLS (Only CA certificate shared)
Username/Password Authentication : Yes
Username / Password Auth. Only (Must define certificate authority) : No
Extra HMAC authorization : Disabled
Auth digest : Default
Create NAT on tunnel : Yes
Log : 3
Poll : 0
Accept DNS Configuration : Disabled
Encryption cipher : Default
Compression : Adaptive
TLS Renegotiation Time : -1
Connection Retry : -1
Verify serv cert : No
Redirect Internet traffic : No

And in the custom config field
Code:
tls-client
script-security 2
reneg-sec 0
ifconfig 192.168.200.6 192.168.200.5
route 192.168.6.0 255.255.255.0
keepalive 10 60
persist-key
persist-tun

I don't know what to do next.

I tried to remove all the rules containing "--state INVALID" but they are recreated dynamicly
I tried to add
Code:
iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
but the rules aren't actually created when the command is sent
 
Computers on the server side cannot talk to computers on the client side. (Pings times out)

On the server, does an entry exist?
Code:
ip route

192.168.5.0/24 via 10.8.0.1 dev tun21

If I recall, you should be able have the route created automatically via the VPN Server GUI
Specify the COMMON-NAME Client subnet, and it should create the route for you.

2017-01-23_16-02-03.png
 
The OpenVPN server is not running on merlin, it is the client that is on merlin.
On the server (Synology RT1900AC), there is a tun0 interface.

There is an "192.168.5.0/24 via 192.168.200.2 dev tun0" entry server side when checking with "ip route"

Client side (merlin) I have "192.168.6.0/24 via 192.168.200.5 dev tun11"
 
The OpenVPN server is not running on merlin

Ahhh:oops:

Only thing I can suggest is that the server CCD directive ifconfig-push should be removed?
Code:
ifconfig-push 192.168.200.6 255.255.255.0
iroute 192.168.5.0 255.255.255.0

Also when trying to ping from the server to router (rather than LAN devices) is it successful?

Have you checked the tun11 firewall rule to see if the packet count is >0 ?
Code:
iptables -nvL FORWARD -t filter | grep tun11

       0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0

If rule doesn't exist then add a temp firewall rule on the router
Code:
iptables -I FORWARD -i tun+ -j ACCEPT

Also check route table 111 (if it exists) to have valid routes for the Client LAN.
 
Code:
iptables -nvL FORWARD -t filter |grep tun
    0     0 ACCEPT     all  --  tun11  br0     0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  br0    tun11   0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun11  br0     0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  br0    tun11   0.0.0.0/0            0.0.0.0/0

Not superior to zero, the only counter increasing is the "TUN/TAP read bytes" when I ping the router using the VPN subnet instead of the local subnet.

So, this means the problem is on server's side and not on the client side ?
 
Not superior to zero, the only counter increasing is the "TUN/TAP read bytes" when I ping the router using the VPN subnet instead of the local subnet.

So, this means the problem is on server's side and not on the client side ?

Possibly... added temp rule to my system and the rule counters are >0
Code:
num   pkts bytes target     prot opt in     out     source               destination       
1    83966  108M ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0
 
Last edited:
The torture can end, Synology router manager create client specific config but don't start openvpn with the --client-config-dir switch. Adding it in the config file solved the problem.
 
The torture can end, Synology router manager create client specific config but don't start openvpn with the --client-config-dir switch. Adding it in the config file solved the problem.

Typical eh? - computers...only do what you explicity tell them to do! :rolleyes:

P.S. Should have stuck with an ASUS/Merlin router! :p
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top