Help needed with client-side routing

andres99

Occasional Visitor
I need a site-to-site OpenVPN connection between two LANs in different locations. I have managed to get the OpenVPN connection running but there seems to be a problem with client-side routing.

The OpenVPN server is on Asuswrt-Merlin (Asus RT-AC68U). That machine is the gateway, 192.168.0.1, on the server-side LAN (192.168.0.0 / 255.255.255.0). On OpenVPN it is 192.168.5.1.

The OpenVPN client is on FreshTomato. It is running on a Linksys WRT54GL (192.168.34.202), which is *not* the gateway, on the client-side LAN (192.168.34.0 / 255.255.255.0). The client’s user name is "vpn4" and IP address on the OpenVPN is 192.168.5.2.

The gateway of the client-side LAN is a Huawei modem router with very little configurable options (192.168.34.1), and there are some more devices on the client-side LAN that I need to access from the server-side LAN.

At the moment I can ping the Linksys device (192.168.34.202) and access FreshTomato on that device over OpenVPN from the server-side LAN.

THE PROBLEM: I cannot ping or access any other devices on client-side LAN over OpenVPN from the server-side LAN. I suppose that the problem is somewhere in the client-side LAN and related to client-side routing.

VPN Client:

[screenshot.2.png: VPN client configuration, part 1]

and

[screenshot.3.png: VPN client configuration, part 2]

Current routes on VPN Client machine:

[screenshot.1.png: routing table of the VPN client machine]

I have not manually added any static routes to either the VPN server or the VPN client. (I tried though but none of my ideas solved the problem.)

VPN Server configuration:
TUN
UDP
VPN subnet 192.168.5.0 / 255.255.255.0
Push LAN to clients: Yes
Direct clients to redirect Internet traffic: No
Manage Client-Specific Options: Yes
Allow Client<-> Client: Yes
Allow only specified clients: No

Custom:
client-config-dir /jffs/configs/openvpn/ccd2
script-security 3
reneg-sec 0
route 192.168.34.0 255.255.255.0
push "route 192.168.34.0 255.255.255.0"

In the folder ccd2 I have a file named "vpn4" containing this:
iroute 192.168.34.0 255.255.255.0

I noticed that when I remove the route, push "route" and iroute directives from the OpenVPN server, then machines in the server-side LAN can ping (but not access) 192.168.34.1. When I add those directives to the OpenVPN server, 192.168.34.1 becomes unpingable and 192.168.34.202 (the OpenVPN client machine) becomes pingable and accessible.

Tracert from a machine on server-side LAN shows (Doomsville.KCN is the VPN server machine, which is also the gateway on the server side):

[screenshot125.png: tracert output]


None of the numerous options I could think of during a number of hours gave me access to the client-side LAN. Any ideas how to make other devices (like 192.168.34.1 or 192.168.34.102) on the client-side LAN accessible from the server-side LAN?
 
So we're dealing with 3 routers? Linksys, Asus, and Huawei modem router?

OpenVPN server is on Asuswrt-Merlin (Asus RT-AC68U)
Client OpenVPN is on Linksys.
WAN gateway is on Huawei modem router; so (double NAT) and you're running automatic IP to the Linksys?

I assume there aren't any LAN devices on the gateway Huawei modem router you're trying to access besides the Linksys.
 
So we're dealing with 3 routers? Linksys, Asus, and Huawei modem router?
Yes. The caveat is that the modem router is not very configurable. It is a small portable consumer thing (Huawei E5783B).

OpenVPN server is on Asuswrt-Merlin (Asus RT-AC68U)
Yes.

Client openvpn is on Linksys.
Yes, the client openvpn is on Linksys (running FreshTomato).

WAN gateway is on Huawei modem router; so (double NAT)
Yes. The Huawei modem router is the internet gateway for the Linksys (Client OpenVPN).

and you're running automatic IP to the Asuswrt-Merlin?
I am not sure if I understand this question 100% but I suppose yes.
 
I am not sure if I understand this question 100% but I suppose yes.

Sorry, I mean to the Linksys. Definitely sounds like a routing issue; unfortunately it's not really my area of expertise and I'd probably take longer to figure it out just trying to understand the problem. I'm not too sure, but x3mRouting might be the way to go. Available by SSH in amtm. https://github.com/Xentrk/x3mRouting

There's also VPNDirector https://github.com/RMerl/asuswrt-merlin.ng/wiki/VPN-Director

There's manual routing also.
 
Thank you for the hints! I took a look at the x3mRouting utility and policy-based routing but they seem to be for AsusWRT Merlin only.

Since I can establish two-way connection to the Linksys router from the server-side LAN, I can be sure that any signal from the server-side LAN passes through the Huawei router and reaches the inside of the client-side LAN (i.e. the Linksys router, which is behind the Huawei router). And the replies from the Linksys come back to the server-side network from the inside of the client-side LAN.

Therefore I tend to think that the problem lies more probably somewhere in the client-side LAN (i.e. either in the Linksys machine or the Huawei thingy). Either (a) the signal from the server-side LAN does not reach further beyond the Linksys (i.e. does not reach other devices) or (b) it can reach even further beyond the Linksys (i.e. it reaches other devices) but any response from those devices cannot find its way back to the server-side network.

Would it really be possible to cure any such problem from the AsusWRT Merlin machine (which is the server)?

I would suppose that the most probable way to resolve this, if there is a way at all, would be to add some kind of routing directive or script to the Linksys machine, since I cannot add anything to the Huawei router.

Sorry if I posted this to the wrong section but I got really good help here with a complex OpenVPN setup a few years ago.
 
Assuming the layout is like this: [Gateway router] -> Asus router (running DHCP & OpenVPN) -> Linksys client OpenVPN.

If one device (192.168.5.1) is on the Asus and the other device (192.168.5.2) is on the Linksys, then the Asus router handles the DHCP server and routing of internet and LAN.

If there are additional devices you're trying to access on the Huawei router, then that's behind a double NAT and you would need to do routing on the Huawei. ICMP ping might still be open on these devices, which is why the ping works but SMB file sharing doesn't.

If your main devices are on the Asus router then x3mRouting or VPNDirector should help. @ColinTaylor might know for sure.
 
The layout is like this, where the server side is on the left and the client side is on the right:

AsusWRT (OpenVPN server, 192.168.5.1) --- Internet (WAN) --- Client-Side gateway (Huawei) - Linksys (OpenVPN client, 192.168.5.2)

The server-side LAN is centred around the AsusWRT and the client-side LAN is centred around the Huawei. Internet traffic of the client-side network is not redirected through OpenVPN.

I need other devices behind the Huawei router to be accessible from the server side.

The Huawei has no options for routing. It has some basic options for DHCP server, Firewall (Enable/disable), port forwarding, DMZ, UPnP (on/off), NAT (only "symmetric" or "cone") and that's it, more or less.

Everything works as needed with exactly the same setup when the Linksys (FreshTomato) is running the server but I need Linksys to run the OpenVPN client instead because I cannot afford a static WAN IP and open ports for the client-side gateway.
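To make the forward and return paths in this thread concrete, here is a small route-table model that traces a packet hop by hop. This is an added example, not code or data from the thread: the route tables are constructed from the addressing the posts give (server LAN 192.168.0.0/24, VPN 192.168.5.0/24, client LAN 192.168.34.0/24, Linksys at 192.168.34.202 and 192.168.5.2, Huawei at 192.168.34.1 as the client LAN's default gateway with no static routes), with an assumed server-side PC at 192.168.0.10 and an assumed client-LAN device at 192.168.34.102. The `snat_on_linksys` switch models a workaround that is common when the VPN endpoint is not the LAN's default gateway and that gateway cannot take a static route: masquerading traffic as it leaves the Linksys's LAN interface, so that replies are addressed to the Linksys instead of to 192.168.0.0/24. The Huawei's own behaviour is an assumption too (a private destination with no matching route is assumed to be handed to its ISP uplink and lost).

```python
import ipaddress

INTERNET = "internet"  # pseudo next hop: the ISP uplink behind the Huawei / Asus WAN


class Host:
    """A host with a minimal routing table; next_hop None means on-link delivery."""

    def __init__(self, name, routes):
        self.name = name
        self.routes = [(ipaddress.ip_network(prefix), next_hop) for prefix, next_hop in routes]

    def lookup(self, dst_ip):
        """Longest-prefix match; returns (network, next_hop) or None."""
        dst = ipaddress.ip_address(dst_ip)
        best = None
        for net, next_hop in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return best


def make_hosts():
    """Constructed route tables modelled on the thread's addressing (not the screenshots)."""
    pc = Host("pc", [("192.168.0.0/24", None), ("0.0.0.0/0", "192.168.0.1")])
    asus = Host("asus", [                       # OpenVPN server, server-side gateway
        ("192.168.0.0/24", None), ("192.168.5.0/24", None),
        ("192.168.34.0/24", "192.168.5.2"),     # the server's 'route' directive
        ("0.0.0.0/0", INTERNET)])
    linksys = Host("linksys", [                 # OpenVPN client, NOT the client-side gateway
        ("192.168.34.0/24", None), ("192.168.5.0/24", None),
        ("192.168.0.0/24", "192.168.5.1"),      # pushed by the server ('push "route"')
        ("0.0.0.0/0", "192.168.34.1")])
    huawei = Host("huawei", [("192.168.34.0/24", None), ("0.0.0.0/0", INTERNET)])
    nas = Host("nas", [("192.168.34.0/24", None), ("0.0.0.0/0", "192.168.34.1")])  # assumed device
    table = {}
    for host, ips in ((pc, ["192.168.0.10"]), (asus, ["192.168.0.1", "192.168.5.1"]),
                      (linksys, ["192.168.34.202", "192.168.5.2"]),
                      (huawei, ["192.168.34.1"]), (nas, ["192.168.34.102"])):
        for ip in ips:
            table[ip] = host
    return table


HOSTS = make_hosts()
LINKSYS_LAN_IP = "192.168.34.202"


def trace(src_ip, dst_ip, max_hops=8):
    """Follow a packet from src_ip towards dst_ip; returns (path of host names, result)."""
    target = HOSTS.get(dst_ip)
    cur = HOSTS[src_ip]
    path = [cur.name]
    for _ in range(max_hops):
        if cur is target:
            return path, "delivered"
        match = cur.lookup(dst_ip)
        if match is None:
            return path, f"no route at {cur.name}"
        _net, next_hop = match
        nxt = dst_ip if next_hop is None else next_hop
        if nxt == INTERNET:
            path.append(INTERNET)
            return path, "dropped: RFC 1918 destination handed to the ISP uplink"
        if nxt not in HOSTS:
            return path, f"dropped: {nxt} is not on link from {cur.name}"
        cur = HOSTS[nxt]
        path.append(cur.name)
    return path, "dropped: hop limit exceeded"


def round_trip(src_ip, dst_ip, snat_on_linksys=False):
    """Forward path plus the reply path the destination will actually use."""
    forward = trace(src_ip, dst_ip)
    # With MASQUERADE on the Linksys LAN interface the client-LAN device sees the
    # Linksys's own LAN address as the source, so its reply is addressed there.
    reply_to = LINKSYS_LAN_IP if snat_on_linksys else src_ip
    reply = trace(dst_ip, reply_to)
    return forward, reply


if __name__ == "__main__":
    for snat in (False, True):
        fwd, ret = round_trip("192.168.0.10", "192.168.34.102", snat_on_linksys=snat)
        print(f"snat={snat}: forward {fwd}  reply {ret}")
```

Without masquerading the forward path is fine (pc, asus, linksys, nas) but the reply from 192.168.34.102 follows its default route to the Huawei, which has no route for 192.168.0.0/24 and loses it; the Linksys itself answers because it holds the pushed route, matching what the OP sees. The corresponding FreshTomato rule would typically be `iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o br0 -j MASQUERADE` in the client's firewall script (`br0` assumed to be the LAN bridge, as is usual on Tomato builds). The trade-off is that client-LAN devices then see every server-side connection as coming from 192.168.34.202, so their logs and any address-based access controls no longer see the real 192.168.0.x source.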
 
