How to Push Route with different gateway


scuro

New Around Here
I'm trying to push a route to a family asus router so they can access a VM that I have on a different subnet from my router/openvpn.

I am using a pfsense firewall to lock down all my VMs (192.168.3.109).

I can push the route without issue with
Code:
push "route 192.168.6.0 255.255.255.0"
However, it uses the vlan interface as the gateway (192.168.10.1).

If I use
Code:
push "route 192.168.6.0 255.255.255.0 192.168.3.109 1"
the route is never added because it errors out.

When I check logs I can see that it is getting pushed but it just says:

Code:
vpnclient5[5690]: /sbin/route add -net 192.168.3.0 netmask 255.255.255.0 metric 500 gw 192.168.10.1
vpnclient5[5690]: /sbin/route add -net 192.168.6.0 netmask 255.255.255.0 metric 1 gw 192.168.3.109
vpnclient5[5690]: ERROR: Linux route add command failed: external program exited with error status: 1
vpnclient5[5690]: Initialization Sequence Completed

I tried changing the metric to 500. It makes no difference.
 

eibgrad

Very Senior Member
In order for the 192.168.3.x and 192.168.6.x networks to be reachable from the router, you must define (on the router, as static routes) the gateway(s) (presumably on the 192.168.10.x network) by which they can be reached. The only time that wouldn't be necessary is if the router itself was hosting those networks. But I assume that's not the case. Then once you push those networks, and the OpenVPN client attempts to access them, it will be properly directed to them via the gateway(s).
 

scuro

New Around Here
I do have the static routes already set up in the openvpn server (192.168.10.1 for VPN, 192.168.3.1 for LAN). All of my LAN devices (192.168.3.0/24) can reach my VM subnets without issue. When I do a traceroute on a client of the VPN with the route set to use 10.1 for the gateway, I can see it make the first hop to the vpn server but it never makes it to 3.109 for the next hop.
 

eibgrad

Very Senior Member
I need to see the actual routing table on the router to make sense of all this (use ssh). I'm getting confused about where some of these networks/routes are established (e.g., 192.168.10.x). I was initially under the impression 192.168.10.x was the LAN, but now you seem to be indicating 192.168.3.x is the LAN.

Code:
ip route

While you're at it, include ifconfig as well.

Code:
ifconfig
 

scuro

New Around Here
Sorry for the confusion.

192.168.3.0/24 is home LAN
192.168.3.1 is the LAN interface for the router
192.168.3.109 is the LAN interface address for the router to the VM networks.
192.168.6.0/24 is a VM network
192.168.10.0/24 is VPN network
192.168.10.1 is the VPN interface for the router/server
192.168.1.0/24 is client's LAN

LAN to VM networks work without issue. Routes work properly.
VPN to VM networks never gets routed to 3.109

These are the routes and interfaces from the asus router that is hosting the openvpn as well.

Code:
[email protected]:/tmp/home/root# ip route
*.*.80.1 dev eth0  proto kernel  scope link
192.168.6.0/24 via 192.168.3.109 dev br0  metric 2
192.168.5.0/24 via 192.168.3.109 dev br0  metric 2
192.168.4.0/24 via 192.168.3.109 dev br0  metric 2
192.168.3.0/24 dev br0  proto kernel  scope link  src 192.168.3.1
192.168.1.0/24 via 192.168.10.2 dev tun21
192.168.10.0/24 dev tun21  proto kernel  scope link  src 192.168.10.1
*.*.80.0/23 dev eth0  proto kernel  scope link  src *.*.80.47
127.0.0.0/8 dev lo  scope link
default via *.*.80.1 dev eth0
[email protected]:/tmp/home/root# ifconfig
br0       Link encap:Ethernet  HWaddr B0:6E:BF:B5:04:90
          inet addr:192.168.3.1  Bcast:192.168.3.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:71880049 errors:0 dropped:0 overruns:0 frame:0
          TX packets:65450105 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:54164781475 (50.4 GiB)  TX bytes:55911197513 (52.0 GiB)


eth0      Link encap:Ethernet  HWaddr E0:D5:5E:88:9C:A0
          inet addr:*.*.80.47  Bcast:*.*.81.255  Mask:255.255.254.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1340392053 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1333922706 errors:320836 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3919490467 (3.6 GiB)  TX bytes:3969787316 (3.6 GiB)
          Interrupt:179 Base address:0x4000


eth1      Link encap:Ethernet  HWaddr B0:6E:BF:B5:04:94
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:15619040 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32196831 errors:0 dropped:3681375 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1181313054 (1.0 GiB)  TX bytes:2604695682 (2.4 GiB)


eth2      Link encap:Ethernet  HWaddr B0:6E:BF:B5:04:90
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:10193 errors:0 dropped:0 overruns:0 frame:0
          TX packets:614979 errors:0 dropped:2270410 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:711871 (695.1 KiB)  TX bytes:59101568 (56.3 MiB)


eth3      Link encap:Ethernet  HWaddr B0:6E:BF:B5:04:98
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:10504414 errors:0 dropped:0 overruns:0 frame:0
          TX packets:21976516 errors:0 dropped:2936666 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1902009654 (1.7 GiB)  TX bytes:3310168667 (3.0 GiB)


lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
          RX packets:9753554 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9753554 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2302013975 (2.1 GiB)  TX bytes:2302013975 (2.1 GiB)


lo:0      Link encap:Local Loopback
          inet addr:127.0.1.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1


tun21     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.10.1  P-t-P:192.168.10.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:4167 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3082 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3306352 (3.1 MiB)  TX bytes:300331 (293.2 KiB)


vlan1     Link encap:Ethernet  HWaddr B0:6E:BF:B5:04:90
          UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:654517013 errors:0 dropped:0 overruns:0 frame:0
          TX packets:714040918 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:452794921188 (421.6 GiB)  TX bytes:667695386237 (621.8 GiB)


vlan2     Link encap:Ethernet  HWaddr B0:6E:BF:B5:04:90
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ISP addresses were partially sanitized.

My custom openvpn server configuration is
Code:
push "route 192.168.6.0 255.255.255.0"
route 192.168.6.0 255.255.255.0
 
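Added example, not code from the thread: a small route-table checker that parses the `ip route` output above (WAN lines with sanitized addresses left out) and applies the Linux rule that a next hop given with `gw`/`via` must itself be on-link, which is why the client's `route add -net 192.168.6.0 ... gw 192.168.3.109` in the first post fails while the route via 192.168.10.1 succeeds. The client table is constructed from the log lines in the first post; the client interface name tun15 is an assumption.

```python
import ipaddress

# Router table as posted in the thread (WAN lines with sanitized addresses omitted).
ROUTER_TABLE = """
192.168.6.0/24 via 192.168.3.109 dev br0  metric 2
192.168.5.0/24 via 192.168.3.109 dev br0  metric 2
192.168.4.0/24 via 192.168.3.109 dev br0  metric 2
192.168.3.0/24 dev br0  proto kernel  scope link  src 192.168.3.1
192.168.1.0/24 via 192.168.10.2 dev tun21
192.168.10.0/24 dev tun21  proto kernel  scope link  src 192.168.10.1
"""

# Constructed client table: what the VPN client holds right after the first
# pushed route in the log (192.168.3.0/24 via 192.168.10.1) has been added.
# The tunnel interface name tun15 is assumed.
CLIENT_TABLE = """
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
192.168.10.0/24 dev tun15  proto kernel  scope link  src 192.168.10.2
192.168.3.0/24 via 192.168.10.1 dev tun15  metric 500
"""

def parse_ip_route(text):
    """Parse `ip route` output into (prefix, gateway-or-None, dev) tuples."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        dst = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        gw = tok[tok.index("via") + 1] if "via" in tok else None
        dev = tok[tok.index("dev") + 1] if "dev" in tok else None
        routes.append((ipaddress.ip_network(dst, strict=False), gw, dev))
    return routes

def lookup(routes, dst):
    """Longest-prefix match: the entry the kernel would use to reach dst."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in routes if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def can_add_via(routes, gw):
    """Linux accepts `route add ... gw GW` only if GW is on-link, i.e. the
    route matching GW has no 'via' of its own. A next hop that is only
    reachable through another gateway is refused ('Network is unreachable'),
    so the client cannot install 192.168.6.0/24 via 192.168.3.109."""
    hit = lookup(routes, gw)
    return hit is not None and hit[1] is None

if __name__ == "__main__":
    router, client = parse_ip_route(ROUTER_TABLE), parse_ip_route(CLIENT_TABLE)
    print("router -> 192.168.6.5:", lookup(router, "192.168.6.5"))
    for gw in ("192.168.3.109", "192.168.10.1"):
        print(f"client can add 192.168.6.0/24 via {gw}:", can_add_via(client, gw))
```

The router's own table already sends 192.168.6.x to 192.168.3.109 on br0, so pushing the prefix without a gateway (as in the custom config above) is enough; the client only needs to hand the packet to 192.168.10.1.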

eibgrad

Very Senior Member
Based on this latest information, you only need to push those VM networks as follows.

Code:
push "route 192.168.3.0 255.255.255.0"
push "route 192.168.6.0 255.255.255.0"

But you also need to configure the OpenVPN server "Client will use VPN to access" setting to Both, otherwise it will configure the firewall to prevent access to those other networks.

Finally, this may be a problem of the VMs not knowing how to route the OpenVPN client's network (192.168.10.x). It's also possible the VM's own personal firewalls are not allowing access by 192.168.10.x. This is esp. true w/ Windows.

For these reasons, I prefer to NAT the traffic inbound from the OpenVPN server's network as it's dumped on the private network, thereby masking it w/ the LAN ip of the router and avoiding a lot of these routing and firewall issues.

Code:
iptables -t nat -I POSTROUTING -s 192.168.10.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)

First try it from a shell (ssh) to verify it works. And if it does, make it persistent w/ a nat-start script.
 

scuro

New Around Here
But you also need to configure the OpenVPN server "Client will use VPN to access" setting to Both, otherwise it will configure the firewall to prevent access to those other networks.
I figured this might be a possibility but when you set this to both, the vpn client starts sending all traffic through VPN, not just the LAN.
 

eibgrad

Very Senior Member
Then you may need to specify LAN only, but add firewall rules to permit the other networks as well.

Code:
iptables -I FORWARD -i tun21 -d 192.168.3.0/24 -j ACCEPT
iptables -I FORWARD -i tun21 -d 192.168.6.0/24 -j ACCEPT

These you would need to add to the firewall-start script to make them persistent.
 

scuro

New Around Here
Yup, it was just the firewall of the router/vpn that wasn't letting the packets through.

Code:
iptables -I FORWARD -i tun21 -d 192.168.6.0/24 -j ACCEPT
This fixed it. I'll have to add that line to the startup scripts. Thank you!

The rest of my config was good that I listed above.
 