
Openvpn - can't ping the openvpn clients from LAN


gmx-smallnetbuilder

Occasional Visitor
Hi everyone,

I generated a few certificates and set an OpenVPN server on an ASUS RT-N66u with RT-N66U_3.0.0.4_270.26b.

When I connect from WAN to the router using the OpenVPN client I get an IP address and I can ping the IPs from the LAN.

However, when I'm in the LAN and I try to ping the openvpn IP of my client (10.9.0.6), I don't receive any replies.
Am I missing a route on the router? Or do I need to add a rule on the firewall?

The settings of the OpenVPN server are as follows:
Server instance: Srv1
State: ON
Start with WAN: Yes
Interface type: TUN
Protocol: TCP
Port: 1194
Firewall: Automatic
Authorization Mode: TLS
Extra HMAC (tls-auth): Disabled
VPN Subnet: 10.9.0.0/24
Pool interval: 0
Push LAN to clients: Yes
Direct clients to redirect Internet traffic: No
Respond to DNS: No
Encryption cipher: AES-256-CBC
Compression: Adaptive
TLS Renegotiation Time: -1
Manage Client-Specific Options: No

Thank you!
I found the answer to this question on my own.
It looks like if you want to allow traffic between the OpenVPN clients (tun21) and the LAN clients (br0) you need to add some iptables rules to the nat table. To do this, you need to enable SSH and connect to the router over SSH.
Then at the command prompt you can type the following:
Code:
iptables -A FORWARD -i tun21 -o br0 -j ACCEPT
iptables -A FORWARD -i br0 -o tun21 -j ACCEPT

To make this change survive a reboot you'll need to enable jffs and save the following in the file /jffs/scripts/nat-start:
Code:
#!/bin/sh
touch /tmp/000_nat-start
iptables -A FORWARD -i tun21 -o br0 -j ACCEPT
iptables -A FORWARD -i br0 -o tun21 -j ACCEPT

After the file is saved, you need to make it executable. At the command prompt run the following command:
Code:
chmod a+rx /jffs/scripts/*

To enable jffs you can use the following link:
https://github.com/RMerl/asuswrt-merlin/wiki/JFFS
To read some info about the 'User scripts' you can follow the following link:
https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts
To edit a file, you can use the built-in 'vi' editor. You can check the following link for a jump start on how to create the nat-start file with vi:
http://www.unix-manuals.com/tutorials/vi/vi-in-10-1.html

To check that the 'nat-start' script is run after a reboot you can run the following command:
Code:
ls -al /tmp/

A file named '000_nat-start' should have been created.

Running the command 'iptables -L -v' should show 2 lines in the FORWARD chain indicating that the traffic from br0 to tun21 and from tun21 to br0 is ACCEPTed.

Hope this helps!
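One way to make the nat-start script described above safe to re-run, as an added example that is not the original poster's script and not part of Asuswrt-Merlin; it assumes the same tun21/br0 interface names and that the router's iptables supports `-S` (rule listing in command form). Asuswrt-Merlin can call nat-start more than once per boot, and a plain `iptables -A` then appends a duplicate copy of each rule every time:

```shell
#!/bin/sh
# Added example (not the original poster's script, not Asuswrt-Merlin code):
# an idempotent /jffs/scripts/nat-start for the tun21 <-> br0 FORWARD rules.
# A rule is only appended when `iptables -S FORWARD` does not list it yet,
# so repeated nat-start runs do not pile up duplicate ACCEPT rules.

VPN_IF="tun21"   # OpenVPN server instance 1, as in the thread (assumed)
LAN_IF="br0"     # LAN bridge, as in the thread (assumed)

# rule_present LISTING IN OUT
# Returns 0 when LISTING (the text printed by `iptables -S FORWARD`)
# already contains "-A FORWARD -i IN -o OUT -j ACCEPT", 1 otherwise.
rule_present() {
    printf '%s\n' "$1" | grep -q -- "^-A FORWARD -i $2 -o $3 -j ACCEPT\$"
}

# ensure_forward_rule IN OUT
# Appends the ACCEPT rule for IN -> OUT only if it is not already present.
ensure_forward_rule() {
    listing=$(iptables -S FORWARD 2>/dev/null) || listing=""
    if rule_present "$listing" "$1" "$2"; then
        echo "FORWARD $1 -> $2 already accepted, nothing to do"
        return 0
    fi
    iptables -A FORWARD -i "$1" -o "$2" -j ACCEPT
}

# The firewall is only touched when this file actually runs as nat-start
# on the router; sourcing it elsewhere just defines the functions above.
if [ "${0##*/}" = "nat-start" ]; then
    touch /tmp/000_nat-start          # reboot marker used in the thread
    ensure_forward_rule "$VPN_IF" "$LAN_IF"
    ensure_forward_rule "$LAN_IF" "$VPN_IF"
fi
```

After a reboot, `iptables -S FORWARD` should show each of the two rules exactly once, however many times nat-start has fired.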
 
You shouldn't need these rules. The first rule in the FORWARD chain is:

Code:
 pkts bytes target     prot opt in     out     source               destination
   0     0 ACCEPT     all  --  tun21  any     anywhere             anywhere

which would do the same thing as your first rule. And the last FORWARD rule:

Code:
13183 1419K ACCEPT     all  --  br0    any     anywhere             anywhere

would also take care of what your second rule does.

Instead, see if it helps when you delete the following rule:

Code:
2387K 2152M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED

as there have been some reports about issues related to this rule.

I just thought about something - another thing to try is to disable HW acceleration. I suspect this could cause the whole FORWARD chain to be bypassed.
 
Cool! Thanks for the reply!

It works with the 2 rules and I'll play with the rules you specified to find out if that all all rule caused the issue.

The FORWARD chain is not bypassed as it started to work when I added the 2 rules.

Br, gmx