OpenVPN Clients Can't Reach Subnet / Child Network

radams

Occasional Visitor
I've searched for a solution for my issue in these fantastic SNB forums as well as all over Google and have not found my exact issue or resolution to it.
I have an ASUS RT-ac86u with the latest (386.2_6) compatible version of Asuswrt-Merlin. I have also set up a child subnet in my network using an ASUS RT-ac68u, also running the latest (386.2_6) compatible version of Asuswrt-Merlin. No issues with access to / from the child network from / to my main network - I can access all hosts as needed and the hosts on the child network can access the internet.
I've set up the OpenVPN Server on my main router (ac86u) and can access all hosts on my main network remotely.
So far so good.
The problem I'm having is that I cannot access my child network via the VPN connection.
Since I can access everything locally, I've ruled out a number of possible blocks and it seems to me that I need to play with IP Tables to properly gain access thru my VPN connection. For the record, NONE of these hosts are running Windows anything - they are all either Linux hosts, Android devices or cameras (the cameras are on the child network) - so there is no WFW preventing access.
Interestingly, while I cannot access or ping any hosts on the child subnet thru the VPN, I CAN ping the VPN clients from the child subnet. This tells me that routing *seems* to be properly in place and working as expected.
My belief is that this is an issue with reverse nat. I've played with IPTables' tables (NAT and OVPN), as well as the chains and targets - all to no avail.

EDIT:
I have no idea whether I actually created my IPTables rules correctly or not with the Merlin firmware and may have configured it wrong.

Here is my setup:
Main network ID: 10.0.10.0/26
Child network ID: 10.0.20.0/29
VPN network ID: 10.8.0.0/24

LAN port 4 of rt-ac86u (10.0.10.0/26) -->> WAN port of rt-ac68u (static IP of 10.0.10.2)
LAN ports of rt-ac68u (10.0.20.0/29) -->> child network

I can provide any additional information needed.

Thanks in advance for any help.
 

ColinTaylor

Part of the Furniture
1. Have you disabled NAT on the AC68U? Depending on whether you have or not different solutions are required.

2. On the VPN server have you pushed the 10.0.20.0 subnet under "Custom Configuration".
 

radams

Occasional Visitor
1. Yes, I disabled NAT on the ac68u and that made no difference. There is a feature on the 86 that allows for "Full cone" NAT, but the 68 does not have this capability.

2. Yes, with both of the following configurations, neither of which worked:
a. push "route 10.0.20.0 255.255.255.248 vpn_gateway 501"
b. push "route 10.0.20.0 255.255.255.248"

Is this a routing issue? A VPN config issue? A NAT issue? I'm stuck and would really appreciate any help.
 

eibgrad

Part of the Furniture
The fact you state "No issues with access to / from the child network from / to my main network - I can access all hosts as needed and the hosts on the child network can access the internet" tells me you must have used iptables to allow access into the child network from the main network over the WAN, because normally that would NOT be allowed. And so it might help to see specifically what you did w/ iptables. Maybe you only allowed source IPs in from the main network and NOT the VPN's network.

Btw, there are numerous issues that can crop up when trying to access remote networks over the VPN server, including firewalls. In my own case, to simplify matters, I always NAT the inbound traffic from the VPN's tunnel over the private network (br0) w/ the LAN ip of the router. By doing so, it appears to all targets that the client is the router itself rather than the OpenVPN client.

Code:
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)

Yes, it's a bit of a trick. But as I said, sometimes it's just simpler than trying to manage all the issues that crop up when you introduce a new IP network from the tunnel. Granted, if you have a need to filter access by your OpenVPN client based on their source IP, this isn't going to work. But for most ppl, it's NOT going to be an issue.
 

radams

Occasional Visitor
I ran the code you had provided and there is no change.

Are there any commands I can run for you to take a peek at any specific configs?
 

eibgrad

Part of the Furniture
Well as I stated before, your description suggests you added firewall rules to make the child network available from the main network over the former's WAN. I'd like to see those rules.

I suppose it wouldn't hurt to dump the firewall on both routers.

Code:
iptables -vnL INPUT
iptables -vnL FORWARD
iptables -vnL OVPN # only relevant to primary router

Might as well dump ifconfig and the routing tables as well.

Code:
ifconfig
ip route

And the OpenVPN server config file.

Code:
cat /tmp/etc/openvpn/server1/config.ovpn
 

radams

Occasional Visitor
I was pretty rude in not thanking you for your time previously - thank you very much.

I made no direct firewall changes for this, however, I had disabled the child network from within the router's "Network Map" page by viewing the list of clients and then choosing "Block Internet Access" for the child router. This, I am quite certain, made a change in the IPTables.

Since there is a limit to the number of characters I can post, I've attached the outputs in a text file; the file was created in Kate but should be viewable with any text program.

Thank you again for your time and help!
 

Attachment: command-outputs.txt

eibgrad

Part of the Furniture
I took a look at your dumps, and something doesn't make sense here.

Reading your initial post, I was under the impression that you had simply daisy-chained the child router to the main router, WAN to LAN respectively. You even indicated the WAN of the child router was assigned an IP from the main router (10.0.10.2). That's why I stated that you normally need to add firewall rules to the child router that allowed connections to be initiated from the main router's IP network (10.0.10.0/26), past the firewall protecting the child router's WAN, and into the 10.0.20.x network. But then you said you hadn't added any such rules.

Now I'm starting to think that your child router is NOT configured as a standard router w/ an active WAN. But more likely, in some sort of bridged/AP mode, where the WAN has been remapped to the LAN. IOW, it's a WAN port in name only. It's really acting as just another LAN port, and therefore both networks are part of the same ethernet segment.

If so, that's highly unusual. There's not much benefit in having multiple IP networks on the same ethernet segment, since you can't fully secure one from the other. All a client has to do is multihome their network adapter for both networks to gain access to either one. But if the child router is using an actual *WAN*, the child network is firewall'd from the main network, and it takes firewall rules for the main network to access the child network.

One of the giveaways that this wasn't the configuration I was expecting is when I saw NO RULES for the INPUT chain on the child router. Plus, the following rule in the FORWARD chain of the primary router.

0 0 ACCEPT all -- br0 br0 10.0.10.0/26 10.0.20.0/29

A rule like that would only make sense if the main router had an assigned IP on *both* networks. So clients bound to 10.0.10.x could route to 10.0.20.x via the primary router. But that's NOT the case.

So from my side of the forum, a lot of this isn't making sense. You need to explain what's really going on here before I can assess why the OpenVPN server can't access the child router's network.
 

radams

Occasional Visitor
Thank you again for your time and patience.
Here is my setup:

- Internet --> WAN port of primary router
- LAN port 4 of primary router --> WAN port of child router
- Primary network id: 10.0.10.0/26
- Child network id: 10.0.20.0/29

- Route added on primary network --> 10.0.20.0/29
- Internet access for child router is blocked at primary router thru ASUS Merlin gui (Network map > Client list > child router > "Block Internet Access" > save)
- Firewall on child router disabled thru ASUS Merlin gui

- All hosts physically located on the primary network can access all hosts on the child network
- VPN access from the internet works for access to all hosts only on the primary network

The issue is that I cannot access any hosts on the child network via VPN.

I have not manually / directly made any changes to IP Tables, the only changes made would have been from changes made via the gui.

I'm sorry if any of that was unclear before.
 

eibgrad

Part of the Furniture
Thanks, although you've pretty much restated what you said initially.

As ColinTaylor suggested previously, you need to push the 10.0.20.0/29 network to the OpenVPN client in the OpenVPN server config, which you said didn't work. But you still need it. Perhaps there are additional issues. And the latest dump does NOT show it in the OpenVPN server config.

Code:
push "route 10.0.20.0 255.255.255.248"

Without it, the OpenVPN client doesn't even know that it needs to use the OpenVPN server to access that network.

- Internet access for child router is blocked at primary router thru ASUS Merlin gui (Network map > Client list > child router > "Block Internet Access" > save)

Well that's interesting. That would normally block access from br0 to *any* other network interface, including the WAN or OpenVPN. And AFAIK, the firewall rule it generates is based on the MAC address of the client when using that technique. For example...

Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
...
    0     0 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            MAC 40:16:7E:C4:5A:FC
...

But I don't see any such thing in the dump of the primary router's firewall.

Regardless, I would suggest removing the block, if only to see if it now works (provided you also put back the push directive for 10.0.20.0/29 in the OpenVPN server config).
 

radams

Occasional Visitor
Ok, so the "push" directive has been added, the block has been removed and there is no change. I've re-run the commands on each router and have attached their outputs.

That would normally block access from br0 to *any* other network interface, including the WAN or OpenVPN.

If that were the case, wouldn't that also prevent access to the child router from any host connected to the primary router? I do have access from all hosts located on my physical network, connected both via ethernet and WiFi.

FYI: there is an update to the Merlin fw; I had installed it on both routers in the hopes that there might be a bug in the previous fw, but there were no changes in behavior.
 

Attachment: command-outputs_2.txt

eibgrad

Part of the Furniture
I just noticed this in the dump.

Code:
Chain OVPN (2 references)
pkts bytes target     prot opt in     out     source               destination      
    0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            10.0.10.0/26

That suggests you have "LAN Only" specified for "Client will use VPN to access" on the OpenVPN server. That is limiting access to the primary router's IP network. You either have to specify "Both" (the destination on that rule will then change to 0.0.0.0/0 (i.e., anything)), or else add a rule for the 10.0.20.0/29 network to the firewall.

Code:
iptables -I FORWARD -i tun21 -d 10.0.20.0/29 -j ACCEPT

IOW, you have to make the route for 10.0.20.0/29 known w/ the push, *and* allow access to it through the firewall.
 
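To make the fix from the reply above stick across firewall restarts and to spot the "LAN Only" symptom from a dump, here is an added example (not code from the thread or from Asuswrt-Merlin): a fragment for the Merlin user script /jffs/scripts/firewall-start that adds the tun21 -> 10.0.20.0/29 FORWARD rule only if it is not already present, plus a helper that classifies an "iptables -vnL OVPN" dump. The server instance (tun21), the child subnet and the LAN subnet are taken from the thread; treating instance 1 as the only server is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread: a fragment for Asuswrt-Merlin's
# /jffs/scripts/firewall-start that opens the child subnet to OpenVPN server
# clients idempotently, plus a helper that classifies an "iptables -vnL OVPN"
# dump the way the reply above does (LAN Only vs Both).
# Assumptions: server instance 1 (tun21), child net 10.0.20.0/29, LAN 10.0.10.0/26.

CHILD_NET="10.0.20.0/29"
LAN_NET="10.0.10.0/26"
VPN_IF="tun21"
IPTABLES="${IPTABLES:-iptables}"   # overridable so the logic can be dry-run

# Insert the FORWARD rule only if it is not already present (-C exits 0 when the
# rule exists), so repeated firewall restarts do not stack duplicate rules.
ovpn_allow_child() {
    if $IPTABLES -C FORWARD -i "$VPN_IF" -d "$CHILD_NET" -j ACCEPT 2>/dev/null; then
        echo "rule present"
        return 0
    fi
    $IPTABLES -I FORWARD -i "$VPN_IF" -d "$CHILD_NET" -j ACCEPT && echo "rule added"
}

# Classify the OVPN chain from an "iptables -vnL OVPN" dump read on stdin:
#   lan-only : ACCEPT from tun21 is restricted to the LAN subnet ("LAN Only")
#   both     : ACCEPT from tun21 allows any destination 0.0.0.0/0 ("Both")
#   none     : no ACCEPT rule for tun21 at all
ovpn_mode_from_dump() {
    awk -v vif="$VPN_IF" -v lan="$LAN_NET" '
        $3 == "ACCEPT" && $6 == vif {
            if ($9 == "0.0.0.0/0") { print "both"; found = 1; exit }
            if ($9 == lan)        { print "lan-only"; found = 1; exit }
        }
        END { if (!found) print "none" }'
}

# Apply only when running as the firewall-start hook; when sourced or run
# elsewhere the functions are just defined for inspection.
case "$0" in
    */firewall-start) ovpn_allow_child ;;
esac
```

Run `iptables -vnL OVPN | sh -c '. ./firewall-start; ovpn_mode_from_dump'` style checks from the router shell to confirm which mode the server is in before adding rules.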

radams

Occasional Visitor
So creating the firewall rule did not make the difference, but setting "Client will use VPN to access" to "Both" did; however, I also had to unblock the child router from the "Network Map" page, which defeats the purpose of having the child router in the first place.

Does setting the VPN clients to access both LAN and Internet force the client to use the VPN connection for all its network traffic during the session? I'm OK with that if yes, but a bit better than OK if no.

Thanks again for your time and patience.
 

radams

Occasional Visitor
I had forgotten to add that, after adding the firewall rule I had run the command "iptables -vnL OVPN" and expected to see the rule listed there - it was not. I then ran "iptables -vnL FORWARD" and found the rule listed there as the first one. Not sure if that makes a difference.
 

eibgrad

Part of the Furniture
So creating the firewall rule did not make the difference, but setting "Client will use VPN to access" to "Both" did

Makes no sense. If using Both worked (which allows access to any network (0.0.0.0/0)), then clearly it was a firewall issue. I suggested that firewall rule for 10.0.20.0/29 so you could limit the additional networks to it alone. But either way, it should have worked.

And no, it doesn't matter whether it's placed in the OVPN chain or the FORWARD chain. Either will work.

Does setting the VPN clients to access both LAN and Internet force the client to use the VPN connection for all its network traffic during the session? I'm OK with that if yes, but a bit better than OK if no.

Yes. Because the use of Both or Internet Only will result in the router adding the following directive to the OpenVPN server config file.

Code:
push "redirect-gateway def1"

You can confirm this by dumping the config file.

Code:
cat /tmp/etc/openvpn/server1/config.ovpn

When that directive is received by the OpenVPN client, it will change its default gateway to the OpenVPN server, and thus its internet access will be routed through the OpenVPN server. Even so, the OpenVPN client still has the option to ignore that push'd directive with the following directive in its own config file.

Code:
pull-filter ignore "redirect-gateway"

IOW, ultimately the OpenVPN client has the final say on whether or not it will use the OpenVPN server for internet access.
 

radams

Occasional Visitor
Sorry for the late response, I've got a newborn that takes a good deal of my time, plus I'm in south Florida (I only live here, I'm not actually from here) and preparing for the coming storm Fred (great name, huh?). I'll probably not be able to do anything with this for another day or two, depending on what Fred decides to do.

Thank you again for all your help and patience!
 

radams

Occasional Visitor
Storm passed us by and I didn't even have to test the new grill :)

I'm beginning to believe the reason the router isn't allowing my VPN connection to the child network when it's blocked is because the VPNed packets don't show their origin as being from within the network. I also believe they can't be mangled to "fool" the primary router, since that is where the actual mangling would occur. If this is the case then I'll have to be satisfied with keeping the block off and using IPTables to prevent unwanted communications of my IoT devices to/from the Chinese servers they so desperately want to connect with.
 

radams

Occasional Visitor
To add to the weirdness, I woke up to start working on IPTables and tested before doing anything and, quite to my surprise, everything works as I'd wanted it to - the child network has Internet access blocked at the primary router and I can log in via VPN and access my cameras. I rebooted both routers to make sure there weren't any configs being held over from any previously unsaved changes and it still worked as desired.
Thank you all, especially eibgrad, for all your assistance and patience with this, it is greatly appreciated!
 
