OpenVPN server can't see client's LAN on Site to site connection

Valentino

Occasional Visitor
Hi,

AC56U acts as OpenVPN server. Its LAN is 192.168.1.0/24, router 192.168.1.1.
Client is an AC66U with LAN 192.168.3.0/24, router 192.168.3.1.
Another client is an RT-N16 on Tomato, 192.168.2.0.
The connection is successful and the clients see only 192.168.1.1, but the server's LAN and the router itself don't see the clients. The routing table is not updated with the route to client 192.168.3.0 or 2.0, but even after I add it manually (route add -net 192.168.3.0 gw 10.8.0.2 dev tun21) there is still no connection. I tried different options, but nothing helps. I don't use traffic encryption and use username/password authentication. Even the clients can ping each other, but the server can't..

on server side:
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
178.140.236.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun21
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun21
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
178.140.236.0 0.0.0.0 255.255.252.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 178.140.236.1 0.0.0.0 UG 0 0 0 eth0

Even if I add route manually, still no ping
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
178.140.236.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun21
192.168.2.1 10.8.0.2 255.255.255.255 UGH 0 0 0 tun21
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun21
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
178.140.236.0 0.0.0.0 255.255.252.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 178.140.236.1 0.0.0.0 UG 0 0 0 eth0
 

Attachment: serverOpenVPN.jpg
People, help me with this problem please!
I can ping server from client, but not client from server!
 
Please, stop bumping the thread. If someone knows the answer, they've already read your message and they will answer.
 
Dear Merlin, maybe you want to help me with this strange feature?

I've never configured a site-to-site tunnel with OpenVPN, only client-to-site, sorry.
 
Hi Valentino, I have the same problem you have described. I want to connect 3 small offices with ASUS RT-N66U, and it works only one way:

from client LAN to server LAN, but not from server LAN to client LAN (ping and FTP).

Do you have an idea how to add routes to the OpenVPN server router, so it knows where the different CLIENT IP ranges are? I think the server doesn't know about the clients, so requests need to be routed, but how?

I found this, but I got lost along the way http://wadihzaatar.com/?p=11
 
Hi peraburek. Thank you for the link!
I think it can be helpful. I have tried to add a route, but it didn't help. I think the problem is with the firewall configuration. I hope these lines should help:
iptables -I INPUT 2 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

I'm not sure whether to apply it on the server or the client side...
I'll try it later...
And you have to add a route to the client's LAN first:
route add -net 192.168.2.0 netmask 255.255.255.0 gw 10.0.0.2 (or dev tun0)
where 192.168.2.0 is the client's LAN and 10.0.0.2 is the client's VPN IP.
You'd better view the routes on the client (route -n) and do the same on the server side.
 
I would like to find (collect) what is necessary to create OpenVPN site-to-site routed LAN connection
(TUN, not TAP) with LAN A (192.168.110.0/24) and LAN B (192.168.120.0/24)

at the moment it seems that OpenVPN and ASUS WRT are not capable of getting this connection working both ways without heavy intervention

it would be perfect if it could work for majority of users without too much hassle
something like this

if we can get that done, then I would try to create an OpenVPN multisite routed LAN tutorial
LAN A (192.168.110.0/24)
LAN B (192.168.120.0/24)
LAN C (192.168.130.0/24)

the 192.168.x.x addresses are just examples
 
Hi peraburek. Thank you for the link!
I think it can be helpful. I have tried to add a route, but it didn't help. I think problem is with firewall configuration. I hope these lines should help:
iptables -I INPUT 2 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Hi Valentino, I think the firewall is the problem as well; however, if you do
route -n
or
ip route

watch for the tun## number (for example tun21), so I think these rules should be changed to
iptables -I INPUT 2 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD -i br0 -o tun21 -j ACCEPT
iptables -I FORWARD -i tun21 -o br0 -j ACCEPT

I have tried this on the server side, but it doesn't work :(
 
I think I got it!
https://community.openvpn.net/openvpn/wiki/RoutedLans
trick is here:
OpenVPN Server side (192.168.0.0/24)
VPN Details: Advanced settings

Manage Client-Specific Options Yes
Allow Client <-> Client Yes
Allow only specified clients No

Custom Configuration
Code:
route 192.168.1.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"

create on OpenVPN SERVER side (192.168.0.0/24):
/jffs/configs/openvpn/ccd1/

file named "client" - this should be the common name; if you have changed it, you should name the file accordingly
and put this code inside
Code:
iroute 192.168.1.0 255.255.255.0

reboot OpenVPN server, reboot OpenVPN client
*change the 192.168.1.0 address to your CLIENT LAN subnet, it could be different
*change the 192.168.0.0 address to your SERVER LAN subnet, it could be different

now in OpenVPN status (server side) you should see this
Routes
Virtual Address Common Name Real Address Last Ref
10.8.0.6 client Sun May 31 02:08:38 2015
192.168.1.0/24 client Sun May 31 02:05:23 2015

from Server side (Asus router), I can ping Client LAN computers :)

@Merlin - what do you think about including OpenVPN site-to-site feature in next firmware release, at least as experimental feature? It should be dead simple to create one script
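The server-side half of the recipe in the post above, as an added example that is not code from the thread or from Asus-Merlin: a small POSIX shell script for the router that writes one ccd file per client (the iroute line) and prints the matching route and push lines for the server's Custom Configuration box. The ccd path default is the one the post names for server instance 1; the common names and subnets in the demo at the bottom are constructed for this example. The script also converts CIDR notation into the netmask form OpenVPN's route, push and iroute lines take, and refuses a host address such as 192.168.3.1/24, since an iroute written from that would never match the client's LAN.

```shell
#!/bin/sh
# Added example, not code from the thread or from Asus-Merlin. Generates the
# server-side pieces of a routed OpenVPN site-to-site setup: one ccd file per
# client holding its "iroute", plus the "route"/"push route" lines for the
# server's Custom Configuration box. Demo data at the bottom is constructed.
set -u

# Dotted quad -> 32-bit integer (192.168.3.0 -> 3232236288).
# Fails on anything that is not exactly four decimal octets in 0-255.
ip_to_int() {
    case $1 in .*|*.|*..*) return 1 ;; esac
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length -> dotted netmask (24 -> 255.255.255.0).
prefix_to_mask() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 32 ] || return 1
    if [ "$1" -eq 0 ]; then
        m=0
    else
        m=$(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
    fi
    echo "$(( (m >> 24) & 255 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))"
}

# "a.b.c.d/len" -> "network netmask". Rejects a host address such as
# 192.168.3.1/24 (host bits set): an iroute built from it never matches the LAN.
cidr_to_net_mask() {
    net=${1%/*}
    len=${1#*/}
    [ "$net" != "$1" ] || return 1
    n=$(ip_to_int "$net") || return 1
    mask=$(prefix_to_mask "$len") || return 1
    m=$(ip_to_int "$mask")
    [ $(( n & ~m )) -eq 0 ] || return 1
    echo "$net $mask"
}

# Read "common_name subnet/len" lines on stdin. For each, write $1/<common_name>
# containing the iroute line and print the route + push lines for the server's
# custom config. Bad entries are skipped with a message on stderr and make the
# function return 1 once the rest have been processed.
gen_site_to_site() {
    ccd_dir=$1
    mkdir -p "$ccd_dir" || return 1
    rc=0
    while read -r cn cidr; do
        case $cn in ''|'#'*) continue ;; esac
        # The common name becomes a file name: keep it to plain file-name characters.
        case $cn in */*|*..*|*[!A-Za-z0-9._@-]*)
            echo "skip: bad common name '$cn'" >&2; rc=1; continue ;;
        esac
        nm=$(cidr_to_net_mask "$cidr") || {
            echo "skip $cn: bad subnet '$cidr'" >&2; rc=1; continue
        }
        net=${nm% *}
        mask=${nm#* }
        printf 'iroute %s %s\n' "$net" "$mask" > "$ccd_dir/$cn"
        printf 'route %s %s\npush "route %s %s"\n' "$net" "$mask" "$net" "$mask"
    done
    return $rc
}

# Demo with constructed data (two made-up common names and LAN subnets).
# Run as "sh thisfile.sh --demo" on the server; CCD_DIR overrides the Merlin path
# named in the post (/jffs/configs/openvpn/ccd1 for server instance 1).
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' 'client_ac66u 192.168.3.0/24' 'client_rtn16 192.168.2.0/24' |
        gen_site_to_site "${CCD_DIR:-/jffs/configs/openvpn/ccd1}"
fi
```

The file name must be exactly the Common Name the server's status page shows for that client; if it differs, OpenVPN never reads the iroute and the symptom is the one-way traffic from the top of the thread. The route line is what makes OpenVPN add the kernel route through the tun interface itself, so the manual route add tried earlier is not needed; iroute is the server-internal half, telling OpenVPN which connected client owns that subnet, which also means a client presenting a different common name is never handed packets for it. One caveat from the opening post: that server runs with traffic encryption turned off, and for a tunnel carrying two office LANs across the Internet that is the first setting to revisit.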
 
@Merlin - what do you think about including OpenVPN site-to-site feature in next firmware release, at least as experimental feature? It should be dead simple to create one script

I would have to find the time to setup a complete lab setup with two separate LANs to be able to test and implement it. At this time this isn't a priority, but I'm not opposed to adding this in the future.
 
file named "client" - this should be common name
Good news, peraburek! But I didn't understand which filename I should use??? client1 or what?

I wanted to make a tutorial too :) I'm trying to connect all the home routers of my parents and friends together in one common network. Also trying to establish a VPN tunnel with IPsec routers, but that's another story, and it's a pity there is no GUI for it in the WRT firmwares :( Also I want to make network neighborhood work too. I read somewhere it's necessary to configure samba smb.conf for the master browser and configure one common WINS server for all the clients' PCs.
 
Got it! It's working!!!! :)
I understood, the filename should be the Common name shown on the VPN status page!

Now network neighborhood and IPsec are left :)
 
I would like to find (collect) what is necessary to create OpenVPN site-to-site routed LAN connection
(TUN, not TAP) with LAN A (192.168.110.0/24) and LAN B (192.168.120.0/24)
Peraburek, don't you plan to make network neighborhood work? And don't you plan to establish an IPsec tunnel?
 
ASUS routers don't support IPsec out of the box, and I think if they did, performance would be very poor.
Network neighborhood, why? I don't see the purpose.

I am connecting 3 small business sites with Asus routers using OpenVPN, and it works just fine.

I could recommend the AC66U since this router has decent OpenVPN performance (throughput about 4 MB/sec = 32 Mbit/sec), which is great if you have enough bandwidth available.

I use an RT-N66U and I can saturate a 5 Mbit/s upload; soon I will test it with a 10 Mbit/s upload.
From this table the RT-N66U has 1.6 MB/s = 12.8 Mbit/s, so it should be sufficient to saturate a 10 Mbit/s upload link.

On a 5 Mbit/s upload with full link (OpenVPN) saturation I see CPU use of ~45% on the RT-N66U model, so I guess on a 10 Mbit/s upload it will be close to 100% CPU use.

[image: asus-routers-openvpn-thr.jpg]

http://www.smallnetbuilder.com/othe...-up-and-using-openvpn-on-asus-routers?start=2
 