OpenVPN, site to site, vlan to vlan?

ladra

New Around Here
Hello,

I would like to ask the community for help in finishing my setup of OpenVPN site to site connection, where VLANs are involved.

* My hardware - RT-N66U at each site, running Tomato Firmware 1.28.0000 MIPSR2-115 K26AC USB AIO-64K by SHIBBY

* My configuration - SITE A has two vlans, 192.168.10.x(LAN/br0) and 20.x(LAN1/br1), SITE B also has two vlans, 192.168.30.x(LAN/br0) and 40.x(LAN1/br1)

* What I have accomplished so far -

Site A is running OpenVPN Server and Site B is the OpenVPN Client, and the VPN connection is working fine. I used the "Manage Client-Specific Options" setting on the VPN server to input the 192.168.40.0 network at SITE B. All devices go out to the Internet via their site router, VPN is only used to access the other site's LAN.

From SITE A,
router can reach 192.168.40.0 network
router can NOT reach 192.168.30.0 network
192.168.10.x devices get "TTL expired in transit" when you ping 192.168.30.0 network
192.168.10.x devices are able to ping 192.168.40.0 network
192.168.20.x devices get "TTL expired in transit" when you ping 192.168.30.0 network
192.168.20.x devices get "Request timed out" when you ping 192.168.40.0 network

From SITE B,
router can reach 192.168.10.0 network
router can NOT reach 192.168.20.0 network
192.168.30.x devices get "TTL expired in transit" when you ping 192.168.20.0 network
192.168.30.x devices get "Request timed out" when you ping 192.168.10.0 network
192.168.40.x devices get "TTL expired in transit" when you ping 192.168.20.0 network
192.168.40.x devices are able to ping 192.168.10.0 network

Basically, SITE B 192.168.40.x network is able to communicate with SITE A 192.168.10.x network

* What I would like to accomplish -

I would like only SITE A 192.168.20.x vlan(network) to communicate with SITE B 192.168.40.x vlan(network).

Using the "Manage Client-Specific Options" at the server allowed me to accomplish half the objective, accessing only 192.168.40.x network at SITE B. However, I'm not sure how to stop access to 192.168.10.x network at SITE A and allow access to 192.168.20.x ...

I think it has to do with adding and deleting the routes, and maybe firewall, but I'm not sure what to do. I've read many posts on many forums for about a day and I'm still lost. I would appreciate any help and/or guidance. Thank you in advance.
 
Problem solved, it was way too easy...

Just needed to add a route. At SITE B(client) added a route to 192.168.20.x network via P-t-P Gateway IP. This gave me the connection I wanted from 192.168.20.x to 192.168.40.x and vice versa.

Then, again at SITE B, delete the route to 192.168.10.x, preventing access to and from 192.168.10.x network from SITE B.

I just need to figure out one more thing. The client(SITE B) P-t-P IP and Gateway IP will/can change every time you establish the VPN connection. I manually looked up the current IPs, then added and deleted the routes. I would like to use a script so that the routes are added and deleted automatically when the VPN connects. However, to do this I need to know the names of the variables that hold these IP numbers...

Does anyone know the variable names for the client tunnel P-t-P IP and Gateway IP? Also, where would I put the script?

Thank you in advance.
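An added example (not from the post, nor from Tomato/Shibby): a `route-up` script for the SITE B client that uses the environment variables OpenVPN exports to its scripts (`route_vpn_gateway`, `ifconfig_remote`, `ifconfig_local`, `dev`, `script_type`) instead of manually looked-up addresses. It assumes the networks from the post, the busybox `route` command on the router, and that the client's custom configuration references it with `script-security 2` and `route-up /jffs/vpn-routes.sh` (the path is an assumption).

```shell
#!/bin/sh
# OpenVPN runs this with script_type=route-up after it has installed the
# tunnel and any pushed routes, so the 192.168.10.0 route already exists
# and can be deleted here. Tunnel addresses come from OpenVPN's environment:
#   ifconfig_local    - this client's P-t-P tunnel IP
#   ifconfig_remote   - the server-side P-t-P address
#   route_vpn_gateway - gateway OpenVPN uses for pushed routes
#   dev               - tunnel interface name (e.g. tun11)

ALLOWED_NET="192.168.20.0"   # SITE A VLAN that SITE B may reach (from the post)
BLOCKED_NET="192.168.10.0"   # SITE A VLAN that SITE B must not reach
MASK="255.255.255.0"

# Gateway for the routes: prefer route_vpn_gateway, fall back to the remote P-t-P IP.
vpn_gateway() {
    if [ -n "$route_vpn_gateway" ]; then
        printf '%s\n' "$route_vpn_gateway"
    else
        printf '%s\n' "$ifconfig_remote"
    fi
}

# Emit the route commands (one per line) so they can be logged or checked
# before anything is changed on the router. Fails if no gateway is known.
route_commands() {
    gw="$(vpn_gateway)"
    [ -n "$gw" ] || return 1
    printf 'route add -net %s netmask %s gw %s dev %s\n' "$ALLOWED_NET" "$MASK" "$gw" "$dev"
    printf 'route del -net %s netmask %s gw %s dev %s\n' "$BLOCKED_NET" "$MASK" "$gw" "$dev"
}

# Apply only when invoked by OpenVPN as a route-up script; each failure is logged
# with its command so a missing or changed tunnel address shows up in the syslog.
if [ "$script_type" = "route-up" ]; then
    route_commands | while read -r cmd; do
        $cmd || logger -t vpn-routes "failed: $cmd"
    done
fi
```

Checking the syslog after a reconnect (routes added and the blocked one gone in `route -n`) confirms the script ran with the addresses of the new session rather than the previous one.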
 
