OpenWrt Forum Archive

Topic: Getting LAN to access OpenVPN tunnel

The content of this topic has been archived on 3 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi all

I'm having a bit of a problem with running OpenVPN on the linksys. Well, actually, running it is not a problem. The OpenVPN runs perfectly, and on the linksys I can access the other network without any trouble.

The only thing now is that the clients that are connected on the LAN side of the linksys can't get to the devices. A ping or whatever ends in a void. Since the OpenVPN on the linksys works, and all the routes seem fine, I believe it to be a problem with iptables.
I'm using the standard /etc/init.d/S45firewall script, and haven't changed anything just yet. The OpenVPN connects as client on a remote server using tcp:6005.

Does anyone have an idea on what rules to add in S45firewall for the LAN side to have access to OpenVPN ?

If you need more information, let me know and I'll post some configs here.

Greetings.

after getting the vpn connection up, are you adding the routes?
I run 2 scripts via /etc/init.d/rcS

cd /etc/openvpn
/etc/openvpn/connection.sh &
sleep 10
/etc/openvpn/connection-route.sh

the sleep 10 is needed because openvpn takes a bit to get going.

My route add script is this..
route add -net 10.10.0.0 netmask 255.255.0.0 gw 10.4.0.1

I use the default firewall except on the locations I want to route ALL traffic through..

Yes, that all works.

On the client:

lunarg@maya ~ $ /sbin/route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 wlan0
172.16.198.0    *               255.255.255.0   U     0      0        0 vmnet1
loopback        localhost       255.0.0.0       UG    0      0        0 lo
default         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0

On the Linksys:

/ # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.254.22  *               255.255.255.255 UH    0      0        0 tun0
10.10.0.0       192.168.254.22  255.255.255.0   UG    0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
192.168.123.0   *               255.255.255.0   U     0      0        0 vlan1
default         192.168.123.254 0.0.0.0         UG    0      0        0 vlan1

And this all seems right to me, or isn't it?

Also, I'm using this version of OpenVPN:

OpenVPN 2.0_test19 mipsel-unknown-linux-gnu [SSL] [LZO] built on Apr  7 2004
Copyright (C) 2002-2004 James Yonan <jim@yonan.net>

EDIT: one more note though. The linksys is stationed behind another router. Its WAN interface is connected on the "primary router" and gets its IP from the "primary router's" DHCP. Could that be the problem?
Also note, when I telnet into the Linksys and do a ping to the corporate subnet (10.10.0.0), it works just fine. When doing the same from the clients, it fails, and traceroute ends at the first hop at 192.168.1.1. Other internet traffic works fine.

did you add your clients subnet route to the main openvpn server?

No. Should I?
Never had to do that before, but it could make sense.

Anyway, the more I'm reading about it, the more it could seem that double masquerading (done by the linksys and the other router) would break openvpn somehow.

Tomorrow I'm going to test by plugging it in directly on a dsl-modem. It might make a big difference.

I'll let you know.

yes, you need to do that as well. At least the way I use openvpn you do. You have to let the main openvpn server know how to get to your WAN's (linksys's LAN) subnet. I am no expert on linux networking, but I'm able to fumble my way through it -lol


here's an example I do

i have a 10.10.19.0 network tunneling through the internet, port forwarded from a firewall to an internal openvpn server. I have to add a route on the default gateway there telling all the 10.10.10.0 clients that 10.10.19.0 is accessed via the internal openvpn server (10.10.10.248), and vice versa on the linksys side

being that you have the default route set up, you won't be masquerading any of the wan-lan ip.
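As an added example (not code from the thread or from OpenWrt), here is a small POSIX sh script that puts the two pieces of advice above together: the rcS-style client script from earlier in the thread, but polling for tun0 instead of a fixed "sleep 10", plus the return route the OpenVPN server side needs so that replies to the Linksys LAN (192.168.1.0/24) go back into the tunnel. The 10.10.0.0 subnet and the 192.168.254.22 tunnel peer are taken from the route tables posted above; the Linksys's own tun0 address is not shown in the thread, so it is a placeholder. DRY_RUN=1 (the default) only prints the commands, so it can be read and tested without root.

```sh
#!/bin/sh
# Added example, not from the thread. Bring up the VPN route only once tun0
# exists, and show the matching return route for the server side.

NET_SYSFS="${NET_SYSFS:-/sys/class/net}"   # overridable so the wait can be tested without tun0
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print the commands, 0 = execute them

# run CMD ARGS...: print or execute, depending on DRY_RUN
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# wait_for_iface IFACE TIMEOUT_SECONDS: poll until the interface shows up.
# Returns 0 when it appears, 1 on timeout. Replaces a blind "sleep 10".
wait_for_iface() {
    iface="$1"
    timeout="${2:-30}"
    while [ "$timeout" -gt 0 ]; do
        [ -e "$NET_SYSFS/$iface" ] && return 0
        sleep 1
        timeout=$((timeout - 1))
    done
    return 1
}

# add_net_route NET NETMASK GW: same form as the thread's route add line
add_net_route() {
    run route add -net "$1" netmask "$2" gw "$3"
}

# Linksys side: start the tunnel, then route the corporate subnet into it.
# Values are the ones shown in the Linksys route table in this thread.
linksys_routes() {
    wait_for_iface tun0 30 || { echo "tun0 did not come up" >&2; return 1; }
    add_net_route 10.10.0.0 255.255.255.0 192.168.254.22
}

# Server side: the OpenVPN server (and the default gateway of that LAN, if
# the server is not the gateway) must know 192.168.1.0/24 sits behind the
# Linksys end of the tunnel. TUN_CLIENT_IP is the Linksys's tun0 address,
# which the thread does not show, hence the placeholder.
server_return_route() {
    add_net_route 192.168.1.0 255.255.255.0 "${TUN_CLIENT_IP:-TUN_CLIENT_IP_PLACEHOLDER}"
}

case "${1:-}" in
    linksys) linksys_routes ;;
    server)  server_return_route ;;
esac
```

Run it as `sh vpnroutes.sh linksys` on the router (after `/etc/openvpn/connection.sh &`, in place of the sleep) and as `TUN_CLIENT_IP=<linksys tun0 address> sh vpnroutes.sh server` on the server side; set DRY_RUN=0 once the printed commands look right. Without the return route, the Linksys itself can ping 10.10.0.0 (its tunnel address is known to the server) while LAN hosts cannot, which is exactly the symptom described above.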

That sounds pretty obvious as you say it.

Gonna try this out asap.

I'll let you know.

Greetings,

In my setup, I use the wrt54gS running openwrt and openvpn 2.0beta15 as my gateway to the internet and also my "default route" for all my computers on my internal LAN.

For the VPN routes, I just added routes to each computer on my (wired) LAN that needed access to the VPN.

It took a while to figure out all the routes, and I forgot about the fact that one computer was running Zonealarm (firewall) and I had to tell zonealarm to "trust" the VPN subnet.

Mostly I use the VPN to provide extra security for my wifi connection (laptop to wrt54gs). It seems to work fine also.  I had to "break the bridge" as discussed elsewhere on this website, so that I could keep non-vpn wifi traffic from getting access to my LAN. I'm real happy with the results so far.
