OpenWrt Forum Archive

Topic: OpenVPN routing problem

The content of this topic has been archived on 30 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I've searched the whole internet and still didn't find a solution... or maybe I did and overlooked it :). OK... the problem is this:
- I set up an Asus WL500gP with OpenWRT
- installed OpenVPN on it to use it as a client to connect to the office
- managed to configure it and now it connects and can access the office LAN from my router
- what do I have to do to make the computers behind the router see the office LAN?

   In my limited knowledge I'm guessing it's a routing problem and that I have to set the router to allow traffic between the LAN interface (br-lan) and the VPN interface (tun). I've got no idea how to do this... can anyone please help?

netstorm wrote:

I've searched the whole internet and still didn't find a solution... or maybe I did and overlooked it :). OK... the problem is this:
- I set up an Asus WL500gP with OpenWRT
- installed OpenVPN on it to use it as a client to connect to the office
- managed to configure it and now it connects and can access the office LAN from my router
- what do I have to do to make the computers behind the router see the office LAN?

   In my limited knowledge I'm guessing it's a routing problem and that I have to set the router to allow traffic between the LAN interface (br-lan) and the VPN interface (tun). I've got no idea how to do this... can anyone please help?

A couple of things you need to do (some I guess you have done already):

1) Turn on IP forwarding, otherwise packets will not be routed through the machine, but I am guessing this is already on.
2) Is your OpenWrt box the default gateway for your network?
3) Fix up iptables.
   A quick and simple solution is:

iptables -I FORWARD -i <internal interface> -o <openvpn interface> -j ACCEPT

which basically says: allow through anything that is coming from your local LAN and going out the OpenVPN interface.

Or you could do it by IP address:

iptables -I FORWARD -s <source network> -d <destination network> -j ACCEPT

Alex

Thanks for the reply! I'll give it a shot as soon as I get home... now I'm at work and there's no way to test if it's working :D. Anyway, I think the first option is better because the LAN at work has more than one IP class. So the iptables rule should look like this:
   iptables -I FORWARD -i br-lan -o tun0 -j ACCEPT  ?

That didn't work :)

After some more searching and requesting help, I managed with this:

iptables -t nat -I POSTROUTING -o tun0 -s <local ip class> -d <ip class behind vpn server> -j SNAT --to <router ip on vpn interface>
iptables -I FORWARD -s <local ip class> -d <ip class behind vpn server> -j ACCEPT

Something like this:

# source-NAT the LAN -> office packets leaving tun0 to the router's tunnel address
iptables -t nat -I POSTROUTING -o tun0 -s 192.168.1.0/24 -d 192.168.2.0/24 -j SNAT --to 10.4.1.2
# accept the LAN -> office packets in the FORWARD chain
iptables -I FORWARD -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT

Maybe this'll help somebody else too... good luck!
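The following is an added example that is not part of the thread; it pulls Alex's three steps (IP forwarding, default gateway, FORWARD rule) and netstorm's SNAT fix together into one script and adds the two things a practitioner would want alongside them. First, the most likely reason the bare FORWARD rule "didn't work": the office side has no route back to 192.168.1.0/24, so replies never return; SNAT to the router's tunnel address (`--to-source` is the long form of the `--to` used above) makes replies go to 10.4.1.2, which the OpenVPN server already knows how to reach. The alternative is a `route`/`iroute` for the LAN on the server side, in which case the SNAT rule can be dropped. Second, the thread's `-s/-d`-only ACCEPT matches packets arriving on any interface, including a spoofed-source packet from the WAN, so the rule below is bound to `-i br-lan -o tun0`, and a RELATED,ESTABLISHED rule lets replies back without opening the tunnel side to new connections. Interface names, subnets and the tunnel address are the ones quoted in the thread and are assumptions; nothing is applied unless you pass `apply` as root.

```shell
#!/bin/sh
# Added example (not from the thread): build, and optionally apply, the netfilter
# rules an OpenVPN client router needs so hosts on its LAN can reach the office LAN.
# All five defaults below are assumptions taken from the thread; override via env.

LAN_IF="${LAN_IF:-br-lan}"                  # bridge the LAN clients sit on
TUN_IF="${TUN_IF:-tun0}"                    # OpenVPN tunnel interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"        # subnet behind this router
REMOTE_NET="${REMOTE_NET:-192.168.2.0/24}"  # subnet behind the VPN server
TUN_IP="${TUN_IP:-10.4.1.2}"                # this router's address on the tunnel

# vpn_rules LAN_IF TUN_IF LAN_NET REMOTE_NET TUN_IP
# Prints the commands one per line and executes nothing.  Returns 1 if either
# subnet is not written as a CIDR prefix, since "-s 192.168.1.0" would silently
# match a single host.  Each command uses -I, so the last one printed ends up
# first in its chain; all that matters is that they sit above the default drop.
vpn_rules() {
    lan_if=$1; tun_if=$2; lan_net=$3; remote_net=$4; tun_ip=$5
    for net in "$lan_net" "$remote_net"; do
        case $net in
            */*) ;;
            *) echo "vpn_rules: '$net' is not a CIDR prefix (e.g. 192.168.1.0/24)" >&2; return 1 ;;
        esac
    done
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -i $lan_if -o $tun_if -s $lan_net -d $remote_net -j ACCEPT
iptables -t nat -I POSTROUTING -o $tun_if -s $lan_net -d $remote_net -j SNAT --to-source $tun_ip
EOF
}
# Rule 1: without forwarding the kernel drops transit packets before netfilter FORWARD sees them.
# Rule 2: office -> LAN replies ride the existing conntrack entry; no new inbound flows allowed.
# Rule 3: only new flows entering on the LAN bridge and leaving on the tunnel, for these subnets.
# Rule 4: rewrite the source so the office side, which only has a route to the tunnel
#         address, can answer.  Drop it if the server pushes a route for LAN_NET instead.

# rule_count: number of commands vpn_rules would emit for the current settings.
rule_count() {
    vpn_rules "$LAN_IF" "$TUN_IF" "$LAN_NET" "$REMOTE_NET" "$TUN_IP" | wc -l | tr -d ' '
}

# apply_rules: run the generated commands.  Refuses to run as non-root because a
# half-applied rule set is worse than none.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must run as root" >&2
        return 1
    fi
    vpn_rules "$LAN_IF" "$TUN_IF" "$LAN_NET" "$REMOTE_NET" "$TUN_IP" | sh -e
}

# Usage: ./vpn-forward.sh          -> print the rules (dry run)
#        ./vpn-forward.sh apply    -> apply them (root only)
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    vpn_rules "$LAN_IF" "$TUN_IF" "$LAN_NET" "$REMOTE_NET" "$TUN_IP"
fi
```

Run it once without arguments and check the printed rules against `iptables -L FORWARD -v -n` and `iptables -t nat -L POSTROUTING -v -n` after applying; the packet counters on the SNAT rule climbing while a LAN host pings the office is the quickest confirmation that traffic is taking the intended path. If the default gateway on the LAN hosts is not this router (Alex's step 2), none of these rules are ever hit.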

The discussion might have continued from here.