Topic: [Solved]Need help with access to openvpn client network, vpn site2site

The content of this topic has been archived on 13 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Page 1 of 1

Post #1

tcm1003

14 Oct 2017, 12:58

Hey guys,

I need help with an openvpn site to site connection between two networks via two openwrt router (TP-Link WR1043N/NDv4). The connection works and the vpn client site reach hosts on vpn server site, but the other direction is a worry to me.

I used this setup guide in openwrt wiki (wiki.openwrt.org/doc/howto/vpn.openvpn).
I used uci / luci, because this vpn isn't for me and I think via gui it's easier to support if I'm not available.
Besides the guide I changed some interface settings to match with my test networks and added some openvpn options via luci.

Summary:
vpn client network = 192.168.0.0/24
vpn server network = 192.168.23.0/24
vpn client: reach vpn server, reach vpn server network, reach own network
vpn client network: see above* (test before router moved in another test network, so... should be?)
vpn server: reach vpn client, reach own network, reach [color=FF0000]NOT[/color] vpn client network
vpn server network: reach vpn server, reach vpn client, reach [color=FF0000]NOT[/color] vpn client network

tracer from vpn server network to vpn client network:

tracert to 192.168.0.1 # internet router of vpn client network
  1    <1 ms    <1 ms    <1 ms  fritz.box [192.168.23.1] # internet router of vpn server network
  2     1 ms    <1 ms    <1 ms  vpnserver[192.168.23.10]
  3     *        *        *     Zeitüberschreitung der Anforderung.
  4     *        *        *     Zeitüberschreitung der Anforderung.
[...] # this goes on until hop 30

Below my config files + "route -n" of both sites. If it's to difficult to read I can offer txt-files on my webspace, but as long as links are not allowed here I try it this way:

Config files:
vpnserver# /etc/config/network:

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd3c:40cb:d011::/48'

config interface 'lan'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option _orig_ifname 'eth0.1 radio0.network1'
    option _orig_bridge 'true'
    option ifname 'eth0.1'

config interface 'wan'
    option ifname 'eth0.2'
    option proto 'dhcp'

config interface 'wan6'
    option ifname 'eth0.2'
    option proto 'dhcpv6'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option vid '1'
    option ports '0t 1 2 3'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '0t 5'
    option vid '2'

config interface 'vpn0'
    option ifname 'tun0'
    option proto 'none'
    option auto '1'

config switch_vlan
    option device 'switch0'
    option vlan '3'
    option vid '3'
    option ports '0t 4'

config interface 'Gate23'
    option proto 'dhcp'
    option ifname 'eth0.3'
    option delegate '0'

config route
    option interface 'vpn0'
    option target '192.168.0.0'
    option netmask '255.255.255.0'
    option gateway '10.8.0.2'
    option metric '0'
    option mtu '1500'

vpnserver# /etc/config/firewall:

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan Gate23'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'wan wan6'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

config rule
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config rule 'Allow_OpenVPN_Inbound'
    option target 'ACCEPT'
    option src '*'
    option proto 'udp'
    option dest_port '9001'

config zone 'vpn'
    option name 'vpn'
    option network 'vpn0'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option masq '1'
    option forward 'ACCEPT'

config forwarding 'vpn_forwarding_lan_in'
    option src 'vpn'
    option dest 'lan'

config forwarding 'vpn_forwarding_lan_out'
    option src 'lan'
    option dest 'vpn'

vpnserver# /etc/config/openvpn:

config openvpn 'vpnbridge'
    option enabled '1'
    option verb '3'
    option port '9001'
    option dev 'tun'
    option server '10.8.0.0 255.255.255.0'
    option keepalive '10 120'
    option topology 'subnet'
    option ifconfig '10.8.0.1 255.255.255.0'
    option ca '/etc/openvpn/vpnbridge/ca.crt'
    option cert '/etc/openvpn/vpnbridge/vpnbridge-nbz.crt'
    option key '/etc/openvpn/vpnbridge/vpnbridge-nbz.key'
    option dh '/etc/openvpn/vpnbridge/dh2048.pem'
    option log '/etc/openvpn/vpnbridge/openvpn.log'
    list push 'route-gateway 10.8.0.1'
    list push 'route 192.168.23.0 255.255.255.0'
    option client_to_client '1'
    option client_config_dir '/etc/openvpn/vpnbridge/staticclients'
    option ifconfig_pool '10.8.0.2 10.8.0.4 255.255.255.0'

vpnserver# route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.23.1    0.0.0.0         UG    0      0        0 eth0.3
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.0.0     10.8.0.2        255.255.255.0   UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.23.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0.3
192.168.23.1    0.0.0.0         255.255.255.255 UH    0      0        0 eth0.3

vpnclient# /etc/config/network:

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd94:0782:5d60::/48'

config interface 'lan'
    option type 'bridge'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option _orig_ifname 'eth0.1 wlan0'
    option _orig_bridge 'true'
    option ifname 'eth0.1'
    option ipaddr '192.168.0.50'
    option gateway '192.168.0.1'
    option broadcast '192.168.0.254'
    option dns '8.8.8.8'
    option delegate '0'

config interface 'wan'
    option ifname 'eth0.2'
    option proto 'dhcp'

config interface 'wan6'
    option ifname 'eth0.2'
    option proto 'dhcpv6'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '1 2 3 4 0t'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '5 0t'

config interface 'vpn0'
    option ifname 'tun0'
    option proto 'none'
    option auto '1'

config interface 'wlan'
    option proto 'static'
    option ipaddr '192.168.21.1'
    option netmask '255.255.255.0'
    option auto '0'

vpnclient# /etc/config/firewall:

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'wan wan6'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

config rule
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config zone 'vpn'
    option name 'vpn'
    option network 'vpn0'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option masq '1'

config forwarding 'vpn_forwarding_lan_in'
    option src 'vpn'
    option dest 'lan'

config forwarding 'vpn_forwarding_lan_out'
    option src 'lan'
    option dest 'vpn'

vpnclient# /etc/config/openvpn:

config openvpn 'vpnbridge'
    option enabled '1'
    option dev 'tun'
    option proto 'udp'
    option verb '3'
    option ca '/etc/openvpn/vpnbridge/ca.crt'
    option cert '/etc/openvpn/vpnbridge/vpnbridge-nat.crt'
    option key '/etc/openvpn/vpnbridge/vpnbridge-nat.key'
    option log '/etc/openvpn/vpnbridge/openvpn.log'
    option client '1'
    option remote_cert_tls 'server'
    list remote '$domain$ 9001'

vpnclient# route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 br-lan
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.23.0    10.8.0.1        255.255.255.0   UG    0      0        0 tun0

###

If someone have a solution or just a tip to test something, I will be grateful.

(Last edited by tcm1003 on 21 Oct 2017, 18:58)

Post #2

ulmwind

14 Oct 2017, 19:00

Ok, let's be more concrete.
Output of

ifconfig

both from server and client?
Is 10.8.0.2 IP of tun0 of client?
On server I can see 3 networks: 0,1,23. What are they? 1 is for wan?
Run traceroute to 192.168.0.1 on server.

(Last edited by ulmwind on 14 Oct 2017, 19:04)

Post #3

tcm1003

14 Oct 2017, 19:58

Hello,

first to your questions, after that the output of ifconfig and traceroute.

1) like you will see, 10.8.0.2 is ip of tun0 (vpn interface) of vpn client, so: yes
2) network 23 is my home network where the vpnserver router is placed at the moment with ip 23.10.
network 0 is network of vpnclient and shouldn't be in direct contact with vpnserver.
network 1 is on one hand an old configuration from initial installation. I started with both routers in my 23 network over wan port and separated networks 1 and 2 with laptops. Later router vpnclient went to a friend (network 0) and vpnserver was configured as vpn gateway only in network 23. I didn't want to reconfigure wan port (inclusive wan zone of firewall etc), so I reconfigured one LAN port to a static address (network 23) and LAN port 2 to 4 holds as backup network 1 with dhcp, both in zone lan of firewall. (If I have to disconnect the router from my 23 network I just have to connect me to LAN 2/3/4 and have access to the router. Or wlan on the same interface).
(hope my text is understandable, english is not my native language)

WAN unused,
LAN 1 in network 23,
LAN 2/3/4 & WLAN in network 1 with dhcp.

Note: The router shall be placed beside other routers to the internet as second gateway (into vpn) and will not connect two real networks like lan and wan.

vpnclient# ifconfig

br-lan    Link encap:Ethernet  HWaddr 18:D6:C7:51:51:CC
          inet addr:192.168.0.50  Bcast:192.168.0.254  Mask:255.255.255.0
          inet6 addr: fd94:782:5d60::1/60 Scope:Global
          inet6 addr: fe80::1ad6:c7ff:fe51:51cc/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:69242 errors:0 dropped:0 overruns:0 frame:0
          TX packets:44049 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6895341 (6.5 MiB)  TX bytes:8557397 (8.1 MiB)

eth0      Link encap:Ethernet  HWaddr 18:D6:C7:51:51:CC
          inet6 addr: fe80::1ad6:c7ff:fe51:51cc/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:122681 errors:0 dropped:0 overruns:0 frame:0
          TX packets:76834 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:29010511 (27.6 MiB)  TX bytes:19691287 (18.7 MiB)
          Interrupt:4

eth0.1    Link encap:Ethernet  HWaddr 18:D6:C7:51:51:CC
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:122672 errors:0 dropped:0 overruns:0 frame:0
          TX packets:45005 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:26798159 (25.5 MiB)  TX bytes:8639573 (8.2 MiB)

eth0.2    Link encap:Ethernet  HWaddr 18:D6:C7:51:51:CC
          inet6 addr: fe80::1ad6:c7ff:fe51:51cc/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:31815 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:10743030 (10.2 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:2164 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2164 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:229949 (224.5 KiB)  TX bytes:229949 (224.5 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.2  P-t-P:10.8.0.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:7182 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8052 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:761238 (743.3 KiB)  TX bytes:2377193 (2.2 MiB)

vpnserver# ifconfig

br-lan    Link encap:Ethernet  HWaddr D4:6E:0E:F5:C1:C6
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::d66e:eff:fef5:c1c6/64 Scope:Link
          inet6 addr: fd3c:40cb:d011::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4667 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:407666 (398.1 KiB)

eth0      Link encap:Ethernet  HWaddr D4:6E:0E:F5:C1:C6
          inet6 addr: fe80::d66e:eff:fef5:c1c6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:81566 errors:0 dropped:0 overruns:0 frame:0
          TX packets:79830 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:17891674 (17.0 MiB)  TX bytes:22444932 (21.4 MiB)
          Interrupt:4

eth0.1    Link encap:Ethernet  HWaddr D4:6E:0E:F5:C1:C6
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1608 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:114232 (111.5 KiB)

eth0.2    Link encap:Ethernet  HWaddr D4:6E:0E:F5:C1:C6
          inet6 addr: fe80::d66e:eff:fef5:c1c6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32473 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:10964161 (10.4 MiB)

eth0.3    Link encap:Ethernet  HWaddr D4:6E:0E:F5:C1:C6
          inet addr:192.168.23.10  Bcast:192.168.23.255  Mask:255.255.255.0
          inet6 addr: fe80::d66e:eff:fef5:c1c6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:81566 errors:0 dropped:226 overruns:0 frame:0
          TX packets:45736 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:16423486 (15.6 MiB)  TX bytes:11045965 (10.5 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:18 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:1509 (1.4 KiB)  TX bytes:1509 (1.4 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:13904 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12416 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:5075636 (4.8 MiB)  TX bytes:1180160 (1.1 MiB)

vpnserver# traceroute 192.168.0.1

traceroute to 192.168.0.1 (192.168.0.1), 30 hops max, 38 byte packets
 1  *  *  *
 2  *  *  *
 3  *  *  *
[...] # until 30 hops

(Last edited by tcm1003 on 15 Oct 2017, 00:05)

Post #4

ulmwind

14 Oct 2017, 23:27

You've specified both outputs as vpnclient, please, correct. I suppose, first is client, second is server. I suppose, you've configured port forwarding on main router, connected to ISP.
Run traceroute to 192.168.0.50 on server.

Post #5

tcm1003

15 Oct 2017, 00:09

Oops, I'm very sorry. I corrected the post above. But you were right with your interpretation.
The new traceroute gives the same output like before to .0.1

vpnserver# traceroute 192.168.0.50

traceroute to 192.168.0.50 (192.168.0.50), 30 hops max, 38 byte packets
 1  *  *  *
 2  *  *  *
 3  *  *  *
[...]

Post #6

ulmwind

15 Oct 2017, 10:54

It is interesting.
Try to traceroute 10.8.0.2, ping 10.8.0.2 from server.

Post #7

tcm1003

15 Oct 2017, 18:03

Hey,
I'm sorry to say that I'm not at home until tuesday, but I can tell you my results from previous tests.

vpnserver and vpnclient have full and direct contact to each other. ping and traceroute works fine without limits.
Access from 23 network to vpnclient works fine, too.
I can access vpnclient via ssh and luci (h-t-t-p / h-t-t-p-s [url filter of this forum is stupid]) from my windows notebook and my ping/tracert went over my fritzbox (192.168.23.1) to vpnserver (192.168.23.10/10.8.0.1) and vpnclient (10.8.0.2). And I can access vpnclient (10.8.0.2) via ssh from vpnserver shell.

If you want the CLI output, I'll write it asap on tuesday.

---

I found an openwrt wiki article about network configuration.
wiki.openwrt.org/doc/uci/network#ipv4_routes
In last paragraph before ipv6 routes there's an interesting note about gateways.

It seems that on openwrt 12.09 if a route is defined using a gateway in an address space where a gateway is already defined, it will be not added. Like the lan has the gateway 192.168.1.1 and we want to go to 1.2.3.4 over the gateway 192.168.1.5 within the interface lan, it will not be added.

I use a openwrt trunk version / designated driver, but I don't think it's that different to stable chaos calmer - and I don't know if this "bug" exists in recent version.
But route -n shows the correct route, so... I don't know, just a thought.

I like to think, it's something in forwarding between vpn and lan zone of firewall of vpnclient, but I don't know...

Just a thought - I don't believe it, but... - the main router of 192.168.0.0/24 should not block anything shouldnt it? Like rule 'block everything external' because of block wan, but packets from vpn are blocked, too? Don't know.

Post #8

ulmwind

16 Oct 2017, 19:31

Now we are exploring connectivity from vpnserver to network behind vpnclient, so it doesn't matter. OK, asap check following from vpnserver:
traceroute 10.8.0.2, ping 10.8.0.2
traceroute 192.168.0.50, ping 192.168.0.50
It is interesting, why the latter doesn't work, because there is route on vpnserver:

192.168.0.0     10.8.0.2        255.255.255.0   UG    0      0        0 tun0

Post #9

tcm1003

17 Oct 2017, 19:37

vpnserver# ping 10.8.0.2

PING 10.8.0.2 (10.8.0.2): 56 data bytes
64 bytes from 10.8.0.2: seq=0 ttl=64 time=79.925 ms
64 bytes from 10.8.0.2: seq=1 ttl=64 time=80.368 ms
64 bytes from 10.8.0.2: seq=2 ttl=64 time=83.944 ms
64 bytes from 10.8.0.2: seq=3 ttl=64 time=88.410 ms
^C

vpnserver# traceroute 10.8.0.2

traceroute to 10.8.0.2 (10.8.0.2), 30 hops max, 38 byte packets
 1  10.8.0.2 (10.8.0.2)  49.970 ms  50.326 ms  53.254 ms

vpnserver# ping 192.168.0.50

PING 192.168.0.50 (192.168.0.50): 56 data bytes
^C
--- 192.168.0.50 ping statistics ---
738 packets transmitted, 0 packets received, 100% packet loss

(I canceled the command after a few minutes...)

vpnserver# traceroute 192.168.0.50

traceroute to 192.168.0.50 (192.168.0.50), 30 hops max, 38 byte packets
 1  *  *  *
 2  *  *  *
 3  *  *  *
 4  *  *  *
 5  *  *  *
 6  *  *  *
 7  *  *  *
 8  *  *  *
 9  *  *  *
10  *  *  *
11  *  *  *
12  *  *  *
13  *  *  *
14  *  *  *
15  *  *  *
16  *  *  *
17  *  *  *
18  *  *  *
19  *  *  *
20  *  *  *
21  *  *  *
22  *  *  *
23  *  *  *
24  *  *  *
25  *  *  *
26  *  *  *
27  *  *  *
28  *  *  *
29  *  *  *
30  *  *  *

Post #10

ulmwind

18 Oct 2017, 09:55

It is interesting, because it has route to 192.168.0.X
Please, provide output of

route -n

ip route show table all

from vpnserver.

(Last edited by ulmwind on 18 Oct 2017, 09:55)

Post #11

tcm1003

18 Oct 2017, 11:38

vpnserver# route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.23.1    0.0.0.0         UG    0      0        0 eth0.3
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.0.0     10.8.0.2        255.255.255.0   UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.23.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0.3
192.168.23.1    0.0.0.0         255.255.255.255 UH    0      0        0 eth0.3

vpnserver# ip route show table all

default via 192.168.23.1 dev eth0.3  src 192.168.23.10
10.8.0.0/24 dev tun0  src 10.8.0.1
192.168.0.0/24 via 10.8.0.2 dev tun0
192.168.1.0/24 dev br-lan  src 192.168.1.1
192.168.23.0/24 dev eth0.3  src 192.168.23.10
192.168.23.1 dev eth0.3  src 192.168.23.10
broadcast 10.8.0.0 dev tun0  src 10.8.0.1
local 10.8.0.1 dev tun0  src 10.8.0.1
broadcast 10.8.0.255 dev tun0  src 10.8.0.1
broadcast 127.0.0.0 dev lo  src 127.0.0.1
local 127.0.0.0/8 dev lo  src 127.0.0.1
local 127.0.0.1 dev lo  src 127.0.0.1
broadcast 127.255.255.255 dev lo  src 127.0.0.1
broadcast 192.168.1.0 dev br-lan  src 192.168.1.1
local 192.168.1.1 dev br-lan  src 192.168.1.1
broadcast 192.168.1.255 dev br-lan  src 192.168.1.1
broadcast 192.168.23.0 dev eth0.3  src 192.168.23.10
local 192.168.23.10 dev eth0.3  src 192.168.23.10
broadcast 192.168.23.255 dev eth0.3  src 192.168.23.10
fd3c:40cb:d011::/64 dev br-lan  metric 1024
unreachable fd3c:40cb:d011::/48 dev lo  metric 2147483647  error -148
fe80::/64 dev eth0  metric 256
fe80::/64 dev eth0.2  metric 256
fe80::/64 dev eth0.3  metric 256
fe80::/64 dev br-lan  metric 256
unreachable default dev lo  metric -1  error -128
local ::1 dev lo  metric 0
local fd3c:40cb:d011:: dev lo  metric 0
local fd3c:40cb:d011::1 dev lo  metric 0
local fe80:: dev lo  metric 0
local fe80:: dev lo  metric 0
local fe80:: dev lo  metric 0
local fe80:: dev lo  metric 0
local fe80::d66e:eff:fef5:c1c6 dev lo  metric 0
local fe80::d66e:eff:fef5:c1c6 dev lo  metric 0
local fe80::d66e:eff:fef5:c1c6 dev lo  metric 0
local fe80::d66e:eff:fef5:c1c6 dev lo  metric 0
ff00::/8 dev br-lan  metric 256
ff00::/8 dev eth0  metric 256
ff00::/8 dev eth0.2  metric 256
ff00::/8 dev eth0.3  metric 256
unreachable default dev lo  metric -1  error -128

Post #12

ulmwind

18 Oct 2017, 12:33

I've found the answer: https://serverfault.com/questions/82783 … ind-server
System route doesn't suffice, openvpn iroute should be used.

(Last edited by ulmwind on 18 Oct 2017, 12:33)

Post #13

tcm1003

19 Oct 2017, 22:20

Oh, thx, didn't find that on my search. Perhaps wrong query.

After some changes I could ping/traceroute 192.168.0.50, but no other hosts in 0 network.
But this could be of a wrong routing in .0.1 - i have to check this.

I remembered that I wanted to activate NAT/masquerading for vpn. I checked this and now it's working.
If the corrected routing is working too I will check whether I use this or masquerading.

Thanks a lot for your help.

(Would it be helpful to post my edited configurations for archive, if somebody is searching for a similiar problem?)

The discussion might have continued from here.

Page 1 of 1