
Topic: 2 openwrt routers and openvpn tap


Need some help with my current setup.

I have one router running OpenVPN as a tap server; this router has a LAN address of 192.168.1.1, and OpenVPN relies on the LAN's DHCP server to hand out 192.168.1.x addresses to OpenVPN clients.

The second router runs OpenVPN as a tap client and uses a 192.168.1.x address on its tap interface, assigned by router 1. This router also has its own LAN address of 192.168.2.1 and uses DHCP to hand out IPs to its own LAN clients.

The tunnel between the two routers is up, and I can browse router 1 and its 192.168.1.x LAN both from the OpenVPN client router itself and from devices on the 192.168.2.x LAN.

BUT I cannot browse anything on the client LAN from router 1 (the OpenVPN server). I know this is because the client LAN uses 192.168.2.x and that subnet is not routed towards the OpenVPN server. How can I achieve this?


https://preview.ibb.co/mj1w27/EIm4K.png

Openvpn Server (Lan1)

Network

# Router 1 ("Openvpn Server", LAN 192.168.1.0/24) - /etc/config/network as posted.
# The OpenVPN tap devices are members of the LAN bridge, so VPN clients sit at
# layer 2 on the same segment as the wired/wireless LAN and obtain their
# 192.168.1.x lease from this router's DHCP server.
config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd32:6dd8:7370::/48'

# LAN bridge: switch VLAN 1 (eth0.1), both radios (ra0, rai0) and the two OpenVPN
# tap devices. Because tap0/tap1 are bridged rather than routed, traffic between
# VPN clients and LAN hosts stays inside the bridge and does not pass the
# firewall's forward chain (unless bridge netfilter is enabled, which this
# post does not show).
config interface 'lan'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    # MAC looks like a placeholder/redaction in the post.
    option macaddr '00:00:00:00:00:01'
    option ip6assign '64'
    option ifname 'eth0.1 ra0 rai0 tap0 tap1'

# WAN on switch VLAN 2 over PPPoE; the credentials are masked in the post.
config interface 'wan'
    option ifname 'eth0.2'
    option macaddr '00:00:00:00:00:02'
    option proto 'pppoe'
    option username '****************'
    option password '****************'
    option ipv6 '1'

config interface 'wan6'
    option ifname '@wan'
    option proto 'dhcpv6'

# proto 'none' only registers the tap devices with netifd; addressing comes from
# the bridge they belong to above. Only the UDP instance (tap0) has an openvpn
# section in this post; tap1 is declared here but its TCP server is not shown.
config interface 'Home_VPN_TAP_UDP'
    option proto 'none'
    option ifname 'tap0'
    option auto '1'

config interface 'Home_VPN_TAP_TCP'
    option proto 'none'
    option ifname 'tap1'
    option auto '1'

# Switch: ports 0-3 are LAN (VLAN 1), port 4 is WAN (VLAN 2); 5t/6t are tagged
# in both VLANs (presumably the CPU-facing ports).
config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0 1 2 3 5t 6t'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '4 5t 6t'

Firewall

# Router 1 ("Openvpn Server") - /etc/config/firewall as posted.
config include
    option path '/etc/firewall.user'

# Global defaults: the router accepts and originates freely; forwarding between
# zones is denied unless a zone or a 'forwarding' section allows it.
config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'DROP'
    option syn_flood '1'
    option drop_invalid '1'

# Input rule for the OpenVPN listen port. 'src *' matches every zone, so this
# is what lets the remote router reach the server over WAN. It opens both tcp
# and udp although only a UDP instance is shown. 99999 is outside the valid
# port range (1-65535) and matches the redacted value in both openvpn sections,
# so treat it as a placeholder rather than the real port.
config rule
    option target 'ACCEPT'
    option family 'ipv4'
    option proto 'tcp udp'
    option src '*'
    option dest_port '99999'
    option name 'Allow Forwarded VPN TAP Request -> <device>'

# The LAN zone also owns the tap0 logical interface, consistent with tap0 being
# bridged into 'lan'. 'masq 1' on a LAN zone is unusual: traffic forwarded into
# this zone from another zone gets SNAT'd to 192.168.1.1. Bridged VPN<->LAN
# traffic is not forwarded, so it is not affected by this.
config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'DROP'
    option masq '1'
    option network 'lan Home_VPN_TAP_UDP'

# WAN zone: no unsolicited input except what the rule above permits.
config zone
    option name 'wan'
    option network 'wan wan6'
    option input 'DROP'
    option output 'ACCEPT'
    option forward 'DROP'
    option masq '1'
    option mtu_fix '1'

# NOTE(review): the two forwardings that name 'Home_VPN_TAP' refer to a zone this
# file does not define (the tap network lives in 'lan'); fw3 presumably warns and
# ignores them. Either they are leftovers or the zone was omitted from the post.
config forwarding
    option dest 'Home_VPN_TAP'
    option src 'lan'

# The only forwarding that is certainly in effect: LAN (including tap0) -> WAN.
config forwarding
    option dest 'wan'
    option src 'lan'

config forwarding
    option dest 'lan'
    option src 'Home_VPN_TAP'

# miniupnpd hook: lets devices in the LAN zone open WAN ports on request. As tap0
# is part of 'lan', VPN clients get the same ability; worth remembering when
# judging what the VPN exposes.
config include 'miniupnpd'
    option type 'script'
    option path '/usr/share/miniupnpd/firewall.include'
    option family 'any'
    option reload '1'

Openvpn Config

# Router 1 ("Openvpn Server") - /etc/config/openvpn as posted: a layer-2 (tap)
# server over UDP whose tap0 is bridged into 'lan' in /etc/config/network.
config openvpn 'Home_VPN_TAP_UDP'
    option dev 'tap0'
    option proto 'udp'
    # Port is redacted (99999 is not a valid port); the client's 'remote' uses
    # the same placeholder.
    option port '99999'
    option mode 'server'
    # Only clients that have a file in the CCD directory are admitted.
    option ccd_exclusive '1'
    option client_config_dir '/etc/openvpn/ccd/Home_VPN_TAP/'
    # Pushed to clients: use this router for DNS, send all traffic through the
    # tunnel (def1), and learn the tunnel gateway from the DHCP lease obtained
    # over the tap. Nothing is pushed about 192.168.2.0/24, and this router has
    # no route to it either - which is the problem described in the post.
    list push 'dhcp-option    DNS 192.168.1.1'
    list push 'redirect-gateway   def1'
    list push 'route-gateway      dhcp'
    list push 'sndbuf 393216'
    list push 'rcvbuf 393216'
    # PKI: 4096-bit DH params, CA, server cert/key. 'tls_auth ... 0' is the key
    # direction; the client uses '1'.
    option dh '/etc/openvpn/keys/Home_VPN_TAP/dh4096.pem'
    option ca '/etc/openvpn/keys/Home_VPN_TAP/ca.crt'
    option cert '/etc/openvpn/keys/Home_VPN_TAP/Server.crt'
    option key '/etc/openvpn/keys/Home_VPN_TAP/Server.key'
    # Data channel AES-256-CBC with SHA512 HMAC; control channel pinned to
    # TLS 1.2 and a single ECDHE/AES-GCM suite (the client lists the same one).
    option cipher 'AES-256-CBC'
    option auth 'SHA512'
    option tls_auth '/etc/openvpn/keys/Home_VPN_TAP/ta.key 0'
    option tls_server '1'
    option tls_version_min '1.2'
    option tls_cipher 'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384'
    # verb 5 is very chatty; on a router /var/log is usually RAM-backed, so the
    # appended log grows until reboot.
    option log '/var/log/Home_VPN_TAP_UDP.log'
    option log_append '/var/log/Home_VPN_TAP_UDP.log'
    option status '/var/log/Home_VPN_TAP_UDP.status 5'
    option verb '5'
    option keepalive '10 120'
    # NOTE(review): compression inside the tunnel is discouraged by upstream
    # because it can leak plaintext through compression side channels; both ends
    # of this tunnel enable it.
    option comp_lzo 'yes'
    # With tap0 bridged into the LAN, inter-client traffic passes through the
    # bridge anyway; this flag is largely redundant here.
    option client_to_client '1'
    # Privileges drop to nobody/nogroup after startup; persist_key/persist_tun
    # let a SIGUSR1 restart reuse the key and tap device without root.
    option persist_key '1'
    option persist_tun '1'
    option sndbuf '393216'
    option rcvbuf '393216'
    option user 'nobody'
    option group 'nogroup'
    # Accept packets from a peer whose source address/port has changed.
    option float '1'
    option fast_io '1'
    option enabled '1'

Openvpn Client (Lan2)

Network

# Router 2 ("Openvpn Client", LAN 192.168.2.0/24) - /etc/config/network as posted.
config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd0e:b1e3:926a::/48'

# VDSL line settings (PTM transfer mode, annex B).
config dsl 'dsl'
    option xfer_mode 'ptm'
    option line_mode 'vdsl'
    option annex 'b'

# LAN bridge on switch VLAN 1; 192.168.2.0/24 is the subnet router 1 cannot reach.
config interface 'lan'
    option type 'bridge'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option ipaddr '192.168.2.1'
    option ifname 'eth0.1'

# WAN: DHCP on VLAN 101 over the DSL PTM device, MTU lowered to 1432.
config interface 'wan'
    option proto 'dhcp'
    option ifname 'ptm0.101'
    option mtu '1432'

# Client end of the tunnel: tap0 obtains a 192.168.1.x lease from router 1's DHCP
# server across the bridged tap. The fixed macaddr keeps that lease stable and is
# what a static lease on router 1 would key on (see the reply in this thread).
# NOTE(review): router 1 also pushes 'redirect-gateway def1', so both OpenVPN
# and netifd's DHCP client may try to install a default route via tap0 -
# verify with `ip route` once the tunnel is up.
config interface 'Home_VPN_TAP_UDP'
    option ifname 'tap0'
    option proto 'dhcp'
    option hostname 'BTHH5-Lede'
    option macaddr '00:aa:11:bb:22:cc'

# The two devices below share one MAC; presumably a placeholder/redaction
# in the post rather than the real configuration.
config device 'lan_dev'
    option name 'eth0.1'
    option macaddr '00:00:00:00:00:01'

config device 'wan_dev'
    option name 'ptm0.101'
    option macaddr '00:00:00:00:00:01'

# Switch: ports 0,1,2,4 are LAN (VLAN 1); VLAN 2 (port 5) is not referenced by
# any interface above, since WAN runs over ptm0.101. 6t is tagged in both VLANs.
config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0 1 2 4 6t'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '5 6t'

config interface 'wan6'
    option proto 'dhcpv6'
    option ifname '@wan'
    option reqaddress 'try'
    option reqprefix 'auto'

Firewall

# Router 2 ("Openvpn Client") - /etc/config/firewall as posted.
config include
    option path '/etc/firewall.user'

# Global defaults: router accepts/originates freely, inter-zone forwarding is
# denied unless allowed below.
config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'DROP'
    option syn_flood '1'
    option drop_invalid '1'

# LAN zone with 'masq 1': traffic forwarded from the VPN into 192.168.2.0/24 is
# SNAT'd to 192.168.2.1, so LAN2 hosts see the router, not the 192.168.1.x sender.
config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'DROP'
    option masq '1'
    option network 'lan'

# VPN zone for tap0. 'masq 1' rewrites 192.168.2.x sources to router 2's own
# tap address (192.168.1.x) before they enter the tunnel; that is why the client
# LAN can reach LAN1 without LAN1 knowing about 192.168.2.0/24, and why the
# reverse direction needs a route on router 1. If LAN1 should see the real
# 192.168.2.x sources, masq can be turned off here once that route exists.
# 'input ACCEPT' lets every host on LAN1 (and any other VPN client) reach
# router 2's own services - acceptable for a trusted home LAN, worth knowing
# otherwise. 'Home_VPN_TAP_TCP' is listed but not defined in the network
# config shown, so only tap0 is actually in this zone.
config zone
    option name 'Home_VPN_TAP'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option masq '1'
    option network 'Home_VPN_TAP_TCP Home_VPN_TAP_UDP'

# WAN zone: no unsolicited input.
config zone
    option name 'wan'
    option network 'wan wan6'
    option input 'DROP'
    option output 'ACCEPT'
    option forward 'DROP'
    option masq '1'
    option mtu_fix '1'

# lan <-> VPN in both directions, plus lan -> wan.
config forwarding
    option dest 'Home_VPN_TAP'
    option src 'lan'

config forwarding
    option dest 'wan'
    option src 'lan'

config forwarding
    option dest 'lan'
    option src 'Home_VPN_TAP'

Openvpn Config

# Router 2 ("Openvpn Client") - /etc/config/openvpn as posted: tap client of
# router 1's UDP instance.
config openvpn 'Home_VPN_TAP_UDP'
    option dev 'tap0'
    # 'topology' only applies to tun devices; it has no effect on a tap client.
    option topology 'subnet'
    option proto 'udp'
    # Server address and port are redacted (1.2.3.4 / 99999 match the server's
    # placeholder port).
    option remote '1.2.3.4 99999'
    # Client PKI; 'tls_auth ... 1' is the key direction paired with the
    # server's '0'.
    option ca '/etc/openvpn/keys/ca.crt'
    option cert '/etc/openvpn/keys/client.crt'
    option key '/etc/openvpn/keys/client.key'
    # Crypto mirrors the server section (AES-256-CBC/SHA512, TLS 1.2, one suite).
    # NOTE(review): nothing here checks that the peer presents a *server*
    # certificate; 'option remote_cert_tls 'server'' is the usual addition so a
    # client certificate issued by the same CA cannot be used to impersonate the
    # server.
    option cipher 'AES-256-CBC'
    option auth 'SHA512'
    option tls_auth '/etc/openvpn/keys/ta.key 1'
    option tls_version_min '1.2'
    option tls_cipher 'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384'
    # verb 5 is very chatty; /var/log on a router is usually RAM-backed.
    option log '/var/log/Home_VPN_TAP_UDP.log'
    option log_append '/var/log/Home_VPN_TAP_UDP.log'
    option status '/var/log/Home_VPN_TAP_UDP.status 5'
    option verb '5'
    option keepalive '10 120'
    # Must match the server. NOTE(review): tunnel compression is discouraged by
    # upstream because it can leak plaintext through compression side channels.
    option comp_lzo 'yes'
    # Privileges drop to nobody/nogroup after startup; persist_key/persist_tun
    # let a SIGUSR1 restart reuse the key and tap device without root.
    option persist_key '1'
    option persist_tun '1'
    option sndbuf '393216'
    option rcvbuf '393216'
    option user 'nobody'
    option group 'nogroup'
    # Accept packets from a peer whose address/port changed; mainly meaningful
    # on the server side, harmless here.
    option float '1'
    option fast_io '1'
    # 'client' already implies 'pull'; both are set explicitly.
    option client '1'
    option pull '1'
    # Do not cache auth-user-pass credentials in memory (none are configured in
    # this post, so this is inert).
    option auth_nocache '1'
    option tls_client '1'
    option enabled '1'

You need to add a static DHCP lease for the OpenVPN client's tap interface, or, maybe even better, give it a static IP address instead of DHCP, so that its 192.168.1.x address does not change.

Then, on the router running the DHCP server (router 1), configure a static route to 192.168.2.0/255.255.255.0 with that 192.168.1.x address (the client router's tap address) as the gateway.
