OpenWRT: Routing between LAN and OpenVPN
So, this is the current situation:
There is an OpenVPN server on the internet, and there is an OpenWRT router at my place.
The router is connected to the VPN as a client.
I want the router to behave just as usual, but with additional routing between the VPN and the LAN.
I successfully pinged between the two VPN addresses. Then I added a route on the VPN server for 192.168.1.0/24 via 10.8.0.2 (the VPN IP address of my local router), but I am not able to ping 192.168.1.1, the other network address of my router...
The whole thing clearly looks like a routing issue which I am not able to solve...
/etc/config/network:
# /etc/config/network as posted in the question. Options are unchanged;
# the comments only describe what each section declares.

# Loopback interface with the usual 127.0.0.1/8 address.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# LAN: bridge over VLAN 1 (eth0.1) with the static address 192.168.1.1/24.
# The firewall zone 'lan' refers to this interface by name.
config interface 'lan'
option ifname 'eth0.1'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.1.1'
# WAN: VLAN 2 (eth0.2), address obtained via DHCP.
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
# Switch setup: VLANs enabled on eth0.
config switch
option name 'eth0'
option reset '1'
option enable_vlan '1'
# VLAN 1 carries ports 2-5; port 0 is tagged ('0t').
# Presumably port 0 is the CPU port - confirm for this hardware.
config switch_vlan
option device 'eth0'
option vlan '1'
option ports '0t 2 3 4 5'
# VLAN 2 carries port 1, again with port 0 tagged.
config switch_vlan
option device 'eth0'
option vlan '2'
option ports '0t 1'
# Logical interface 'vpn' bound to tun0 with proto 'none': netifd does not
# configure addresses on it, it only gives the tunnel device a name that the
# firewall zone 'vpn' can reference.
config interface 'vpn'
option proto 'none'
option ifname 'tun0'
/etc/config/firewall:
# /etc/config/firewall as posted in the question. Options are unchanged;
# the comments are review notes on what each section permits.

# Global defaults. input is ACCEPT here; the wan zone further down sets its
# own input policy to REJECT.
# NOTE(review): presumably these defaults apply to traffic that matches no
# zone - confirm, and consider REJECT for input if so.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# lan zone: hosts on the 'lan' network may reach the router itself.
config zone
option name 'lan'
option network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# wan zone: input rejected, masquerading (masq) and MSS clamping (mtu_fix) on.
# 'wwan' is listed here but is not defined in the /etc/config/network shown
# in the question.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wwan'
# vpn zone, bound to the 'vpn' interface (tun0 in /etc/config/network).
# input ACCEPT lets every peer that reaches the router through the tunnel
# connect to services on the router itself, the same as a LAN host.
# NOTE(review): appropriate only if all VPN peers are trusted to that degree.
config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option network 'vpn'
option forward 'REJECT'
# NOTE(review): this section repeats the 'wan' zone above option for option
# (also pointed out in an answer on this page). Zone names should be unique.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wwan'
# NOTE(review): this section repeats the 'vpn' zone above option for option.
config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option network 'vpn'
option forward 'REJECT'
# Inter-zone forwardings. lan -> wan is the usual internet access.
config forwarding
option src 'lan'
option dest 'wan'
# vpn -> lan: anything arriving through the tunnel may be forwarded to any
# LAN host on any port. Narrow this with explicit rules if only specific
# hosts or services should be reachable from the VPN.
config forwarding
option dest 'lan'
option src 'vpn'
# lan -> vpn: LAN hosts may send traffic into the tunnel.
config forwarding
option dest 'vpn'
option src 'lan'
# DHCP replies from the WAN side to the router's DHCP client (UDP port 68).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# The router answers IPv4 echo requests arriving on wan.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
# DHCPv6 between link-local addresses (server port 547 -> client port 546).
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 types accepted on the router itself from wan, rate-limited.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 types forwarded from wan to any zone (dest '*'), rate-limited.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Unnamed rule: accepts UDP port 1194 from wan to the router itself (no dest
# is given).
# NOTE(review): the question says this router connects to the VPN as a
# client. An inbound accept on 1194 is presumably only needed when the router
# runs an OpenVPN server - confirm, and remove the rule if it is unused.
config rule
option target 'ACCEPT'
option dest_port '1194'
option src 'wan'
option proto 'udp'
option family 'ipv4'
# Pulls in custom rules from /etc/firewall.user; that file's contents are not
# shown in the question.
config include
option path '/etc/firewall.user'
Output of route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default stdw-wh-84-0.st 0.0.0.0 UG 0 0 0 eth0.2
10.8.0.0 * 255.255.255.0 U 0 0 0 tun0
192.168.1.0 * 255.255.255.0 U 0 0 0 br-lan
212.201.84.0 * 255.255.254.0 U 0 0 0 eth0.2
Output of ifconfig -a
br-lan Link encap:Ethernet HWaddr 64:66:B3:C6:FC:82
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:534 errors:0 dropped:8 overruns:0 frame:0
TX packets:458 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:97412 (95.1 KiB) TX bytes:105023 (102.5 KiB)
eth0 Link encap:Ethernet HWaddr 64:66:B3:C6:FC:82
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1495490 errors:0 dropped:13 overruns:0 frame:0
TX packets:259329 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:500056893 (476.8 MiB) TX bytes:220075895 (209.8 MiB)
Interrupt:4
eth0.1 Link encap:Ethernet HWaddr 64:66:B3:C6:FC:82
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:407 errors:0 dropped:0 overruns:0 frame:0
TX packets:353 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:77176 (75.3 KiB) TX bytes:81768 (79.8 KiB)
eth0.2 Link encap:Ethernet HWaddr 64:66:B3:C6:FC:82
inet addr:x.x.x.x Bcast:x.x.x.255 Mask:255.255.254.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3090 errors:0 dropped:1098 overruns:0 frame:0
TX packets:527 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:419453 (409.6 KiB) TX bytes:104348 (101.9 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:26 errors:0 dropped:0 overruns:0 frame:0
TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2549 (2.4 KiB) TX bytes:2549 (2.4 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.2 P-t-P:10.8.0.2 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
wlan0 Link encap:Ethernet HWaddr 64:66:B3:C6:FC:83
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:130 errors:0 dropped:0 overruns:0 frame:0
TX packets:131 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:22234 (21.7 KiB) TX bytes:28345 (27.6 KiB)
wlan1 Link encap:Ethernet HWaddr 64:66:B3:C6:FC:84
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:0 (0.0 B) TX bytes:620 (620.0 B)
Part of output of ip route
on the VPN server (attached VPN route, manually added route to my LAN):
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
192.168.1.0/24 via 10.8.0.2 dev tun0
I have absolutely no clue about iptables, so this is the best I can do.
networking router vpn openvpn openwrt
So, this is the current situation:
There is an OpenVPN server on the internet, and there is an OpenWRT router at my place.
The router is connected to the VPN as a client.
I want the router to behave just as usual, but with additional routing between the VPN and the LAN.
I successfully pinged between the two VPN addresses. Then I added a route on the VPN server for 192.168.1.0/24 via 10.8.0.2 (the VPN IP address of my local router), but I am not able to ping 192.168.1.1, the other network address of my router...
The whole thing clearly looks like a routing issue which I am not able to solve...
/etc/config/network:
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config interface 'lan'
option ifname 'eth0.1'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.1.1'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
config switch
option name 'eth0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'eth0'
option vlan '1'
option ports '0t 2 3 4 5'
config switch_vlan
option device 'eth0'
option vlan '2'
option ports '0t 1'
config interface 'vpn'
option proto 'none'
option ifname 'tun0'
/etc/config/firewall:
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wwan'
config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option network 'vpn'
option forward 'REJECT'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wwan'
config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option network 'vpn'
option forward 'REJECT'
config forwarding
option src 'lan'
option dest 'wan'
config forwarding
option dest 'lan'
option src 'vpn'
config forwarding
option dest 'vpn'
option src 'lan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option target 'ACCEPT'
option dest_port '1194'
option src 'wan'
option proto 'udp'
option family 'ipv4'
config include
option path '/etc/firewall.user'
Output of route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default stdw-wh-84-0.st 0.0.0.0 UG 0 0 0 eth0.2
10.8.0.0 * 255.255.255.0 U 0 0 0 tun0
192.168.1.0 * 255.255.255.0 U 0 0 0 br-lan
212.201.84.0 * 255.255.254.0 U 0 0 0 eth0.2
Output of ifconfig -a
br-lan Link encap:Ethernet HWaddr 64:66:B3:C6:FC:82
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:534 errors:0 dropped:8 overruns:0 frame:0
TX packets:458 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:97412 (95.1 KiB) TX bytes:105023 (102.5 KiB)
eth0 Link encap:Ethernet HWaddr 64:66:B3:C6:FC:82
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1495490 errors:0 dropped:13 overruns:0 frame:0
TX packets:259329 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:500056893 (476.8 MiB) TX bytes:220075895 (209.8 MiB)
Interrupt:4
eth0.1 Link encap:Ethernet HWaddr 64:66:B3:C6:FC:82
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:407 errors:0 dropped:0 overruns:0 frame:0
TX packets:353 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:77176 (75.3 KiB) TX bytes:81768 (79.8 KiB)
eth0.2 Link encap:Ethernet HWaddr 64:66:B3:C6:FC:82
inet addr:x.x.x.x Bcast:x.x.x.255 Mask:255.255.254.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3090 errors:0 dropped:1098 overruns:0 frame:0
TX packets:527 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:419453 (409.6 KiB) TX bytes:104348 (101.9 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:26 errors:0 dropped:0 overruns:0 frame:0
TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2549 (2.4 KiB) TX bytes:2549 (2.4 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.2 P-t-P:10.8.0.2 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
wlan0 Link encap:Ethernet HWaddr 64:66:B3:C6:FC:83
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:130 errors:0 dropped:0 overruns:0 frame:0
TX packets:131 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:22234 (21.7 KiB) TX bytes:28345 (27.6 KiB)
wlan1 Link encap:Ethernet HWaddr 64:66:B3:C6:FC:84
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:0 (0.0 B) TX bytes:620 (620.0 B)
Part of output of ip route
on the VPN server (attached VPN route, manually added route to my LAN):
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
192.168.1.0/24 via 10.8.0.2 dev tun0
I have absolutely no clue about iptables, so this is the best I can do.
networking router vpn openvpn openwrt
you left out the routing table and the output of ifconfig -a
– MariusMatutiae
Dec 10 '13 at 19:31
Added the outputs of route and ifconfig -a
– WolleTD
Dec 10 '13 at 21:14
So, this is the current situation:
There is an OpenVPN server on the internet, and there is an OpenWRT router at my place.
The router is connected to the VPN as a client.
I want the router to behave just as usual, but with additional routing between the VPN and the LAN.
I successfully pinged between the two VPN addresses. Then I added a route on the VPN server for 192.168.1.0/24 via 10.8.0.2 (the VPN IP address of my local router), but I am not able to ping 192.168.1.1, the other network address of my router...
The whole thing clearly looks like a routing issue which I am not able to solve...
/etc/config/network:
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config interface 'lan'
option ifname 'eth0.1'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.1.1'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
config switch
option name 'eth0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'eth0'
option vlan '1'
option ports '0t 2 3 4 5'
config switch_vlan
option device 'eth0'
option vlan '2'
option ports '0t 1'
config interface 'vpn'
option proto 'none'
option ifname 'tun0'
/etc/config/firewall:
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wwan'
config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option network 'vpn'
option forward 'REJECT'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wwan'
config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option network 'vpn'
option forward 'REJECT'
config forwarding
option src 'lan'
option dest 'wan'
config forwarding
option dest 'lan'
option src 'vpn'
config forwarding
option dest 'vpn'
option src 'lan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option target 'ACCEPT'
option dest_port '1194'
option src 'wan'
option proto 'udp'
option family 'ipv4'
config include
option path '/etc/firewall.user'
Output of route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default stdw-wh-84-0.st 0.0.0.0 UG 0 0 0 eth0.2
10.8.0.0 * 255.255.255.0 U 0 0 0 tun0
192.168.1.0 * 255.255.255.0 U 0 0 0 br-lan
212.201.84.0 * 255.255.254.0 U 0 0 0 eth0.2
Output of ifconfig -a
br-lan Link encap:Ethernet HWaddr 64:66:B3:C6:FC:82
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:534 errors:0 dropped:8 overruns:0 frame:0
TX packets:458 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:97412 (95.1 KiB) TX bytes:105023 (102.5 KiB)
eth0 Link encap:Ethernet HWaddr 64:66:B3:C6:FC:82
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1495490 errors:0 dropped:13 overruns:0 frame:0
TX packets:259329 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:500056893 (476.8 MiB) TX bytes:220075895 (209.8 MiB)
Interrupt:4
eth0.1 Link encap:Ethernet HWaddr 64:66:B3:C6:FC:82
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:407 errors:0 dropped:0 overruns:0 frame:0
TX packets:353 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:77176 (75.3 KiB) TX bytes:81768 (79.8 KiB)
eth0.2 Link encap:Ethernet HWaddr 64:66:B3:C6:FC:82
inet addr:x.x.x.x Bcast:x.x.x.255 Mask:255.255.254.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3090 errors:0 dropped:1098 overruns:0 frame:0
TX packets:527 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:419453 (409.6 KiB) TX bytes:104348 (101.9 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:26 errors:0 dropped:0 overruns:0 frame:0
TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2549 (2.4 KiB) TX bytes:2549 (2.4 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.2 P-t-P:10.8.0.2 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
wlan0 Link encap:Ethernet HWaddr 64:66:B3:C6:FC:83
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:130 errors:0 dropped:0 overruns:0 frame:0
TX packets:131 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:22234 (21.7 KiB) TX bytes:28345 (27.6 KiB)
wlan1 Link encap:Ethernet HWaddr 64:66:B3:C6:FC:84
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:0 (0.0 B) TX bytes:620 (620.0 B)
Part of output of ip route
on the VPN server (attached VPN route, manually added route to my LAN):
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
192.168.1.0/24 via 10.8.0.2 dev tun0
I have absolutely no clue about iptables, so this is the best I can do.
networking router vpn openvpn openwrt
So, this is the current situation:
There is an OpenVPN server on the internet, and there is an OpenWRT router at my place.
The router is connected to the VPN as a client.
I want the router to behave just as usual, but with additional routing between the VPN and the LAN.
I successfully pinged between the two VPN addresses. Then I added a route on the VPN server for 192.168.1.0/24 via 10.8.0.2 (the VPN IP address of my local router), but I am not able to ping 192.168.1.1, the other network address of my router...
The whole thing clearly looks like a routing issue which I am not able to solve...
/etc/config/network:
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config interface 'lan'
option ifname 'eth0.1'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.1.1'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
config switch
option name 'eth0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'eth0'
option vlan '1'
option ports '0t 2 3 4 5'
config switch_vlan
option device 'eth0'
option vlan '2'
option ports '0t 1'
config interface 'vpn'
option proto 'none'
option ifname 'tun0'
/etc/config/firewall:
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wwan'
config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option network 'vpn'
option forward 'REJECT'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wwan'
config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option network 'vpn'
option forward 'REJECT'
config forwarding
option src 'lan'
option dest 'wan'
config forwarding
option dest 'lan'
option src 'vpn'
config forwarding
option dest 'vpn'
option src 'lan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option target 'ACCEPT'
option dest_port '1194'
option src 'wan'
option proto 'udp'
option family 'ipv4'
config include
option path '/etc/firewall.user'
Output of route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default stdw-wh-84-0.st 0.0.0.0 UG 0 0 0 eth0.2
10.8.0.0 * 255.255.255.0 U 0 0 0 tun0
192.168.1.0 * 255.255.255.0 U 0 0 0 br-lan
212.201.84.0 * 255.255.254.0 U 0 0 0 eth0.2
Output of ifconfig -a
br-lan Link encap:Ethernet HWaddr 64:66:B3:C6:FC:82
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:534 errors:0 dropped:8 overruns:0 frame:0
TX packets:458 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:97412 (95.1 KiB) TX bytes:105023 (102.5 KiB)
eth0 Link encap:Ethernet HWaddr 64:66:B3:C6:FC:82
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1495490 errors:0 dropped:13 overruns:0 frame:0
TX packets:259329 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:500056893 (476.8 MiB) TX bytes:220075895 (209.8 MiB)
Interrupt:4
eth0.1 Link encap:Ethernet HWaddr 64:66:B3:C6:FC:82
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:407 errors:0 dropped:0 overruns:0 frame:0
TX packets:353 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:77176 (75.3 KiB) TX bytes:81768 (79.8 KiB)
eth0.2 Link encap:Ethernet HWaddr 64:66:B3:C6:FC:82
inet addr:x.x.x.x Bcast:x.x.x.255 Mask:255.255.254.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3090 errors:0 dropped:1098 overruns:0 frame:0
TX packets:527 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:419453 (409.6 KiB) TX bytes:104348 (101.9 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:26 errors:0 dropped:0 overruns:0 frame:0
TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2549 (2.4 KiB) TX bytes:2549 (2.4 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.2 P-t-P:10.8.0.2 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
wlan0 Link encap:Ethernet HWaddr 64:66:B3:C6:FC:83
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:130 errors:0 dropped:0 overruns:0 frame:0
TX packets:131 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:22234 (21.7 KiB) TX bytes:28345 (27.6 KiB)
wlan1 Link encap:Ethernet HWaddr 64:66:B3:C6:FC:84
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:0 (0.0 B) TX bytes:620 (620.0 B)
Part of output of ip route
on the VPN server (attached VPN route, manually added route to my LAN):
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
192.168.1.0/24 via 10.8.0.2 dev tun0
I have absolutely no clue about iptables, so this is the best I can do.
networking router vpn openvpn openwrt
networking router vpn openvpn openwrt
edited Dec 10 '13 at 21:13
asked Dec 10 '13 at 18:14
WolleTD
you left out the routing table and the output of ifconfig -a
– MariusMatutiae
Dec 10 '13 at 19:31
Added the outputs of route and ifconfig -a
– WolleTD
Dec 10 '13 at 21:14
you left out the routing table and the output of ifconfig -a
– MariusMatutiae
Dec 10 '13 at 19:31
Added the outputs of route and ifconfig -a
– WolleTD
Dec 10 '13 at 21:14
you left out the routing table and the output of ifconfig -a
– MariusMatutiae
Dec 10 '13 at 19:31
you left out the routing table and the output of ifconfig -a
– MariusMatutiae
Dec 10 '13 at 19:31
Added the outputs of route and ifconfig -a
– WolleTD
Dec 10 '13 at 21:14
Added the outputs of route and ifconfig -a
– WolleTD
Dec 10 '13 at 21:14
2 Answers
I ran into this issue myself. So far, I've only gotten it to the point where I can ping VPN machines from the LAN. I did this with a configuration similar to yours, except that I set the VPN zone's Forward to ACCEPT instead of REJECT.
Setting the LAN zone's Forward to ACCEPT doesn't change anything for me.
As a side note, you have two wan zones in your config file which are exactly the same.
It could be a number of things, all very simple to solve...
Most likely, it's a two-fold firewall issue: one part within OpenWRT and one part in the end device's firewall. Either you pasted sections twice, or your firewall config is misconfigured: not only are there two wan zones (mentioned above), there are also two vpn zones (while you can run multiple servers and clients from the same config file, each must have its own unique zone name).
On OpenWRT, you must allow traffic to pass from VPN to LAN and from LAN to VPN. A firewall rule must also be used, along with the forwarding you set up under the LAN and VPN zones, to redirect traffic. I'd recommend taking a look at OpenVPN's HOWTO page.
Firewall Traffic and Redirect Rules Required
# Firewall rules proposed in this answer, with review notes. Every rule uses
# src '*', which matches any source zone (wan included), so each one applies
# more widely than the vpn zone defined in the question's config.

# Input rule (no dest): accepts TCP and UDP port 1194 on the router itself
# from every zone. The question's existing rule is UDP-only and limited to
# src 'wan'.
# NOTE(review): only needed where the router itself accepts OpenVPN
# connections; the question describes the router as a client.
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '1194'
option family 'ipv4'
option src '*'
option name 'Allow Inbound VPN0'
# Forward rule (src '*' and dest '*'): lets TCP/UDP traffic to port 1194 be
# forwarded between any pair of zones, including from wan towards lan.
# NOTE(review): restrict src and dest to the zones that actually need this.
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option src '*'
option dest '*'
option dest_port '1194'
option family 'ipv4'
option name 'Allow Forwarded VPN0'
# Input rule keyed on addresses only: any TCP/UDP port, source 10.8.0.0/24,
# destination 192.168.1.0/24, accepted from every zone.
# NOTE(review): with src '*' the VPN is identified by source address alone,
# so a packet with such a source address matches whichever interface it
# arrives on. src 'vpn' would tie the match to the tunnel interface.
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option family 'ipv4'
option src '*'
option src_ip '10.8.0.0/24' #-or whatever netmask you utilized-#
option dest_ip '192.168.1.0/24'
option name 'Allow Inbound VPN0 Traffic to LAN'
# Forward variant of the rule above: all TCP/UDP ports from 10.8.0.0/24 to
# 192.168.1.0/24, between any zones. The question's config already has a
# 'forwarding' section from vpn to lan covering the tunnel interface.
# NOTE(review): prefer src 'vpn' and dest 'lan' over '*' for the same reason
# as above.
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option family 'ipv4'
option src '*'
option src_ip '10.8.0.0/24' #-or whatever netmask you utilized-#
option dest '*'
option dest_ip '192.168.1.0/24'
option name 'Allow Forwarded VPN0 Traffic to LAN'
# Forward rule: ICMP echo-request from 10.8.0.0/24 towards the wan zone,
# accepted from any source zone.
config rule
option target 'ACCEPT'
option family 'ipv4'
option proto 'icmp'
option src '*'
option src_ip '10.8.0.0/24' #-or whatever netmask you utilized-#
option dest 'wan'
option name 'Allow Outbound ICMP Echo Request (8)'
list icmp_type 'echo-request'
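I'd recommend changing the subnet for your VPN to something other than 10.8.0.0/netmask, as 10.8.0.0 covers 10.8.0.0 - 10.8.255.255 (that range applies with a /16 mask; the routing tables in the question show it used as a /24).
You should also change the port to something other than 1194, in combination with choosing a different server subnet that is higher up (e.g. 10.25.100.1), as keeping defaults is doing half the job for a cyber intruder. Note that a non-default port or subnet only cuts down on automated scans; the actual protection comes from the VPN's authentication and from firewall rules scoped to the vpn zone.
The port number should be higher than 1025 (as <1025 are privileged ports), but lower than 10000.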
2 Answers
I ran into this issue myself. So far, I've only gotten it so I can ping VPN machines from LAN. I did this by using a similar configuration to you except I set the VPN zone's Forward to ACCEPT instead of REJECT.
Setting the LAN zone's Forward to ACCEPT doesn't change anything for me.
As a side note, you have two wan zones in your config file which are exactly the same.
I ran into this issue myself. So far, I've only gotten it so I can ping VPN machines from LAN. I did this by using a similar configuration to you except I set the VPN zone's Forward to ACCEPT instead of REJECT.
Setting the LAN zone's Forward to ACCEPT doesn't change anything for me.
As a side note, you have two wan zones in your config file which are exactly the same.
I ran into this issue myself. So far, I've only gotten it so I can ping VPN machines from LAN. I did this by using a similar configuration to you except I set the VPN zone's Forward to ACCEPT instead of REJECT.
Setting the LAN zone's Forward to ACCEPT doesn't change anything for me.
As a side note, you have two wan zones in your config file which are exactly the same.
I ran into this issue myself. So far, I've only gotten it so I can ping VPN machines from LAN. I did this by using a similar configuration to you except I set the VPN zone's Forward to ACCEPT instead of REJECT.
Setting the LAN zone's Forward to ACCEPT doesn't change anything for me.
As a side note, you have two wan zones in your config file which are exactly the same.
answered Jul 13 '14 at 9:08
Sawtaytoes
It could be a number of things, all very simple to solve...
Most likely, it's a two fold firewall issue within OpenWRT and the end device's firewall... either you copied and pasted doubles, or your firewall config is improperly configured as not only are there two WANs (mentioned above), there's two VPNs (while you can run multiple servers and clients from the same config file, each must have their own unique zone name)
On OpenWRT, you must allow traffic to pass from VPN to LAN and LAN to VPN... a firewall rule must also be utilized along with the forwarding you set up under the LAN and VPN zones to redirect traffic. I'd recommend taking a look at OpenVPN's HOWTO page
Firewall Traffic and Redirect Rules Required
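# Zone names 'vpn', 'lan' and 'wan' below are the ones defined in the
# question's /etc/config/firewall; substitute your own if they differ.
# Change from the posted rules: the three rules that match on the VPN subnet
# now name the 'vpn' zone (and 'lan' as destination) instead of '*', so the
# match no longer rests on the source address alone.

config rule
	# No 'dest' zone, so this is an input rule: it accepts connections to
	# port 1194 on the router itself, from every zone.
	# NOTE(review): only an OpenVPN server running on this router needs it; a
	# router that is a VPN client (as in the question) only connects outbound.
	# If kept, narrow 'src' to the zone clients arrive on and 'proto' to the
	# one protocol the server listens on.
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '1194'
	option family 'ipv4'
	option src '*'
	option name 'Allow Inbound VPN0'

config rule
	# Forward rule: accepts port-1194 traffic between any two zones.
	# NOTE(review): only useful when the OpenVPN server sits behind this
	# router; otherwise drop it, or name the two zones explicitly.
	option target 'ACCEPT'
	option proto 'tcp udp'
	option src '*'
	option dest '*'
	option dest_port '1194'
	option family 'ipv4'
	option name 'Allow Forwarded VPN0'

config rule
	# Input rule (no 'dest' zone): VPN peers may reach services on the router's
	# own LAN address (192.168.1.1 in the question).
	# 10.8.0.0/24 -- or whatever subnet/netmask you utilized.
	option target 'ACCEPT'
	option proto 'tcp udp'
	option family 'ipv4'
	# was '*': a 10.8.0.x source address is only expected on the tunnel, so a
	# packet claiming it on another interface is no longer accepted
	option src 'vpn'
	option src_ip '10.8.0.0/24'
	option dest_ip '192.168.1.0/24'
	option name 'Allow Inbound VPN0 Traffic to LAN'

config rule
	# Forward rule: VPN peers may reach hosts on the LAN subnet.
	# 10.8.0.0/24 -- or whatever subnet/netmask you utilized.
	option target 'ACCEPT'
	option proto 'tcp udp'
	option family 'ipv4'
	# was '*' / '*': limited to the vpn -> lan direction the rule name describes
	option src 'vpn'
	option src_ip '10.8.0.0/24'
	option dest 'lan'
	option dest_ip '192.168.1.0/24'
	option name 'Allow Forwarded VPN0 Traffic to LAN'

config rule
	# Forward rule: VPN peers may send ICMP echo requests (ping) out via WAN.
	# 10.8.0.0/24 -- or whatever subnet/netmask you utilized.
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'icmp'
	# was '*'
	option src 'vpn'
	option src_ip '10.8.0.0/24'
	option dest 'wan'
	option name 'Allow Outbound ICMP Echo Request (8)'
	list icmp_type 'echo-request'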
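I'd recommend changing the subnet for your VPN to something other than 10.8.0.0/netmask, as 10.8.0.0 covers 10.8.0.0 - 10.8.255.255 (that range is for a /16 netmask; the /24 used in the rules above covers only 10.8.0.0 - 10.8.0.255).
You should also change the port to something other than 1194, in combination with choosing a different server subnet that is higher up (e.g. 10.25.100.1), as keeping defaults is doing half the job for a cyber intruder. Moving the port and subnet only cuts down on automated scans and on address clashes with other VPNs; access control still rests on the OpenVPN certificates and keys (plus a tls-auth or tls-crypt key, which lets the server discard unauthenticated packets) and on firewall rules that name the VPN zone rather than every zone.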
The port number should be higher than 1025 (as <1025 are privileged ports), but lower than 10000.
It could be a number of things, all very simple to solve...
Most likely, it's a two fold firewall issue within OpenWRT and the end device's firewall... either you copied and pasted doubles, or your firewall config is improperly configured as not only are there two WANs (mentioned above), there's two VPNs (while you can run multiple servers and clients from the same config file, each must have their own unique zone name)
On OpenWRT, you must allow traffic to pass from VPN to LAN and LAN to VPN... a firewall rule must also be utilized along with the forwarding you set up under the LAN and VPN zones to redirect traffic. I'd recommend taking a look at OpenVPN's HOWTO page
Firewall Traffic and Redirect Rules Required
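# Zone names 'vpn', 'lan' and 'wan' below are the ones defined in the
# question's /etc/config/firewall; substitute your own if they differ.
# Change from the posted rules: the three rules that match on the VPN subnet
# now name the 'vpn' zone (and 'lan' as destination) instead of '*', so the
# match no longer rests on the source address alone.

config rule
	# No 'dest' zone, so this is an input rule: it accepts connections to
	# port 1194 on the router itself, from every zone.
	# NOTE(review): only an OpenVPN server running on this router needs it; a
	# router that is a VPN client (as in the question) only connects outbound.
	# If kept, narrow 'src' to the zone clients arrive on and 'proto' to the
	# one protocol the server listens on.
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '1194'
	option family 'ipv4'
	option src '*'
	option name 'Allow Inbound VPN0'

config rule
	# Forward rule: accepts port-1194 traffic between any two zones.
	# NOTE(review): only useful when the OpenVPN server sits behind this
	# router; otherwise drop it, or name the two zones explicitly.
	option target 'ACCEPT'
	option proto 'tcp udp'
	option src '*'
	option dest '*'
	option dest_port '1194'
	option family 'ipv4'
	option name 'Allow Forwarded VPN0'

config rule
	# Input rule (no 'dest' zone): VPN peers may reach services on the router's
	# own LAN address (192.168.1.1 in the question).
	# 10.8.0.0/24 -- or whatever subnet/netmask you utilized.
	option target 'ACCEPT'
	option proto 'tcp udp'
	option family 'ipv4'
	# was '*': a 10.8.0.x source address is only expected on the tunnel, so a
	# packet claiming it on another interface is no longer accepted
	option src 'vpn'
	option src_ip '10.8.0.0/24'
	option dest_ip '192.168.1.0/24'
	option name 'Allow Inbound VPN0 Traffic to LAN'

config rule
	# Forward rule: VPN peers may reach hosts on the LAN subnet.
	# 10.8.0.0/24 -- or whatever subnet/netmask you utilized.
	option target 'ACCEPT'
	option proto 'tcp udp'
	option family 'ipv4'
	# was '*' / '*': limited to the vpn -> lan direction the rule name describes
	option src 'vpn'
	option src_ip '10.8.0.0/24'
	option dest 'lan'
	option dest_ip '192.168.1.0/24'
	option name 'Allow Forwarded VPN0 Traffic to LAN'

config rule
	# Forward rule: VPN peers may send ICMP echo requests (ping) out via WAN.
	# 10.8.0.0/24 -- or whatever subnet/netmask you utilized.
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'icmp'
	# was '*'
	option src 'vpn'
	option src_ip '10.8.0.0/24'
	option dest 'wan'
	option name 'Allow Outbound ICMP Echo Request (8)'
	list icmp_type 'echo-request'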
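I'd recommend changing the subnet for your VPN to something other than 10.8.0.0/netmask, as 10.8.0.0 covers 10.8.0.0 - 10.8.255.255 (that range is for a /16 netmask; the /24 used in the rules above covers only 10.8.0.0 - 10.8.0.255).
You should also change the port to something other than 1194, in combination with choosing a different server subnet that is higher up (e.g. 10.25.100.1), as keeping defaults is doing half the job for a cyber intruder. Moving the port and subnet only cuts down on automated scans and on address clashes with other VPNs; access control still rests on the OpenVPN certificates and keys (plus a tls-auth or tls-crypt key, which lets the server discard unauthenticated packets) and on firewall rules that name the VPN zone rather than every zone.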
The port number should be higher than 1025 (as <1025 are privileged ports), but lower than 10000.
It could be a number of things, all very simple to solve...
Most likely, it's a two fold firewall issue within OpenWRT and the end device's firewall... either you copied and pasted doubles, or your firewall config is improperly configured as not only are there two WANs (mentioned above), there's two VPNs (while you can run multiple servers and clients from the same config file, each must have their own unique zone name)
On OpenWRT, you must allow traffic to pass from VPN to LAN and LAN to VPN... a firewall rule must also be utilized along with the forwarding you set up under the LAN and VPN zones to redirect traffic. I'd recommend taking a look at OpenVPN's HOWTO page
Firewall Traffic and Redirect Rules Required
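# Zone names 'vpn', 'lan' and 'wan' below are the ones defined in the
# question's /etc/config/firewall; substitute your own if they differ.
# Change from the posted rules: the three rules that match on the VPN subnet
# now name the 'vpn' zone (and 'lan' as destination) instead of '*', so the
# match no longer rests on the source address alone.

config rule
	# No 'dest' zone, so this is an input rule: it accepts connections to
	# port 1194 on the router itself, from every zone.
	# NOTE(review): only an OpenVPN server running on this router needs it; a
	# router that is a VPN client (as in the question) only connects outbound.
	# If kept, narrow 'src' to the zone clients arrive on and 'proto' to the
	# one protocol the server listens on.
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '1194'
	option family 'ipv4'
	option src '*'
	option name 'Allow Inbound VPN0'

config rule
	# Forward rule: accepts port-1194 traffic between any two zones.
	# NOTE(review): only useful when the OpenVPN server sits behind this
	# router; otherwise drop it, or name the two zones explicitly.
	option target 'ACCEPT'
	option proto 'tcp udp'
	option src '*'
	option dest '*'
	option dest_port '1194'
	option family 'ipv4'
	option name 'Allow Forwarded VPN0'

config rule
	# Input rule (no 'dest' zone): VPN peers may reach services on the router's
	# own LAN address (192.168.1.1 in the question).
	# 10.8.0.0/24 -- or whatever subnet/netmask you utilized.
	option target 'ACCEPT'
	option proto 'tcp udp'
	option family 'ipv4'
	# was '*': a 10.8.0.x source address is only expected on the tunnel, so a
	# packet claiming it on another interface is no longer accepted
	option src 'vpn'
	option src_ip '10.8.0.0/24'
	option dest_ip '192.168.1.0/24'
	option name 'Allow Inbound VPN0 Traffic to LAN'

config rule
	# Forward rule: VPN peers may reach hosts on the LAN subnet.
	# 10.8.0.0/24 -- or whatever subnet/netmask you utilized.
	option target 'ACCEPT'
	option proto 'tcp udp'
	option family 'ipv4'
	# was '*' / '*': limited to the vpn -> lan direction the rule name describes
	option src 'vpn'
	option src_ip '10.8.0.0/24'
	option dest 'lan'
	option dest_ip '192.168.1.0/24'
	option name 'Allow Forwarded VPN0 Traffic to LAN'

config rule
	# Forward rule: VPN peers may send ICMP echo requests (ping) out via WAN.
	# 10.8.0.0/24 -- or whatever subnet/netmask you utilized.
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'icmp'
	# was '*'
	option src 'vpn'
	option src_ip '10.8.0.0/24'
	option dest 'wan'
	option name 'Allow Outbound ICMP Echo Request (8)'
	list icmp_type 'echo-request'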
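I'd recommend changing the subnet for your VPN to something other than 10.8.0.0/netmask, as 10.8.0.0 covers 10.8.0.0 - 10.8.255.255 (that range is for a /16 netmask; the /24 used in the rules above covers only 10.8.0.0 - 10.8.0.255).
You should also change the port to something other than 1194, in combination with choosing a different server subnet that is higher up (e.g. 10.25.100.1), as keeping defaults is doing half the job for a cyber intruder. Moving the port and subnet only cuts down on automated scans and on address clashes with other VPNs; access control still rests on the OpenVPN certificates and keys (plus a tls-auth or tls-crypt key, which lets the server discard unauthenticated packets) and on firewall rules that name the VPN zone rather than every zone.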
The port number should be higher than 1025 (as <1025 are privileged ports), but lower than 10000.
It could be a number of things, all very simple to solve...
Most likely, it's a two fold firewall issue within OpenWRT and the end device's firewall... either you copied and pasted doubles, or your firewall config is improperly configured as not only are there two WANs (mentioned above), there's two VPNs (while you can run multiple servers and clients from the same config file, each must have their own unique zone name)
On OpenWRT, you must allow traffic to pass from VPN to LAN and LAN to VPN... a firewall rule must also be utilized along with the forwarding you set up under the LAN and VPN zones to redirect traffic. I'd recommend taking a look at OpenVPN's HOWTO page
Firewall Traffic and Redirect Rules Required
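# Zone names 'vpn', 'lan' and 'wan' below are the ones defined in the
# question's /etc/config/firewall; substitute your own if they differ.
# Change from the posted rules: the three rules that match on the VPN subnet
# now name the 'vpn' zone (and 'lan' as destination) instead of '*', so the
# match no longer rests on the source address alone.

config rule
	# No 'dest' zone, so this is an input rule: it accepts connections to
	# port 1194 on the router itself, from every zone.
	# NOTE(review): only an OpenVPN server running on this router needs it; a
	# router that is a VPN client (as in the question) only connects outbound.
	# If kept, narrow 'src' to the zone clients arrive on and 'proto' to the
	# one protocol the server listens on.
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '1194'
	option family 'ipv4'
	option src '*'
	option name 'Allow Inbound VPN0'

config rule
	# Forward rule: accepts port-1194 traffic between any two zones.
	# NOTE(review): only useful when the OpenVPN server sits behind this
	# router; otherwise drop it, or name the two zones explicitly.
	option target 'ACCEPT'
	option proto 'tcp udp'
	option src '*'
	option dest '*'
	option dest_port '1194'
	option family 'ipv4'
	option name 'Allow Forwarded VPN0'

config rule
	# Input rule (no 'dest' zone): VPN peers may reach services on the router's
	# own LAN address (192.168.1.1 in the question).
	# 10.8.0.0/24 -- or whatever subnet/netmask you utilized.
	option target 'ACCEPT'
	option proto 'tcp udp'
	option family 'ipv4'
	# was '*': a 10.8.0.x source address is only expected on the tunnel, so a
	# packet claiming it on another interface is no longer accepted
	option src 'vpn'
	option src_ip '10.8.0.0/24'
	option dest_ip '192.168.1.0/24'
	option name 'Allow Inbound VPN0 Traffic to LAN'

config rule
	# Forward rule: VPN peers may reach hosts on the LAN subnet.
	# 10.8.0.0/24 -- or whatever subnet/netmask you utilized.
	option target 'ACCEPT'
	option proto 'tcp udp'
	option family 'ipv4'
	# was '*' / '*': limited to the vpn -> lan direction the rule name describes
	option src 'vpn'
	option src_ip '10.8.0.0/24'
	option dest 'lan'
	option dest_ip '192.168.1.0/24'
	option name 'Allow Forwarded VPN0 Traffic to LAN'

config rule
	# Forward rule: VPN peers may send ICMP echo requests (ping) out via WAN.
	# 10.8.0.0/24 -- or whatever subnet/netmask you utilized.
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'icmp'
	# was '*'
	option src 'vpn'
	option src_ip '10.8.0.0/24'
	option dest 'wan'
	option name 'Allow Outbound ICMP Echo Request (8)'
	list icmp_type 'echo-request'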
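I'd recommend changing the subnet for your VPN to something other than 10.8.0.0/netmask, as 10.8.0.0 covers 10.8.0.0 - 10.8.255.255 (that range is for a /16 netmask; the /24 used in the rules above covers only 10.8.0.0 - 10.8.0.255).
You should also change the port to something other than 1194, in combination with choosing a different server subnet that is higher up (e.g. 10.25.100.1), as keeping defaults is doing half the job for a cyber intruder. Moving the port and subnet only cuts down on automated scans and on address clashes with other VPNs; access control still rests on the OpenVPN certificates and keys (plus a tls-auth or tls-crypt key, which lets the server discard unauthenticated packets) and on firewall rules that name the VPN zone rather than every zone.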
The port number should be higher than 1025 (as <1025 are privileged ports), but lower than 10000.
answered Apr 26 '15 at 23:09
JW0914
you left out the routing table and the output of ifconfig -a
– MariusMatutiae
Dec 10 '13 at 19:31
Added the outputs of route and ifconfig -a
– WolleTD
Dec 10 '13 at 21:14