OpenWRT: Routing between LAN and OpenVPN











So, this is the current situation:



There is an OpenVPN server on the internet and an OpenWRT router at my place.
The router is connected to the VPN as a client.



I want the router to behave just as usual, but with an extra route between the VPN and the LAN.
I successfully pinged between the two VPN addresses. Then I added a route on the VPN server for 192.168.1.0/24 via 10.8.0.2 (IP address of my local router), but I am not able to ping 192.168.1.1, the other network address of my router...



The whole thing clearly looks like a routing issue which I am not able to solve...



/etc/config/network:



config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config interface 'lan'
option ifname 'eth0.1'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.1.1'

config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'

config switch
option name 'eth0'
option reset '1'
option enable_vlan '1'

config switch_vlan
option device 'eth0'
option vlan '1'
option ports '0t 2 3 4 5'

config switch_vlan
option device 'eth0'
option vlan '2'
option ports '0t 1'

config interface 'vpn'
option proto 'none'
option ifname 'tun0'


/etc/config/firewall:



config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'lan'
option network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wwan'

config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option network 'vpn'
option forward 'REJECT'


config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wwan'

config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option network 'vpn'
option forward 'REJECT'

config forwarding
option src 'lan'
option dest 'wan'

config forwarding
option dest 'lan'
option src 'vpn'

config forwarding
option dest 'vpn'
option src 'lan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option target 'ACCEPT'
option dest_port '1194'
option src 'wan'
option proto 'udp'
option family 'ipv4'

config include
option path '/etc/firewall.user'


Output of route



Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default stdw-wh-84-0.st 0.0.0.0 UG 0 0 0 eth0.2
10.8.0.0 * 255.255.255.0 U 0 0 0 tun0
192.168.1.0 * 255.255.255.0 U 0 0 0 br-lan
212.201.84.0 * 255.255.254.0 U 0 0 0 eth0.2


Output of ifconfig -a



br-lan    Link encap:Ethernet  HWaddr 64:66:B3:C6:FC:82
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:534 errors:0 dropped:8 overruns:0 frame:0
TX packets:458 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:97412 (95.1 KiB) TX bytes:105023 (102.5 KiB)

eth0 Link encap:Ethernet HWaddr 64:66:B3:C6:FC:82
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1495490 errors:0 dropped:13 overruns:0 frame:0
TX packets:259329 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:500056893 (476.8 MiB) TX bytes:220075895 (209.8 MiB)
Interrupt:4

eth0.1 Link encap:Ethernet HWaddr 64:66:B3:C6:FC:82
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:407 errors:0 dropped:0 overruns:0 frame:0
TX packets:353 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:77176 (75.3 KiB) TX bytes:81768 (79.8 KiB)

eth0.2 Link encap:Ethernet HWaddr 64:66:B3:C6:FC:82
inet addr:x.x.x.x Bcast:x.x.x.255 Mask:255.255.254.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3090 errors:0 dropped:1098 overruns:0 frame:0
TX packets:527 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:419453 (409.6 KiB) TX bytes:104348 (101.9 KiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:26 errors:0 dropped:0 overruns:0 frame:0
TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2549 (2.4 KiB) TX bytes:2549 (2.4 KiB)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.2 P-t-P:10.8.0.2 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

wlan0 Link encap:Ethernet HWaddr 64:66:B3:C6:FC:83
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:130 errors:0 dropped:0 overruns:0 frame:0
TX packets:131 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:22234 (21.7 KiB) TX bytes:28345 (27.6 KiB)

wlan1 Link encap:Ethernet HWaddr 64:66:B3:C6:FC:84
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:0 (0.0 B) TX bytes:620 (620.0 B)


Part of output of ip route on the VPN server (attached VPN route, manually added route to my LAN):



10.8.0.0/24 dev tun0  proto kernel  scope link  src 10.8.0.1
192.168.1.0/24 via 10.8.0.2 dev tun0


I have absolutely no clue about iptables, so this is the best I can do.










  • you left out the routing table and the output of ifconfig -a
    – MariusMatutiae
    Dec 10 '13 at 19:31










  • Added the outputs of route and ifconfig -a
    – WolleTD
    Dec 10 '13 at 21:14















networking router vpn openvpn openwrt






edited Dec 10 '13 at 21:13

























asked Dec 10 '13 at 18:14









WolleTD
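An added example, not code from the question or from either answer, covering the part of the setup the question does not show: the OpenVPN server's own configuration. In server (multi-client) mode, a kernel route such as the "192.168.1.0/24 via 10.8.0.2 dev tun0" shown above only delivers packets to the openvpn daemon. The daemon keeps its own client routing table and needs an iroute directive in a per-client file under client-config-dir before it will send 192.168.1.0/24 down a particular client's tunnel; this is the pattern from the OpenVPN HOWTO section on including multiple machines on the client side of a routed VPN. Binding the subnet to one client's certificate common name also means that another VPN client cannot claim the same subnet, since the daemon drops packets whose source address does not belong to the client that sent them. The script generates and checks those directives on a scratch directory; the client common name "openwrt", the relative ccd path and the server.conf layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the question or the answers). Server side of a
# routed OpenVPN: the kernel route "192.168.1.0/24 via 10.8.0.2 dev tun0"
# only hands packets to the openvpn daemon. The daemon routes between
# clients itself and needs 'iroute' in a client-config-dir file before it
# forwards 192.168.1.0/24 into the right client's tunnel; a client sending
# from a subnet it has no iroute for is dropped as a bad source address.
# Client CN "openwrt" and the ccd layout are assumptions.

# Prefix length (0-32) -> dotted netmask; OpenVPN's route/push/iroute
# directives take "network netmask", not CIDR notation.
cidr_to_netmask() {
    bits=$1; mask=""
    for i in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then
            octet=255; bits=$((bits - 8))
        else
            octet=$(( (255 << (8 - bits)) & 255 )); bits=0
        fi
        mask="${mask:+$mask.}$octet"
    done
    printf '%s\n' "$mask"
}

# Append the directives for one client's LAN to $1/server.conf and
# $1/ccd/<cn>.  $1 = config dir, $2 = client common name, $3 = LAN in CIDR.
write_client_lan() {
    dir=$1; cn=$2; net=${3%/*}; nm=$(cidr_to_netmask "${3#*/}")
    mkdir -p "$dir/ccd"
    {
        echo "route $net $nm"            # server kernel route via tun0
        echo "push \"route $net $nm\""   # other clients learn the LAN too
        echo "client-config-dir ccd"    # per-client files live in ./ccd
    } >> "$dir/server.conf"
    echo "iroute $net $nm" >> "$dir/ccd/$cn"   # bind the LAN to this CN
}

# Exit 0 only when all three pieces for $3 via client $2 are present.
check_client_lan() {
    dir=$1; cn=$2; net=${3%/*}; nm=$(cidr_to_netmask "${3#*/}")
    grep -qxF "route $net $nm"      "$dir/server.conf" 2>/dev/null || return 1
    grep -q   '^client-config-dir ' "$dir/server.conf" 2>/dev/null || return 1
    grep -qxF "iroute $net $nm"     "$dir/ccd/$cn"     2>/dev/null || return 1
    return 0
}

# Demo on a scratch directory mirroring the question: server 10.8.0.1,
# OpenWrt client 10.8.0.2 owning 192.168.1.0/24.
demo=$(mktemp -d)
echo "server 10.8.0.0 255.255.255.0" > "$demo/server.conf"
if check_client_lan "$demo" openwrt 192.168.1.0/24; then
    echo "before: already routed (unexpected)"
else
    echo "before: 192.168.1.0/24 unknown to the daemon; a kernel route alone is not enough"
fi
write_client_lan "$demo" openwrt 192.168.1.0/24
if check_client_lan "$demo" openwrt 192.168.1.0/24; then
    echo "after: route + push route + client-config-dir + iroute present:"
    cat "$demo/server.conf" "$demo/ccd/openwrt"
fi
rm -rf "$demo"
```

Run it as-is to see the before/after on the scratch directory; only point write_client_lan at the real OpenVPN directory after reading what it appends, and restart the server afterwards, since route and client-config-dir are read at startup while ccd files are read at each client connect. The push route line is what the HOWTO uses so that other VPN clients learn the LAN; with a single client it can be left out. The OpenWrt side is a separate check: the /etc/config/firewall above already contains a vpn to lan forwarding.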

2 Answers
I ran into this issue myself. So far, I've only gotten it so I can ping VPN machines from the LAN. I did this by using a similar configuration to yours, except I set the VPN zone's Forward to ACCEPT instead of REJECT.

Setting the LAN zone's Forward to ACCEPT doesn't change anything for me.

As a side note, you have two wan zones in your config file which are exactly the same.






    It could be a number of things, all very simple to solve...



    Most likely, it's a two fold firewall issue within OpenWRT and the end device's firewall... either you copied and pasted doubles, or your firewall config is improperly configured as not only are there two WANs (mentioned above), there's two VPNs (while you can run multiple servers and clients from the same config file, each must have their own unique zone name)



    On OpenWRT, you must allow traffic to pass from VPN to LAN and LAN to VPN... a firewall rule must also be utilized along with the forwarding you set up under the LAN and VPN zones to redirect traffic. I'd recommend taking a look at OpenVPN's HOWTO page



Firewall Traffic and Redirect Rules Required:

    # input rule: no 'dest', so it matches traffic addressed to the router itself
    config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '1194'
        option family 'ipv4'
        option src '*'
        option name 'Allow Inbound VPN0'

    # forward rule: 'dest' is present, so it matches traffic passing through the router
    config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option src '*'
        option dest '*'
        option dest_port '1194'
        option family 'ipv4'
        option name 'Allow Forwarded VPN0'

    # 10.8.0.0/24 below: replace with whatever VPN subnet/netmask you utilized.
    # Keep such notes on their own line; UCI does not accept a trailing comment after a value.
    config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option family 'ipv4'
        option src '*'
        option src_ip '10.8.0.0/24'
        option dest_ip '192.168.1.0/24'
        option name 'Allow Inbound VPN0 Traffic to LAN'

    config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option family 'ipv4'
        option src '*'
        option src_ip '10.8.0.0/24'
        option dest '*'
        option dest_ip '192.168.1.0/24'
        option name 'Allow Forwarded VPN0 Traffic to LAN'

    # ICMP echo requests from the VPN subnet out through the wan zone
    config rule
        option target 'ACCEPT'
        option family 'ipv4'
        option proto 'icmp'
        option src '*'
        option src_ip '10.8.0.0/24'
        option dest 'wan'
        option name 'Allow Outbound ICMP Echo Request (8)'
        list icmp_type 'echo-request'


I'd recommend changing the subnet for your VPN to something other than 10.8.0.0/netmask, as 10.8.0.0 covers 10.8.0.0 - 10.8.255.255.

You should also change the port to something other than 1194, in combination with choosing a different server subnet that is higher up (e.g. 10.25.100.1), as keeping defaults is doing half the job for a cyber intruder.

The port number should be higher than 1025 (as <1025 are privileged ports), but lower than 10000.

answered Apr 26 '15 at 23:09 by JW0914
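The OpenVPN HOWTO this answer points to covers the other half of the question's problem, the server side. The question adds a kernel route for 192.168.1.0/24 via 10.8.0.2 on the server; for a routed (tun) server that is necessary but not sufficient. The HOWTO section "Including multiple machines on the client side when using a routed VPN" asks for two things: a "route <net> <mask>" line in server.conf (or the equivalent ip route) so the kernel hands those packets to the tun device, and an "iroute <net> <mask>" line in that client's client-config-dir file so the OpenVPN daemon knows which connected client owns the subnet. Without the iroute, packets for the LAN reach tun0 and are dropped because no client matches. The following is an added example, not from the question, the answers or the OpenVPN project: a checker that compares a server config against the ccd directory contents. The parser, the server config, the ccd file name "openwrt-router" (the client certificate CN) and the check function are all assumptions constructed for this illustration.

```python
"""Server-side check for a routed site-to-site OpenVPN setup, the situation
in the question: a LAN (192.168.1.0/24) behind a client (the router, 10.8.0.2).

Per the OpenVPN HOWTO ("Including multiple machines on the client side when
using a routed VPN") the server needs both halves:
  1. a kernel route for the LAN into the tun device: 'route <net> <mask>' in
     server.conf (an 'ip route add' by hand does the same job), and
  2. 'iroute <net> <mask>' in that client's client-config-dir file, so the
     OpenVPN daemon knows which connected client owns the subnet; without it,
     packets that reach tun0 are dropped because no client matches.

Added example, not from the question or the answers. The ccd file name
'openwrt-router' (the client certificate CN) and the configs are assumptions
constructed for this illustration.
"""

import ipaddress


def parse_openvpn(text):
    """Return [(directive, [args])]; '#' and ';' comments are stripped."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            out.append((parts[0], parts[1:]))
    return out


def to_network(addr, mask):
    """'192.168.1.0', '255.255.255.0' -> IPv4Network('192.168.1.0/24')."""
    return ipaddress.IPv4Network((addr, mask), strict=False)


def check_site_routes(server_conf, ccd_files):
    """ccd_files maps client CN -> contents of its ccd file.
    Returns a list of problems; an empty list means routes and iroutes agree."""
    problems = []
    server = parse_openvpn(server_conf)
    has_ccd_dir = any(d == "client-config-dir" for d, _ in server)
    server_routes = {to_network(*a[:2]) for d, a in server if d == "route" and len(a) >= 2}

    iroutes = {}  # network -> [client CNs claiming it]
    for cn, text in ccd_files.items():
        for d, a in parse_openvpn(text):
            if d == "iroute" and len(a) >= 2:
                iroutes.setdefault(to_network(*a[:2]), []).append(cn)

    if iroutes and not has_ccd_dir:
        problems.append("client-config-dir missing: ccd files (and their iroutes) are never read")
    for net in sorted(server_routes - set(iroutes)):
        problems.append(f"route {net} has no matching iroute in any ccd file")
    for net, cns in sorted(iroutes.items()):
        if net not in server_routes:
            problems.append(f"iroute {net} ({', '.join(cns)}) has no kernel 'route' in server.conf")
        if len(cns) > 1:
            problems.append(f"iroute {net} claimed by more than one client: {', '.join(cns)}")
    return problems


# Constructed server config (hypothetical).
SERVER_CONF = """
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
client-config-dir ccd
route 192.168.1.0 255.255.255.0   # the LAN behind the OpenWrt client
"""

# ccd/openwrt-router before and after the fix (hypothetical CN).
CCD_BEFORE = {"openwrt-router": "# no iroute yet\n"}
CCD_AFTER = {"openwrt-router": "iroute 192.168.1.0 255.255.255.0\n"}

if __name__ == "__main__":
    print("before:", check_site_routes(SERVER_CONF, CCD_BEFORE))
    print("after: ", check_site_routes(SERVER_CONF, CCD_AFTER))
```

Run it against the real server.conf and the files in the ccd directory. The iroute is also the server's source-address check: traffic arriving from a client with a source address the server has not bound to that client is logged as "MULTI: bad source address from client" and dropped, which is why return traffic from the LAN hosts needs the iroute as much as the forward direction does. On the OpenWrt side the LAN hosts need no extra routes as long as the router is their default gateway and forwards between the vpn and lan zones.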