
Help configuring Firewalls and Routers with OpenVPN (TUN) on Tomato 1.28 (Shibby)

Discussion in 'Tomato Firmware' started by ChuckHL, Jul 22, 2013.

  1. ChuckHL

    ChuckHL Serious Server Member

    Hi everyone,

    First I apologize if this is not the right sub-forum.

    I need help configuring my routers' routes, firewall, etc., to allow establishing connections from my OpenVPN TUN clients to other subnets.

    Current Layout
    Here is the current layout of my network (just routers).

    1) Main router running Tomato 1.28 Shibby v110-EN
    External IP: Assigned by ISP
    Internal IP: 10.0.0.1 | Network: 10.0.0.0/24
    DHCP: 10.0.0.101-150 | STP: Enabled | DNS: OpenDNS
    Firewall: Default settings
    Static Routes (Dest/Gate/Subnet/Interface):
    10.0.1.0/10.0.0.10/24/LAN
    10.0.5.0/10.0.0.251/24/LAN
    OpenVPN Server1 TAP IP range 10.0.0.241-250
    OpenVPN Server2 Tun Sub/Mask 10.0.3.0/24
    Firewall Script:
    iptables -I FORWARD -s 10.0.1.0/24 -j ACCEPT (not sure if required)
    iptables -I FORWARD -s 10.0.5.0/24 -j ACCEPT (not sure if required)

    2) Additional router working as a wireless repeater for main router running 1.28 Shibby v110-EN

    External IP: None
    Internal IP: 10.0.0.2 | Network: 10.0.0.0/24
    DHCP: Disabled | STP: Enabled | DNS: 10.0.0.1


    3) Additional router working as a Gateway hosting another subnet connected to the main router by cable running 1.28 Shibby v110-EN
    External IP: 10.0.0.10
    Internal IP: 10.0.1.1 | Network: 10.0.1.0/24
    DHCP: 10.0.1.101-150 | STP: Enabled | DNS: 10.0.0.1
    Firewall: Default settings
    Static Routes (Dest/Gate/Subnet/Interface):
    10.0.5.0/10.0.0.1/24/WAN (see router 1's definitions)
    I added the route despite traffic going through router 1, since this router connects to a VPN privacy service provider and that provider uses the redirect-gateway command. This way connections going to 10.0.5.0/24 won't go through the VPN.
    OpenVPN Client1 TUN IP Assigned by VPN provider
    (using VPN services of companies such as PIA/HMA/etc)
    Firewall Script:
    iptables -I FORWARD -s 10.0.0.0/24 -j ACCEPT

    4) Additional router (DDWRT) working as Gateway at remote location connected via OpenVPN to the main router via TAP connection.
    External IP: Assigned by ISP
    Internal IP: 10.0.5.1 | Network: 10.0.5.0/24
    DHCP: 10.0.5.101-150 | STP: Enabled | DNS: OpenDNS
    Firewall: Default settings
    Static Routes (Dest/Gate/Subnet/Interface):
    10.0.1.0/10.0.0.1/24/TAP1
    I added the route since the OpenVPN connection won't enforce the redirect-gateway directive. This way connections going to 10.0.1.0/24 will go through the OpenVPN network 10.0.0.0/24.
    OpenVPN Client connected to router 1: IP: 10.0.0.251
    Firewall Script:
    iptables -I FORWARD -s 10.0.0.0/24 -j ACCEPT

    Current Status
    Connections between all three subnets work perfectly. A client in network 10.0.x.0 (10.0.0.0, 10.0.1.0, and 10.0.5.0) can reach any of the other networks and vice versa.

    The problem
    On the main router I created a second OpenVPN server for TUN connections hosting subnet 10.0.3.0/24. The issue is that clients that connect to this server are not able to reach the other subnetworks.

    For example: I connect my laptop through TUN and I get assigned IP 10.0.3.6. Through this connection I am able to reach the main router (10.0.0.1), the secondary router (10.0.0.2), and all other PCs and IP cameras connected in this network (10.0.0.0/24). However, I am not able to reach the router hosting network 10.0.1.0/24 and the router hosting network 10.0.5.0/24, nor any of the devices connected to these two routers.

    Personally, I believe the problem is firewall related, but I have not been able to find the firewall rule to add to the scripts. I've tried adding the following line on all routers with no success at all.
    iptables -I FORWARD -s 10.0.3.0/24 -j ACCEPT

    For the OpenVPN server running in TUN mode I have enabled the following:
    Push LAN to clients
    Allow Client <-> Client
    Direct clients to redirect internet traffic
    Respond and Advertise DNS to clients

    And I have also tried to push routes to the other networks (even though it should not be necessary since all traffic is already going through the VPN) and I have confirmed it by surfing the network and checking my IP.

    Any help will be appreciated.

    Regards
     
  2. Malitiacurt

    Malitiacurt Networkin' Nut Member

    You have to add the common name, subnet and netmask of each of the other subnets your tunneled clients are on.

    I found just checking them off doesn't work, have to manually add all the client subnets to connect to them.
     
  3. ChuckHL

    ChuckHL Serious Server Member

    Thanks for the info but could you elaborate with an example? I'm not sure what you mean.
     
  4. Malitiacurt

    Malitiacurt Networkin' Nut Member

    Common name is a setting in the openvpn client when you created the keys/certificates.
    Subnet/netmask of the gateway/settings on that openvpn client, NOT the VPN subnet/netmask you set under openvpn-server->basic configuration.

    E.g. Common_name_you_set, 10.0.1.0, 255.255.255.0.
    Add that to your vpn server configuration that creates TUN clients.

    ~Edit: Your numbering of subnets is pretty confusing when you use a tunneled VPN subnet so close to the numbering of your actual routers (I think you set it as 10.0.3.0/24, when your networks/clients reside on 10.0.1.0/24, 10.0.5.0/24 etc.). The tunneled VPN subnet/IPs are never 'seen' or known by clients; the VPN client/servers handle it, so it's just logically awkward (at least from my experience in TUN VPN setups).
     
  5. ChuckHL

    ChuckHL Serious Server Member


    I figured it out. Nothing to do with common names. It was a matter of firewall rules: disabling NAT on the VPN and adding the routes on the other routers.

    Regards
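The fix in the last post (NAT off on the TUN server, plus routes on the other routers) comes down to a return-path problem: once replies are addressed to the real 10.0.3.x client address instead of a NATed 10.0.0.1, every downstream gateway needs to know that 10.0.3.0/24 lives behind the main router, or its reply follows the default route instead. A FORWARD ACCEPT rule cannot repair that. The following Python model is an added example, not configuration from the thread or from Tomato; it uses the subnets and next hops posted above, but the router labels, interface names, the sample hosts 10.0.1.50 / 10.0.5.50, and the return route 10.0.3.0/24 via 10.0.0.1 on routers 3 and 4 are assumptions chosen to illustrate the point.

```python
import ipaddress

# Constructed model of the thread's topology (added example, not the routers'
# real tables). Router labels, interface names and the return route
# 10.0.3.0/24 -> 10.0.0.1 on the downstream gateways are assumptions.
NEXT_HOP_ROUTER = {"10.0.0.1": "router1", "10.0.0.10": "router3", "10.0.0.251": "router4"}


def build_tables(return_routes: bool) -> dict:
    """Per-router routing tables as (destination, next hop) pairs.
    A next hop of 'direct:<iface>' means the destination is on-link."""
    tables = {
        # main router 10.0.0.1: LAN, TUN server subnet, static routes to both gateways
        "router1": [
            ("10.0.0.0/24", "direct:br0"),
            ("10.0.3.0/24", "direct:tun22"),   # OpenVPN TUN server subnet
            ("10.0.1.0/24", "10.0.0.10"),
            ("10.0.5.0/24", "10.0.0.251"),
            ("0.0.0.0/0", "isp"),
        ],
        # gateway for 10.0.1.0/24; its default route is the privacy-VPN tunnel
        "router3": [
            ("10.0.1.0/24", "direct:br0"),
            ("10.0.0.0/24", "direct:vlan2"),
            ("10.0.5.0/24", "10.0.0.1"),
            ("0.0.0.0/0", "vpn-provider"),     # redirect-gateway pushed by the provider
        ],
        # remote DD-WRT gateway for 10.0.5.0/24, reached over the TAP tunnel
        "router4": [
            ("10.0.5.0/24", "direct:br0"),
            ("10.0.0.0/24", "direct:tap1"),
            ("10.0.1.0/24", "10.0.0.1"),
            ("0.0.0.0/0", "isp"),
        ],
    }
    if return_routes:  # the assumed fix: tell the gateways where 10.0.3.0/24 lives
        for name in ("router3", "router4"):
            tables[name].append(("10.0.3.0/24", "10.0.0.1"))
    return tables


def lookup(table, dst: str) -> str:
    """Longest-prefix match over one table, as the kernel's FIB lookup does."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, hop in table:
        n = ipaddress.ip_network(net)
        if ip in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, hop)
    return best[1]


def trace(tables: dict, start: str, dst: str) -> list:
    """Follow a packet router by router. The last element is 'delivered:<iface>'
    when the destination is on-link, or the external link (isp / vpn-provider)
    the packet leaves the site on; a 10.0.3.x reply that gets there is lost."""
    path, router = [], start
    for _ in range(8):  # loop guard
        path.append(router)
        hop = lookup(tables[router], dst)
        if hop.startswith("direct:"):
            path.append("delivered:" + hop.split(":", 1)[1])
            return path
        if hop not in NEXT_HOP_ROUTER:
            path.append(hop)
            return path
        router = NEXT_HOP_ROUTER[hop]
    path.append("loop")
    return path


def round_trip(return_routes: bool, lan_router: str) -> tuple:
    """Forward path from the TUN client 10.0.3.6 (entering at router1) to a
    host behind lan_router, and the reply path back from that gateway."""
    tables = build_tables(return_routes)
    host = {"router3": "10.0.1.50", "router4": "10.0.5.50"}[lan_router]
    forward = trace(tables, "router1", host)
    reply = trace(tables, lan_router, "10.0.3.6")
    return forward, reply


if __name__ == "__main__":
    for flag in (False, True):
        for gw in ("router3", "router4"):
            fwd, rep = round_trip(flag, gw)
            print(f"return route {'on ' if flag else 'off'} via {gw}: forward {fwd}  reply {rep}")
```

Without the return route the forward path succeeds in both cases, which matches the symptom of pings simply timing out: the request arrives, and the reply leaves through router 3's privacy-VPN tunnel (or router 4's ISP link) and never comes back. With the route in place the reply goes back to 10.0.0.1 and out the TUN interface.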
     
