
Looking for a minimum OpenVPN Server/Client configuration for the following network setup?

Discussion in 'Tomato Firmware' started by sunsina, Mar 3, 2014.

  1. sunsina

    sunsina Reformed Router Member

    Hi,
    I need to connect and bridge two remote networks residing in two different geographical locations;
    the network configuration is shown in the following figure. (The Internet IPs are not real, but the local network addresses and netmasks are taken from the actual implementation.)

    I read a number of "How-to's" for OpenVPN on the Internet; none of them were comprehensive, and I found many of them confusing instead of instructive.

    The reason I post this question in this forum is that I am tired of the different tries, suggestions, web links, references, ...

    My aim is to make the devices on Site A (DeviceA1 or DA-1, and DeviceA2 or DA-2) accessible to OSD-1 (OpenVPN Server Device 1 on Site B), while DA-1 and DA-2 must keep their own IP addresses, carried over unchanged on RT-S [which runs Tomato Shibby AIO] which is running the OpenVPN server.
    (Maybe RT-S needs an extra bridge (br1) or VLAN in the range 192.168.42.x/24 to be defined in its VLAN list!?)


    In addition, DB-1 and DB-2, which are connected to LPB-1 (LAN Port #1, Site B) and LPB-2 (LAN Port #2, Site B), must not have access to DA-1 and DA-2 at all (and vice versa).

    Since the Internet on Site A is very limited, Internet access must be redirected from Site B to Site A (IP forwarding), so all DA-1 and DA-2 Internet traffic must pass through RT-C and then be forwarded from RT-S (which is behind the NAT of the Site B router).

    So the WAN IP for DA-1 and DA-2 must be 97.55.67.B.


    DA-2 gets a dynamic IP and uses the multicast address 239.1.2.3:50550, which DA-1 receives, and a copy of the multicast packets is required to be forwarded to the other side of the OpenVPN server network, to OSD-1 or RT-S.


    I would be happy if anyone could solve and explain the problem for me.
    I would rather not be referred to other website links, guidelines, etc., since I have had enough of them to get confused.

    I know how to make the client, server, keys and certificates and how to open ports on routers, ...

    I have already chosen a TAP device, since I realized that a TAP device implements network Layer 2, which is essential for UDP multicast forwarding.

    What I am stuck on is the correct routing table settings required for both the client and server sides.

    I do not know what the correct routing configuration would be, and how I have to set it up properly on the Tomato router (via the GUI, extra conf, SSH to rootfs or jffs).

    If you are going to leave a reply on this thread, please kindly explain (since I am very new to routing, ...)
    where I have to add the settings (Router GUI for OpenVPN, Advanced -> Routing option menu, a file in /tmp/openvpn/...., in route-up.sh, route-down.sh)
    for both the RT-S (Server) and RT-C (Client) sides.

    And finally, how the routing table must look if I run the following commands:

    iptables -t filter -nvL

    iptables -t nat -nvL

    Shall I add routes and modify the routing table manually instead of using route-add in the OpenVPN config scripts?


    I guess a comprehensive answer to this question could be considered a very good online tutorial, and many could benefit from it.

    Your help will save me a lot of time and is really appreciated.
    Thanks in advance
     
  2. kthaddock

    kthaddock Network Guru Member

    The first thing to test is to get both Site A and B on the same subnet.
    A = 192.168.42.100/24
    B = 192.168.42.200/24
    or the other way
    A = 192.168.100.100/24
    B = 192.168.100.200/24
    And it's a TAP net, so NO routing is needed; only plan your IP numbers on both sides.
     
    Last edited: Mar 3, 2014
  3. shibby20

    shibby20 Network Guru Member

    In TAP mode you have to block broadcast or DHCP requests only.
     
  4. sunsina

    sunsina Reformed Router Member

    How about Internet redirection from Site B ---> Site A?
    And shall I implement just an extra bridge br1 or VLAN in the range 192.168.42.0/24 on RT-S and not on RT-C?
     
  5. kthaddock

    kthaddock Network Guru Member

    Q = How about Internet redirection from Site B ---> Site A?
    A = It's on the same subnet, everybody can talk with each other. A=B B=A.

    Q = And shall I implement just an extra bridge br1 or VLAN in the range 192.168.42.0/24 on RT-S and not on RT-C?
    A = Why? You only need one of my suggestions, not both.
     
  7. sunsina

    sunsina Reformed Router Member

    Please note that the Main Router Site A and Main Router Site B have nothing to do with OpenVPN.
    The OpenVPN client/server is just installed on RT-C (OpenVPN client) and RT-S (OpenVPN server).

    And on which side do I have to block DHCP: Site A, Site B or both (and do you mean I should block on RT-C and RT-S, or on the main router)?

    I would be happy if I could get a simple screenshot or values for the OpenVPN GUI for both the Server and Client sides (Thanks).
     
  8. kthaddock

    kthaddock Network Guru Member

    Please note that the Main Router Site A and Main Router Site B have nothing to do with OpenVPN.
    The OpenVPN client/server is just installed on RT-C (OpenVPN client) and RT-S (OpenVPN server).
    - Well, that's not true. You still have DHCP and multicast packets on TAP.


    And on which side do I have to block DHCP: Site A, Site B or both (and do you mean I should block on RT-C and RT-S, or on the main router)?
    -
    You have DHCP servers on both sides and need to block on RT-C and RT-B.

    I would be happy if I could get a simple screenshot or values for the OpenVPN GUI for both the Server and Client sides (Thanks).
    - I can't, both of mine are in use and I can't reconnect.
     
    Last edited: Mar 4, 2014
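Putting kthaddock's and shibby20's replies together (one shared subnet over a TAP tunnel, no routes, block DHCP on both routers), here is a worked example. It is added here and is not configuration posted by anyone in the thread or generated by Tomato: a minimal OpenVPN TAP server/client pair for RT-S and RT-C, the firewall rules that keep each site's DHCP server from answering across the tunnel, and a check that the routing table really carries no route over the tap. Assumed rather than taken from the thread: the interface names tap21 (Tomato server 1) and tap11 (Tomato client 1), UDP port 1194, the /jffs/openvpn key paths, the SITE_B_PUBLIC_IP placeholder for Site B's real address, that the Tomato build has xt_physdev with bridge-nf-call-iptables set to 1 (otherwise the same UDP 67/68 drops go into ebtables instead), and the two `route -n` tables, which are constructed samples.

```shell
#!/bin/sh
# Added example for this thread (not the posters' or Tomato's own config):
# a minimal OpenVPN TAP (Layer 2) pair bridging two LANs onto the single
# 192.168.42.0/24 subnet used in the thread, the firewall rules that stop each
# site's DHCP server answering across the tunnel, and a routing-table check.
# Assumed, not from the thread: Tomato's tap21 (server 1) / tap11 (client 1)
# names, UDP 1194, the /jffs key paths, the SITE_B_PUBLIC_IP placeholder, and
# a build with xt_physdev and bridge-nf-call-iptables=1.

# RT-S (server). Deliberately no "server"/"server-bridge" helper: nothing is
# pushed to the client, because both LANs are statically planned inside one
# subnet and Tomato bridges the tap into br0 itself when "Bridge TAP with br0"
# is ticked. Tomato's GUI writes these lines; shown in full so the same pair
# also works on any other Linux OpenVPN build.
openvpn_server_conf() {
    cat <<'EOF'
dev tap21
dev-type tap
proto udp
port 1194
mode server
tls-server
ca /jffs/openvpn/ca.crt
cert /jffs/openvpn/server.crt
key /jffs/openvpn/server.key
dh /jffs/openvpn/dh.pem
keepalive 10 60
persist-key
persist-tun
verb 3
EOF
}

# RT-C (client). route-nopull makes explicit that nothing the server might
# push can rewrite this router's routing table; the tap is bridged into br0
# on this side too, so no "ifconfig" and no "route" lines are needed.
openvpn_client_conf() {
    cat <<'EOF'
client
dev tap11
dev-type tap
proto udp
remote SITE_B_PUBLIC_IP 1194
nobind
route-nopull
ca /jffs/openvpn/ca.crt
cert /jffs/openvpn/client.crt
key /jffs/openvpn/client.key
keepalive 10 60
persist-key
persist-tun
verb 3
EOF
}

# DHCP isolation, to be run on BOTH routers (tap21 on RT-S, tap11 on RT-C),
# e.g. from Tomato's Administration -> Scripts -> Firewall box. INPUT covers
# DHCP aimed at the router itself; the physdev FORWARD rules cover DHCP that
# would otherwise be bridged through the tap in either direction. Only UDP
# 67/68 is dropped, so multicast (239.1.2.3:50550 in the thread) still crosses.
dhcp_isolation_rules() {
    tap="$1"
    cat <<EOF
iptables -I INPUT -i $tap -p udp --dport 67:68 -j DROP
iptables -I FORWARD -m physdev --physdev-in $tap -p udp --dport 67:68 -j DROP
iptables -I FORWARD -m physdev --physdev-out $tap -p udp --dport 67:68 -j DROP
EOF
}

# Check for the "no routing needed" claim: on a bridged TAP the tap interface
# must carry no IP route at all (routes point at br0 and the WAN vlan).
# Takes the text of `route -n` and prints how many routes use a tap interface.
routes_via_tap() {
    printf '%s\n' "$1" | awk 'NR > 2 && $NF ~ /^tap/ { n++ } END { print n + 0 }'
}

# Constructed sample (not a capture from the thread): a correct RT-C table
# with the LAN on br0, the WAN on vlan2 and the tap absent.
GOOD_ROUTE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 vlan2
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 vlan2
192.168.42.0    0.0.0.0         255.255.255.0   U     0      0        0 br0'

# Constructed sample of the mistake to avoid: a route added over the tap by
# hand (or pushed), which defeats the bridged design.
BAD_ROUTE_TABLE="$GOOD_ROUTE_TABLE
192.168.42.0    0.0.0.0         255.255.255.0   U     0      0        0 tap11"

case "${1:-}" in
    server) openvpn_server_conf ;;
    client) openvpn_client_conf ;;
    fw)     dhcp_isolation_rules "${2:-tap21}" ;;
    check)  echo "routes over tap: $(routes_via_tap "$(route -n 2>/dev/null)")" ;;
esac
```

Run it with `server`, `client`, `fw tap21` (on RT-S) or `fw tap11` (on RT-C) to print the pieces, and `check` on either router once the tunnel is up; a correctly bridged router prints 0. Because the two LANs become one Layer 2 segment, the Internet redirection asked about in post 4 comes down to which default gateway the Site A hosts are given (RT-S's LAN address sends their traffic out through Site B's NAT), not to OpenVPN routes; that is a consequence of the bridged design, not something stated in the thread.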
