1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Openvpn Server to client problem

Discussion in 'Tomato Firmware' started by andy, Mar 30, 2013.

  1. andy

    andy Addicted to LI Member

    I am using two WL-520gu, I installed the VPN by optware.
    From client to server side, everything works fine. However, I cannot access the client side from the server.

    push "route"
    port 1194
    dev tun0
    proto tcp
    keepalive 15 60
    verb 3
    tls-auth ta.key 0
    dh dh2048.pem
    ca ca.crt
    cert server.crt
    key server.key
    user nobody
    group nobody
    chroot /tmp/chroot
    comp-lzo adaptive
    cipher AES-128-CBC
    client-config-dir ccd
    #push "route"
    server firewall :
    iptables -I FORWARD 1 --source -j ACCEPT
    iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
    iptables -I OUTPUT -o tun0 -j ACCEPT
    iptables -I INPUT -i tun0 -j ACCEPT
    iptables -t nat -A POSTROUTING -s -o vlan1 -j MASQUERADE
    dev tun1
    proto tcp
    remote 1194
    resolv-retry infinite
    http-proxy 8889
    ca ca.crt
    cert client.crt
    key client.key
    ns-cert-type server
    tls-auth ta.key 1
    cipher AES-128-CBC  # AES
    comp-lzo adaptive
    verb 0
    user nobody
    group nobody
    chroot /tmp/chroot
    script-security 2
    client firewall :
    iptables -t nat -A POSTROUTING -s -o tun1 -j MASQUERADE
    # Without the following 4 rules, I cannot even ping the client's VPN IP from the Server
    # with these 4 rules, I can ping the client's VPN IP from the Server, but still cannot ping (Router local IP)
    iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
    iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
    iptables -I OUTPUT -o tun1 -j ACCEPT
    iptables -I INPUT -i tun1 -j ACCEPT
    Server's route table :
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface        *      UH    0      0        0 tun0   *      UH    0      0        0 vlan1   UG    0      0        0 tun0     *        U     0      0        0 br0   UG    0      0        0 tun0   *        U     0      0        0 vlan1       *            U     0      0        0 lo
    default         UG    0      0        0 vlan1
    Any help will be appreciated. Thanks.
  2. jbcdidgosir

    jbcdidgosir Serious Server Member

    In tomato, there's an option called "Manage Client-Specific Options" and "Allow Client<->Client". Would you please check?
  3. andy

    andy Addicted to LI Member

    Thanks, I do not use the Openvpn GUI. Even I use it, same result.

    I just found that may be the "iroute" in the ccd file is not working. If I change the ccd file to :
    the client still got the IP instead of the expected

    The firmware of my openvpn server router is TB mod : "Tomato Firmware v1.28.8754 ND USB vpn3.6".
  4. andy

    andy Addicted to LI Member

    Moreover, ping from server to client :
    ping : (client router VPN IP) succeed.
    ping : (client router local IP) fail, checked the client router firewall log and did not find any packet dropped by the client firewall.
  5. gfunkdave

    gfunkdave LI Guru Member

    I'm a bit unclear...when you can't ping from the server to the client, can you still ping from client to server? If so, once you successfully ping from client to server try pinging from server to client. If it works, the issue is that OpenVPN is timing out the connection. I think it's a bug somewhere - happened to me. The solution is to add ping 30 to the client's client.conf file. This way, the client keeps the connection alive.
  6. andy

    andy Addicted to LI Member

    Yes, when I can't ping from the server to the client, I can ping from client to server (and all pc on the server subnet).

    The server ping can reach the client's VPN IP (, but no ping packet reaches client router's local IP ( I checked the firewall log of the client router, no packet from source, was dropped, and no packet with destinction was dropped.

    It seems that the server router does not route the ping packet to Please check the server's route table I showed earlier, I cannot find any problem in the route table.
  7. gfunkdave

    gfunkdave LI Guru Member

    After looking at your config, I'm not sure what you're trying to do. You do realize that you're trying to connect to the server via a LAN connection, not over the internet, right? That's got to be wrong. Also,why are you using TCP instead of UDP? UDP is the default. This config is pretty messed up.

    Look in the logs for problem reports.
  8. andy

    andy Addicted to LI Member

    My vpn server router is behind another external router connecting to internet, that external router is not under my control. That external router has not port forwarding for my vpn, but it has port forwarding of SSH to my server router, so my vpn client is connecting to my vpn server through a SSH tunnel (client --> polipo --> ssh tunnel through the external router --> server). This is the reason I used TCP instead of UDP, as "http-proxy ip port" option does not support UDP.

    If finally this problem cannot be fixed, I am considering a stupid workaround :
    set up another VPN network, install a vpn server to the existing client router, a vpn client to the existing server router. With the 2 vpn networks, I think I can have bi-direction traffic.
  9. gfunkdave

    gfunkdave LI Guru Member

    I suspect (but have no way of knowing) that your problem is due to tunneling VPN over an SSH tunnel. I am unaware if that's possible. I suppose it should work, but who knows.

    I trust you're aware that you can quite easily tunnel HTTP/HTTPS traffic through an SSH tunnel with no need for a full blown VPN.
  10. andy

    andy Addicted to LI Member

    SSH setup is easy, but usually the software should support using proxy in order to use the tunnel. I think I'll go to the 2 vpn workaround mentioned above.

    Anyway, thanks very much for your advise.
  11. gfunkdave

    gfunkdave LI Guru Member

    Putty is a free and full featured SSH client that supports tunneling and is a local SOCKS proxy. I use it all the time.
  12. andy

    andy Addicted to LI Member

    Yes, sometimes I use putty + proxifier if vpn is not available.

Share This Page