
Please help: Double-VPN, how to forward server->client->client

Discussion in 'Tomato Firmware' started by premudriy, Sep 10, 2013.

  1. premudriy

    premudriy LI Guru Member

    Hello everybody,

    I'm having trouble setting up a somewhat complicated VPN network. Here's the topology I'd like to achieve:

    Server in another                        Office
        location                            location
    |=============|                   |==================|
    (Tomato router)  <Ser==VPN==Cli>  (Tomato router     )                    Users at diff
    ( running VPN )                   ( running VPN      )                      locations
    (    Server   )                   ( Client to connect)                  |=================|
    (             )                   (to "A" and another)  <Ser==VPN==Cli> (Computers running)
    (  Point "A"  )                   (VPN Server for "C")                  ( any kind of VPN )
                                      (                  )                  ( client software )
                                      (    Point "B"     )                  (                 )
                                                                            (    Point "C"    )

    Verbally: At first there was an office (point "B") where users were connecting through VPN. The Tomato router in "B" runs OpenVPN server and everything is accessible between "B" and "C".

    Now we've added another server with Tomato router (point "A") that is running VPN Server and the office router "B" also runs the client. So router in "B" now runs both: client to connect to "A" and server so that "C" can connect to it.

    What is happening right now:
    1. Everything between "A" and "B" is perfectly accessible.
    2. Everything between "B" and "C" is perfectly accessible.
    3. Problem is that "C" can't hit IPs that are in "A". Basically no "A" <-> "C" communication.

    How can I make "C" and "A" communicate over this setup?

    Some more info:
    1) Router at "A": IP=, VPN subnet for clients is
    2) Router at "B": IP=, VPN subnet for clients is

    From what I've read I understood that I have to set up a static route on "B" that will tell "C" where devices are, but no matter what I try, "C" can't access "A" through "B".

    Please help.
  2. Disassembler

    Disassembler Reformed Router Member

    What do you mean by "static route on B"? If it's an actual static route there, then no, the problem seems to be that C sees an interface for but doesn't know that can also be reached via (or whatever B's IP on the VPN subnet between B and C is). You could try "ip route add via dev tun0" on C. If that works, an OpenVPN config line like
    push "route"
    should do it.
    If you already figured out that the route has to be pushed to the clients, I'd have to use tcpdump though because I don't know what could be the problem.
  3. Malitiacurt

    Malitiacurt Networkin' Nut Member

    You can't set up the static route using Advanced->Routing->Static Routing Table under Tomato because you can't specify the interface. I don't think you can specify in the OpenVPN Tomato GUI to push that route.

    It has to be done through iptables. If your openvpn C clients have all traffic redirected to B it should work, otherwise it might not since you have to 'push' that route ( to the C's which would by default go up their default gateway for a route they don't recognize.
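    Added example, not from the thread and not Tomato's or OpenVPN's own code: a small Python model of the three routing tables that shows why C's packets for A leave C through its ordinary default gateway, what the pushed route Disassembler and Malitiacurt describe changes, and the return route A needs on top of it (A's OpenVPN server knows nothing about B's client subnet, so A's replies to C would also leave via the WAN). The thread's real addresses were stripped from the page, so every address below, the node names A/B/C and the ccd path /jffs/ccd are assumptions made here.

```python
import ipaddress

# Assumed addressing: the thread's real addresses were stripped from the page,
# so these are placeholders chosen for the example, not the poster's networks.
A_LAN, A_VPN = "192.168.1.0/24", "10.8.0.0/24"  # A's LAN and A's OpenVPN client subnet
B_LAN, B_VPN = "192.168.2.0/24", "10.9.0.0/24"  # B's LAN and B's OpenVPN client subnet
B_ON_A = "10.8.0.2"      # B's client address on A's VPN
C_ON_B = "10.9.0.6"      # C's client address on B's VPN
A_HOST = "192.168.1.10"  # a machine on A's LAN that C wants to reach


class Node:
    """A router or host with a longest-prefix-match routing table.

    A next hop is another node's name, "local" (this node owns the destination)
    or "wan" (the node's ordinary default gateway, i.e. the packet leaves the VPN).
    """

    def __init__(self, name, routes):
        self.name = name
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes if dst in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(nodes, src, dst, max_hops=8):
    """Follow a packet hop by hop and return the node names it visits.

    The last entry is the node that delivered it, or "wan" / "drop" / "loop"
    if it never reached a node owning the destination.
    """
    path, cur = [src], src
    for _ in range(max_hops):
        nh = nodes[cur].lookup(dst)
        if nh is None:
            return path + ["drop"]
        if nh == "local":
            return path
        path.append(nh)
        if nh == "wan":
            return path
        cur = nh
    return path + ["loop"]


def build(push_a_to_c=False, return_route_on_a=False):
    """The three routers as the thread describes them, plus two optional fixes."""
    c_routes = [(C_ON_B + "/32", "local"), (B_VPN, "B"), (B_LAN, "B"),
                ("0.0.0.0/0", "wan")]
    if push_a_to_c:
        # Fix 1: B's server pushes A's networks, so C sends them into its tunnel to B.
        c_routes += [(A_LAN, "B"), (A_VPN, "B")]
    b_routes = [(B_LAN, "local"), ("10.9.0.1/32", "local"), (C_ON_B + "/32", "C"),
                (B_ON_A + "/32", "local"), (A_LAN, "A"), (A_VPN, "A"),
                ("0.0.0.0/0", "wan")]
    # A already reaches B's LAN (the thread says A<->B works) but knows nothing
    # about B's client subnet, which is where C's packets come from.
    a_routes = [(A_LAN, "local"), (A_VPN, "local"), (B_ON_A + "/32", "B"),
                (B_LAN, "B"), ("0.0.0.0/0", "wan")]
    if return_route_on_a:
        # Fix 2: route + iroute on A, so replies to C go back down B's tunnel.
        a_routes.append((B_VPN, "B"))
    return {"A": Node("A", a_routes), "B": Node("B", b_routes), "C": Node("C", c_routes)}


def ovpn(prefix):
    """'192.168.1.0/24' -> '192.168.1.0 255.255.255.0' (OpenVPN's route syntax)."""
    return ipaddress.ip_network(prefix).with_netmask.replace("/", " ")


def openvpn_lines():
    """Config lines matching the two fixes above, keyed by where they go.
    The ccd directory path is an assumption for this example."""
    return {
        "B server": ['push "route %s"' % ovpn(A_LAN), 'push "route %s"' % ovpn(A_VPN)],
        "A server": ["route %s" % ovpn(B_VPN), "client-config-dir /jffs/ccd"],
        "A ccd/<CN of B's client cert>": ["iroute %s" % ovpn(B_VPN)],
    }


if __name__ == "__main__":
    cases = [("as reported", {}),
             ("fix 1: B pushes A's routes", {"push_a_to_c": True}),
             ("fix 1 + fix 2: iroute on A", {"push_a_to_c": True, "return_route_on_a": True}),]
    for label, kw in cases:
        n = build(**kw)
        print("%-28s C->A %-18s A->C %s" % (label, trace(n, "C", A_HOST), trace(n, "A", C_ON_B)))
    for where, lines in openvpn_lines().items():
        print(where + ":", *lines, sep="\n  ")
```

    Running it prints the path each packet takes under the three configurations and the matching OpenVPN lines. Two things the model leaves implicit: on Tomato the push/route lines go in the server's custom-configuration box, the ccd file has to exist on the router's filesystem (hence the /jffs path), and B's firewall must permit forwarding between its client-side and server-side tun interfaces. Once B pushes A's routes, everyone holding a key for B's server can reach A's LAN through B, so A's firewall rules on its tunnel interface, not the number of keys A has issued, are what bound that exposure.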
  4. premudriy

    premudriy LI Guru Member

    I see. Thank you for the explanation. I am thinking now that I won't bother and just have the people who need it have OpenVPN keys to hit "A" directly. We can't have the option to redirect all traffic from the "C"s to "B" in our setup.

    The reason I thought of going with the idea of C->B->A is that if A has only one client key generated, then no one can connect to it, even if key gets leaked, because A->B will be connected 24/7 and no other connections with that key can be made to "A".

    Thanks again!
  5. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Is there a reason you don't make Point B the server and Point A/C the clients? Then, having A and C communicate is just checking a box to allow it... (plus there's less overhead since there's only one server running)
  6. lancethepants

    lancethepants Network Guru Member

    I used to run a setup similar to this until I started adding more sites. I realized that I didn't like the star topology of all the client sites connecting to the server site. In this scenario, when any two client sites want to talk, they must go through the server site.

    For all my sites now, I run tinc mesh vpn. Each site can talk directly to any other site.
    Every site still runs OpenVPN, and roaming clients can pick which site to connect to.
    I've actually placed a custom OpenVPN config in each OpenVPN server also.

    push "route"
    No matter which OpenVPN server someone connects to, they actually still have access to the entire mesh vpn through that particular node. It would also be possible to create tinc clients, that then can have access directly to each site running tinc. Say a laptop, or phone. Just start the tinc service, and you have a direct line to every site.

    edit: I do run this on my routers too. I store the static binaries I've compiled in /jffs, for dependability over USB.
  7. premudriy

    premudriy LI Guru Member

    Oh, interesting thing about tinc vpn. Never heard of this. The tinc vpn is not available for Tomato routers, is it?
  8. premudriy

    premudriy LI Guru Member

    Yeah, that's another great idea. Today we actually moved/deployed the server hardware in "A". After a long talk/thinking we figured we shouldn't have the rest of the guys in "B" accessing stuff in "A" directly anyway, because someone will eventually screw something up since not all people in "B" are qualified to touch stuff in "A".
  9. lancethepants

    lancethepants Network Guru Member

    There isn't a firmware with built in tinc support currently.
    It is available through entware, though I do not like to rely on USB for important things like VPN.
    I compile my own static tinc binaries, and make them available at lancethepants.com/files.
    I then load the binaries into the /jffs partition of the router with all my configs.
    Since /jffs is internal memory, I don't have to worry about USB drives coming unplugged or anything.
    I then place my firewall scripts and startup script in the tomato gui.

    Seems you came to a resolution though.
  10. premudriy

    premudriy LI Guru Member

    Nice! I'll try that for possible other use in the future, even though the current server system is setup this way. Thank you very much!
