
Site-to-Site OpenVPN Problems

Discussion in 'Tomato Firmware' started by sayBubba, Feb 11, 2013.

  1. sayBubba

    sayBubba Serious Server Member

    My goal is to create a site-to-site connection between two Tomato routers. Like many others, I've followed the tutorial at http://www.wasagacomputers.com/home...te-vpn-using-tomato-firmware-and-openvpn.html.

    My problem is that as soon as I connect the client router (192.168.24.1) to the server router (192.168.44.1), the VPN connection is successfully established between the routers; however, computers on the client router network (192.168.24.0) are no longer able to access the client router or the internet. Computers on the server router network are not able to access the client router itself or computers on the client router network.

    I suspect this is an issue with the routing tables. As can be seen in the client's routing table below, there are two routes for 192.168.24.0; I think that is where the problem is.

    Both routers are running TomatoUSB v1.28.9054 MIPSR2-beta K26 USB vpn3.6 on ASUS RT-N16.

    Below are the config.ovpn file, the routing table and the iptables table for the client and server.

    Appreciate any help!


    CLIENT (Router Local IP: 192.168.24.1)
    --------------------------------------

    # Automatically generated configuration
    daemon
    client
    dev tun11
    proto udp
    remote nope.nope.nope 40
    resolv-retry 30
    nobind
    persist-key
    persist-tun
    comp-lzo adaptive
    cipher AES-256-CBC
    verb 3
    ca ca.crt
    cert client.crt
    key client.key
    status-version 2
    status status

    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    10.8.0.5 * 255.255.255.255 UH 0 0 0 tun11
    192.168.100.1 10.8.0.5 255.255.255.255 UGH 0 0 0 tun11
    10.40.80.2 * 255.255.255.255 UH 0 0 0 vlan1
    10.8.0.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun11
    192.168.44.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun11
    192.168.24.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun11
    192.168.24.0 * 255.255.255.0 U 0 0 0 br0
    10.40.80.0 * 255.255.254.0 U 0 0 0 vlan1
    127.0.0.0 * 255.0.0.0 U 0 0 0 lo
    default 10.40.80.2 0.0.0.0 UG 0 0 0 vlan1

    Chain INPUT (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    DROP all -- anywhere n-ac-80-237.wireless.test.net
    DROP all -- anywhere anywhere state INVALID
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere
    ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere
    DROP all -- anywhere anywhere state INVALID
    TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    wanin all -- anywhere anywhere
    wanout all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain wanin (1 references)
    target prot opt source destination

    Chain wanout (1 references)
    target prot opt source destination



    SERVER (Local IP: 192.168.44.1)
    -------------------------------

    # Automatically generated configuration
    daemon
    server 10.8.0.0 255.255.255.0
    proto udp
    port 40
    dev tun21
    cipher AES-256-CBC
    comp-lzo adaptive
    keepalive 15 60
    verb 3
    push "route 192.168.44.0 255.255.255.0"
    client-config-dir ccd
    client-to-client
    route 192.168.24.0 255.255.255.0
    push "route 192.168.24.0 255.255.255.0"
    ca ca.crt
    dh dh.pem
    cert server.crt
    key server.key
    status-version 2
    status status

    # Custom Configuration
    user nobody
    group nobody
    push "route 192.168.100.1 255.255.255.255"


    Client CCD file
    iroute 192.168.24.0 255.255.255.0


    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    98.251.100.1 * 255.255.255.255 UH 0 0 0 vlan2
    10.8.0.2 * 255.255.255.255 UH 0 0 0 tun21
    10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun21
    192.168.44.0 * 255.255.255.0 U 0 0 0 br0
    192.168.24.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun21
    98.251.100.0 * 255.255.252.0 U 0 0 0 vlan2
    127.0.0.0 * 255.0.0.0 U 0 0 0 lo
    default x.x.x.x 0.0.0.0 UG 0 0 0 vlan2

    Chain INPUT (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT udp -- anywhere anywhere udp dpt:40
    DROP all -- anywhere nope.hsd1.ga.comcast.net
    DROP all -- anywhere anywhere state INVALID
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    shlimit tcp -- anywhere anywhere tcp dpt:ssh state NEW
    shlimit tcp -- anywhere anywhere tcp dpt:telnet state NEW
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere
    ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere
    DROP all -- anywhere anywhere state INVALID
    TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
    monitor all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    wanin all -- anywhere anywhere
    wanout all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain monitor (1 references)
    target prot opt source destination
    all -- anywhere anywhere WEBMON --max_domains 3000 --max_searches 3000

    Chain shlimit (2 references)
    target prot opt source destination
    all -- anywhere anywhere recent: SET name: shlimit side: source
    DROP all -- anywhere anywhere recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source

    Chain wanin (1 references)
    target prot opt source destination
    ACCEPT udp -- anywhere home udp dpt:40
    ACCEPT udp -- anywhere home udp dpt:40

    Chain wanout (1 references)
    target prot opt source destination
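    The duplicate 192.168.24.0 route in the client table above is the kind of thing worth checking automatically before blaming the VPN itself. The following script is an added example (not from the post or from Tomato): it parses a `route -n`-style dump and flags any LAN prefix that is directly connected on the bridge (assumed to be br0, as in Tomato) but also has an equally specific route pointing into a tun interface, which is exactly what a pushed route for the client's own subnet produces.

```python
"""Flag a router's own LAN prefix being routed into the VPN tunnel.
Added example, not code from the thread or the Tomato project.
Sample input is the client routing table quoted in the post."""
import ipaddress

CLIENT_ROUTES = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.5 * 255.255.255.255 UH 0 0 0 tun11
192.168.100.1 10.8.0.5 255.255.255.255 UGH 0 0 0 tun11
10.40.80.2 * 255.255.255.255 UH 0 0 0 vlan1
10.8.0.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun11
192.168.44.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun11
192.168.24.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun11
192.168.24.0 * 255.255.255.0 U 0 0 0 br0
10.40.80.0 * 255.255.254.0 U 0 0 0 vlan1
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 10.40.80.2 0.0.0.0 UG 0 0 0 vlan1
"""


def parse_routes(text):
    """Return (network, gateway-or-None, iface) tuples from `route -n` output."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        # Skip the title line (4 fields) and the column header.
        if len(f) != 8 or f[0] == "Destination":
            continue
        dest, gw, mask, iface = f[0], f[1], f[2], f[7]
        if dest == "default":
            dest = "0.0.0.0"
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, None if gw == "*" else gw, iface))
    return routes


def find_lan_leaks(routes, lan_iface="br0", tun_prefix="tun"):
    """LAN prefixes directly connected on lan_iface (assumed br0, Tomato's
    bridge) that also have an equally specific route via a tun interface.
    With equal prefix length and metric, the kernel may pick the tunnel
    route, so replies to LAN hosts disappear into the VPN."""
    lans = {net for net, gw, iface in routes if iface == lan_iface and gw is None}
    return sorted(
        (str(net), gw or "*", iface)
        for net, gw, iface in routes
        if net in lans and iface.startswith(tun_prefix)
    )


if __name__ == "__main__":
    for net, gw, iface in find_lan_leaks(parse_routes(CLIENT_ROUTES)):
        print(f"own LAN {net} also routed via {gw} on {iface}")
```

    On the server side the same check applies with the bridge as lan_iface; a clean table returns an empty list.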
     
  2. sayBubba

    sayBubba Serious Server Member

    Just as an update to everybody having site-to-site problems, I had "user nobody" and "group nobody" in the custom configuration field. That messed things up.
     
