
Toastman openvpn connectivity problems

Discussion in 'Tomato Firmware' started by Phenom100, Mar 25, 2013.

  1. Phenom100

    Phenom100 Reformed Router Member

    Hi all -

    I have configured an OpenVPN client and server & the connection appears to work but I have some connectivity problems.. I have the following setup:

    Internet Gateway is Virgin superhub. This provides IP addresses to the LAN in the range 192.168.36.x (port forwarding enabled to 1194) gateway (superhub) local address is 192.168.36.1
    WRT54G router configured in wireless bridge mode (so is effectively on the LAN behind the superhub) & running Tomato firmware - Toastman V1.28 1.28.7634 IPT-ND-VPN (VPN server) local address from superhub is 192.168.36.11. I have configured tomato to issue ip addresses on a separate subnet (192.168.40.x) and the router address is 192.168.40.2 on its own subnet.
    Ipconfig on the LAN from superhub shows the DNS servers to be 194.168.4.100 and 194.168.8.100

    Attempted goal: to create openVPN connection from client PC to the WRT54G router in order to establish an internet connection for ALL client traffic through the OpenVPN server.

    Current situation: I can establish a connection between the client and server but unable to ping anything on the LAN / open any web pages (local or internet) or open either router gui page from the VPN client when connected

    Client:
    Windows 7 64 bit machine running openvpn software. client config file:
    client
    dev tun0
    proto udp
    remote xx.xx.xx.xx 1194
    resolv-retry infinite
    nobind
    persist-key
    #persist-tun
    float
    tun-mtu 1500
    tun-mtu-extra 32
    keepalive 10 60
    ca ca.crt
    cert client1.crt
    key client1.key
    cipher AES-128-CBC
    verb 4
    I have currently only used the GUI interface (i.e. no additional commands in the firewall or port forwarding). OpenVPN server is providing the client with ip addresses in the range 10.8.0.0.
    I suspect I have a forwarding or NAT issue but was hoping that the GUI tick boxes would take care of it...
    Any ideas please!?
    Thanks


     
  2. jbcdidgosir

    jbcdidgosir Serious Server Member

    I have several questions:
    1. If a PC is locally connected to your router's LAN port, what's the IP address assigned by router's DHCP?
    2. When your PC is connected to your router by VPN, what's the IP address assigned by this router?
    3. When your PC is connected to your router by VPN, is it possible to log in router's configuration page by router's IP address?
    4. Please run "route print" and paste a screen shot.
     
  3. Phenom100

    Phenom100 Reformed Router Member


    1a) If a pc is connected to the LAN port on the gateway superhub router: 192.168.36.x (assigned by DHCP on the superhub)
    b) If a pc is connected to the LAN port on the Tomato WRT54G router: 192.168.40.x (currently assigned by DHCP on the Tomato WRT54G)

    2) When a client connects a vpn tunnel the ip address allocated is 10.8.0.6

    3) I will need to check but I don't believe I can. Currently at work but will try it later

    4) No access currently as at work but will do..

    Thanks
     
  4. Phenom100

    Phenom100 Reformed Router Member

    Ok:

    3) I can access both the Superhub router GUI and Tomato WRT GUI when connected to the VPN but ONLY if I try to connect using their respective WAN IP addresses. In the case of the superhub that is my WAN IP to the outside world with a particular port number & in the WRT case it is the same WAN IP to the outside world with a different port number (my superhub is set up to port forward this)

    Bearing in mind the above, I cannot open or access any of the router GUIs using their LAN ip addresses when the VPN is connected (192.168.36.1 in the case of the superhub) and (192.168.36.11 or 192.168.40.2) in the case of the WRT. I also cannot ping these addresses when connected to the VPN.

    4) see below (VPN is connected via my neighbour's connection, with his permission, to make the connection from the outside):

    Code:
    C:\Users\Steve>route print
    ===========================================================================
    Interface List
    15... ......Atheros AR8151 PCI-E Gigabit Ethernet Controller (NDIS 6.20
    14... ......Microsoft Virtual WiFi Miniport Adapter
    13... ......TAP-Windows Adapter V9
    11... ......Killer Wireless-N 1202 (2.4GHz and 5GHz)
      1...........................Software Loopback Interface 1
    16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
    12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
    17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
    ===========================================================================
     
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway      Interface  Metric
              0.0.0.0          0.0.0.0      192.168.0.1      192.168.0.3    25
              0.0.0.0        128.0.0.0        10.8.0.5        10.8.0.6    30
            10.8.0.0    255.255.255.0        10.8.0.5        10.8.0.6    30
            10.8.0.4  255.255.255.252        On-link          10.8.0.6    286
            10.8.0.6  255.255.255.255        On-link          10.8.0.6    286
            10.8.0.7  255.255.255.255        On-link          10.8.0.6    286
          X.X.X.X      255.255.255.255      192.168.0.1      192.168.0.3    25
            127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
            127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
      127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
            128.0.0.0        128.0.0.0        10.8.0.5        10.8.0.6    30
          192.168.0.0    255.255.255.0        On-link      192.168.0.3    281
          192.168.0.3  255.255.255.255        On-link      192.168.0.3    281
        192.168.0.255  255.255.255.255        On-link      192.168.0.3    281
        192.168.40.0    255.255.255.0        10.8.0.5        10.8.0.6    30
            224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
            224.0.0.0        240.0.0.0        On-link          10.8.0.6    286
            224.0.0.0        240.0.0.0        On-link      192.168.0.3    281
      255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
      255.255.255.255  255.255.255.255        On-link          10.8.0.6    286
      255.255.255.255  255.255.255.255        On-link      192.168.0.3    281
    ===========================================================================
    Persistent Routes:
      None
     
    IPv6 Route Table
    ===========================================================================
    Active Routes:
    If Metric Network Destination      Gateway
      1    306 ::1/128                  On-link
    13    286 fe80::/64                On-link
    11    281 fe80::/64                On-link
    11    281 fe80::cd6c:3ec:cc5e:4221/128
                                        On-link
    13    286 fe80::e0c3:9c9f:fc2:202c/128
                                        On-link
      1    306 ff00::/8                On-link
    13    286 ff00::/8                On-link
    11    281 ff00::/8                On-link
    ===========================================================================
    Persistent Routes:
      None

    Finally, when connected to the vpn, I am unable to ping anything outside such as 8.8.8.8

    Any help would be much appreciated. Thank you.
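
How a Windows client picks among the routes in the `route print` output above, as an added example that is not part of the original thread: the most specific matching prefix wins, and the metric only breaks ties between equal-length prefixes. The route list is constructed from the IPv4 table in the post (the redacted X.X.X.X host route is left out); the function names are hypothetical.

```python
import ipaddress

# Constructed from the IPv4 "Active Routes" in the post above (VPN connected).
# Columns: destination, netmask, gateway, interface, metric.
# The X.X.X.X host route to the VPN server is omitted because it is redacted.
ROUTES = [
    ("0.0.0.0", "0.0.0.0", "192.168.0.1", "192.168.0.3", 25),
    ("0.0.0.0", "128.0.0.0", "10.8.0.5", "10.8.0.6", 30),
    ("10.8.0.0", "255.255.255.0", "10.8.0.5", "10.8.0.6", 30),
    ("10.8.0.4", "255.255.255.252", "On-link", "10.8.0.6", 286),
    ("128.0.0.0", "128.0.0.0", "10.8.0.5", "10.8.0.6", 30),
    ("192.168.0.0", "255.255.255.0", "On-link", "192.168.0.3", 281),
    ("192.168.40.0", "255.255.255.0", "10.8.0.5", "10.8.0.6", 30),
]


def select_route(dest, routes=ROUTES):
    """Return (gateway, interface, prefixlen) chosen by longest-prefix match.

    The metric is only consulted when two matching routes have the same
    prefix length. Returns None if no route matches.
    """
    addr = ipaddress.ip_address(dest)
    candidates = []
    for network, mask, gateway, iface, metric in routes:
        net = ipaddress.ip_network(f"{network}/{mask}")
        if addr in net:
            # Negative prefix length so that min() prefers the longest prefix.
            candidates.append((-net.prefixlen, metric, gateway, iface))
    if not candidates:
        return None
    neg_len, _, gateway, iface = min(candidates)
    return gateway, iface, -neg_len


def report(destinations):
    """Map each destination address to the route selected for it."""
    return {dest: select_route(dest) for dest in destinations}


if __name__ == "__main__":
    sample = ["8.8.8.8", "192.168.36.1", "192.168.40.2", "192.168.0.1"]
    for dest, hop in report(sample).items():
        print(f"{dest:>14} -> {hop}")
```

With this table, every destination outside the neighbour's 192.168.0.0/24 LAN resolves to the tunnel gateway 10.8.0.5, because the two /1 routes are more specific than the 0.0.0.0/0 default route despite its lower metric.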
     
  5. jbcdidgosir

    jbcdidgosir Serious Server Member

    From your route table, I can see that your first priority route is through 192.168.0.1. This must be your local network. That's the reason why you can access your router by its WAN IP: you are still using the local 192.168.0 network. If you want to use the VPN network, delete this route by:
    route delete 0.0.0.0 mask 0.0.0.0 192.168.0.1
    Then the route 10.8.0.5 will take effect.
    Wish you good luck.
     
  6. Phenom100

    Phenom100 Reformed Router Member

    Unfortunately 192.168.0.1 is my neighbour's gateway address and is nothing to do with my local network. I have been connecting to his wireless network in order to connect my VPN from 'outside' my own network.

    I have posted my 'route print' below from inside my own local network with NO vpn connected:

    Code:
    t
    ===========================================================================
    Interface List
    15... ......Atheros AR8151 PCI-E Gigabit Ethernet Controll
    14.........Microsoft Virtual WiFi Miniport Adapter
    13... ......TAP-Windows Adapter V9
    11... ......Killer Wireless-N 1202 (2.4GHz and 5GHz)
      1...........................Software Loopback Interface 1
    16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
    12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
    17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
    38...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
    39...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #5
    ===========================================================================
     
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway      Interface  Metric
              0.0.0.0          0.0.0.0    192.168.36.1    192.168.36.6    25
            127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
            127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
      127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
        192.168.36.0    255.255.255.0        On-link      192.168.36.6    281
        192.168.36.6  255.255.255.255        On-link      192.168.36.6    281
      192.168.36.255  255.255.255.255        On-link      192.168.36.6    281
            224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
            224.0.0.0        240.0.0.0        On-link      192.168.36.6    281
      255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
      255.255.255.255  255.255.255.255        On-link      192.168.36.6    281
    ===========================================================================
    Persistent Routes:
      None
     
    IPv6 Route Table
    ===========================================================================
    Active Routes:
    If Metric Network Destination      Gateway
    12    58 ::/0                    On-link
      1    306 ::1/128                  On-link
    12    58 2001::/32                On-link
    12    306 2001:0:9d38:953c:3cc5:3b5c:3f57:dbf9/128
                                        On-link
    11    281 fe80::/64                On-link
    12    306 fe80::/64                On-link
    12    306 fe80::3cc5:3b5c:3f57:dbf9/128
                                        On-link
    11    281 fe80::cd6c:3ec:cc5e:4221/128
                                        On-link
      1    306 ff00::/8                On-link
    12    306 ff00::/8                On-link
    11    281 ff00::/8                On-link
    ===========================================================================
    Persistent Routes:
    Any thoughts?

    Thanks
     
  7. jbcdidgosir

    jbcdidgosir Serious Server Member

    "192.168.0.1 is the local network." Here "local" means your basic internet connection; no matter whether it is your neighbour's, your company's or your friend's network, it is called local.
    After connecting to the VPN network, you are sure to have another network which is based on your "local" network. In your "My Network Places", you can see at least two internet connections. One is your local network (the basic one). The other is the VPN network.
    Now the problem is: your computer doesn't know which route to take when two 0.0.0.0 routes exist. So you need to delete one route to tell the computer that 10.8.0.5 is the only route you want to use. You can visit www.ip138.com to detect your IP address before deleting the route. The IP address displayed must be your neighbour's. After deleting, the IP address displayed must be your VPN server's.

    By the way,
    1. If you couldn't access the internet, manually add a DNS server address in VPN connection.
    2. www.ip138.com is a Chinese web site, but displayed IP address is recognizable. Or you can try other IP detecting web sites.
     
  8. Phenom100

    Phenom100 Reformed Router Member

    Ok, so I tried the following:

    Deleting the route before connecting the VPN; in this case, I lose the internet connection entirely and cannot connect the VPN
    Deleting the route after connecting the VPN; in this case, no changes to the behaviour already seen i.e. ping to both routers just times out, as does a ping attempt to an external address such as 8.8.8.8. No web pages available (via ip address or DNS)

    Any more thoughts? Your help is much appreciated, thank you.
     
  9. jbcdidgosir

    jbcdidgosir Serious Server Member

    If you are not connected to VPN, don't delete route because you have only one route. No confusion for computer. Deleting route will result in internet connection lost. Deleting route is needed ONLY when VPN is connected.

    I found that when you connected to the VPN, the IP address assigned by the VPN server is different from the IP assigned locally by DHCP. Would you please change the VPN server setting, to change the IP range from 10.8.0 to 192.168.36? Keeping the same IP range is also what I set in my VPN server and it works perfectly.
     
  10. Phenom100

    Phenom100 Reformed Router Member

    If I try and change the VPN server's subnet to be 192.168.36.0 (same as DHCP subnet from superhub), I can no longer connect to the VPN server. If I make the subnet 192.168.40.0 I can connect but have the same problem / symptoms as before.

    BTW - I am connecting using a TUN interface not TAP
     
  11. jbcdidgosir

    jbcdidgosir Serious Server Member


    I'd like to understand the structure of your network firstly.
    Your superhub(I don't know what is superhub, switcher? Or can I consider it as a router?) has a LAN IP: 192.168.36.1, your WRT54G's WAN is connected to superhub's LAN. WRT54G's WAN IP is 192.168.36.11 and its LAN IP is 192.168.40.2. Port 1194 forwarded from superhub to WRT54G's 1194. Is it correct?

    In the configuration page, you can set how the VPN server assigns IP addresses to VPN clients. So I suggest you change the IP range to 192.168.40.X-192.168.40.Y. Then when you connect to the VPN, you can be assigned an IP beginning with 192.168.40.

    My VPN is using TAP. But I think TUN should also work.

    Please see my configuration, keeping the DHCP and VPN clients in the same subnet

    [​IMG]

    [​IMG]
     
  12. Phenom100

    Phenom100 Reformed Router Member

    Your understanding of my network is almost correct. The important point is that the WAN on the WRT is not physically connected to anything, I have the Tomato firmware configured in 'wireless client' mode, so it is effectively a wireless client & gets its IP address wirelessly from the superhub.

    The Superhub is a wireless N router with cable modem built in to it - supplied by Virgin Media for broadband customers in the UK.

    In the vpn config page, if you have the router set to TUN, you can only specify the subnet that the openvpn server will use -you do not have a range to choose from. My understanding is that the openvpn client IP address assigned in the case of TUN needs to be different to the subnet. I believe TAP is a bit different in that respect but I am no expert.. I have tried TAP but I run in to similar problems with the connection / ping etc
     
  13. jbcdidgosir

    jbcdidgosir Serious Server Member

    I suggest you:
    1. Try the TAP mode. IP range set to 192.168.40.
    2. When connected to VPN server, delete the route whose gateway is not 192.168.40.2, only leave 0.0.0.0 mask 0.0.0.0 gateway 192.168.40.2
    3. ping 192.168.40.2 and access it by web.

    If it still doesn't work, I really have no idea. Sorry.
     
  14. Phenom100

    Phenom100 Reformed Router Member

    Ok, so I changed the vpn connection setting to TAP, put the wrt back in 'wireless ethernet bridge' mode (so there is now only one LAN & one DHCP from the superhub - 192.168.36.x), changed the VPN addressing so that it should pick up the ip address from DHCP.

    When I connect with the tunnel - no IP address is being assigned to the tunnel (it defaults to a 196.254 address). Forcing the address by manually inputting the settings in to the TAP adapter does force the IP address but I get no LAN or WAN connectivity (and that includes when I delete the route as discussed).

    I really am lost for ideas so would really appreciate any further help or suggestions.

    Thanks
     
  15. jbcdidgosir

    jbcdidgosir Serious Server Member

    Would you please paste a screen shot of
    1. Basic->Network
    2. "Basic" of VPN setting
     
