
Tomato OpenVPN, site to site, vlan to vlan?

Discussion in 'Tomato Firmware' started by ladra, Mar 26, 2014.

  1. ladra

    ladra Network Newbie Member

    Hello,

    I would like to ask the community for help in finishing my setup of OpenVPN site to site connection, where VLANs are involved.

    * My hardware - RT-N66U at each site, running Tomato Firmware 1.28.0000 MIPSR2-115 K26AC USB AIO-64K by SHIBBY

    * My configuration - SITE A has two vlans, 192.168.10.x(LAN/br0) and 20.x(LAN1/br1), SITE B also has two vlans, 192.168.30.x(LAN/br0) and 40.x(LAN1/br1)

    * What I have accomplished so far -

    Site A is running OpenVPN Server and Site B is the OpenVPN Client, and the VPN connection is working fine. I used the "Manage Client-Specific Options" setting on the VPN server to input the 192.168.40.0 network at SITE B. All devices go out to the Internet via their site router, VPN is only used to access the other site's LAN.

    From SITE A,
    router can reach 192.168.40.0 network
    router can NOT reach 192.168.30.0 network
    192.168.10.x devices get "TTL expired in transit" when you ping 192.168.30.0 network
    192.168.10.x devices are able to ping 192.168.40.0 network
    192.168.20.x devices get "TTL expired in transit" when you ping 192.168.30.0 network
    192.168.20.x devices get "Request timed out" when you ping 192.168.40.0 network

    From SITE B,
    router can reach 192.168.10.0 network
    router can NOT reach 192.168.20.0 network
    192.168.30.x devices get "TTL expired in transit" when you ping 192.168.20.0 network
    192.168.30.x devices get "Request timed out" when you ping 192.168.10.0 network
    192.168.40.x devices get "TTL expired in transit" when you ping 192.168.20.0 network
    192.168.40.x devices are able to ping 192.168.10.0 network

    Basically, SITE B 192.168.40.x network is able to communicate with SITE A 192.168.10.x network.

    * What I would like to accomplish -

    I would like only SITE A 192.168.20.x vlan(network) to communicate with SITE B 192.168.40.x vlan(network).

    Using the "Manage Client-Specific Options" at the server allowed me to accomplish half the objective, accessing only 192.168.40.x network at SITE B. However, I'm not sure how to stop access to 192.168.10.x network at SITE A and allow access to 192.168.20.x ...

    I think it has to do with adding and deleting the routes, and maybe firewall, but I'm not sure what to do. I've read many posts on many forums for about a day and I'm still lost. I would appreciate any help and/or guidance. Thank you in advance.
     
  2. lancethepants

    lancethepants Network Guru Member

    I don't know much about vlans, but someone had me compile an openvpn binary once that had experimental vlan support.

    http://files.lancethepants.com/Bina... 2.1.1b VLAN (OpenSSL, Static, Experimental)/

    It's an older version. Seems like I remember somewhere reading an OpenVPN TODO talking about adding vlan support in 2.4 version.
    Here's some links regarding the OpenVPN and vlans
    https://community.openvpn.net/openvpn/ticket/6
    http://opensource.fsmi.uni-karlsruhe.de/gitweb/?p=openvpn.git;a=shortlog;h=refs/heads/feat_vlan

    BTW, just googling the subject I see there's very little information. I'm sure whatever you can figure out will be of great interest to others.
     
  3. ladra

    ladra Network Newbie Member

    Problem solved, it was way too easy...

    Just needed to add a route. At SITE B(client) added a route to 192.168.20.x network via P-t-P Gateway IP. This gave me the connection I wanted from 192.168.20.x to 192.168.40.x and vice versa.

    Then, again at SITE B, delete the route to 192.168.10.x, preventing access to and from 192.168.10.x network from SITE B.

    I just need to figure out one more thing. The client(SITE B) P-t-P IP and Gateway IP will/can change every time you establish the VPN connection. I manually looked up the current IPs, then added and deleted the routes. I would like to use a script so that the routes are added and deleted automatically when the VPN connects. However, to do this I need to know the names of the variables that hold these IP numbers...

    Does anyone know the variable names for the client tunnel P-t-P IP and Gateway IP? Also, where would I put the script?

    Thank you in advance.
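The automation asked about above, as an added example that is not from this thread or from Tomato: a POSIX sh script meant to be run by the OpenVPN client at SITE B as its --route-up script (which requires "script-security 2" in the client config), reading the tunnel addresses from the environment variables OpenVPN documents (ifconfig_local, ifconfig_remote, route_vpn_gateway, dev, script_type). The interface name tun11 and the 10.8.0.x tunnel addresses used in comments are assumptions; where Tomato stores such a script is not answered on this page.

```shell
#!/bin/sh
# Assumed use (not from the thread): the OpenVPN client on SITE B runs this as
# its --route-up script, which needs "script-security 2" in the client config.
# OpenVPN exports the tunnel addresses to such scripts under documented names:
#   ifconfig_local     client tunnel IP (the "P-t-P IP" in the thread)
#   ifconfig_remote    server-side tunnel peer (the "P-t-P gateway", net30 topology)
#   route_vpn_gateway  gateway OpenVPN uses for pushed routes (set when known)
#   dev                tun interface name, e.g. tun11 (assumed)
#   script_type        which hook is running ("route-up" here)
ALLOW_NET="192.168.20.0"   # SITE A VLAN that SITE B's 40.x hosts may reach
DENY_NET="192.168.10.0"    # SITE A VLAN that must not be reachable from SITE B
MASK="255.255.255.0"

# The tunnel gateway for this connection, read from OpenVPN's environment.
vpn_gateway() {
    gw="${route_vpn_gateway:-$ifconfig_remote}"
    [ -n "$gw" ] || return 1
    printf '%s\n' "$gw"
}

# Emit the route changes as text (busybox "route" syntax, as on Tomato) so they
# can be reviewed or tested before anything touches the routing table.
build_route_cmds() {
    gw="$(vpn_gateway)" || { echo "no tunnel gateway in environment" >&2; return 1; }
    printf 'route del -net %s netmask %s\n' "$DENY_NET" "$MASK"
    printf 'route add -net %s netmask %s gw %s dev %s\n' "$ALLOW_NET" "$MASK" "$gw" "$dev"
}

# Run the emitted commands, or only print them when DRY_RUN=1.
apply_routes() {
    build_route_cmds | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "[dry-run] $cmd"
        else
            $cmd || echo "warning: '$cmd' failed" >&2
        fi
    done
}

# Only act when OpenVPN is the caller; sourcing the file just defines functions.
if [ -n "${script_type:-}" ]; then
    apply_routes
fi
```

Removing the client's route to 192.168.10.0/24 only keeps SITE B hosts from reaching it while nobody re-adds the route; to enforce the restriction, also drop that traffic in the firewall on SITE A's tun interface.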
     
  4. ladra

    ladra Network Newbie Member
