
VPN GUI: TAP+Wireless Client

Discussion in 'Tomato Firmware' started by SgtPepperKSU, Nov 17, 2008.

  1. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I'm starting this thread as a continuation of a discussion in the VPN GUI thread:
    Let's go ahead and nail down what a few of the settings should be in your situation (TAP + different subnets).
    • Server:
      • Client address pool: A range of addresses in the server's subnet
        • for example: 10.168.222.50 - 10.168.222.55
    • Client:
      • Server is on the same subnet: unchecked
      • Create NAT on tunnel: checked

    The routing table on the client makes me think that you have a 192.168.2.0/24 address range entered on the server and have the "on the same subnet" box checked. If you could double-check those settings, and report back the results of
    Code:
    route -n
    ifconfig
    iptables -L
    I'll try and see what is amiss.

    - Keith
     
  2. baldrickturnip

    baldrickturnip LI Guru Member

    Thanks for your help

    the client 54GL is running as a wireless client getting its address via DHCP from a communal AP which has the internet connection.
    the LAN IP is 192.168.2.2 and one desktop is connected to it and its IP is static 192.168.2.25.
    below are the results from the commands
    Code:
    Tomato v1.21vpn1.9036
    
    
    BusyBox v1.2.2 (2008.10.06-02:45+0000) Built-in shell (ash)
    Enter 'help' for a list of built-in commands.
    
    # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth1
    # ifconfig
    br0        Link encap:Ethernet  HWaddr 00:1D:7E:27:C2:F0
               inet addr:192.168.2.2  Bcast:192.168.2.255  Mask:255.255.255.0
               UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
               RX packets:2017003 errors:0 dropped:0 overruns:0 frame:0
               TX packets:2177390 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:0
               RX bytes:229284572 (218.6 MiB)  TX bytes:664213311 (633.4 MiB)
    
    eth0       Link encap:Ethernet  HWaddr 00:1D:7E:27:C2:F0
               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
               RX packets:2017003 errors:0 dropped:0 overruns:0 frame:0
               TX packets:2177390 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:100
               RX bytes:273658638 (260.9 MiB)  TX bytes:672922871 (641.7 MiB)
               Interrupt:4 Base address:0x1000
    
    eth1       Link encap:Ethernet  HWaddr 00:1D:7E:27:C2:F2
               inet addr:192.168.1.102  Bcast:192.168.1.255  Mask:255.255.255.0
               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
               RX packets:1605790 errors:0 dropped:0 overruns:0 frame:11730373
               TX packets:1561651 errors:5 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:100
               RX bytes:520076492 (495.9 MiB)  TX bytes:180080554 (171.7 MiB)
               Interrupt:2 Base address:0x5000
    
    lo         Link encap:Local Loopback
               inet addr:127.0.0.1  Mask:255.0.0.0
               UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
               RX packets:1314 errors:0 dropped:0 overruns:0 frame:0
               TX packets:1314 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:0
               RX bytes:189735 (185.2 KiB)  TX bytes:189735 (185.2 KiB)
    
    vlan0      Link encap:Ethernet  HWaddr 00:1D:7E:27:C2:F0
               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
               RX packets:1983695 errors:0 dropped:0 overruns:0 frame:0
               TX packets:2126800 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:0
               RX bytes:232062594 (221.3 MiB)  TX bytes:649619351 (619.5 MiB)
    
    vlan1      Link encap:Ethernet  HWaddr 00:1D:7E:27:C2:F1
               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
               RX packets:0 errors:0 dropped:0 overruns:0 frame:0
               TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:0
               RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    
    # iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    DROP       0    --  anywhere             192.168.1.102
    DROP       0    --  anywhere             anywhere            state INVALID
    ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     0    --  anywhere             anywhere
    ACCEPT     0    --  anywhere             anywhere
    ACCEPT     tcp  --  anywhere             unknown             tcp dpt:ssh
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ACCEPT     0    --  anywhere             anywhere
    DROP       0    --  anywhere             anywhere            state INVALID
    TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN tcpmss match 1461:65535 TCPMSS set 1460
    ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
    wanin      0    --  anywhere             anywhere
    wanout     0    --  anywhere             anywhere
    ACCEPT     0    --  anywhere             anywhere
    upnp       0    --  anywhere             anywhere
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain upnp (1 references)
    target     prot opt source               destination
    ACCEPT     udp  --  anywhere             192.168.2.25        udp dpt:42793
    ACCEPT     tcp  --  anywhere             192.168.2.25        tcp dpt:42793
    
    Chain wanin (1 references)
    target     prot opt source               destination
    
    Chain wanout (1 references)
    target     prot opt source               destination
    #
    the server 54GL has its WAN port connected to an ADSL modem which is in full bridge mode and the PPPoE connection is controlled by the 54GL.
    its LAN is 10.168.222.1 and has a DHCP server leasing 10.168.222.200 to 210

    below are the results for the commands
    Code:
    Tomato v1.21vpn2.0001
    
    
    BusyBox v1.2.2 (2008.10.06-02:45+0000) Built-in shell (ash)
    Enter 'help' for a list of built-in commands.
    
    # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    220.255.112.1   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
    10.168.222.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         220.255.112.1   0.0.0.0         UG    0      0        0 ppp0
    # ifconfig
    br0        Link encap:Ethernet  HWaddr 00:1E:E5:57:A0:CB
               inet addr:10.168.222.1  Bcast:10.168.222.255  Mask:255.255.255.0
               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
               RX packets:359658 errors:0 dropped:0 overruns:0 frame:0
               TX packets:208648 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:0
               RX bytes:51577226 (49.1 MiB)  TX bytes:82578916 (78.7 MiB)
    
    eth0       Link encap:Ethernet  HWaddr 00:1E:E5:57:A0:CB
               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
               RX packets:6564256 errors:30 dropped:0 overruns:30 frame:30
               TX packets:12484022 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:100
               RX bytes:519961558 (495.8 MiB)  TX bytes:1380149004 (1.2 GiB)
               Interrupt:4 Base address:0x1000
    
    eth1       Link encap:Ethernet  HWaddr 00:1E:E5:57:A0:CD
               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
               RX packets:12317664 errors:0 dropped:0 overruns:0 frame:1015917
               TX packets:6468790 errors:842 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:100
               RX bytes:1279290450 (1.1 GiB)  TX bytes:498314702 (475.2 MiB)
               Interrupt:2 Base address:0x5000
    
    lo         Link encap:Local Loopback
               inet addr:127.0.0.1  Mask:255.0.0.0
               UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
               RX packets:61 errors:0 dropped:0 overruns:0 frame:0
               TX packets:61 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:0
               RX bytes:5516 (5.3 KiB)  TX bytes:5516 (5.3 KiB)
    
    ppp0       Link encap:Point-to-Point Protocol
               inet addr:220.255.34.24  P-t-P:220.255.112.1  Mask:255.255.255.255
               UP POINTOPOINT RUNNING MULTICAST  MTU:1492  Metric:1
               RX packets:63900 errors:0 dropped:0 overruns:0 frame:0
               TX packets:52690 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:3
               RX bytes:17538032 (16.7 MiB)  TX bytes:12089623 (11.5 MiB)
    
    tap21      Link encap:Ethernet  HWaddr 00:FF:29:12:7C:DD
               UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
               RX packets:0 errors:0 dropped:0 overruns:0 frame:0
               TX packets:157179 errors:0 dropped:376 overruns:0 carrier:0
               collisions:0 txqueuelen:100
               RX bytes:0 (0.0 B)  TX bytes:20628408 (19.6 MiB)
    
    vlan0      Link encap:Ethernet  HWaddr 00:1E:E5:57:A0:CB
               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
               RX packets:1976112 errors:0 dropped:0 overruns:0 frame:0
               TX packets:3710921 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:0
               RX bytes:105972328 (101.0 MiB)  TX bytes:2933022879 (2.7 GiB)
    
    vlan1      Link encap:Ethernet  HWaddr 00:1E:E5:57:A0:CC
               UP BROADCAST RUNNING MULTICAST  MTU:1492  Metric:1
               RX packets:89305 errors:0 dropped:0 overruns:0 frame:0
               TX packets:89477 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:0
               RX bytes:27739752 (26.4 MiB)  TX bytes:18535538 (17.6 MiB)
    
    # iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    DROP       0    --  anywhere             bb220-255-34-24.singnet.com.sg
    DROP       0    --  anywhere             anywhere            state INVALID
    ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     0    --  anywhere             anywhere
    ACCEPT     0    --  anywhere             anywhere
    ACCEPT     icmp --  anywhere             anywhere
    ACCEPT     tcp  --  anywhere             10.168.222.1        tcp dpt:www
    ACCEPT     tcp  --  anywhere             10.168.222.1        tcp dpt:ssh
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ACCEPT     0    --  anywhere             anywhere
    DROP       0    --  anywhere             anywhere            state INVALID
    TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN tcpmss match 1453:65535 TCPMSS set 1452
    ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
    wanin      0    --  anywhere             anywhere
    wanout     0    --  anywhere             anywhere
    ACCEPT     0    --  anywhere             anywhere
    upnp       0    --  anywhere             anywhere
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain upnp (1 references)
    target     prot opt source               destination
    ACCEPT     udp  --  anywhere             192.168.222.203     udp dpt:1167
    ACCEPT     tcp  --  anywhere             192.168.222.203     tcp dpt:1167
    ACCEPT     udp  --  anywhere             Bio3-PC             udp dpt:25914
    ACCEPT     tcp  --  anywhere             Bio3-PC             tcp dpt:25914
    ACCEPT     tcp  --  anywhere             Bio3-PC             tcp dpt:49648
    ACCEPT     tcp  --  anywhere             Leong-PC     tcp dpt:26100
    ACCEPT     udp  --  anywhere             Leong-PC     udp dpt:26100
    ACCEPT     tcp  --  anywhere             Leong-PC     tcp dpt:49465
    ACCEPT     tcp  --  anywhere             bio-office-2        tcp dpt:24691
    ACCEPT     udp  --  anywhere             bio-office-2        udp dpt:24691
    ACCEPT     udp  --  anywhere             Bio3-PC             udp dpt:56905
    
    Chain wanin (1 references)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             192.168.222.21      tcp dpt:4421
    ACCEPT     udp  --  anywhere             192.168.222.21      udp dpt:4421
    ACCEPT     tcp  --  anywhere             192.168.222.22      tcp dpt:4422
    ACCEPT     udp  --  anywhere             192.168.222.22      udp dpt:4422
    ACCEPT     tcp  --  anywhere             192.168.222.23      tcp dpt:4423
    ACCEPT     udp  --  anywhere             192.168.222.23      udp dpt:4423
    ACCEPT     tcp  --  anywhere             192.168.222.24      tcp dpt:4424
    ACCEPT     udp  --  anywhere             192.168.222.24      udp dpt:4424
    ACCEPT     tcp  --  anywhere             192.168.222.25      tcp dpt:4425
    ACCEPT     udp  --  anywhere             192.168.222.25      udp dpt:4425
    ACCEPT     tcp  --  anywhere             192.168.222.26      tcp dpt:4426
    ACCEPT     udp  --  anywhere             192.168.222.26      udp dpt:4426
    ACCEPT     tcp  --  anywhere             192.168.222.51      tcp dpt:4451
    ACCEPT     udp  --  anywhere             192.168.222.51      udp dpt:4451
    ACCEPT     tcp  --  anywhere             192.168.222.52      tcp dpt:4452
    ACCEPT     udp  --  anywhere             192.168.222.52      udp dpt:4452
    ACCEPT     tcp  --  anywhere             192.168.222.53      tcp dpt:4453
    ACCEPT     udp  --  anywhere             192.168.222.53      udp dpt:4453
    ACCEPT     tcp  --  anywhere             192.168.222.54      tcp dpt:4454
    ACCEPT     udp  --  anywhere             192.168.222.54      udp dpt:4454
    ACCEPT     tcp  --  anywhere             192.168.222.55      tcp dpt:4455
    ACCEPT     udp  --  anywhere             192.168.222.55      udp dpt:4455
    ACCEPT     tcp  --  anywhere             192.168.222.56      tcp dpt:4456
    ACCEPT     udp  --  anywhere             192.168.222.56      udp dpt:4456
    ACCEPT     tcp  --  anywhere             192.168.222.57      tcp dpt:4457
    ACCEPT     udp  --  anywhere             192.168.222.57      udp dpt:4457
    ACCEPT     tcp  --  anywhere             192.168.222.58      tcp dpt:4458
    ACCEPT     udp  --  anywhere             192.168.222.58      udp dpt:4458
    ACCEPT     tcp  --  anywhere             192.168.222.59      tcp dpt:4459
    ACCEPT     udp  --  anywhere             192.168.222.59      udp dpt:4459
    ACCEPT     tcp  --  anywhere             192.168.222.70      tcp dpt:4470
    ACCEPT     udp  --  anywhere             192.168.222.70      udp dpt:4470
    ACCEPT     tcp  --  anywhere             192.168.222.66      tcp dpt:4466
    ACCEPT     udp  --  anywhere             192.168.222.66      udp dpt:4466
    ACCEPT     tcp  --  anywhere             192.168.222.67      tcp dpt:4467
    ACCEPT     udp  --  anywhere             192.168.222.67      udp dpt:4467
    ACCEPT     tcp  --  anywhere             192.168.222.68      tcp dpt:4468
    ACCEPT     udp  --  anywhere             192.168.222.68      udp dpt:4468
    ACCEPT     tcp  --  anywhere             192.168.222.69      tcp dpt:4469
    ACCEPT     udp  --  anywhere             192.168.222.69      udp dpt:4469
    ACCEPT     tcp  --  anywhere             192.168.222.71      tcp dpt:4471
    ACCEPT     udp  --  anywhere             192.168.222.71      udp dpt:4471
    ACCEPT     tcp  --  anywhere             192.168.222.72      tcp dpt:4472
    ACCEPT     udp  --  anywhere             192.168.222.72      udp dpt:4472
    ACCEPT     tcp  --  anywhere             192.168.222.73      tcp dpt:4473
    ACCEPT     udp  --  anywhere             192.168.222.73      udp dpt:4473
    ACCEPT     tcp  --  anywhere             192.168.222.185     tcp dpt:4585
    ACCEPT     udp  --  anywhere             192.168.222.185     udp dpt:4585
    ACCEPT     tcp  --  anywhere             192.168.222.96      tcp dpt:4496
    ACCEPT     udp  --  anywhere             192.168.222.96      udp dpt:4496
    ACCEPT     tcp  --  anywhere             192.168.222.97      tcp dpt:4497
    ACCEPT     udp  --  anywhere             192.168.222.97      udp dpt:4497
    ACCEPT     tcp  --  anywhere             192.168.222.98      tcp dpt:4498
    ACCEPT     udp  --  anywhere             192.168.222.98      udp dpt:4498
    ACCEPT     tcp  --  anywhere             192.168.222.99      tcp dpt:4499
    ACCEPT     udp  --  anywhere             192.168.222.99      udp dpt:4499
    ACCEPT     tcp  --  anywhere             192.168.222.100     tcp dpt:4500
    ACCEPT     udp  --  anywhere             192.168.222.100     udp dpt:4500
    ACCEPT     tcp  --  anywhere             192.168.222.102     tcp dpt:4502
    ACCEPT     udp  --  anywhere             192.168.222.102     udp dpt:4502
    ACCEPT     tcp  --  anywhere             192.168.222.101     tcp dpt:4501
    ACCEPT     udp  --  anywhere             192.168.222.101     udp dpt:4501
    ACCEPT     tcp  --  anywhere             10.168.222.6        tcp dpt:ftp
    ACCEPT     tcp  --  anywhere             10.168.222.6        tcp dpt:4406
    ACCEPT     tcp  --  anywhere             192.168.222.36      tcp dpt:www
    ACCEPT     udp  --  anywhere             192.168.222.36      udp dpt:www
    ACCEPT     tcp  --  anywhere             192.168.222.202     tcp dpt:550
    ACCEPT     udp  --  anywhere             192.168.222.202     udp dpt:550
    ACCEPT     tcp  --  anywhere             192.168.222.88      tcp dpt:4488
    ACCEPT     udp  --  anywhere             192.168.222.88      udp dpt:4488
    ACCEPT     tcp  --  anywhere             192.168.222.89      tcp dpt:4489
    ACCEPT     udp  --  anywhere             192.168.222.89      udp dpt:4489
    
    Chain wanout (1 references)
    target     prot opt source               destination
    #
    the large amount of forwarded ports to the 192.168.222.x range are IP cameras which used to be inside the network, but are now on their own on the WAN side of another 54GL - I am having a problem with static routing to them at the moment and today I will back up the main router config and flush the NVRAM.
     
  3. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    This problem must be something to do with Wireless Client Mode, but without that kind of setup, I'm not sure what the issue is.

    Have you tried not checking the NAT checkbox on the client? I could see that possibly not being compatible with Wireless Client Mode. Note that if you do this, your client LAN will not have access to your server LAN, but if this allows you to connect, it gives us a direction to focus on.
     
  4. baldrickturnip

    baldrickturnip LI Guru Member

    With no NAT on the tunnel it is looking better, it looks like it connects from the logs (posted below) and I can ping from the client 54GL to the server 54GL and devices beyond. I cannot ping from the desktop attached to the client to the server 54GL. I cannot ping from the server 54GL to the client 54GL.

    Client

    Code:
    
    Nov 18 19:45:38 unknown daemon.notice openvpn[2333]: Re-using SSL/TLS context
    Nov 18 19:45:38 unknown daemon.notice openvpn[2333]: LZO compression initialized
    Nov 18 19:45:38 unknown daemon.notice openvpn[2333]: Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Nov 18 19:45:38 unknown daemon.notice openvpn[2333]: Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Nov 18 19:45:38 unknown daemon.notice openvpn[2333]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Nov 18 19:45:38 unknown daemon.notice openvpn[2333]: UDPv4 link local: [undef]
    Nov 18 19:45:38 unknown daemon.notice openvpn[2333]: UDPv4 link remote: 220.255.113.2:1194
    Nov 18 19:45:40 unknown daemon.notice openvpn[2333]: TLS: Initial packet from 220.255.113.2:1194, sid=49a5a962 33d3d4ea
    Nov 18 19:45:41 unknown daemon.notice openvpn[2333]: VERIFY OK: depth=1, /C=SG/ST=SG/L=Singapore/O=Biotouch/CN=Bio_office/Email=enquiries@biotouch.com.sg
    Nov 18 19:45:41 unknown daemon.notice openvpn[2333]: VERIFY OK: depth=0, /C=SG/ST=SG/O=Biotouch/CN=server/Email=enquiries@biotouch.com.sg
    Nov 18 19:45:43 unknown daemon.notice openvpn[2333]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Nov 18 19:45:43 unknown daemon.notice openvpn[2333]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Nov 18 19:45:43 unknown daemon.notice openvpn[2333]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Nov 18 19:45:43 unknown daemon.notice openvpn[2333]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Nov 18 19:45:43 unknown daemon.notice openvpn[2333]: Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Nov 18 19:45:43 unknown daemon.notice openvpn[2333]: [server] Peer Connection Initiated with 220.255.113.2:1194
    Nov 18 19:45:44 unknown daemon.notice openvpn[2333]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Nov 18 19:45:44 unknown daemon.notice openvpn[2333]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.168.222.1,ping 15,ping-restart 60,ifconfig 10.168.222.211 255.255.255.0'
    Nov 18 19:45:44 unknown daemon.notice openvpn[2333]: OPTIONS IMPORT: timers and/or timeouts modified
    Nov 18 19:45:44 unknown daemon.notice openvpn[2333]: OPTIONS IMPORT: --ifconfig/up options modified
    Nov 18 19:45:44 unknown daemon.notice openvpn[2333]: OPTIONS IMPORT: route-related options modified
    Nov 18 19:45:44 unknown daemon.notice openvpn[2333]: TUN/TAP device tap11 opened
    Nov 18 19:45:44 unknown daemon.notice openvpn[2333]: TUN/TAP TX queue length set to 100
    Nov 18 19:45:44 unknown daemon.notice openvpn[2333]: /sbin/ifconfig tap11 10.168.222.211 netmask 255.255.255.0 mtu 1500 broadcast 10.168.222.255
    Nov 18 19:45:44 unknown daemon.notice openvpn[2333]: Initialization Sequence Completed
    server

    Code:
    Nov 18 19:45:40  daemon.notice openvpn[1415]: MULTI: multi_create_instance called
    Nov 18 19:45:40  daemon.notice openvpn[1415]: 116.86.24.66:2051 Re-using SSL/TLS context
    Nov 18 19:45:40  daemon.notice openvpn[1415]: 116.86.24.66:2051 LZO compression initialized
    Nov 18 19:45:40  daemon.notice openvpn[1415]: 116.86.24.66:2051 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Nov 18 19:45:40  daemon.notice openvpn[1415]: 116.86.24.66:2051 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Nov 18 19:45:40  daemon.notice openvpn[1415]: 116.86.24.66:2051 TLS: Initial packet from 116.86.24.66:2051, sid=3f1ddb19 a1a53684
    Nov 18 19:45:42  daemon.notice openvpn[1415]: 116.86.24.66:2051 VERIFY OK: depth=1, /C=SG/ST=SG/L=Singapore/O=Biotouch/CN=Bio_office/Email=enquiries@biotouch.com.sg
    Nov 18 19:45:42  daemon.notice openvpn[1415]: 116.86.24.66:2051 VERIFY OK: depth=0, /C=SG/ST=SG/O=Biotouch/CN=client1/Email=enquiries@biotouch.com.sg
    Nov 18 19:45:43  daemon.notice openvpn[1415]: 116.86.24.66:2051 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Nov 18 19:45:43  daemon.notice openvpn[1415]: 116.86.24.66:2051 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Nov 18 19:45:43  daemon.notice openvpn[1415]: 116.86.24.66:2051 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Nov 18 19:45:43  daemon.notice openvpn[1415]: 116.86.24.66:2051 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Nov 18 19:45:43  daemon.notice openvpn[1415]: 116.86.24.66:2051 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Nov 18 19:45:43  daemon.notice openvpn[1415]: 116.86.24.66:2051 [client1] Peer Connection Initiated with 116.86.24.66:2051
    Nov 18 19:45:44  daemon.notice openvpn[1415]: client1/116.86.24.66:2051 PUSH: Received control message: 'PUSH_REQUEST'
    Nov 18 19:45:44  daemon.notice openvpn[1415]: client1/116.86.24.66:2051 SENT CONTROL [client1]: 'PUSH_REPLY,route-gateway 10.168.222.1,ping 15,ping-restart 60,ifconfig 10.168.222.211 255.255.255.0' (status=1
     
  5. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The lack of LAN->LAN connectivity is expected at this point without that NAT in place. And server->client is not possible without custom routing.

    Could you post the output of
    Code:
    nvram show | grep if
    nvram show | grep lan
     
  6. baldrickturnip

    baldrickturnip LI Guru Member

    from the client (if you need it from the server, let me know)

    Code:
    # nvram show | grep if
    cifs1=
    cifs2=
    lan_ifname=br0
    lan_ifnames=vlan0 eth1 eth2 eth3
    portforward=0<3<1.1.1.0/24<1000:2000<<192.168.1.2<ex: 1000 to 2000, restricted>0<2<<1000,2000<<192.168.1.2<ex: 1000 and 2000>0<1<<1000<2000<192.168.1.2<ex: different internal port>0<3<<1000:2000,3000<<192.168.1.2<ex: 1000 to 2000, and 3000>
    pppoe_ifname=
    trigforward=0<1<3000:4000<5000:6000<ex: open 5000-6000 if 3000-4000>
    vpn_client1_addr=xxxxxxxx.dyndns.org
    vpn_client1_crt=-----BEGIN CERTIFICATE----- <cert>-----END CERTIFICATE-----
    vpn_client1_if=tap
    vpn_client2_if=tap
    vpn_server1_if=tap
    vpn_server2_if=tap
    wan_iface=eth1
    wan_ifname=eth1
    wan_ifnames=eth1
    wl0_ifname=eth1
    wl_ifname=eth1
    # nvram show | grep lan
    dr_lan_rx=0
    dr_lan_tx=0
    http_lanport=80
    https_lanport=443
    lan_dhcp=0
    lan_domain=
    lan_gateway=0.0.0.0
    lan_hwaddr=00:1D:7E:27:C2:F0
    lan_hwnames=
    lan_ifname=br0
    lan_ifnames=vlan0 eth1 eth2 eth3
    lan_ipaddr=192.168.2.2
    lan_lease=86400
    lan_netmask=255.255.255.0
    lan_proto=static
    lan_route=
    lan_stp=0
    lan_wins=
    vlan0hwname=et0
    vlan0ports=3 2 1 0 5*
    vlan1hwname=et0
    vlan1ports=4 5

    And for the server --> client custom routing - can you point me in the direction of some reading that explains what is required for it to work?
     
  7. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Wow, okay. I think Wireless Client Mode has a bug. eth1 (wireless) is connected to both the LAN and the WAN. Not only is this causing us problems, I would think it would have security implications. Unless I'm missing something, somebody on the WAN side with knowledge of your LAN could route traffic around the router's firewall.
    There are two things you could try from the shell
    • brctl delif br0 eth0
      • This directly removes interface from the LAN bridge. If it causes a problem, replace the 'del' with 'add' to reverse it.
    • nvram set lan_ifnames="vlan0 eth2 eth3"; nvram commit; reboot
      • This sets the nvram variables that decide what is on the LAN bridge. Make sure the first command doesn't keep you from accessing the router web GUI and/or ssh first (I don't see why it would, but it doesn't hurt to be safe). It will also reboot the router (obviously). When it comes back up, hopefully the wireless interface will be on the WAN only, not the LAN.

    Let me know how this goes. If it works okay, you should see no negative effects, and the VPN NAT firewall rule should work (your client LAN should have access to the server LAN).
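    The condition described in this post (the wireless interface listed both as the WAN interface and as a member of the LAN bridge) can be checked from the router's shell before touching the bridge. The script below is an added example, not code from this thread or from the Tomato firmware; the function names (nvram_get, bridge_members, overlap_ifaces, in_bridge, check_bridge) are this example's own, the nvram sample is constructed from the client's post 6 output, and the `brctl show` sample is constructed to match that state rather than captured from the thread.

```shell
#!/bin/sh
# Added example (not from this thread or the Tomato firmware): report any
# interface that is both the WAN interface and a LAN bridge member, which is
# the state that lets WAN-side traffic bypass the router's firewall.

# Constructed sample of the relevant `nvram show` lines (client 54GL, post 6).
SAMPLE_NVRAM='lan_ifname=br0
lan_ifnames=vlan0 eth1 eth2 eth3
wan_iface=eth1
wan_ifname=eth1
wan_ifnames=eth1
wl_ifname=eth1'

# Constructed sample of `brctl show` output for the same state. brctl prints
# extra bridge members on continuation lines that carry only the interface name.
SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
br0             8000.001d7e27c2f0       no              vlan0
                                                        eth1'

# nvram_get KEY : print the value of KEY from key=value text on stdin.
nvram_get() {
    sed -n "s/^$1=//p"
}

# bridge_members BR : read `brctl show` output on stdin and print the members
# of bridge BR, one per line.
bridge_members() {
    awk -v br="$1" '
        NR == 1         { next }                                   # column header
        NF >= 4         { inbr = ($1 == br); if (inbr) print $4; next }
        NF == 3         { inbr = 0; next }                         # bridge with no members
        NF == 1 && inbr { print $1 }                               # continuation line
    '
}

# overlap_ifaces : read nvram text on stdin and print each interface that is
# listed in lan_ifnames and is also wan_ifname. Prints nothing when clean.
overlap_ifaces() {
    text=$(cat)
    lan=$(printf '%s\n' "$text" | nvram_get lan_ifnames)
    wan=$(printf '%s\n' "$text" | nvram_get wan_ifname)
    for ifc in $lan; do
        [ "$ifc" = "$wan" ] && printf '%s\n' "$ifc"
    done
    return 0
}

# in_bridge IFACE BR : read `brctl show` on stdin; exit 0 if IFACE is a slave of BR.
in_bridge() {
    bridge_members "$2" | grep -qx "$1"
}

# check_bridge : read nvram text on stdin; exit 0 if no interface is on both
# sides, 1 if the WAN interface is bridged into the LAN.
check_bridge() {
    found=$(overlap_ifaces)
    if [ -n "$found" ]; then
        echo "WARNING: WAN interface also bridged into LAN: $found" >&2
        return 1
    fi
    echo "OK: no interface is both on the LAN bridge and the WAN"
}

# Stand-alone run on the constructed samples. On a live router, feed the real
# commands instead:   nvram show | check_bridge
#                     brctl show | in_bridge "$(nvram get wan_ifname)" br0
printf '%s\n' "$SAMPLE_NVRAM" | check_bridge || true
if printf '%s\n' "$SAMPLE_BRCTL" | in_bridge eth1 br0; then
    echo "brctl confirms: eth1 is currently a slave of br0"
fi
```

    `check_bridge` works from the nvram variables that decide bridge membership at boot, while `in_bridge` looks at the running bridge, so the two together tell you whether a mismatch is in the stored configuration, the live state, or both; `in_bridge` also answers, before any `brctl delif`, whether the name you are about to remove is actually a slave of br0.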
     
  8. baldrickturnip

    baldrickturnip LI Guru Member

    OK, the first command:

    # brctl delif br0 eth0
    device eth0 is not a slave of br0

    but still had telnet and GUI access

    then

    # nvram set lan_ifnames="vlan0 eth2 eth3"; nvram commit; reboot
    Commit... done.
    Rebooting...

    came back and the WAN could not negotiate a connection to the AP

    flushed the NVRAM and reconfigured - I think I will make a backup cfg now :D
    though this is a testing setup so no biggie.
     
  9. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Okay, I'll need to think a bit more about the configuration necessary, but there definitely is something screwy with the bridge/vlans going on.
    And, in case we get into a similar situation, a
    Code:
    nvram set lan_ifnames="vlan0 eth1 eth2 eth3"; nvram commit; reboot
    would have put things back to normal.
     
  10. baldrickturnip

    baldrickturnip LI Guru Member

    your newest build seems to have helped some things with the routing

    the pushed tap11 route is showing up in the routing table on the client
    the DHCP IP assigned is on the device list on the server

    I have unchecked server is on the same subnet and checked create NAT on tunnel on the client

    looks good - thank you

    How hard is it for the LAN on the server side to be able to initiate requests to the LAN on the client side? Do static routes have to be set in the server routing table pointing to the TAP interface?

    I would like to have the client 54GL connect to the server 54GL and then be able to VNC to machines located on the Client LAN.
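    Once the tunnel is up, the client's `route -n` table is the quickest place to confirm the two things this setup depends on: the server LAN being reachable through the tap interface (the pushed route mentioned above) and the client LAN being a different subnet from it (the "TAP + different subnets" condition from the first post). The script below is an added example, not code from this thread or from the Tomato firmware; the function names (route_iface, check_client_routes) are this example's own, and the sample table is constructed from the client's post 2 table plus the tap11 route this post reports.

```shell
#!/bin/sh
# Added example (not from this thread or the Tomato firmware): check a `route -n`
# table for the routes a TAP client needs once the tunnel is up.

# Constructed sample: the client's post 2 table plus the pushed tap11 route.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.168.222.0    0.0.0.0         255.255.255.0   U     0      0        0 tap11
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth1'

# route_iface NET MASK : read `route -n` on stdin; print the Iface of the entry
# whose Destination and Genmask match exactly, or nothing if there is none.
route_iface() {
    awk -v net="$1" -v mask="$2" \
        '$1 ~ /^[0-9.]+$/ && $1 == net && $3 == mask { print $8; exit }'
}

# check_client_routes SERVER_NET MASK CLIENT_LAN_NET TAP_IF : read `route -n`
# on stdin. Exit 0 when the tunnel routing looks right; otherwise 1 (no route
# to the server LAN), 2 (server LAN routed via the wrong interface) or
# 3 (client LAN and server LAN are the same network). The subnet comparison is
# an exact match of the network addresses, which is what the thread's setup needs.
check_client_routes() {
    server_net=$1; mask=$2; lan_net=$3; tap=$4
    table=$(cat)
    via=$(printf '%s\n' "$table" | route_iface "$server_net" "$mask")
    if [ -z "$via" ]; then
        echo "MISSING: no route to $server_net/$mask; the pushed route has not arrived" >&2
        return 1
    fi
    if [ "$via" != "$tap" ]; then
        echo "WRONG IFACE: $server_net/$mask goes via $via, not the tunnel $tap" >&2
        return 2
    fi
    if [ "$lan_net" = "$server_net" ]; then
        echo "CONFLICT: client LAN and server LAN are both $server_net; TAP with NAT needs different subnets" >&2
        return 3
    fi
    echo "OK: $server_net/$mask via $tap; local LAN $lan_net is a distinct subnet"
}

# Stand-alone run on the constructed sample. On the client router:
#   route -n | check_client_routes 10.168.222.0 255.255.255.0 192.168.2.0 tap11
printf '%s\n' "$SAMPLE_ROUTES" | check_client_routes 10.168.222.0 255.255.255.0 192.168.2.0 tap11 || true
```

    Run it on the table from post 2 (before the tap route appeared) and it reports the route as missing; run it with the client LAN set to the server's subnet and it flags the conflict, which is the state the first post's "Server is on the same subnet: unchecked" setting is meant to avoid. It only checks the client side; the server-to-client direction asked about here still needs the custom route that SgtPepperKSU mentions.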
     
  11. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Try the suggestions I posted here. Of course, replace all of the (this|other)_(subnet|netmask|commonname) as appropriate. I haven't actually tried it myself, so it may require a little tweaking.

    If you try it, definitely let me know whether it works or not. If it does, I'll add it to a README file or something.
     
