
VPN questions....

Discussion in 'Tomato Firmware' started by kameleon, Jun 25, 2009.

  1. kameleon

    kameleon LI Guru Member

    I am starting this thread at the request of SgtPepperSKU to break it off the main "VPN build with web GUI" thread.... Main posts located here:
    http://www.linksysinfo.org/forums/showpost.php?p=347809&postcount=988
    http://www.linksysinfo.org/forums/showpost.php?p=347809&postcount=989
    http://www.linksysinfo.org/forums/showpost.php?p=347809&postcount=990
    http://www.linksysinfo.org/forums/showpost.php?p=347809&postcount=991
    http://www.linksysinfo.org/forums/showpost.php?p=347809&postcount=994
    http://www.linksysinfo.org/forums/showpost.php?p=347809&postcount=996
    http://www.linksysinfo.org/forums/showpost.php?p=347809&postcount=997

    Down to the nitty gritty. I am running the "VPN build with Web GUI" on a Linksys WRT54G-TM router. All clients are windows pc's. We need our outside people (and owner while he travels) to be able to get on the VPN and use x-lite and get to internal servers and such... without ALL traffic going over the VPN. Just the stuff on our networks. No matter if it is a connection we own or a hotel. We need them to be able to get to our asterisk box to make internal calls and such mostly. Basically here is what I have setup on the tomato box now:

    Code:
    # Automatically generated configuration
    daemon
    server-bridge
    proto udp
    port 1194
    dev tap21
    comp-lzo adaptive
    keepalive 15 60
    verb 3
    push "dhcp-option DOMAIN ourdomain.com"
    push "dhcp-option DNS XXX.148.196.101"
    push "route-gateway XXX.148.196.101"
    push "redirect-gateway def1"
    ca ca.crt
    dh dh.pem
    cert server.crt
    key server.key
    status-version 2
    status status
    
    # Custom Configuration
    
    With this setup all traffic goes through the VPN. We don't want that. We do have a few /19's that need to be accessible across the VPN also. Let's just say that these networks need to be accessible over the VPN:

    Code:
    XXX.137.128.0 255.255.224.0
    XXX.148.192.0 255.255.224.0
    XXY.41.224.0 255.255.224.0
    The MAIN thing that needs to work regardless is the x-lite. In other words no bridging, no NAT, just plain static IP's.

    When I tried what was suggested in the other thread by adding the lines:
    Code:
    push "route-gateway XXX.148.196.101"
    push "route XXX.137.128.0 255.255.224.0"
    push "route XXX.148.192.0 255.255.224.0"
    and removing the "Direct clients to redirect Internet traffic" check box, x-lite starts with the one-way audio again and I cannot get to anything on the above networks. A traceroute just fails with "Destination Host Unreachable".

    What do I need to add to be able to only route the specific networks across the VPN? I have read the openvpn documentation till my eyes cross but I must be missing something simple here. Thanks in advance.
     
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Could you post the routing table from the router (Advanced->Routing) and client ("route PRINT" from windows command prompt) while the tunnel is connected?

    Is the server router on either of the subnets you mention?
     
  3. kameleon

    kameleon LI Guru Member

    Before any VPN client connects:
    Code:
    Destination	Gateway	Subnet Mask	Metric	Interface
    208.148.196.0	*	255.255.255.128	0	br0 (LAN)
    208.148.196.0	*	255.255.255.128	0	vlan1 (WAN)
    127.0.0.0	*	255.0.0.0	0	lo
    default	208.148.196.1	0.0.0.0	0	vlan1 (WAN)
    AFTER client connects:
    Code:
    Destination	Gateway	Subnet Mask	Metric	Interface
    208.148.196.0	*	255.255.255.128	0	br0 (LAN)
    208.148.196.0	*	255.255.255.128	0	vlan1 (WAN)
    127.0.0.0	*	255.0.0.0	0	lo
    default	208.148.196.1	0.0.0.0	0	vlan1 (WAN)
    No change.... hmmmm it may be useful to know the router is in "router" mode and not "gateway" mode.

    For reference here is the routing table on the client before connecting:
    Code:
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.4     25
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
          192.168.1.0    255.255.255.0         On-link       192.168.1.4    281
          192.168.1.4  255.255.255.255         On-link       192.168.1.4    281
        192.168.1.255  255.255.255.255         On-link       192.168.1.4    281
        192.168.216.0    255.255.255.0         On-link     192.168.216.1    276
        192.168.216.1  255.255.255.255         On-link     192.168.216.1    276
      192.168.216.255  255.255.255.255         On-link     192.168.216.1    276
        192.168.230.0    255.255.255.0         On-link     192.168.230.1    276
        192.168.230.1  255.255.255.255         On-link     192.168.230.1    276
      192.168.230.255  255.255.255.255         On-link     192.168.230.1    276
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link     192.168.230.1    276
            224.0.0.0        240.0.0.0         On-link     192.168.216.1    276
            224.0.0.0        240.0.0.0         On-link       192.168.1.4    281
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link     192.168.230.1    276
      255.255.255.255  255.255.255.255         On-link     192.168.216.1    276
      255.255.255.255  255.255.255.255         On-link       192.168.1.4    281
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0      192.168.1.1  Default
    ===========================================================================
    And client with server set the way it actually works.....

    Code:
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.4     25
              0.0.0.0          0.0.0.0  208.148.196.101  208.148.196.109     30
              0.0.0.0        128.0.0.0  208.148.196.101  208.148.196.109     31
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
            128.0.0.0        128.0.0.0  208.148.196.101  208.148.196.109     31
          192.168.1.0    255.255.255.0         On-link       192.168.1.4    281
          192.168.1.4  255.255.255.255         On-link       192.168.1.4    281
        192.168.1.255  255.255.255.255         On-link       192.168.1.4    281
        192.168.216.0    255.255.255.0         On-link     192.168.216.1    276
        192.168.216.1  255.255.255.255         On-link     192.168.216.1    276
      192.168.216.255  255.255.255.255         On-link     192.168.216.1    276
        192.168.230.0    255.255.255.0         On-link     192.168.230.1    276
        192.168.230.1  255.255.255.255         On-link     192.168.230.1    276
      192.168.230.255  255.255.255.255         On-link     192.168.230.1    276
        208.148.196.0  255.255.255.128         On-link   208.148.196.109    286
      208.148.196.100  255.255.255.255      192.168.1.1      192.168.1.4     26
      208.148.196.109  255.255.255.255         On-link   208.148.196.109    286
      208.148.196.127  255.255.255.255         On-link   208.148.196.109    286
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link     192.168.230.1    276
            224.0.0.0        240.0.0.0         On-link     192.168.216.1    276
            224.0.0.0        240.0.0.0         On-link   208.148.196.109    286
            224.0.0.0        240.0.0.0         On-link       192.168.1.4    281
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link     192.168.230.1    276
      255.255.255.255  255.255.255.255         On-link     192.168.216.1    276
      255.255.255.255  255.255.255.255         On-link   208.148.196.109    286
      255.255.255.255  255.255.255.255         On-link       192.168.1.4    281
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0      192.168.1.1  Default
    ===========================================================================
    And lastly client with the server set without the "redirect...." thing clicked and the routes added to the custom config:

    Code:
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.4     25
              0.0.0.0          0.0.0.0  208.148.196.101  208.148.196.109     30
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
          192.168.1.0    255.255.255.0         On-link       192.168.1.4    281
          192.168.1.4  255.255.255.255         On-link       192.168.1.4    281
        192.168.1.255  255.255.255.255         On-link       192.168.1.4    281
        192.168.216.0    255.255.255.0         On-link     192.168.216.1    276
        192.168.216.1  255.255.255.255         On-link     192.168.216.1    276
      192.168.216.255  255.255.255.255         On-link     192.168.216.1    276
        192.168.230.0    255.255.255.0         On-link     192.168.230.1    276
        192.168.230.1  255.255.255.255         On-link     192.168.230.1    276
      192.168.230.255  255.255.255.255         On-link     192.168.230.1    276
        208.137.128.0    255.255.224.0  208.148.196.101  208.148.196.109     31
        208.148.192.0    255.255.224.0  208.148.196.101  208.148.196.109     31
        208.148.196.0  255.255.255.128         On-link   208.148.196.109    286
      208.148.196.109  255.255.255.255         On-link   208.148.196.109    286
      208.148.196.127  255.255.255.255         On-link   208.148.196.109    286
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link     192.168.230.1    276
            224.0.0.0        240.0.0.0         On-link     192.168.216.1    276
            224.0.0.0        240.0.0.0         On-link   208.148.196.109    286
            224.0.0.0        240.0.0.0         On-link       192.168.1.4    281
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link     192.168.230.1    276
      255.255.255.255  255.255.255.255         On-link     192.168.216.1    276
      255.255.255.255  255.255.255.255         On-link   208.148.196.109    286
      255.255.255.255  255.255.255.255         On-link       192.168.1.4    281
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0      192.168.1.1  Default
    ===========================================================================
    The vpn server and asterisk server are both on the same subnet.

    Thanks again!
     
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You have conflicting subnets defined.

    The TAP interface is defined as 208.148.196.0/25, and you're pushing 208.148.192.0/19 and 208.137.128.0/19.

    208.148.196.0/25 (208.148.196.0-208.148.196.127) is a subset of 208.148.192.0/19 (208.148.192.0-208.148.223.255).

    Which is the correct subnet?
     
  5. kameleon

    kameleon LI Guru Member

    I see what you are saying. The extra networks were just recently added. Mainly I need to get the VPN running so that not all the traffic goes across it. But eventually I would like to just have the /19's on there since that would cover the /25 also. Make sense?
     
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The problem is that the /25 needs different directions than the /19 since it is the VPN subnet (it doesn't need a gateway).

    Now, is 208.148.196.0/25 the correct subnet for the VPN server (regardless of whether you want other traffic to go over)? If it isn't how the localized subnet is configured, you can run into troubles.

    Note that this complication wouldn't come up at all if you used TUN...

    However, we should be able to chop up the route rules to get this to work:
    Code:
    push "route 208.137.128.0 255.255.224.0"
    push "route 208.148.192.0 255.255.252.0"
    push "route 208.148.196.128 255.255.255.128"
    push "route 208.148.197.0 255.255.255.0"
    push "route 208.148.198.0 255.255.254.0"
    push "route 208.148.200.0 255.255.248.0"
    push "route 208.148.208.0 255.255.240.0"
    
    Try it with and without the route-gateway line.

    Or, if you know how it is really separated, it may make more sense to use that.

    And, of course, you can try it without pushing any of the extra routes to see if you can at least access stuff on the VPN servers local subnet.
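The route list above is the /19 with the VPN's own /25 carved out of it. Here is an added Python example (not from this thread or from Tomato) that computes that carve-out for any set of wanted networks with the standard library's ipaddress module, so the split does not have to be worked out by hand; it generalises to any number of networks, drops a prefix that already sits inside the TAP subnet (the client reaches that on-link), and emits the route-gateway push that a bridged TAP server needs before pushed routes can be installed. The addresses are the ones posted in this thread; VPN_GATEWAY is the tomato box's LAN address.

```python
import ipaddress

# Values taken from this thread: the bridged TAP subnet the VPN server lives on,
# its LAN address (used as route-gateway), and the networks the clients need.
VPN_SUBNET = ipaddress.ip_network("208.148.196.0/25")
VPN_GATEWAY = "208.148.196.101"
WANTED = ["208.137.128.0/19", "208.148.192.0/19"]


def routes_excluding(wanted, vpn_subnet=VPN_SUBNET):
    """Return the CIDR blocks that cover every network in `wanted` without
    overlapping the VPN's own subnet (which the client reaches on-link).

    A wanted prefix that lies inside the VPN subnet is dropped (already
    reachable); one that contains the VPN subnet is carved up around it.
    CIDR blocks are either nested or disjoint, so no other case exists.
    """
    routes = []
    for net in (ipaddress.ip_network(n) for n in wanted):
        if net.subnet_of(vpn_subnet):
            continue                      # already on-link via the TAP interface
        if vpn_subnet.subnet_of(net):
            # address_exclude yields the minimal CIDR cover of net minus vpn_subnet
            routes.extend(sorted(net.address_exclude(vpn_subnet)))
        else:
            routes.append(net)            # disjoint: push as-is
    return routes


def openvpn_push_lines(routes, gateway=VPN_GATEWAY):
    """Render the routes as OpenVPN server 'push' directives in the dotted
    netmask form --route expects. The route-gateway push comes first because
    a bridged TAP server does not supply a gateway for pushed routes itself."""
    lines = [f'push "route-gateway {gateway}"']
    lines += [f'push "route {r.network_address} {r.netmask}"' for r in routes]
    return lines


def overlaps_vpn(routes, vpn_subnet=VPN_SUBNET):
    """Sanity check: True if any pushed route would clash with the TAP subnet."""
    return any(r.overlaps(vpn_subnet) for r in routes)


if __name__ == "__main__":
    routes = routes_excluding(WANTED)
    assert not overlaps_vpn(routes)
    print("\n".join(openvpn_push_lines(routes)))
```

Running it prints the same seven route lines as the list above (plus the route-gateway line); the overlaps_vpn check is the thing to keep around, since a route that covers the TAP subnet is exactly the conflict that started this thread.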
     
  7. kameleon

    kameleon LI Guru Member

    Found part of my problem. I did not have the "pull" option in the client config. I don't know how I missed that! I also unchecked the "respond to DNS". After adding that to the client config and adding only the route-gateway option I was able to access everything on the same subnet as the VPN server no issue and traceroutes go across the vpn to items on the same subnet. So that is a good thing.

    After I made sure this was working I added the
    Code:
    push "route 208.137.128.0 255.255.224.0"
    to the server and it just plain worked also. I cannot believe that after all that poring over the documentation I missed the "pull" client config. Thanks for all the help. I will let you know if anything else turns up.
     
  8. kameleon

    kameleon LI Guru Member

    And as soon as I post that I find an issue. Intermittent routing. But only to anything on the 208.137.128.0/19 network. All these are within a 5 minute window first to last:

    Code:
    C:\Users\kameleon>tracert tech.netdoor.com
    
    Tracing route to tech.netdoor.com [208.137.150.12]
    over a maximum of 30 hops:
    
      1    44 ms    45 ms    42 ms  tomato.netdoor.com [208.148.196.101]
      2    61 ms    74 ms    88 ms  core1-fe0-0-4.jxn.netdoor.net [208.148.196.1]
      3    46 ms    49 ms    47 ms  core1-fe0-0.jxn.netdoor.net [208.137.128.3]
      4    43 ms    47 ms    53 ms  tech.netdoor.com [208.137.150.12]
    
    Trace complete.
    
    C:\Users\kameleon>tracert tech.netdoor.com
    
    Tracing route to tech.netdoor.com [208.137.150.12]
    over a maximum of 30 hops:
    
      1     1 ms     1 ms     1 ms  router.brooksdatacenter.com [192.168.1.1]
      2    47 ms    41 ms    42 ms  core1-fe0-0-4.jxn.netdoor.net [208.148.196.1]
      3    42 ms    45 ms    45 ms  core1-fe0-0.jxn.netdoor.net [208.137.128.3]
      4    45 ms    48 ms    45 ms  tech.netdoor.com [208.137.150.12]
    
    Trace complete.
    
    C:\Users\kameleon>tracert tech.netdoor.com
    
    Tracing route to tech.netdoor.com [208.137.150.12]
    over a maximum of 30 hops:
    
      1     *        *        *     Request timed out.
      2     *     sw20.netdoor.com [208.148.196.109]  reports: Destination host unreachable.
    
    Trace complete.
    
    C:\Users\kameleon>tracert tech.netdoor.com
    
    Tracing route to tech.netdoor.com [208.137.150.12]
    over a maximum of 30 hops:
    
      1     1 ms     1 ms     1 ms  router.brooksdatacenter.com [192.168.1.1]
      2     *        *        *     Request timed out.
      3     9 ms     8 ms     8 ms  ge-1-11-ur01.rankin.ms.malt.comcast.net [68.86.246.137]
      4    10 ms    15 ms    14 ms  te-9-3-ur03.jacksonnorth.ms.malt.comcast.net [68.86.241.37]
      5    19 ms    12 ms    15 ms  te-7-1-ar01.dannythomas.tn.malt.comcast.net [68.86.240.133]
      6    24 ms    23 ms    24 ms  te-1-4-0-1-cr01.dallas.tx.ibone.comcast.net [68.86.91.205]
      7    42 ms    22 ms    23 ms  xe-5-1-0.edge3.Dallas1.Level3.net [4.71.198.41]
      8    35 ms    35 ms    33 ms  vlan79.csw2.Dallas1.Level3.net [4.68.19.126]
      9    34 ms    37 ms    33 ms  ae-71-71.ebr1.Dallas1.Level3.net [4.69.136.125]
     10    30 ms    28 ms    28 ms  ae-1-13.bar1.Houston1.Level3.net [4.69.137.137]
     11    99 ms    29 ms    29 ms  ae-5-5.car1.Houston1.Level3.net [4.69.132.229]
     12    39 ms    39 ms    38 ms  ge-10-3-12.car1.Jackson1.Level3.net [4.69.135.54]
     13    46 ms    42 ms    48 ms  64.66.69.114
     14    50 ms    43 ms    44 ms  tech.netdoor.com [208.137.150.12]
    
    Trace complete.
    
    C:\Users\kameleon>tracert tech.netdoor.com
    
    Tracing route to tech.netdoor.com [208.137.150.12]
    over a maximum of 30 hops:
    
      1     *        *        *     Request timed out.
      2     *        *        *     Request timed out.
      3  sw20.netdoor.com [208.148.196.109]  reports: Destination host unreachable.
    
    Trace complete.
    
    C:\Users\kameleon>
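To make sense of a pile of traceroutes like the ones above, here is an added Python example (not from this thread) that parses Windows tracert transcripts and labels each run by the path it actually took: through the tunnel (the tomato box shows up as a hop), out the ISP without ever touching the tunnel, or failed. From a security standpoint the "internet" runs are the ones worth counting, because traffic that was supposed to ride the VPN is leaving the client in the clear. The transcript is a constructed abbreviation of the output above; the hostnames and addresses are the ones posted in this thread.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

VPN_GATEWAY = "208.148.196.101"   # tomato box: appears as a hop when the packet used the tunnel
TARGET = "208.137.150.12"         # tech.netdoor.com, the host being traced

# Constructed sample transcript, abbreviated from the shape of the tracert output
# above: one run through the tunnel, one that went out the ISP, one ICMP
# unreachable from the client's own TAP address, and one that got no answer.
SAMPLE = """\
Tracing route to tech.netdoor.com [208.137.150.12]
over a maximum of 30 hops:

  1    44 ms    45 ms    42 ms  tomato.netdoor.com [208.148.196.101]
  2    61 ms    74 ms    88 ms  core1-fe0-0-4.jxn.netdoor.net [208.148.196.1]
  3    43 ms    47 ms    53 ms  tech.netdoor.com [208.137.150.12]

Trace complete.

Tracing route to tech.netdoor.com [208.137.150.12]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  router.brooksdatacenter.com [192.168.1.1]
  2     9 ms     8 ms     8 ms  ge-1-11-ur01.rankin.ms.malt.comcast.net [68.86.246.137]
  3    50 ms    43 ms    44 ms  tech.netdoor.com [208.137.150.12]

Trace complete.

Tracing route to tech.netdoor.com [208.137.150.12]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *     sw20.netdoor.com [208.148.196.109]  reports: Destination host unreachable.

Trace complete.

Tracing route to tech.netdoor.com [208.137.150.12]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.

Trace complete.
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")            # "  3    9 ms ... host [a.b.c.d]"
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")  # dotted quads on a hop line


@dataclass
class Hop:
    number: int
    address: Optional[str]   # last dotted quad on the line, or None for "*"
    unreachable: bool        # line carried "Destination host unreachable"
    timed_out: bool          # line carried "Request timed out"


def split_traces(text):
    """One chunk per tracert run, split on the 'Tracing route to' banner."""
    return [c for c in re.split(r"(?=Tracing route to )", text)
            if c.startswith("Tracing route to")]


def parse_hops(chunk):
    """Parse the numbered hop lines of one run (banner and footer lines do not match)."""
    hops = []
    for line in chunk.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        number, rest = int(m.group(1)), m.group(2)
        ips = IP_RE.findall(rest)
        hops.append(Hop(number, ips[-1] if ips else None,
                        "unreachable" in rest.lower(), "timed out" in rest.lower()))
    return hops


def classify(chunk):
    """Label one run: 'vpn', 'internet', 'unreachable' or 'incomplete'."""
    hops = parse_hops(chunk)
    addrs = [h.address for h in hops if h.address]
    if any(h.unreachable for h in hops):
        return "unreachable"   # the client's own stack had no usable route
    if VPN_GATEWAY in addrs:
        return "vpn"           # packet entered the tunnel
    if addrs and addrs[-1] == TARGET:
        return "internet"      # reached the target without touching the tunnel
    return "incomplete"        # nothing answered; cannot tell which path was taken


def summarize(text):
    """Count runs per label, so route flapping shows up as a mix of 'vpn' and 'internet'."""
    return Counter(classify(t) for t in split_traces(text))


if __name__ == "__main__":
    for i, t in enumerate(split_traces(SAMPLE), 1):
        print(i, classify(t))
    print(dict(summarize(SAMPLE)))
```

Feed it the real transcript (tracert output redirected to a file) and the summary tells you at a glance how often the pushed network is being reached over the tunnel versus leaking out via the ISP.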
     
  9. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Can you check the routing table on the client when the problems are occurring? Does anything show up in the client's OpenVPN log?

    Also, if you have the "client" directive in your client configuration, you don't need "pull". Perhaps it would be good for you to post your client config. As there were a couple of fishy items in your routing table before...
     
  10. kameleon

    kameleon LI Guru Member

    Client routing table never changes while connected to the VPN. The strange thing is it is intermittent. One minute it will traceroute to the other network just fine through the VPN and other it times out or goes through the internet and not the VPN. I have included the routing table in the zip file that is attached along with the client config and log.
     


  11. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Try removing the first entry in your client config file "route-method exe". That could be the cause of your troubles.

    Also, did you ever try it without the "route-gateway" push in your server config file, like I suggested a couple of posts ago?
     
  12. kameleon

    kameleon LI Guru Member

    I uncommented the "route-method exe" from the config. I had added that since this client is a vista machine and I read that may solve some issues with the routing. It works with that removed and the "route-gateway" removed with the exception I cannot access anything on the /19 network. I also get this in the client log:

    Code:
    Fri Jun 26 10:29:09 2009 ROUTE default_gateway=192.168.1.1
    Fri Jun 26 10:29:09 2009 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
    Fri Jun 26 10:29:09 2009 OpenVPN ROUTE: failed to parse/resolve route for host/network: 208.137.128.0
    So it appears I need that route-gateway line. Testing now with that added back but the "route-method exe" commented out.
     
  13. kameleon

    kameleon LI Guru Member

    Continued testing. Still back at square one. Once I connect to the VPN I can get to everything needed. The pushed network stops working about 2 minutes into the connection (tested via tracert) but regains connectivity intermittently.

    Also something is keeping the x-lite from having full duplex audio. But when I connect with the redirect gateway it works fine.
     
  14. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Sorry, but the problem would have to be in Windows, and I don't know where to begin debugging it. Perhaps you could ask for help in the #openvpn IRC channel on freenode.
    What subnet is x-lite trying to contact?
     
  15. kameleon

    kameleon LI Guru Member

    I am afraid you are correct with the winblows deal. I have a few other machines I can try to rule out this specific machine or not.

    The same one that the vpn box is on. 208.148.196.0/25.
     
  16. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Hmmm, can you ping devices on the VPN client from the server-side LAN?
     
  17. kameleon

    kameleon LI Guru Member

    With about 31% packet loss over a 1 hour time period... yes.
     
  18. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I'm sorry, but I'm not sure what you should try next. If it didn't work at all, I could try to debug the routing and firewall rules. But, with it intermittent, the only thing I can think of is Windows changing routes from under OpenVPN...
     
