FreshTomato OpenVPN Server: no LAN access

Discussion in 'Tomato Firmware' started by TheHellSite, Feb 10, 2019.

  1. TheHellSite

    TheHellSite Network Newbie Member

    Hello,

    I am currently trying to configure a working OpenVPN server on my RT-N18U running this release "FreshTomato Firmware 2019.1.015 -beta K26ARM USB AIO-64K-NOSMP".

    Right now the clients connect fine but can only access my AP (running the VPN server) with its local IP.
    I am unable to connect to my other APs, devices or NAS.

    Attached you can see my configuration.
    My goal is to access all devices of br0 in my LAN.
    What am I missing?
    Also what is "crypt tls" for? This was in the router generated client config. I can't find anything about this option in the reference manual for OpenVPN 2.4.

    client config:
    Code:
    remote abc.123.org 1194
    proto udp
    dev tun
    ifconfig 10.6.0.2 10.6.0.1
    cipher AES-256-CBC
    auth SHA512
    client
    crypt tls
    <ca, crt, key>
    .......
    </ca, crt, key>
    
    I hope you guys can help me out here.

    EDIT:
    My overall network setup.
    1x Main router: Modem, DHCP Server and DECT Base
    3x RT-N18U APs: 192.168.2.2-VPN Server, .3-AdBlocking, .4-NAS

    The APs use my main router (192.168.2.1) as gateway and the OpenNIC DNS servers.
    Each AP has different jobs, while all of them distribute the same WiFi network on each level in the house.
     

    Last edited: Feb 11, 2019
  2. feedzapper

    feedzapper Reformed Router Member

    Maybe "also" check:
    -> Push LAN1 (br1) to clients?!!
     
  3. TheHellSite

    TheHellSite Network Newbie Member

    br1 is the guest network, which is (and should .. be) only available on this AP.
    I see no need to push this to the VPN clients as my aim is to make br0 available to them.
    Though I already tried to also check br1, but I still can't access any devices of br1.

    I will add some info about my network setup in the 1st post.
     
  4. feedzapper

    feedzapper Reformed Router Member

    OK, I understand.
    I also missed something in your "client" config.
    Where is the "pull" command?
    It should resolve the subnets from the server...
     
  5. TheHellSite

    TheHellSite Network Newbie Member

    I am not that familiar with openvpn.
    I just downloaded the router generated config file, included all certs, keys,... and imported it to openvpn connect for ios.
     
  6. feedzapper

    feedzapper Reformed Router Member

    Add the "pull" command to the client config and test again.
    It invokes your server to "push" your LANs and other options to the client...
    "crypt tls"?
    Yes, you are right, I think this is a wrong OpenVPN 2.4 command.
    Maybe "tls-crypt" ;-) ?

    Here, for example, is my client config:

    Code:
    tls-client
    proto udp
    dev tun
    ca /tmp/flash/openvpn/ca.crt
    cert /tmp/flash/openvpn/box.crt
    key /tmp/flash/openvpn/box.key
    remote-cert-tls server
    verify-x509-name My_VPNServer1 name
    tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
    tls-crypt /tmp/flash/openvpn/static.key
    remote secret.secret.com 1194
    fast-io
    nobind
    pull
    verb 3
    cipher AES-256-GCM
    auth sha512
    float
    reneg-sec 0
    #redirect-gateway def1
    resolv-retry infinite
    user openvpn
    group openvpn
    persist-tun
    persist-key
    compress
     
    Last edited: Feb 11, 2019
  7. TheHellSite

    TheHellSite Network Newbie Member

    Here is the client log, I think the routes are pulled/pushed correctly.

    Code:
    2019-43-11 22:43:54 1
    
    2019-43-11 22:43:54 ----- OpenVPN Start -----
    OpenVPN core 3.2 ios arm64 64-bit PT_PROXY built on Oct 3 2018 06:35:04
    
    2019-43-11 22:43:54 Frame=512/2048/512 mssfix-ctrl=1250
    
    2019-43-11 22:43:54 UNUSED OPTIONS
    4 [resolv-retry] [infinite]
    5 [nobind]
    6 [persist-tun]
    7 [persist-key]
    
    2019-43-11 22:43:54 EVENT: RESOLVE
    
    2019-43-11 22:43:55 Contacting [RESOLVED_IP]:1194/UDP via UDP
    
    2019-43-11 22:43:55 EVENT: WAIT
    
    2019-43-11 22:43:55 Connecting to [HOSTNAME]:1194 (RESOLVED_IP) via UDPv4
    
    2019-43-11 22:43:55 EVENT: CONNECTING
    
    2019-43-11 22:43:55 Tunnel Options:V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client
    
    2019-43-11 22:43:55 Creds: UsernameEmpty/PasswordEmpty
    
    2019-43-11 22:43:55 Peer Info:
    IV_GUI_VER=net.openvpn.connect.ios 3.0.2-894
    IV_VER=3.2
    IV_PLAT=ios
    IV_NCP=2
    IV_TCPNL=1
    IV_PROTO=2
    IV_AUTO_SESS=1
    
    
    2019-43-11 22:43:55 VERIFY OK : depth=1
    cert. version : 3
    serial number : 
    issuer name : C=GB, ST=Yorks, L=York, O=Company, OU=IT, CN=server.
    subject name : C=GB, ST=Yorks, L=York, O=Company, OU=IT, CN=server.
    issued on : 2019-02-10 20:22:15
    expires on : 2029-02-07 20:22:15
    signed using : RSA with SHA-256
    RSA key size : 2048 bits
    basic constraints : CA=true
    
    
    2019-43-11 22:43:55 VERIFY OK : depth=0
    cert. version : 3
    serial number : 00
    issuer name : C=GB, ST=Yorks, L=York, O=Company, OU=IT, CN=server.
    subject name : C=GB, ST=Yorks, L=York, O=Company, OU=IT, CN=client1.
    issued on : 2019-02-10 20:22:21
    expires on : 2029-02-07 20:22:21
    signed using : RSA with SHA-256
    RSA key size : 2048 bits
    basic constraints : CA=false
    
    
    2019-43-11 22:43:55 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
    
    2019-43-11 22:43:55 Session is ACTIVE
    
    2019-43-11 22:43:55 EVENT: GET_CONFIG
    
    2019-43-11 22:43:55 Sending PUSH_REQUEST to server...
    
    2019-43-11 22:43:55 OPTIONS:
    0 [route] [192.168.2.0] [255.255.255.0]
    1 [route] [10.6.0.1]
    2 [topology] [net30]
    3 [ping] [10]
    4 [ping-restart] [120]
    5 [ifconfig] [10.6.0.6] [10.6.0.5]
    6 [peer-id] [0]
    7 [cipher] [AES-256-GCM]
    
    
    2019-43-11 22:43:55 PROTOCOL OPTIONS:
    cipher: AES-256-GCM
    digest: SHA512
    compress: NONE
    peer ID: 0
    
    2019-43-11 22:43:55 EVENT: ASSIGN_IP
    
    2019-43-11 22:43:55 NIP: preparing TUN network settings
    
    2019-43-11 22:43:55 NIP: init TUN network settings with endpoint: RESOLVED_IP
    
    2019-43-11 22:43:55 NIP: adding IPv4 address to network settings 10.6.0.6/255.255.255.252
    
    2019-43-11 22:43:55 NIP: adding (included) IPv4 route 10.6.0.4/30
    
    2019-43-11 22:43:55 NIP: adding (included) IPv4 route 192.168.2.0/24
    
    2019-43-11 22:43:55 NIP: adding (included) IPv4 route 10.6.0.1/32
    
    2019-43-11 22:43:55 Connected via NetworkExtensionTUN
    
    2019-43-11 22:43:55 EVENT: CONNECTED HOSTNAME:1194 (RESOLVED_IP) via /UDPv4 on NetworkExtensionTUN/10.6.0.6/ gw=[/]
     
  8. feedzapper

    feedzapper Reformed Router Member

    OK, looks fine...
    Take care with setting the VPN subnet manually!
    Also delete the "ifconfig 10.6.0.2 10.6.0.1" in the client config and check "Manage client specific options" on the
    server side.
    Now the server takes control over all client routes and also over the VPN subnet IP + options (pushes the right ifconfig to the client), if the server gets a "pull" request from the client...
    You do not need to do anything on the client side.
     
  9. TheHellSite

    TheHellSite Network Newbie Member

    I already removed "ifconfig 10.6.0.2 10.6.0.1" but this didn't work either.

    "Manage client specific options"
    There is a new menu, how can I define a client name in the client config?
    It would be nice to see which client is connected to my network on the status page.
     
  10. feedzapper

    feedzapper Reformed Router Member

    You can restrict which clients are allowed to connect to the server in this menu...
    allow only these clients (uncheck this box)
    There is no need to do this for the moment.
    But you should also enter your client in this menu with the right subnet of your client.
    e.g. NAME 192.168.10.0 255.255.255.0 check "PUSH" -> add -> SAVE
     
  11. TheHellSite

    TheHellSite Network Newbie Member

    But this still doesn't solve the unavailable LAN access.
    There has to be something wrong with the server config.
     
  12. Twincam

    Twincam Networkin' Nut Member

    @TheHellSite I may be wide of the mark, but in testing APs [wired to the GW router] hosting OpenVPN servers a while ago, I ran into similar problems. In my case, I had forgotten to forward the port [usually UDP 1194 or 1195] in the GW [your "Main router"] to the AP [your 192.168.2.2]. HTH.
     
  13. TheHellSite

    TheHellSite Network Newbie Member

    Good tip, but I forwarded UDP 1194 to my AP. I guess otherwise I wouldn't even be able to connect.
     
  14. ddimitrov

    ddimitrov Network Newbie Member

    Your OpenVPN server is not running on the gateway (but on another device). Are the other AP devices configured to route the return packets back to the OpenVPN server when replying to a VPN client (e.g. when the packet's destination IP is from the VPN's network)? If they aren't, they will route the return packets to the gateway. If the gateway is not configured to re-route them to the OpenVPN server, they will be lost (and will not return back to the VPN client).
     
    Last edited: Feb 12, 2019 at 9:23 PM
  15. TheHellSite

    TheHellSite Network Newbie Member

    I get what you are trying to say. I am not only trying to access the other APs, I also want to have access to every single client in my LAN.
    Shouldn't "Push LAN (br0) to clients" do exactly that?! As far as I'm concerned the VPN Server/Router will act as a "translator" between the VPN Client's and the LAN Client's. I don't see the need to change any settings on my LAN Clients. There is something wrong on the server side as routes are pushed to the VPN Clients just fine.
     
  16. ddimitrov

    ddimitrov Network Newbie Member

    "Push LAN (br0) to clients" just adds a routing rule to the VPN clients in order for them to send to the VPN tunnel the packets with destination IPs from VPN server's LAN (br0). The VPN server at the other side will deliver them to the corresponding device in br0. This is OK in this direction. But in the opposite direction, when the corresponding machine in br0 tries to return a packet back to the VPN client, this packet should be routed back to the VPN server in order for it to send it back through the VPN tunnel to the client. If this packet is not routed to the VPN server but to the gateway (and the gateway is not configured to re-route these packets to the VPN server), these packets will not be delivered back to the VPN client.
     
  17. ddimitrov

    ddimitrov Network Newbie Member

    You do not have to make any changes at your LAN clients if you add a routing rule in the gateway. Try to add in the gateway a routing rule that instructs it to route all the packets with destination IP net 10.6.0.0/24 (e.g. packets addressed to your VPN clients) to the OpenVPN server's machine.

    P.S. This would not have been necessary if the VPN server were running on the gateway machine. The "return" packets would reach the VPN server then, because the packets would be sent to the gateway machine by default (but the gateway machine is also the VPN server's machine). But this is not your case, so you need an additional routing rule in the gateway.
     
    Last edited: Feb 12, 2019 at 10:46 PM
  18. TheHellSite

    TheHellSite Network Newbie Member

    Sadly my gateway doesn't have many options to do these kind of things.

    Is there any other way to get around this problem?

    If not then the only other solution for me would be to put my current gateway into "modem only mode" and let one of my tomato APs handle the DHCP, routing,... The only small problem is, for this I would need to install another lan cable between my modem and the WAN port of one AP. (Because the modem has a 4 Port switch which I am using to connect 2 APs.)
     
  19. ddimitrov

    ddimitrov Network Newbie Member

    What is the model of your gateway? What firmware does it run? Doesn't it have a GUI for configuring its routing table?

    If the gateway is a blackbox given to you by the Internet provider (and therefore you do not have access to its GUI), you may ask them to add the routing rule for you.
     
  20. TheHellSite

    TheHellSite Network Newbie Member

    I don't know much about OpenVPN, but I do know quite a bit about routers. You can believe me that my gateway doesn't allow me to edit the routing table, even though I have full control and access to it. It is a special modem that bundles a DSL and an LTE connection into a single connection, which I am FORCED to use because otherwise my internet speed would be very slow.

    So let's get back to my original question:
    Is there any other way to get around this problem?

    EDIT:
    I just found this: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1008095#1008095
    Can I also workaround my problem with this firewall rule?
    Code:
    iptables -t nat -I POSTROUTING -s 10.6.0.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)
    I added it to Scripts --> Firewall, but I still can't access any other clients in my LAN.
    After adding a static route to the routing table of my OpenVPN Server AP the connection is now working.
    My OpenVPN Server Clients can now see and access all my LAN Clients.

    However sometimes I still get some timeouts and have to restart the VPN Server.
    Also when I try to copy a large file (around 4 GB) the connection resets after around 300 MB.
     

    Last edited: Feb 13, 2019 at 3:12 PM
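    The asymmetric return path ddimitrov describes (post 17) and what the SNAT rule from post 20 changes, as an added simulation that is not part of this thread or of FreshTomato: a longest-prefix-match routing model using the thread's addresses (gateway 192.168.2.1, VPN server AP 192.168.2.2, NAS 192.168.2.4, VPN client 10.6.0.6). The model only does routing lookups; it ignores firewall state, RIP, and the WAN next hop 203.0.113.1, which is a constructed placeholder.

```python
import ipaddress

# Constructed model of the thread's topology: routing lookups only, no NAT state.
GATEWAY, VPN_AP, NAS, VPN_CLIENT = "192.168.2.1", "192.168.2.2", "192.168.2.4", "10.6.0.6"

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, next_hop); 'onlink' means deliver directly."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return None if best is None else best[1]

def build_hosts(gateway_route=False):
    """Per-host routing tables; gateway_route adds the rule suggested for the gateway."""
    lan = [("192.168.2.0/24", "onlink")]
    hosts = {
        NAS:        lan + [("0.0.0.0/0", GATEWAY)],
        GATEWAY:    lan + [("0.0.0.0/0", "203.0.113.1")],   # WAN hop, outside the model
        VPN_AP:     lan + [("10.6.0.0/24", "onlink"), ("0.0.0.0/0", GATEWAY)],  # tun side
        VPN_CLIENT: [("10.6.0.0/24", "onlink")],
    }
    if gateway_route:
        hosts[GATEWAY].insert(0, ("10.6.0.0/24", VPN_AP))   # 10.6.0.0/24 via the VPN AP
    return hosts

def deliver(hosts, start, dst, max_hops=5):
    """Forward hop by hop; return the IP of the host that receives the packet, or None."""
    cur = start
    for _ in range(max_hops):
        if cur == dst:
            return cur
        via = next_hop(hosts[cur], dst)
        if via is None:
            return None                      # no route at all: dropped
        cur = dst if via == "onlink" else via
        if cur not in hosts:
            return None                      # forwarded towards the WAN: lost to the client
    return None

def return_path(fix):
    """Where the NAS's reply to the VPN client ends up under each fix."""
    if fix == "none":
        return deliver(build_hosts(), NAS, VPN_CLIENT)         # default route -> gateway -> WAN
    if fix == "gateway-route":
        return deliver(build_hosts(True), NAS, VPN_CLIENT)     # gateway hands it to the VPN AP
    if fix == "snat":
        # SNAT on the AP rewrote the source to 192.168.2.2, so the NAS replies on-link
        return deliver(build_hosts(), NAS, VPN_AP)
    raise ValueError(fix)
```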
  21. ddimitrov

    ddimitrov Network Newbie Member

    AFAIK, NAT is disabled when the device works in "Router" mode. NAT is enabled when the device works in "Gateway" mode. Have you tried changing the mode to "Gateway", while the AP is still connected to the gateway using one of the AP's LAN ports?

    This was a smart move! I am not experienced with routers much, so I needed some time to understand why adding a routing rule to the OpenVPN server (instead of to the gateway) would work, but then I understood that it was because of RIP, wasn't it? This is a better solution than doing SNAT.
     