Need help setting up VPN client on second Tomato router

Discussion in 'Networking Issues' started by MaxMax, Apr 16, 2019.

  1. MaxMax

    MaxMax New Member Member

    Hello everyone, I'm sorry if this question was already answered somewhere else but I was not able to find answer.

    Task:
    Setup a Tomato router as second WiFi access point using a OpenVPN tunnel for the wireless clients connected via this access point. On LAN, the devices connected to the first router must be reachable from the devices connected to second router.

    Current setup:
    Router A from ISP providing internet connection gateway.
    Router B Linksys E2500 with latest Tomato firmware

    Connection A-B: LAN to LAN Ethernet
    Router A IP: 192.168.2.1 with DHCP server for the IP range 2-199

    Router B (Tomato):
    WAN disabled
    LAN br0 at 192.168.2.200 (DHCP off)
    Gateway 192.168.2.1 (Router A) and same for DNS
    Wireless eth1/eth2 properly configured and working
    OpenVPN configured and connected

    In the above situation I have the second router perfectly working as an additional access point but the wireless clients connected via this second router get routed via the gateway (router A) and therefore no VPN tunneling.

    If I check my public IP address from the router (either via SSH or using the Tools) THIS goes trough VPN instead.

    The following is my routing table

    Code:
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    82.102.21.75    192.168.2.1     255.255.255.255 UGH   0      0        0 br0
    10.8.3.0        *               255.255.255.0   U     0      0        0 tun11
    192.168.2.0     *               255.255.255.0   U     0      0        0 br0
    127.0.0.0       *               255.0.0.0       U     0      0        0 lo
    default         10.8.3.1        128.0.0.0       UG    0      0        0 tun11
    128.0.0.0       10.8.3.1        128.0.0.0       UG    0      0        0 tun11
    default         192.168.2.1     0.0.0.0         UG    0      0        0 br0

    The only solution I found, so far is to connect the A-B routers as LAN-WAN and assign to the second router another subnet (e.g. 192.168.1.0/24) with gateway on router A. This indeed works, but makes impossible to communicate devices connected to the different subnets.

    Can someone kindly point me a solution if it exists?

    Thanks in advance.
     
  2. eibgrad

    eibgrad Network Guru Member

    The problem, of course, is that in a LAN to LAN configuration, your desired VPN clients are NOT using that AP as their default gateway, so the fact the AP is configured w/ the VPN is of consequence only to that AP. It's no different than if you configured your VPN on some PC, and expected the rest of the network to magically use it. That's only going to happen if you *force* those clients to use the AP as their gateway, and NOT the primary router. And you can do that in a number of ways.

    1. Configure DHCP on the primary router to return the AP's IP as the default gateway for those specific clients. Of course, this assumes your primary router allows you to make such changes. But that's usually problematic if the primary router is using OEM firmware.

    2. Statically configure the individual clients you want to use the VPN w/ the AP as their gateway. IOW, go into the Windows networking applet and manually configure it as needed. Here again, this may not always be possible. Some network appliances and IOT devices may insist on using DHCP.

    3. Implement PBR (policy based routing) on the primary router, and route those clients that need to use the VPN from the default gateway of that primary router, and over to the AP. Once again, using OEM firmware on the primary router usually makes this problematic.

    In most cases, option #2 ends up being the only viable option.

    That's why configuring a VPN in a LAN to LAN network can often be difficult, esp. when you don't have full control of and access to all of your devices. And that's why many ppl end using the WAN to LAN configuration; it forces the VPN clients to use the tomato router as their default gateway, rather than the primary router. But as you noted, that causes its own problems, like network discovery, which can't cross ethernet boundaries.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice