OpenWRT + OpenVPN problem
Hello friends! I have a problem. I have an OpenWRT router with a 3g dongle, and I want to use OpenVPN. When the VPN is up, I can ping from the router, but from the other clients I can't even access the internet. The routes:
Without VPN (working OK):
route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.64.64.64     0.0.0.0         UG    0      0        0 3g-3g
10.64.64.64     *               255.255.255.255 UH    0      0        0 3g-3g
192.168.5.0     *               255.255.255.0   U     0      0        0 br-lan
With OpenVPN
route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.2.3.9        128.0.0.0       UG    0      0        0 tun0
default         10.64.64.64     0.0.0.0         UG    0      0        0 3g-3g
10.2.3.1        10.2.3.9        255.255.255.255 UGH   0      0        0 tun0
10.2.3.9        *               255.255.255.255 UH    0      0        0 tun0
10.64.64.64     *               255.255.255.255 UH    0      0        0 3g-3g
128.0.0.0       10.2.3.9        128.0.0.0       UG    0      0        0 tun0
187.176.xxx.xxx 10.64.64.64     255.255.255.255 UGH   0      0        0 3g-3g
192.168.5.0     *               255.255.255.0   U     0      0        0 br-lan
Where 10.2.3.1 is the VPN IP (the internal one).
Any clue on how to fix it? Thanks!
Comments
You either need to NAT your network IPs to your OpenVPN client IP, or you need to add a route on the server side to tell it where to send packets for your network subnet to. Since you didn't mention doing either of these I'm assuming you haven't.
Any command-line? I tried to route them but I'm a newbie there.
On your router:
iptables -t nat -A POSTROUTING -s x.x.x.x/24 -o tun0 -j MASQUERADE
Replace x.x.x.x/24 with your network subnet (not your openvpn subnet).
I didn't read previously that this is for OpenWRT; kind of odd as you'd think this would work appropriately without modification. Maybe check what's in iptables already with iptables -L or iptables-save.
You shouldn't have two 'default' routes.
On the router, do
# ip r d default via 10.2.3.9 dev tun0
that should fix the issue with your clients being unable to reach the internet.
On the OpenVPN configuration, you need to tick off the default routing, so it won't be configured on each boot. I'm not familiar with the OpenWRT firmware, but in Linux this default route added by OpenVPN is in the tun0 config file. (ifcfg-tun0 or similar)
John
The second route OpenVPN made it. I believe the problem lies there, on the iptables, because 1 default route is for the 3g dongle, and the other one from OpenVPN. Will try your suggestions.
ip r d default via 10.2.3.9 dev tun0
RTNETLINK answers: No such process
OpenVPN does it this way to not lose the actual default route when you disconnect. It adds routes for 0.0.0.0/1 and 128.0.0.0/1, and route displays "0.0.0.0" as "default". Anyway, since the netmask is larger, i.e. /1 instead of /0, the /1 routes are used until they are removed.
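The route selection described in the comment above, worked through on the "With OpenVPN" table from the question. This is an added example, not part of the original thread; the function names are hypothetical, and 203.0.113.10 is a constructed stand-in for the masked VPN server address.

```python
import ipaddress

# Constructed sample: the "With OpenVPN" table from the question, with the
# masked VPN server address replaced by the documentation address 203.0.113.10.
ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.2.3.9        128.0.0.0       UG    0      0        0 tun0
default         10.64.64.64     0.0.0.0         UG    0      0        0 3g-3g
10.2.3.1        10.2.3.9        255.255.255.255 UGH   0      0        0 tun0
10.2.3.9        *               255.255.255.255 UH    0      0        0 tun0
10.64.64.64     *               255.255.255.255 UH    0      0        0 3g-3g
128.0.0.0       10.2.3.9        128.0.0.0       UG    0      0        0 tun0
203.0.113.10    10.64.64.64     255.255.255.255 UGH   0      0        0 3g-3g
192.168.5.0     *               255.255.255.0   U     0      0        0 br-lan
"""


def parse_routes(text):
    """Turn `route` output rows into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "Destination":
            continue  # skip the title and column header lines
        dest, gateway, genmask, iface = fields[0], fields[1], fields[2], fields[7]
        if dest == "default":  # `route` prints 0.0.0.0 as "default"
            dest = "0.0.0.0"
        net = ipaddress.ip_network(f"{dest}/{genmask}")
        routes.append((net, None if gateway == "*" else gateway, iface))
    return routes


def lookup(routes, address):
    """Longest-prefix match: the most specific route containing the address wins."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)


def without_iface(routes, iface):
    """Routes left after an interface goes down and its routes are removed."""
    return [r for r in routes if r[2] != iface]
```

With tun0 up, both /1 halves of the address space go out through tun0 while the /32 host route keeps the tunnel's own packets on 3g-3g; once the tun0 routes are removed, the untouched 0.0.0.0/0 route takes over again.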
Didn't work.
I told OpenVPN not to pull routes, so that's a start, but I can't manage to route the traffic to the tun0.
You must delete the first default route in the routing table, the one that says:
default 10.2.3.9 128.0.0.0 UG 0 0 0 tun0
Perhaps in the command I said before, the netmask is missing, which is 128.0.0.0, that's why you got the error
RTNETLINK answers: No such process
Do a
ip route show
You should get something along the lines of
default via 10.2.3.9 dev tun0 (and something else)
Get all that and prefix it with ip route delete. This also should work in removing that wrong default route:
ip route delete $(ip r s |grep default | grep 10.2.3.9)
Cheers,
J
Hang on. I think it's not quite clear what you're trying to achieve there....
Do you want to use the 3g modem for all the clients to connect to internet thru it, and the VPN just to access the vpn server.....
OR
do you want the router to use the 3g to connect to the vpn server and all the clients access the internet thru the VPN?
Those are two completely different setups. From your original post, it's not quite clear what you're wanting to do.
In the first case I expose, removing the default route thru the VPN server should get you done.
For the second setup, you must remove the default route going through the 3g, and add a static route to reach the VPN server through the 3g modem.
got it?
Perhaps a simple graph image of the network setup could help understand it.
All clients to VPN. I've found the solution, will post it on the night for all.
I have a tplink tl-mr3420, I got the openwrt flashed with rooter ext to have usb stick accessible for extended storage (to add more features), I got access to the internet but when I add the additional features, openvpn being one of them, I lose access to the internet, can someone help with setup? I would like to use skype and share screen so we can setup together. Can someone help?
You have to:
Add the tun0 interface on LuCI
Add it to the wan firewall rules
And it will work