OpenWRT + OpenVPN problem

netomx Moderator, Veteran

Hello friends! I have a problem. I have an OpenWRT router with a 3g dongle, and I want to use OpenVPN. When the VPN is up, I can ping from the router, but from the other clients I can't even access the internet. The routes:

Without VPN (working OK):

 route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.64.64.64     0.0.0.0         UG    0      0        0 3g-3g
10.64.64.64     *               255.255.255.255 UH    0      0        0 3g-3g
192.168.5.0     *               255.255.255.0   U     0      0        0 br-lan

With OpenVPN

 route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.2.3.9        128.0.0.0       UG    0      0        0 tun0
default         10.64.64.64     0.0.0.0         UG    0      0        0 3g-3g
10.2.3.1        10.2.3.9        255.255.255.255 UGH   0      0        0 tun0
10.2.3.9        *               255.255.255.255 UH    0      0        0 tun0
10.64.64.64     *               255.255.255.255 UH    0      0        0 3g-3g
128.0.0.0       10.2.3.9        128.0.0.0       UG    0      0        0 tun0
187.176.xxx.xxx    10.64.64.64     255.255.255.255 UGH   0      0        0 3g-3g
192.168.5.0     *               255.255.255.0   U     0      0        0 br-lan

Where 10.2.3.1 is the VPN IP (the internal one).

Any clue on how to fix it? Thanks!

Comments

  • petris Member

    You either need to NAT your network IPs to your OpenVPN client IP, or you need to add a route on the server side to tell it where to send packets for your network subnet to. Since you didn't mention doing either of these I'm assuming you haven't.

  • netomx Moderator, Veteran

    @petris said:
    You either need to NAT your network IPs to your OpenVPN client IP, or you need to add a route on the server side to tell it where to send packets for your network subnet to. Since you didn't mention doing either of these I'm assuming you haven't.

    Any command-line? I tried to route them but I'm a newbie there.

  • petris Member

    @netomx said:
    Any command-line? I tried to route them but I'm a newbie there.

    On your router:

    iptables -t nat -A POSTROUTING -s x.x.x.x/24 -o tun0 -j MASQUERADE

    Replace x.x.x.x/24 with your network subnet (not your openvpn subnet).

    I didn't read previously that this is for OpenWRT; kind of odd as you'd think this would work appropriately without modification. Maybe check what's in iptables already with iptables -L or iptables-save.

  • john_k Member

    You shouldn't have two 'default' routes.

    On the router, do # ip r d default via 10.2.3.9 dev tun0

    that should fix the issue with your clients being unable to reach the internet.

    On the openVPN configuration, you need to tick off the default routing, so it won't be configured on each boot. I'm not familiar with the openWRT firmware, but in linux this default route added by openVPN is in the tun0 config file. (ifcfg-tun0 or similar)

    John

  • netomx Moderator, Veteran

    @john_k said:
    You shouldn't have two 'default' routes.

    On the router, do # ip r d default via 10.2.3.9 dev tun0

    that should fix the issue with your clients being unable to reach the internet.

    On the openVPN configuration, you need to tick off the default routing, so it won't be configured on each boot. I'm not familiar with the openWRT firmware, but in linux this default route added by openVPN is in the tun0 config file. (ifcfg-tun0 or similar)

    John

    The second route OpenVPN made it. I believe the problem lies there, on the iptables, because 1 default route is for the 3g dongle, and the other one from openvpn. Will try your suggestions :)

  • netomx Moderator, Veteran

    @john_k said:
    You shouldn't have two 'default' routes.

    On the router, do # ip r d default via 10.2.3.9 dev tun0

    that should fix the issue with your clients being unable to reach the internet.

    On the openVPN configuration, you need to tick off the default routing, so it won't be configured on each boot. I'm not familiar with the openWRT firmware, but in linux this default route added by openVPN is in the tun0 config file. (ifcfg-tun0 or similar)

    John

    ip r d default via 10.2.3.9 dev tun0
    RTNETLINK answers: No such process

    :(

  • petris Member

    @john_k said:
    You shouldn't have two 'default' routes.

    On the router, do # ip r d default via 10.2.3.9 dev tun0

    that should fix the issue with your clients being unable to reach the internet.

    On the openVPN configuration, you need to tick off the default routing, so it won't be configured on each boot. I'm not familiar with the openWRT firmware, but in linux this default route added by openVPN is in the tun0 config file. (ifcfg-tun0 or similar)

    John

    OpenVPN does it this way to not lose the actual default route when you disconnect. It adds routes for 0.0.0.0/1 and 128.0.0.0/1, and route displays "0.0.0.0" as "default". Anyway, since the netmask is larger, i.e. /1 instead of /0, the /1 routes are used until they are removed.
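The longest-prefix-match behaviour described in the reply above, as an added example that is not part of the thread: it parses the "With OpenVPN" routing table from the first post and resolves a few destinations against it. The address 187.176.0.1 is a constructed stand-in for the masked 187.176.xxx.xxx entry, and the function names are illustrative.

```python
import ipaddress

# "With OpenVPN" table from the first post. 187.176.0.1 is a constructed
# stand-in for the masked 187.176.xxx.xxx host route via 3g-3g.
ROUTE_OUTPUT = """\
default         10.2.3.9        128.0.0.0       UG    0      0        0 tun0
default         10.64.64.64     0.0.0.0         UG    0      0        0 3g-3g
10.2.3.1        10.2.3.9        255.255.255.255 UGH   0      0        0 tun0
10.2.3.9        *               255.255.255.255 UH    0      0        0 tun0
10.64.64.64     *               255.255.255.255 UH    0      0        0 3g-3g
128.0.0.0       10.2.3.9        128.0.0.0       UG    0      0        0 tun0
187.176.0.1     10.64.64.64     255.255.255.255 UGH   0      0        0 3g-3g
192.168.5.0     *               255.255.255.0   U     0      0        0 br-lan
"""

def parse_routes(text):
    """Turn net-tools `route` rows into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        dest, gw, mask, *_, iface = line.split()
        if dest == "default":            # `route` prints 0.0.0.0 as "default"
            dest = "0.0.0.0"
        plen = bin(int(ipaddress.ip_address(mask))).count("1")
        net = ipaddress.ip_network(f"{dest}/{plen}")
        routes.append((net, None if gw == "*" else gw, iface))
    return routes

def lookup(routes, addr):
    """Longest-prefix match: the most specific route containing addr wins."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def find_route(routes, prefix, gateway):
    """Exact prefix + gateway match, which is what deleting a route needs."""
    net = ipaddress.ip_network(prefix)
    return [r for r in routes if r[0] == net and r[1] == gateway]

if __name__ == "__main__":
    routes = parse_routes(ROUTE_OUTPUT)
    for dst in ("8.8.8.8", "200.1.2.3", "187.176.0.1", "192.168.5.20"):
        net, gw, iface = lookup(routes, dst)
        print(f"{dst:>13} -> {net} via {gw or 'direct'} dev {iface}")
    # There is no 0.0.0.0/0 route via 10.2.3.9, only the two /1 halves.
    print("0.0.0.0/0 via 10.2.3.9:", find_route(routes, "0.0.0.0/0", "10.2.3.9"))
    # With the tun0 routes gone, the untouched /0 route answers again.
    no_vpn = [r for r in routes if r[2] != "tun0"]
    print("8.8.8.8 without tun0 ->", lookup(no_vpn, "8.8.8.8")[2])
```

The last lookup shows the flip side of this design: once the tun0 routes disappear, the 3g-3g default route carries client traffic again, outside the tunnel.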

  • netomx Moderator, Veteran

    @petris said:
    I didn't read previously that this is for OpenWRT; kind of odd as you'd think this would work appropriately without modification. Maybe check what's in iptables already with iptables -L or iptables-save.

    Didn't work :(

    I told OpenVPN not to pull routes, so that's a start, but I can't manage to route the traffic to the tun0 :(

  • john_k Member

    You must delete the first default route in the routing table, the one that says:

    default 10.2.3.9 128.0.0.0 UG 0 0 0 tun0

    Perhaps in the command I said before, the netmask is missing, which is 128.0.0.0 , that's why you got the error RTNETLINK answers: No such process

    Do an ip route show

    You should get something along the lines of
    default via 10.2.3.9 dev tun0 (and something else)

    Get all that and prefix it with ip route delete.

    This also should work in removing that wrong default route :
    ip route delete $(ip r s |grep default | grep 10.2.3.9)

    Cheers,

    J

  • john_k Member

    Hang on. I think it's not quite clear what you're trying to achieve there....

    Do you want to use the 3g modem for all the clients to connect to internet thru it, and the VPN just to access the vpn server.....

    OR

    do you want the router to use the 3g to connect to the vpn server and all the clients access the internet thru the VPN?

    Those are two completely different setups. From your original post, it's not quite clear what you're wanting to do.

    In the first case I expose, removing the default route thru the VPN server should get you done.

    For the second setup, you must remove the default route going through the 3g, and add a static route to reach the VPN server through the 3g modem.
    got it?

    Perhaps a simple graph image of the network setup could help understand it.

  • netomx Moderator, Veteran

    All clients to VPN. I've found the solution, will post it at night for all :)

  • phpsystems

    I have tplink tl-mr3420, I got the openwrt flashed with rooter ext to have usb stick accessible for extended storage (to add more features), I got access to the internet but when I add the additional features, openvpn being one of them, I lose access to the internet, can someone help with setup? I would like to use skype and share screen so we can setup together. Can someone help?

  • netomx Moderator, Veteran

    @phpsystems said:
    I have tplink tl-mr3420, I got the openwrt flashed with rooter ext to have usb stick accessible for extended storage (to add more features), I got access to the internet but when I add the additional features, openvpn being one of them, I lose access to the internet, can someone help with setup? I would like to use skype and share screen so we can setup together. Can someone help?

    You have to:

    Add the tun0 interface on LuCI
    Add it to the wan firewall rules

    And it will work
