Openvpn – site to site openvpn with Merlin and DD-WRT


I am trying to set up an OpenVPN site-to-site tunnel between site A (server: Merlin) and site B (client: DD-WRT). The tunnel comes up and both peers are able to ping each other, but when anyone on the client subnet (10.1.30.0/24) tries to ping any host on the server side (10.1.10.0/24), the packets are dropped by the server, since the server doesn't know how to get to the client's subnet even after adding the route.
Here are the configs:

Server

Automatically generated configuration

daemon

server 172.16.254.0 255.255.255.248

proto udp

port 1198

dev tun21

cipher AES-256-CBC

comp-lzo adaptive

keepalive 15 60

verb 3

push "route 10.1.10.0 255.255.255.0"

client-config-dir ccd

client-to-client

duplicate-cn

ca ca.crt

dh dh.pem

cert server.crt

key server.key

status-version 2

status status

Custom Configuration

ifconfig 172.16.254.1 255.255.255.248

management 127.0.0.1 5001

auth none

Firewall – Server

iptables -I INPUT 2 -p udp --dport 1198 -j ACCEPT

iptables -I FORWARD -i br0 -o tun21 -j ACCEPT

iptables -I FORWARD -i tun21 -o br0 -j ACCEPT

Routing table Server:

172.16.254.2 dev tun21 proto kernel scope link src 172.16.254.1

x.x.x.x dev eth0 scope link

172.16.254.0/29 via 172.16.254.2 dev tun21

x.x.x.x/28 dev eth0 proto kernel scope link src x.x.x.x

10.1.10.0/24 dev br0 proto kernel scope link src 10.1.10.254

127.0.0.0/8 dev lo scope link

default via x.x.x.x dev eth0

Client Config:

ca /tmp/openvpncl/ca.crt

cert /tmp/openvpncl/client.crt

key /tmp/openvpncl/client.key

management 127.0.0.1 5001

management-log-cache 50

verb 4

mute 3

log-append /var/log/openvpncl

writepid /var/run/openvpncl.pid

client

resolv-retry infinite

nobind

persist-key

persist-tun

script-security 2

mtu-disc yes

dev tun1

proto udp

cipher aes-256-cbc

auth none

remote x.x.x.x 1198

comp-lzo adaptive

tun-mtu 1500

fast-io

Client Firewall

iptables -I INPUT 2 -p udp --dport 1198 -j ACCEPT

iptables -I FORWARD -i br0 -o tun1 -j ACCEPT

iptables -I FORWARD -i tun1 -o br0 -j ACCEPT

Client routing table:

Kernel IP routing table

Destination Gateway Genmask Flags Metric Ref Use Iface

0.0.0.0 192.168.2.253 0.0.0.0 UG 0 0 0 eth1

10.1.10.0 172.16.254.5 255.255.255.0 UG 0 0 0 tun1

10.1.30.0 0.0.0.0 255.255.255.0 U 0 0 0 br0

127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo

169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br0

172.16.254.0 172.16.254.5 255.255.255.248 UG 0 0 0 tun1

172.16.254.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun1

192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1

239.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 br0

What is weird is that on the client side the tun device has an IP of 172.16.254.6 while the gateway is 172.16.254.5 and on the server side the IP is 172.16.254.1 and the tun IP is 172.16.254.2. On the server side I can't ping 172.16.254.2 but I can ping the tun IP of the client(172.16.254.6) and vice versa on the client side I can't ping 172.16.254.5 which is the gateway but I can ping 172.16.254.1.

Server interfaces

ip addr

1: lo: mtu 16436 qdisc noqueue

link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

inet 127.0.0.1/8 brd 127.255.255.255 scope host lo

2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000

link/ether d8:50:e6:cb:f5:f0 brd ff:ff:ff:ff:ff:ff

inet x.x.x.x/28 brd x.x.x.x scope global eth0

3: eth1: mtu 1500 qdisc pfifo_fast qlen 1000

link/ether d8:50:e6:cb:f5:f0 brd ff:ff:ff:ff:ff:ff

4: eth2: mtu 1500 qdisc pfifo_fast qlen 1000

link/ether d8:50:e6:cb:f5:f4 brd ff:ff:ff:ff:ff:ff

5: vlan1@eth0: mtu 1500 qdisc noqueue

link/ether d8:50:e6:cb:f5:f0 brd ff:ff:ff:ff:ff:ff

6: vlan2@eth0: mtu 1500 qdisc noop

link/ether d8:50:e6:cb:f5:f0 brd ff:ff:ff:ff:ff:ff

7: br0: mtu 1500 qdisc noqueue

link/ether d8:50:e6:cb:f5:f0 brd ff:ff:ff:ff:ff:ff

inet 10.1.10.254/24 brd 10.1.10.255 scope global br0

8: tun21: mtu 1500 qdisc pfifo_fast qlen 100

link/[65534]

inet 172.16.254.1 peer 172.16.254.2/32 scope global tun21

Client interfaces:

ath0 Link encap:Ethernet HWaddr B0:C7:45:75:1C:F6

     UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

     RX packets:2528056 errors:0 dropped:0 overruns:0 frame:0

     TX packets:3317121 errors:0 dropped:0 overruns:0 carrier:0

     collisions:0 txqueuelen:32

     RX bytes:177453174 (169.2 MiB)  TX bytes:539912763 (514.9 MiB)

ath1 Link encap:Ethernet HWaddr B0:C7:45:75:1C:F7

     UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

     RX packets:0 errors:0 dropped:0 overruns:0 frame:0

     TX packets:12502 errors:0 dropped:0 overruns:0 carrier:0

     collisions:0 txqueuelen:32

     RX bytes:0 (0.0 B)  TX bytes:1688459 (1.6 MiB)

br0 Link encap:Ethernet HWaddr B0:C7:45:75:1C:F6

     inet addr:10.1.30.251  Bcast:10.1.30.255  Mask:255.255.255.0

     UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

     RX packets:3715741 errors:0 dropped:3772 overruns:0 frame:0

     TX packets:5006361 errors:0 dropped:0 overruns:0 carrier:0

     collisions:0 txqueuelen:0

     RX bytes:415672171 (396.4 MiB)  TX bytes:6820174338 (6.3 GiB)

br0:0 Link encap:Ethernet HWaddr B0:C7:45:75:1C:F6

     inet addr:169.254.255.1  Bcast:169.254.255.255  Mask:255.255.0.0

     UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0 Link encap:Ethernet HWaddr B0:C7:45:75:1C:F6

     UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

     RX packets:610099 errors:0 dropped:4 overruns:18 frame:0

     TX packets:931175 errors:0 dropped:0 overruns:0 carrier:0

     collisions:0 txqueuelen:1000

     RX bytes:263258272 (251.0 MiB)  TX bytes:833541212 (794.9 MiB)

     Interrupt:4

eth1 Link encap:Ethernet HWaddr B0:C7:45:75:1C:F6

     inet addr:192.168.2.254  Bcast:192.168.2.255  Mask:255.255.255.0

     UP BROADCAST RUNNING MULTICAST  MTU:1492  Metric:1

     RX packets:5071499 errors:0 dropped:787 overruns:0 frame:0

     TX packets:3681042 errors:0 dropped:0 overruns:0 carrier:0

     collisions:0 txqueuelen:1000

     RX bytes:2519572372 (2.3 GiB)  TX bytes:462892303 (441.4 MiB)

     Interrupt:5

lo Link encap:Local Loopback

     inet addr:127.0.0.1  Mask:255.0.0.0

     UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1

     RX packets:421 errors:0 dropped:0 overruns:0 frame:0

     TX packets:421 errors:0 dropped:0 overruns:0 carrier:0

     collisions:0 txqueuelen:0

     RX bytes:37100 (36.2 KiB)  TX bytes:37100 (36.2 KiB)

mon.ath0 Link encap:UNSPEC HWaddr B0-C7-45-75-1C-F6-00-00-00-00-00-00-00-00-00-00

     UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

     RX packets:462186 errors:0 dropped:0 overruns:0 frame:0

     TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

     collisions:0 txqueuelen:32

     RX bytes:105722162 (100.8 MiB)  TX bytes:0 (0.0 B)

mon.ath1 Link encap:UNSPEC HWaddr B0-C7-45-75-1C-F7-00-00-00-00-00-00-00-00-00-00

     UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

     RX packets:3114 errors:0 dropped:0 overruns:0 frame:0

     TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

     collisions:0 txqueuelen:32

     RX bytes:377428 (368.5 KiB)  TX bytes:0 (0.0 B)

tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00

     inet addr:172.16.254.6  P-t-P:172.16.254.5  Mask:255.255.255.255

     UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1

     RX packets:268 errors:0 dropped:0 overruns:0 frame:0

     TX packets:14279 errors:0 dropped:0 overruns:0 carrier:0

     collisions:0 txqueuelen:100

     RX bytes:22488 (21.9 KiB)  TX bytes:775355 (757.1 KiB)

Ping peer IP from server:

ping 172.16.254.2

PING 172.16.254.2 (172.16.254.2): 56 data bytes

--- 172.16.254.2 ping statistics ---

4 packets transmitted, 0 packets received, 100% packet loss

Ping tun0's client IP address from the server:

ping 172.16.254.6

PING 172.16.254.6 (172.16.254.6): 56 data bytes

64 bytes from 172.16.254.6: seq=0 ttl=64 time=30.222 ms

64 bytes from 172.16.254.6: seq=1 ttl=64 time=29.536 ms

64 bytes from 172.16.254.6: seq=2 ttl=64 time=30.918 ms

64 bytes from 172.16.254.6: seq=3 ttl=64 time=30.386 ms

64 bytes from 172.16.254.6: seq=4 ttl=64 time=30.788 ms

64 bytes from 172.16.254.6: seq=5 ttl=64 time=31.271 ms

--- 172.16.254.6 ping statistics ---

6 packets transmitted, 6 packets received, 0% packet loss

round-trip min/avg/max = 29.536/30.520/31.271 ms

Ping peer IP from the client:

ping 172.16.254.5

PING 172.16.254.5 (172.16.254.5): 56 data bytes

^C

--- 172.16.254.5 ping statistics ---

7 packets transmitted, 0 packets received, 100% packet loss

Ping tun21's IP on the server from the client:

ping 172.16.254.1

PING 172.16.254.1 (172.16.254.1): 56 data bytes

64 bytes from 172.16.254.1: seq=0 ttl=64 time=29.253 ms

64 bytes from 172.16.254.1: seq=1 ttl=64 time=31.730 ms

64 bytes from 172.16.254.1: seq=2 ttl=64 time=30.010 ms

^C

--- 172.16.254.1 ping statistics ---

3 packets transmitted, 3 packets received, 0% packet loss

round-trip min/avg/max = 29.253/30.331/31.730 ms

I tried adding a route to 10.1.30.0 (client LAN) on the server using the IP 172.16.254.6, but it will only let me map it to 172.16.254.2:

ip route add 10.1.30.0/24 via 172.16.254.6 dev tun21

RTNETLINK answers: No such process

ip route add 10.1.30.0/24 via 172.16.254.2 dev tun21

Pinging a host on the client LAN from the server — no dice:

PING 10.1.30.100 (10.1.30.100): 56 data bytes

--- 10.1.30.100 ping statistics ---

3 packets transmitted, 0 packets received, 100% packet loss

Pinging a host on the server LAN from the client — no dice:

ping 10.1.10.100

PING 10.1.10.100 (10.1.10.100): 56 data bytes

^C

--- 10.1.10.100 ping statistics ---

2 packets transmitted, 0 packets received, 100% packet loss

Logs from the server side:

LOG:1432700723,D,Client/x.x.x.x:44820 UDPv4 READ [81] from [AF_INET]x.x.x.x:44820: P_DATA_V1 kid=0 DATA len=80

LOG:1432700723,,Client/x.x.x.x:44820 MULTI: bad source address from client [10.1.30.100], packet dropped

LOG:1432700723,D,Client/x.x.x.x:44820 UDPv4 READ [81] from [AF_INET]x.x.x.x:44820: P_DATA_V1 kid=0 DATA len=80

LOG:1432700723,,Client/x.x.x.x:44820 MULTI: bad source address from client [10.1.30.106], packet dropped

LOG:1432700724,D,Client/x.x.x.x:44820 UDPv4 READ [81] from [AF_INET]x.x.x.x:44820: P_DATA_V1 kid=0 DATA len=80

LOG:1432700724,,Client/x.x.x.x:44820 MULTI: bad source address from client [10.1.30.110], packet dropped

2700729,,Client/x.x.x.x:44820 MULTI: bad source address from client [10.1.30.100], packet dropped

Logs from the client side:

LOG:1432686050,D,UDPv4 WRITE [81] to x.x.x.x:1198: P_DATA_V1 kid=0 DATA len=80

LOG:1432686050,D,UDPv4 WRITE [81] to x.x.x.x:1198: P_DATA_V1 kid=0 DATA len=80

LOG:1432686051,D,UDPv4 WRITE [81] to x.x.x.x:1198: P_DATA_V1 kid=0 DATA len=80

I even ran a tcpdump on both routers, and it turns out the packets from the LAN on the server side aren't even getting to the client router.

Any help would be appreciated.

Thanks

Best Answer

I resolved this by adding the following lines to my config:

route 10.1.30.0 255.255.255.0

push "route 10.1.10.0 255.255.255.0"

push "route 10.1.30.0 255.255.255.0"

and added the following for my client in the CCD folder:

less /tmp/etc/openvpn/server1/ccd/CALPHA

iroute 10.1.30.0 255.255.255.0
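The "MULTI: bad source address from client [...], packet dropped" lines in the question are OpenVPN's way of saying no iroute claims that source, and the answer fixes it with a route/iroute pair. The following is an added diagnostic, not code from the post or from OpenVPN, that parses constructed copies of those log lines plus the server config and ccd file and reports which route (server config) and iroute (ccd) lines are still missing; the function names, the sample data and the /24 assumption for the remote LAN are mine.

```python
import ipaddress
import re

# Constructed sample input modelled on the post: the server's "bad source address"
# log lines, the relevant server config lines, and an (initially empty) ccd file.
SERVER_LOG = """\
LOG:1432700723,,Client/x.x.x.x:44820 MULTI: bad source address from client [10.1.30.100], packet dropped
LOG:1432700723,,Client/x.x.x.x:44820 MULTI: bad source address from client [10.1.30.106], packet dropped
LOG:1432700724,,Client/x.x.x.x:44820 MULTI: bad source address from client [10.1.30.110], packet dropped
"""
SERVER_CONF = 'server 172.16.254.0 255.255.255.248\npush "route 10.1.10.0 255.255.255.0"\n'
CCD_CALPHA = ""  # nothing yet: without an iroute the server has no mapping for 10.1.30.0/24

BAD_SRC = re.compile(r"MULTI: bad source address from client \[(\d+(?:\.\d+){3})\]")
ROUTE = re.compile(r"^\s*route\s+(\S+)\s+(\S+)", re.M)    # server-side kernel route
IROUTE = re.compile(r"^\s*iroute\s+(\S+)\s+(\S+)", re.M)  # OpenVPN internal route (ccd)


def nets(pattern, text):
    """Parse 'route/iroute NETWORK NETMASK' lines into a set of networks."""
    return {ipaddress.ip_network(f"{a}/{m}", strict=False) for a, m in pattern.findall(text)}


def dropped_sources(log):
    """Source addresses the server refused because no iroute claims them."""
    return sorted({ipaddress.ip_address(ip) for ip in BAD_SRC.findall(log)})


def suggest_fix(log, server_conf, ccd, prefix=24):
    """Return (server_conf_lines, ccd_lines) needed so the dropped sources are accepted.

    The remote LAN is assumed to be the /prefix around each dropped source; the real
    mask comes from the client site's addressing plan, so treat the result as a hint."""
    routes, iroutes = nets(ROUTE, server_conf), nets(IROUTE, ccd)
    server_lines, ccd_lines = [], []
    for src in dropped_sources(log):
        if any(src in n for n in iroutes):
            continue  # an iroute already covers it, so the drop has some other cause
        lan = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        line = f"{lan.network_address} {lan.netmask}"
        if lan not in routes and f"route {line}" not in server_lines:
            server_lines.append(f"route {line}")   # kernel: send the LAN into the tun
        if f"iroute {line}" not in ccd_lines:
            ccd_lines.append(f"iroute {line}")     # OpenVPN: this client owns the LAN
    return server_lines, ccd_lines


if __name__ == "__main__":
    result = suggest_fix(SERVER_LOG, SERVER_CONF, CCD_CALPHA)
    for where, lines in zip(("server config", "ccd/CALPHA"), result):
        print(f"{where}: {lines}")
```

Note that iroute is matched by the certificate common name that names the ccd file, so the site-to-site client needs a CN of its own rather than one shared under duplicate-cn.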