
Thread: OpenVPN on Asus WL-500gP

  1. #31

    solved

    I left 1st router on 192.168.0.0/24 network and 2nd router on 192.168.1.0/24.

    Not freezing anymore.

  2. #32

    OpenVPN 2.1.4 Site-to-Site routed configuration question

    Hello,

    I am using a VPN routed configuration (see below)
    and I am trying to connect two LANs.
    At this moment I am able to ping:

    1) from PCs on asus-vpn-server's LAN (192.168.0.1):
    - ping 10.8.0.1 OK
    - ping 10.8.0.4 OK
    - ping 192.168.1.222 Request timed out.
    - ping 192.168.1.1 Request timed out.

    2) from asus-vpn-server (192.168.0.111):
    - ping 10.8.0.4 OK
    - ping 192.168.1.222 Request timed out.
    - ping 192.168.1.1 Request timed out.

    3) from asus-vpn-client (192.168.1.222):
    - ping 10.8.0.1 OK
    - ping 192.168.0.111 OK
    - ping 192.168.0.1 OK

    4) from PCs on asus-vpn-client's LAN (192.168.1.1):
    - ping 10.8.0.1 Request timed out.
    - ping 10.8.0.4 OK
    - ping 192.168.0.111 Request timed out.
    - ping 192.168.0.1 Request timed out.

    I already added a route to asus-vpn-client (192.168.1.222),
    but without success (can't ping remote PCs from the server's LAN):
    route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.1.222

    I need a hint, I am out of resources, I searched and read a lot...
    Thank you very much

    -------------------------------------------------
    --------------Configuration----------------------
    -------------------------------------------------

    WL-500gP1 (OpenVPN Server)
    ---------
    LAN: 192.168.0.111 255.255.255.0
    WAN: 10.10.10.10 255.255.255.0 (GW: 10.10.10.1)
    VPN: 10.8.0.1 255.255.255.0

    WL-500gP2 (OpenVPN Client)
    ---------
    LAN: 192.168.1.222 255.255.255.0
    WAN: 10.10.10.11 255.255.255.0 (GW: 10.10.10.1)
    VPN: 10.8.0.4 255.255.255.0

    ----------
    1. Server:
    ----------

    /usr/local/sbin/post-firewall
    =============================
    iptables -I OUTPUT -o tun+ -j ACCEPT
    iptables -I FORWARD -o tun+ -j ACCEPT
    iptables -I FORWARD -i tun+ -j ACCEPT
    iptables -I INPUT -i tun+ -j ACCEPT
    iptables -I INPUT -m udp -p udp --dport 1194 -j ACCEPT

    /opt/etc/init.d/S50openvpn
    ==========================
    # start
    # ...
    insmod tun.o
    echo 1 > /proc/sys/net/ipv4/ip_forward
    /opt/sbin/openvpn --cd /opt/etc/openvpn --daemon --config /opt/etc/openvpn/server.conf

    # stop
    # ...
    killall openvpn 2> /dev/null
    echo 0 > /proc/sys/net/ipv4/ip_forward
    rmmod tun

    /opt/etc/openvpn/server.conf
    ============================
    port 1194
    proto udp
    dev tun
    server 10.8.0.0 255.255.255.0
    ifconfig 10.8.0.1 10.8.0.2
    ifconfig-pool-persist /opt/etc/openvpn/ipp.txt
    ### content of ipp.txt:
    ### Client,10.8.0.4
    ca /opt/etc/openvpn/easy-rsa/keys/ca.crt
    cert /opt/etc/openvpn/easy-rsa/keys/server.crt
    key /opt/etc/openvpn/easy-rsa/keys/server.key
    dh /opt/etc/openvpn/easy-rsa/keys/dh1024.pem
    tls-auth /opt/etc/openvpn/easy-rsa/keys/ta.key 0
    cipher BF-CBC
    push "route 192.168.0.0 255.255.255.0"
    topology subnet
    log-append /opt/var/log/openvpn.log
    verb 3
    script-security 2
    up /opt/etc/openvpn/openvpn.up
    ### content of openvpn.up:
    ### #!/bin/sh
    ### route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.0.111
    down /opt/etc/openvpn/openvpn.down
    user nobody
    group nobody
    comp-lzo
    persist-tun
    persist-key
    keepalive 10 60

    ----------
    2. Client:
    ----------

    /opt/etc/init.d/S50openvpn
    ==========================
    # start
    # ...
    insmod tun.o
    echo 1 > /proc/sys/net/ipv4/ip_forward
    /opt/sbin/openvpn --cd /opt/etc/openvpn --daemon --config /opt/etc/openvpn/client.conf

    # stop
    # ...
    killall openvpn 2> /dev/null
    echo 0 > /proc/sys/net/ipv4/ip_forward
    rmmod tun

    /usr/local/sbin/post-firewall
    =============================
    iptables -I OUTPUT -o tun+ -j ACCEPT
    iptables -I FORWARD -o tun+ -j ACCEPT
    iptables -I FORWARD -i tun+ -j ACCEPT
    iptables -I INPUT -i tun+ -j ACCEPT
    iptables -I INPUT -m udp -p udp --dport 1194 -j ACCEPT

    /opt/etc/openvpn/client.conf
    ============================
    client
    remote 10.10.10.10 1194
    proto udp
    dev tun
    resolv-retry infinite
    nobind
    ca /opt/etc/openvpn/easy-rsa/keys/ca.crt
    cert /opt/etc/openvpn/easy-rsa/keys/client.crt
    key /opt/etc/openvpn/easy-rsa/keys/client.key
    tls-auth /opt/etc/openvpn/easy-rsa/keys/ta.key 1
    cipher BF-CBC
    ns-cert-type server
    log-append /opt/var/log/openvpn.log
    verb 3
    script-security 2
    comp-lzo
    persist-tun
    persist-key
    user nobody
    group nobody
    keepalive 10 60
    Last edited by fukushimaku; 05-05-2011 at 15:19. Reason: Request timed out (instead of no response, my mistake)

  3. #33

    solved 1/2

    I am able to ping the hosts in 192.168.0.0/24 from the 192.168.1.0/24 hosts.

    I added the following line in client's configuration (client.conf):

    up /opt/etc/openvpn/openvpn.up

    ### content of openvpn.up:
    #!/bin/sh
    iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o tun+ -j MASQUERADE

  4. #34

    Solved 100%

    According to OpenVPN's documentation,
    http://openvpn.net/index.php/open-so...wto.html#scope
    I added:

    1. two other lines in server's configuration (../server.conf):
    ---
    client-config-dir /opt/etc/openvpn/ccd
    route 192.168.1.0 255.255.255.0 10.8.0.1
    ---

    2. also, in the above directory (../ccd), I created a file named "ABCD",
    where ABCD is the content of the "CN" field from the certificate file
    /opt/etc/openvpn/easy-rsa/keys/client.crt

    This file contains:
    ---
    iroute 192.168.1.0 255.255.255.0
    ---

    The results are:

    - can ping the client's PCs from the server
    - cannot ping the client's PCs from the server's LAN
    - can no longer ping the server's PCs from the client's LAN
    - can no longer ping the server's PCs from the client

    Looking around on the net, I read:
    https://community.openvpn.net/openvpn/ticket/90

    and finally added:

    1. to client's file /opt/etc/openvpn/openvpn.up
    ---
    route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.8.0.5
    ---

    2. to server's file /opt/etc/openvpn/server.conf
    ---
    ## this line, erased >> topology subnet
    ## this line, erased too >> route 192.168.1.0 255.255.255.0 10.8.0.1
    ## add new line, below:
    route 192.168.1.0 255.255.255.0
    ---

    3. to server's file /opt/etc/openvpn/openvpn.up
    ---
    iptables -t nat -A POSTROUTING -s 10.8.0.1/24 -o br0 -j MASQUERADE
    ---

    Now I can ping everything. Happy Happy Joy Joy !!!

    Hope it helps anyone else who is banging his/her
    head against site-to-site routed OpenVPN on Asus/etc.
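
An added example, not part of the thread or of OpenVPN itself: a Python check for the routing rules the posts above converge on. Each client-side LAN needs an `iroute` in that client's ccd file plus a matching `route` and a `client-config-dir` in server.conf, and it must not overlap the LAN the server pushes (the clash post #31 avoided by renumbering). The function names and the reduced sample configs are constructed for illustration and assume numeric addresses.

```python
import ipaddress
import shlex

def directives(text):
    """Tokenise OpenVPN config text, skipping blank lines and '#' / ';' comments."""
    rows = []
    for line in text.splitlines():
        if line.lstrip().startswith(";"):
            continue
        tokens = shlex.split(line, comments=True)
        if tokens:
            rows.append(tokens)
    return rows

def net(addr, mask="255.255.255.255"):
    """Network from 'addr [netmask]'; OpenVPN defaults the mask to a host route."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit(server_conf, ccd_files):
    """ccd_files maps certificate CN -> ccd file text. Returns a list of findings."""
    conf = directives(server_conf)
    routes = {net(*t[1:3]) for t in conf if t[0] == "route" and len(t) > 1}
    pushed = {net(*t[1].split()[1:3]) for t in conf
              if t[0] == "push" and len(t) > 1 and t[1].startswith("route ")}
    iroutes = {net(*t[1:3]): cn for cn, text in ccd_files.items()
               for t in directives(text) if t[0] == "iroute" and len(t) > 1}
    findings = []
    if iroutes and not any(t[0] == "client-config-dir" for t in conf):
        findings.append("ccd files present but server.conf lacks client-config-dir")
    for n, cn in sorted(iroutes.items()):
        if n not in routes:
            findings.append(f"{n}: iroute ({cn}) without a server 'route'")
        findings += [f"{n}: overlaps pushed server LAN {p}" for p in pushed if p.overlaps(n)]
    findings += [f"{n}: server 'route' without an iroute in any ccd file"
                 for n in sorted(routes - set(iroutes))]
    return findings

# Constructed samples, reduced from the configs quoted in the thread.
BEFORE = 'server 10.8.0.0 255.255.255.0\npush "route 192.168.0.0 255.255.255.0"\n'
AFTER = BEFORE + ("client-config-dir /opt/etc/openvpn/ccd\n"
                  "route 192.168.1.0 255.255.255.0\n")
CCD = {"ABCD": "iroute 192.168.1.0 255.255.255.0\n"}

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(conf, CCD) or "consistent")
```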
