OpenVPN on Asus WL-500gP

Hello,

Till yesterday my 500gp was running perfectly. Then I upgraded via ipkg and now openvpn seems to be weird.

My setup:

500gp, 1.9.2.7-7g
openvpn 2.0.9-1 (2.0.7 before)

client: Tunnelblick 3.0rc (Leopard)

If i connect from a client, everything works fine, the connection gets established. But somehow I can't connect to my fileserver via smb anymore. Ping gives me a "no buffer space available". The route gets pushed through (according to netstat).

Any ideas? I tried the new and old .conf files already. Tried to load in server and in xinetd mode, no changes.

Is there a way to downgrade to 2.0.7? Where can I find the old .ipk?

Thanks

Franz


Update: Played around with the box again, now it's working! Don't know why :) Maybe Re-installing the package solved the issue?

Tip:

Download any packages you have currently installed on a PC's harddisk. You never know if a new package will behave as it used to.

'ipkg list_installed' shows what you currently have.

download them from here:

http://ipkg.nslu2-linux.org/feeds/op.../cross/stable/

My openvpn is running and I am trying to make VOIP phone calles over it from the client PC.

When I try to ping my voip gateway (from the client PC) before making a phone call the ping is around 40 ms. When I do a VOIP phone call the sound quality is really poor and ping is around 3000 ms!!!!

http://i135.photobucket.com/albums/q...6/pingvoip.jpg

I did put a hi priority to openvpn port in QoS settings and the internet seems to be very fast over VOIP and Samba folder browsing as well, but it looks like when I run VOIP over it QoS does not keep it in high prioriry anymore or may be this is another issue????

I even disabled comp-lzo, but it did not help...

In general it was tested here,

http://openvpn.net/archive/openvpn-u.../msg00389.html

and here
http://www.networkworld.com/reviews/...voip-test.html


but again it is not working in my case for some stupid reason....

and here is the VOIP test results (http://myspeed.visualware.com/voip/) from openvpn client side-

http://i135.photobucket.com/albums/q...pclientest.jpg


Any idea how to improve it?

Hello everybody

First I'd like to thanks Oleg and his crew for his work !

My question is quite simple (I'm a newbie). I'd like to install OpenVPN on my router (WL-500gp) after installing the last Oleg firmware but is it possible to do such a thing without any hard drive or usb key connected to the routeur ?

Does the router have enough internal memory for OpenVPN ?

Thanks a lot

well.......... it would be possible if you would have enough onboard flash space... but I think that is not the case:p
also vpn is quite havy so you need more ram, to get more ram you just use swap space, for wich you need a harddrive.

You can get a verry cheap usb drive with a few gig for a few euro's, they are really cheap these days:)

I've been running OpenVPN on a WL500gx (32 MB RAM) for some years from a USB stick, and on a WL500g (16 MB RAM) before that. On the WL500 gx i'm not using any swap memory when openvpn is running, though I'm not running Samba, FTP-server or NFS server. So there should be enough memory to run Openvpn.

As for running it from flashfs without a USB-stick it may be possible, the openvpn binary file is 760 kB and the configuration files are 10-15 kB, but this depends on how much you are allowed to store in flashfs. I prefer to use the USB-stick to make it easier to allocate static IP-addresses to clients.

As for performance, i got between 1 and 1,5 Mb/s throughput with compression disabled, if you enable compression the throughput is lower due to the slow CPU. Today openvpn the WL500gx is just runnning as a backup VPN-server while my primary server is a virtual machine running on a server to have more throughput. The openvpn on router is only used as a backup when the primary server is down for maintenance.

in short, yes this is possible without using a usb stick

the WL500gP has enough flashfs space to achieve this
currently I am testing two sets of this, and it runs for about 2 months now

I have to note, that everything else is turned off (samba etc..)

Thx a lot guys you are very helpfull I ll try this ASAP I woul have fix my new issue lol thx

I'm having problems to connect to my openvpn server from WAN side.
When I make the connection through a ssh tunnel(to test the vpn itself) the vpn comes up like it has to do, but when i change the remote option to my wan ip address I can't get a connection.
I tried both tcp and udp, but both protocols fail.
I searched through the archives and googled a lot, but every time i get errors which I can't explain according to all the examples and tutorials.

client version OpenVPN 2.1_rc9 (tried also the 2.09 stable version)
server version: 2.1_rc7-2

this is running on a asus wl500gP router with oleg firmware in 'home gateway' mode
wan interface is vlan1 with br0 as internal lan and tun0 as vpn tunnel

my server config file:

Code:

---

port 1194
proto tcp
dev tun
ca /opt/etc/easy-rsa/keys/ca.crt
cert /opt/etc/easy-rsa/keys/server.crt
dh /opt/etc/easy-rsa/keys/dh1024.pem
server 172.16.0.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /opt/var/log/openvpn-status.log
log-append  /opt/var/log/openvpn.log
verb 9
management localhost 7505

---

I added the following rules to iptables:

Code:

---

iptables -I INPUT -p tcp --dport 1194 -j ACCEPT
iptables -t nat -I PREROUTING -i $1 -p tcp --dport 1194 -j DNAT --to-destination $4:1194
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT

---

I get this error in the client:

Code:

---

Mon Aug 18 17:40:05 2008 OpenVPN 2.1_rc9 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Jul 31 2008
Mon Aug 18 17:40:05 2008 LZO compression initialized
Mon Aug 18 17:40:05 2008 Attempting to establish TCP connection with MY_IP:1194
Mon Aug 18 17:40:05 2008 TCP connection established with MY_IP:1194
Mon Aug 18 17:40:05 2008 TCPv4_CLIENT link local: [undef]
Mon Aug 18 17:40:05 2008 TCPv4_CLIENT link remote: MY_IP:1194
Mon Aug 18 17:40:05 2008 Connection reset, restarting [0]
Mon Aug 18 17:40:05 2008 SIGUSR1[soft,connection-reset] received, process restarting

---

Thanks in advance

Hi!

Can someone provide a tutorial/walkthrough on how to install and setup OpenVPN on the Asus WL-500gP router?

Basically there should be a client installed and setup to connect to a certain server so one can connect using the VPN or disconnect and use one's own connection.

Are there any guides for this? Or could someone explain how to configure it all? :)

Why don't you try?
http://www.wl500g.info/showthread.php?t=5312

I did not have any problem on my 500gP.

Tamadite's how-to worked like charm... I became happy user. Thanks

Hey Guys,

I have a wrinkle. I have OpenVPN installed and working just fine. Installation was made according to forum's tutorials. However, the way it works now is that openvpn starts via rc.unslung which basically means that it happens AFTER all drives have been mounted (I have an usb 160GB drive - swap partition, opt partition and normal partition there). And the problem is that if due to some reasons the drive will not mount OpenVPN will not start and I cannot even connect to see what's wrong. I haven't figured this out yet but sometimes my drive will not mount properly (ext3 partition used as a shared drive) due to errors. I have ef2sck scheduled to run after a certain number of mounts has been reached. It starts when the routes is rebooted,however, automatic check sometimes fails and I have to runn e2fsck manually, which is easy from lan side, but impossible from wan side (if the drive is not mounted, OpenVPN is not running so no connection to the router at all). From what I know, opt partition works just fine - no errors there.
As I'm now away from home for another two months and cannot do everything from the lan side, my question is if it is possible to set OpenVPN to start before partitions are mounted? This way even if they are not, I can access the router via telnet and see what is wrong (e.g. run e2fsck). I'm not an expert in linux. I think it should be possible, but any advice on how to do it is appreciated.
Another thing is the ability to access router from wan (not through vpn). I set this option in router's GUI, set port to 1024, but I cannot connect when i put my IP address:1024 in my browser. Probably it is a firewall issue This would be another way around my problem. Maybe somebody could write how to make this work, instead of diddling with OpenVPN.

Honestly, when it comes to iptables etc I'm not an expert at all. This is my post-firewall (acces from wan in Oleg's GUI is set to active, port set to 1024):

#OpenVPN access from WAN
iptables -D INPUT -j DROP
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -t nat -I PREROUTING -i eth1 -p udp --dport 1194 -j
DNAT
--to-destination $4:1194
iptables -A INPUT -j DROP

iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
iptables -I OUTPUT -o tun0 -j ACCEPT

P.S. FTP works fine from outside.

Quote:

---

#OpenVPN access from WAN
iptables -D INPUT -j DROP
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -t nat -I PREROUTING -i eth1 -p udp --dport 1194 -j DNAT --to-destination $4:1194
iptables -A INPUT -j DROP

iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
iptables -I OUTPUT -o tun0 -j ACCEPT

---

I have it a bit different...
you see that you have a so called chain there
usually you put the opening of ports between the 2 lines
"iptables -D INPUT -j DROP"
and
"iptables -A INPUT -j DROP"
but for openvpn you need to place the rules outside these 2 lines

example:

Quote:

---

iptables -D INPUT -j DROP
#your usual opened ports and rules...
iptables -A INPUT -j DROP

#OpenVPN settings
iptables -I INPUT -p tcp --dport 1234 -j ACCEPT
iptables -t nat -I PREROUTING -i eth1 -p tcp --dport 1234 -j DNAT --to-destination ${`nvram get lan_ipaddr`}:1234

#allow tun
iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
iptables -I OUTPUT -o tun0 -j ACCEPT

---

maybe you want to try a different port as well (lets say 1234 for this one:p)
since sometimes openvpn is listed in /etc/services
this might mess with your active openvpn installation
you can check it:

Quote:

---

cat /etc/services | grep 1194

---

about the harddrives... do you use fstab to mount?
sometimes it's required you make the folder before you mount anything...
this goes wrong usually during mounting with fstab or another(bad) way.
so in the pre-mount you can say to create a directory before the mounting script begins:

Quote:

---

mkdir -p /somewhere/to/mount

---

any better?:D

Thank you for advice. Maybe I complicated it too much, but my actual problem is not that OpenVPN does not work. It does pretty well. I can connect to my router from outside. The real problem is that OpenVPN starts after all drives have been mounted. If for some reason they are not mounted it will not start - and that is my concern. My question is therefore if it is possible to make OpenVPN start BEFORE drives are mounted?

The other way around I see is to make the router GUI and telnet accessible from WAN. I checked options in web-GUI but to no avail - I cannot connect to router from WAN, it does not respond. If I could, then even without OpenVPN working, I could see what is going on.

I posted post-firewall because I believe it is the culprit of not being able to connect to router from outside (not through OpenVPN). Once vpn connection is established it works perfectly fine, but for this all drives have to be mounted. If they are not there is no way I can connect to the router.

I hope this will clarify my problem :)

Quote:

---

Originally Posted by mateysz

My question is therefore if it is possible to make OpenVPN start BEFORE drives are mounted?

---

Well with some work maybe:p
If you are using the firmware from googlecode it would be the easiest since you'd have a proper crosscompiler with the right uclibc.

you see, the firmware and optware both use a different version of uclibc. SO if you would use the optware version of openvpn there might be compatibility issues when there is no optware uclibc library...

So pretty much you need to compile openvpn yourself, place it somewhere in flash and start it. It seems to be small enough:)

I don't know if you ever compiled something?
if you have linux (something like ubuntu) you can follow this how-to:
http://code.google.com/p/wl500g/wiki...CustomFirmware
just install the crosscompiler:

Quote:

---

mkdir -p /opt/brcm
tar -C /opt/brcm -jxvf hndtools-mipsel-uclibc-4.2.4.tar.bz2
ln -sf /opt/brcm/hndtools-mipsel-uclibc-4.2.4 /opt/brcm/hndtools-mipsel-uclibc
export PATH=$PATH:/opt/brcm/hndtools-mipsel-uclibc/bin

---

after that you can configure the sources by:

Quote:

---

./configure --prefix=/somewhere/to/save --host=mipsel-linux

---

To get access to router's GUI from WAN try:

Code:

---

iptables -I INPUT -p tcp --dport 1024 -j ACCEPT

---

If it does not work, execute

Code:

---

iptables -L INPUT -n -v

---

and paste the result here.

Regarding the dependencies you are having with OpenVPN and the mounting of drives, it sounds to me OpenVPN is configured to run something on one of the drives to mount, e.g. OpenVPN log. Try to configure OpenVPN so it is not depending on any drive to mount.

Hello,
I try to set up openvpn (tap mode) on a asus wl500gPv2.
The implementation of the server does not pose problem.
But on the clients (4) when I run openvpn, the connection fall. No ping, and no SSH ...
I tried with creating tap in manual and automatic, classical
openvpn - mktun - dev tap0
bridge addif br-lan tap0
ifconfig tap0 0.0.0.0 promisc up
This procedure works but when I run openvpn, nothing?? the network is down.

NB: there is a problem of time but I installed ntpdate and I will update the time regularly.

System: Backfire OpenWrt 10.03
Thank a lot.

News :
it works
but I have to start openvpn without using the init script provided and by running openvpn - config myconf
And only on clients? if someone know why

I've openvpn running, and I'm not sure what you're saying:p
btw, for dd-wrt it would be probably better to post in their forums, since we don't have many dd-wrt experts here.

I still give it a shot tho:p

I have additional firewall rules in oleg to make things work:

Quote:

---

#allow tun
iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
iptables -I OUTPUT -o tun0 -j ACCEPT

---

makes sure you can ping and everything:)

and... openvpn clients should be tested outside your router, not in the LAN, otherwise it usually doesn't work because it messes with the routing;)

for clients config (windows vista and above) you need 2 extra lines of config btw.. don't have them here atm:p

At my office I have a server running OpenVPN. At home I have a WL500gP with Open VPN as a client. I can connect to my office server and ping the network.
At home I want to use the WL500 as a router to my office's network but the traffic isn't going there... I inserted 2 rules on the firewall to allow forwarding of the traffic from and to tun0.
My question is: do I need masquerading? I just want a plain router...

247 166K ACCEPT all -- * tun0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0

You have to use "route", not "iptables"

This is my route table:

Destination Gateway Genmask Flags Metric Ref Use Iface
10.64.64.64 * 255.255.255.255 UH 0 0 0 ppp0
192.168.3.13 * 255.255.255.255 UH 0 0 0 tun0
192.168.3.0 192.168.3.13 255.255.255.0 UG 0 0 0 tun0
192.168.2.0 * 255.255.255.0 U 0 0 0 br0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 10.64.64.64 0.0.0.0 UG 0 0 0 ppp0

My WL500 pings 192.168.3.0 network but the clients that connect to WL500 through the br0 interface can't. I think that the problem is that tun0 is a WAN interface so it's blocked. How can I change this to a LAN interface?

Quote:

---

Originally Posted by AlexSantos

This is my route table:

Destination Gateway Genmask Flags Metric Ref Use Iface
10.64.64.64 * 255.255.255.255 UH 0 0 0 ppp0
192.168.3.13 * 255.255.255.255 UH 0 0 0 tun0
192.168.3.0 192.168.3.13 255.255.255.0 UG 0 0 0 tun0
192.168.2.0 * 255.255.255.0 U 0 0 0 br0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 10.64.64.64 0.0.0.0 UG 0 0 0 ppp0

My WL500 pings 192.168.3.0 network but the clients that connect to WL500 through the br0 interface can't. I think that the problem is that tun0 is a WAN interface so it's blocked. How can I change this to a LAN interface?

---

Can you ping 192.168.3.13?

No.
From my Ubuntu PC at home I can ping 192.168.3.14 (which is the IP of the WL500) but I cannot ping 192.168.3.13 (which is the IP of the OpenVPN ppp server)

Quote:

---

Originally Posted by AlexSantos

No.
From my Ubuntu PC at home I can ping 192.168.3.14 (which is the IP of the WL500) but I cannot ping 192.168.3.13 (which is the IP of the OpenVPN ppp server)

---

Can you paste here your ifconfig of your WL500?

br0 Link encap:Ethernet HWaddr 00:18:F3:98:D2:06
inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8554 errors:0 dropped:0 overruns:0 frame:0
TX packets:8358 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:744153 (726.7 KiB) TX bytes:4008980 (3.8 MiB)

eth0 Link encap:Ethernet HWaddr 00:18:F3:98:D2:06
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8553 errors:0 dropped:0 overruns:0 frame:0
TX packets:11901 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:932261 (910.4 KiB) TX bytes:4269164 (4.0 MiB)
Interrupt:4 Base address:0x1000

eth1 Link encap:Ethernet HWaddr 00:18:F3:98:D2:06
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:29681
TX packets:0 errors:1 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:12 Base address:0x2000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
RX packets:8548 errors:0 dropped:0 overruns:0 frame:0
TX packets:8548 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:734772 (717.5 KiB) TX bytes:734772 (717.5 KiB)

ppp0 Link encap:Point-Point Protocol
inet addr:93.102.43.55 P-t-P:10.64.64.64 Mask:255.255.255.255
UP POINTOPOINT RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3612 errors:0 dropped:0 overruns:0 frame:0
TX packets:3260 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:2456236 (2.3 MiB) TX bytes:439117 (428.8 KiB)

tun0 Link encap:Point-Point Protocol
inet addr:192.168.3.14 P-t-P:192.168.3.13 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

vlan0 Link encap:Ethernet HWaddr 00:18:F3:98:D2:06
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8553 errors:0 dropped:0 overruns:0 frame:0
TX packets:11901 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:778307 (760.0 KiB) TX bytes:4269164 (4.0 MiB)



Routing Table

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.64.64.64 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.3.13 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.3.0 192.168.3.13 255.255.255.0 UG 0 0 0 tun0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
192.168.1.0 192.168.3.13 255.255.255.0 UG 0 0 0 tun0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 10.64.64.64 0.0.0.0 UG 0 0 0 ppp0

Have you checked? http://wl500g.info/showthread.php?t=5312

pay special attention to the firewall rules.

Despite being just a static router I missed a NAT rule in iptables.

Chain POSTROUTING (policy ACCEPT 15603 packets, 1038K bytes)
pkts bytes target prot opt in out source destination
8 672 MASQUERADE all -- * tun0 192.168.2.0/24 192.168.3.0/24

My OpenVPN server (192.168.3.1) sees all machines behind my WL500 as 192.168.3.14 because of the NAT rule, which isn't what I intended to do the first place.
How can I make WL500 just route the traffic without masquerading?

Quote:

---

Originally Posted by AlexSantos

Despite being just a static router I missed a NAT rule in iptables.

Chain POSTROUTING (policy ACCEPT 15603 packets, 1038K bytes)
pkts bytes target prot opt in out source destination
8 672 MASQUERADE all -- * tun0 192.168.2.0/24 192.168.3.0/24

---

Hello,

before I submit any configurations etc, I would like to know from anyone's
previous experience why an OpenVPN client (router) freezes suddenly after
1st ping replayed, at 3 seconds of running ? It's non-responsive (request
timed outs, cannot access it through ssh, gui etc), so I have to re-plug the
power cord.

I just saw in GUI how the Router's CPU is loaded, then freezes.
The certificates are ok, the configurations looks fine; The Router#1 (server)
accept and serves very well the others OpenVPN PC clients from WAN
(internet/intermediary upstream lan).

Thank you


I can provide both logs (client & server) with 3(default) and 9 verbose levels.
Both routers has 2.1.4-2 OpenVPN packages installed.

The scheme is like:

...........................Router#3's lan[10.10.10.0/24](cisco)
.........................../.................................................\
[Router#1-OpenVPN-Server]>[tunnel 10.8.0.0]<[Router#2-OpenVPN-Client]
(wl-500gp v1)............................................(wl-500gp v2)
......(both LAN: 192.168.0.0/24, both WAN: 10.10.10.0/24)

I left 1st router on 192.168.0.0/24 network and 2nd router on 192.168.1.0/24.

Not freezing anymore.

Hello,

I am using a vpn routed configuration (see below)
and I am trying to connect two lans.
At this moment I am able to ping:

1) from pc's from asus-vpn-server's lan (192.168.0.1):
- ping 10.8.0.1 OK
- ping 10.8.0.4 OK
- ping 192.168.1.222 Request timed out.
- ping 192.168.1.1 Request timed out.

2) from asus-vpn-server (192.168.0.111):
- ping 10.8.0.4 OK
- ping 192.168.1.222 Request timed out.
- ping 192.168.1.1 Request timed out.

3) from asus-vpn-client (192.168.1.222):
- ping 10.8.0.1 OK
- ping 192.168.0.111 OK
- ping 192.168.0.1 OK

4) from pc's from asus-vpn-client's lan (192.168.1.1):
- ping 10.8.0.1 Request timed out.
- ping 10.8.0.4 OK
- ping 192.168.0.111 Request timed out.
- ping 192.168.0.1 Request timed out.

I already added a route to asus-vpn-client (192.168.1.222),
but without success (can't ping remote pc's from server's lan):
route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.1.222

I need a hint, I am out of resources, I searched and read a lot...
Thank you very much

-------------------------------------------------
--------------Configuration----------------------
-------------------------------------------------

WL-500gP1 (OpenVPN Server)
---------
LAN: 192.168.0.111 255.255.255.0
WAN: 10.10.10.10 255.255.255.0 (GW: 10.10.10.1)
VPN: 10.8.0.1 255.255.255.0

WL-500gP2 (OpenVPN Client)
---------
LAN: 192.168.1.222 255.255.255.0
WAN: 10.10.10.11 255.255.255.0 (GW: 10.10.10.1)
VPN: 10.8.0.4 255.255.255.0

----------
1. Server:
----------

/usr/local/sbin/post-firewall
=============================
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I INPUT -m udp -p udp --dport 1194 -j ACCEPT

/opt/etc/init.d/S50openvpn
==========================
# start
# ...
insmod tun.o
echo 1 > /proc/sys/net/ipv4/ip_forward
/opt/sbin/openvpn --cd /opt/etc/openvpn --daemon --config /opt/etc/openvpn/server.conf

# stop
# ...
killall openvpn 2> /dev/null
echo 0 > /proc/sys/net/ipv4/ip_forward
rmmod tun

/opt/etc/openvpn/server.conf
============================
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
ifconfig-pool-persist /opt/etc/openvpn/ipp.txt
### content of ipp.txt:
### Client,10.8.0.4
ca /opt/etc/openvpn/easy-rsa/keys/ca.crt
cert /opt/etc/openvpn/easy-rsa/keys/server.crt
key /opt/etc/openvpn/easy-rsa/keys/server.key
dh /opt/etc/openvpn/easy-rsa/keys/dh1024.pem
tls-auth /opt/etc/openvpn/easy-rsa/keys/ta.key 0
cipher BF-CBC
push "route 192.168.0.0 255.255.255.0"
topology subnet
log-append /opt/var/log/openvpn.log
verb 3
script-security 2
up /opt/etc/openvpn/openvpn.up
### content of openvpn.up:
### #!/bin/sh
### route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.0.111
down /opt/etc/openvpn/openvpn.down
user nobody
group nobody
comp-lzo
persist-tun
persist-key
keepalive 10 60

----------
2. Client:
----------

/opt/etc/init.d/S50openvpn
==========================
# start
# ...
insmod tun.o
echo 1 > /proc/sys/net/ipv4/ip_forward
/opt/sbin/openvpn --cd /opt/etc/openvpn --daemon --config /opt/etc/openvpn/client.conf

# stop
# ...
killall openvpn 2> /dev/null
echo 0 > /proc/sys/net/ipv4/ip_forward
rmmod tun

/usr/local/sbin/post-firewall
=============================
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I INPUT -m udp -p udp --dport 1194 -j ACCEPT

/opt/etc/openvpn/client.conf
============================
client
remote 10.10.10.10 1194
proto udp
dev tun
resolv-retry infinite
nobind
ca /opt/etc/openvpn/easy-rsa/keys/ca.crt
cert /opt/etc/openvpn/easy-rsa/keys/client.crt
key /opt/etc/openvpn/easy-rsa/keys/client.key
tls-auth /opt/etc/openvpn/easy-rsa/keys/ta.key 1
cipher BF-CBC
ns-cert-type server
log-append /opt/var/log/openvpn.log
verb 3
script-security 2
comp-lzo
persist-tun
persist-key
user nobody
group nobody
keepalive 10 60

I am able to ping from 192.168.1.0/24 hosts the hosts from 192.168.0.0/24

I added the following line in client's configuration (client.conf):

up /opt/etc/openvpn/openvpn.up

### content of openvpn.up:
#!/bin/sh
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o tun+ -j MASQUERADE

According to OpenVPN's documentation,
http://openvpn.net/index.php/open-so...wto.html#scope
I added:

1. two other lines in server's configuration (../server.conf):
---
client-config-dir /opt/etc/openvpn/ccd
route 192.168.1.0 255.255.255.0 10.8.0.1
---

2. also, in the above directory (../ccd)created a file named "ABCD",
where ABCD is the content of "CN" field from the certificate-file
/opt/etc/openvpn/easy-rsa/keys/client.crt

This file contains:
---
iroute 192.168.1.0 255.255.255.0
---

The results are:

- can ping the client's pcs from the server
- cannot ping the client's pcs from the server's lan
- cannot ping anymore the server's pcs from the client's lan
- cannot ping anymore the server's pcs from the client

Throwing my eyes on net, I have read:
https://community.openvpn.net/openvpn/ticket/90

and finally add:

1. to client's file /opt/etc/openvpn/openvpn.up
---
route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.8.0.5
---

2. to server's file /opt/etc/openvpn/server.conf
---
## this line, erased >> topology subnet
## this line, erased too >> route 192.168.1.0 255.255.255.0 10.8.0.1
## add new line, below:
route 192.168.1.0 255.255.255.0
---

3. to server's file /opt/etc/openvpn/openvpn.up
---
iptables -t nat -A POSTROUTING -s 10.8.0.1/24 -o br0 -j MASQUERADE
---

Now I can ping everything. Happy Happy Joy Joy !!!

Hope it helps any other people who crush his/her
head with site-to-site routed OpenVPN on Asus/etc