I left 1st router on 192.168.0.0/24 network and 2nd router on 192.168.1.0/24.
Not freezing anymore.
Hello,
I am using a vpn routed configuration (see below)
and I am trying to connect two lans.
At this moment I am able to ping:
1) from PCs on asus-vpn-server's LAN (192.168.0.1):
- ping 10.8.0.1 OK
- ping 10.8.0.4 OK
- ping 192.168.1.222 Request timed out.
- ping 192.168.1.1 Request timed out.
2) from asus-vpn-server (192.168.0.111):
- ping 10.8.0.4 OK
- ping 192.168.1.222 Request timed out.
- ping 192.168.1.1 Request timed out.
3) from asus-vpn-client (192.168.1.222):
- ping 10.8.0.1 OK
- ping 192.168.0.111 OK
- ping 192.168.0.1 OK
4) from PCs on asus-vpn-client's LAN (192.168.1.1):
- ping 10.8.0.1 Request timed out.
- ping 10.8.0.4 OK
- ping 192.168.0.111 Request timed out.
- ping 192.168.0.1 Request timed out.
I already added a route to asus-vpn-client (192.168.1.222),
but without success (can't ping remote PCs from the server's LAN):
route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.1.222
I need a hint; I am out of resources, I have searched and read a lot...
Thank you very much
-------------------------------------------------
--------------Configuration----------------------
-------------------------------------------------
WL-500gP1 (OpenVPN Server)
---------
LAN: 192.168.0.111 255.255.255.0
WAN: 10.10.10.10 255.255.255.0 (GW: 10.10.10.1)
VPN: 10.8.0.1 255.255.255.0
WL-500gP2 (OpenVPN Client)
---------
LAN: 192.168.1.222 255.255.255.0
WAN: 10.10.10.11 255.255.255.0 (GW: 10.10.10.1)
VPN: 10.8.0.4 255.255.255.0
----------
1. Server:
----------
/usr/local/sbin/post-firewall
=============================
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I INPUT -m udp -p udp --dport 1194 -j ACCEPT
/opt/etc/init.d/S50openvpn
==========================
# start
# ...
insmod tun.o
echo 1 > /proc/sys/net/ipv4/ip_forward
/opt/sbin/openvpn --cd /opt/etc/openvpn --daemon --config /opt/etc/openvpn/server.conf
# stop
# ...
killall openvpn 2> /dev/null
echo 0 > /proc/sys/net/ipv4/ip_forward
rmmod tun
/opt/etc/openvpn/server.conf
============================
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
ifconfig-pool-persist /opt/etc/openvpn/ipp.txt
### content of ipp.txt:
### Client,10.8.0.4
ca /opt/etc/openvpn/easy-rsa/keys/ca.crt
cert /opt/etc/openvpn/easy-rsa/keys/server.crt
key /opt/etc/openvpn/easy-rsa/keys/server.key
dh /opt/etc/openvpn/easy-rsa/keys/dh1024.pem
tls-auth /opt/etc/openvpn/easy-rsa/keys/ta.key 0
cipher BF-CBC
push "route 192.168.0.0 255.255.255.0"
topology subnet
log-append /opt/var/log/openvpn.log
verb 3
script-security 2
up /opt/etc/openvpn/openvpn.up
### content of openvpn.up:
### #!/bin/sh
### route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.0.111
down /opt/etc/openvpn/openvpn.down
user nobody
group nobody
comp-lzo
persist-tun
persist-key
keepalive 10 60
----------
2. Client:
----------
/opt/etc/init.d/S50openvpn
==========================
# start
# ...
insmod tun.o
echo 1 > /proc/sys/net/ipv4/ip_forward
/opt/sbin/openvpn --cd /opt/etc/openvpn --daemon --config /opt/etc/openvpn/client.conf
# stop
# ...
killall openvpn 2> /dev/null
echo 0 > /proc/sys/net/ipv4/ip_forward
rmmod tun
/usr/local/sbin/post-firewall
=============================
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I INPUT -m udp -p udp --dport 1194 -j ACCEPT
/opt/etc/openvpn/client.conf
============================
client
remote 10.10.10.10 1194
proto udp
dev tun
resolv-retry infinite
nobind
ca /opt/etc/openvpn/easy-rsa/keys/ca.crt
cert /opt/etc/openvpn/easy-rsa/keys/client.crt
key /opt/etc/openvpn/easy-rsa/keys/client.key
tls-auth /opt/etc/openvpn/easy-rsa/keys/ta.key 1
cipher BF-CBC
ns-cert-type server
log-append /opt/var/log/openvpn.log
verb 3
script-security 2
comp-lzo
persist-tun
persist-key
user nobody
group nobody
keepalive 10 60
I am able to ping the hosts on 192.168.0.0/24 from the hosts on 192.168.1.0/24.
I added the following line to the client's configuration (client.conf):
up /opt/etc/openvpn/openvpn.up
### content of openvpn.up:
#!/bin/sh
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o tun+ -j MASQUERADE
According to OpenVPN's documentation,
http://openvpn.net/index.php/open-so...wto.html#scope
I added:
1. two other lines in server's configuration (../server.conf):
---
client-config-dir /opt/etc/openvpn/ccd
route 192.168.1.0 255.255.255.0 10.8.0.1
---
2. also, in the above directory (../ccd) created a file named "ABCD",
where ABCD is the content of the "CN" field of the certificate file
/opt/etc/openvpn/easy-rsa/keys/client.crt
This file contains:
---
iroute 192.168.1.0 255.255.255.0
---
The results are:
- can ping the client's pcs from the server
- cannot ping the client's pcs from the server's lan
- cannot ping anymore the server's pcs from the client's lan
- cannot ping anymore the server's pcs from the client
Looking around the net, I read:
https://community.openvpn.net/openvpn/ticket/90
and finally added:
1. to client's file /opt/etc/openvpn/openvpn.up
---
route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.8.0.5
---
2. to server's file /opt/etc/openvpn/server.conf
---
## this line, erased >> topology subnet
## this line, erased too >> route 192.168.1.0 255.255.255.0 10.8.0.1
## add new line, below:
route 192.168.1.0 255.255.255.0
---
3. to server's file /opt/etc/openvpn/openvpn.up
---
iptables -t nat -A POSTROUTING -s 10.8.0.1/24 -o br0 -j MASQUERADE
---
Now I can ping everything. Happy Happy Joy Joy !!!
Hope it helps other people banging their heads against
site-to-site routed OpenVPN on Asus etc.
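The working set in the last post is three separate things that are easy to mix up: a "route" in server.conf so the kernel sends the client LAN into tun, an "iroute" in ccd/<CN> so OpenVPN knows which connected client owns that LAN, and a return path for LAN hosts whose default gateway is not the VPN router (the PCs in the thread use .1, the routers are .111 and .222, so replies for the other site go to the wrong box unless either the gateway has a static route or the VPN router masquerades, as the poster ended up doing). The script below is an added example, not the poster's or OpenVPN's code: it does the subnet arithmetic, refuses a plan in which the two LANs or the tunnel subnet overlap (route/iroute select by prefix, so two sites on the same /24 cannot be joined this way), and prints the server-side pieces with forwarding limited to the two LANs rather than ACCEPT for anything on tun+. The addresses are the thread's, "ABCD" is the thread's CN placeholder, and br0 as the LAN bridge interface is taken from the final post; the LAN gateways (192.168.0.1 and 192.168.1.1) are assumed from the ping lists.

```sh
#!/bin/sh
# Added example (not the poster's or OpenVPN's code): plan a routed
# site-to-site OpenVPN link like the one in this thread, check the
# addressing, and print the server-side pieces. The calls at the bottom
# use the thread's addresses; "ABCD" is the thread's CN placeholder.

ip2int() {      # 192.168.1.222 -> 3232235998
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {      # 3232235998 -> 192.168.1.222
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
mask2cidr() {   # 255.255.255.0 -> 24 (count the set bits)
    m=$(ip2int "$1"); n=0
    while [ "$m" -ne 0 ]; do n=$(( n + (m & 1) )); m=$(( m >> 1 )); done
    echo "$n"
}
network() {     # 192.168.1.222 255.255.255.0 -> 192.168.1.0
    int2ip $(( $(ip2int "$1") & $(ip2int "$2") ))
}
overlaps() {    # succeeds if $1/$2 and $3/$4 share at least one address
    m=$(( $(ip2int "$2") & $(ip2int "$4") ))   # the shorter of the two masks
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$3") & m )) ]
}

# The three networks must be disjoint: route/iroute pick a destination by
# prefix, so two sites on the same /24 cannot be joined this way.
check_plan() {  # srv_lan srv_mask cli_lan cli_mask vpn_net vpn_mask
    overlaps "$1" "$2" "$3" "$4" && { echo "server LAN and client LAN overlap" >&2; return 1; }
    overlaps "$1" "$2" "$5" "$6" && { echo "tunnel net overlaps server LAN" >&2; return 1; }
    overlaps "$3" "$4" "$5" "$6" && { echo "tunnel net overlaps client LAN" >&2; return 1; }
    return 0
}

# server.conf lines: "route" puts the client LAN into the kernel table via
# tun; the matching "iroute" goes in ccd/<CN> (gen_ccd) so OpenVPN knows
# which client owns it; "push route" tells the client about the server LAN.
gen_server_conf() {  # srv_lan srv_mask cli_lan cli_mask vpn_net vpn_mask
    cat <<EOF
server $(network "$5" "$6") $6
client-config-dir /opt/etc/openvpn/ccd
route $(network "$3" "$4") $4
push "route $(network "$1" "$2") $2"
EOF
}
gen_ccd() {          # cn cli_lan cli_mask -> contents of ccd/<cn>
    echo "iroute $(network "$2" "$3") $3"
}

# Forwarding limited to the two LANs instead of ACCEPT for anything on tun+.
# br0 is the LAN bridge interface named in the thread's final post.
gen_firewall() {     # srv_lan srv_mask cli_lan cli_mask
    s="$(network "$1" "$2")/$(mask2cidr "$2")"
    c="$(network "$3" "$4")/$(mask2cidr "$4")"
    cat <<EOF
iptables -I FORWARD -i tun+ -o br0 -s $c -d $s -j ACCEPT
iptables -I FORWARD -i br0 -o tun+ -s $s -d $c -j ACCEPT
EOF
}

# Return path for LAN hosts whose default gateway is not the VPN router.
# A static route on that gateway keeps the real source addresses visible
# end to end; MASQUERADE on the VPN router (the thread's fix) needs no
# change on the gateway but hides which remote host is talking. If the
# other side masquerades too, as in the thread, match the tunnel net
# instead of the remote LAN as the source.
gen_return_path() {  # lan_gw vpn_router remote_lan remote_mask
    r="$(network "$3" "$4")/$(mask2cidr "$4")"
    echo "# on $1:              route add -net $(network "$3" "$4") netmask $4 gw $2"
    echo "# or on $2 (fallback): iptables -t nat -A POSTROUTING -s $r -o br0 -j MASQUERADE"
}

# Thread's addressing: server LAN 192.168.0.0/24, client LAN 192.168.1.0/24,
# tunnel 10.8.0.0/24, client certificate CN "ABCD".
check_plan 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 10.8.0.0 255.255.255.0 || exit 1
echo "--- server.conf"; gen_server_conf 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 10.8.0.0 255.255.255.0
echo "--- ccd/ABCD"; gen_ccd ABCD 192.168.1.222 255.255.255.0
echo "--- post-firewall"; gen_firewall 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
echo "--- return path"
gen_return_path 192.168.0.1 192.168.0.111 192.168.1.0 255.255.255.0
gen_return_path 192.168.1.1 192.168.1.222 192.168.0.0 255.255.255.0
```

The script is plain POSIX sh so it also runs on the router's busybox shell. Two things in the thread's configs are not generated and should not be copied as they stand: "cipher BF-CBC" (Blowfish has a 64-bit block, the SWEET32 class of attack, and current OpenVPN no longer enables it by default; use an AES-GCM cipher) and "dh1024.pem" (use at least 2048 bits); "ns-cert-type server" has been replaced by "remote-cert-tls server" in current OpenVPN.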