-1

Something is wrong with the routing tables and I cannot sort it out :( I need a hint; I do not know where to start digging.

I have two OpenVPN clients: one runs under Win10 and works fine; the second (DD-WRT) can't even ping the server.

OpenVPN server (TAP)

  • Local network 10.1.0.1/24
  • VPN network 10.7.0.1/24

Windows10 (10.7.0.9)

C:\Users>route print
Network Destination        Netmask          Gateway       Interface  Metric
      0.0.0.0          0.0.0.0      10.144.78.1    10.144.78.171     35
     10.1.0.0    255.255.255.0         10.7.0.1         10.7.0.9     35
     10.7.0.0    255.255.255.0         On-link          10.7.0.9    291
     10.7.0.9  255.255.255.255         On-link          10.7.0.9    291
   10.7.0.255  255.255.255.255         On-link          10.7.0.9    291
  10.144.78.0    255.255.255.0         On-link     10.144.78.171    291
10.144.78.171  255.255.255.255         On-link     10.144.78.171    291
10.144.78.255  255.255.255.255         On-link     10.144.78.171    291
    127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
    127.0.0.1  255.255.255.255         On-link         127.0.0.1    331

DD-WRT (10.7.0.2)

root@gw2:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.33.93.1 0.0.0.0 UG 0 0 0 vlan2
10.1.0.0 10.7.0.1 255.255.255.0 UG 0 0 0 tap1
10.2.0.0 * 255.255.255.0 U 0 0 0 br0
10.7.0.0 * 255.255.255.0 U 0 0 0 tap1
10.7.0.2 * 255.255.255.255 UH 0 0 0 tap1 <- (I added this one myself to make the routing table similar to the Windows one. Normally OpenVPN does not generate this route; anyway, it does not help)
10.33.93.0 * 255.255.255.0 U 0 0 0 vlan2
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
169.254.0.0 * 255.255.0.0 U 0 0 0 br0

root@gw2:~# traceroute 10.1.0.1
traceroute to 10.1.0.1 (10.1.0.1), 30 hops max, 38 byte packets
 1  10.7.0.2 (10.7.0.2)  2990.779 ms !H  2989.172 ms !H  2996.663 ms !H
root@gw2:~# traceroute 10.7.0.1
traceroute to 10.7.0.1 (10.7.0.1), 30 hops max, 38 byte packets
 1  10.7.0.2 (10.7.0.2)  2999.152 ms !H  2996.294 ms !H  2996.662 ms !H
root@gw2:~# traceroute 10.7.0.9
traceroute to 10.7.0.9 (10.7.0.9), 30 hops max, 38 byte packets
 1  10.7.0.2 (10.7.0.2)  2993.690 ms !H  2995.924 ms !H  2996.669 ms !H

Windows 10 OpenVPN config

proto tcp-client
remote XXX 1194
dev tap

nobind
persist-key

tls-client
ca ca.crt
cert da2.crt
key da2.key

verb 3
ns-cert-type server
cipher AES-256-CBC
auth SHA1
pull

auth-user-pass auth.cfg

route 10.1.0.0 255.255.255.0

DD-WRT OpenVPN config

root@gw2:~# ps w | grep openvpn
31434 root      3448 S    openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/route-up.sh --down-pre /tmp/openvpncl/route-down.sh --daemon

root@gw2:~# cat /tmp/openvpncl/openvpn.conf 
ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
key /tmp/openvpncl/client.key
management 127.0.0.1 16
management-log-cache 100
verb 3
mute 3
syslog
writepid /var/run/openvpncl.pid
client
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 2
dev tap1
proto tcp-client
cipher aes-128-cbc
auth sha1
auth-user-pass /tmp/openvpncl/credentials
remote XXX 1194
comp-lzo no
tun-mtu 1500
mtu-disc yes
route 10.1.0.0 255.255.255.0
#ping 20
#ping-restart 60

root@gw2:~# cat /tmp/openvpncl/route-up.sh
#!/bin/sh
# Runs once the tunnel is up. Each rule is deleted first so that a reconnect
# does not stack duplicate copies, then (re)inserted at the top of its chain.
# NAT everything leaving through tap1 behind the tunnel address (10.7.0.2).
iptables -D POSTROUTING -t nat -o tap1 -j MASQUERADE
iptables -I POSTROUTING -t nat -o tap1 -j MASQUERADE
# Accept inbound traffic arriving on tap1.
iptables -D INPUT -i tap1 -j ACCEPT
iptables -I INPUT -i tap1 -j ACCEPT

UPD1: observing with tcpdump:

root@gw2:~# tcpdump -i lo icmp
15:42:14.922679 IP 10.7.0.2 > 10.7.0.2: ICMP host 10.1.0.1 unreachable, length 46
15:42:17.920105 IP 10.7.0.2 > 10.7.0.2: ICMP host 10.1.0.1 unreachable, length 46
15:42:20.917525 IP 10.7.0.2 > 10.7.0.2: ICMP host 10.1.0.1 unreachable, length 46

Looks like an infinite loop for some reason. It jumps from 10.7.0.2 to 10.7.0.2. Which hop should be next? 10.7.0.1?

  • This needs at least the configs... – gxx Sep 12 '17 at 20:26
  • @gf_ First of all I have to apologize. Somehow I accidentally duplicated the same routing table; Windows has a slightly different one, updated. What kind of configs do you need? The OpenVPN server is running under RouterOS (Mikrotik). ROS generates its own OpenVPN config at runtime, but there is no way to have a glance under the hood. I have posted the two clients' configs + the dd-wrt route-up.sh script. I have a feeling that masquerade is a clue. – danilabagroff Sep 12 '17 at 22:06
  • Capture the packets on the router and look into them, via Wireshark for example. – gxx Sep 12 '17 at 22:19
  • @gf_ I can't use Wireshark on DD-WRT. tcpdump gives me a lot, but not enough though :) – danilabagroff Sep 13 '17 at 13:07
  • Capture the packets via tcpdump on the router, download them to your machine, and have a look inside via Wireshark. – gxx Sep 13 '17 at 13:26
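
Added example (editor's, not code from the question or from either answer): a longest-prefix lookup over the DD-WRT routing table quoted above, plus an interpretation of the `!H` hops. The route table and the traceroute hop line are transcribed from the question as constructed sample input; the function and dictionary key names are this example's own. What it shows: for 10.1.0.1 the kernel picks next hop 10.7.0.1 via tap1, and 10.7.0.1 / 10.7.0.9 are on-link via tap1, so the lookup itself is sound. On Linux, a `!H` reported from the probing host's own address (with the matching "10.7.0.2 > 10.7.0.2 ICMP host unreachable" on lo) is what the kernel produces when ARP for the next hop on the chosen interface gets no answer, i.e. Ethernet frames are not crossing the tap. That points at the tunnel itself rather than at the routes, which is consistent with the accepted answer below.

```python
import ipaddress
import re

# Constructed sample input: the DD-WRT routing table quoted in the question,
# transcribed verbatim (the poster's hand-added /32 host route included).
DDWRT_ROUTE_OUTPUT = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.33.93.1 0.0.0.0 UG 0 0 0 vlan2
10.1.0.0 10.7.0.1 255.255.255.0 UG 0 0 0 tap1
10.2.0.0 * 255.255.255.0 U 0 0 0 br0
10.7.0.0 * 255.255.255.0 U 0 0 0 tap1
10.7.0.2 * 255.255.255.255 UH 0 0 0 tap1
10.33.93.0 * 255.255.255.0 U 0 0 0 vlan2
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
169.254.0.0 * 255.255.0.0 U 0 0 0 br0
"""

# Constructed sample input: one hop line from the poster's traceroute output.
TRACEROUTE_HOP = " 1  10.7.0.2 (10.7.0.2)  2990.779 ms !H  2989.172 ms !H  2996.663 ms !H"

HOP_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\(([\d.]+)\)(.*)$")


def parse_route_table(text):
    """Parse net-tools `route` output into (network, gateway, flags, iface) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue
        dest, gw, mask, flags, iface = parts[0], parts[1], parts[2], parts[3], parts[7]
        if dest == "default":
            dest = "0.0.0.0"
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        gateway = None if gw == "*" else ipaddress.IPv4Address(gw)
        routes.append((net, gateway, flags, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does: the most specific matching network wins."""
    dst = ipaddress.IPv4Address(dst)
    best = None
    for entry in routes:
        net = entry[0]
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = entry
    if best is None:
        return None
    net, gw, flags, iface = best
    # A "*" gateway means on-link: the next hop is the destination itself and
    # the kernel must resolve it with ARP on that interface.
    next_hop = dst if gw is None else gw
    return {"network": str(net), "next_hop": str(next_hop),
            "iface": iface, "on_link": gw is None}


def diagnose_hop(routes, dst, local_addr, hop_line):
    """Interpret a traceroute hop that reports !H from the probing host's own address.

    When ARP (neighbour) resolution for the next hop fails, the Linux kernel
    returns EHOSTUNREACH and sends an ICMP host-unreachable to itself over lo;
    traceroute prints that as hop 1 = our own address with !H. The route
    lookup has already succeeded at that point, so the fault is on the link
    layer of the chosen interface, not in the routing table.
    """
    m = HOP_RE.match(hop_line)
    if not m:
        raise ValueError("unrecognised traceroute hop line")
    hop_addr, rest = m.group(2), m.group(3)
    route = lookup(routes, dst)
    if route is None:
        return {"kind": "no_route", "dst": dst, "routing_ok": False}
    if hop_addr == local_addr and "!H" in rest:
        return {"kind": "neighbour_resolution_failed", "routing_ok": True,
                "next_hop": route["next_hop"], "iface": route["iface"]}
    return {"kind": "forwarded", "routing_ok": True, "first_hop": hop_addr}


ROUTES = parse_route_table(DDWRT_ROUTE_OUTPUT)

if __name__ == "__main__":
    for target in ("10.1.0.1", "10.7.0.1", "10.7.0.9", "8.8.8.8"):
        print(target, "->", lookup(ROUTES, target))
    print(diagnose_hop(ROUTES, "10.1.0.1", "10.7.0.2", TRACEROUTE_HOP))
```

Running it against the question's table reports `neighbour_resolution_failed` with next hop 10.7.0.1 on tap1 for the 10.1.0.1 probe: the right route was chosen, and the traffic died on the tap interface. A live check of the same thing on the router would be `ip neigh show dev tap1`, where a FAILED or INCOMPLETE entry for 10.7.0.1 confirms that ARP over the tunnel is not being answered.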

2 Answers

0

This was the reason.

comp-lzo no

Any mention of lzo has to be removed because Mikrotik does not support this feature at all.

0

You have two networks: one for the server/LAN and one for the OpenVPN client. If you want to route traffic between the networks at the network layer, you must use dev tun instead of dev tap.