OpenVPN client on OpenWRT not routing traffic through VPN on Linksys WRT3200ACM

Question

I am unable to get the traffic routed through the VPN tunnel, when using OpenVPN on OpenWRT firmware.

The router is a WRT3200ACM, connecting to OpenVPN server on Ubuntu.

OpenVPN client is connecting and I am able to ping ip's on the the remote network from SSH console on the router. However, all my connectet clients on the network are disconnected from the internet, when the OpenVPN connection is established.

The OpenVPN client configuration currently looks like this:

dev tun
proto udp
remote x.x.x.x 1194
cipher AES-256-CBC
auth SHA1
resolv-retry infinite
nobind
persist-key
persist-tun
client
redirect-gateway def1
verb 3

<ca>
-----BEGIN CERTIFICATE-----
REMOVED
-----END CERTIFICATE-----
</ca>

key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
REMOVED
-----END OpenVPN Static key V1-----
</tls-auth>


<cert>
-----BEGIN CERTIFICATE-----
REMOVED
-----END CERTIFICATE-----

</cert>

<key>
-----BEGIN PRIVATE KEY-----
REMOVED
-----END PRIVATE KEY-----

</key>

This configuration works perfectly on the Windows and MacOS clients, and traffic is being routed correctly, but as soon as I connect this on the Linksys WRT3200ACM router, things go wrong.

I have also tested using dd-wrt firmware on the router, but the problem was the same, however it was not possible to ping remote ip's when using dd-wrt, so the OpenWRT solution works slightly better.

The local network configuration is:

Network: 192.168.237.0
Subnet: 255.255.255.0
GW: 192.168.237.1

The remote network configuration is:

Network: 192.168.37.0
Subnet: 255.255.255.0
GW: 192.168.37.1

and the OpenVPN virtual network configuration is:

Network: 10.8.0.0
Subnet: 255.255.255.0
GW: 10.8.0.1

IP-range: 10.8.0.6-10
OpenVPN server: 10.8.0.5

Answer 1

I think in your case this is a routing issue. You state that the configuration works well on your clients - hence your clients get an IP-Addr within the 10.8.0.6-10/24 range and route all traffic via the Ubuntu. The sending IP here is a 10.8.0.x IP. Furthermore, the ping works with SSH from your local router when connected, but not from the clients. If you want all your clients to connect to the internet via the OpenVPN-tunnel, then the sending IP address is 192.168.237.0 - hence your local network. The Ubuntu server does not know anything by default about that network. You have two options here:

1. add a static route on your ubuntu machine that network 192.168.237.0/24 is reachable via the 10.8.0.x IP of your router. You then have to ensure that the router always gets the very same IP-Address
2. add a routing protocol - e.g. RIP2. You can easily enable this by installing quagga-zebra and quagga-ripd on openwrt and ubuntu. Then you dont have to care about the dynamic IP of the router within the OpenVPN.

If the Ubuntu server does not directly access the internet and performs a NAT you have to further distribute the route to your next device / firewall to enable it to reach back to your clients. Either via RIP or via a static route. You probably have to adjust the NAT-statement too.