OpenVPN Server with Tomato on 2nd router

3 posts / 0 new
Last post
Skyler
Skyler's picture
OpenVPN Server with Tomato on 2nd router

diagram:

Internet -> R7000 (Gateway) -> WNR3500L (in Router mode across house)

I recently got the Nighthawk R7000 router and moved my old WNR3500L across the house as a second router (not a gateway).  This means the R7000 is doing DHCP, DNS, etc for the entire network.

I'm port forwarding the OpenVPN port from the R7000 to the WNR3500L.  The WNR is running Tomato by Shibby for WNR3500Lv1 111-VPN.  The R7000 is using stock firmware right now and AFAIK, tomato isn't available for it in a stable release yet.

I cannot use the R7000 to run OpenVPN since it only supports TAP mode and Android Clients only support TUN mode.  That is why I'm port forwarding the OpenVPN port to the other router which does support TUN.

My clients were configured before and still connect to the VPN just fine.  I'm able to get to my WNR3500 router from VPN clients, but I'm unable to get to any other hosts on the network or access internet resouces through the VPN when connected to the VPN as a client.

I assume this is some kind of routing or firewall issue.  Can anyone give me an idea what I need to do to access other computers on the network through the VPN or send internet traffic?

I've tried all firewall modes and automatic is the only one that even allows access to the WNR3500L.  I'm not sure how to configure anything in "custom" mode (where to customize?).  I'm not sure if this is even the problem.

My settings:

Start with WAN: checked

Interface type: TUN

Protocol: UDP

Port: 1174

Firewall: automatic

VPN subnet: 10.8.0.0/255.255.255.0 (My internal network is 192.168.192.0/255.255.255.0)

For advanced, I've tried various settings for push lan to clients, respond to DNS, manage client specific options.

I've tried adding these lines to custom configuration:

push "route 192.168.192.0 255.255.255.0"

push "dhcp-option DNS 192.168.192.1"

 

In the status, I see info while a client is connected (replaced some parts of IP with x):

Data current as of Sat Jan 18 11:28:14 2014.

Client List
Common Name Real Address Virtual Address Bytes Received Bytes Sent Connected Since Connected Since (time_t)
client1 208.x.x.x:48045 10.8.0.6 33830 122737 Sat Jan 18 11:27:23 2014 1390073243
Routing Table
Virtual Address Common Name Real Address Last Ref
10.8.0.6 client1 208.x.x.x:48045 Sat Jan 18 11:28:11 2014
General Statistics
Name Value
Max bcast/mcast queue length 0

Do I need to add a route here?  If so how and what would that route look like?

I appreciate any tips or pointers about how to set this configuration up in Tomato.

Skyler
Skyler's picture
An update in case it's

An update in case it's helpful to others. After some more searching I found this bit on OpenVPN's web site under a rather random section of the FAQ about single NICs:

"If you are using routing rather than ethernet bridging mode and would like connecting clients to see the whole LAN rather than only the server machine itself, you need to add an internal LAN route to the LAN gateway so that the private OpenVPN subnet (declared in the server, ifconfig, or ifconfig-pool directives) is routed to the OpenVPN server machine (i.e. its internal address)."

I added a static route to the R7000 router, also, which seemed to fix the problem connecting to computers on the internal network over the VPN.

Destination Address: 10.8.0.0
IP Subnet Mask: 255.255.255.0
Gateway IP address: 192.168.192.3 (this is my WNR3500L static address)
Metric: 2 (it wouldn't let me enter anything lower)

This seems to have fixed problems connecting to the internal network, but it seems like I'm having DNS troubles still. :-/

Skyler
Skyler's picture
Also, for anyone else who has

Also, for anyone else who has a setup like this, you need to add some firewall rules on the main router if you want all internet traffic to go through the VPN tunnel. I finally found a guide gives a pretty good explanation.

https://community.openvpn.net/openvpn/wiki/BridgingAndRouting

AFAIK the R7000 with the default firmware doesn't allow adding these rules, so I can't currently route all my internet traffic through the VPN with TUN (though the changes above allow me to at least access computers inside network over VPN.)

It looks like I'll be waiting for stable Tomato releases for for the R7000.