
site to site openvpn with Merlin and DD-WRT




I am trying to set up an OpenVPN site-to-site between site A (server, Merlin) and site B (client, DD-WRT). The tunnel comes up and both peers are able to ping each other, but when anyone on the client subnet (10.1.30.0/24) tries to ping any host on the server side (10.1.10.0/24), packets are being dropped by the server, since the server doesn't know how to get to the client's subnet even after adding the route.
Here are the configs:



Server

daemon
server 172.16.254.0 255.255.255.248
proto udp
port 1198
dev tun21
cipher AES-256-CBC
comp-lzo adaptive
keepalive 15 60
verb 3
push "route 10.1.10.0 255.255.255.0"
client-config-dir ccd
client-to-client
duplicate-cn
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status
ifconfig 172.16.254.1 255.255.255.248
management 127.0.0.1 5001
auth none




Firewall - Server

iptables -I INPUT 2 -p udp --dport 1198 -j ACCEPT
iptables -I FORWARD -i br0 -o tun21 -j ACCEPT
iptables -I FORWARD -i tun21 -o br0 -j ACCEPT




Routing table Server:

172.16.254.2 dev tun21 proto kernel scope link src 172.16.254.1
x.x.x.x dev eth0 scope link
172.16.254.0/29 via 172.16.254.2 dev tun21
x.x.x.x/28 dev eth0 proto kernel scope link src x.x.x.x
10.1.10.0/24 dev br0 proto kernel scope link src 10.1.10.254
127.0.0.0/8 dev lo scope link
default via x.x.x.x dev eth0




Client Config:

ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
key /tmp/openvpncl/client.key
management 127.0.0.1 5001
management-log-cache 50
verb 4
mute 3
log-append /var/log/openvpncl
writepid /var/run/openvpncl.pid
client
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 2
mtu-disc yes
dev tun1
proto udp
cipher aes-256-cbc
auth none
remote x.x.x.x 1198
comp-lzo adaptive
tun-mtu 1500
fast-io




Client Firewall

iptables -I INPUT 2 -p udp --dport 1198 -j ACCEPT
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT




Client routing table:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
0.0.0.0         192.168.2.253   0.0.0.0         UG    0      0   0   eth1
10.1.10.0       172.16.254.5    255.255.255.0   UG    0      0   0   tun1
10.1.30.0       0.0.0.0         255.255.255.0   U     0      0   0   br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0   0   lo
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0   0   br0
172.16.254.0    172.16.254.5    255.255.255.248 UG    0      0   0   tun1
172.16.254.5    0.0.0.0         255.255.255.255 UH    0      0   0   tun1
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0   0   eth1
239.0.0.0       0.0.0.0         255.0.0.0       U     0      0   0   br0





What is weird is that on the client side the tun device has an IP of 172.16.254.6 while the gateway is 172.16.254.5, and on the server side the IP is 172.16.254.1 and the tun IP is 172.16.254.2. On the server side I can't ping 172.16.254.2, but I can ping the tun IP of the client (172.16.254.6); and vice versa, on the client side I can't ping 172.16.254.5, which is the gateway, but I can ping 172.16.254.1.



Server interfaces

ip addr
1: lo: mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether d8:50:e6:cb:f5:f0 brd ff:ff:ff:ff:ff:ff
    inet x.x.x.x/28 brd x.x.x.x scope global eth0
3: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether d8:50:e6:cb:f5:f0 brd ff:ff:ff:ff:ff:ff
4: eth2: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether d8:50:e6:cb:f5:f4 brd ff:ff:ff:ff:ff:ff
5: vlan1@eth0: mtu 1500 qdisc noqueue
    link/ether d8:50:e6:cb:f5:f0 brd ff:ff:ff:ff:ff:ff
6: vlan2@eth0: mtu 1500 qdisc noop
    link/ether d8:50:e6:cb:f5:f0 brd ff:ff:ff:ff:ff:ff
7: br0: mtu 1500 qdisc noqueue
    link/ether d8:50:e6:cb:f5:f0 brd ff:ff:ff:ff:ff:ff
    inet 10.1.10.254/24 brd 10.1.10.255 scope global br0
8: tun21: mtu 1500 qdisc pfifo_fast qlen 100
    link/[65534]
    inet 172.16.254.1 peer 172.16.254.2/32 scope global tun21





Client interfaces:

ath0      Link encap:Ethernet  HWaddr B0:C7:45:75:1C:F6
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2528056 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3317121 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:177453174 (169.2 MiB)  TX bytes:539912763 (514.9 MiB)

ath1      Link encap:Ethernet  HWaddr B0:C7:45:75:1C:F7
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12502 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:0 (0.0 B)  TX bytes:1688459 (1.6 MiB)

br0       Link encap:Ethernet  HWaddr B0:C7:45:75:1C:F6
          inet addr:10.1.30.251  Bcast:10.1.30.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3715741 errors:0 dropped:3772 overruns:0 frame:0
          TX packets:5006361 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:415672171 (396.4 MiB)  TX bytes:6820174338 (6.3 GiB)

br0:0     Link encap:Ethernet  HWaddr B0:C7:45:75:1C:F6
          inet addr:169.254.255.1  Bcast:169.254.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0      Link encap:Ethernet  HWaddr B0:C7:45:75:1C:F6
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:610099 errors:0 dropped:4 overruns:18 frame:0
          TX packets:931175 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:263258272 (251.0 MiB)  TX bytes:833541212 (794.9 MiB)
          Interrupt:4

eth1      Link encap:Ethernet  HWaddr B0:C7:45:75:1C:F6
          inet addr:192.168.2.254  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1492  Metric:1
          RX packets:5071499 errors:0 dropped:787 overruns:0 frame:0
          TX packets:3681042 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2519572372 (2.3 GiB)  TX bytes:462892303 (441.4 MiB)
          Interrupt:5

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
          RX packets:421 errors:0 dropped:0 overruns:0 frame:0
          TX packets:421 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:37100 (36.2 KiB)  TX bytes:37100 (36.2 KiB)

mon.ath0  Link encap:UNSPEC  HWaddr B0-C7-45-75-1C-F6-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:462186 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:105722162 (100.8 MiB)  TX bytes:0 (0.0 B)

mon.ath1  Link encap:UNSPEC  HWaddr B0-C7-45-75-1C-F7-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3114 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:377428 (368.5 KiB)  TX bytes:0 (0.0 B)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.16.254.6  P-t-P:172.16.254.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:268 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14279 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:22488 (21.9 KiB)  TX bytes:775355 (757.1 KiB)



Ping peer IP from server:

ping 172.16.254.2
PING 172.16.254.2 (172.16.254.2): 56 data bytes
--- 172.16.254.2 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

Ping tun0's client IP address from the server:

ping 172.16.254.6
PING 172.16.254.6 (172.16.254.6): 56 data bytes
64 bytes from 172.16.254.6: seq=0 ttl=64 time=30.222 ms
64 bytes from 172.16.254.6: seq=1 ttl=64 time=29.536 ms
64 bytes from 172.16.254.6: seq=2 ttl=64 time=30.918 ms
64 bytes from 172.16.254.6: seq=3 ttl=64 time=30.386 ms
64 bytes from 172.16.254.6: seq=4 ttl=64 time=30.788 ms
64 bytes from 172.16.254.6: seq=5 ttl=64 time=31.271 ms
--- 172.16.254.6 ping statistics ---
6 packets transmitted, 6 packets received, 0% packet loss
round-trip min/avg/max = 29.536/30.520/31.271 ms

Ping peer IP from the client:

ping 172.16.254.5
PING 172.16.254.5 (172.16.254.5): 56 data bytes
^C
--- 172.16.254.5 ping statistics ---
7 packets transmitted, 0 packets received, 100% packet loss

Ping tun21's IP on the server from the client:

ping 172.16.254.1
PING 172.16.254.1 (172.16.254.1): 56 data bytes
64 bytes from 172.16.254.1: seq=0 ttl=64 time=29.253 ms
64 bytes from 172.16.254.1: seq=1 ttl=64 time=31.730 ms
64 bytes from 172.16.254.1: seq=2 ttl=64 time=30.010 ms
^C
--- 172.16.254.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 29.253/30.331/31.730 ms





I tried adding a route to 10.1.30.0 (client LAN) on the server using the IP 172.16.254.6, but it will only let me map it to 172.16.254.2:

ip route add 10.1.30.0/24 via 172.16.254.6 dev tun21
RTNETLINK answers: No such process

ip route add 10.1.30.0/24 via 172.16.254.2 dev tun21





Pinging a host on the client LAN from the server -- no dice:

PING 10.1.30.100 (10.1.30.100): 56 data bytes
--- 10.1.30.100 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

Pinging a host on the server LAN from the client -- no dice:

ping 10.1.10.100
PING 10.1.10.100 (10.1.10.100): 56 data bytes
^C
--- 10.1.10.100 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss




Logs from the server side:

LOG:1432700723,D,Client/x.x.x.x:44820 UDPv4 READ [81] from [AF_INET]x.x.x.x:44820: P_DATA_V1 kid=0 DATA len=80
LOG:1432700723,,Client/x.x.x.x:44820 MULTI: bad source address from client [10.1.30.100], packet dropped
LOG:1432700723,D,Client/x.x.x.x:44820 UDPv4 READ [81] from [AF_INET]x.x.x.x:44820: P_DATA_V1 kid=0 DATA len=80
LOG:1432700723,,Client/x.x.x.x:44820 MULTI: bad source address from client [10.1.30.106], packet dropped
LOG:1432700724,D,Client/x.x.x.x:44820 UDPv4 READ [81] from [AF_INET]x.x.x.x:44820: P_DATA_V1 kid=0 DATA len=80
LOG:1432700724,,Client/x.x.x.x:44820 MULTI: bad source address from client [10.1.30.110], packet dropped
2700729,,Client/x.x.x.x:44820 MULTI: bad source address from client [10.1.30.100], packet dropped

Logs from the client side:

LOG:1432686050,D,UDPv4 WRITE [81] to x.x.x.x:1198: P_DATA_V1 kid=0 DATA len=80
LOG:1432686050,D,UDPv4 WRITE [81] to x.x.x.x:1198: P_DATA_V1 kid=0 DATA len=80
LOG:1432686051,D,UDPv4 WRITE [81] to x.x.x.x:1198: P_DATA_V1 kid=0 DATA len=80





I even ran a tcpdump on both routers, and it turns out the packets from the LAN on the server side aren't even getting to the client router.

Any help would be appreciated.

Thanks


Answer

I resolved this by adding the following lines to my config:

route 10.1.30.0 255.255.255.0
push "route 10.1.10.0 255.255.255.0"
push "route 10.1.30.0 255.255.255.0"

and added the following lines for my client in the CCD folder:

less /tmp/etc/openvpn/server1/ccd/CALPHA
iroute 10.1.30.0 255.255.255.0
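An added check, not from the thread or from OpenVPN itself, that ties the fix in the answer back to the "bad source address from client" log line quoted in the question: it parses the server's `route` directives and the ccd `iroute` directives and reports which of the two is missing for a dropped source address. The config snippets, the ccd entry (client CN CALPHA, from the answer) and the log line are constructed from the values in the thread.

```python
import ipaddress
import re

# OpenVPN server log line emitted when a client sends a packet from a source
# address no iroute has claimed for it (same wording as in the question).
BAD_SRC_RE = re.compile(r"bad source address from client \[([\d.]+)\]")

def parse_nets(text, directive, pushed=False):
    """Collect 'directive NET MASK' lines (or push "directive NET MASK") as IPv4Network."""
    head = r'^\s*push\s+"' if pushed else r'^\s*'
    pat = re.compile(head + directive + r'\s+([\d.]+)\s+([\d.]+)', re.M)
    return {ipaddress.IPv4Network(f"{n}/{m}") for n, m in pat.findall(text)}

def audit(server_conf, ccd_files):
    """Cross-check kernel 'route' lines against ccd 'iroute' lines.
    ccd_files maps client CN -> contents of that client's ccd file."""
    routes = parse_nets(server_conf, "route")            # kernel routes into the tun
    iroutes = set().union(*(parse_nets(c, "iroute") for c in ccd_files.values()))
    return {"route_without_iroute": sorted(routes - iroutes, key=str),
            "iroute_without_route": sorted(iroutes - routes, key=str)}

def explain_drop(log_line, server_conf, ccd_files):
    """Map one 'bad source address' log line to the directive that is missing."""
    m = BAD_SRC_RE.search(log_line)
    if not m:
        return None
    src = ipaddress.IPv4Address(m.group(1))
    routes = parse_nets(server_conf, "route")
    iroutes = set().union(*(parse_nets(c, "iroute") for c in ccd_files.values()))
    if any(src in n for n in iroutes):
        return f"{src}: covered by iroute; drop should stop once the client reconnects"
    net = next((n for n in routes if src in n), None)
    if net:
        return f"{src}: 'route {net.network_address} {net.netmask}' present but no ccd iroute for it"
    return f"{src}: no 'route' and no 'iroute' covering this client-side source"

# Constructed sample inputs modelled on the thread (before and after the fix).
SERVER_CONF_BEFORE = 'push "route 10.1.10.0 255.255.255.0"\nclient-config-dir ccd\n'
SERVER_CONF_AFTER = SERVER_CONF_BEFORE + 'route 10.1.30.0 255.255.255.0\npush "route 10.1.30.0 255.255.255.0"\n'
CCD_AFTER = {"CALPHA": "iroute 10.1.30.0 255.255.255.0\n"}
DROP_LINE = ("LOG:1432700723,,Client/x.x.x.x:44820 MULTI: bad source address "
             "from client [10.1.30.100], packet dropped")

if __name__ == "__main__":
    print(explain_drop(DROP_LINE, SERVER_CONF_BEFORE, {}))
    print(explain_drop(DROP_LINE, SERVER_CONF_AFTER, {}))
    print(explain_drop(DROP_LINE, SERVER_CONF_AFTER, CCD_AFTER))
    print(audit(SERVER_CONF_AFTER, {}))
```

Point it at the real server.conf and the files in the client-config-dir to catch the half-fixed state (kernel `route` added, `iroute` forgotten) that still produces the drop message.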


