Need Help Configuring OpenVPN in Routed Mode

I have Nethserver installed with one NIC behind a DD-WRT router and want to use it as an OpenVPN server. My reasons for using this are to be able to access computers on my LAN, to securely browse the Internet from computers and smart phones, and to access websites without restriction from locations that may traffic.

I have it configured and working in bridged mode, but I cannot get routed mode to work.

When I tried to configure it for routed mode, my client machines (Android 4.4+ and Windows 7 PC) connect and are assigned an IP address in the routed range below, but I cannot access other computers on the LAN or browse the web. Nor does entering an IP address rather than a name in the browser work.

I am guessing I need to set up a static route either on my home gateway or on Nethserver, but experimenting failed.

Here is my configuration:

Home gateway (DD-WRT):
External IP (DHCP with Dynamic DNS)
Internal IP: 10.20.30.1, DHCP server 10.20.30.101-10.20.30.49
Nethserver IP: 10.20.30.5
Gateway is configured to forward UDP and TCP traffic to 10.20.30.5.

Nethserver OpenVPN bridged mode configuration that works:
username, password and certificate - selected.
IP range start 10.20.30.180, end: 10.20.30.199
LZO Compression selected

The routed configuration that doesn’t work:
Network: 10.20.50.0
Netmask: 255.255.255.0
Route all client traffic through VPN - selected
Allow client-to-client network traffic - selected

I am confused, you have one NIC on the box?

P.S. I am working on OpenVPN, albeit on Ubuntu. However, I would like to test a Nethserver VPN at home.

Lutchy,

Yes. It only has one NIC.

@harry

I did a bit of research and it seems like you want to set up a Site to Site VPN? Something like this: Bridging vs Routing

P.S. The developers should be around 3AM EST tomorrow

Cheers,
Horace

Horace,

I am not using a site to site VPN. I want a small number of users to be able to do two things:

Access the computers on my LAN from the Internet using smartphones, PCs and Macs that have OpenVPN clients, and also to be able to route all their Internet traffic to go through the VPN.

Harry

Honestly I’ve never tested VPN routing on a server configured only with one ethernet interface.

I guess the server can’t figure out a valid route for the VPN traffic.
Maybe you can try add a static route from the page “Static routes”.
Otherwise, can you post the route table of client and server when connected?

Moreover, I’m not sure about lokkit (the built-in firewall) capabilities in this scenario.

My suggestions are:

  • check the routing table of both server and client
  • try to install nethserver-firewall-base (and check the log /var/log/firewall.log)
1 Like

Probably you have to add a static route rule on the DD-WRT: something like all VPN network to Nethserver :wink:

2 Likes
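The static-route suggestion above, modelled as an added example that is not part of the original posts: a longest-prefix-match lookup shows where a LAN host's reply to a VPN client goes with and without a 10.20.50.0/24 route on the gateway. The routing tables are simplified, and the client address 10.20.50.6 and all function and variable names are constructed for illustration.

```python
import ipaddress

VPN_SERVER = "10.20.30.5"   # Nethserver, from the thread
GATEWAY = "10.20.30.1"      # DD-WRT LAN address, from the thread
VPN_CLIENT = "10.20.50.6"   # constructed address inside the routed VPN network

# Simplified tables (assumption): (prefix, next hop)
LAN_HOST_ROUTES = [("10.20.30.0/24", "on-link"), ("0.0.0.0/0", GATEWAY)]
GATEWAY_ROUTES = [("10.20.30.0/24", "on-link"), ("0.0.0.0/0", "wan")]
# Same gateway table plus the suggested static route for the VPN network
GATEWAY_ROUTES_FIXED = GATEWAY_ROUTES + [("10.20.50.0/24", VPN_SERVER)]


def next_hop(routes, dst):
    """Return the next hop for dst using longest-prefix match, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def reply_path(gateway_routes, client=VPN_CLIENT):
    """Trace a LAN host's reply to a VPN client, hop by hop."""
    path = ["lan-host"]
    # The LAN host has no route for 10.20.50.0/24, so it uses its default gateway.
    path.append(next_hop(LAN_HOST_ROUTES, client))
    # The gateway then decides: out the WAN, or back to the VPN server.
    path.append(next_hop(gateway_routes, client))
    return path


def reply_reaches_vpn_server(gateway_routes):
    """True when the reply is handed to the OpenVPN server for tunnelling."""
    return reply_path(gateway_routes)[-1] == VPN_SERVER


if __name__ == "__main__":
    for label, table in (("no static route", GATEWAY_ROUTES),
                         ("with static route", GATEWAY_ROUTES_FIXED)):
        print(label, "->", " -> ".join(reply_path(table)),
              "| delivered:", reply_reaches_vpn_server(table))
```
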

@harry

If I didn’t trust these guys for support… I wouldn’t be here

cheers
horace

1 Like

FWIW, I never did get OpenVPN to work with Nethserver configured with one NIC behind my NAT gateway firewall (a DD-WRT installation). This was the only thing I was trying to do with Nethserver at the time, and so I stopped spending time on it.

Recently I installed Nethserver as my NAT gateway/firewall with two NICs, and had no trouble getting it to work in routed mode on Windows PCs and my Android phone as OpenVPN clients.

EDIT: I meant to include that I did not have to make any changes to the Nethserver firewall configuration or set up any routes. It just plain works.

1 Like

Glad to hear this!

Hey Harry, happy to see you still around! What’s up? So you’re a VPN expert now :slight_smile:
Can you help @WillZen @Hunv and @firsttiger proofread this? You can also add the Android configuration part
http://wiki.nethserver.org/doku.php?id=howto:howto_set_up_a_vpn&s[]=vpn

I read it briefly and in general, it looks good. I have an action item to put in the OS X portion of the wiki. If possible, it’d be great to outline when someone would choose to use IPSec vs OpenVPN.

Have you some time to add the macosx part? :slight_smile:

@harry Can you mark this topic as solved?
Please reply to my post above as well.