Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[cptncrnch]

I'm setting up a Raspberry Pi (RPi) as a VPN server and it is connected to the DIR-615 router. I am forwarding UDP traffic from port 1194 to the RPi. How do I route VPN tunnel traffic to go out from the RPi to the router?

I'm referencing the section from https://community.openvpn.net/openvpn/wiki/BridgingAndRouting#UsingroutingandOpenVPNnotrunningonthedefaultgateway.

The next thing you need to do on the router is to add a route for your VPN subnet. In the routing table on your Router, add 10.8.0.0/24 to be sent via 192.168.0.10. This is needed for the traffic from your LAN clients to be able to find their way back to the VPN clients. If this is not possible, you need add such routes explicitly on all the LAN clients you want to access via the VPN.

[FurryNutz]

Link>Welcome!

• What Hardware version is your router? Look at sticker under router.
• Link>What Firmware version is currently loaded? Found on the routers web page under status.
• What region are you located?

Check to see if you have Routing options under Adanaced or Tools...

Internet Service Provider and Modem Configurations

• What ISP Service do you have? Cable or DSL?
• What ISP Modem Mfr. and model # do you have?

You may need to refer to the Mfr of the RPi for additional help and information for using there devcies.

[PacketTracer]

Hi,

How do I route VPN tunnel traffic to go out from the RPi to the router?

As far as I understand your OpenVPN scenario, the question should be just the other way round:

How do I route (unencrypted) VPN tunnel traffic to go out the router to the RPi (where it gets encrypted and enters the VPN tunnel)?

The idea behind this question is that local clients on network 192.168.0.0/24 when sending packets to the VPN subnet (10.8.0.0/24) will just send it to the router, because it is configured to be their default gateway.

So you have to tell your router to route traffic destined for 10.8.0.0/24 (back) to your RPi (192.168.0.10). You can do so in ADVANCED | ROUTING in the web GUI of your DIR-615.

In order to send the tunneled packets out to the Internet, your RPi only needs to have its default gateway configured to be your router, just like any other client on your local network.

PT

[rosede]

cptncrnch,

If I understand you correctly, you want to open a VPN tunnel to access your internal network from the outside, correct?

Daryl

[cptncrnch]

Hardware Version: E3     Firmware Version: 5.13   Region: USA
I'm looking at RPi forums for correct iptables settings. I just want to make sure I'm setting up the router correctly too.

PacketTracer, yes, that's the route I'm trying to establish. So under "Routing", would the RPi address be the Destination IP and the tunnel address be the Gateway? And just to be sure, is the Netmask masking the Gateway address?

rosede, yes, I ultimately I want to be able to open a VPN tunnel to access my home LAN.

[cptncrnch]

I entered the RPi address as the Destination IP, and 255.255.255.0 for the Netmask, and the tunnel address i.e. 10.8.0.1 as the Gateway. When I click Save Settings, I get a warning that says:

The 2nd range of IP address must be between 0

What is it asking to change?

[PacketTracer]

Hi,

to be most precise I hope this configuration will work:

• Check the checkbox of the next free (probably the first one) ROUTE LIST entry and configure this entry as follows:
• Name: VPN-NET (or whatever you like)
• Destination IP: 10.8.0.0
• Netmask: 255.255.255.0
• gateway: 192.168.0.10 (or whatever RPi's address is inside your LAN)
• Metric: 2 (but value doesn't really matter with static routing)
• Interface: LAN

It will route all traffic for your VPN subnet 10.8.0.0/24 to the LAN interface (192.168.0.10) of your RPi/OpenVPN server. In addition the router should send ICMP redirects for any single OpenVPN client address out of this range back to your LAN clients (or should I say "LAN servers" from the point of view of your Open VPN clients?), so they learn host routes to the OpenVPN clients going directly to your RPi (but these host routes are only stored temporarily in a routing cache).

EDIT: There are D-Link router models, that, depending on firmware version, refuse to select Interface: LAN, this way rendering the feature to define static routes useless, at least insofar the need to define routes for the WAN interface should arise extremely seldom. If this is the case either with DIR-615, as a workaround you have to configure the route for 10.8.0.0/24 with gateway 192.168.0.10 on each LAN client, that shall talk to OpenVPN clients.

PT

[cptncrnch]

Looks like my DIR-615 router is one of the models that refuse to select Interface: LAN.

If the RPi is the only LAN client I'm interested in connecting to via VPN, is it alright to not set a static route for tunnel traffic on the DIR-615 router?

[PacketTracer]

If the RPi is the only LAN client I'm interested in connecting to via VPN, is it alright to not set a static route for tunnel traffic on the DIR-615 router?

In this case an OpenVPN client (10.8.0.x) would address the OpenVPN server using its VPN subnet address 10.8.0.1, and this communication takes place inside VPN subnet only - no routing is needed. Hence the answer to your question is yes!

PT

[FurryNutz]

Possible to add a Virtual Server rule here. Not sure if it would help any. 

One thing to consider is that most of D-Links home class routers don't support loopback or LAN to LAN routing which is reserved for there business class routers.