Mirror Traffic With Home Router

Site-To-Site Routed VPN Between Two or More Routers using dd-wrt/o... http://wadihzaatar.com/?
p=11
Wadih Zaatar's Blog
Home Technology Site-To-Site Routed VPN Between Two Or More Routers Using Dd-wrt/openvpn
[A-] [A+]
The following details the procedure for establishing a site-to-site routed VPN between two
or more DD-WRT/vpn image-enabled routers. Other flavours may work but I havent
personally tested any.
Should you have any questions, please dont hesitate to contact me directly!
These VPN scripts have been tested starting v23 and have been confirmed to work in v24 of
DD-WRT. Before proceeding, you need to download the VPN-flavoured version of DD-WRT
from the DD-WRT Download Page.
Due to the fact that most of us have DHCP-assigned dynamic IPs, you are also
recommended to create a dynamic dns host for the server router. More information on this
1 sur 73 01/05/2017 19:10

Site-To-Site Routed VPN Between Two or More Routers using dd-wrt/o... http://wadihzaatar.com/?p=11
Finally, make sure that your two routers are not distributing an overlapping IP subnet
range. Usually, all routers come preconfigured with a 192.168.1.0 DHCP range distribution.
Since you are doing routed configurations, you need to change the 192.168.1.0 subnet to
another one. The easiest way is to adopt a sequential assignment:
Server side: 192.168.1.0

Client1 side: 192.168.2.0
Client2 side: 192.168.3.0
etc
This way, when your internal networks communicate with each other, they dont overlap
and you dont end up having miscommunication.
If you are looking for a bridged configuration, youd better check this Wiki page instead.
Prior to configuring your routers, you need to create a shared secret key. This key will be
used to authenticate and encrypt your site to site communication.
Start by downloading the latest OpenVPN package from OpenVPNs main site. Install the
package (Usually gets installed in C:\Program Files\OpenVPN if you are running Windows).
Now, get a command prompt and issue the following command from the OpenVPN
directory:
openvpn --genkey --secret static.key
This will create a text file named static.key. Opening it in Notepad, or any text editor will
2 sur 73 01/05/2017 19:10

#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
aeb68165149e096d8f04252dd22fe67d
dd15d8c87e8a577c5c14ebd1ef0bf0b6
0e1d652f91fe66ed3774505e641936dd
458a6db60fb36b969d8bcd37803cf1d3
6d49383ec2daa1d2ae70e3ca49b950a4
bba985940e5e4a15fac702cbcf47f9d0
39f7939980bbb63d2964bb6216471162
0a519fe25d1e0d48044a1ad85dc94758
af6f7b7c52ccaaefa3d013fcbf621366
5ea18d9dc36c3b2a9ac277a9903998fe
45e10b0f79fd443727c3f30278981b3d
0fa525ad843645b4acc28969450bd601
4ce774aba0e830149489dc1592741580
fbd3cd24cc7baa68e06b3e3aedae2565
a36b8a3f687ddbb78411740d755249cf
45c0617c215b66eabc72f60f47b32c64
-----END OpenVPN Static key V1-----
Warning: Dont go lazy and copy the above, doing so will jeopardize your
secure connection, recreate the file from scratch.
3 sur 73 01/05/2017 19:10

Using Notepad or any text editor, create the following two configurations:
# Move to writable directory and create scripts

cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn
# Config for Site-to-Site SiteA-SiteB

echo "
proto udp
port 1194
dev tun0
secret /tmp/static.key
verb 3
comp-lzo
keepalive 15 60
daemon
" > SiteA-SiteB.conf
# Config for Static Key

echo "
................................................
...YOUR SECRET KEY TEXT SHOULD BE PASTED HERE...
................................................
" > static.key
4 sur 73 01/05/2017 19:10

# Create interfaces
/tmp/myvpn --mktun --dev tun0
ifconfig tun0 10.0.0.1 netmask 255.255.255.0 promisc up
# Create routes
route add -net OTHERSUBNET netmask 255.255.255.0 gw 10.0.0.2
# Initiate the tunnel

sleep 5
/tmp/myvpn --config SiteA-SiteB.conf
Warning: Watch out for the OTHERSUBNET chunk, you should replace it with your client
networks subnet (for example: 192.168.2.0 or 192.168.3.0).
Also, do note that the static key that was created in the previous step should be pasted in the
appropriate section, right after the echo text.
Now, create a second configuration with the following text.
# Open firewall holes

iptables -I INPUT 2 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
Now, go to your Router configuration interface, click on Administration then Commands.

Paste your Config 1 in your Startup section and you Config 2 in your Firewall section.
5 sur 73 01/05/2017 19:10

The client configuration is very similar to the server configuration, with a few small
modifications.
Again, you need to create two configs:

cd /tmp
# Config for Site-to-Site SiteA-SiteB

echo "
remote REMOTEADDRESS
proto udp
port 1194
dev tun0
verb 3
comp-lzo
keepalive 15 60
daemon
" > SiteA-SiteB.conf

echo "
6 sur 73 01/05/2017 19:10

................................................
................................................
" > static.key
# Create interfaces
# Create routes
route add -net OTHERSUBNET netmask 255.255.255.0 gw 10.0.0.1

sleep 5
/tmp/myvpn --config SiteA-SiteB.conf
Warning: Watch out for the OTHERSUBNET chunk, you should replace it with your server
networks subnet (for example: 192.168.1.0).
Also, do note that the static key that was created in the previous step should be pasted in the
appropriate section, right after the echo text.
In addition to the above, and since this is your client, you need to replace the
REMOTEADDRESS with your servers IP address or the dynamic DNS address you created
in the previous Router Preparation section.
Now, create a second configuration with the following text.
7 sur 73 01/05/2017 19:10


Now, go to your Router configuration interface, click on Administration then Commands.

Paste your Config 1 in your Startup section and you Config 2 in your Firewall section.
Youre done with the client configuration!
Warning: This section is not for the faint-hearted people. Please read carefully and contact
me should you have any questions/comments/thoughts on how to make it better! I tried
keeping this technique simple and didnt use Certificates/CAs.
Lets assume we need to configure a 3-sites VPN connection as per the following figure:
You need to first start by duplicating the above Client configuration on the two Client1 and
8 sur 73 01/05/2017 19:10

your configs. In essence, both clients will have pretty much the same configuration with one
minor change. Since both will be connecting to the same server, you cannot use the same
port number for both clients, so we will be giving port 1999 for the first client and 2000
for the second client.
Also, we need to tell Client1 how to reach Client2s subnet and vice-versa. This means
including a second routing entry in our configuration. As such, our configurations will look
pretty much like the following:

cd /tmp
# Config for Site-to-Site Client1-Server

echo "
proto udp
port 2000
dev tun0
verb 3
comp-lzo
keepalive 15 60
daemon
" > Client1-Server.conf
9 sur 73 01/05/2017 19:10


echo "
................................................
................................................
" > static.key
# Create interfaces
# Create routes
route add -net SERVERINTERNALSUBNET netmask 255.255.255.0 gw 10.0.1.1
route add -net CLIENT2INTERNALSUBNET netmask 255.255.255.0 gw 10.0.1.1

sleep 5
/tmp/myvpn --config Client1-Server.conf

10 sur 73 01/05/2017 19:10


cd /tmp
# Config for Site-to-Site Client2-Server

echo "
proto udp
port 1999
dev tun0
verb 3
comp-lzo
keepalive 15 60
daemon
" > Client2-Server.conf

echo "
................................................
11 sur 73 01/05/2017 19:10


" > static.key
# Create interfaces
# Create routes
route add -net SERVERINTERNALSUBNET netmask 255.255.255.0 gw 10.0.2.1

sleep 5
/tmp/myvpn --config Client2-Server.conf

As for the server, we need to perform three modifications:
12 sur 73 01/05/2017 19:10

This can be done by running the openvpn daemon twice (As you will see in the coming
configuration, we will be creating two TUN interface, called tun0 and tun1).
2. Make sure to add a route to the two clients.
3. Allow Client-to-Client connection in the Firewall configuration script.

cd /tmp
# Config for Site-to-Site Server-Client1

echo "
proto udp
port 2000
dev tun0
verb 3
comp-lzo
keepalive 15 60
daemon
" > Server-Client1.conf
# Config for Site-to-Site Server-Client2

echo "
proto udp
port 1999
13 sur 73 01/05/2017 19:10

verb 3
comp-lzo
keepalive 15 60
daemon
" > Server-Client2.conf

echo "
................................................
................................................
" > static.key
# Create interfaces
# Create routes

sleep 5
/tmp/myvpn --config Server-Client1.conf
/tmp/myvpn --config Server-Client2.conf
14 sur 73 01/05/2017 19:10

# Open firewall holes for Client1

# Open firewall holes for Client2

# Allow Forwarding packets between Client1 and Client2

iptables -I FORWARD -i tun0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o tun0 -j ACCEPT
# Permit Communication Across the Networks

iptables -t nat -A POSTROUTING -j MASQUERADE
A question that comes often once we get our routed network up is DNS resolution. Ideally,
you would like to have all your machines on all networks to be able to speak to each other
using DNS and not just via their IP addresses. This section describes the procedure you use
to integrate DNS resolution in your routed VPN structure.
15 sur 73 01/05/2017 19:10

192.168.1.1) and Subnet2, with network ID 192.168.2.0/24 served by Router2 (ip:

192.168.2.1).
We would like to configure the two subnets as two domains: Domain1 and Domain2,
assigning Domain1 to Subnet1 and Domain2 to Subnet2. Our target is to get Router1 to
transfer all requests for Domain2 to Router2 and Router2 to transfer all requestes for
Domain1 to Router1.
First we will need to configure the DNSMasq options on Router1. Go to the Services
configuration page Services -> Services and perform the following modifications:
Set the DHCPserver to use domain on LAN & WLAN.

Set the LAN domain to be domain1.
Enable DNSMasq.
Enable Local DNS.
No DNS Rebind Disable ***NOTE
*** NOTE There are some options that may depend on your dd-wrt build. Two options in
particular you need to be concerned with that will effect the ability of your router to receive
DNS lookups from your openvpn-linked private network router: stop-dns-rebind, rebind-
domain-ok. Older builds (such as 13064) do not support rebind-domain-ok and have
stop-dns-rebind disabled by default. These builds DNS will work fine. Mid time builds (such
as 14896 mega) do not support rebind-domain-ok, but enable stop-dns-rebind by default
and provide no gui interaction to disable it. These builds your router will not accept results
from its peer and will not log the dropped query. The newest builds provide a radio button to
disable stop-dns-rebind, and it must be selected to allow private nameserver responses.
Looking in the source i believe still do not support rebind-domain-ok which is a shame, as
this would very much help protect you against the type of attack that stop-dns-rebind is
supposed to protect you against. Hopefully in the future this will be included.
16 sur 73 01/05/2017 19:10

local DNS service on the router on.
Next we need to configure Router1 to act as a DNS on both subnets (so it will answer
Router2 requests as well). To perform this operation, you need to add the following options
in the Additional DNSMasq Options text box:
interface=br0,tun0
no-dhcp-interface=tun0
server=/domain2/192.168.2.1
The first line instructs DNSMasq to listen for request from the Subnet2 on the tunnel tun0.
The second line ensures that the DHCP will not respond to remote subnet requests. And
finally, the last line will instruct DNSMasq to redirect any requests for Domain2 entries to
Router2.
In addition, we will also need to open port 53 by adding the 2 lines to the firewall section in
our configuration. To do this, you need to go to Administration > Commands and add
the following lines to your firewall configuration:
iptables -I INPUT 1 -i tun0 -p tcp dport 53 -j ACCEPT

iptables -I INPUT 1 -i tun0 -p udp dport 53 -j ACCEPT
This will allow the firewall to pass DNS request from Subnet2 to Router1.
Finally, reboot rooter1.
On Router2, you need to replicate the configuration you performed for Router1. This means
that you need to add the same frewall rule:
17 sur 73 01/05/2017 19:10

As well as: '(Watch out, its domain2 and NOT domain1)
Set the DHCPserver to use domain on LAN & WLAN.

Set the LAN domain to be domain2.
Enable DNSMasq.
Enable Local DNS.
Finally, youll need to include the DNSMasq options, watch out for the server line, the ip
address is now 192.168.1.1 instead of 192.168.2.1
interface=br0,tun0
You should notice that the options are very similar to the ones in Router1, but in this case we
are forwarding all requests to *.domain1 to Router1.
Again, reboot Router2.
To test your configuration, simply go to your Router1 status page Status -> LAN. You
should see the list of available hosts that have a DNS registration.
Next, go to a PC located on Subnet1 and try the following:
nslookup pconsubnet1.domain1 (Replace pconsubnet1 with the hostname of any PC on

Subnet 1)
18 sur 73 01/05/2017 19:10

Subnet 2)
Both resolutions should work fine. You can go ahead and try the same operation from a PC
located on Subnet 2.
The DNS query should return the correct IP adresses. Otherwise, check your configuration.
If you decide to run OpenVPN on your DD-WRT based router, make sure to disable any
DMZ as the DMZ will override the usual port forwarding needed by your OpenVPN
clients/server and would forward all connection requests to the DMZ host.
Yes, this is normal if the router is set to be not pingable (The option is set by default). To
rectify this and allow your server-side and client-side hosts to ping both routers endpoints
while making sure that external hosts (Not belonging to your networks) still dont ping your
routers interfaces, add the following entry to your Firewall section in both routers:
19 sur 73 01/05/2017 19:10

Well, in that case you will have to do the same operation as in the previous issue (i.e. Cannot
ping the remote endpoint) and add an extra iptables command in your Firewall section
in both routers:
iptables -I INPUT 1 -i tun0 -p tcp --dport 80 -j ACCEPT
Interesting question. Well, a bridged configuration will join both networks together as one,
same subnet, same IP range Looks easier, but the problem here would be that all kinds of
packets, including the infamous broadcasts will be traveling from one side of the network to
the other, resulting in less-than-optimized usage of your precious bandwidth. On the other
hand, a routed network will only send directed packets from one side of the network to the
other.
The problem here is that Chillispot insists on using tun0 as a communication tunnel. The
easiest solution is to simply replace your tun0 with another tunnel (tun2, tun3, etc)
20 sur 73 01/05/2017 19:10

accordingly.
Please take note that this VPN configuration will not work if your router(s) is/are set up as
DHCP forwarders. They must be DHCP servers in order for the VPN to connect properly.
Wadih | August 26, 2011
View all posts by Wadih
KK says:
August 26, 2014 at 9:07 pm
VPN works fine but Im unable to connect to an exchange 2003 server via
outlook 2003.
Reply
21 sur 73 01/05/2017 19:10

Hello,
Are you able to ping the Exchange server from the Outlook machine and vice-versa? If
that works, its not your VPN setup but something with your Exchange/Outlook
configuration.
Reply
KK says:
August 27, 2014 at 6:57 pm
Yes. I can ping the server from the client and vice versa.
Reply
Wadih says:
August 31, 2014 at 10:26 pm
Im assuming you are able to ping from the Outlook client to the
Outlook server. If that is the case, then the problem is not vpn-related. Its most
likely your Exchange Server configuration.
Reply
KK says:
September 2, 2014 at 10:40 pm
It seems the ISP is blocking port 135 tcp.
Wadih says:
September 3, 2014 at 5:53 am
It shouldnt matter, if your communication is going through your

VPN then port blocking will have no effect. Are you sure you are using the
Exchange servers internal IP address?
KK says:
22 sur 73 01/05/2017 19:10

ip address. Both vpn tunnel endpoints are on linksys e1200 routers flashed
with dd-wrt. The Exchange server is on a LAN behind on of the routers. I can
use PortQry and query udp port 135 and get a response from the server over
the vpn. A similar query to tcp port 135 times out.
Wadih says:
Hi KK,
Since your VPN is up and running, the ISP port blocking becomes irrelevant.
Your requests are going through the VPN tunnel itself and the ISP will not see
them! Thats the beauty of using VPNs.
As long as you are using your private IPs to communicate between the
Exchange Server and Client, communication should flow just fine AS LONG
AS THE VPN TUNNEL IS UP.
Cheers,
W.
Robert says:
March 11, 2015 at 12:40 am
Make sure your testing the internal (private) ip not the external
public ip. its probably a dns issue telling your client to use the public ip.
Gumpher says:
August 30, 2014 at 9:20 pm
I am using Buffalo v24SP2 (11/05/13) std and this configuration is not
23 sur 73 01/05/2017 19:10

suggestion?
Reply
Gumpher says:
August 30, 2014 at 10:39 pm
I was able to get it to work. I started over again and dport change allowed
it to connect.
Reply
Wadih says:
August 31, 2014 at 10:25 pm
Great! Good to hear that things went fine!
Reply
Michael says:
How would I do not only a openvpn connection from router to router but also
on the server router set it up to allow users to vpn into it and ultimately setup a server on the
client router so users can vpn into that router/subnet as well?
Reply
Wadih says:
Hi Michael,
That will be a different setup since you will need have multiple users accessing your
networking via VPN and not a static 1:1 between two routers. I would recommend you
look at the DD-WRT tutorial portal for this: http://www.dd-wrt.com/wiki/index.php
/OpenVPN
Cheers!
24 sur 73 01/05/2017 19:10

Archer says:
Thank you soo much for the write-up. I am interested in setting this up. Could
you recommend a router? Let us know which model was used for your setup.
Thanks
Archer
Reply
Wadih says:
Hi Archer,
There is a wide variety of routers that you can use, Id suggest you visit the dd-wrt router
database page (http://dd-wrt.com/site/support/router-database) for the latest updated
list. You can even start with a Linksys WRT-54GL if you can find one in the market.
Whatever model you choose, make sure you download the VPN, big or mega flavour of
the firmware.
Cheers,
W.
Reply
Ken says:
October 3, 2014 at 10:09 am
Hello! I setup your tutorial over a year ago and Ive had a site-to-site VPN
tunnel between my house and my parents flawlessly ever since!! I did have one question, not
sure if you know the answer. At my parents house (client side) all client IP addresses are
being reported through the tunnel as the server-side DD-WRT address, as opposed to their
actual IP address. I know this has something to do with NAT but Im not familiar with
25 sur 73 01/05/2017 19:10

addresses at my parents are reported as their actual and not just the DD-WRT openVPN
server IP?
Reply
Wadih says:
Hi Ken,
Happy to hear that your setup is working fine! Ive been using it for 6 years now in
several locations and works great too.
Regarding your question, do you mean that a PCs IP address at your parents house is
NATted at your own house? Or do you mean that your own EXTERNAL IP address is
used for your parents PCs?
Please email me your configs (Make sure to remove the keys please) and I can take a
look.
Cheers,
W.
Reply
Ken says:
HiPardon my ignorance but Im not able to locate your email address.

If you can my email address in the blog can you email it to me then Ill email you my
config? Thank you very much!!
Reply
Wadih says:
Email heading your way!
Reply
26 sur 73 01/05/2017 19:10

Hello, I have read and I setup your tutorial but I have a problem which I
cannot resolve by alone.
I have this type of configuration:
a server ddwrt vpn router (192.168.2. as local net behind an other router (192.168.1.1 as local
net). On that one, I have enabled the traffic redirect from first router(that use dyndns
service) to second one. The client ddwrt router works in an Office, receiving internet access
from another local net (192.168.0.115 Wan side and 192.168.31.1 for its local net)..The tunnel
vpn is on 10.0.0.0 and it works correctly, from server vpn(10.0.0.1) I can see the client
router homepage on 192.168.31.1 and also on 10.0.0.2 but cannot see other devices behind
client router, for example 192.168.31.2/24..how can I solve ? Where is the problem?
Peraphs I havent specified the gateway for VPN address?Thank you for your help.
Reply
Wadih says:
October 21, 2014 at 4:18 pm
Yes, you sound like youre missing some routing commands there. Send me
your configs (without the secret key) and a short schematic of your topology, Ill check it
out for you.
You need to add 1 or 2 routing commands since youre using static routing
Reply
Nerdface Killah says:

I am hoping you still view your comments. I had setup a main hq and a
satellite office and it was going great. I recently added a new satellite office and routing is
working between the two sites and the hq. However after adding this second satellite
location weve encountering problems with their VOIP phones having very bad latency and
sometimes rebooting on its own. Im curious is there anything I might try or do to try and
get the phones working smoother?
27 sur 73 01/05/2017 19:10

Wadih says:
Check the remaining memory on the routers, you may be overloading them
if youre using too much space in your configurations, these little devices have
notoriously small flash/RAM and memory leakage tends to happen.
I personally am running a 16-nodes network Flawlessly, so it should really work fine.
If youre still facing the issue, email me with your configs (without your shared keys
please) and Ill look into them May take some time, sorry for the delay Got a day job
Reply
Bart says:
Hi there,
I have set up openvpn between an Asus RT52ACU running firmware and linksys 1550 with
ddwrt v24-sp2 big.
I dont understand any of this, but the vpn is working. I can reach the ddwrt from a pc on the
asus network, using the openvpn ip address 10.0.57.6.
but, I cannot reach anything else. the subnet on ddwrt is 192.168.93.0, but I cannot reach
the ddwrt on 192.168.93.1 or another server on 192.168.93.2. Locally, however, these
addresses work fine.
so, this is probably very simple. I tried some things like puting routes in the asus, but to no
avail.
Can you tell me what to do?
Cheers,
Bart
Reply
28 sur 73 01/05/2017 19:10

Hi Bart,
Buddy, I need some more details. What are the Asus sides internal IP addresses? What
about the Linksys side? What subnets are you using for your site-to-site communication?
Drop me a note with your configs (Without secret keys, please), Ill check it out for you.
Cheers,
W.
Reply
29 sur 73 01/05/2017 19:10

Hi, in your tutorial you are mixing 10.0.0.2 and 192.168.2.0 ip ranges, is that
by mistake or whats the purpose of it?
route add -net 192.168.2.0 netmask 255.255.255.0 gw 10.0.0.2
Reply
Wadih says:
Usually, home routes come preconfigured with the 192.168.x.x class, trying
to make your life easier by keeping it this way. 10.0.0.x are also private addresses that
you wont find on the live internet. I preferred to separate the site-to-site ranges from
the actual user ranges but you can change them to your liking
Its always a good practice not to use real IPs on your intranet and rely on the private
address space, heres some reading about it if you want to know more:
http://en.wikipedia.org/wiki/Private_network
Cheers,
W.
Reply
Chris says:
Hello Wadih, I have a point to point link between two offices A and B.
We are running out off bandwidth as the rate of data being transferred back and forth is
growing faster than we thought
Can this setup do data compression through the vpn ?
That will help us saving some bandwidth .
Regards,
Chris
Reply
30 sur 73 01/05/2017 19:10

Hi Chris,
Yes, you can try to add the comp-lzo command to your server and client configurations
and test.
A couple warnings:
Not all dd-wrt versions have a working compression, activate and test.
If youre using old/slow gear like the WRT-54GL for example, the compression might
overload them as its CPU-intensive. Again, best to try and test.
Cheers,
W.
Reply
Chris says:
Thanks Ill try it..
Reply
Bruhi says:
Is there a way to connect a site-to-site DD-WRT (v24-sp2 (07/31/12) vpnkong)

to a Cisco RVO42?
Reply
Wadih says:
By using a common supported VPN protocol Sure!
From the GUI, I believe you can use PPTP without much hassle (I havent tried it with an
RV042, but with Windows/Mac Clients).
31 sur 73 01/05/2017 19:10

tested it) get connectivity with the RV042. Check the following URL for information on
how to install/configure the VPNC on a DD-WRT router: http://www.dd-wrt.com
/wiki/index.php/VPNC
Reply
Rick says:
November 7, 2014 at 4:14 pm
Using 3 Buffalo wzr-600dhp2 routers.

dd-wrt 24461 v24-sp2 6/23/2014 std.
Full routed OpenVPN connectivity between
Main office and 2 remote offices.
The write up here worked well.
It took me a bit of time to understand.
Thank You very much for all the effort,
Rick M
Reply
Wadih says:
Thanks for the feedback, Rick.
Reply
Melvyn says:
November 18, 2014 at 9:39 am
wanted to run my configs and environment by you to make sure Ive got
everything. Its a simple 1server/1client. Could you sent me your e-mail address? Thanks!
(and Ill redact my key :-))
Reply
32 sur 73 01/05/2017 19:10

its me at wadihzaatar dot com
Reply
Melvyn says:
thanks. just sent my info
Reply
Melvyn says:
(just let me know if the information I sent wasnt sufficient. thanks!)
Reply
Melvyn says:
December 2, 2014 at 5:25 pm
I re-created my configs based on your tutorial and the tunnel is now up.
Just had to draw it out on paper and reread the posts. I am not yet able to ping some
addresses on my server site, but will work on it tonight. Ill resend you my configs to
see if Im missing anything. Thanks.
Reply
Wadih says:
December 21, 2014 at 6:04 am
Hi Melvyn,
Any updates on your issue? Want to schedule some time to go over the configs
and troubleshoot directly?
Reply
Melvyn says:
33 sur 73 01/05/2017 19:10

intended). Your tutorial was very helpful and the info gave me some tips in
finalizing my VPN tunnel.
Thanks for the assistance!
80sguitarist says:
Well, I tried getting this tutorial to work on two Asus RT-N16s running Build
14896. Attempted it several times and thought it just didnt work. UNTIL I found my
mistake. In both your startup scripts I was foolishly replacing the r 10.0.0.x with my subnet
of 192.168.2.0. Of course I should have been replacing the OTHERSUBNET text with the
192.168.2.0 subnet. Completely my fault. Once I set the scripts up properly and rebooted
both the OpenVPN Server RT-N16 and the OpenVPN Client RT-N16 it worked great. I was
easily able to ping needed device IPs over the VPN. Awesome tutorial! Now time to start
configuring DNS across the VPN.
One small footnote though. You state to Start by downloading the latest OpenVPN package
from OpenVPNs main site. Install the package (Usually gets installed in C:\Program
Files\OpenVPN if you are running Windows). Then you list the command to run from a
command prompt: openvpn genkey secret static.key. The problem for me was that
OPENVPN was installed in the directory C:\Program Files\OpenVPN\bin so I had to do a
little prodding around for the executable. Small issue but it may help others if they get stuck
at that part. Still a fantastic tutorial for first time OpenVPN users. Greatly appreciated!
Reply
Wadih says:
Hi Craig,
Thank you for taking the time to provided detailed feedback. Ill make sure to update the
34 sur 73 01/05/2017 19:10

Cheers,
Wadih
Reply
Ryan says:
Hello Wadih, thanks for this great tutorial!
Ive setup the basic server client configuration and it works perfectly, almost.
Print jobs dont appear to be getting through the tunnel. Im able to install the printer and I
can access its web gui just fine, but when I go to print a document nothing happens.
Have you run into this before? Thanks
Reply
Ryan says:
Solved, sort of.
If the printer is connected to the network through wifi print jobs dont get across the
firewall. (I think)
Printing to a printer thats connected through ethernet cable works perfectly.
Reply
Wadih says:
Hi Ryan,
Must be a local configuration problem. I have a similar setup with an HP wireless

printer and I can print remotely.
Also, how did you install the printer? Which protocol? Have you tried direct TCP/IP?
Cheers,
35 sur 73 01/05/2017 19:10

Reply
Ryan says:
Im not sure what it was, but the problem seems to be gone after a
30/30/30 reset on both routers.
I have a new question for you, is it possible to have road-warriors using this
setup?
Thanks again
Reply
Wadih says:
Read this post after the other one! So this confirms that TCP/IP works fine,
must be the protocol you are using to print. As a routed network, not all discovery
protocols are advertised from one side to the other, better connect to the printer directly
via TCP/IP.
Reply
Samson Fu says:
Hello Wadih,
Thanks for your grate tutorial!
Ive followed the 1 server 1 client to config my routers, but I found they are not working.
I found the tun0 become tun0-00 by the ifconfig? Ive tried to change the dport to other
values as Gumpher suggested, but still not working.
Can I send my config file to you by email ?
36 sur 73 01/05/2017 19:10

Samson Fu
Reply
Bjoern says:
January 6, 2015 at 10:26 am
Hello Wadih, great tutorial. I had used the original to configure a 3 router
setup (1 VPN server, 2 clients) with routing between all sites (192.168.2/3/4) without any
DNS requests being routed. It works flawlessly.
Then I modified the config to add a WindowsPC via OpenVPN as the 3rd client with a fixed
IP which worked up until about 6 months ago. I reinstalled my PC with Windows8.1 and as
such had to also install the latest OpenVPN package. Since then I have not been able to
connect to the VPN via my PC anymore.
I have the log files and obviously the config files. If there are any settings that need to
change between the config from about 12 months ago and today based on known changes in
the OpenVPN PC client, Id love to hear about what I should change.
Thanks in advance
Reply
37 sur 73 01/05/2017 19:10

Excellent write up. Very detailed. Question. Where your method is using static
key, there are no CN (Common Name) or certificates associated with connecting clients.
Additionally, the OpenVPN status page is not visible in DD-WRT as it sees it as disabled,
even though it is in fact running. I was able to enable the management interface and telnet
into it and see a connected client, but is there a way to pull up a more detailed status, or
assign names to the connecting clients to the main site? I plan on connecting 2 sites to a
main router, so I was curious about the ability to name those connections something unique
so I can verify they are connected.
Reply
Kiba says:
Hi Wadih,
Thanks for all the work you put into this, very well written. I have run into a issue I can not
seem to figure out. I have your site to site working. I also setup the DNS part as well, I
followed the instruction to the letter, this also worked great. nsloopup resolves as expected.
I have a samba fileserver on domain1, called mica and a computer on domain2. The
computer on domain2 can network map ok .eg. \\samba.domain1\kiba works great and I
see all the files.
The problem is if I try and join to the samba domain named mica. Works fine if Im
phyically on the domain1 subnet 192.168.1.1 (the one that also has the fileserver), but if Im
on the domain2 subnet 192.168.2.1 it fails with the error :-
Recorded in the file C:\Windows\debug\dcdiag.txt.
The following error occurred when DNS was queried for the service location (SRV) resource
record used to locate an Active Directory Domain Controller (AD DC) for domain
mica.domain1:
The error was: DNS name does not exist.

(error code 0x0000232B RCODE_NAME_ERROR)
The query was for the SRV record for _ldap._tcp.dc._msdcs.mica.domain1
38 sur 73 01/05/2017 19:10

The DNS SRV records required to locate a AD DC for the domain are not registered in
DNS. These records are registered with a DNS server automatically when a AD DC is added
to a domain. They are updated by the AD DC at set intervals. This computer is configured to
use DNS servers with the following IP addresses:
192.168.2.1
One or more of the following zones do not include delegation to its child zone:
mica.domain1
domain1
. (the root zone)
I thought maybe the port used was being blocked so I added to both routers firewall the
folowwing:
iptables -I INPUT 2 -p udp dport 1194 -j ACCEPT
iptables -I INPUT 3 -i tun0 -p icmp -j ACCEPT
Here is my smb.conf global settings

[global]
printcap name = /etc/printcap
printing = lprng
39 sur 73 01/05/2017 19:10

printer admin = machine tech

admin users = machine
security = user
wins support = yes
workgroup = mica
name resolve order = wins hosts bcast
encrypt passwords = true
domain master = yes
netbios name = Samba
domain logons = yes
logon drive = h:
logon path =
logon script = login.bat
local master = yes
preferred master = yes
preserve case = yes
interfaces = eth2 192.168.1.1/24 192.168.2.1/24
bind interfaces only = yes
passwd program = /usr/bin/passwd %u
encrypt passwords = true
passdb backend = tdbsam
pam password change = yes
unix password sync = true
passwd chat = *new*password* %n\n *new*password* %n\n *updated*
wide links = no
wins support = yes
Still no joy.
Any thoughts that might help?
Thanks,
Kiba
40 sur 73 01/05/2017 19:10

Ck says:
Im using two cisco e2500 routers running DD-WRT v24-sp2 (03/25/13) mega
wanting to run a site-to-site bridge. a lot of the tutorials i read are for other routers so im
not sure if thats the starting problem.
i was stuck on the dd-wrt instructions http://www.dd-wrt.com/wiki/index.php/OpenVPN_-

_Site-to-Site_Bridged_VPN_Between_Two_Router followed intructions as close as
possible with no luck.
I came across your tutorial and it appeared easier(less steps) to use routed VPN instead but
no luck either. i copy the script exactly not sure what im suppose to change. i made sure i
changed OTHERSUBNET on the client and server side. change the remoteaddress to my
DNS server. am i suppose to change 10.0.0.1 and 10.0.0.2 on the script, if so to what? this is
all new to me so sorry if im asking basic noob question. any help would be greatly
appreciated.
Reply
Shane says:
February 25, 2015 at 5:16 pm
Good afternoon,
Ive been running the Site-To-Site Routed VPN setup between my Main HQ site and branch
site for about a year now, and its been very stable and it works great.
I have a Windows Server at the HQ site with a domain and Active Directory setup, and all of
this works great between the HQ and branch site. The server also handles DHCP and DNS
for the domain.
The only issue Im having is that at my branch site (SiteB), my clients arent pulling IP
addresses from the HQ DHCP server (10.0.1.100). In order to get network connectivity at
the branch site, I have to manually configure all of my clients with a static IP. Once
configured, they work perfectly and can access all domain resources at either site. I have set
41 sur 73 01/05/2017 19:10

Are there any commands I need to put in the firewall scripts to allow my branch site to
send/receive DHCP requests from the HQ DHCP server?
Like I said, it works flawlessly at my main HQ site, just hoping to get that part working at
the branch site too since Im planning to add a few more branch sites in the future as well.
Thank you for your help,

Shane
Reply
Ari says:
February 26, 2015 at 12:43 pm
Hi Wadih,
thank you so much for your tutorial it is really clear. However its the first time i am doing a
VPN with dd-wrt routers, i followed you step by step,and it still doesnt seem to work ,can i
send you my file and you be able to see what i did wrong?
i made 2 network IDs

192.168.2.0
192.168.1.0
and i wasnt sure about where to pasty the password i am supposed to leave that small dots
.. ??
Thanks in advanced!
Reply
Wadih says:
May 21, 2015 at 1:11 pm
You need to create a new STATIC key password and place it there since
copying the one I have pasted would make your VPN configuration vulnerable and
obvious to outsiders (Which defeats the purpose of it).
Reply
42 sur 73 01/05/2017 19:10

Great writeup Wadih, it was super easy to follow and I got my site-to-site
connection up nicely.
However Im having an issue with the DNS part and Im a little lost as to what the problem
could be. My two routers are configured as such:
Router #1 (192.168.4.1):
DHCPserver to use domain on LAN & WLAN.

LAN domain set to domain1
DNSMasq enabled
Local DNS enabled
No DNS Rebind is disabled
Additional DNSMasq Options:
interface=br0,tun0
Router #2 (192.168.2.1):
DHCPserver to use domain on LAN & WLAN.

LAN domain set to domain2
DNSMasq enabled
Local DNS enabled
No DNS Rebind is disabled
Additional DNSMasq Options:
interface=br0,tun0
Are these settings correct? Is there something Im missing?
Reply
Wadih says:
May 21, 2015 at 1:10 pm
43 sur 73 01/05/2017 19:10

What are you trying to achieve with the DNS customizations? Maybe I can provide some
insight there.
Reply
Omar Basim says:

May 6, 2015 at 9:09 am
Dear Wadih
Sorry for my silly question . but is this way mean i can create VPN connection site to site
with DDns for both sides ???
now i have two sites with dynamic IP Addresses PPPOE connection . and also i have two
routers linksys E1200 running with DD-WRT . is that mean im able to use this way with
open VPN and Dynamic DNS to create VPN and connect Devices such as PABX or VoIP
Phones ???
Reply
Wadih says:
May 21, 2015 at 1:07 pm
Yes, you actually need one real IP. The other one doesnt need to be real
and can be a NATted IP.
Reply
Upalakshitha says:
May 10, 2015 at 8:28 am
Hi wadith,
I followed instructions & working perfectly. But i want to have 6 client routers. But main
router cannot have configuration for more than two client routers. After add 3rd tunnel
configuration, main router not working after reboot. Please help me.
Thanks.
44 sur 73 01/05/2017 19:10

Upalakshitha says:
May 10, 2015 at 8:34 am
I tried using EA2700 & WRT160N ver 3.0
Reply
Wadih says:
May 21, 2015 at 1:09 pm
Check how much NVRAM/RAM you have remaining. Did you insert any
extra commands/customizations?
Im currently running 15 nodes altogether and its working great!
Reply
Ryan says:
May 21, 2015 at 3:07 pm
Hi Wadih, Ive been using your solution for a few months now and
its been solid. However, now Im attempting to add a 3rd office into the mix and
so far have been unsuccessful. Can I email you my configs for some insight? The
original two offices are able to connect with my config, but the 3rd doesnt.
The routers Im using are all Netgear R7000s, should be more than capable for
this.
Reply
Ryan says:
May 21, 2015 at 4:03 pm
Only myself to blame, got it working. Number mismatch.
Wadih says:
June 3, 2015 at 10:18 am
If I start counting the number of times I made a mistake with the

numbers, I would still be counting!
45 sur 73 01/05/2017 19:10

Wadih says:
June 3, 2015 at 10:19 am
Yep, but please expect some delay! Between the job and life
events, its a little loaded these days.
Mark says:
June 26, 2015 at 3:33 am
Hi Wadih
Thanks for the clear tutorial. I tried to setup a tunnel, but I cant reach the other side from
neither the client or the server side. Traceroute shows the routing from the local network
192.168.93.0 to the tunnel 10.0.0.1 but after that, only time-outs.
I suspect the router of the ISP is blocking this port. Is there a reason not to use another port
or can I choose whatever I want, as long as I stay out of the standard ones. So e.g. 65889 or
whatever?
Reply
Wadih says:
July 2, 2015 at 4:57 pm
Hi Mark,
Sure, you can use any port you want, you can even try the lower ones as sometimes they
are not monitored.
Reply
Adrian Andrews says:
46 sur 73 01/05/2017 19:10

Really useful write up. Thanks.
I have just the basic setup.
Question = How can the client side be forced to access the internet (eg from their browsers)
through the server connection, and not locally ?
Reply
Wadih says:
July 2, 2015 at 5:02 pm
Two things need to be done:
On the client side, you need to add two route entries to your configuration. The first to
make sure that the route to the server-side external VPN IP address goes via your ISP
and the second one to route all traffic via your VPN endpoint.
On the server side, you need to allow all client traffic to go through the server node.
Please note the following:
Your client-side connection speed will be the lower of these two:

The server backplane or its capability to process your client-side packets.
Your ISP connection between your client and server since all your client-side traffic is
rerouted via the VPN.
Is there any reason as to why you want to pass all the traffic via VPN? You can also
consider specific routes for specific applications/ports to minimize your network load.
Hope this helps,
W.
Reply
Arvind says:
June 29, 2015 at 3:23 pm
Hi Wadih,
47 sur 73 01/05/2017 19:10

may be you help me to resolve. My Main office router IP 192.168.1.0/24 and remote office
IPs 192.168.2.0/24 and 192.168.3.0/24. in main office have one IP PBX system its IP
192.168.1.240. I want all remote office can access main office phone system. I put ip phone
in remote office and I able to ping those phone but its not working, PBX system require to
open those ports (TCP 1040-1044 AND UDP 2093-2096) to work. Can you help me how to
open those ports inside tunnel so I can able to use those phone in remote office.
Thanks
Reply
Wadih says:
July 2, 2015 at 5:05 pm
Hi Arvind,
The purpose behind this VPN is allow unblocked communication. So, by default all
traffic between your three networks should work without problems. Have you made sure
that client-to-client communication is working fine? i.e. 192.168.2.0 and 192.168.3.0 can
ping each other?
If yes, your problem resides elsewhere, but certainly not in the VPN configuration. Im
personally using this setup with 15 nodes and a PBX at one location All working great.
Cheers,
W.
Reply
Arvind says:
July 22, 2015 at 10:09 am
Thanks for your reply, yes I can ping each other and I can ping remote
pbx extension but my extension is not connecting to pbx, continuously looking pbx.
something is blocking in the network. Extension need to communicate by udp ports
2093-2096 and tcp 1040-1044. those port should be open but I am not sure those
ports are open or not. Please help me.
Thanks
Reply
48 sur 73 01/05/2017 19:10

Whats your PBX software? Asterisk, 3Cx, etc? You may have some
iptables blocking the communication.
Reply
Adrian Andrews says:

July 2, 2015 at 7:02 pm
Thanks for your helpful reply which I understand and will try soonest. I am
using a VPN over a low capacity (3Mbps down/ 1Mbps up) satellite link. The direct
(non-VPN) traffic is routed through the operators deep proxy which effectively increase the
throughput AT THE EXPENSE OF LATENCY. Any session based communications are
experiencing about 50% timeouts. I have experimented after hours with restricting the
bandwidth of my fibre to 300Kbps which is successful in that no sessions have timed out
yet. I therefore expect that routing all traffic through the VPN will solve the problem even if
the remote users have to wait longer for their webpages.
I have spelt this all out as it might help somebody else.
All the best
Reply
Rick Lambrechts says:

Hello Wadih,
Thank you very much with this tutorial, it helped us a lot.
I know you said it in the tutorial but i am hoping on a solution.
Is it possible to run the DHCP server on a Windows Server because of the Active Directory
and DNS settings?
Maybe it is possible to give the VPN client and server a static adres?
49 sur 73 01/05/2017 19:10

Wadih says:
Hi Rick,
I havent personally tried it, unfortunately!
Let me know how it goes, Ill add it to the Q&A section.
Cheers,
W.
Reply
Rick Lambrechts says:

Hi Wadih,
Because of the static tunnel adresses, is the DHCP not nessecary on the 2 routers.
For our project, whe used 2 routers and set the dhcp server on the 2 routers disabled, on
each site we had a system running Windows Server with AD, DNS and DHCP with no
problem.
Thank you!
Reply
Wadih says:
Perfect! Thanks for letting me know.
Sometimes, disabling something from one end may break something else from the
other end Hence my initial hesitation.
Have a great week.
W.
Reply
50 sur 73 01/05/2017 19:10

I am working on implementing this site to site VPN scheme.

Are you still around?
I have a couple questions. Complicated. Heh.
I have some routers (WRT54G with DDWRT Mega on each)
I have to use DDNS too. More complicated.
Reply
Wadih says:
No worries. Email me your questions.
DDNS works without any problems, dont worry.
Cheers,
W.
Reply
Marcel says:
Hi all of you,
thanks for this tutorial, really helped me a lot

Connected to dd-wrt v24-sp2 routers as described and the Connection established
successfully But a cant ping accross the VPN.
The Server can ping 10.0.0.1 but not 10.0.0.2, the client-router can ping 10.0.0.2 but not
10.0.0.1
Searched the Internet for a while, but unfortunately still no solution found yet :/ DMZ is
disabled on both sites, I also tried to set /proc/sys/net/ipv4/ip_forward ==> 1 Nothing
seems to help :/?
Does anyone experienced something similar and could give me a hint ?
Mon Oct 19 23:50:35 2015 OpenVPN 2.3.6 mips-unknown-linux-gnu [SSL (OpenSSL)]
51 sur 73 01/05/2017 19:10

Mon Oct 19 23:50:35 2015 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
Mon Oct 19 23:50:35 2015 Diffie-Hellman initialized with 2048 bit key
Mon Oct 19 23:50:35 2015 Socket Buffers: R=[172032->131072] S=[172032->131072]
Mon Oct 19 23:50:35 2015 TUN/TAP device tun0 opened
Mon Oct 19 23:50:35 2015 TUN/TAP TX queue length set to 100
Mon Oct 19 23:50:35 2015 UDPv4 link local (bound): [undef]
Mon Oct 19 23:50:35 2015 UDPv4 link remote: [undef]
Mon Oct 19 23:50:35 2015 MULTI: multi_init called, r=256 v=256
Mon Oct 19 23:50:35 2015 Initialization Sequence Completed
Mon Oct 19 23:50:57 2015 XX.XXX.XXX.XXX:YYYY TLS: Initial packet from
[AF_INET]80.187.101.182:3170, sid=9cf18465 4ba40254
Mon Oct 19 23:51:00 2015 XX.XXX.XXX.XXX:YYYY VERIFY OK: depth=1, C=DE, ST=XX,
L=XX, O=XXX, OU=XXX, CN=XXXXXX, name=XXX,
emailAddress=myVpn@myMail.com
Mon Oct 19 23:51:00 2015 XX.XXX.XXX.XXX:YYYY VERIFY OK: depth=0, C=DE, ST=XX,
L=XX, O=XXX, OU=XXX, CN=XXXXXX, name=XXX,
emailAddress=myVpn@myMail.com
Mon Oct 19 23:51:01 2015 XX.XXX.XXX.XXX:YYYY Data Channel Encrypt: Cipher
BF-CBC initialized with 128 bit key
Mon Oct 19 23:51:01 2015 XX.XXX.XXX.XXX:YYYY Data Channel Encrypt: Using 160 bit
message hash SHA1 for HMAC authentication
Mon Oct 19 23:51:01 2015 XX.XXX.XXX.XXX:YYYY Data Channel Decrypt: Cipher
BF-CBC initialized with 128 bit key
Mon Oct 19 23:51:01 2015 XX.XXX.XXX.XXX:YYYY Data Channel Decrypt: Using 160 bit
message hash SHA1 for HMAC authentication
Mon Oct 19 23:51:01 2015 XX.XXX.XXX.XXX:YYYY Control Channel: TLSv1, cipher
TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mon Oct 19 23:51:01 2015 XX.XXX.XXX.XXX:YYYY [XXXXXXXXXXX] Peer Connection
Initiated with [AF_INET]XX.XXX.XXX.XXX:YYYY
Mon Oct 19 23:51:01 2015 XXXXXXX/XX.XXX.XXX.XXX:YYYY MULTI: no dynamic or
static remote ifconfig address is available for XXXX/XX.XXX.XXX.XXX:YYYY
52 sur 73 01/05/2017 19:10

Wadih says:
Hi Marcel,
Email me your configs without the keys. Ill check your config and reply back.
Cheers,
W.
Reply
Nycmaster says:
Hello
Thanks to your great post here, I have 1 HQ and 3 remote offices that is connected with little
to no trouble at all!! However My current setting was configured more than 3 years ago and
I am in a process of upgrade (Both hardware and configuration) I will probably get 4 x
Netgear R7000 for each location and have latest Kong K3-AC DDWRT (Dated 10.25.2015)
in there.
The configuration upgrade I need is to have my on-road sales guys (About 4-5 people) with a
laptop to have access to server resources (Files, Networked Quickbook, intranet, etc) which
is physically located in HQ when theyre on the road and not in our VPN network. The usual
case is that they visit customers site and have WiFi access from customer or use their
phones tethered wifi access.
Im guessing I need to install Openvpn client in the laptop but how would I go about to give
my on-road guys access to our VPN from outside of our network?
Reply
Dane says:
I am running dd-wrt on a linksys e1000 (client side) and a linksys e4200
53 sur 73 01/05/2017 19:10

to ping the server side from the client side but not the other way. Any thoughts on a cause
for this? There is a server on the server side network I need the client side to connect to. I
can ping it from client side but cannot connect to it. Any help you can give will be greatly
appreciated.
Reply
Stevie says:
Hello,
I was hoping you could help me out. Ive implemented a site to site VPN but I cant get the
tunnel to come up. Can I email you the logs Im getting? If so, what is your email?
Reply
Vladimir says:
January 8, 2016 at 2:33 pm
Hello.
I am trying to configure VPN-channel between the router with DD-WRT and gateway with
Linux. On the Linux machine has long been used openvpn, it is the server and router with
DD-WRT to connect to it.
Router with DD-WRT: TPLINK TL-WDR4300 v1

Firmware DD-WRT: DD-WRT v24-sp2 (06/01/15) std build 27147
Problem: tunnel seems to work, but not ping ip tunnel OpenVPN (10.10.5.1) and accordingly
does not ping internal network.
Openvpn log (Linux):

Thu Jan 8 20:36:10 2015 us=823791 OpenVPN 2.1.3 i486-pc-linux-gnu [SSL] [LZO2]
[EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Feb 20 2012
Thu Jan 8 20:36:10 2015 us=824288 NOTE: the current script-security setting may allow
this configuration to call user-defined scripts
Thu Jan 8 20:36:10 2015 us=824554 ******* WARNING *******: all encryption and
54 sur 73 01/05/2017 19:10

Thu Jan 8 20:36:10 2015 us=824640 LZO compression initialized

Thu Jan 8 20:36:10 2015 us=824712 MTU DYNAMIC mtu=1450, flags=2, 1501 -> 1450
Thu Jan 8 20:36:10 2015 us=824926 Socket Buffers: R=[112640->131072]
S=[112640->131072]
Thu Jan 8 20:36:10 2015 us=826101 GDG: route[1] 192.168.0.0/255.255.255.0/0.0.0.0
m=0
Thu Jan 8 20:36:10 2015 us=826142 GDG: route[2] 0.0.0.0/0.0.0.0/ m=0
Thu Jan 8 20:36:10 2015 us=826334 GDG: best=[2] lm=0
Thu Jan 8 20:36:10 2015 us=830609 TUN/TAP device tun1 opened
Thu Jan 8 20:36:10 2015 us=830894 TUN/TAP TX queue length set to 100
Thu Jan 8 20:36:10 2015 us=834980 /sbin/ifconfig tun1 10.10.5.1 pointopoint 10.10.5.2
mtu 1500
Thu Jan 8 20:36:10 2015 us=843798 /etc/openvpn/route-tmp.up tun1 1500 1501 10.10.5.1
10.10.5.2 init
Thu Jan 8 20:36:10 2015 us=856330 Data Channel MTU parms [ L:1501 D:1450 EF:1
EB:135 ET:0 EL:0 AF:14/1 ]
Thu Jan 8 20:36:10 2015 us=856589 Local Options String: V4,dev-type tun,link-mtu
1501,tun-mtu 1500,proto UDPv4,ifconfig 10.10.5.2 10.10.5.1,comp-lzo
Thu Jan 8 20:36:10 2015 us=856633 Expected Remote Options String: V4,dev-type
tun,link-mtu 1501,tun-mtu 1500,proto UDPv4,ifconfig 10.10.5.1 10.10.5.2,comp-lzo
Thu Jan 8 20:36:10 2015 us=856739 Local Options hash (VER=V4): 52e725a4
Thu Jan 8 20:36:10 2015 us=856909 Expected Remote Options hash (VER=V4): 2d3ae0b8
Thu Jan 8 20:36:10 2015 us=867626 UDPv4 link local (bound):
[AF_INET]78.111.82.146:2500
Thu Jan 8 20:36:10 2015 us=867870 UDPv4 link remote: [undef]
Thu Jan 8 20:37:41 2015 us=907547 TUN READ [104]
Thu Jan 8 20:37:41 2015 us=908691 TUN READ [52]
Thu Jan 8 20:37:41 2015 us=908983 MSS: 1460 -> 1409
Openvpn log (DD-WRT):

Jan 8 17:31:17 GW2 daemon.warn openvpn[1348]: ******* WARNING *******: all
55 sur 73 01/05/2017 19:10

Jan 8 17:31:17 GW2 daemon.notice openvpn[1348]: LZO compression initialized

Jan 8 17:31:17 GW2 daemon.notice openvpn[1348]: Socket Buffers: R=[172032->131072]
S=[172032->131072]
Jan 8 17:31:17 GW2 daemon.notice openvpn[1348]: TUN/TAP device tun0 opened
Jan 8 17:31:17 GW2 daemon.notice openvpn[1348]: TUN/TAP TX queue length set to 100
Jan 8 17:31:17 GW2 daemon.notice openvpn[1348]: Data Channel MTU parms [ L:1533
D:1450 EF:1 EB:135 ET:32 EL:0 AF:14/1 ]
Jan 8 17:31:17 GW2 daemon.notice openvpn[1348]: Local Options String: V4,dev-type
tun,link-mtu 1533,tun-mtu 1532,proto UDPv4,comp-lzo
Jan 8 17:31:17 GW2 daemon.notice openvpn[1348]: Expected Remote Options String:
V4,dev-type tun,link-mtu 1533,tun-mtu 1532,proto UDPv4,comp-lzo
Jan 8 17:31:17 GW2 daemon.notice openvpn[1348]: Local Options hash (VER=V4):
642d2254
Jan 8 17:31:17 GW2 daemon.notice openvpn[1348]: Expected Remote Options hash
(VER=V4): 642d2254
Jan 8 17:31:17 GW2 daemon.notice openvpn[1348]: UDPv4 link local (bound): [undef]
Jan 8 17:31:17 GW2 daemon.notice openvpn[1348]: UDPv4 link remote: [AF_INET]:2500
Jan 8 17:31:17 GW2 daemon.notice openvpn[1348]: UDPv4 WRITE [17] to
[AF_INET]:2500: DATA len=17
Config OpenVPN (DD-WRT):

cd /tmp
echo
remote
proto udp
56 sur 73 01/05/2017 19:10

dev tun0
verb 7
comp-lzo
keepalive 10 120
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
auth none
cipher none
script-security 2
daemon
> vpn-s2s-date-tmp.conf
/tmp/myvpn mktun dev tun0
ifconfig tun0 10.10.5.2 netmask 255.255.255.255 pointopoint 10.10.5.1 promisc up
route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.10.5.1
sleep 5
/tmp/myvpn config vpn-s2s-date-tmp.conf
Config IPtables (DD-WRT):

iptables -I INPUT 1 -p udp dport 2500 -j ACCEPT
iptables -I FORWARD 1 source 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -s 10.10.0.0/24 -j ACCEPT
iptables -A FORWARD -m state state RELATED,ESTABLISHED -j ACCEPT
Routing table (DD-WRT):

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 0.0.0.0 UG 0 0 0 vlan2
10.10.5.1 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
57 sur 73 01/05/2017 19:10

169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br0

0.0.0.0 255.255.255.252 U 0 0 0 vlan2
192.168.1.0 10.10.5.1 255.255.255.0 UG 0 0 0 tun0
192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
Ifconfig (DD-WRT):
br0 Link encap:Ethernet HWaddr 14:CC:20:52:06:F3
inet addr:192.168.3.1 Bcast:192.168.3.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3230 errors:0 dropped:0 overruns:0 frame:0
TX packets:3014 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:586509 (572.7 KiB) TX bytes:1164347 (1.1 MiB)
br0:0 Link encap:Ethernet HWaddr 14:CC:20:52:06:F3

eth0 Link encap:Ethernet HWaddr 14:CC:20:52:06:F3

RX bytes:1226423 (1.1 MiB) TX bytes:1774085 (1.6 MiB)
Interrupt:4
lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MULTICAST MTU:65536 Metric:1
RX bytes:340 (340.0 B) TX bytes:340 (340.0 B)
tun0 Link encap:UNSPEC HWaddr
58 sur 73 01/05/2017 19:10

inet addr:10.10.5.2 P-t-P:10.10.5.1 Mask:255.255.255.255

UP POINTOPOINT RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX bytes:0 (0.0 B) TX bytes:43367 (42.3 KiB)
vlan1 Link encap:Ethernet HWaddr 14:CC:20:52:06:F3

RX bytes:586555 (572.8 KiB) TX bytes:1164347 (1.1 MiB)
vlan2 Link encap:Ethernet HWaddr 14:CC:20:52:06:F3

inet addr: Bcast: Mask:255.255.255.252
RX bytes:538150 (525.5 KiB) TX bytes:586218 (572.4 KiB)
Config Openvpn (Linux):

dev tun
local
ifconfig 10.10.5.1 10.10.5.2
proto udp
auth none
cipher none
script-security 2
up /etc/openvpn/route-tmp.up
down /etc/openvpn/route-tmp.down
port 2500
59 sur 73 01/05/2017 19:10

verb 7
log-append /var/log/openvpn-s2s-date-tmp.log
Routing table (Linux):

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.10.5.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun1
192.168.3.0 10.10.5.2 255.255.255.0 UG 0 0 0 tun1
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
0.0.0.0 0.0.0.0 UG 0 0 0 vlan386
ifconfig (Linux):
eth2 Link encap:Ethernet HWaddr 00:19:5b:fe:32:57
inet6 addr: fe80::219:5bff:fefe:3257/64 Scope:Link
RX bytes:3664262489 (3.4 GiB) TX bytes:3740640529 (3.4 GiB)
Interrupt:17 Base address:0xdc00
lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX bytes:18016 (17.5 KiB) TX bytes:18016 (17.5 KiB)
tun1 Link encap:UNSPEC HWaddr

00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.10.5.1 P-t-P:10.10.5.2 Mask:255.255.255.255
60 sur 73 01/05/2017 19:10


RX bytes:0 (0.0 B) TX bytes:13904 (13.5 KiB)
vlan386 Link encap:Ethernet HWaddr 00:1e:58:aa:88:7a

inet addr: Bcast: Mask:255.255.255.252
inet6 addr: fe80::21e:58ff:feaa:887a/64 Scope:Link
RX bytes:3481922440 (3.2 GiB) TX bytes:4017032006 (3.7 GiB)
Reply
61 sur 73 01/05/2017 19:10

Hi Wadi,
I followed the steps to setup the client and the server until step #4.
I dont really know how to check if the setup is correct or not but I think I did everything
correctly as instructed.
I have two locations with two different ISPs, the issue that I have is at location 1 (client) the
ISP blocks SIP protocol and Im trying to connect location 1 to location 2 so I can have the
packets go from location 1 to location 2 and avoid the blockage.
after configuring both server and client, im still having the issues with the blockage, Im not
sure if I should do more steps to complete the setup, or I should use bridged VPN instead.
Please help!
Thanks,
James
Reply
62 sur 73 01/05/2017 19:10

This is great, but isnt there a way so that the client only sees the outside world
through the VPN tunnel.
Reply
Wadih says:
Sure! Say you want to have all traffic from the Client1 Intranet side to go
through your server side, youll need to do a couple things:
1. Add a route command allowing the client to find the server via its bridge.
2. Add a route command rerouting all traffic via the tunnel.
3. Add a masquerade option on the server side to allow tunnel-based traffic to access the
internet.
Reply
Seb says:
May 26, 2016 at 11:14 am
Hello,
in case youre still checking those comments: Thank you very much for this easy and
efficient tutorial!
Machines on either side of my tunnel can access each other. I can access the router on the
side Im on, but not on the other side.
So on the HOST network 192.168.0.0, I can access 192.168.0.1 (or 10.0.0.1), but not
192.168.2.1 (or 10.0.0.2).
On the connecting network 192.168.2.0, I can access 192.168.2.1 (or 10.0.0.2), but not
192.168.0.1 (or 10.0.0.1).
Can I solve this? Is this intended?

Its no deal breaker, but it would be nice to be able to access the off-site router.
Greetings,
63 sur 73 01/05/2017 19:10

Reply
Wadih says:
May 26, 2016 at 8:01 pm
Hi Seb. Thanks for the kind note. Still checking them sporadically. Since
the tunnel is up and connectivity is established, I suspect that you probably missed
adding the firewall rules to allow ICMP or any other service on the other site.
Reply
Bobber says:
June 18, 2016 at 7:27 pm
Really useful info here, Wadih. Thanks for sharing!

I am working on a 3-cornered deployment where i will have Server, Client1, and Client2 as
you show in this tutorial. In addition to each client having regular conversations with the
server, I will also have Client1 and Client2 having frequent conversations. Is it sufficient to
use the server as middle-man when the two clients talk, or would it benefit me to configure
an additional pipe directly between the clients? Also, would your answer change if I added a
Client3?
Many thanks for any insights.
-Bobber
Reply
Wadih says:
June 18, 2016 at 7:34 pm
Thanks, Bobber.
It depends on your bandwidth requirements. The routing that your server will perform
will certainly impact its external traffic as well as Server-Client1 traffic and Server-
Client2 traffic. Hence, if youre talking about small traffic like compressed VoIP for
example, that should be ok. But if you do file transfers between Clients, then the impact
will be much bigger.
64 sur 73 01/05/2017 19:10

In one of my current implementations, I have a VoIP server at Server1 and 15 clients.

Essentially VoIP traffic circulates and redirects all day long. Works perfectly!
So, it will depend on your implementation and constraints. Feel free to email me your
particular scenario if you want to discuss further.
Cheers!
Reply
Bobber says:
June 20, 2016 at 10:30 am
Thanks for the prompt reply and for the extra insight.
I think I will proceed with the hub-and-spoke topology and stick with that until I see
a reason to change.
Reply
Robert Whitacre says:

June 19, 2016 at 4:17 am
That all depends on the throughput bandwidth between them.
Reply
Drew says:
June 21, 2016 at 8:51 pm
Wadih, I put the info in the server configuration on a new buffalo dd-wrt
router (v24?) under commands and firewall. After I clicked save, the router disconnected (I
didnt even click apply or reboot) Now the office has lost internet access entirely. Have you
heard of this before?
One guess, maybe that router doesnt have enough free space to save all that in the
commands and firewall section? Ive never seen a dd-wrt router make any changes after a
simple save operation. Im not on-site so am still waiting for someone to get there to see if
65 sur 73 01/05/2017 19:10

Thanks
Reply
Wadih says:
June 21, 2016 at 9:13 pm
Yes, may happen. Have you tried power cycling the router (turning off/on)?
What version of DD-WRT are you using?
Reply
Drew says:
June 21, 2016 at 9:24 pm
server and client configs that is. anyway, thanks for your quick response
Reply
Drew says:
June 21, 2016 at 9:23 pm
Nevermind, I found I accidentally switched the server and ip configs. Oops
Reply
Wadih says:
June 21, 2016 at 9:24 pm
No worries! Hope it works out well.
Reply
Tomas says:
July 30, 2016 at 7:02 pm
Hello friend, thanks for this great tutorial.

I need help to configurate a VPN with some modifications regarding you present here.
66 sur 73 01/05/2017 19:10

https://dl.dropboxusercontent.com/u/65615557/Network%20Transovalo.png
In this scheme there are two LANs, connected by a VPN tunnel through internet. The
intention is share a IP telephony system sevice and a NAS server physically installed in
LAN2, in a place a few kilometers from the LAN1 in where will be used those services.
In one extreme of the VPN tunnel is ROUTER1 in LAN1, as VPN server. The idea for this
ROUTER1 is to extend the local network to an other ROUTER2, in LAN2, as VPN client in
the other extreme of the VPN tunnel.
One of the particularity of this scheme is that network configuration on LAN1 (like DHCP,
network range, DNS, etc) are determinated by MODEM1, but not by ROUTER1, being this
last one just like any other device plugged at local network. Indentical situation happends in
LAN2, where MODEM2 determine local network parameters and ROUTER2 just belongs to
this.
Maybe you wonder why dont configure a VPN in modem and avoid to use 2 aditionals
routers withs all aditionals problems. The thing is, firstly, modems havent DD-WRT
firmwork (jaja), secondly, I cant have access to modem because ISP doesnt give to me the
pass of the modem, neither configuration information to configure as a bridge and put a
router after. Third, dont need all devices in LAN2 conected to VPN.
So, I understand that the configuration you explain in this post will not work in this case
because both routers will have a local IP on WAN(like 192.168.10.x), and not the public IP
who provide the ISP. It is why I think it necessary configure ROUTER1 as a bridge of LAN1,
as a bridge VPN server of LAN1, if its possible something like that. This in one extreme of
the tunnel VPN, in the other we have the ROUTER2 in LAN2. It have to be configurated in a
way which allows all connected devices to acquire automatically network configurations
belongs at LAN1.
Well, i wish i was clear enough to expose the problem to solve. I need if you can tell me, in
short, and considering that you are more experienced than I in this issue of VPN, if its
possible to make a tunneling in that way, and what is more important, if its convenient this
solution.
My regards for you and thanks for all.
Tomas from Argentina.
67 sur 73 01/05/2017 19:10

Tomas says:
August 4, 2016 at 3:56 pm
Hello friend, thanks for this great tutorial.

First, here I shared a graphic scheme as it should be the network that I need to solve.
this.
belongs at LAN1.
68 sur 73 01/05/2017 19:10

solution.
Tomas from Argentina.
Reply
Yannick says:
October 25, 2016 at 10:30 am
Hi Wadih !
Im wondering, could we adapt this method to create a tunnel between two distant DD-WRT
routers with both public IP addresses (via Internet).
I cannot manage to find a viable and secure way to achieve this, hope you can give me a hint
Thanks very much for the great work you detailed here, though !
Reply
Wadih says:
Hi Yannick,
This method works for one private IP/one public IP or two public IPs.
In your case, one of the locations would simply need to be designated as server and the
other as client.
Cheers!
Reply
Tomas says:
69 sur 73 01/05/2017 19:10

First, here I shared a graphic scheme as it should be the network that I need to solve.
this.
belongs at LAN1.
Well, i wish i was clear enough to expose the problem to solve. I need if you can tell me, in
solution.
70 sur 73 01/05/2017 19:10

Reply
Your email address will not be published. Required fields are marked *
Comment
Name *
Email *
Website
one + 4 =
Notify me of follow-up comments by email.
Notify me of new posts by email.
71 sur 73 01/05/2017 19:10

A dads thoughts
Site-To-Site Routed VPN Between Two or More Routers using dd-wrt/openvpn
December 2014
August 2011
family technology
Tweet wzaatar
Avatar @wzaatar
Honor de recevoir la plaque au nom de la @CiscoNetAcad Academy! Merci @CFPRiverains po
ur 10 ans de partenariat! https://t.co/QkxnbR5gYw
2 weeks ago
Tweet wzaatar
Avatar @wzaatar
@porterairlines PD487 leaves before PD483, not mentioning AC7974... Care to explain why? ht
tps://t.co/ARUlhXRsFW
2 weeks ago
Tweet wzaatar
Avatar @wzaatar
RT @DrRickH: .@CiscoCanada making big investments w/ @netacadcanada to help build #di
gital tech skills. @wzaatar @netacad https://t.co/7jqY8g9GhE
72 sur 73 01/05/2017 19:10

Theme: supernova by Sayed Taqui. | Supernova Themes
73 sur 73 01/05/2017 19:10

Mirror Traffic With Home Router

Uploaded by

Copyright:

Available Formats

Mirror Traffic With Home Router

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Mirror Traffic With Home Router

Uploaded by

Copyright:

Available Formats

Site-To-Site Routed VPN Between Two or More Routers using dd-wrt/o... http://wadihzaatar.com/?

Wadih Zaatar's Blog

1 sur 73 01/05/2017 19:10

Server side: 192.168.1.0

openvpn --genkey --secret static.key

2 sur 73 01/05/2017 19:10

3 sur 73 01/05/2017 19:10

# Move to writable directory and create scripts

# Config for Site-to-Site SiteA-SiteB

# Config for Static Key

4 sur 73 01/05/2017 19:10

# Initiate the tunnel

Now, create a second configuration with the following text.

# Open firewall holes

Now, go to your Router configuration interface, click on Administration then Commands.

5 sur 73 01/05/2017 19:10

Again, you need to create two configs:

# Move to writable directory and create scripts

# Config for Site-to-Site SiteA-SiteB

# Config for Static Key

6 sur 73 01/05/2017 19:10

# Initiate the tunnel

Now, create a second configuration with the following text.

7 sur 73 01/05/2017 19:10

iptables -I INPUT 2 -p udp --dport 1194 -j ACCEPT

Now, go to your Router configuration interface, click on Administration then Commands.

Youre done with the client configuration!

8 sur 73 01/05/2017 19:10

# Move to writable directory and create scripts

# Config for Site-to-Site Client1-Server

9 sur 73 01/05/2017 19:10

# Config for Static Key

# Initiate the tunnel

# Open firewall holes

10 sur 73 01/05/2017 19:10

# Move to writable directory and create scripts

# Config for Site-to-Site Client2-Server

# Config for Static Key

11 sur 73 01/05/2017 19:10

-----END OpenVPN Static key V1-----

# Initiate the tunnel

# Open firewall holes

As for the server, we need to perform three modifications:

12 sur 73 01/05/2017 19:10

2. Make sure to add a route to the two clients.

3. Allow Client-to-Client connection in the Firewall configuration script.

# Move to writable directory and create scripts

# Config for Site-to-Site Server-Client1

# Config for Site-to-Site Server-Client2

13 sur 73 01/05/2017 19:10

# Config for Static Key

# Initiate the tunnel

14 sur 73 01/05/2017 19:10

# Open firewall holes for Client1

# Open firewall holes for Client2

# Allow Forwarding packets between Client1 and Client2

# Permit Communication Across the Networks

15 sur 73 01/05/2017 19:10