Site-To-Site Routed VPN Between Two or More Routers using dd-wrt/openvpn

The following details the procedure for establishing a site-to-site routed VPN between two or more DD-WRT/vpn image-enabled routers. Other flavours may work but I haven’t personally tested any.

Should you have any questions, please don’t hesitate to contact me directly!

Standard Configuration: 1 Server and 1 Client


Step 1: Router Preparation

These VPN scripts have been tested starting with v23 and have been confirmed to work in v24 of DD-WRT. Before proceeding, you need to download the VPN-flavoured version of DD-WRT from the DD-WRT Download Page.

Since most of us have DHCP-assigned dynamic IPs, it is also recommended that you create a dynamic DNS host for the server router. More information on this procedure is available here.

Finally, make sure that your routers are not distributing overlapping IP subnet ranges. Routers usually come preconfigured to hand out addresses in the 192.168.1.0 range. Since you are doing a routed configuration, every router except one has to be moved off the 192.168.1.0 subnet. The easiest way is to adopt a sequential assignment:

Server side: 192.168.1.0
Client1 side: 192.168.2.0
Client2 side: 192.168.3.0
etc…

This way, when your internal networks communicate with each other, their address ranges don’t overlap and traffic doesn’t end up misrouted.
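The overlap rule is easy to get wrong once a site uses something other than a /24, so here is an added example (not from the original tutorial) in POSIX shell that checks a planned set of site networks, together with the 10.0.0.0/24 tunnel network that the scripts later in this tutorial use, for overlaps before anything is configured. It assumes networks are given in CIDR form and treats a bare network such as 192.168.2.0 as a /24, matching the netmask 255.255.255.0 used in the route commands below.

```sh
#!/bin/sh
# Added example (not from the original tutorial): check that the LAN subnets
# planned for the sites, plus the tunnel network, do not overlap.
# A bare network such as 192.168.2.0 is treated as /24, matching the
# "netmask 255.255.255.0" used in the tutorial's route commands.

# ip_to_int A.B.C.D: dotted quad to a 32-bit integer
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# net_range NET[/BITS]: prints "first last" of the range as integers
net_range() {
    case $1 in */*) ;; *) set -- "$1/24" ;; esac
    bits=${1#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    first=$(( $(ip_to_int "${1%/*}") & mask ))
    last=$(( first | (mask ^ 4294967295) ))
    echo "$first $last"
}

# subnets_overlap A B: true (exit 0) when the two networks share any address
subnets_overlap() {
    set -- $(net_range "$1") $(net_range "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_site_plan NET ...: prints every overlapping pair; the exit status is
# the number of conflicts, so 0 means the plan is usable
check_site_plan() {
    conflicts=0
    while [ $# -gt 1 ]; do
        a=$1; shift
        for b in "$@"; do
            if subnets_overlap "$a" "$b"; then
                echo "overlap: $a and $b"
                conflicts=$((conflicts + 1))
            fi
        done
    done
    return $conflicts
}

# Demo: the tutorial's sequential plan plus the 10.0.0.0/24 tunnel network
if check_site_plan 192.168.1.0 192.168.2.0 192.168.3.0 10.0.0.0/24; then
    echo "plan OK: no overlapping networks"
fi
# A plan that leaves the default range on two sites is reported:
check_site_plan 192.168.1.0 192.168.1.0/24 || echo "fix the plan before continuing"
```

Run it with the networks of every site as arguments; any line starting with "overlap:" names a pair that must be renumbered before the routed tunnels can work.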

If you are looking for a bridged configuration, you’d better check this Wiki page instead.

Step 2: Secret Key Generation

Prior to configuring your routers, you need to create a shared secret key. This key will be used to authenticate and encrypt your site-to-site communication.

Start by downloading the latest OpenVPN package from OpenVPN’s main site and install it (on Windows it is usually installed under C:\Program Files\OpenVPN). Then open a command prompt and issue the following command from the OpenVPN directory:

openvpn --genkey --secret static.key

This will create a text file named ‘static.key’. Opening it in Notepad or any other text editor will show output similar to the following:

#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
aeb68165149e096d8f04252dd22fe67d
dd15d8c87e8a577c5c14ebd1ef0bf0b6
0e1d652f91fe66ed3774505e641936dd
458a6db60fb36b969d8bcd37803cf1d3
6d49383ec2daa1d2ae70e3ca49b950a4
bba985940e5e4a15fac702cbcf47f9d0
39f7939980bbb63d2964bb6216471162
0a519fe25d1e0d48044a1ad85dc94758
af6f7b7c52ccaaefa3d013fcbf621366
5ea18d9dc36c3b2a9ac277a9903998fe
45e10b0f79fd443727c3f30278981b3d
0fa525ad843645b4acc28969450bd601
4ce774aba0e830149489dc1592741580
fbd3cd24cc7baa68e06b3e3aedae2565
a36b8a3f687ddbb78411740d755249cf
45c0617c215b66eabc72f60f47b32c64
-----END OpenVPN Static key V1-----

Warning: Don’t be lazy and copy the key above; doing so will jeopardize your secure connection. Recreate the file from scratch.
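As an added example (not part of the original tutorial), this POSIX shell checker verifies a static.key file before it is pasted into a router startup script: the BEGIN/END markers are present, exactly 16 lines of 32 hex characters sit between them, the file is not the sample key printed above, and nobody but the owner can read it. The write_demo_key helper writes a constructed, non-random key purely to exercise the checker and is this example’s own assumption; on a real setup you would call check_static_key on the file produced by openvpn --genkey.

```sh
#!/bin/sh
# Added example (not part of the tutorial): sanity-check an OpenVPN static key
# file before it is pasted into a router startup script. Verifies the
# BEGIN/END markers, 16 body lines of 32 hex characters, that it is not the
# sample key printed in the tutorial, and that only the owner can read it.

# body_lines FILE: the hex lines between the two markers
body_lines() {
    sed -n '/^-----BEGIN OpenVPN Static key V1-----$/,/^-----END OpenVPN Static key V1-----$/p' "$1" \
        | sed '1d;$d'
}

# check_static_key FILE: exit 0 if the key looks usable, 1 with a reason otherwise
check_static_key() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$f" || { echo "no BEGIN marker"; return 1; }
    grep -q '^-----END OpenVPN Static key V1-----$' "$f" || { echo "no END marker"; return 1; }
    n=$(body_lines "$f" | grep -c . || true)
    [ "$n" -eq 16 ] || { echo "expected 16 key lines, found $n"; return 1; }
    bad=$(body_lines "$f" | grep -c -v -E '^[0-9a-f]{32}$' || true)
    [ "$bad" -eq 0 ] || { echo "$bad malformed key line(s)"; return 1; }
    # first line of the example key shown in the tutorial: it is public, so a
    # key containing it protects nothing
    if grep -q '^aeb68165149e096d8f04252dd22fe67d$' "$f"; then
        echo "this is the tutorial's sample key; generate a fresh one"; return 1
    fi
    # group and other permission bits (ls -l columns 5-10) must all be off
    perms=$(ls -l "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "key readable by others; run: chmod 600 $f"; return 1; }
    echo "ok: $f"
}

# write_demo_key FILE: constructed, non-random key used only to exercise the
# checker; never use it for a real tunnel
write_demo_key() {
    {
        echo "-----BEGIN OpenVPN Static key V1-----"
        i=0
        while [ $i -lt 16 ]; do
            printf '%032x\n' $(( (i + 1) * 305419896 ))
            i=$((i + 1))
        done
        echo "-----END OpenVPN Static key V1-----"
    } > "$1"
    chmod 600 "$1"
}

# Demo on a constructed key; on a router you would run check_static_key /tmp/static.key
demo=$(mktemp)
write_demo_key "$demo"
check_static_key "$demo"
rm -f "$demo"
```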


Step 3: Server Configuration

Using Notepad or any text editor, create the following two configurations:

Config 1

# Move to writable directory and create scripts
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn

# Config for Site-to-Site SiteA-SiteB
echo "
proto udp          
port 1194
dev tun0
secret /tmp/static.key
verb 3
comp-lzo
keepalive 15 60
daemon
" > SiteA-SiteB.conf

# Config for Static Key
echo "
-----BEGIN OpenVPN Static key V1-----
................................................
...YOUR SECRET KEY TEXT SHOULD BE PASTED HERE...
................................................
-----END OpenVPN Static key V1-----
" > static.key

# Create interfaces
/tmp/myvpn --mktun --dev tun0
ifconfig tun0 10.0.0.1 netmask 255.255.255.0 promisc up

# Create routes
route add -net OTHERSUBNET netmask 255.255.255.0 gw 10.0.0.2

# Initiate the tunnel
sleep 5
/tmp/myvpn --config SiteA-SiteB.conf

Warning: Replace the OTHERSUBNET placeholder with your client network’s subnet (for example: 192.168.2.0 or 192.168.3.0).

Also note that the static key created in the previous step must be pasted into the appropriate section, right after the ‘echo’ line.

Now, create a second configuration with the following text.

Config 2

# Open firewall holes
iptables -I INPUT 2 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Now, go to your Router configuration interface, click on ‘Administration’ then ‘Commands’. Paste your ‘Config 1’ in your ‘Startup’ section and your ‘Config 2’ in your ‘Firewall’ section.

You’re done with the server configuration!

Step 4: Client Configuration

The client configuration is very similar to the server configuration, with a few small modifications.

Again, you need to create two configs:

Config 1

# Move to writable directory and create scripts
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn

# Config for Site-to-Site SiteA-SiteB
echo "
remote REMOTEADDRESS
proto udp          
port 1194
dev tun0
secret /tmp/static.key
verb 3
comp-lzo
keepalive 15 60
daemon
" > SiteA-SiteB.conf

# Config for Static Key
echo "
-----BEGIN OpenVPN Static key V1-----
................................................
...YOUR SECRET KEY TEXT SHOULD BE PASTED HERE...
................................................
-----END OpenVPN Static key V1-----
" > static.key

# Create interfaces
/tmp/myvpn --mktun --dev tun0
ifconfig tun0 10.0.0.2 netmask 255.255.255.0 promisc up

# Create routes
route add -net OTHERSUBNET netmask 255.255.255.0 gw 10.0.0.1

# Initiate the tunnel
sleep 5
/tmp/myvpn --config SiteA-SiteB.conf

Warning: Replace the OTHERSUBNET placeholder with your server network’s subnet (for example: 192.168.1.0).

Also note that the static key created in the previous step must be pasted into the appropriate section, right after the ‘echo’ line.

In addition, since this is your client, you need to replace REMOTEADDRESS with your server’s public IP address or the dynamic DNS name you created in the Router Preparation step.

Now, create a second configuration with the following text.

Config 2

# Open firewall holes
iptables -I INPUT 2 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Now, go to your Router configuration interface, click on ‘Administration’ then ‘Commands’. Paste your ‘Config 1’ in your ‘Startup’ section and your ‘Config 2’ in your ‘Firewall’ section.

You’re done with the client configuration!


Advanced Configuration: Multiple routed networks

Warning: This section is not for the faint-hearted people. Please read carefully and contact me should you have any questions/comments/thoughts on how to make it better! I tried keeping this technique simple and didn’t use Certificates/CAs.

Let’s assume we need to configure a 3-sites VPN connection as per the following figure:

[Figure: 3sites-vpn (one Server router with Client1 and Client2)]

You first need to duplicate the above Client configuration on the two routers ‘Client1’ and ‘Client2’. Pay extra attention to the IPs and IP ranges you are using and write down your configs. In essence, both clients will have pretty much the same configuration with one minor change: since both connect to the same server, you cannot use the same ‘port’ number for both clients, so we will be giving port 1999 for the first client and 2000 for the second client.

Also, we need to tell Client1 how to reach Client2’s subnet and vice-versa. This means including a second routing entry in our configuration. As such, our configurations will look pretty much like the following:

Client1 Configuration

Client1 — Startup

# Move to writable directory and create scripts
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn

# Config for Site-to-Site Client1-Server
echo "
remote REMOTEADDRESS
proto udp          
port 2000
dev tun0
secret /tmp/static.key
verb 3
comp-lzo
keepalive 15 60
daemon
" > Client1-Server.conf

# Config for Static Key
echo "
-----BEGIN OpenVPN Static key V1-----
................................................
...YOUR SECRET KEY TEXT SHOULD BE PASTED HERE...
................................................
-----END OpenVPN Static key V1-----
" > static.key

# Create interfaces
/tmp/myvpn --mktun --dev tun0
ifconfig tun0 10.0.1.2 netmask 255.255.255.0 promisc up

# Create routes
route add -net SERVERINTERNALSUBNET netmask 255.255.255.0 gw 10.0.1.1
route add -net CLIENT2INTERNALSUBNET netmask 255.255.255.0 gw 10.0.1.1

# Initiate the tunnel
sleep 5
/tmp/myvpn --config Client1-Server.conf


Client1 — Firewall

# Open firewall holes
iptables -I INPUT 2 -p udp --dport 2000 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT



Client2 Configuration

Client2 — Startup

# Move to writable directory and create scripts
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn

# Config for Site-to-Site Client2-Server
echo "
remote REMOTEADDRESS
proto udp          
port 1999
dev tun0
secret /tmp/static.key
verb 3
comp-lzo
keepalive 15 60
daemon
" > Client2-Server.conf

# Config for Static Key
echo "
-----BEGIN OpenVPN Static key V1-----
................................................
...YOUR SECRET KEY TEXT SHOULD BE PASTED HERE...
................................................
-----END OpenVPN Static key V1-----
" > static.key

# Create interfaces
/tmp/myvpn --mktun --dev tun0
ifconfig tun0 10.0.2.2 netmask 255.255.255.0 promisc up

# Create routes
route add -net SERVERINTERNALSUBNET netmask 255.255.255.0 gw 10.0.2.1
route add -net CLIENT1INTERNALSUBNET netmask 255.255.255.0 gw 10.0.2.1

# Initiate the tunnel
sleep 5
/tmp/myvpn --config Client2-Server.conf


Client2 — Firewall

# Open firewall holes
iptables -I INPUT 2 -p udp --dport 1999 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT


Server Configuration

As for the server, we need to perform three modifications:

1. Tell the server to listen for two connections, one on port 1999 and the other on port 2000. This is done by running the openvpn daemon twice (as you will see in the coming configuration, we will be creating two TUN interfaces, called ‘tun0’ and ‘tun1’).

2. Make sure to add a route to the two clients.

3. Allow Client-to-Client connection in the Firewall configuration script.

Server — Startup

# Move to writable directory and create scripts
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn

# Config for Site-to-Site Server-Client1
echo "
proto udp          
port 2000
dev tun0
secret /tmp/static.key
verb 3
comp-lzo
keepalive 15 60
daemon
" > Server-Client1.conf

# Config for Site-to-Site Server-Client2
echo "
proto udp          
port 1999
dev tun1
secret /tmp/static.key
verb 3
comp-lzo
keepalive 15 60
daemon
" > Server-Client2.conf

# Config for Static Key
echo "
-----BEGIN OpenVPN Static key V1-----
................................................
...YOUR SECRET KEY TEXT SHOULD BE PASTED HERE...
................................................
-----END OpenVPN Static key V1-----
" > static.key

# Create interfaces
/tmp/myvpn --mktun --dev tun0
/tmp/myvpn --mktun --dev tun1
ifconfig tun0 10.0.1.1 netmask 255.255.255.0 promisc up
ifconfig tun1 10.0.2.1 netmask 255.255.255.0 promisc up

# Create routes
route add -net CLIENT1INTERNALSUBNET netmask 255.255.255.0 gw 10.0.1.2
route add -net CLIENT2INTERNALSUBNET netmask 255.255.255.0 gw 10.0.2.2

# Initiate the tunnel
sleep 5
/tmp/myvpn --config Server-Client1.conf
/tmp/myvpn --config Server-Client2.conf


Server — Firewall

# Open firewall holes for Client1
iptables -I INPUT 2 -p udp --dport 2000 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

# Open firewall holes for Client2
iptables -I INPUT 2 -p udp --dport 1999 -j ACCEPT
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT

# Allow Forwarding packets between Client1 and Client2
iptables -I FORWARD -i tun0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o tun0 -j ACCEPT

# Permit Communication Across the Networks
iptables -t nat -A POSTROUTING -j MASQUERADE 
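The startup and firewall blocks of Steps 3 and 4 and of the multi-site server above are the same template with different tun devices, ports and 10.0.N.x addresses, and most mistakes reported in the comments come from those values disagreeing between the two ends. As an added example (not the tutorial’s own script), the POSIX shell functions below render those snippets for a server with any number of client sites and for each client. Everything they assume that is not in the tutorial: clients are passed as SUBNET:PORT, client N uses tunnel 10.0.N.0/24 (.1 on the server, .2 on the client, the numbering of the 3-site case), the static key is written to /tmp/static.key by the surrounding startup script, and vpn.example.net in the demo is a placeholder for the server’s dynamic DNS name. The generator deliberately leaves out the tutorial’s final ‘iptables -t nat -A POSTROUTING -j MASQUERADE’ line: with the symmetric routes both clients carry, client-to-client traffic needs no NAT, and a POSTROUTING rule with no ‘-o’ also rewrites the source address of packets forwarded into the tunnels to the server’s tun address, so remote hosts show up with that address in logs. If you want it, add it back restricted to the WAN interface with ‘-o’.

```sh
#!/bin/sh
# Added example (not the tutorial's own script): generate the startup and
# firewall snippets from the tutorial for a server with any number of client
# sites and for each client, so tun device, port and tunnel address agree.
# Assumptions not taken from the tutorial: clients are given as SUBNET:PORT,
# client N uses tunnel 10.0.N.0/24 (.1 server side, .2 client side), the
# static key is written to /tmp/static.key by the surrounding startup script,
# and vpn.example.net below is a placeholder for the server's DDNS name.

# ovpn_conf PORT DEV [REMOTE]: the static-key OpenVPN config used throughout
ovpn_conf() {
    [ -n "$3" ] && echo "remote $3"
    printf 'proto udp\nport %s\ndev %s\nsecret /tmp/static.key\n' "$1" "$2"
    printf 'verb 3\ncomp-lzo\nkeepalive 15 60\ndaemon\n'
}

# server_startup SUBNET:PORT [SUBNET:PORT ...]: one tunnel per client site
server_startup() {
    echo "cd /tmp"
    echo "ln -s /usr/sbin/openvpn /tmp/myvpn"
    n=1
    for spec in "$@"; do
        subnet=${spec%%:*}; port=${spec#*:}; dev="tun$((n - 1))"
        echo "# Site-to-Site Server-Client$n"
        echo "echo \""
        ovpn_conf "$port" "$dev"
        echo "\" > Server-Client$n.conf"
        echo "/tmp/myvpn --mktun --dev $dev"
        echo "ifconfig $dev 10.0.$n.1 netmask 255.255.255.0 promisc up"
        echo "route add -net $subnet netmask 255.255.255.0 gw 10.0.$n.2"
        n=$((n + 1))
    done
    echo "sleep 5"
    i=1
    while [ $i -lt $n ]; do
        echo "/tmp/myvpn --config Server-Client$i.conf"
        i=$((i + 1))
    done
}

# client_startup N REMOTE PORT SUBNET [SUBNET ...]: client N reaches the
# server LAN and every other client LAN through the server end of its tunnel
client_startup() {
    n=$1; remote=$2; port=$3; shift 3
    echo "cd /tmp"
    echo "ln -s /usr/sbin/openvpn /tmp/myvpn"
    echo "echo \""
    ovpn_conf "$port" tun0 "$remote"
    echo "\" > Client$n-Server.conf"
    echo "/tmp/myvpn --mktun --dev tun0"
    echo "ifconfig tun0 10.0.$n.2 netmask 255.255.255.0 promisc up"
    for subnet in "$@"; do
        echo "route add -net $subnet netmask 255.255.255.0 gw 10.0.$n.1"
    done
    echo "sleep 5"
    echo "/tmp/myvpn --config Client$n-Server.conf"
}

# server_firewall SUBNET:PORT [SUBNET:PORT ...]: same order as server_startup;
# adds the tun-to-tun rules so client sites can reach each other via the server
server_firewall() {
    i=0
    for spec in "$@"; do
        port=${spec#*:}
        echo "iptables -I INPUT 2 -p udp --dport $port -j ACCEPT"
        echo "iptables -I FORWARD -i br0 -o tun$i -j ACCEPT"
        echo "iptables -I FORWARD -i tun$i -o br0 -j ACCEPT"
        j=0
        while [ $j -lt $i ]; do
            echo "iptables -I FORWARD -i tun$i -o tun$j -j ACCEPT"
            echo "iptables -I FORWARD -i tun$j -o tun$i -j ACCEPT"
            j=$((j + 1))
        done
        i=$((i + 1))
    done
}

# client_firewall PORT: the client side only needs its own port and br0<->tun0
client_firewall() {
    echo "iptables -I INPUT 2 -p udp --dport $1 -j ACCEPT"
    echo "iptables -I FORWARD -i br0 -o tun0 -j ACCEPT"
    echo "iptables -I FORWARD -i tun0 -o br0 -j ACCEPT"
}

# Demo: the tutorial's 3-site layout (server LAN 192.168.1.0, Client1 on
# 192.168.2.0 / port 2000, Client2 on 192.168.3.0 / port 1999)
echo "### Server - Startup";  server_startup 192.168.2.0:2000 192.168.3.0:1999
echo "### Server - Firewall"; server_firewall 192.168.2.0:2000 192.168.3.0:1999
echo "### Client1 - Startup"; client_startup 1 vpn.example.net 2000 192.168.1.0 192.168.3.0
echo "### Client1 - Firewall"; client_firewall 2000
```

Paste each rendered section into the matching ‘Startup’ or ‘Firewall’ box; Client2 is rendered the same way with client_startup 2 vpn.example.net 1999 192.168.1.0 192.168.2.0 and client_firewall 1999.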


Passing DNS requests over your Routed VPN configuration (This section would not have been possible without the augmented work of Jean-Marc L)

A question that comes up often once the routed network is up is DNS resolution. Ideally, you would like all your machines on all networks to be able to “speak” to each other by DNS name and not just by IP address. This section describes the procedure for integrating DNS resolution into your routed VPN structure.

Let’s say we have 2 subnets. Subnet1, with network ID 192.168.1.0/24 served by Router1 (ip: 192.168.1.1) and Subnet2, with network ID 192.168.2.0/24 served by Router2 (ip: 192.168.2.1).

We would like to configure the two subnets as two domains, Domain1 and Domain2, assigning Domain1 to Subnet1 and Domain2 to Subnet2. Our target is to get Router1 to forward all requests for Domain2 to Router2 and Router2 to forward all requests for Domain1 to Router1.

Router1 DNS setup

First we will need to configure the DNSMasq options on Router1. Go to the Services configuration page ‘Services’ -> ‘Services’ and perform the following modifications:

– Set the DHCPserver to use domain on LAN & WLAN.
– Set the LAN domain to be domain1.
– Enable DNSMasq.
– Enable Local DNS.
– No DNS Rebind: Disable (see the NOTE below)

*** NOTE: Some options depend on your DD-WRT build. Two options in particular affect your router’s ability to accept DNS lookups from the router at the other end of the OpenVPN link: stop-dns-rebind and rebind-domain-ok. Older builds (such as 13064) do not support rebind-domain-ok and have stop-dns-rebind disabled by default; on these builds DNS will work fine. Mid-period builds (such as 14896 mega) do not support rebind-domain-ok but enable stop-dns-rebind by default and provide no GUI option to disable it; on these builds your router will not accept results from its peer and will not log the dropped query. The newest builds provide a radio button to disable stop-dns-rebind, and it must be selected to allow private nameserver responses. Looking in the source, I believe they still do not support rebind-domain-ok, which is a shame, as it would very much help protect you against the type of attack that stop-dns-rebind is meant to protect against. Hopefully this will be included in the future.

This will instruct your router to use local domains when resolving addresses and turn on the local DNS service on the router.

Next we need to configure Router1 to act as a DNS on both subnets (so it will answer Router2 requests as well). To perform this operation, you need to add the following options in the ‘Additional DNSMasq Options’ text box:

interface=br0,tun0
no-dhcp-interface=tun0
server=/domain2/192.168.2.1

The first line instructs DNSMasq to listen for requests from Subnet2 on the tunnel tun0. The second line ensures that DHCP will not respond to requests from the remote subnet. Finally, the last line instructs DNSMasq to forward any requests for Domain2 entries to Router2.

In addition, we need to open port 53 by adding two lines to the firewall section of our configuration. To do this, go to ‘Administration’ -> ‘Commands’ and add the following lines to your firewall configuration:

iptables -I INPUT 1 -i tun0 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT 1 -i tun0 -p udp --dport 53 -j ACCEPT

This will allow the firewall to pass DNS requests from Subnet2 to Router1.

Finally, reboot Router1.

Router2 DNS Setup

On Router2, you need to replicate the configuration you performed for Router1. This means that you need to add the same firewall rules:

iptables -I INPUT 1 -i tun0 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT 1 -i tun0 -p udp --dport 53 -j ACCEPT

As well as the following settings (watch out, it’s domain2 and NOT domain1):

– Set the DHCPserver to use domain on LAN & WLAN.
– Set the LAN domain to be domain2.
– Enable DNSMasq.
– Enable Local DNS.

Finally, you’ll need to include the DNSMasq options. Watch out for the server line: the IP address is now 192.168.1.1 instead of 192.168.2.1.

interface=br0,tun0
no-dhcp-interface=tun0
server=/domain1/192.168.1.1

You should notice that the options are very similar to the ones on Router1, but in this case we forward all requests for *.domain1 to Router1.

Again, reboot Router2.
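The Router1 and Router2 fragments above differ only in the local domain, the peer domain and the peer address, and the 3-site server from the previous section would need two tunnel interfaces and two server= lines. As an added example (not from the tutorial), the following POSIX shell functions build the ‘Additional DNSMasq Options’ text and the port-53 firewall rules for a router given its tunnel interfaces and a list of DOMAIN=ROUTER_IP peers, and forward_target shows which peer a given name is sent to under dnsmasq’s server=/domain/ rule (the domain itself and every name beneath it). The peer addresses in the demo are the tutorial’s router addresses; the tun0,tun1 multi-site case and the domain3=192.168.3.1 peer are this example’s assumptions.

```sh
#!/bin/sh
# Added example (not from the tutorial): render the dnsmasq options and the
# port-53 firewall rules for one router, for any number of peer sites.
# Assumptions: tunnel devices are passed comma-separated (tun0 in the two-site
# case, tun0,tun1 on the 3-site server), peers are DOMAIN=ROUTER_IP.

# dnsmasq_options TUNDEVS PEER ...: text for the 'Additional DNSMasq Options' box
dnsmasq_options() {
    devs=$1; shift
    echo "interface=br0,$devs"        # answer queries arriving over the tunnels
    echo "no-dhcp-interface=$devs"    # but never hand out DHCP leases there
    for peer in "$@"; do
        echo "server=/${peer%%=*}/${peer#*=}"   # forward DOMAIN to its router
    done
}

# dns_firewall TUNDEVS: accept DNS (TCP and UDP) only from the tunnel side
dns_firewall() {
    for dev in $(echo "$1" | tr ',' ' '); do
        echo "iptables -I INPUT 1 -i $dev -p tcp --dport 53 -j ACCEPT"
        echo "iptables -I INPUT 1 -i $dev -p udp --dport 53 -j ACCEPT"
    done
}

# forward_target NAME PEER ...: the router a query for NAME is forwarded to,
# or "local" when no server=/domain/ line matches (dnsmasq matches the
# domain itself and every name beneath it)
forward_target() {
    name=$1; shift
    for peer in "$@"; do
        dom=${peer%%=*}
        case "$name" in
            "$dom"|*."$dom") echo "${peer#*=}"; return 0 ;;
        esac
    done
    echo "local"
}

# Demo: Router1 of the two-site case, then a 3-site server with two peers
echo "# Router1 (domain1) with one peer"
dnsmasq_options tun0 domain2=192.168.2.1
dns_firewall tun0
echo "# 3-site server with two peers (domain3 peer is a constructed value)"
dnsmasq_options tun0,tun1 domain2=192.168.2.1 domain3=192.168.3.1
dns_firewall tun0,tun1
echo "pc.domain2 -> $(forward_target pc.domain2 domain2=192.168.2.1 domain3=192.168.3.1)"
```

The no-dhcp-interface line is the one worth checking on every router: without it the DHCP server answers requests that arrive over the tunnel and can hand addresses from its own range to hosts at the other site.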

Testing DNS

To test your configuration, simply go to your Router1 status page ‘Status’ -> ‘LAN’. You should see the list of available hosts that have a DNS registration.

Next, go to a PC located on Subnet1 and try the following:

nslookup pconsubnet1.domain1 (Replace pconsubnet1 with the hostname of any PC on Subnet 1)

nslookup pconsubnet2.domain2 (Replace pconsubnet2 with the hostname of any PC on Subnet 2)

Both resolutions should work fine. You can go ahead and try the same operation from a PC located on Subnet 2.

The DNS queries should return the correct IP addresses. Otherwise, check your configuration.


Troubleshooting / FAQ:
I will be including in this section any troubleshooting questions I received as well as their solution (If I have one or if the sender found a fix for it).


DMZ feature is used on your DD-WRT router (Thanks TJ T. for that one)

If you decide to run OpenVPN on your DD-WRT based router, make sure to disable any DMZ as the DMZ will override the usual port forwarding needed by your OpenVPN clients/server and would forward all connection requests to the DMZ host.


My tunnel is up but I cannot ping the remote endpoint (Thanks Ben G. for that one)

Yes, this is normal if the router is set not to be ‘pingable’ (this option is set by default). To allow your server-side and client-side hosts to ping both routers’ tunnel endpoints, while making sure that external hosts (not belonging to your networks) still cannot ping your routers’ interfaces, add the following entry to the Firewall section on both routers:

iptables -I INPUT 3 -i tun0 -p icmp -j ACCEPT

Great! How about internal remote administration through HTTP? (Thanks Marc D. for that question)

Well, in that case you will have to do the same operation as in the previous issue (i.e. Cannot ping the remote endpoint) and add an extra iptables command in your Firewall section in both routers:

iptables -I INPUT 1 -i tun0 -p tcp --dport 80 -j ACCEPT


Why should I use a routed configuration and not a bridged configuration

Interesting question. Well, a bridged configuration will ‘join’ both networks together as one, same subnet, same IP range… Looks easier, but the problem here would be that all kinds of packets, including the infamous broadcasts will be traveling from one side of the network to the other, resulting in less-than-optimized usage of your precious bandwidth. On the other hand, a routed network will only send directed packets from one side of the network to the other.


I have a problem connecting my VPNs while using Chillispot, what’s the issue? (Thanks Chris A. for bringing this one up)

The problem here is that Chillispot insists on using ‘tun0’ as a communication tunnel. The easiest solution is to simply replace your ‘tun0’ with another tunnel (‘tun2’, ‘tun3’, etc…)

Also, you need to make sure that both your firewall and startup sections are updated accordingly.


DHCP Forwarder / DHCP Server feature of DD-WRT

Please take note that this VPN configuration will not work if your router(s) is/are set up as DHCP forwarders. They must be DHCP servers in order for the VPN to connect properly.



108 thoughts on “Site-To-Site Routed VPN Between Two or More Routers using dd-wrt/openvpn”

    1. Hello,

      Are you able to ping the Exchange server from the Outlook machine and vice-versa? If that works, it’s not your VPN setup but something with your Exchange/Outlook configuration.

        1. I’m assuming you are able to ping from the Outlook client to the Outlook server. If that is the case, then the problem is not vpn-related. It’s most likely your Exchange Server configuration.

          1. It shouldn’t matter, if your communication is going through your VPN then port blocking will have no effect. Are you sure you are using the Exchange server’s internal IP address?

          2. I don’t get what you are saying about Exchange Server’s internal IP address. Both VPN tunnel endpoints are on Linksys E1200 routers flashed with DD-WRT. The Exchange server is on a LAN behind one of the routers. I can use PortQry and query UDP port 135 and get a response from the server over the VPN. A similar query to TCP port 135 times out.

          3. Hi KK,

            Since your VPN is up and running, the ISP port blocking becomes irrelevant. Your requests are going through the VPN tunnel itself and the ISP will not see them! That’s the beauty of using VPNs.

            As long as you are using your “private” IPs to communicate between the Exchange Server and Client, communication should flow just fine AS LONG AS THE VPN TUNNEL IS UP.

            Cheers,

            W.

          4. Make sure you’re testing the internal (private) IP, not the external public IP. It’s probably a DNS issue telling your client to use the public IP.

  1. I am using Buffalo – v24SP2 (11/05/13) std and this configuration is not working for me. I am using it in a local setup to test it. I have two of the same routers. Any suggestion?

  2. How would I do not only a openvpn connection from router to router but also on the server router set it up to allow users to vpn into it and ultimately setup a server on the client router so users can vpn into that router/subnet as well?

  3. Thank you soo much for the write-up. I am interested in setting this up. Could you recommend a router? Let us know which model was used for your setup.

    Thanks
    Archer

  4. Hello! I setup your tutorial over a year ago and I’ve had a site-to-site VPN tunnel between my house and my parents flawlessly ever since!! I did have one question, not sure if you know the answer. At my parents house (client side) all client IP addresses are being reported through the tunnel as the server-side DD-WRT address, as opposed to their actual IP address. I know this has something to do with NAT but I’m not familiar with iptables. Do you know of such a command I could use so that on the server-side, IP addresses at my parents are reported as their actual and not just the DD-WRT openVPN server IP?

    1. Hi Ken,

      Happy to hear that your setup is working fine! I’ve been using it for 6 years now in several locations and works great too.

      Regarding your question, do you mean that a PC’s IP address at your parents’ house is NATted at your own house? Or do you mean that your own EXTERNAL IP address is used for your parents’ PCs?

      Please email me your configs (Make sure to remove the keys please) and I can take a look.

      Cheers,

      W.

      1. Hi…Pardon my ignorance but I’m not able to locate your email address. If you can my email address in the blog can you email it to me then I’ll email you my config? Thank you very much!!

  5. Hello, I have read and I setup your tutorial but I have a problem which I cannot resolve by alone.
    I have this type of configuration:
    a server ddwrt vpn router (192.168.2. as local net behind an other router (192.168.1.1 as local net). On that one, I have enabled the traffic redirect from first router(that use dyndns service) to second one. The client ddwrt router works in an Office, receiving internet access from another local net (192.168.0.115 Wan side and 192.168.31.1 for its local net)..The tunnel vpn is on 10.0.0.0 and it works correctly, from server vpn(10.0.0.1) I can see the client router homepage on 192.168.31.1 and also on 10.0.0.2 but cannot see other devices behind client router, for example 192.168.31.2/24..how can I solve ? Where is the problem?
    Perhaps I haven’t specified the gateway for the VPN address? Thank you for your help.

    1. Yes, you sound like you’re missing some routing commands there. Send me your configs (without the secret key) and a short schematic of your topology, I’ll check it out for you.

      You need to add 1 or 2 routing commands since you’re using static routing…

  6. I am hoping you still view your comments. I had setup a main hq and a satellite office and it was going great. I recently added a new satellite office and routing is working between the two sites and the hq. However after adding this second satellite location we’ve encountering problems with their VOIP phones having very bad latency and sometimes rebooting on its own. I’m curious is there anything I might try or do to try and get the phones working smoother?

    1. Check the remaining memory on the routers, you may be overloading them if you’re using too much space in your configurations, these little devices have notoriously small flash/RAM and memory leakage tends to happen.

      I personally am running a 16-nodes network… Flawlessly, so it should really work fine.

      If you’re still facing the issue, email me with your configs (without your shared keys please) and I’ll look into them… May take some time, sorry for the delay… Got a day job 🙂

  7. Hi there,

    I have set up openvpn between an Asus RT52ACU running firmware and linksys 1550 with ddwrt v24-sp2 big.

    I dont understand any of this, but the vpn is working. I can reach the ddwrt from a pc on the asus network, using the openvpn ip address 10.0.57.6.

    but, I cannot reach anything else. the subnet on ddwrt is 192.168.93.0, but I cannot reach the ddwrt on 192.168.93.1 or another server on 192.168.93.2. Locally, however, these addresses work fine.

    so, this is probably very simple. I tried some things like putting routes in the Asus, but to no avail.

    Can you tell me what to do?

    Cheers,

    Bart

    1. Hi Bart,

      Buddy, I need some more details. What are the Asus side’s internal IP addresses? What about the Linksys side? What subnets are you using for your site-to-site communication?

      Drop me a note with your configs (Without secret keys, please), I’ll check it out for you.

      Cheers,

      W.

  8. Hi, in your tutorial you are mixing 10.0.0.2 and 192.168.2.0 ip ranges, is that by mistake or what’s the purpose of it?

    route add -net 192.168.2.0 netmask 255.255.255.0 gw 10.0.0.2

    1. Usually, home routers come preconfigured with the 192.168.x.x class, trying to make your life easier by keeping it this way. 10.0.0.x are also private addresses that you won’t find on the “live” internet. I preferred to separate the site-to-site ranges from the actual user ranges but you can change them to your liking…

      It’s always a good practice not to use real IPs on your intranet and rely on the private address space, here’s some reading about it if you want to know more: http://en.wikipedia.org/wiki/Private_network

      Cheers,

      W.

  9. Hello Wadih, I have a point to point link between two offices A and B.
    We are running out of bandwidth as the rate of data being transferred back and forth is growing faster than we thought…
    Can this setup do data compression through the vpn ?
    That will help us saving some bandwidth ….
    Regards,
    Chris

    1. Hi Chris,

      Yes, you can try to add the “comp-lzo” command to your server and client configurations and test.

      A couple warnings:

      – Not all dd-wrt versions have a working compression, activate and test.
      – If you’re using old/slow gear like the WRT-54GL for example, the compression might overload them as it’s CPU-intensive. Again, best to try and test.

      Cheers,

      W.

    1. By using a common supported VPN protocol… Sure!

      From the GUI, I believe you can use PPTP without much hassle (I haven’t tried it with an RV042, but with Windows/Mac Clients).
      From the shell, you can install leverage VPNC on DD-WRT and should be able to (Not tested it) get connectivity with the RV042. Check the following URL for information on how to install/configure the VPNC on a DD-WRT router: http://www.dd-wrt.com/wiki/index.php/VPNC

  10. Using 3 Buffalo wzr-600dhp2 routers.
    dd-wrt 24461 v24-sp2 6/23/2014 std.
    Full routed OpenVPN connectivity between
    Main office and 2 remote offices.
    The write up here worked well.
    It took me a bit of time to understand.
    Thank You very much for all the effort,
    Rick M

  11. wanted to run my configs and environment by you to make sure I’ve got everything. It’s a simple 1server/1client. Could you sent me your e-mail address? Thanks!

    (and I’ll redact my key :-))

      1. I re-created my configs based on your tutorial and the tunnel is now up. Just had to draw it out on paper and reread the posts. I am not yet able to ping some addresses on my server site, but will work on it tonight. I’ll resend you my configs to see if I’m missing anything. Thanks.

          1. Due to my application, I had to go another route (no pun intended). Your tutorial was very helpful and the info gave me some tips in finalizing my VPN tunnel.

            Thanks for the assistance!

  12. Well, I tried getting this tutorial to work on two Asus RT-N16s running Build 14896. Attempted it several times and thought it just didn’t work. UNTIL I found my mistake. In both your startup scripts I was foolishly replacing the r 10.0.0.x with my subnet of 192.168.2.0. Of course I should have been replacing the “OTHERSUBNET” text with the 192.168.2.0 subnet. Completely my fault. Once I set the scripts up properly and rebooted both the OpenVPN Server RT-N16 and the OpenVPN Client RT-N16 it worked great. I was easily able to ping needed device IPs over the VPN. Awesome tutorial! Now time to start configuring DNS across the VPN.

    One small footnote though. You state to “Start by downloading the latest OpenVPN package from OpenVPN’s main site. Install the package (Usually gets installed in C:\Program Files\OpenVPN if you are running Windows)”. Then you list the command to run from a command prompt: “openvpn --genkey --secret static.key”. The problem for me was that OPENVPN was installed in the directory C:\Program Files\OpenVPN\bin so I had to do a little prodding around for the executable. Small issue but it may help others if they get stuck at that part. Still a fantastic tutorial for first time OpenVPN users. Greatly appreciated!

  13. Hello Wadih, thanks for this great tutorial!

    I’ve setup the basic server client configuration and it works perfectly, almost.

    Print jobs don’t appear to be getting through the tunnel. I’m able to install the printer and I can access its web GUI just fine, but when I go to print a document nothing happens.
    Have you run into this before? Thanks 😀

    1. Solved, sort of.

      If the printer is connected to the network through wifi print jobs don’t get across the firewall. (I think)

      Printing to a printer that’s connected through ethernet cable works perfectly.

      1. Hi Ryan,

        Must be a local configuration problem. I have a similar setup with an HP wireless printer and I can print remotely.

        Also, how did you install the printer? Which protocol? Have you tried direct TCP/IP?

        Cheers,

        W.

        1. I’m not sure what it was, but the problem seems to be gone after a 30/30/30 reset on both routers.

          I have a new question for you, is it possible to have road-warriors using this setup?

          Thanks again

    2. Read this post after the other one! So this confirms that TCP/IP works fine, must be the protocol you are using to print. As a routed network, not all discovery protocols are advertised from one side to the other, better connect to the printer directly via TCP/IP.

  14. Hello Wadih,
    Thanks for your great tutorial!

    I’ve followed the 1 server 1 client to config my routers, but I found they are not working.
    I found the tun0 become tun0-00 by the ifconfig? I’ve tried to change the dport to other values as Gumpher suggested, but still not working.
    Can I send my config file to you by email ?

    Thanks,
    Samson Fu

  15. Hello Wadih, great tutorial. I had used the original to configure a 3 router setup (1 VPN server, 2 clients) with routing between all sites (192.168.2/3/4) without any DNS requests being routed. It works flawlessly.

    Then I modified the config to add a WindowsPC via OpenVPN as the 3rd client with a fixed IP which worked up until about 6 months ago. I reinstalled my PC with Windows8.1 and as such had to also install the latest OpenVPN package. Since then I have not been able to connect to the VPN via my PC anymore.

    I have the log files and obviously the config files. If there are any settings that need to change between the config from about 12 months ago and today based on known changes in the OpenVPN PC client, I’d love to hear about what I should change.

    Thanks in advance

  16. Excellent write up. Very detailed. Question. Where your method is using static key, there are no CN (Common Name) or certificates associated with connecting clients. Additionally, the OpenVPN status page is not visible in DD-WRT as it sees it as disabled, even though it is in fact running. I was able to enable the management interface and telnet into it and see a connected client, but is there a way to pull up a more detailed status, or assign names to the connecting clients to the main site? I plan on connecting 2 sites to a main router, so I was curious about the ability to name those connections something unique so I can verify they are connected.

  17. Hi Wadih,
    Thanks for all the work you put into this, very well written. I have run into an issue I cannot seem to figure out. I have your site to site working. I also set up the DNS part as well; I followed the instructions to the letter, and this also worked great. nslookup resolves as expected.

    I have a samba fileserver on domain1, called mica and a computer on domain2. The computer on domain2 can network map ok .eg. \\samba.domain1\kiba works great and I see all the files.
    The problem is if I try to join the samba domain named “mica”. It works fine if I’m physically on the domain1 subnet 192.168.1.1 (the one that also has the fileserver), but if I’m on the domain2 subnet 192.168.2.1 it fails with the error :-
    Recorded in the file C:\Windows\debug\dcdiag.txt.

    The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain “mica.domain1”:

    The error was: “DNS name does not exist.”
    (error code 0x0000232B RCODE_NAME_ERROR)

    The query was for the SRV record for _ldap._tcp.dc._msdcs.mica.domain1

    Common causes of this error include the following:
    – The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:

    192.168.2.1

    – One or more of the following zones do not include delegation to its child zone:

    mica.domain1
    domain1
    . (the root zone)

    I thought maybe the port used was being blocked so I added to both routers’ firewall the following:
    # Open firewall holes
    iptables -I INPUT 2 -p udp --dport 1194 -j ACCEPT
    iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
    iptables -I INPUT 1 -i tun0 -p tcp --dport 53 -j ACCEPT
    iptables -I INPUT 1 -i tun0 -p udp --dport 53 -j ACCEPT
    iptables -I INPUT 1 -i tun0 -p tcp --dport 137 -j ACCEPT
    iptables -I INPUT 1 -i tun0 -p udp --dport 137 -j ACCEPT
    iptables -I INPUT 1 -i tun0 -p tcp --dport 139 -j ACCEPT
    iptables -I INPUT 1 -i tun0 -p udp --dport 139 -j ACCEPT
    iptables -I INPUT 1 -i tun0 -p tcp --dport 445 -j ACCEPT
    iptables -I INPUT 1 -i tun0 -p udp --dport 445 -j ACCEPT
    iptables -I INPUT 1 -i tun0 -p tcp --dport 138 -j ACCEPT
    iptables -I INPUT 1 -i tun0 -p udp --dport 138 -j ACCEPT
    iptables -I INPUT 3 -i tun0 -p icmp -j ACCEPT

    Here is my smb.conf global settings
    [global]
    printcap name = /etc/printcap
    printing = lprng
    load printers = no
    printer admin = machine tech
    admin users = machine
    security = user
    wins support = yes
    workgroup = mica
    name resolve order = wins hosts bcast
    encrypt passwords = true
    domain master = yes
    netbios name = Samba
    domain logons = yes
    logon drive = h:
    logon path =
    logon script = login.bat
    local master = yes
    preferred master = yes
    preserve case = yes
    interfaces = eth2 192.168.1.1/24 192.168.2.1/24
    bind interfaces only = yes
    passwd program = /usr/bin/passwd %u
    encrypt passwords = true
    passdb backend = tdbsam
    pam password change = yes
    unix password sync = true
    passwd chat = *new*password* %n\n *new*password* %n\n *updated*
    wide links = no
    wins support = yes

    Still no joy.
    Any thoughts that might help?

    Thanks,
    Kiba

    I’m using two Cisco E2500 routers running DD-WRT v24-sp2 (03/25/13) mega, wanting to run a site-to-site bridge. A lot of the tutorials I read are for other routers so I’m not sure if that’s the starting problem.

    I was stuck on the dd-wrt instructions http://www.dd-wrt.com/wiki/index.php/OpenVPN_-_Site-to-Site_Bridged_VPN_Between_Two_Router; I followed the instructions as closely as possible with no luck.

    I came across your tutorial and it appeared easier (fewer steps) to use routed VPN instead, but no luck either. I copied the script exactly, not sure what I’m supposed to change. I made sure I changed OTHERSUBNET on the client and server side. Changed the remote address to my DNS server. Am I supposed to change 10.0.0.1 and 10.0.0.2 in the script, and if so, to what? This is all new to me so sorry if I’m asking basic noob questions. Any help would be greatly appreciated.

  19. Good afternoon,

    I’ve been running the Site-To-Site Routed VPN setup between my Main HQ site and branch site for about a year now, and it’s been very stable and it works great.

    I have a Windows Server at the HQ site with a domain and Active Directory setup, and all of this works great between the HQ and branch site. The server also handles DHCP and DNS for the domain.

    The only issue I’m having is that at my branch site (SiteB), my clients aren’t pulling IP addresses from the HQ DHCP server (10.0.1.100). In order to get network connectivity at the branch site, I have to manually configure all of my clients with a static IP. Once configured, they work perfectly and can access all domain resources at either site. I have set the DHCP server IP to 10.0.1.100 in the branch site DD-WRT router setup but no luck…

    Are there any commands I need to put in the firewall scripts to allow my branch site to send/receive DHCP requests from the HQ DHCP server?

    Like I said, it works flawlessly at my main HQ site, just hoping to get that part working at the branch site too since I’m planning to add a few more branch sites in the future as well.

    Thank you for your help,
    Shane

  20. Hi Wadih,
    thank you so much for your tutorial, it is really clear. However, it’s the first time I am doing a VPN with dd-wrt routers. I followed you step by step, and it still doesn’t seem to work. Can I send you my file so you can see what I did wrong?

    i made 2 network ID’s
    192.168.2.0
    192.168.1.0

    and I wasn’t sure about where to paste the password; am I supposed to leave those small dots “…..” ??

    Thanks in advance!

    1. You need to create a new STATIC key password and place it there since copying the one I have pasted would make your VPN configuration vulnerable and obvious to outsiders (Which defeats the purpose of it).

  21. Great writeup Wadih, it was super easy to follow and I got my site-to-site connection up nicely.

    However I’m having an issue with the DNS part and I’m a little lost as to what the problem could be. My two routers are configured as such:

    Router #1 (192.168.4.1):

    DHCPserver to use domain on LAN & WLAN.
    LAN domain set to domain1
    DNSMasq enabled
    Local DNS enabled
    No DNS Rebind is disabled

    Additional DNSMasq Options:

    interface=br0,tun0
    no-dhcp-interface=tun0
    server=/domain2/192.168.2.1

    Router #2 (192.168.2.1):

    DHCPserver to use domain on LAN & WLAN.
    LAN domain set to domain2
    DNSMasq enabled
    Local DNS enabled
    No DNS Rebind is disabled

    Additional DNSMasq Options:

    interface=br0,tun0
    no-dhcp-interface=tun0
    server=/domain1/192.168.4.1

    Are these settings correct? Is there something I’m missing?

  22. Dear Wadih

    Sorry for my silly question, but does this way mean I can create a VPN connection site to site with DDNS for both sides ???
    Now I have two sites with dynamic IP addresses on PPPoE connections, and I also have two Linksys E1200 routers running DD-WRT. Does that mean I’m able to use this way with OpenVPN and Dynamic DNS to create a VPN and connect devices such as a PABX or VoIP phones ???

  23. Hi wadith,

    I followed the instructions and it is working perfectly. But I want to have 6 client routers. But the main router cannot have configuration for more than two client routers. After adding the 3rd tunnel configuration, the main router is not working after reboot. Please help me.
    Thanks.

      1. Check how much NVRAM/RAM you have remaining. Did you insert any extra commands/customizations?

        I’m currently running 15 nodes altogether and it’s working great!

        1. Hi Wadih, I’ve been using your solution for a few months now and it’s been solid. However, now I’m attempting to add a 3rd office into the mix and so far have been unsuccessful. Can I email you my configs for some insight? The original two offices are able to connect with my config, but the 3rd doesn’t.

          The routers I’m using are all Netgear R7000’s, should be more than capable for this.

          1. If I start counting the number of times I made a mistake with the numbers, I would still be counting!

            Glad that it’s working fine for you.

  24. Hi Wadih
    Thanks for the clear tutorial. I tried to set up a tunnel, but I can’t reach the ‘other side’ from either the client or the server side. Traceroute shows the routing from the local network 192.168.93.0 to the tunnel 10.0.0.1 but after that, only time-outs.
    I suspect the router of the ISP is blocking this port. Is there a reason not to use another port or can I choose whatever I want, as long as I stay out of the ‘standard’ ones. So e.g. 65889 or whatever?

  25. Hi Wadih,

    Really useful write up. Thanks.

    I have just the basic setup.

    Question = How can the client side be forced to access the internet (eg from their browsers) through the server connection, and not locally ?

    1. Two things need to be done:

      On the client side, you need to add two route entries to your configuration. The first to make sure that the route to the server-side external VPN IP address goes via your ISP and the second one to route all traffic via your VPN endpoint.

      On the server side, you need to allow all client traffic to go through the server node.

      Please note the following:

      Your client-side connection speed will be the lower of these two:
      – The server backplane or its capability to process your client-side packets.
      – Your ISP connection between your client and server since all your client-side traffic is rerouted via the VPN.

      Is there any reason as to why you want to pass all the traffic via VPN? You can also consider specific routes for specific applications/ports to minimize your network load.

      Hope this helps,

      W.

  26. Hi Wadih,
    I followed your instructions and it is working fine with a three router setup. But I have an issue; maybe you can help me to resolve it. My main office router IP is 192.168.1.0/24 and the remote office IPs are 192.168.2.0/24 and 192.168.3.0/24. In the main office there is one IP PBX system, its IP is 192.168.1.240. I want all remote offices to be able to access the main office phone system. I put an IP phone in the remote office and I am able to ping those phones but it’s not working; the PBX system requires those ports (TCP 1040-1044 AND UDP 2093-2096) to be open to work. Can you help me with how to open those ports inside the tunnel so I am able to use those phones in the remote office.
    Thanks

    1. Hi Arvind,

      The purpose behind this VPN is allow unblocked communication. So, by default all traffic between your three networks should work without problems. Have you made sure that client-to-client communication is working fine? i.e. 192.168.2.0 and 192.168.3.0 can ping each other?

      If yes, your problem resides elsewhere, but certainly not in the VPN configuration. I’m personally using this setup with 15 nodes and a PBX at one location… All working great.

      Cheers,

      W.

        Thanks for your reply. Yes, I can ping each other and I can ping the remote PBX extension, but my extension is not connecting to the PBX, it is continuously looking for the PBX. Something is blocking in the network. The extension needs to communicate by UDP ports 2093-2096 and TCP 1040-1044. Those ports should be open but I am not sure whether those ports are open or not. Please help me.
        Thanks

  27. Thanks for your helpful reply which I understand and will try soonest. I am using a VPN over a low capacity (3Mbps down/ 1Mbps up) satellite link. The direct (non-VPN) traffic is routed through the operator’s deep proxy which effectively increase the throughput AT THE EXPENSE OF LATENCY. Any “session” based communications are experiencing about 50% timeouts. I have experimented after hours with restricting the bandwidth of my fibre to 300Kbps which is successful in that no sessions have timed out yet. I therefore expect that routing all traffic through the VPN will solve the problem even if the remote users have to wait longer for their webpages.

    I have spelt this all out as it might help somebody else.

    All the best

  28. Hello Wadih,

    Thank you very much with this tutorial, it helped us a lot.

    I know you said it in the tutorial but i am hoping on a solution.

    Is it possible to run the DHCP server on a Windows Server because of the Active Directory and DNS settings?
    Maybe it is possible to give the VPN client and server a static address?

    1. Hi Wadih,

      Because of the static tunnel addresses, the DHCP is not necessary on the 2 routers.

      For our project, we used 2 routers and set the DHCP server on the 2 routers to disabled; on each site we had a system running Windows Server with AD, DNS and DHCP with no problem.

      Thank you!

      1. Perfect! Thanks for letting me know.

        Sometimes, disabling something from one end may break something else from the other end… Hence my initial hesitation.

        Have a great week.

        W.

  29. I am working on implementing this site to site VPN scheme.
    Are you still around?
    I have a couple questions. Complicated. Heh.
    I have some routers (WRT54G with DDWRT Mega on each)

    I have to use DDNS too. More complicated.

  30. Hi all of you,

    thanks for this tutorial, really helped me a lot…
    Connected two dd-wrt v24-sp2 routers as described and the connection established successfully… But I can’t ping across the VPN….
    The Server can ping 10.0.0.1 but not 10.0.0.2, the client-router can ping 10.0.0.2 but not 10.0.0.1…

    Searched the Internet for a while, but unfortunately still no solution found yet :/… DMZ is disabled on both sites, I also tried to set /proc/sys/net/ipv4/ip_forward ==> 1… Nothing seems to help :/…?
    Has anyone experienced something similar and could give me a hint ?

    Mon Oct 19 23:50:35 2015 OpenVPN 2.3.6 mips-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 22 2014
    Mon Oct 19 23:50:35 2015 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
    Mon Oct 19 23:50:35 2015 Diffie-Hellman initialized with 2048 bit key
    Mon Oct 19 23:50:35 2015 Socket Buffers: R=[172032->131072] S=[172032->131072]
    Mon Oct 19 23:50:35 2015 TUN/TAP device tun0 opened
    Mon Oct 19 23:50:35 2015 TUN/TAP TX queue length set to 100
    Mon Oct 19 23:50:35 2015 UDPv4 link local (bound): [undef]
    Mon Oct 19 23:50:35 2015 UDPv4 link remote: [undef]
    Mon Oct 19 23:50:35 2015 MULTI: multi_init called, r=256 v=256
    Mon Oct 19 23:50:35 2015 Initialization Sequence Completed
    Mon Oct 19 23:50:57 2015 XX.XXX.XXX.XXX:YYYY TLS: Initial packet from [AF_INET]80.187.101.182:3170, sid=9cf18465 4ba40254
    Mon Oct 19 23:51:00 2015 XX.XXX.XXX.XXX:YYYY VERIFY OK: depth=1, C=DE, ST=XX, L=XX, O=XXX, OU=XXX, CN=XXXXXX, name=XXX, emailAddress=myVpn@myMail.com
    Mon Oct 19 23:51:00 2015 XX.XXX.XXX.XXX:YYYY VERIFY OK: depth=0, C=DE, ST=XX, L=XX, O=XXX, OU=XXX, CN=XXXXXX, name=XXX, emailAddress=myVpn@myMail.com
    Mon Oct 19 23:51:01 2015 XX.XXX.XXX.XXX:YYYY Data Channel Encrypt: Cipher ‘BF-CBC’ initialized with 128 bit key
    Mon Oct 19 23:51:01 2015 XX.XXX.XXX.XXX:YYYY Data Channel Encrypt: Using 160 bit message hash ‘SHA1’ for HMAC authentication
    Mon Oct 19 23:51:01 2015 XX.XXX.XXX.XXX:YYYY Data Channel Decrypt: Cipher ‘BF-CBC’ initialized with 128 bit key
    Mon Oct 19 23:51:01 2015 XX.XXX.XXX.XXX:YYYY Data Channel Decrypt: Using 160 bit message hash ‘SHA1’ for HMAC authentication
    Mon Oct 19 23:51:01 2015 XX.XXX.XXX.XXX:YYYY Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Mon Oct 19 23:51:01 2015 XX.XXX.XXX.XXX:YYYY [XXXXXXXXXXX] Peer Connection Initiated with [AF_INET]XX.XXX.XXX.XXX:YYYY
    Mon Oct 19 23:51:01 2015 XXXXXXX/XX.XXX.XXX.XXX:YYYY MULTI: no dynamic or static remote --ifconfig address is available for XXXX/XX.XXX.XXX.XXX:YYYY

  31. Hello
    Thanks to your great post here, I have 1 HQ and 3 remote offices that is connected with little to no trouble at all!! However My current setting was configured more than 3 years ago and I am in a process of upgrade (Both hardware and configuration) I will probably get 4 x Netgear R7000 for each location and have latest Kong K3-AC DDWRT (Dated 10.25.2015) in there.
    The configuration upgrade I need is to have my on-road sales guys (About 4-5 people) with a laptop to have access to server resources (Files, Networked Quickbook, intranet, etc) which is physically located in HQ when they’re on the road and not in our VPN network. The usual case is that they visit customer’s site and have WiFi access from customer or use their phone’s tethered wifi access.
    I’m guessing I need to install Openvpn client in the laptop but how would I go about to give my on-road guys access to our VPN from outside of our network?

  32. I am running dd-wrt on a linksys e1000 (client side) and a linksys e4200 (server side). I have run through the config multiple times on both sides. I end up being able to ping the server side from the client side but not the other way. Any thoughts on a cause for this? There is a server on the server side network I need the client side to connect to. I can ping it from client side but cannot connect to it. Any help you can give will be greatly appreciated.

  33. Hello,

    I was hoping you could help me out. I’ve implemented a site to site VPN but I can’t get the tunnel to come up. Can I email you the logs I’m getting? If so, what is your email?

  34. Hello.

    I am trying to configure a VPN channel between a router with DD-WRT and a gateway with Linux. OpenVPN has long been used on the Linux machine; it is the server, and the router with DD-WRT connects to it.

    Router with DD-WRT: TPLINK TL-WDR4300 v1
    Firmware DD-WRT: DD-WRT v24-sp2 (06/01/15) std – build 27147

    Problem: the tunnel seems to work, but the OpenVPN tunnel IP (10.10.5.1) does not ping, and accordingly the internal network does not ping either.

    Openvpn log (Linux):
    Thu Jan 8 20:36:10 2015 us=823791 OpenVPN 2.1.3 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Feb 20 2012
    Thu Jan 8 20:36:10 2015 us=824288 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Thu Jan 8 20:36:10 2015 us=824554 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
    Thu Jan 8 20:36:10 2015 us=824640 LZO compression initialized
    Thu Jan 8 20:36:10 2015 us=824712 MTU DYNAMIC mtu=1450, flags=2, 1501 -> 1450
    Thu Jan 8 20:36:10 2015 us=824926 Socket Buffers: R=[112640->131072] S=[112640->131072]
    Thu Jan 8 20:36:10 2015 us=826101 GDG: route[1] 192.168.0.0/255.255.255.0/0.0.0.0 m=0
    Thu Jan 8 20:36:10 2015 us=826142 GDG: route[2] 0.0.0.0/0.0.0.0/ m=0
    Thu Jan 8 20:36:10 2015 us=826334 GDG: best=[2] lm=0
    Thu Jan 8 20:36:10 2015 us=830609 TUN/TAP device tun1 opened
    Thu Jan 8 20:36:10 2015 us=830894 TUN/TAP TX queue length set to 100
    Thu Jan 8 20:36:10 2015 us=834980 /sbin/ifconfig tun1 10.10.5.1 pointopoint 10.10.5.2 mtu 1500
    Thu Jan 8 20:36:10 2015 us=843798 /etc/openvpn/route-tmp.up tun1 1500 1501 10.10.5.1 10.10.5.2 init
    Thu Jan 8 20:36:10 2015 us=856330 Data Channel MTU parms [ L:1501 D:1450 EF:1 EB:135 ET:0 EL:0 AF:14/1 ]
    Thu Jan 8 20:36:10 2015 us=856589 Local Options String: 'V4,dev-type tun,link-mtu 1501,tun-mtu 1500,proto UDPv4,ifconfig 10.10.5.2 10.10.5.1,comp-lzo'
    Thu Jan 8 20:36:10 2015 us=856633 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1501,tun-mtu 1500,proto UDPv4,ifconfig 10.10.5.1 10.10.5.2,comp-lzo'
    Thu Jan 8 20:36:10 2015 us=856739 Local Options hash (VER=V4): '52e725a4'
    Thu Jan 8 20:36:10 2015 us=856909 Expected Remote Options hash (VER=V4): '2d3ae0b8'
    Thu Jan 8 20:36:10 2015 us=867626 UDPv4 link local (bound): [AF_INET]78.111.82.146:2500
    Thu Jan 8 20:36:10 2015 us=867870 UDPv4 link remote: [undef]
    Thu Jan 8 20:37:41 2015 us=907547 TUN READ [104]
    Thu Jan 8 20:37:41 2015 us=908691 TUN READ [52]
    Thu Jan 8 20:37:41 2015 us=908983 MSS: 1460 -> 1409

    Openvpn log (DD-WRT):
    Jan 8 17:31:17 GW2 daemon.warn openvpn[1348]: ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
    Jan 8 17:31:17 GW2 daemon.notice openvpn[1348]: LZO compression initialized
    Jan 8 17:31:17 GW2 daemon.notice openvpn[1348]: Socket Buffers: R=[172032->131072] S=[172032->131072]
    Jan 8 17:31:17 GW2 daemon.notice openvpn[1348]: TUN/TAP device tun0 opened
    Jan 8 17:31:17 GW2 daemon.notice openvpn[1348]: TUN/TAP TX queue length set to 100
    Jan 8 17:31:17 GW2 daemon.notice openvpn[1348]: Data Channel MTU parms [ L:1533 D:1450 EF:1 EB:135 ET:32 EL:0 AF:14/1 ]
    Jan 8 17:31:17 GW2 daemon.notice openvpn[1348]: Local Options String: 'V4,dev-type tun,link-mtu 1533,tun-mtu 1532,proto UDPv4,comp-lzo'
    Jan 8 17:31:17 GW2 daemon.notice openvpn[1348]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1533,tun-mtu 1532,proto UDPv4,comp-lzo'
    Jan 8 17:31:17 GW2 daemon.notice openvpn[1348]: Local Options hash (VER=V4): '642d2254'
    Jan 8 17:31:17 GW2 daemon.notice openvpn[1348]: Expected Remote Options hash (VER=V4): '642d2254'
    Jan 8 17:31:17 GW2 daemon.notice openvpn[1348]: UDPv4 link local (bound): [undef]
    Jan 8 17:31:17 GW2 daemon.notice openvpn[1348]: UDPv4 link remote: [AF_INET]:2500
    Jan 8 17:31:17 GW2 daemon.notice openvpn[1348]: UDPv4 WRITE [17] to [AF_INET]:2500: DATA len=17
    Jan 8 17:31:18 GW2 daemon.notice openvpn[1348]: UDPv4 WRITE [61] to [AF_INET]:2500: DATA len=61
    Jan 8 17:31:22 GW2 daemon.notice openvpn[1348]: UDPv4 WRITE [79] to [AF_INET]:2500: DATA len=79
    Jan 8 17:31:23 GW2 daemon.notice openvpn[1348]: UDPv4 WRITE [79] to [AF_INET]:2500: DATA len=79

    Config OpenVPN (DD-WRT):
    cd /tmp
    echo "
    remote
    proto udp
    port 2500
    dev tun0
    verb 7
    comp-lzo
    keepalive 10 120
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    auth none
    cipher none
    script-security 2
    daemon
    " > vpn-s2s-date-tmp.conf
    ln -s /usr/sbin/openvpn /tmp/myvpn
    /tmp/myvpn --mktun --dev tun0
    ifconfig tun0 10.10.5.2 netmask 255.255.255.255 pointopoint 10.10.5.1 promisc up
    route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.10.5.1
    sleep 5
    /tmp/myvpn --config vpn-s2s-date-tmp.conf

    Config IPtables (DD-WRT):
    iptables -I INPUT 1 -p udp --dport 2500 -j ACCEPT
    iptables -I FORWARD 1 --source 192.168.0.0/24 -j ACCEPT
    iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
    iptables -A FORWARD -s 10.10.0.0/24 -j ACCEPT
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    Routing table (DD-WRT):
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    0.0.0.0 0.0.0.0 UG 0 0 0 vlan2
    10.10.5.1 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
    127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
    169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br0
    0.0.0.0 255.255.255.252 U 0 0 0 vlan2
    192.168.1.0 10.10.5.1 255.255.255.0 UG 0 0 0 tun0
    192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 br0

    Ifconfig (DD-WRT):
    br0 Link encap:Ethernet HWaddr 14:CC:20:52:06:F3
    inet addr:192.168.3.1 Bcast:192.168.3.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:3230 errors:0 dropped:0 overruns:0 frame:0
    TX packets:3014 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:586509 (572.7 KiB) TX bytes:1164347 (1.1 MiB)

    br0:0 Link encap:Ethernet HWaddr 14:CC:20:52:06:F3
    inet addr:169.254.255.1 Bcast:169.254.255.255 Mask:255.255.0.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

    eth0 Link encap:Ethernet HWaddr 14:CC:20:52:06:F3
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:5651 errors:0 dropped:0 overruns:0 frame:0
    TX packets:5880 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:1226423 (1.1 MiB) TX bytes:1774085 (1.6 MiB)
    Interrupt:4

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MULTICAST MTU:65536 Metric:1
    RX packets:2 errors:0 dropped:0 overruns:0 frame:0
    TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:340 (340.0 B) TX bytes:340 (340.0 B)

    tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
    inet addr:10.10.5.2 P-t-P:10.10.5.1 Mask:255.255.255.255
    UP POINTOPOINT RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:332 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:0 (0.0 B) TX bytes:43367 (42.3 KiB)

    vlan1 Link encap:Ethernet HWaddr 14:CC:20:52:06:F3
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:3231 errors:0 dropped:0 overruns:0 frame:0
    TX packets:3014 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:586555 (572.8 KiB) TX bytes:1164347 (1.1 MiB)

    vlan2 Link encap:Ethernet HWaddr 14:CC:20:52:06:F3
    inet addr: Bcast: Mask:255.255.255.252
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:2420 errors:0 dropped:0 overruns:0 frame:0
    TX packets:2866 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:538150 (525.5 KiB) TX bytes:586218 (572.4 KiB)

    Config Openvpn (Linux):
    dev tun
    local
    ifconfig 10.10.5.1 10.10.5.2
    proto udp
    auth none
    cipher none
    script-security 2
    up /etc/openvpn/route-tmp.up
    down /etc/openvpn/route-tmp.down
    port 2500
    comp-lzo
    verb 7
    log-append /var/log/openvpn-s2s-date-tmp.log

    Routing table (Linux):
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    10.10.5.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun1
    192.168.3.0 10.10.5.2 255.255.255.0 UG 0 0 0 tun1
    192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
    0.0.0.0 0.0.0.0 UG 0 0 0 vlan386

    ifconfig (Linux):
    eth2 Link encap:Ethernet HWaddr 00:19:5b:fe:32:57
    inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
    inet6 addr: fe80::219:5bff:fefe:3257/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:83704188 errors:0 dropped:0 overruns:0 frame:0
    TX packets:61330701 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:3664262489 (3.4 GiB) TX bytes:3740640529 (3.4 GiB)
    Interrupt:17 Base address:0xdc00

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:264 errors:0 dropped:0 overruns:0 frame:0
    TX packets:264 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:18016 (17.5 KiB) TX bytes:18016 (17.5 KiB)

    tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
    inet addr:10.10.5.1 P-t-P:10.10.5.2 Mask:255.255.255.255
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:146 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:0 (0.0 B) TX bytes:13904 (13.5 KiB)

    vlan386 Link encap:Ethernet HWaddr 00:1e:58:aa:88:7a
    inet addr: Bcast: Mask:255.255.255.252
    inet6 addr: fe80::21e:58ff:feaa:887a/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:63376975 errors:0 dropped:0 overruns:0 frame:0
    TX packets:83884712 errors:0 dropped:817 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:3481922440 (3.2 GiB) TX bytes:4017032006 (3.7 GiB)
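
Comments 30 and 34 both post OpenVPN logs whose decisive lines are easy to overlook. As an added example that is not code from the thread, the following scans such logs for the cleartext warning, the missing remote --ifconfig address, and option mismatches between the two peers; the sample lines are constructed from the logs posted above, and the tunnel address 203.0.113.10 is a placeholder.

```python
"""Added example (not from the thread): scan OpenVPN logs for the problems
the comments above ran into.  Sample log lines are constructed, modelled
on the posted logs."""
import re

_CLEARTEXT = re.compile(r"all encryption and authentication features disabled")
# OpenVPN prints "--ifconfig"; copy/paste often turns "--" into an en-dash.
_NO_IFCONFIG = re.compile(r"no dynamic or static remote [-\u2013]+ifconfig address")
# Straight or curly quotes around the options string are both accepted.
_OPTIONS = re.compile(r"(Local|Expected Remote) Options String: ['\u2018](.*?)['\u2019]")


def options_to_dict(options_string):
    """'V4,dev-type tun,link-mtu 1501,...' -> {'V4': '', 'dev-type': 'tun', 'link-mtu': '1501', ...}"""
    result = {}
    for token in options_string.split(","):
        name, _, value = token.strip().partition(" ")
        result[name] = value
    return result


def extract_options(log_text):
    """Return (local, expected_remote) option dicts logged by one peer; None if absent."""
    found = {"Local": None, "Expected Remote": None}
    for match in _OPTIONS.finditer(log_text):
        found[match.group(1)] = options_to_dict(match.group(2))
    return found["Local"], found["Expected Remote"]


def single_peer_findings(log_text):
    """Findings that need only one side's log."""
    findings = []
    if _CLEARTEXT.search(log_text):
        findings.append("cleartext: 'auth none'/'cipher none' removes encryption and "
                        "integrity protection; use the static key or TLS from the tutorial")
    if _NO_IFCONFIG.search(log_text):
        findings.append("no remote --ifconfig address: the TLS client authenticated but the "
                        "server has no tunnel address for it (no ifconfig-pool or client-config-dir entry)")
    return findings


def option_mismatches(this_expected, peer_local):
    """(name, expected, actually sent) for every option the two sides disagree on."""
    return [(name, this_expected.get(name), peer_local.get(name))
            for name in sorted(set(this_expected) | set(peer_local))
            if this_expected.get(name) != peer_local.get(name)]


def cross_check(server_log, client_log):
    """Compare what each side expects of its peer with what the peer logged as its local options."""
    s_local, s_expected = extract_options(server_log)
    c_local, c_expected = extract_options(client_log)
    report = {}
    if s_expected is not None and c_local is not None:
        report["server_expects_vs_client_sends"] = option_mismatches(s_expected, c_local)
    if c_expected is not None and s_local is not None:
        report["client_expects_vs_server_sends"] = option_mismatches(c_expected, s_local)
    return report


# Constructed samples, modelled on comment 34 (server = Linux, client = DD-WRT).
SERVER_LOG = """\
Thu Jan 8 20:36:10 2015 us=824554 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
Thu Jan 8 20:36:10 2015 us=856589 Local Options String: 'V4,dev-type tun,link-mtu 1501,tun-mtu 1500,proto UDPv4,ifconfig 10.10.5.2 10.10.5.1,comp-lzo'
Thu Jan 8 20:36:10 2015 us=856633 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1501,tun-mtu 1500,proto UDPv4,ifconfig 10.10.5.1 10.10.5.2,comp-lzo'
"""
CLIENT_LOG = """\
Jan 8 17:31:17 GW2 daemon.warn openvpn[1348]: ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
Jan 8 17:31:17 GW2 daemon.notice openvpn[1348]: Local Options String: 'V4,dev-type tun,link-mtu 1533,tun-mtu 1532,proto UDPv4,comp-lzo'
Jan 8 17:31:17 GW2 daemon.notice openvpn[1348]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1533,tun-mtu 1532,proto UDPv4,comp-lzo'
"""
# Constructed sample modelled on comment 30 (TLS server); 203.0.113.10 is a placeholder address.
TLS_SERVER_LOG = ("Mon Oct 19 23:51:01 2015 client1/203.0.113.10:3170 MULTI: no dynamic or static "
                  "remote --ifconfig address is available for client1/203.0.113.10:3170\n")

if __name__ == "__main__":
    for label, text in (("server", SERVER_LOG), ("client", CLIENT_LOG), ("tls-server", TLS_SERVER_LOG)):
        for finding in single_peer_findings(text):
            print(f"[{label}] {finding}")
    for direction, diffs in cross_check(SERVER_LOG, CLIENT_LOG).items():
        for name, expected, sent in diffs:
            print(f"[{direction}] {name}: expected {expected!r}, peer sends {sent!r}")
```

Run against the two logs in comment 34 it reports the cleartext warning on both sides and that the DD-WRT peer sends no ifconfig option and different link-mtu/tun-mtu values than the Linux side expects.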

  35. Hi Wadi,

    I followed the steps to setup the client and the server until step #4.
    I dont really know how to check if the setup is correct or not but I think I did everything correctly as instructed.
    I have two locations with two different ISPs. The issue I have is that at location 1 (client) the ISP blocks the SIP protocol, and I’m trying to connect location 1 to location 2 so I can have the packets go from location 1 to location 2 and avoid the blockage.

    After configuring both server and client, I’m still having the issues with the blockage. I’m not sure if I should do more steps to complete the setup, or if I should use bridged VPN instead.

    Please help!

    Thanks,
    James

  36. This is great, but isn’t there a way so that the client only sees the outside world through the VPN tunnel?

    1. Sure! Say you want to have all traffic from the Client1 Intranet side go through your server side; you’ll need to do a couple of things:

      1. Add a route command allowing the client to find the server via its bridge.
      2. Add a route command rerouting all traffic via the tunnel.
      3. Add a masquerade option on the server side to allow tunnel-based traffic to access the internet.
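
The replies to comments 25 and 36 give the same three-step recipe for sending all client-side traffic through the server. As an added example that is not part of the thread, the following models the client's route table with a longest-prefix-match lookup and shows why the host route of step 1 must exist before the default route of step 2; 198.51.100.7 (server public IP), 203.0.113.1 (ISP gateway) and the WAN interface name vlan2 are assumed values, while the tunnel and LAN addresses follow the tutorial's plan.

```python
"""Added example (not from the thread): why step 1 must precede step 2 when
routing all client traffic through the VPN.  Public addresses below are
constructed placeholders."""
import ipaddress


class RouteTable:
    """Minimal kernel-style routing table: the longest matching prefix wins."""

    def __init__(self):
        self.routes = []  # (network, gateway or None, interface)

    def add(self, prefix, gateway, iface):
        self.routes.append((ipaddress.ip_network(prefix), gateway, iface))

    def lookup(self, dst):
        """Return (network, gateway, iface) of the best route for dst, or None."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, gw, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, iface)
        return best


def client_routes(server_public_ip, isp_gateway, wan_iface, with_host_route=True):
    """Client-side table after the tunnel is up and 'everything via VPN' is applied."""
    rt = RouteTable()
    rt.add("192.168.2.0/24", None, "br0")           # Client1 LAN
    rt.add("10.0.0.1/32", None, "tun0")             # server's tunnel endpoint
    rt.add("192.168.1.0/24", "10.0.0.1", "tun0")    # OTHERSUBNET (server LAN) via the tunnel
    if with_host_route:
        # step 1: the encapsulated UDP packets to the server must still leave via the ISP
        rt.add(server_public_ip + "/32", isp_gateway, wan_iface)
    rt.add("0.0.0.0/0", "10.0.0.1", "tun0")         # step 2: everything else via the tunnel
    return rt


def tunnel_endpoint_reachable(rt, server_public_ip, wan_iface):
    """False means the tunnel's own packets would be routed into the tunnel: a routing loop."""
    best = rt.lookup(server_public_ip)
    return best is not None and best[2] == wan_iface


def server_masquerade_rule(client_subnet, wan_iface):
    """Step 3: the NAT rule the server needs so client LAN traffic can reach the internet."""
    return f"iptables -t nat -A POSTROUTING -s {client_subnet} -o {wan_iface} -j MASQUERADE"


if __name__ == "__main__":
    for with_host in (False, True):
        rt = client_routes("198.51.100.7", "203.0.113.1", "vlan2", with_host)
        ok = tunnel_endpoint_reachable(rt, "198.51.100.7", "vlan2")
        print(f"host route {'present' if with_host else 'missing'}: "
              f"{'ok' if ok else 'LOOP: tunnel packets routed into tun0'}")
    print(server_masquerade_rule("192.168.2.0/24", "vlan2"))
```
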

  37. Hello,

    in case you’re still checking those comments: Thank you very much for this easy and efficient tutorial!

    Machines on either side of my tunnel can access each other. I can access the router on the side I’m on, but not on the other side.
    So on the HOST network 192.168.0.0, I can access 192.168.0.1 (or 10.0.0.1), but not 192.168.2.1 (or 10.0.0.2).
    On the connecting network 192.168.2.0, I can access 192.168.2.1 (or 10.0.0.2), but not 192.168.0.1 (or 10.0.0.1).

    Can I solve this? Is this intended?
    It’s no deal breaker, but it would be nice to be able to access the off-site router.

    Greetings,
    Seb

    1. Hi Seb. Thanks for the kind note. Still checking them sporadically. Since the tunnel is up and connectivity is established, I suspect that you probably missed adding the firewall rules to allow ICMP or any other service on the other site.

  38. Really useful info here, Wadih. Thanks for sharing!
    I am working on a 3-cornered deployment where I will have Server, Client1, and Client2 as you show in this tutorial. In addition to each client having regular conversations with the server, I will also have Client1 and Client2 having frequent conversations. Is it sufficient to use the server as middle-man when the two clients talk, or would it benefit me to configure an additional pipe directly between the clients? Also, would your answer change if I added a Client3?
    Many thanks for any insights.
    -Bobber

    1. Thanks, Bobber.

      It depends on your bandwidth requirements. The routing that your server will perform will certainly impact its external traffic as well as Server-Client1 traffic and Server-Client2 traffic. Hence, if you’re talking about small traffic like compressed VoIP for example, that should be ok. But if you do file transfers between Clients, then the impact will be much bigger.
      A client3 implementation will have the same impact.

      In one of my current implementations, I have a VoIP server at Server1 and 15 clients. Essentially VoIP traffic circulates and redirects all day long. Works perfectly!

      So, it will depend on your implementation and constraints. Feel free to email me your particular scenario if you want to discuss further.

      Cheers!

      1. Thanks for the prompt reply and for the extra insight.
        I think I will proceed with the hub-and-spoke topology and stick with that until I see a reason to change.

  39. Wadih, I put the info in the server configuration on a new Buffalo dd-wrt router (v24?) under commands and firewall. After I clicked save, the router disconnected (I didn't even click apply or reboot). Now the office has lost internet access entirely. Have you heard of this before?

    One guess, maybe that router doesn’t have enough free space to save all that in the commands and firewall section? I’ve never seen a dd-wrt router make any changes after a simple ‘save’ operation. I’m not on-site so am still waiting for someone to get there to see if the thing is even operable.

    Thanks

  40. Hello friend, thanks for this great tutorial.
    I need help to configure a VPN with some modifications with respect to what you present here.
    First, here I have shared a graphic scheme of the network that I need to solve:
    https://dl.dropboxusercontent.com/u/65615557/Network%20Transovalo.png
    In this scheme there are two LANs, connected by a VPN tunnel through the internet. The intention is to share an IP telephony system service and a NAS server physically installed in LAN2, a few kilometres from LAN1, where those services will be used.
    At one end of the VPN tunnel is ROUTER1 in LAN1, as VPN server. The idea for this ROUTER1 is to extend the local network to another ROUTER2, in LAN2, as VPN client at the other end of the VPN tunnel.
    One particularity of this scheme is that the network configuration on LAN1 (DHCP, network range, DNS, etc.) is determined by MODEM1, not by ROUTER1, which is just like any other device plugged into the local network. The identical situation happens in LAN2, where MODEM2 determines the local network parameters and ROUTER2 just belongs to it.
    Maybe you wonder why I don't configure a VPN in the modem and avoid using 2 additional routers with all their additional problems. The thing is, firstly, the modems don't have DD-WRT firmware (haha); secondly, I can't get access to the modem because the ISP doesn't give me the modem's password, nor the configuration information to configure it as a bridge and put a router after it. Third, I don't need all devices in LAN2 connected to the VPN.
    So, I understand that the configuration you explain in this post will not work in this case because both routers will have a local IP on the WAN (like 192.168.10.x), and not the public IP provided by the ISP. That is why I think it is necessary to configure ROUTER1 as a bridge of LAN1, as a bridged VPN server of LAN1, if something like that is possible. This is at one end of the VPN tunnel; at the other we have ROUTER2 in LAN2. It has to be configured in a way which allows all connected devices to automatically acquire the network configuration belonging to LAN1.
    Well, I hope I was clear enough in explaining the problem to solve. I need you to tell me, in short, and considering that you are more experienced than I am in this VPN matter, whether it is possible to make a tunnel in that way, and, more importantly, whether this solution is convenient.
    My regards to you and thanks for all.
    Tomas from Argentina.

  42. Hi Wadih!

    I’m wondering, could we adapt this method to create a tunnel between two distant DD-WRT routers with both public IP addresses (via Internet).

    I cannot manage to find a viable and secure way to achieve this, hope you can give me a hint 🙂

    Thanks very much for the great work you detailed here, though!

    1. Hi Yannick,

      This method works for one private IP/one public IP or two public IPs.
      In your case, one of the locations would simply need to be designated as “server” and the other as “client”.

      Cheers!
