[Openvpn-users] OpenVPN and partial windows network browsing


  • Subject: [Openvpn-users] OpenVPN and partial windows network browsing
  • From: "OverTech Argentina" <overtech.argentina@xxxxxxxxx>
  • Date: Wed, 4 Oct 2006 00:32:42 -0300

Hi, it's my first post in this list.

My situation is the following: I've got two Linksys WRT54GL with firmware DD-WRT vpn v23 SP2. This firmware has OpenVPN built in. One of the WRT54GL is at the office, and the other one at home.

My idea was to create a VPN between both WRT54GL so clients behind the home WRT54GL could connect to the VPN without needing any OpenVPN install.

At the Wiki of the DD-WRT firmware there are instructions about how my idea of creating a VPN with both WRT54GL could be done: www.dd-wrt.com/wiki/index.php/OpenVPN

The idea shown at the Wiki is based on creating a VPN in bridging mode and using the TCP protocol.

First of all I tweaked the configuration to use the UDP protocol instead of the TCP protocol. After that I successfully bridged the two WRT54GL, and clients behind the home WRT54GL could see clients behind the office WRT54GL without any OpenVPN install on their Windows XP computers.
But with this bridging mode a little problem appears: both WRT54GL work as DHCP servers for the clients physically connected, but after the VPN bridge is running, what a client connected to either WRT54GL sees is a subnet with two DHCP servers, so sometimes it happened that clients behind the office WRT54GL got IP information from the home WRT54GL and vice versa.
My first attempt to resolve this was to set static DHCP leases for the fixed computers at the office and for the ones at home, but the problem appeared when customers at the office brought their notebooks and connected to the office WLAN: sometimes they got IP information provided by the home WRT54GL, so their internet traffic, instead of going out from the office WRT54GL to the internet, travelled through the VPN to the home WRT54GL and went out to the internet from there.

After reading a lot at the OpenVPN site I decided to implement a routing mode solution, because in that way the DHCP problem won't exist.

I implemented it with 90% success. I say 90% because the only thing I couldn't do is browsing the Windows network through the VPN like I was able to do in bridging mode.

I installed a WINS server on the Windows 2003 Server primary domain controller located at the office, and I discovered that my home computer, connected to my home WRT54GL, registers its name and IP in the WINS server correctly, but then when I go to My Network Places on my home Windows XP computer I only see the home computer and not all the computers at the office.

The office subnet is 192.168.0.xxx and the home subnet is 192.168.1.xxx.

Although I cannot see all the office computers when browsing the network, I can map network drives because I know some paths to office shared folders, so I connect to the network computer using for example \\SERVER\Temp (where Temp is a shared folder on the computer named SERVER).

One thing that caught my attention is that I had to create another subnet for the VPN tunnel; that subnet was 192.168.50.xxx.
I tried to create the tunnel using the 192.168.0.xxx subnet to see if perhaps in that way my home computer in the 192.168.1.xxx subnet could see, in network browsing, computers from the 192.168.0.xxx subnet.

This is the config file from the OpenVPN server running in the office WRT54GL:

dev tun0
client-to-client
client-config-dir /tmp/vpnclients
server 192.168.50.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
route 192.168.1.0 255.255.255.0
ca /tmp/ca.crt
cert /tmp/server.crt
key /tmp/server.key
dh /tmp/dh1024.pem
comp-lzo
port 1194
keepalive 15 60
verb 3

and I've also got a file, named with the common name of the certificate used by the OpenVPN client, on this office WRT54GL, created with the line:

echo "iroute 192.168.1.0 255.255.255.0" > /tmp/vpnclients/client1

After the OpenVPN server is running, the route command shows this:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.50.2    *               255.255.255.255 UH    0      0        0 tun0
192.168.50.0    192.168.50.2     255.255.255.0   UG    0      0        0 tun0
192.168.1.0     192.168.50.2    255.255.255.0   UG    0      0        0 tun0
192.168.0.0     *               255.255.255.0   U     0      0        0 br0
24.232.165.0    *               255.255.255.0   U     0      0        0 vlan1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         GW-165.fibertel 0.0.0.0         UG    0      0        0 vlan1

and the ifconfig shows this for interface tun0:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.50.1  P-t-P:192.168.50.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:1394 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1554 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:94070 (91.8 KiB)  TX bytes:664679 (649.1 KiB)

The client OpenVPN config used at home WRT54GL is:

client
dev tun1
remote xxxxxx.dyndns.org
resolv-retry infinite
nobind
persist-key
persist-tun
ca /tmp/ca.crt
cert /tmp/client1.crt
key /tmp/client1.key
ns-cert-type server
comp-lzo
verb 3
keepalive 15 60

and after the client is connected the route command shows in the home WRT54GL:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.50.5    *               255.255.255.255 UH    0      0        0 tun1
192.168.50.0    192.168.50.5    255.255.255.0   UG    0      0        0 tun1
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
192.168.0.0     192.168.50.5    255.255.255.0   UG    0      0        0 tun1
200.114.159.0   *               255.255.255.0   U     0      0        0 vlan1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         GW-159-114-200. 0.0.0.0         UG    0      0        0 vlan1

and the ifconfig shows this for interface tun1 at home WRT54GL:

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.50.6   P-t-P:192.168.50.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:1564 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1407 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:665644 (650.0 KiB)  TX bytes:94617 (92.3 KiB)


Can anyone see if something is wrong (and I'm not seeing it), and that's why I cannot browse office computers but I can connect???

Or do I have to set up the VPN tunnel in another way to make browsing work correctly?

Well, I hope someone could give me a hand, and sorry if this email turned out too long, but I wanted to show everything I've done to get better help from you.

Regards.

                        Santiago

PS: If someone was thinking about how to make an OpenVPN tunnel with Linksys WRT54G/GS/GL routers, well, this email contains a solution implemented with some success in routing mode, a different mode than the one the DD-WRT Wiki proposes as the solution; feel free to use it.
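Added example (not part of Santiago's post or of the DD-WRT/OpenVPN projects): a small consistency checker for a routed site-to-site setup like the one above. It parses the office server config, the client-config-dir (ccd) file and the server's `route` output, and reports the usual mistakes in this kind of layout: a tunnel subnet that overlaps one of the LANs (what happens if the tunnel is put on the 192.168.0.x range), a `route` for a client LAN without the matching `iroute`, an `iroute` without its `route`, a missing `client-config-dir`, and a LAN route that never made it into the kernel table. The sample inputs are constructed from the values in the post; the ccd file name `client1` is the one the post uses.

```python
import ipaddress
import shlex

# Constructed sample input, taken from the configuration and `route` output the
# post shows for the office WRT54GL (the routing table is abridged).
SERVER_CONFIG = """\
dev tun0
client-to-client
client-config-dir /tmp/vpnclients
server 192.168.50.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
route 192.168.1.0 255.255.255.0
keepalive 15 60
"""

# ccd files keyed by the client certificate's common name.
CCD_FILES = {"client1": "iroute 192.168.1.0 255.255.255.0\n"}

ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.50.2    *               255.255.255.255 UH    0      0        0 tun0
192.168.50.0    192.168.50.2    255.255.255.0   UG    0      0        0 tun0
192.168.1.0     192.168.50.2    255.255.255.0   UG    0      0        0 tun0
192.168.0.0     *               255.255.255.0   U     0      0        0 br0
default         GW-165.fibertel 0.0.0.0         UG    0      0        0 vlan1
"""


def parse_config(text):
    """Split an OpenVPN config into (directive, args) pairs; quoted push payloads stay whole."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            entries.append((parts[0], parts[1:]))
    return entries


def to_network(addr, mask):
    """Build a network object from OpenVPN's 'address netmask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_route_table(text):
    """Map each destination network in `route` output to its outgoing interface."""
    routes = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 8 or cols[0] in ("Kernel", "Destination"):
            continue
        dest = "0.0.0.0" if cols[0] == "default" else cols[0]
        routes[to_network(dest, cols[2])] = cols[7]
    return routes


def check_site_to_site(server_cfg, ccd_files, route_output):
    """Return a list of findings; an empty list means the routed setup is consistent."""
    cfg = parse_config(server_cfg)
    routes = parse_route_table(route_output)
    findings = []

    tun_if = next((args[0] for d, args in cfg if d == "dev"), None)
    vpn_net = next((to_network(*args[:2]) for d, args in cfg if d == "server"), None)
    pushed_lans = [to_network(*shlex.split(args[0])[1:3])
                   for d, args in cfg if d == "push" and args[0].startswith("route ")]
    client_lans = [to_network(*args[:2]) for d, args in cfg if d == "route"]
    has_ccd = any(d == "client-config-dir" for d, _ in cfg)

    iroutes = {}
    for name, body in ccd_files.items():
        for d, args in parse_config(body):
            if d == "iroute":
                iroutes[to_network(*args[:2])] = name

    # The tunnel subnet must be distinct from every LAN on either side.
    for lan in pushed_lans + client_lans:
        if vpn_net is not None and vpn_net.overlaps(lan):
            findings.append(f"tunnel subnet {vpn_net} overlaps LAN {lan}")
    # A kernel `route` for a client LAN only works together with an `iroute`
    # (served from client-config-dir) telling OpenVPN which client owns it.
    if client_lans and not has_ccd:
        findings.append("route directives present but no client-config-dir")
    for lan in client_lans:
        if lan not in iroutes:
            findings.append(f"route {lan} has no matching iroute in any ccd file")
        if routes.get(lan) != tun_if:
            findings.append(f"kernel has no route to {lan} via {tun_if}")
    for lan, name in iroutes.items():
        if lan not in client_lans:
            findings.append(f"iroute {lan} in ccd file {name} has no matching route")
    if not pushed_lans:
        findings.append("server pushes no route for its own LAN to clients")
    return findings


if __name__ == "__main__":
    for finding in check_site_to_site(SERVER_CONFIG, CCD_FILES, ROUTE_OUTPUT) or ["OK"]:
        print(finding)
```

Run against the posted configuration it reports nothing, which matches the author's observation that IP connectivity (mapping \\SERVER\Temp) works. The checker only covers layer-3 reachability on purpose: a `dev tun` tunnel carries unicast IP and does not forward broadcasts, so anything that depends on subnet broadcasts stays on its own side of the tunnel even when every route is correct.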
