Re: Connecting DD-WRT OpenVPN to Netgear R7000 standard VPN

ithorne
Star

Connecting DD-WRT OpenVPN to Netgear R7000 standard VPN

I want to create a link between a “Remote” location (in France) and a “Home” location (in the UK) over two regular domestic ISP connections so I can access network facilities at the “home” location. I am hoping that a DD-WRT router set up as an OpenVPN client will connect to the Netgear R7000 OpenVPN server at the home location.

Kit/basic description

1. “Remote” PCs/devices/laptop - Windows PCs
Wired and/or wireless connection to:

2. “DD-WRT Router” provides “Remote Devices” with IP addresses via DHCP from a TP-LINK N600 wireless router
Wired connection to:

3. “Remote ISP ADSL Router” (French ISP – Orange Livebox)

Which connects to the internet in France.

4. “Home” ISP cable modem (UK ISP Virgin Media Super hub 3 in “Modem Mode” i.e. not a router)
Wired connection to:

5. “Home Router” – Netgear R7000 running STANDARD Netgear firmware (latest version 2 weeks ago)


I want to setup a connection from my “Remote PCs and devices” to my “Home network”.

I am trying to use the inbuilt OpenVPN SERVER in my home Netgear router. I want TAP so that all traffic from my Remote Devices is routed via my Home Network.

Remote PCs and devices
• DHCP assigned IP address
• 192.168.39.x
• 255.255.255.0

Remote DD-WRT router
• DHCP Server scope starts at 192.168.39.100 mask 255.255.255.0
• DD-WRT OpenVPN CLIENT configured to connect to Home Netgear OpenVPN server.
• The checked options are “NAT” Enabled
• The only additional config line is: route-gateway 192.168.10.1

NB: Other than route-gateway there is no non-standard stuff added to routing tables/firewalls etc. (if OpenVPN, Windows 10 or DHCP doesn’t provide it, it won’t be set/changed).

Remote ISP Router
• DHCP Server scope 192.168.10.2 and upwards mask 255.255.255.0
• ADSL

Home ISP modem

“dumb” Cable Modem – no non-standard settings.

Home Router
• DHCP assigned IP address
• 192.168.0.x
• 255.255.255.0


Client1.ovpn file generated by Netgear router:

client
dev tap
proto udp
dev-node NETGEAR-VPN
remote PUBLICNAMEHIDDEN.ddns.net 12974
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
cipher AES-128-CBC
comp-lzo
verb 5


I have matched the client1.ovpn settings in the Remote DD-WRT client config to the above.


The dd-wrt VPN status page looks like this:


20170801 21:37:08 I OpenVPN 2.3.0 mips-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 25 2013
20170801 21:37:08 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20170801 21:37:08 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20170801 21:37:08 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
20170801 21:37:08 Socket Buffers: R=[163840->131072] S=[163840->131072]
20170801 21:37:08 I UDPv4 link local: [undef]
20170801 21:37:08 I UDPv4 link remote: [AF_INET]PUBLICIPHIDDEN:12974
20170801 21:37:08 TLS: Initial packet from [AF_INET]PUBLICIPHIDDEN:12974 sid=4bcdb8bb 396a2484
20170801 21:37:09 VERIFY OK: depth=1 C=TW ST=TW L=Taipei O=netgear OU=netgear CN=netgear emailAddress=mail@netgear.com
20170801 21:37:09 VERIFY OK: nsCertType=SERVER
20170801 21:37:09 NOTE: --mute triggered...
20170801 21:37:16 6 variation(s) on previous 3 message(s) suppressed by --mute
20170801 21:37:16 I [netgear] Peer Connection Initiated with [AF_INET]PUBLICIPHIDDEN:12974
20170801 21:37:18 SENT CONTROL [netgear]: 'PUSH_REQUEST' (status=1)
20170801 21:37:18 PUSH: Received control message: 'PUSH_REPLY route 192.168.0.0 255.255.255.0 route-delay 5 redirect-gateway def1 route-gateway dhcp ping 10 ping-restart 120'
20170801 21:37:18 OPTIONS IMPORT: timers and/or timeouts modified
20170801 21:37:18 NOTE: --mute triggered...
20170801 21:37:18 2 variation(s) on previous 3 message(s) suppressed by --mute
20170801 21:37:18 ROUTE_GATEWAY 192.168.10.1/255.255.255.0 IFACE=vlan2 HWADDR=f8:1a:67:5a:ce:41
20170801 21:37:18 I TUN/TAP device tap1 opened
20170801 21:37:18 TUN/TAP TX queue length set to 100
20170801 21:37:23 /sbin/route add -net PUBLICIPHIDDEN netmask 255.255.255.255 gw 192.168.10.1
20170801 21:37:23 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 192.168.10.1
20170801 21:37:23 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 192.168.10.1
20170801 21:37:23 /sbin/route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.10.1

20170801 21:37:23 I Initialization Sequence Completed

20170801 21:37:56 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170801 21:37:56 D MANAGEMENT: CMD 'state'
20170801 21:37:56 MANAGEMENT: Client disconnected
20170801 21:37:56 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170801 21:37:56 D MANAGEMENT: CMD 'state'
20170801 21:37:56 MANAGEMENT: Client disconnected
20170801 21:37:56 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170801 21:37:56 D MANAGEMENT: CMD 'state'
20170801 21:37:56 MANAGEMENT: Client disconnected
20170801 21:37:56 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170801 21:37:56 D MANAGEMENT: CMD 'log 500'
19700101 00:00:00

So it looks like the connection was successful. The Route to 192.168.0.x was pushed from my home netgear and is in the routing table in the DD-WRT router:

Routing Table Entry List (from Remote DD-WRT)

Destination LAN NET Subnet Mask Gateway Flags Metric Interface
0.0.0.0 128.0.0.0 192.168.10.1 UG 0 WAN
0.0.0.0 0.0.0.0 192.168.10.1 UG 0 WAN
PUBLICIPHIDDEN 255.255.255.255 192.168.10.1 UGH 0 WAN
128.0.0.0 128.0.0.0 192.168.10.1 UG 0 WAN
169.254.0.0 255.255.0.0 0.0.0.0 U 0 LAN & WLAN
192.168.0.0 255.255.255.0 192.168.10.1 UG 0 WAN
192.168.10.0 255.255.255.0 0.0.0.0 U 0 WAN
192.168.39.0 255.255.255.0 0.0.0.0 U 0 LAN & WLAN



BUT I can’t see any devices on my home network. Pings to 192.168.0.x from my remote PCs all fail.

I’ve tried every suggestion I can find on the web, including lots of suggestions about the REMOTE DD-WRT client settings that I need to set up firewall rules, and add a config statement redirect-gateway def1 bypass-dhcp.


Over the course of my attempts I have tried all of the following (on the client /REMOTE end):

iptables -I INPUT 1 -p udp --dport 12973 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 12974 -j ACCEPT
iptables -A INPUT -i tap1 -j ACCEPT

iptables -I FORWARD -i br0 -o tap1 -j ACCEPT
iptables -I FORWARD -i tap1 -o br0 -j ACCEPT
iptables -I INPUT -i tap1 -j REJECT
iptables -t nat -A POSTROUTING -o tap1 -j MASQUERADE

With or without these statements behaviour is identical - except some make things fail altogether.

My knowledge in this area is limited. I only just understand most of what I have written but NOTHING at all about the firewall iptables.

The bottom line (finally): can anyone tell me what I am doing wrong or what I need to do to fix this?


Two final points which may or may not help:

An attempt to tracert from a laptop connected to the remote dd-wrt router (192.168.39.0/24) to my home network (192.168.0.0/24) gets as far as my Remote ISP’s first hop (i.e. through my French ISP router (192.168.10.0/24) to the first hop at 80.x.y.z), where tracert reports unreachable.

If I run the OpenVPN windows client software set up as Netgear suggest (it uses the client1.ovpn settings I gave above) I can connect my windows 10 laptop to my home network and everything works fine. This tells me there’s nothing between here and there that prevents it working. It must be a settings problem somewhere…

Thanks in advance to anyone who can help...

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 1 of 9
antinode
Guru

Re: Connecting DD-WRT OpenVPN to Netgear R7000 standard VPN

> [...] OpenVPN [...]

   I've never set up any VPN, so I know nothing, but a network's a
network, isn't it?

> [...] I want TAP so that all traffic from my Remote Devices is routed
> via my Home Network.

   As I read the docs, TAP is used for bridging, and if the two networks
are bridged, wouldn't you want the same subnetwork on both parts?  (That
is, all 192.168.0.x or all 192.168.39.x?)

      https://community.openvpn.net/openvpn/wiki/BridgingAndRouting

   Knowing what I do (that is, nothing), I'd expect that TUN would be a
better choice for you.  (You're not using any non-IP network protocols,
right?  No DECnet, no LAT, no MOP, ...?)

   With 192.168.39.x on one side, and 192.168.0.x on the other, bridging
makes no sense (to me), but routing (tunneling) does make some, and to
get traffic between those two subnets, each side needs to have a route
to the other.

> An attempt to tracert from a laptop connected to the remote dd-wrt
> router (192.168.39.0/24 to my home network 192.168.0.0/24 gets as far as
> my Remote ISP's first hop [...]

   To me (knowing nothing), that sounds like the big problem.  I'd
expect the laptop to be talking to some VPN (pseudo-)device (which I
claim should be a TUN), not to the local ISP.  (In reality, the VPN
software will send the data to the local ISP, but that should be
invisible to you.)

> [...] (i.e. through my French ISP router (192.168.10.0/24) to the
> first hop at 80.x.y.z where tracert reports unreachable.

   Which makes sense, because a 192.168.39.x (or 192.168.0.x) address is
private, so no one in the real world will route traffic to it.

   How you arrange this stuff is beyond me (because, what do I know?),
but devices in the 192.168.39.x subnet need to know of a gateway to the
192.168.0.x subnet, and the other way around.  I'd guess that you can
add such a (static) route to the router on each end (if the VPN software
doesn't do it automatically), but I'd expect that the gateway on each
side would be the TUN interface on the local VPN.  (And the VPN software
will know enough to send such inter-subnet traffic through its tunnel,
and it'll come out through the TUN interface on the other end of the
tunnel, where it should be able to find the real LAN on that side.)

> My knowledge in this area is limited. [...]

   Not as limited as mine, perhaps.  Perhaps someone who actually knows
something can contribute more.

Message 2 of 9
ithorne
Star

Re: Connecting DD-WRT OpenVPN to Netgear R7000 standard VPN

Ah, but you understand networks and bridging, I don't, and thank you, you got me working - err, almost.

When I turned off the DHCP server on my Remote DD-WRT router I got an IP address from my home DHCP server and yes, I could browse my home network! Yippee...

But can you help with the next problem?

I can't browse from a device connected at the remote end through the tunnel to the Home end. I can ping devices on my Home network but nothing off the network, i.e.

ping 192.168.0.2 works

ping 8.8.8.8 fails

A DOSBox on my "Remote" laptop (New Windows 10 Creator Powershell!) gives me

PS C:\WINDOWS\system32> ipconfig /all

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::2197:6f71:cfe3:c4a4%5(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.15(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 04 August 2017 19:00:49
   Lease Expires . . . . . . . . . . : 05 August 2017 19:56:07
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 192.168.0.2
   DHCPv6 IAID . . . . . . . . . . . : 53239820
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-44-E2-D9-2C-60-0C-47-10-
   DNS Servers . . . . . . . . . . . : 192.168.0.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

But no names resolve (DNS) and ping does not work either.

I suspect the problem is the lack of a default gateway, but more of your useful ideas would be greatly appreciated!

Many thanks again.

Message 3 of 9
ithorne
Star

Re: Connecting DD-WRT OpenVPN to Netgear R7000 standard VPN

Done a bit of testing - it's the lack of a gateway address - if I set my laptop to have a fixed IP address with the gateway set to 192.168.0.2 I can use the internet through the tunnel!

So, can anyone tell me how to get my Netgear R7000 to send its gateway address over my VPN? DHCP to devices on the Home end get this OK.

Message 4 of 9
antinode
Guru

Re: Connecting DD-WRT OpenVPN to Netgear R7000 standard VPN

   I'm still VPN-ignorant, but ...

> Done a bit of testing - it's the lack of a gateway address - if I set my
> laptop to have a fixed IP address with the gateway set to 192.168.0.2 I
> can use the internet through the tunnel!

   Ok.  Now, who/what is at 192.168.0.2?

> So, can anyone tell me how to get the my netgear R7000 to send its
> gateway address over my VPN? DHCP to devices on the Home end get this
> OK.

   I doubt that the R7000 is flexible enough to offer anything other
than itself (which, I assume, is 192.168.0.1?) as the DHCP default
gateway, DNS server, and so on.  But your DHCP server is 192.168.0.2:

>    DHCP Server . . . . . . . . . . . : 192.168.0.2

   If that's some VPN-related thing, then you may be able to find a way
to specify the stuff which _its_ DHCP server dispenses.


   If mysteries remain, then it might pay to make a list of who has
which address, for all the interfaces which are involved here.  I'm
easily confused, and this is getting complicated.

Message 5 of 9
ithorne
Star

Re: Connecting DD-WRT OpenVPN to Netgear R7000 standard VPN

The "Remote end" (where my laptop is currently connected) is 192.168.0.1. It's the end running the DD-WRT Client.

The "Home end" is 192.168.0.2, the Netgear R7000 router running the OpenVPN server.

(For historical reasons related to a previous ISP my "home router" has been 192.168.0.2 for many years. I never changed it, so when I needed to set up my place in France I just made that 192.168.0.1. The .1 address isn't used by any device on my "home" network.)

I can actually ping every device connected on my home network - if I have a fixed IP on my laptop with a fixed gateway I can ping the WAN via Home and can browse the internet normally.

All this would suggest I need to allow the R7000 to send its gateway across the bridge. Do you have any ideas?

There is an OpenVPN "command"

route-gateway 192.168.0.2

which I hoped would do this - but it doesn't work....

Message 6 of 9
ithorne
Star

Re: Connecting DD-WRT OpenVPN to Netgear R7000 standard VPN

Can anyone help me with this?

What setting do I need in dd-wrt to make the Netgear OpenVPN server pass the DHCP gateway address properly?

Message 7 of 9
ithorne
Star

Re: Connecting DD-WRT OpenVPN to Netgear R7000 standard VPN

This is getting tedious.

I know it is capable of working because if I add a fixed IP address to a client (my laptop) then everything works - but I have a couple of devices at the remote end which will not let me provide fixed IP addresses - I need to use reservations on the DHCP server at the home end.

The problem is definitely that the gateway address provided by the DHCP server at the home end does not survive the trip across the bridge.

Key details:

Remote end
TP-LINK N600 running firmware: DD-WRT v24-sp2 (03/25/13) std (latest "stable") behind an ISP router.
DD-WRT - set to create a tunnel to my home end (TAP) - successfully gets IP and DNS assigned from the home DHCP server
(NO GATEWAY - field is blank). IP address scope 192.168.0.0/24

ISP router network 192.168.10.0/24

Home End
Netgear R7000 running stock Netgear firmware with its own implementation of OpenVPN (Firmware Version V1.0.9.6_1.2.19, up to date)

ISP router dumb cable modem IP address of WAN from Netgear is 80.x.y.z


The Status log on the remote (client) end of the tunnel says:

20170807 20:01:29 PUSH: Received control message: 'PUSH_REPLY route 192.168.0.0 255.255.255.0 route-delay 5 redirect-gateway def1 route-gateway dhcp ping 10 ping-restart 120'
20170807 20:01:29 OPTIONS IMPORT: timers and/or timeouts modified
20170807 20:01:29 NOTE: --mute triggered...
20170807 20:01:29 2 variation(s) on previous 3 message(s) suppressed by --mute
20170807 20:01:29 ROUTE_GATEWAY 192.168.10.1/255.255.255.0 IFACE=vlan2 HWADDR=f8:1a:67:5a:ce:41
20170807 20:01:29 I TUN/TAP device tap1 opened
20170807 20:01:29 TUN/TAP TX queue length set to 100

Which suggests that the route is set:
route 192.168.0.0 255.255.255.0

the gateway is redirected: (NB: I've tried this with and without the def1 parameter.)
redirect-gateway def1

the DHCP is redirected
route-gateway dhcp

TAP is established

Not sure what the timeout fails are but for now I have ignored them.

Whatever I do the gateway is just not showing in the ipconfig.

IP details: (* is from FIXED config)

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 2C-60-0C-47-10-5E
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::2197:6f71:cfe3:c4a4%5(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.15(Preferred)   *
   Subnet Mask . . . . . . . . . . . : 255.255.255.0   *
   Default Gateway . . . . . . . . . : 192.168.0.2   *
   DHCPv6 IAID . . . . . . . . . . . : 53239820
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-44-E2-D9-2C-60-0C-47-10-5E
   DNS Servers . . . . . . . . . . . : 8.8.8.8   *
                                       8.8.4.4   *
   NetBIOS over Tcpip. . . . . . . . : Enabled

Everything works


DHCP supplied (over bridge from home server)

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 2C-60-0C-47-10-5E
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::2197:6f71:cfe3:c4a4%5(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.15(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 07 August 2017 20:32:46
   Lease Expires . . . . . . . . . . : 08 August 2017 20:32:45
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 192.168.0.2
   DHCPv6 IAID . . . . . . . . . . . : 53239820
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-44-E2-D9-2C-60-0C-47-10-5E
   DNS Servers . . . . . . . . . . . : 192.168.0.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

NB: Default Gateway field is blank.  I can browse remote network, ping, http,even print but i can't get off the network at the home end.
e.g.
PS C:\WINDOWS\system32> ping 192.168.0.2

Pinging 192.168.0.2 with 32 bytes of data
Reply from 192.168.0.2: bytes=32 time=49ms TTL=64
Reply from 192.168.0.2: bytes=32 time=48ms TTL=64
Reply from 192.168.0.2: bytes=32 time=48ms TTL=64
Reply from 192.168.0.2: bytes=32 time=48ms TTL=64

Ping statistics for 192.168.0.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 48ms, Maximum = 49ms, Average = 48ms


PS C:\WINDOWS\system32> ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data
Reply from 192.168.10.3: Destination host unreachable.
Reply from 192.168.10.3: Destination host unreachable.
Reply from 192.168.10.3: Destination host unreachable.
Reply from 192.168.10.3: Destination host unreachable.

Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
PS C:\WINDOWS\system32>


(Not sure where 192.168.10.3 comes in - it is on the remote end ISP's network (192.168.10.0/24), which my dd-wrt router connects to.)

When a fixed IP address is supplied with a valid gateway - everything works as expected....

I saw this on the DD-WRT web interface:

OpenVPN Client Policy based Routing:
Add IPs/NETs in the form 0.0.0.0/0 to force clients to use the tunnel as default gateway. One line per IP/NET.
IP Address/Netmask:
Must be set when using DHCP-Proxy mode and local TAP is NOT bridged


So as suggested somewhere I added these routes to the remote/dd-wrt/client end of the BRIDGE:

route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway

no difference.

Incidentally, the routes which show up in the OpenVPN status log (web gui) are these:


20170807 20:01:35 /sbin/route add -net 86.12.63.20 netmask 255.255.255.255 gw 192.168.10.1
20170807 20:01:35 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 192.168.0.1
20170807 20:01:35 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 192.168.0.1
20170807 20:01:35 /sbin/route add -net 0.0.0.0 netmask 192.0.0.0 gw 192.168.10.1
20170807 20:01:35 /sbin/route add -net 64.0.0.0 netmask 192.0.0.0 gw 192.168.10.1
20170807 20:01:35 /sbin/route add -net 128.0.0.0 netmask 192.0.0.0 gw 192.168.10.1
20170807 20:01:35 /sbin/route add -net 192.0.0.0 netmask 192.0.0.0 gw 192.168.10.1
20170807 20:01:35 /sbin/route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.0.1
20170807 20:01:35 I Initialization Sequence Completed

But I notice all the gw addresses are the remote gateway (192.168.0.1) not the "home" gateway (192.168.0.2) as (in my ignorance) I would expect - any suggestions?

Please?

Ian

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 8 of 9
ithorne
Star

Re: Connecting DD-WRT OpenVPN to Netgear R7000 standard VPN

I've been away on vacation and have continued to work on this since I got back.   This isn't a netgear problem, sadly OpenVPN is working as defined.  Thanks to @JamesGL for the support calls.  This is posted in part to update him.

It seems that in a TAP configuration OpenVPN does remove the gateway; https://forums.openvpn.net/viewtopic.php?t=13494, although a little argumentative, explains it. The "fix", if there is one, is to add

--server-bridge nogw

to the server config. This inhibits a

push "route-gateway dhcp"

However in this case I can't do that as the Netgear OpenVPN implementation is completely locked down and there is no access to the server config.

So the questions are: Can I inhibit "push" or is there a way to re-instate the gateway from CLIENT end? If so, which Gateway should I use – the client/remote end or the server end?


I have found a workaround: I've defined two non-overlapping IP ranges and a second DHCP server on the client end. By letting my devices at the client end get IP addresses from the remote (client end) DHCP scope they get a gateway, then enabling the VPN I get the connectivity over the VPN as I want.

BUT (there’s always a but) if I enable the VPN first, my remote (client end) devices don’t get their IP addresses from the remote DHCP server – they get them from the OpenVPN server end – minus a gateway!

And just to add to the list, once I re-enable the VPN I lose the ability to access the router via the web GUI… Not sure what that’s about but my guess is it tells us something. The router seems to work properly otherwise – data flows at normal speeds, IP addresses get assigned – all across over the VPN.

I know this isn't a Netgear problem (unless you count the fact it sends a push "route-gateway dhcp" which causes all this) but does anyone here have any ideas?

Message 9 of 9
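An added example, not code from the thread, DD-WRT or Netgear: a small Python script that rebuilds the router's routing table from the /sbin/route lines quoted in message 8, reads the PUSH_REPLY, and does a longest-prefix lookup. It shows why the four /2 net_gateway routes send Internet-bound traffic out via the local ISP gateway rather than where redirect-gateway def1 points (a /2 is more specific than def1's two /1 routes), and it flags the tap + "route-gateway dhcp" combination that message 9 identifies as the reason the gateway goes missing. The sample log is constructed from the quoted lines with the server's public IP replaced by the documentation placeholder 203.0.113.20; 192.168.10.1 is assumed as the pre-VPN default gateway, as in the ROUTE_GATEWAY line.

```python
import ipaddress
import re

# Constructed sample: the PUSH_REPLY and /sbin/route lines quoted in
# message 8, with the server's public IP replaced by a placeholder.
SAMPLE_LOG = """\
20170807 20:01:29 PUSH: Received control message: 'PUSH_REPLY route 192.168.0.0 255.255.255.0 route-delay 5 redirect-gateway def1 route-gateway dhcp ping 10 ping-restart 120'
20170807 20:01:29 I TUN/TAP device tap1 opened
20170807 20:01:35 /sbin/route add -net 203.0.113.20 netmask 255.255.255.255 gw 192.168.10.1
20170807 20:01:35 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 192.168.0.1
20170807 20:01:35 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 192.168.0.1
20170807 20:01:35 /sbin/route add -net 0.0.0.0 netmask 192.0.0.0 gw 192.168.10.1
20170807 20:01:35 /sbin/route add -net 64.0.0.0 netmask 192.0.0.0 gw 192.168.10.1
20170807 20:01:35 /sbin/route add -net 128.0.0.0 netmask 192.0.0.0 gw 192.168.10.1
20170807 20:01:35 /sbin/route add -net 192.0.0.0 netmask 192.0.0.0 gw 192.168.10.1
20170807 20:01:35 /sbin/route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.0.1
"""

ROUTE_RE = re.compile(r"/sbin/route add -net (\S+) netmask (\S+) gw (\S+)")
PUSH_RE = re.compile(r"'PUSH_REPLY (.*?)'")
DEV_RE = re.compile(r"TUN/TAP device (\w+) opened")


def parse_routes(log):
    """Rebuild the kernel routes the client log says were installed."""
    routes = []
    for m in ROUTE_RE.finditer(log):
        # ip_network accepts a dotted netmask, e.g. 0.0.0.0/128.0.0.0 -> /1
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        routes.append((net, m.group(3)))
    return routes


def pushed_options(log):
    """Tokens of the PUSH_REPLY, e.g. ['route', '192.168.0.0', ...]."""
    m = PUSH_RE.search(log)
    return m.group(1).split() if m else []


def lookup(routes, dst, pre_vpn_default):
    """Longest-prefix match; the pre-VPN default gateway is the fallback."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else pre_vpn_default


def gateway_findings(log, pre_vpn_default="192.168.10.1"):
    """Explain, from the log alone, why a TAP client can be left without a
    usable default gateway and where Internet-bound traffic really exits."""
    opts = " ".join(pushed_options(log))
    dev = DEV_RE.search(log)
    findings = []
    if dev and dev.group(1).startswith("tap") and "route-gateway dhcp" in opts:
        findings.append("tap + route-gateway dhcp: the default gateway must "
                        "arrive via DHCP over the bridge (server-side "
                        "'server-bridge nogw' inhibits this push)")
    routes = parse_routes(log)
    exit_gw = lookup(routes, "8.8.8.8", pre_vpn_default)      # Internet host
    lan_gw = lookup(routes, "192.168.0.2", pre_vpn_default)   # home LAN host
    if exit_gw != lan_gw:
        findings.append(f"Internet traffic exits via {exit_gw}, not via "
                        f"{lan_gw} where the def1 and 192.168.0.0/24 routes "
                        "point: the /2 net_gateway routes beat the /1 routes")
    return findings
```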