AR300M as OpenVPN Client - can ping router, can't ping devices

Hi,

I have an issue which smells like firewall, but so far even disabling the firewall did not help.

I run Synology NAS with OpenVPN server on my home network.
OpenVPN server IP: 10.0.0.1

My laptop is connected via OpenVPN to this server and always receives 10.0.0.20

I run multiple AR300Ms as VPN clients, each set up like this:
AR300M #10
Local IP 192.168.10.1
IP received from VPN Server: 10.0.0.10

AR300M #11
Local IP 192.168.11.1
IP received from VPN Server: 10.0.0.11

The VPN server is set up with push routes, iroutes and CCDs, to always give those specific IPs to specific AR300Ms. When I run “route” via SSH on the Synology, it knows the 192.168.11.X and 192.168.10.X ranges are reachable via 10.0.0.2 (.2 because it is something to do with how IPs work in pairs on OpenVPN). When I run the route command on the AR300M, it pushes everything back to 10.0.0.1 via tun0.

Connection from my laptop should go as follows:
ping 192.168.10.10
10.0.0.20 → 10.0.0.1 → 10.0.0.10 → 192.168.10.1 → 192.168.10.10
I can ping all the way up to 192.168.10.1, which is the AR300M local IP, but can’t reach any devices after it. Same deal if I ping from the OpenVPN server directly.
When pinging from AR300M, I can ping successfully both ways - down to local devices at 192.168.10.10, or up via server to 10.0.0.1 and 10.0.0.20.
AR300M #10 can ping AR300M #11, but again, no devices past the router #11.
192.168.10.1 → 192.168.10.10 OK
192.168.10.1 → 10.0.0.1 → 10.0.0.11 → 192.168.11.1 OK
192.168.10.1 → 10.0.0.1 → 10.0.0.11 → 192.168.11.1 → 192.168.11.10 FAIL

While testing, I have set AR300M’s firewall to accept everything between zones.
(screenshot: Firewall Zones)

I will admit that the Firewall Traffic rules screen turned into a mess after the ~30th try to fix this.
I have a rule to accept everything from OVPN to LAN with any protocol.
There were rules to accept OVPN to this device, from OVPN to any zone, the firewall was even completely stopped via SSH. And yet, I can’t ping from the VPN server to the router’s local LAN.

How can I make it easier for anyone who would like to help? Do I add entire /etc/config/firewall here?

Also, I have already tried full restore and going from blank, unfortunately without much luck. I am more than open to try again though - restore the entire thing, load VPN config, leave all rules default and report back.

Routers are running 3.201 and 3.203 firmware, with no apparent change of behaviour between the two. I have had this entire setup running before with no problems regarding connections a couple months ago, but can’t seem to fix it now.

Thanks!
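The server/CCD/firewall layout described above, written out as an added example (not the poster’s or GL.iNet’s own config): the CN-based CCD file names, `topology subnet` and the `laptop` CCD are assumptions; the addresses and subnets are the ones in the post.

```conf
# --- server.conf on the Synology (10.0.0.1) ----------------------------
server 10.0.0.0 255.255.255.0
topology subnet                    # assumed; route-gateway becomes 10.0.0.2,
                                   # the "via 10.0.0.2" seen in `route` on the NAS
client-config-dir /etc/openvpn/ccd # one file per client, named after its cert CN
client-to-client                   # lets AR300M #10 reach AR300M #11 via the server
# Kernel routes on the server itself, so the NAS can reach each LAN
route 192.168.10.0 255.255.255.0
route 192.168.11.0 255.255.255.0
# Every client (laptop included) learns both LANs through the tunnel
push "route 192.168.10.0 255.255.255.0"
push "route 192.168.11.0 255.255.255.0"

# --- /etc/openvpn/ccd/ar300m-10 (CN assumed) --------------------------
ifconfig-push 10.0.0.10 255.255.255.0
iroute 192.168.10.0 255.255.255.0   # OpenVPN-internal: this client owns 192.168.10.0/24

# --- /etc/openvpn/ccd/ar300m-11 (CN assumed) --------------------------
ifconfig-push 10.0.0.11 255.255.255.0
iroute 192.168.11.0 255.255.255.0

# --- /etc/openvpn/ccd/laptop (CN assumed) -----------------------------
ifconfig-push 10.0.0.20 255.255.255.0

# --- /etc/config/firewall on AR300M #10 (relevant stanzas only) -------
config zone
	option name 'ovpn'
	option input 'ACCEPT'          # a ping to 192.168.10.1 itself lands in INPUT
	option output 'ACCEPT'
	option forward 'REJECT'
	list device 'tun0'

config forwarding                  # 10.0.0.0/24 -> 192.168.10.0/24
	option src 'ovpn'
	option dest 'lan'

config forwarding                  # replies from 192.168.10.10 back into tun0
	option src 'lan'
	option dest 'ovpn'
```

A check on the router that is independent of the firewall: `ip route get 10.0.0.20 from 192.168.10.10 iif br-lan` (br-lan being the default OpenWrt LAN bridge) should name tun0; if it names the WAN interface, policy routing rather than the firewall is steering the LAN devices’ replies away from the tunnel, which matches the router itself pinging fine while forwarded LAN traffic fails.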

Issue resolved. I resorted to completely resetting the firewall to factory settings and only added an ACCEPT rule for ovpn->lan and lan->ovpn for any protocol.
It looks like the VPN policy had fingers in this.
The entire issue disappeared after:
1. Enabling the VPN policy, setting it to NOT use VPN based on a list, and leaving the list empty. Something tells me this should force all clients to VPN, but nope.
2. Disabling the VPN policy. Suddenly, pings all around.