openVPN and GoodCloud on GL-AR750S

eschmann · August 21, 2019, 5:32pm

I’m using GoodCloud to connect two networks with GL-AR750S routers (router 1 and route 2). This works fine.
Additionally I want to connect one external PC via openVPN. Therefore I have setup an openVPN server on router 1. I can connect the PC via openVPN to the network of router 1, but I can’t communicate from the PC with devices connected on router 2.
Please can you advice me how to configure the routers? Thanks a lot.

luochongjun · August 22, 2019, 4:31am

How does route1 connect to route2?
What is their topological relationship?

eschmann · August 22, 2019, 6:55am

Router 1 and Router 2 are connected via GoodCloud. Router1 can be accessed from internet, while Router2 can’t be accessed from internet directly.

dzwghx · August 22, 2019, 7:51am

Can you draw your network topology map?

eschmann · August 22, 2019, 8:31am

It looks like this. Objective is, that PC can directly communicate with devices connected to Router2.

dzwghx · August 22, 2019, 10:33am

You can open the “Access Local Network” and try it out.

eschmann · August 22, 2019, 12:27pm

This is already activated. With this I can access the local network of Router 1, but not Router 2.

dzwghx · August 23, 2019, 6:08am

You need to ssh to the router1, modify the file “/etc/init.d/vpn-service”, add a line “iptables -I FORWARD -i tun-SERVER -j ACCEPT” , as follows:

Then restart the openvpn server, the PC openvpn client reconnects. You can try.

luochongjun · August 23, 2019, 11:28am

You need to do a port forwarding on router1’s VPN server to access the devices below router2.
Assuming that your VPN server address is 10.0.0.1 and the device address under router2 is 192.168.8.153, you may need to add the following rules

iptables -t nat -I PREROUTING -s 10.0.0.0/24 -p tcp --dport 655  -j DNAT --to 192.168.8.153

Your PC can access router2 devices through 10.0.0.1:655
It’s just my idea, not proven

eschmann · August 23, 2019, 8:29pm

This doesn’t help on it’s own. One additional point is needed:.

It seems that all forward traffic is accepted already in iptables: I had to add access to the VPN subnet in the site-2-site configuration of the Router1. Then all other site-2-site peers will automatically adapt their routing tables accordingly.

Some background infos: In fact, it’s not a firewalling issue but rather a routing issue. The root cause is, that the ip packets are routed from router1 to router2, but router2 didn’t have the correct routing information for the response. This is a pit fall of the site-2-site connection: You don’t have a strict tree hierarchy for routing, and therefore the default gateway will not help one to answer the requests sent from the PC (i.e. vpn client). This will be solved by the site-2-site configuration as explained above.

@luochongjun, @dzwghx: Thanks a lot for your support.