I have successfully set up a second Linksys E2500 router flashed with Shibby's Tomato on my network, and it is functioning just fine. Devices can successfully connect and access other systems on my network, as well as the internet.
I am now trying to set up a VPN connection between an iOS device and my home network using OpenVPN. I want the ability to access other systems on my home network, as well as route all internet traffic through my home internet connection.
I am using the OpenVPN client on my iPhone, and am able to successfully establish a VPN connection.
However, the only address I can successfully ping when connected is 10.8.0.1. I cannot ping any other systems on my network (such as 10.88.55.11), nor can I browse the internet — implying WAN traffic is not getting routed. So I suspect I am missing some routing rules.
Any ideas what is wrong with my configuration?
All configs and (cleansed) logs below.
Thanks in advance.
I have the following setup:
- DLink DIR-655 with stock firmware, connected to my cable modem
- Linksys E2500 v2 running Shibby's Tomato
- OpenVPN configured
- iPhone 5s with OpenVPN client
DLink DIR-655 config:
- IP: 10.88.55.1
- subnet mask: 255.255.255.0
- virtual server: 10.88.55.2, udp public port 443, udp private port 443, allow all
E2500 config:
- static IP of 10.88.55.2
- subnet mask: 255.255.255.0
- wired connection to the DLink DIR-655
- "router" mode
Routing rules:
Destination   Gateway / Next Hop   Subnet Mask       Metric   Interface
10.8.0.2      *                    255.255.255.255   0        tun21
10.88.55.0    *                    255.255.255.0     0        br0 (LAN)
10.8.0.0      10.8.0.2             255.255.255.0     0        tun21
127.0.0.0     *                    255.0.0.0         0        lo
default       10.88.55.1           0.0.0.0           0        br0 (LAN)
Mode: Router
OpenVPN Server Config:
Interface Type: TUN
Protocol: UDP
Port: 443
Firewall: Automatic
Authorization Mode: TLS
Extra HMAC authorization: Disabled
VPN subnet/netmask: 10.8.0.0 255.255.255.0
Poll Interval: 0
Push LAN to clients: checked
Direct clients to redirect Internet traffic: checked
Respond to DNS: checked
Advertise DNS to clients: no
Encryption cipher: Use default
Compression: Adaptive
TLS Renegotiation Time: -1
Manage Client-Specific Options: no
Allow User/Pass Auth: no
Custom Configuration: <none>
iOS Client ovpn file:
client
dev tun
proto udp
remote <WAN IP> 443
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 5
<ca>
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
…
-----END RSA PRIVATE KEY-----
</key>
E2500 Log (from OpenVPN startup):
Apr 10 19:36:14 unknown user.info kernel: tun: Universal TUN/TAP device driver, 1.6
Apr 10 19:36:14 unknown user.info kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Apr 10 19:36:14 unknown user.info kernel: device tun21 entered promiscuous mode
Apr 10 19:36:15 unknown daemon.notice openvpn[1052]: OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Jan 19 2014
Apr 10 19:36:15 unknown daemon.notice openvpn[1052]: Diffie-Hellman initialized with 1024 bit key
Apr 10 19:36:15 unknown daemon.notice openvpn[1052]: Socket Buffers: R=[112640->131072] S=[112640->131072]
Apr 10 19:36:15 unknown daemon.notice openvpn[1052]: TUN/TAP device tun21 opened
Apr 10 19:36:15 unknown daemon.notice openvpn[1052]: TUN/TAP TX queue length set to 100
Apr 10 19:36:15 unknown daemon.notice openvpn[1052]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Apr 10 19:36:15 unknown daemon.notice openvpn[1052]: /sbin/ifconfig tun21 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Apr 10 19:36:15 unknown daemon.notice openvpn[1052]: /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Apr 10 19:36:15 unknown daemon.notice openvpn[1062]: UDPv4 link local (bound): [undef]
Apr 10 19:36:15 unknown daemon.notice openvpn[1062]: UDPv4 link remote: [undef]
Apr 10 19:36:15 unknown daemon.notice openvpn[1062]: MULTI: multi_init called, r=256 v=256
Apr 10 19:36:15 unknown daemon.notice openvpn[1062]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Apr 10 19:36:15 unknown daemon.notice openvpn[1062]: Initialization Sequence Completed
Apr 10 19:36:19 unknown daemon.err openvpn[1062]: event_wait : Interrupted system call (code=4)
Apr 10 19:36:19 unknown daemon.notice openvpn[1062]: TITLE,OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Jan 19 2014
Apr 10 19:36:19 unknown daemon.notice openvpn[1062]: TIME,Thu Apr 10 19:36:19 2014,1397172979
Apr 10 19:36:19 unknown daemon.notice openvpn[1062]: HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username
Apr 10 19:36:19 unknown daemon.notice openvpn[1062]: HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
Apr 10 19:36:19 unknown daemon.notice openvpn[1062]: GLOBAL_STATS,Max bcast/mcast queue length,0
Apr 10 19:36:19 unknown daemon.notice openvpn[1062]: END
Apr 10 19:43:39 unknown daemon.err openvpn[1062]: event_wait : Interrupted system call (code=4)
Apr 10 19:43:39 unknown daemon.notice openvpn[1062]: TITLE,OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Jan 19 2014
Apr 10 19:43:39 unknown daemon.notice openvpn[1062]: TIME,Thu Apr 10 19:43:39 2014,1397173419
Apr 10 19:43:39 unknown daemon.notice openvpn[1062]: HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username
Apr 10 19:43:39 unknown daemon.notice openvpn[1062]: HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
Apr 10 19:43:39 unknown daemon.notice openvpn[1062]: GLOBAL_STATS,Max bcast/mcast queue length,0
Apr 10 19:43:39 unknown daemon.notice openvpn[1062]: END
Apr 10 20:00:01 unknown syslog.info root: - MARK -
Apr 10 20:19:44 unknown daemon.err openvpn[1062]: event_wait : Interrupted system call (code=4)
Apr 10 20:19:44 unknown daemon.notice openvpn[1062]: TITLE,OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Jan 19 2014
Apr 10 20:19:44 unknown daemon.notice openvpn[1062]: TIME,Thu Apr 10 20:19:44 2014,1397175584
Apr 10 20:19:44 unknown daemon.notice openvpn[1062]: HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username
Apr 10 20:19:44 unknown daemon.notice openvpn[1062]: HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
Apr 10 20:19:44 unknown daemon.notice openvpn[1062]: GLOBAL_STATS,Max bcast/mcast queue length,0
Apr 10 20:19:44 unknown daemon.notice openvpn[1062]: END
Apr 10 20:23:16 unknown daemon.err openvpn[1062]: event_wait : Interrupted system call (code=4)
Apr 10 20:23:16 unknown daemon.notice openvpn[1062]: TITLE,OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Jan 19 2014
Apr 10 20:23:16 unknown daemon.notice openvpn[1062]: TIME,Thu Apr 10 20:23:16 2014,1397175796
Apr 10 20:23:16 unknown daemon.notice openvpn[1062]: HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username
Apr 10 20:23:16 unknown daemon.notice openvpn[1062]: HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
Apr 10 20:23:16 unknown daemon.notice openvpn[1062]: GLOBAL_STATS,Max bcast/mcast queue length,0
Apr 10 20:23:16 unknown daemon.notice openvpn[1062]: END
Apr 10 20:38:36 unknown daemon.notice openvpn[1062]: <iPhone WAN IP>:57379 TLS: Initial packet from [AF_INET]<iPhone WAN IP>:57379, sid=3a50a9ff 3901073c
Apr 10 20:38:37 unknown daemon.notice openvpn[1062]: <iPhone WAN IP>:57379 VERIFY OK: depth=1, C=xx, ST=xx, L=xx, O=xx, CN=xx-OpenVPN, emailAddress=MyMail@gmail.com
Apr 10 20:38:37 unknown daemon.notice openvpn[1062]: <iPhone WAN IP>:57379 VERIFY OK: depth=0, C=xx, ST=xx, L=xx, O=xx, OU=changeme, CN=iphone-5s, name=changeme, emailAddress=MyMail@gmail.com
Apr 10 20:38:38 unknown daemon.notice openvpn[1062]: <iPhone WAN IP>:57379 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Apr 10 20:38:38 unknown daemon.notice openvpn[1062]: <iPhone WAN IP>:57379 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 10 20:38:38 unknown daemon.notice openvpn[1062]: <iPhone WAN IP>:57379 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Apr 10 20:38:38 unknown daemon.notice openvpn[1062]: <iPhone WAN IP>:57379 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 10 20:38:38 unknown daemon.notice openvpn[1062]: <iPhone WAN IP>:57379 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Apr 10 20:38:38 unknown daemon.notice openvpn[1062]: <iPhone WAN IP>:57379 [iphone-5s] Peer Connection Initiated with [AF_INET]<iPhone WAN IP>:57379
Apr 10 20:38:38 unknown daemon.notice openvpn[1062]: iphone-5s/<iPhone WAN IP>:57379 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Apr 10 20:38:38 unknown daemon.notice openvpn[1062]: iphone-5s/<iPhone WAN IP>:57379 MULTI: Learn: 10.8.0.6 -> iphone-5s/<iPhone WAN IP>:57379
Apr 10 20:38:38 unknown daemon.notice openvpn[1062]: iphone-5s/<iPhone WAN IP>:57379 MULTI: primary virtual IP for iphone-5s/<iPhone WAN IP>:57379: 10.8.0.6
Apr 10 20:38:39 unknown daemon.notice openvpn[1062]: iphone-5s/<iPhone WAN IP>:57379 PUSH: Received control message: 'PUSH_REQUEST'
Apr 10 20:38:39 unknown daemon.notice openvpn[1062]: iphone-5s/<iPhone WAN IP>:57379 send_push_reply(): safe_cap=940
Apr 10 20:38:39 unknown daemon.notice openvpn[1062]: iphone-5s/<iPhone WAN IP>:57379 SENT CONTROL [iphone-5s]: 'PUSH_REPLY,route 10.88.55.0 255.255.255.0,redirect-gateway def1,route 10.8.0.1,topology net30,ping 15,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Apr 10 20:54:40 unknown daemon.warn openvpn[1062]: iphone-5s/<iPhone WAN IP>:57379 IP packet with unknown IP version=2 seen
Apr 10 20:56:40 unknown daemon.notice openvpn[1062]: iphone-5s/<iPhone WAN IP>:57379 [iphone-5s] Inactivity timeout (--ping-restart), restarting
Apr 10 20:56:40 unknown daemon.notice openvpn[1062]: iphone-5s/<iPhone WAN IP>:57379 SIGUSR1[soft,ping-restart] received, client-instance restarting
iOS OpenVPN Client Log:
2014-04-10 20:38:37 - OpenVPN Start (iOS 64-bit) -
2014-04-10 20:38:37 UNUSED OPTIONS
4 [resolv-retry] [infinite]
5 [nobind]
6 [user] [nobody]
7 [group] [nobody]
8 [persist-key]
9 [persist-tun]
12 [verb] [5]
2014-04-10 20:38:37 LZO-ASYM init swap=0 asym=0
2014-04-10 20:38:37 EVENT: RESOLVE
2014-04-10 20:38:37 Contacting <WAN IP>:443 via UDP
2014-04-10 20:38:37 EVENT: WAIT
2014-04-10 20:38:37 Connecting to <WAN IP>:443 (<WAN IP>) via UDPv4
2014-04-10 20:38:37 EVENT: CONNECTING
2014-04-10 20:38:37 Tunnel Options:V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
2014-04-10 20:38:37 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.0.4-140
IV_VER=3.0
IV_PLAT=ios
IV_NCP=1
IV_LZO=1
2014-04-10 20:38:38 VERIFY OK: depth=1
cert. version : 3
serial number : xx:xx:xx:xx:xx:xx:xx:xx
issuer name : C=Xx, ST=Xx, L=Xx, O=Xx, CN=Xx-OpenVPN, emailAddress=Mymail@gmail.com
subject name : C=xx, ST=xx, L=Xx, O=Xx, CN=Xx-OpenVPN, emailAddress=Mymail@gmail.com
issued on : 2014-03-17 00:06:49
expires on : 2024-03-14 00:06:49
signed using : RSA+SHA1
RSA key size : 1024 bits
2014-04-10 20:38:38 VERIFY OK: depth=0
cert. version : 3
serial number : 01
issuer name : C=Xx, ST=Xx, L=xx, O=Xx, CN=Xx-OpenVPN, emailAddress=Mymail@gmail.com
subject name : C=xx, ST=xx, L=xx, O=xxxx, OU=changeme, CN=server, 0x29=changeme, emailAddress=Mymail@gmail.com
issued on : 2014-03-17 00:08:20
expires on : 2024-03-14 00:08:20
signed using : RSA+SHA1
RSA key size : 1024 bits
2014-04-10 20:38:39 SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-AES-256-CBC-SHA
2014-04-10 20:38:39 Session is ACTIVE
2014-04-10 20:38:40 EVENT: GET_CONFIG
2014-04-10 20:38:40 Sending PUSH_REQUEST to server…
2014-04-10 20:38:40 OPTIONS:
0 [route] [10.88.55.0] [255.255.255.0]
1 [redirect-gateway] [def1]
2 [route] [10.8.0.1]
3 [topology] [net30]
4 [ping] [15]
5 [ping-restart] [60]
6 [ifconfig] [10.8.0.6] [10.8.0.5]
2014-04-10 20:38:40 LZO-ASYM init swap=0 asym=0
2014-04-10 20:38:40 EVENT: ASSIGN_IP
2014-04-10 20:38:40 Google DNS fallback enabled
2014-04-10 20:38:40 Connected via tun
2014-04-10 20:38:40 EVENT: CONNECTED @<WAN IP>:443 (<WAN IP>) via /UDPv4 on tun/10.8.0.6/
2014-04-10 20:38:40 NET WiFi:NotReachable/WR t--
2014-04-10 20:38:40 NET Internet:ReachableViaWWAN/WR t——l-
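The routing table posted above decides only the forward direction. Whether a reply from a LAN host or from the internet finds its way back into 10.8.0.0/24 depends on a hop the post does not show: the DIR-655, and the LAN hosts whose default gateway it is. The following Python script is an added example, not part of the original post and not Tomato's or OpenVPN's code. It runs longest-prefix-match lookups over the E2500 table exactly as posted and over an assumed DIR-655 table (its own LAN plus an ISP default route and no VPN route, since the post shows neither), and traces the reply path in three situations: the DIR-655 as assumed, the DIR-655 with a static route for 10.8.0.0/24 via 10.88.55.2, and the E2500 masquerading tunnel traffic behind its own 10.88.55.2 address. The LAN host's default gateway of 10.88.55.1 is also an assumption. The script models routing only; Tomato's automatic firewall and NAT rules are not in the post and are not simulated.

```python
import ipaddress

# Each table is a list of (destination network, gateway or None for on-link, interface).
# E2500_TABLE is the routing table from the post, rewritten in CIDR form.
E2500_TABLE = [
    ("10.8.0.2/32",   None,         "tun21"),
    ("10.88.55.0/24", None,         "br0"),
    ("10.8.0.0/24",   "10.8.0.2",   "tun21"),
    ("127.0.0.0/8",   None,         "lo"),
    ("0.0.0.0/0",     "10.88.55.1", "br0"),
]

# ASSUMPTION (constructed, not from the post): the DIR-655 knows only its own
# LAN and its ISP default route; nothing told it where 10.8.0.0/24 lives.
DIR655_TABLE = [
    ("10.88.55.0/24", None,  "lan"),
    ("0.0.0.0/0",     "isp", "wan"),
]

# ASSUMPTION: the same table plus one static route for the VPN subnet that
# points at the E2500's LAN address, the first thing a practitioner would try.
DIR655_WITH_VPN_ROUTE = [("10.8.0.0/24", "10.88.55.2", "lan")] + DIR655_TABLE

LAN = ipaddress.ip_network("10.88.55.0/24")
VPN = ipaddress.ip_network("10.8.0.0/24")


def lookup(table, dst):
    """Longest-prefix-match route lookup. Returns (gateway, interface) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in table:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])


def forward_path(dst):
    """Where the E2500 sends a packet that just arrived from the tunnel."""
    gw, iface = lookup(E2500_TABLE, dst)
    return f"E2500 -> {'on-link' if gw is None else gw} via {iface}"


def reply_path(src_host, dst, upstream_table):
    """Trace the reply from a LAN host back towards dst, hop by hop.

    ASSUMPTION: the LAN host's default gateway is the DIR-655 (10.88.55.1),
    which is what a host would receive from the DIR-655's DHCP server.
    """
    path = [f"{src_host} replies to {dst}"]
    if ipaddress.ip_address(dst) in LAN:
        # On-link destination: the host ARPs for it; no router is involved.
        path.append("delivered directly on the LAN")
        return path
    gw, iface = lookup(upstream_table, dst)
    path.append(f"DIR-655 -> {gw} via {iface}")
    if iface == "wan":
        path.append("dropped: 10.8.0.0/24 is private and never comes back from the ISP")
        return path
    # The upstream router handed the packet to the E2500, which owns the tunnel.
    gw, iface = lookup(E2500_TABLE, dst)
    path.append(f"E2500 -> {gw} via {iface}")
    return path


def masquerade(src, out_iface):
    """Rewrite the source as a MASQUERADE rule on the E2500 would: tunnel
    traffic leaving br0 takes the E2500's own LAN address.
    ASSUMPTION: 10.88.55.2 is the address on br0, as the post states."""
    if ipaddress.ip_address(src) in VPN and out_iface == "br0":
        return "10.88.55.2"
    return src


if __name__ == "__main__":
    client = "10.8.0.6"  # the address the pool handed the iPhone in the log above
    for dst in ("10.88.55.11", "8.8.8.8", client):
        print(f"forward to {dst:>12}: {forward_path(dst)}")
    print("reply, no VPN route upstream :", reply_path("10.88.55.11", client, DIR655_TABLE))
    print("reply, static route upstream :", reply_path("10.88.55.11", client, DIR655_WITH_VPN_ROUTE))
    nat_src = masquerade(client, "br0")
    print("reply, E2500 masquerades     :", reply_path("10.88.55.11", nat_src, DIR655_TABLE))
```

The point the trace makes is that a forward route that looks right on the E2500 (10.88.55.11 is on-link via br0, the internet goes to 10.88.55.1) says nothing about the return path, and that a return route on the upstream router or source NAT on the E2500 are the two ways that path comes to exist. Whether Tomato's automatic firewall already inserts such a NAT rule when the box runs in "router" mode is something to check on the router itself with `iptables -t nat -L POSTROUTING -v` and `ip route` rather than assume.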