RV50 OpenVPN routing problem

hello!

I have an RV50 and i have set up the OpenVPN tunnel with success (thanks to others in this forum, without their help i would not succeed). The WAN is a 3G connection, there is a wired device connected to the LAN port of the RV50. I am able to ping both ends of the tunnel. I would like to route traffic over the tunnel to reach the host behind the RV50 (the wired device). This device has its default gateway set to the RV50's internal (LAN) IP (192.168.13.31).
The problem is: i can not reach the device from the OpenVPN server side. I can reach the server from the device, but not vice versa. The server has a route set up to send packets destined for 192.168.13.0/24 (RV50 LAN network), the packets enter the tunnel, but there is no response. The RV50 simply does not forward them to its LAN interface. I had FW 4.9.3 installed, i updated it to 4.9.13, but it does the same. I also tried NAT, but it does not NAT packets coming from the tunnel… Also it does not route traffic coming from the LAN into the tunnel when NAT is disabled in the OpenVPN settings. Is there an option i am missing? To me it seems that packets coming from the tunnel get dropped by some rule. I factory reset the RV50, all port filtering is also disabled. I even tried to set the DMZ IP to the device's IP address, but the same happens. If You have any idea or suggestion, please share it.
Thank You!
regards,
Richard

Hi @lionsgi ,

I followed the link below to configure the OpenVPN server and successfully pinged from both sides. You can see the picture.


OpenVPN link:

It seems that it’s about your server configuration. Please make sure the following steps are correct:

  1. In the config file \OpenVPN\config\server.ovpn, 2 lines should be added:
    client-config-dir ccd
    route 192.168.13.0 255.255.255.0
  2. At \OpenVPN\config\ccd, create a file with the name “client” and add the route to the file:
    iroute 192.168.13.0 255.255.255.0

     Note that “client” is the Common Name used in the steps where you generate certificates & keys for your gateway device, so you need to change the name accordingly.
  3. Restart the tunnel.

Thanks,

If your question is answered, please help to mark Solution
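
Added example, not part of the original posts: the server-side `route` line only hands the subnet to the kernel's tun device, while OpenVPN itself needs an `iroute` in a ccd file to know which connected client receives those packets. This script pairs every `route` in a server config with the ccd file that claims it; the temp directory, the `rv50` file name and the second subnet are constructed sample values.

```shell
#!/bin/sh
# Added example: pair each server-side "route" with the ccd file whose
# "iroute" claims the same subnet. Exact network/mask match only.

# Awk helper: a missing netmask means a host route, as in OpenVPN.
MASK='function mask(x) {
    return (x == "" || substr(x, 1, 1) == "#") ? "255.255.255.255" : x }'

# Print "NET MASK OWNER" per route line; OWNER is "-" if no client claims it.
route_owners() {
    conf=$1 ccd=$2
    # $1 must be exactly "route", so push "route ..." lines are not counted.
    awk "$MASK"' $1 == "route" { print $2, mask($3) }' "$conf" |
    while read -r net m; do
        owner=-
        for f in "$ccd"/*; do
            [ -f "$f" ] || continue
            if awk -v n="$net" -v m="$m" "$MASK"'
                $1 == "iroute" && $2 == n && mask($3) == m { hit = 1 }
                END { exit !hit }' "$f"
            then owner=${f##*/}; fi
        done
        echo "$net $m $owner"
    done
}

# Print only routes that no client owns; status 1 when at least one exists.
unowned_routes() {
    out=$(route_owners "$1" "$2" | awk '$3 == "-" { print $1 " " $2 }')
    [ -z "$out" ] && return 0
    echo "$out"
    return 1
}

# Constructed sample: two routed LANs, only one has a ccd entry.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/ccd"
    printf '%s\n' \
        'client-config-dir ccd' \
        'push "route 192.168.13.0 255.255.255.0"' \
        'route 192.168.13.0 255.255.255.0' \
        'route 192.168.12.0 255.255.255.0   # second site, no ccd file yet' \
        > "$d/server.conf"
    echo 'iroute 192.168.13.0 255.255.255.0' > "$d/ccd/rv50"
    echo "$d"
}

sample=$(make_sample)
route_owners "$sample/server.conf" "$sample/ccd"
```

A route that shows `-` as owner is the symptom from the first post: packets enter the tunnel on the server and no client ever receives them.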

hello Cherokee!

i just tried out Your suggestions and it works!
I was missing the “iroute” option. I knew somehow that the client is the point where the packets get lost, but i did not know why. I do not know why the client (RV50) does not know where to route the packets, he knows (should know) all routes… I basically do not understand, how the iroute option fixes this problem, because it configures the server AFAIK… I already added a static route by hand for 192.168.13.0/24 to tun0 before, and the packets (icmp ping) went into the tunnel (i checked this with tcpdump) but no answer packets came from the tunnel.

i tried it out earlier with this setup to put another openvpn client (a laptop with linux) onto the RV50’s LAN and it worked without iroute.

I am happy that it works now :slight_smile:
So thank You!
regards,
Richard

Hi @lionsgi Can you please tell me which file type you uploaded on rv50 ? I am trying to set up a tunnel between rv55 and ovpn server (on Ubuntu 18.04). I uploaded certificates in .CRT format, still couldn’t establish the tunnel.

Thanks

hello!

i wrote a little HOWTO on this, hope You are able to read it:
https://forum.sierrawireless.com/t/rv50x-to-an-openvpn-access-server/20897/2
if not, please let me know, i will send it for You too…

the CRT format was “as-is” (as generated by easy-rsa on Debian/Ubuntu) but i had to convert the KEY to PEM format to make it work.

regards,
Richard

Hey @lionsgi I am not able to read the HOWTO. Could you please send it to me? thanks.

hello!

i had a hard time getting it to work (RV50 with OpenVPN) but once it is working it is pretty stable. Thanks to Others i gathered this information:

to get the certs to work with the RV50 you need NS support when generating new certs/keys, so i had to set
    #Sierra RV50 compatibility add
    export EASYRSA_NS_SUPPORT="yes"
in /usr/share/easy-rsa/vars and start with key/cert building.

once done with this i had to convert the key for FirmWare version 4.9.13 (maybe for prior versions also):
    openssl rsa -in rv50.key -out rv50.pem
so it can be used on the RV50 with the newer FW (the older FW i had 4.9.3 used to accept the key that was generated by easy-rsa as it was made, i did not need to convert the format)

then i set up the OpenVPN server like this:
    port 9300
    proto udp
    dev tun
    ca keys/ca.crt
    cert keys/server.crt
    key keys/server.key # This file should be kept secret
    dh dh1024.pem
    server 192.168.15.0 255.255.255.0
    route-gateway 192.168.15.1
    ifconfig-pool-persist ipp.txt
    client-config-dir ccd
    push "route 192.168.13.0 255.255.255.0"
    push "route 192.168.12.0 255.255.255.0"
    route 192.168.13.0 255.255.255.0
    route 192.168.12.0 255.255.255.0
    client-to-client
    keepalive 10 120
    tls-server #Sierra RV50
    tls-version-min 1.0 #Sierra RV50
    auth sha256 #Sierra RV50
    tun-mtu 1500 #Sierra RV50
    mssfix 1400 #Sierra RV50
    fragment 1300 #Sierra RV50
    cipher AES-256-CBC #Sierra RV50
    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    topology subnet

(i have 2 RV50 devices with subnets 192.168.12.0 and 192.168.13.0 behind them) the VPN tunnel uses subnet 192.168.15.0

after that i uploaded ca.crt, rv50.crt and rv50.key/rv50.pem (depending on the key format that is required by different FWs on the RV50) and set the config like this:

i had to create client configs on the server (/etc/openvpn/ccd/rv50):
    iroute 192.168.13.0 255.255.255.0

finally it did not connect :smiley: because the time/date was way too off on the RV50, so i had to set a time server too. after that (and since then; it was months ago) it finally connected and i was able to reach devices on the subnets behind the RV50s

hope that helps, aaand good luck!


Thank you so much @lionsgi. This worked perfectly fine.
After uploading the certs it didn’t work actually, but later, after enabling the SNTP server (ACEmanager>Services>Time(SNTP)>enable), the status changed to connected.