[solved] OpenVPN: Allow Clients To Access Hosts on LAN

If your problem doesn't fall into one of the other categories, report it here.

Moderator: Moderators

vdmz
Posts: 14
Joined: Tue Nov 14, 2017 4:30 pm

Re: [solved] OpenVPN: Allow Clients To Access Hosts on LAN

Post by vdmz »

The lines in script /usr/lib/gargoyle/openvpn.sh:
echo "push \"route $subnet_ip $subnet_mask $openvpn_server_internal_ip\"" >> "$client_ccd_file"
echo "push \"route $subnet_ip $subnet_mask $openvpn_ip\"" >> "$client_ccd_file"
should be changed accordingly to:
echo "push \"route $subnet_ip $subnet_mask vpn_gateway\"" >> "$client_ccd_file"
echo "push \"route $subnet_ip $subnet_mask vpn_gateway\"" >> "$client_ccd_file"
The changed part in the strings is bold.
Router Model: Archer C7 V2 EU
Firmware: Gargoyle 1.10.0-ar71xx

Lantis
Moderator
Posts: 7172
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia
Contact:

Re: [solved] OpenVPN: Allow Clients To Access Hosts on LAN

Post by Lantis »

Until this is tested on all clients (especially Gargoyle) we can’t make that change.
https://lantisproject.com/downloads/gargoylebuilds for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.
https://lantisproject.com/blog

ispyisail
Moderator
Posts: 5218
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: [solved] OpenVPN: Allow Clients To Access Hosts on LAN

Post by ispyisail »

I'm working on some tests, been sick

ispyisail
Moderator
Posts: 5218
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: [solved] OpenVPN: Allow Clients To Access Hosts on LAN

Post by ispyisail »

Router to Router Fail

The original config files works fine but the new one does not, can't see much difference

Image

ispyisail
Moderator
Posts: 5218
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: [solved] OpenVPN: Allow Clients To Access Hosts on LAN

Post by ispyisail »

@vdmz Whats tests have you done?

vdmz
Posts: 14
Joined: Tue Nov 14, 2017 4:30 pm

Re: [solved] OpenVPN: Allow Clients To Access Hosts on LAN

Post by vdmz »

ispyisail wrote:Router to Router Fail

The original config files works fine but the new one does not, can't see much difference

Image
Your error about missing configuration file, is not related to the change which i provide above.

Probably you do something wrong or incorrectly modified the script file.

My change is two words change in openvpn.sh script, which does not brake any config files creation, it changes only "route" line in CCD directory.

Send me all changed files by you, to see how you did it.
Router Model: Archer C7 V2 EU
Firmware: Gargoyle 1.10.0-ar71xx

ispyisail
Moderator
Posts: 5218
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: [solved] OpenVPN: Allow Clients To Access Hosts on LAN

Post by ispyisail »

I have two test routers and changed the script /usr/lib/gargoyle/openvpn.sh in both

Code: Select all

#!/bin/sh



# global config directory
OPENVPN_DIR="/etc/openvpn"

# init script
OPENVPN_INIT_SCRIPT="/etc/init.d/openvpn"

# Assume time values are this many bits
# This is needed for setting expiration of certs to max
TIME_BITS=32



server_regenerate_credentials="false"



##################################################
# detect path for EASY RSA automatically
#
# if we're on a system other than debian/gargoyle
# thes may need to be updated.  
#
# If EASY_RSA_PATH variable is exported in calling shell script
# that will get detected here and used
#
################################################################
if [ -z "$EASY_RSA_PATH" ] ; then
	
	debian_ubuntu_easyrsa_path="/usr/share/doc/openvpn/examples/easy-rsa/2.0"
	gargoyle_easyrsa_path="/usr/lib/easy-rsa"

	if [ -d "$debian_ubuntu_easyrsa_path" ] ; then
		EASY_RSA_PATH="$debian_ubuntu_easyrsa_path"
	elif [ -d "$gargoyle_easyrsa_path" ] ; then
		EASY_RSA_PATH="$gargoyle_easyrsa_path"
	fi
fi
if [ -z "$EASY_RSA_PATH" ] ; then
	echo "ERROR: could not find easy-rsa library, exiting"
	exit
fi

EXPIRATION_MAX=99999
if [ "$TIME_BITS" -lt 64 ] ; then
	#handle 2038 bug the best we can
	year=$(date +%Y)
	year_day=$(date +%j | awk '{printf "%d", $1}')
	EXPIRATION_MAX=$(( (365*(2038-$year)) - $year_day  ))
fi



random_string()
{
	if [ ! -n "$1" ];
		then LEN=15
		else LEN="$1"
	fi

	echo $(</dev/urandom tr -dc a-z | head -c $LEN) # generate a random string
}


load_def()
{
	passed_var_def="$1"
	vpn_var="$2"
	default="$3"

	result=""
	if [ -z "$passed_var_def" ] ; then passed_var_def=$default ; fi
	if [ "$passed_var_def" = "true" ] || [ "$passed_var_def" = "1" ] ; then result="$vpn_var" ; fi
	
	
	printf "$result"

}

copy_if_diff()
{
	new_file="$1"
	old_file="$2"

	if   [ ! -f "$new_file" ] ; then
		return
	elif [ ! -f "$old_file" ] ; then
		cp "$new_file" "$old_file"
	else
		old_md5=$(md5sum "$old_file")
		old_md5=${old_md5% *}
		new_md5=$(md5sum "$new_file")
		new_md5=${new_md5% *}
		if [ "$old_md5" != "$new_md5" ] ; then
			cp "$new_file" "$old_file"
		fi	
	fi
}

create_server_conf()
{
	#required vars
	openvpn_server_internal_ip="$1"
	openvpn_netmask="$2"
	openvpn_port="$3"
	
	#optional vars
	openvpn_server_local_subnet_ip="$4"
	openvpn_server_local_subnet_mask="$5"

	#optional vars, but with defaults
	openvpn_protocol="$6"
	if [ -z "$openvpn_protocol" ] ; then openvpn_protocol="udp" ; fi
	if [ "$openvpn_protocol" = "tcp" ] ; then openvpn_protocol="tcp-server" ; fi

	openvpn_cipher="$7"
	if [ -z "$openvpn_cipher" ] ; then openvpn_cipher="BF-CBC" ; fi
	openvpn_keysize="$8"
	if [ -z "$openvpn_keysize" ] && [ "$openvpn_cipher" = "BF-CBC" ] ; then openvpn_keysize="128" ; fi
	if [ -n "$openvpn_keysize" ] ; then openvpn_keysize="keysize               $openvpn_keysize" ; fi


	openvpn_client_to_client=$(load_def "$9" "client-to-client" "false")
	openvpn_duplicate_cn=$(load_def "${10}" "duplicate-cn" "false")
	openvpn_pool="${11}"
	openvpn_redirect_gateway=$(load_def "${12}" "push \"redirect-gateway def1\"" "true")
	openvpn_regenerate_cert="${13}"

	if [ -n "$openvpn_pool" ] ; then
		openvpn_pool="ifconfig-pool $openvpn_pool"
	fi

	if [ ! -f "$OPENVPN_DIR/ca.crt" ]  || [ ! -f "$OPENVPN_DIR/dh1024.pem" ] || [ ! -f "$OPENVPN_DIR/server.crt" ] || [ ! -f "$OPENVPN_DIR/server.key" ] || [ ! -f "$OPENVPN_DIR/ta.key" ] ; then
		openvpn_regenerate_cert="true"
	fi
	server_regenerate_credentials="$openvpn_regenerate_cert"

	#make necessary directories
	mkdir -p "$OPENVPN_DIR/client_conf"
	mkdir -p "$OPENVPN_DIR/ccd"
	mkdir -p "$OPENVPN_DIR/route_data"

	mkdir -p /var/run
	touch /var/run/openvpn_status
	if [ ! -h /etc/openvpn/current_status ] ; then
		rm -rf /etc/openvpn/current_status
		ln -s  /var/run/openvpn_status /etc/openvpn/current_status 
	fi

	random_dir_num=$(random_string)
	random_dir="/tmp/ovpn-client-${random_dir_num}"
	mkdir -p "$random_dir"


	#generate dh1024.pem if necessary
	if [ "$openvpn_regenerate_cert" = "true" ] || [ "$openvpn_regenerate_cert" = "1" ] ; then

		cd "$random_dir"
		cp -r "$EASY_RSA_PATH/"* .
		mkdir keys

		name=$( random_string 15 )
		random_domain=$( random_string 15 )
		cat << 'EOF' >vars
export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
export KEY_SIZE=1024
export KEY_COUNTRY="??"
export KEY_PROVINCE="UnknownProvince"
export KEY_CITY="UnknownCity"
export KEY_ORG="UnknownOrg"
export KEY_OU="UnknownOrgUnit"
EOF
cat << EOF >>vars
export CA_EXPIRE=$EXPIRATION_MAX
export KEY_EXPIRE=$EXPIRATION_MAX
export KEY_EMAIL='$name@$random_domain.com'
export KEY_EMAIL='$name@$random_domain.com'
export KEY_CN='$name'
export KEY_NAME='$name'
EOF
		. ./vars
		./clean-all
		./build-dh
		./pkitool --initca
		./pkitool --server server
		openvpn --genkey --secret ta.key
		cp keys/server.crt keys/server.key keys/ca.crt keys/ca.key keys/dh1024.pem ta.key "$OPENVPN_DIR"/
	fi

	touch "$OPENVPN_DIR/server.conf"
	touch "$OPENVPN_DIR/route_data/server"
	touch "$random_dir/route_data_server"


	# server config
	cat << EOF >"$random_dir/server.conf"
mode                  server
port                  $openvpn_port
proto                 $openvpn_protocol
tls-server
ifconfig              $openvpn_server_internal_ip $openvpn_netmask
topology              subnet
client-config-dir     $OPENVPN_DIR/ccd
$openvpn_client_to_client

$openvpn_duplicate_cn
$openvpn_pool

cipher                $openvpn_cipher
$openvpn_keysize

dev                   tun
keepalive             25 180
status                /var/run/openvpn_status
verb                  3


dh                    $OPENVPN_DIR/dh1024.pem
ca                    $OPENVPN_DIR/ca.crt
cert                  $OPENVPN_DIR/server.crt
key                   $OPENVPN_DIR/server.key
tls-auth              $OPENVPN_DIR/ta.key 0

persist-key
persist-tun
comp-lzo

push "topology subnet"
push "route-gateway $openvpn_server_internal_ip"
$openvpn_redirect_gateway

EOF
	
	if [ -n "$openvpn_redirect_gateway" ] ; then
		touch "$OPENVPN_DIR/block_non_openvpn"
	else
		rm -rf "$OPENVPN_DIR/block_non_openvpn"
	fi

	if [ -n "$openvpn_server_local_subnet_ip" ] && [ -n "$openvpn_server_local_subnet_mask" ] ; then
		# save routes -- we need to update all route lines 
		# once all client ccd files are in place on the server
		echo "$openvpn_server_local_subnet_ip $openvpn_server_local_subnet_mask $openvpn_server_internal_ip" > "$random_dir/route_data_server"
	fi

	copy_if_diff "$random_dir/server.conf"        "$OPENVPN_DIR/server.conf"
	copy_if_diff "$random_dir/route_data_server"  "$OPENVPN_DIR/route_data/server"


	cd /tmp
	rm -rf "$random_dir"

}



create_allowed_client_conf()
{

	#required
	openvpn_client_id="$1"
	openvpn_client_remote="$2"

	#optional
	openvpn_client_internal_ip="$3"
	openvpn_client_local_subnet_ip="$4"
	openvpn_client_local_subnet_mask="$5"

	#load from server config
	openvpn_protocol=$( awk ' $1 ~ /proto/     { print $2 } ' /etc/openvpn/server.conf )
	openvpn_port=$(     awk ' $1 ~ /port/      { print $2 } ' /etc/openvpn/server.conf )
	openvpn_netmask=$(  awk ' $1 ~ /ifconfig/  { print $3 } ' /etc/openvpn/server.conf )
	openvpn_cipher=$(   awk ' $1 ~ /cipher/    { print $2 } ' /etc/openvpn/server.conf )
	openvpn_keysize=$(  awk ' $1 ~ /keysize/   { print $2 } ' /etc/openvpn/server.conf )
	if [ "$openvpn_protocol" = "tcp-server" ] ; then
		openvpn_protocol="tcp-client"
	fi
	if [ -z "$openvpn_keysize" ] && [ "$openvpn_cipher" = "BF-CBC" ] ; then openvpn_keysize="128" ; fi
	if [ -n "$openvpn_keysize" ] ; then openvpn_keysize="keysize               $openvpn_keysize" ; fi

	
	openvpn_regenerate_cert="$6"
	client_enabled="$7"
	if [ -z "$client_enabled" ] ; then
		client_enabled="true"
	fi

	client_conf_dir="$OPENVPN_DIR/client_conf/$openvpn_client_id"
	if [ ! -f "$client_conf_dir/$openvpn_client_id.crt" ]  || [ ! -f "$client_conf_dir/$openvpn_client_id.key" ] || [ ! -f "$client_conf_dir/ca.crt" ]  ; then
		openvpn_regenerate_cert="true"
	fi

	#if we regenerated server credentials, force regeneration of client credentials too
	if [ "$server_regenerate_credentials" = "true" ] || [ "$server_regenerate_credentials" = "1" ] ; then
		openvpn_regenerate_cert="true"
	fi

	mkdir -p "$OPENVPN_DIR/client_conf"
	mkdir -p "$OPENVPN_DIR/ccd"
	mkdir -p "$OPENVPN_DIR/route_data"
	
	random_dir_num=$(random_string)
	random_dir="/tmp/ovpn-client-${random_dir_num}"
	mkdir -p "$random_dir"



	if [ "$openvpn_regenerate_cert" = "true" ] || [ "$openvpn_regenerate_cert" = "1" ] ; then

		cd "$random_dir"
		cp -r "$EASY_RSA_PATH/"* .
		mkdir keys

		random_domain=$( random_string 15 )
		cat << 'EOF' >vars
export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
export KEY_SIZE=1024
export KEY_COUNTRY="??"
export KEY_PROVINCE="UnknownProvince"
export KEY_CITY="UnknownCity"
export KEY_ORG="UnknownOrg"
export KEY_OU="UnknownOrgUnit"
EOF
		cat << EOF >>vars
export CA_EXPIRE=$EXPIRATION_MAX
export KEY_EXPIRE=$EXPIRATION_MAX
export KEY_EMAIL='$openvpn_client_id@$randomDomain.com'
export KEY_EMAIL='$openvpn_client_id@$randomDomain.com'
export KEY_CN='$openvpn_client_id'
export KEY_NAME='$openvpn_client_id'
EOF
		. ./vars
		./clean-all
		cp "$OPENVPN_DIR/server.crt" "$OPENVPN_DIR/server.key" "$OPENVPN_DIR/ca.crt"  "$OPENVPN_DIR/ca.key" "$OPENVPN_DIR/dh1024.pem" ./keys/

	
		./pkitool "$openvpn_client_id"

		mkdir -p "$OPENVPN_DIR/client_conf/$openvpn_client_id"
		cp "keys/$openvpn_client_id.crt" "keys/$openvpn_client_id.key" "$OPENVPN_DIR/ca.crt" "$OPENVPN_DIR/ta.key" "$client_conf_dir/"
		
		if [ -n "$openvpn_client_local_subnet_ip" ] && [ -n "$openvpn_client_local_subnet_mask" ] ; then
			echo "ipaddr    $openvpn_client_local_subnet_ip"    >'network'
			echo "netmask   $openvpn_client_local_subnet_mask" >>'network'
			mv network "$client_conf_dir/network"
		fi
	fi

	
	
	
	
	if [ "$client_enabled" != "false" ] && [ "$client_enabled" != "0" ] ; then
		if [ ! -e "$OPENVPN_DIR/$openvpn_client_id.crt" ] ; then
			ln -s "$OPENVPN_DIR/client_conf/$openvpn_client_id/$openvpn_client_id.crt" "$OPENVPN_DIR/$openvpn_client_id.crt"
		fi
		touch "$OPENVPN_DIR/route_data_${openvpn_client_id}"
		touch "$random_dir/route_data_${openvpn_client_id}"

	else
		if [ -e "$OPENVPN_DIR/$openvpn_client_id.crt" ] ; then
			rm "$OPENVPN_DIR/$openvpn_client_id.crt"
		fi
		if [ -e "$OPENVPN_DIR/route_data/${openvpn_client_id}" ] ; then
			rm "$OPENVPN_DIR/route_data/${openvpn_client_id}" 
		fi
	fi

	if [ -e  "$OPENVPN_DIR/block_non_openvpn" ] ; then
		touch "$OPENVPN_DIR/client_conf/${openvpn_client_id}/block_non_openvpn"
	else
		rm -rf "$OPENVPN_DIR/client_conf/${openvpn_client_id}/block_non_openvpn"
	fi
		

	touch "$random_dir/ccd_${openvpn_client_id}"
	touch "$OPENVPN_DIR/ccd/${openvpn_client_id}"


	cat << EOF >"$random_dir/$openvpn_client_id.conf"

client
remote          $openvpn_client_remote $openvpn_port
dev             tun
proto           $openvpn_protocol
status          current_status
resolv-retry    infinite
remote-cert-tls server
topology        subnet
verb            3

cipher          $openvpn_cipher
$openvpn_keysize

ca              ca.crt
cert            $openvpn_client_id.crt
key             $openvpn_client_id.key
tls-auth        ta.key 1

nobind
persist-key
persist-tun
comp-lzo
EOF


	#update info about assigned ip/subnet
	if [ -n "$openvpn_client_internal_ip" ] ; then
		echo "ifconfig-push $openvpn_client_internal_ip $openvpn_netmask"                                                                      > "$random_dir/ccd_${openvpn_client_id}"
		if [ -n "$openvpn_client_local_subnet_ip" ] && [ -n "$openvpn_client_local_subnet_mask" ] ; then
			echo "iroute $openvpn_client_local_subnet_ip $openvpn_client_local_subnet_mask"                                               >> "$random_dir/ccd_${openvpn_client_id}"

			# save routes -- we need to update all route lines 
			# once all client ccd files are in place on the server
			if  [ "$client_enabled" != "false" ] && [ "$client_enabled" != "0" ] ; then
				echo "$openvpn_client_local_subnet_ip $openvpn_client_local_subnet_mask $openvpn_client_internal_ip \"$openvpn_client_id\"" > "$random_dir/route_data_${openvpn_client_id}"
			fi
		fi
	fi
	
	copy_if_diff "$random_dir/$openvpn_client_id.conf"          "$client_conf_dir/$openvpn_client_id.conf"
	if [ ! -h "$client_conf_dir/$openvpn_client_id.ovpn" ] ; then
		ln -s "$client_conf_dir/$openvpn_client_id.conf" "$client_conf_dir/$openvpn_client_id.ovpn"	
	fi
	copy_if_diff "$random_dir/ccd_${openvpn_client_id}"         "$OPENVPN_DIR/ccd/${openvpn_client_id}"
	if  [ "$client_enabled" != "false" ] && [ "$client_enabled" != "0" ] ; then
		copy_if_diff "$random_dir/route_data_${openvpn_client_id}"  "$OPENVPN_DIR/route_data/${openvpn_client_id}"
	fi
	
	

	cd /tmp
	rm -rf "$random_dir"
}


update_routes()
{
	openvpn_server_internal_ip=$(awk ' $1 ~ /ifconfig/  { print $2 } ' /etc/openvpn/server.conf )


	# Change "Internal Field Separator" (IFS variable)
	# which controls separation in for loop variables
	IFS_ORIG="$IFS"
	IFS_LINEBREAK="$(printf '\n\r')"
	IFS="$IFS_LINEBREAK"
	
	
	random_dir_num=$(random_string)
	random_dir="/tmp/ovpn-client-${random_dir_num}"
	mkdir -p "$random_dir"
	cp -r "$OPENVPN_DIR/ccd" "$random_dir"/
	cp -r "$OPENVPN_DIR/server.conf" "$random_dir"/
	
	
	# clear out old route data
	for client_ccd_file in $(ls "$random_dir/ccd/"* 2>/dev/null) ; do
		sed -i '/^push .*route/d' "$client_ccd_file"
	done
	sed -i '/^route /d' "$random_dir/server.conf"
	
	
	# set updated route data
	route_lines=$( cat "$OPENVPN_DIR/route_data/"* )
	for route_line in $route_lines ; do
		line_parts=$(  echo "$route_line" | awk '{ print NF }')
		subnet_ip=$(   echo "$route_line" | awk '{ print $1 }')
		subnet_mask=$( echo "$route_line" | awk '{ print $2 }')
		openvpn_ip=$(  echo "$route_line" | awk '{ print $3 }')

		if [ $line_parts -gt 3 ] ; then
			# routes for client subnet
			config_name=$( echo "$route_line" | sed 's/\"$//g' | sed 's/^.*\"//g')
			for client_ccd_file in $(ls "$random_dir/ccd/"* 2>/dev/null) ; do
				if [ "$random_dir/ccd/$config_name" != "$client_ccd_file" ] ; then
					echo "push \"route $subnet_ip $subnet_mask vpn_gateway\"" >> "$client_ccd_file" 
				fi
			done
			echo "route $subnet_ip $subnet_mask $openvpn_ip" >> "$random_dir/server.conf"

		else
			# routes for server subnet
			for client_ccd_file in $(ls "$random_dir/ccd/"* 2>/dev/null) ; do
				echo "push \"route $subnet_ip $subnet_mask vpn_gateway\"" >> "$client_ccd_file" 
			done
		fi
	done

	cd "$random_dir/ccd/"
	for client_ccd_file in $(ls 2>/dev/null) ; do
		copy_if_diff "$client_ccd_file" "$OPENVPN_DIR/ccd/$client_ccd_file"
	done
	cd "$random_dir"
	copy_if_diff "server.conf" "$OPENVPN_DIR/server.conf"

	cd /tmp
	rm -rf "$random_dir"
	
	
	# change IFS back now that we're done
	IFS="$IFS_ORIG"
}

remove_allowed_client()
{
	client_id="$1"
	rm -rf "$OPENVPN_DIR/client_conf/$current_client"
	rm -rf "$OPENVPN_DIR/$current_client.crt"
	rm -rf "$OPENVPN_DIR/route_data/$current_client"
	rm -rf "$OPENVPN_DIR/ccd/$current_client"
}

generate_test_configuration()
{

	# server
	create_server_conf	10.8.0.1           \
				255.255.255.0      \
				7099               \
				192.168.15.0       \
				255.255.255.0      \
				"tcp"              \
				"BF-CBC"           \
				"128"              \
				"true"             \
				"false"            \
				""                 \
				"true"             \
				"false"



	# clients
	create_allowed_client_conf "client1" "[YOUR_SERVER_IP]" "10.8.0.2" "" "" "false" "true"
	create_allowed_client_conf "client2" "[YOUR_SERVER_IP]" "10.8.0.3" "192.168.16.0" "255.255.255.0" "false" "true"
	create_allowed_client_conf "client3" "[YOUR_SERVER_IP]" "10.8.0.4" "192.168.17.0" "255.255.255.0" "false" "true"

	# update routes
	update_routes 

}

regenerate_allowed_client_from_uci()
{
	section="$1"
	ac_vars="id remote ip subnet_ip subnet_mask regenerate_credentials enabled"
	for var in $ac_vars ; do
		config_get "$var" "$section" "$var"
	done
	
	config_get "duplicate_cn" "server" "duplicate_cn"
	if [ "$duplicate_cn" = "true" ] || [  "$duplicate_cn" = "1" ] ; then
		ip=""
		subnet_ip=""
		subnet_mask=""
	fi	
	

	if [ "$enabled" != "false" ] || [ "$enabled" != "0" ] ; then
		create_allowed_client_conf "$id" "$remote" "$ip" "$subnet_ip" "$subnet_mask" "false" "$enabled"
	fi
}


regenerate_server_and_allowed_clients_from_uci()
{
	. /lib/functions.sh
	config_load "openvpn_gargoyle"
	
	server_vars="internal_ip internal_mask port proto cipher keysize client_to_client duplicate_cn redirect_gateway subnet_access regenerate_credentials subnet_ip subnet_mask pool"
	for var in $server_vars ; do
		config_get "$var" "server" "$var"
	done



	create_server_conf	"$internal_ip"             \
				"$internal_mask"           \
				"$port"                    \
				"$subnet_ip"               \
				"$subnet_mask"             \
				"$proto"                   \
				"$cipher"                  \
				"$keysize"                 \
				"$client_to_client"        \
				"$duplicate_cn"            \
				"$pool"                    \
				"$redirect_gateway"        \
				"$regenerate_credentials"


	server_regenerate_credentials="$regenerate_credentials"
	config_foreach regenerate_allowed_client_from_uci "allowed_client"

	for current_client in "$OPENVPN_DIR/client_conf/"* ; do
		if [ -d "$current_client" ] ; then
			current_client=$(echo $current_client | sed 's/^.*\///g')
			client_def=$(uci get openvpn_gargoyle.${current_client} 2>/dev/null)
			if [ "$client_def" != "allowed_client" ] ; then
				remove_allowed_client "$current_client"
			fi
		fi
	done
	

	update_routes

}


# apt-get update
# apt-get install aptitude
# aptitude install -y openvpn
# generate_test_configuration


vdmz
Posts: 14
Joined: Tue Nov 14, 2017 4:30 pm

Re: [solved] OpenVPN: Allow Clients To Access Hosts on LAN

Post by vdmz »

ispyisail wrote:I have two test routers and changed the script /usr/lib/gargoyle/openvpn.sh in both

Code: Select all

#!/bin/sh



# global config directory
OPENVPN_DIR="/etc/openvpn"

# init script
OPENVPN_INIT_SCRIPT="/etc/init.d/openvpn"

# Assume time values are this many bits
# This is needed for setting expiration of certs to max
TIME_BITS=32



server_regenerate_credentials="false"



##################################################
# detect path for EASY RSA automatically
#
# if we're on a system other than debian/gargoyle
# thes may need to be updated.  
#
# If EASY_RSA_PATH variable is exported in calling shell script
# that will get detected here and used
#
################################################################
if [ -z "$EASY_RSA_PATH" ] ; then
	
	debian_ubuntu_easyrsa_path="/usr/share/doc/openvpn/examples/easy-rsa/2.0"
	gargoyle_easyrsa_path="/usr/lib/easy-rsa"

	if [ -d "$debian_ubuntu_easyrsa_path" ] ; then
		EASY_RSA_PATH="$debian_ubuntu_easyrsa_path"
	elif [ -d "$gargoyle_easyrsa_path" ] ; then
		EASY_RSA_PATH="$gargoyle_easyrsa_path"
	fi
fi
if [ -z "$EASY_RSA_PATH" ] ; then
	echo "ERROR: could not find easy-rsa library, exiting"
	exit
fi

EXPIRATION_MAX=99999
if [ "$TIME_BITS" -lt 64 ] ; then
	#handle 2038 bug the best we can
	year=$(date +%Y)
	year_day=$(date +%j | awk '{printf "%d", $1}')
	EXPIRATION_MAX=$(( (365*(2038-$year)) - $year_day  ))
fi



random_string()
{
	if [ ! -n "$1" ];
		then LEN=15
		else LEN="$1"
	fi

	echo $(</dev/urandom tr -dc a-z | head -c $LEN) # generate a random string
}


load_def()
{
	passed_var_def="$1"
	vpn_var="$2"
	default="$3"

	result=""
	if [ -z "$passed_var_def" ] ; then passed_var_def=$default ; fi
	if [ "$passed_var_def" = "true" ] || [ "$passed_var_def" = "1" ] ; then result="$vpn_var" ; fi
	
	
	printf "$result"

}

copy_if_diff()
{
	new_file="$1"
	old_file="$2"

	if   [ ! -f "$new_file" ] ; then
		return
	elif [ ! -f "$old_file" ] ; then
		cp "$new_file" "$old_file"
	else
		old_md5=$(md5sum "$old_file")
		old_md5=${old_md5% *}
		new_md5=$(md5sum "$new_file")
		new_md5=${new_md5% *}
		if [ "$old_md5" != "$new_md5" ] ; then
			cp "$new_file" "$old_file"
		fi	
	fi
}

create_server_conf()
{
	#required vars
	openvpn_server_internal_ip="$1"
	openvpn_netmask="$2"
	openvpn_port="$3"
	
	#optional vars
	openvpn_server_local_subnet_ip="$4"
	openvpn_server_local_subnet_mask="$5"

	#optional vars, but with defaults
	openvpn_protocol="$6"
	if [ -z "$openvpn_protocol" ] ; then openvpn_protocol="udp" ; fi
	if [ "$openvpn_protocol" = "tcp" ] ; then openvpn_protocol="tcp-server" ; fi

	openvpn_cipher="$7"
	if [ -z "$openvpn_cipher" ] ; then openvpn_cipher="BF-CBC" ; fi
	openvpn_keysize="$8"
	if [ -z "$openvpn_keysize" ] && [ "$openvpn_cipher" = "BF-CBC" ] ; then openvpn_keysize="128" ; fi
	if [ -n "$openvpn_keysize" ] ; then openvpn_keysize="keysize               $openvpn_keysize" ; fi


	openvpn_client_to_client=$(load_def "$9" "client-to-client" "false")
	openvpn_duplicate_cn=$(load_def "${10}" "duplicate-cn" "false")
	openvpn_pool="${11}"
	openvpn_redirect_gateway=$(load_def "${12}" "push \"redirect-gateway def1\"" "true")
	openvpn_regenerate_cert="${13}"

	if [ -n "$openvpn_pool" ] ; then
		openvpn_pool="ifconfig-pool $openvpn_pool"
	fi

	if [ ! -f "$OPENVPN_DIR/ca.crt" ]  || [ ! -f "$OPENVPN_DIR/dh1024.pem" ] || [ ! -f "$OPENVPN_DIR/server.crt" ] || [ ! -f "$OPENVPN_DIR/server.key" ] || [ ! -f "$OPENVPN_DIR/ta.key" ] ; then
		openvpn_regenerate_cert="true"
	fi
	server_regenerate_credentials="$openvpn_regenerate_cert"

	#make necessary directories
	mkdir -p "$OPENVPN_DIR/client_conf"
	mkdir -p "$OPENVPN_DIR/ccd"
	mkdir -p "$OPENVPN_DIR/route_data"

	mkdir -p /var/run
	touch /var/run/openvpn_status
	if [ ! -h /etc/openvpn/current_status ] ; then
		rm -rf /etc/openvpn/current_status
		ln -s  /var/run/openvpn_status /etc/openvpn/current_status 
	fi

	random_dir_num=$(random_string)
	random_dir="/tmp/ovpn-client-${random_dir_num}"
	mkdir -p "$random_dir"


	#generate dh1024.pem if necessary
	if [ "$openvpn_regenerate_cert" = "true" ] || [ "$openvpn_regenerate_cert" = "1" ] ; then

		cd "$random_dir"
		cp -r "$EASY_RSA_PATH/"* .
		mkdir keys

		name=$( random_string 15 )
		random_domain=$( random_string 15 )
		cat << 'EOF' >vars
export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
export KEY_SIZE=1024
export KEY_COUNTRY="??"
export KEY_PROVINCE="UnknownProvince"
export KEY_CITY="UnknownCity"
export KEY_ORG="UnknownOrg"
export KEY_OU="UnknownOrgUnit"
EOF
cat << EOF >>vars
export CA_EXPIRE=$EXPIRATION_MAX
export KEY_EXPIRE=$EXPIRATION_MAX
export KEY_EMAIL='$name@$random_domain.com'
export KEY_EMAIL='$name@$random_domain.com'
export KEY_CN='$name'
export KEY_NAME='$name'
EOF
		. ./vars
		./clean-all
		./build-dh
		./pkitool --initca
		./pkitool --server server
		openvpn --genkey --secret ta.key
		cp keys/server.crt keys/server.key keys/ca.crt keys/ca.key keys/dh1024.pem ta.key "$OPENVPN_DIR"/
	fi

	touch "$OPENVPN_DIR/server.conf"
	touch "$OPENVPN_DIR/route_data/server"
	touch "$random_dir/route_data_server"


	# server config
	cat << EOF >"$random_dir/server.conf"
mode                  server
port                  $openvpn_port
proto                 $openvpn_protocol
tls-server
ifconfig              $openvpn_server_internal_ip $openvpn_netmask
topology              subnet
client-config-dir     $OPENVPN_DIR/ccd
$openvpn_client_to_client

$openvpn_duplicate_cn
$openvpn_pool

cipher                $openvpn_cipher
$openvpn_keysize

dev                   tun
keepalive             25 180
status                /var/run/openvpn_status
verb                  3


dh                    $OPENVPN_DIR/dh1024.pem
ca                    $OPENVPN_DIR/ca.crt
cert                  $OPENVPN_DIR/server.crt
key                   $OPENVPN_DIR/server.key
tls-auth              $OPENVPN_DIR/ta.key 0

persist-key
persist-tun
comp-lzo

push "topology subnet"
push "route-gateway $openvpn_server_internal_ip"
$openvpn_redirect_gateway

EOF
	
	if [ -n "$openvpn_redirect_gateway" ] ; then
		touch "$OPENVPN_DIR/block_non_openvpn"
	else
		rm -rf "$OPENVPN_DIR/block_non_openvpn"
	fi

	if [ -n "$openvpn_server_local_subnet_ip" ] && [ -n "$openvpn_server_local_subnet_mask" ] ; then
		# save routes -- we need to update all route lines 
		# once all client ccd files are in place on the server
		echo "$openvpn_server_local_subnet_ip $openvpn_server_local_subnet_mask $openvpn_server_internal_ip" > "$random_dir/route_data_server"
	fi

	copy_if_diff "$random_dir/server.conf"        "$OPENVPN_DIR/server.conf"
	copy_if_diff "$random_dir/route_data_server"  "$OPENVPN_DIR/route_data/server"


	cd /tmp
	rm -rf "$random_dir"

}



create_allowed_client_conf()
{

	#required
	openvpn_client_id="$1"
	openvpn_client_remote="$2"

	#optional
	openvpn_client_internal_ip="$3"
	openvpn_client_local_subnet_ip="$4"
	openvpn_client_local_subnet_mask="$5"

	#load from server config
	openvpn_protocol=$( awk ' $1 ~ /proto/     { print $2 } ' /etc/openvpn/server.conf )
	openvpn_port=$(     awk ' $1 ~ /port/      { print $2 } ' /etc/openvpn/server.conf )
	openvpn_netmask=$(  awk ' $1 ~ /ifconfig/  { print $3 } ' /etc/openvpn/server.conf )
	openvpn_cipher=$(   awk ' $1 ~ /cipher/    { print $2 } ' /etc/openvpn/server.conf )
	openvpn_keysize=$(  awk ' $1 ~ /keysize/   { print $2 } ' /etc/openvpn/server.conf )
	if [ "$openvpn_protocol" = "tcp-server" ] ; then
		openvpn_protocol="tcp-client"
	fi
	if [ -z "$openvpn_keysize" ] && [ "$openvpn_cipher" = "BF-CBC" ] ; then openvpn_keysize="128" ; fi
	if [ -n "$openvpn_keysize" ] ; then openvpn_keysize="keysize               $openvpn_keysize" ; fi

	
	openvpn_regenerate_cert="$6"
	client_enabled="$7"
	if [ -z "$client_enabled" ] ; then
		client_enabled="true"
	fi

	client_conf_dir="$OPENVPN_DIR/client_conf/$openvpn_client_id"
	if [ ! -f "$client_conf_dir/$openvpn_client_id.crt" ]  || [ ! -f "$client_conf_dir/$openvpn_client_id.key" ] || [ ! -f "$client_conf_dir/ca.crt" ]  ; then
		openvpn_regenerate_cert="true"
	fi

	#if we regenerated server credentials, force regeneration of client credentials too
	if [ "$server_regenerate_credentials" = "true" ] || [ "$server_regenerate_credentials" = "1" ] ; then
		openvpn_regenerate_cert="true"
	fi

	mkdir -p "$OPENVPN_DIR/client_conf"
	mkdir -p "$OPENVPN_DIR/ccd"
	mkdir -p "$OPENVPN_DIR/route_data"
	
	random_dir_num=$(random_string)
	random_dir="/tmp/ovpn-client-${random_dir_num}"
	mkdir -p "$random_dir"



	if [ "$openvpn_regenerate_cert" = "true" ] || [ "$openvpn_regenerate_cert" = "1" ] ; then

		cd "$random_dir"
		cp -r "$EASY_RSA_PATH/"* .
		mkdir keys

		random_domain=$( random_string 15 )
		cat << 'EOF' >vars
export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
export KEY_SIZE=1024
export KEY_COUNTRY="??"
export KEY_PROVINCE="UnknownProvince"
export KEY_CITY="UnknownCity"
export KEY_ORG="UnknownOrg"
export KEY_OU="UnknownOrgUnit"
EOF
		cat << EOF >>vars
export CA_EXPIRE=$EXPIRATION_MAX
export KEY_EXPIRE=$EXPIRATION_MAX
export KEY_EMAIL='$openvpn_client_id@$randomDomain.com'
export KEY_EMAIL='$openvpn_client_id@$randomDomain.com'
export KEY_CN='$openvpn_client_id'
export KEY_NAME='$openvpn_client_id'
EOF
		. ./vars
		./clean-all
		cp "$OPENVPN_DIR/server.crt" "$OPENVPN_DIR/server.key" "$OPENVPN_DIR/ca.crt"  "$OPENVPN_DIR/ca.key" "$OPENVPN_DIR/dh1024.pem" ./keys/

	
		./pkitool "$openvpn_client_id"

		mkdir -p "$OPENVPN_DIR/client_conf/$openvpn_client_id"
		cp "keys/$openvpn_client_id.crt" "keys/$openvpn_client_id.key" "$OPENVPN_DIR/ca.crt" "$OPENVPN_DIR/ta.key" "$client_conf_dir/"
		
		if [ -n "$openvpn_client_local_subnet_ip" ] && [ -n "$openvpn_client_local_subnet_mask" ] ; then
			echo "ipaddr    $openvpn_client_local_subnet_ip"    >'network'
			echo "netmask   $openvpn_client_local_subnet_mask" >>'network'
			mv network "$client_conf_dir/network"
		fi
	fi

	
	
	
	
	if [ "$client_enabled" != "false" ] && [ "$client_enabled" != "0" ] ; then
		if [ ! -e "$OPENVPN_DIR/$openvpn_client_id.crt" ] ; then
			ln -s "$OPENVPN_DIR/client_conf/$openvpn_client_id/$openvpn_client_id.crt" "$OPENVPN_DIR/$openvpn_client_id.crt"
		fi
		touch "$OPENVPN_DIR/route_data_${openvpn_client_id}"
		touch "$random_dir/route_data_${openvpn_client_id}"

	else
		if [ -e "$OPENVPN_DIR/$openvpn_client_id.crt" ] ; then
			rm "$OPENVPN_DIR/$openvpn_client_id.crt"
		fi
		if [ -e "$OPENVPN_DIR/route_data/${openvpn_client_id}" ] ; then
			rm "$OPENVPN_DIR/route_data/${openvpn_client_id}" 
		fi
	fi

	if [ -e  "$OPENVPN_DIR/block_non_openvpn" ] ; then
		touch "$OPENVPN_DIR/client_conf/${openvpn_client_id}/block_non_openvpn"
	else
		rm -rf "$OPENVPN_DIR/client_conf/${openvpn_client_id}/block_non_openvpn"
	fi
		

	touch "$random_dir/ccd_${openvpn_client_id}"
	touch "$OPENVPN_DIR/ccd/${openvpn_client_id}"


	cat << EOF >"$random_dir/$openvpn_client_id.conf"

client
remote          $openvpn_client_remote $openvpn_port
dev             tun
proto           $openvpn_protocol
status          current_status
resolv-retry    infinite
remote-cert-tls server
topology        subnet
verb            3

cipher          $openvpn_cipher
$openvpn_keysize

ca              ca.crt
cert            $openvpn_client_id.crt
key             $openvpn_client_id.key
tls-auth        ta.key 1

nobind
persist-key
persist-tun
comp-lzo
EOF


	#update info about assigned ip/subnet
	if [ -n "$openvpn_client_internal_ip" ] ; then
		echo "ifconfig-push $openvpn_client_internal_ip $openvpn_netmask"                                                                      > "$random_dir/ccd_${openvpn_client_id}"
		if [ -n "$openvpn_client_local_subnet_ip" ] && [ -n "$openvpn_client_local_subnet_mask" ] ; then
			echo "iroute $openvpn_client_local_subnet_ip $openvpn_client_local_subnet_mask"                                               >> "$random_dir/ccd_${openvpn_client_id}"

			# save routes -- we need to update all route lines 
			# once all client ccd files are in place on the server
			if  [ "$client_enabled" != "false" ] && [ "$client_enabled" != "0" ] ; then
				echo "$openvpn_client_local_subnet_ip $openvpn_client_local_subnet_mask $openvpn_client_internal_ip \"$openvpn_client_id\"" > "$random_dir/route_data_${openvpn_client_id}"
			fi
		fi
	fi
	
	copy_if_diff "$random_dir/$openvpn_client_id.conf"          "$client_conf_dir/$openvpn_client_id.conf"
	if [ ! -h "$client_conf_dir/$openvpn_client_id.ovpn" ] ; then
		ln -s "$client_conf_dir/$openvpn_client_id.conf" "$client_conf_dir/$openvpn_client_id.ovpn"	
	fi
	copy_if_diff "$random_dir/ccd_${openvpn_client_id}"         "$OPENVPN_DIR/ccd/${openvpn_client_id}"
	if  [ "$client_enabled" != "false" ] && [ "$client_enabled" != "0" ] ; then
		copy_if_diff "$random_dir/route_data_${openvpn_client_id}"  "$OPENVPN_DIR/route_data/${openvpn_client_id}"
	fi
	
	

	cd /tmp
	rm -rf "$random_dir"
}


update_routes()
{
	openvpn_server_internal_ip=$(awk ' $1 ~ /ifconfig/  { print $2 } ' /etc/openvpn/server.conf )


	# Change "Internal Field Separator" (IFS variable)
	# which controls separation in for loop variables
	IFS_ORIG="$IFS"
	IFS_LINEBREAK="$(printf '\n\r')"
	IFS="$IFS_LINEBREAK"
	
	
	random_dir_num=$(random_string)
	random_dir="/tmp/ovpn-client-${random_dir_num}"
	mkdir -p "$random_dir"
	cp -r "$OPENVPN_DIR/ccd" "$random_dir"/
	cp -r "$OPENVPN_DIR/server.conf" "$random_dir"/
	
	
	# clear out old route data
	for client_ccd_file in $(ls "$random_dir/ccd/"* 2>/dev/null) ; do
		sed -i '/^push .*route/d' "$client_ccd_file"
	done
	sed -i '/^route /d' "$random_dir/server.conf"
	
	
	# set updated route data
	route_lines=$( cat "$OPENVPN_DIR/route_data/"* )
	for route_line in $route_lines ; do
		line_parts=$(  echo "$route_line" | awk '{ print NF }')
		subnet_ip=$(   echo "$route_line" | awk '{ print $1 }')
		subnet_mask=$( echo "$route_line" | awk '{ print $2 }')
		openvpn_ip=$(  echo "$route_line" | awk '{ print $3 }')

		if [ $line_parts -gt 3 ] ; then
			# routes for client subnet
			config_name=$( echo "$route_line" | sed 's/\"$//g' | sed 's/^.*\"//g')
			for client_ccd_file in $(ls "$random_dir/ccd/"* 2>/dev/null) ; do
				if [ "$random_dir/ccd/$config_name" != "$client_ccd_file" ] ; then
					echo "push \"route $subnet_ip $subnet_mask vpn_gateway\"" >> "$client_ccd_file" 
				fi
			done
			echo "route $subnet_ip $subnet_mask $openvpn_ip" >> "$random_dir/server.conf"

		else
			# routes for server subnet
			for client_ccd_file in $(ls "$random_dir/ccd/"* 2>/dev/null) ; do
				echo "push \"route $subnet_ip $subnet_mask vpn_gateway\"" >> "$client_ccd_file" 
			done
		fi
	done

	cd "$random_dir/ccd/"
	for client_ccd_file in $(ls 2>/dev/null) ; do
		copy_if_diff "$client_ccd_file" "$OPENVPN_DIR/ccd/$client_ccd_file"
	done
	cd "$random_dir"
	copy_if_diff "server.conf" "$OPENVPN_DIR/server.conf"

	cd /tmp
	rm -rf "$random_dir"
	
	
	# change IFS back now that we're done
	IFS="$IFS_ORIG"
}

remove_allowed_client()
{
	client_id="$1"
	rm -rf "$OPENVPN_DIR/client_conf/$current_client"
	rm -rf "$OPENVPN_DIR/$current_client.crt"
	rm -rf "$OPENVPN_DIR/route_data/$current_client"
	rm -rf "$OPENVPN_DIR/ccd/$current_client"
}

generate_test_configuration()
{

	# server
	create_server_conf	10.8.0.1           \
				255.255.255.0      \
				7099               \
				192.168.15.0       \
				255.255.255.0      \
				"tcp"              \
				"BF-CBC"           \
				"128"              \
				"true"             \
				"false"            \
				""                 \
				"true"             \
				"false"



	# clients
	create_allowed_client_conf "client1" "[YOUR_SERVER_IP]" "10.8.0.2" "" "" "false" "true"
	create_allowed_client_conf "client2" "[YOUR_SERVER_IP]" "10.8.0.3" "192.168.16.0" "255.255.255.0" "false" "true"
	create_allowed_client_conf "client3" "[YOUR_SERVER_IP]" "10.8.0.4" "192.168.17.0" "255.255.255.0" "false" "true"

	# update routes
	update_routes 

}

regenerate_allowed_client_from_uci()
{
	section="$1"
	ac_vars="id remote ip subnet_ip subnet_mask regenerate_credentials enabled"
	for var in $ac_vars ; do
		config_get "$var" "$section" "$var"
	done
	
	config_get "duplicate_cn" "server" "duplicate_cn"
	if [ "$duplicate_cn" = "true" ] || [  "$duplicate_cn" = "1" ] ; then
		ip=""
		subnet_ip=""
		subnet_mask=""
	fi	
	

	if [ "$enabled" != "false" ] || [ "$enabled" != "0" ] ; then
		create_allowed_client_conf "$id" "$remote" "$ip" "$subnet_ip" "$subnet_mask" "false" "$enabled"
	fi
}


regenerate_server_and_allowed_clients_from_uci()
{
	. /lib/functions.sh
	config_load "openvpn_gargoyle"
	
	server_vars="internal_ip internal_mask port proto cipher keysize client_to_client duplicate_cn redirect_gateway subnet_access regenerate_credentials subnet_ip subnet_mask pool"
	for var in $server_vars ; do
		config_get "$var" "server" "$var"
	done



	create_server_conf	"$internal_ip"             \
				"$internal_mask"           \
				"$port"                    \
				"$subnet_ip"               \
				"$subnet_mask"             \
				"$proto"                   \
				"$cipher"                  \
				"$keysize"                 \
				"$client_to_client"        \
				"$duplicate_cn"            \
				"$pool"                    \
				"$redirect_gateway"        \
				"$regenerate_credentials"


	server_regenerate_credentials="$regenerate_credentials"
	config_foreach regenerate_allowed_client_from_uci "allowed_client"

	for current_client in "$OPENVPN_DIR/client_conf/"* ; do
		if [ -d "$current_client" ] ; then
			current_client=$(echo $current_client | sed 's/^.*\///g')
			client_def=$(uci get openvpn_gargoyle.${current_client} 2>/dev/null)
			if [ "$client_def" != "allowed_client" ] ; then
				remove_allowed_client "$current_client"
			fi
		fi
	done
	

	update_routes

}


# apt-get update
# apt-get install aptitude
# aptitude install -y openvpn
# generate_test_configuration

Well the lines which i asked to change are correct. If you did not change anything else in that file it should work. Cannot compare your changes with original file right now... In your previous post i see the router cannot find the configuration file. Could you see in logs which file is missing? I guess you do something wrong, maybe forgot to add configuration file for VPN client or did not save the changes... ?

The problem: "canot find config file" has nothing common with word change for the "route" line inside the client-config file indise CCD directory.
Router Model: Archer C7 V2 EU
Firmware: Gargoyle 1.10.0-ar71xx

ispyisail
Moderator
Posts: 5218
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: [solved] OpenVPN: Allow Clients To Access Hosts on LAN

Post by ispyisail »

Reset both routers to defaults.

Made changes as per openvpn.sh to both routers then proceeded to setup OpenVPN as per normal procedure.

vdmz
Posts: 14
Joined: Tue Nov 14, 2017 4:30 pm

Re: [solved] OpenVPN: Allow Clients To Access Hosts on LAN

Post by vdmz »

ispyisail,

1. You got error about non-existing config file, in router which you configured as client or server?

2. What was your action when you got popup with error, you pushed "SAVE" button?

3. Did you try to connect using ssh and check if config file physically exists in directory?
Router Model: Archer C7 V2 EU
Firmware: Gargoyle 1.10.0-ar71xx

Post Reply