
#1 2016-04-30 04:09:02

Hoodoo
Member
Registered: 2016-04-29
Posts: 3

OpenVPN - LAN access

Hi,
I've done a fair bit of reading on how to get a VPN Client to talk to all the PCs on a Server side LAN. I figure it is something to do with routing but I'm right at the bleeding edge of my understanding of networking and have succumbed to asking for help.

I want to have the Client connect to the Server using OpenVPN and then act as if it is a member of the 192.168.1.0 LAN where all the computers can access each other.

The following represents my network topology where both Modem/Routers act as the gateway to the internet and DHCP servers for each LAN:
http://www.users.on.net/~matberry/Network.JPG

Using the following Server and Client config files I can establish a connection and have the Client and Server talking to each other nicely, however the Client can't ping other computers on 192.168.1.0 and vice-versa.

My Server config file, which seems to correctly assign 192.168.1.220 to the VPN client, is:

dev tun
ifconfig 192.168.1.100 192.168.1.220
secret static.key
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
user nobody
group nobody
push "route 192.168.1.0 255.255.255.0"
route 192.168.0.0 255.255.255.0

The Client config file is:

remote made-up-foo.no-ip.biz
dev tun
ifconfig 192.168.1.220 192.168.1.100
secret static.key
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
user nobody
group nobody

It was my understanding that push "route 192.168.1.0 255.255.255.0" tells the Client to route traffic to the broader 192.168.1.0 subnet - but this is where I misunderstand routing.

I suspect that the Server side Modem/Router (as the DHCP) does not know who 192.168.1.220 is as this only exists in the OpenVPN Server on /dev/tun0. So when other computers on the 192.168.1.0 LAN try and talk to it, it falls on deaf ears.

I'd appreciate any tips.
Thanks

Last edited by x33a (2016-04-30 04:48:30)

Offline

#2 2016-04-30 04:47:46

TheChickenMan
Member
From: United States
Registered: 2015-07-25
Posts: 354

Re: OpenVPN - LAN access

Your config looks correct. Did you set up the box which is acting as the VPN server to be able to route?
https://wiki.archlinux.org/index.php/In … Enable_NAT

You can check if the client knows how to find that address by inspecting its routing table.
$ ip route

Last edited by TheChickenMan (2016-04-30 04:51:45)


If quantum mechanics hasn't profoundly shocked you, you haven't understood it yet.
Niels Bohr

Offline

#3 2016-04-30 04:52:33

x33a
Forum Fellow
Registered: 2009-08-15
Posts: 4,587

Re: OpenVPN - LAN access

Please don't post large images. I have edited your post.

https://wiki.archlinux.org/index.php/Fo … s_and_code

As for the problem, I too tried a similar configuration in the past and could get the client to reach other machines on the 192 series (for that I also had to configure nat on the openvpn server), but couldn't get the other machines to access the openvpn client.

Offline

#4 2016-05-01 00:21:42

Hoodoo
Member
Registered: 2016-04-29
Posts: 3

Re: OpenVPN - LAN access

TheChickenMan wrote:

Your config looks correct. Did you set up the box which is acting as the VPN server to be able to route?

I think this is the point where I lose understanding. $ ip route returns the following:

default via 192.168.1.1 dev eth0
192.168.0.0/24 via 192.168.1.220 dev tun0
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.100
192.168.1.220 dev tun0  proto kernel  scope link  src 192.168.1.100

I'm not really sure what this is saying. My gateway is 192.168.1.1. Do I need to route /dev/tun0 traffic to 192.168.1.1?

edit:

I added these from your NAT link in the hope that it would forward tun0 traffic to eth0, but the VPN client still can't ping the other machines.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT

The bit I don't understand is that the ADSL Modem/Router (192.168.1.1) in my diagram above does not know who 192.168.1.220 is when it is established by tun0 on the OpenVPN Server. So when 192.168.1.15 (PC1) goes to ping 192.168.1.220, all it knows to do is to send traffic via the gateway (192.168.1.1) - which will go nowhere.

Finally, here is my ifconfig output. Does it matter that the netmasks for eth0 and tun0 are different?

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.100  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fd00::ba27:ebff:fe99:a502  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::ba27:ebff:fe99:a502  prefixlen 64  scopeid 0x20<link>
        ether b8:27:eb:99:a5:02  txqueuelen 1000  (Ethernet)
        RX packets 12606  bytes 3745079 (3.5 MiB)
        RX errors 0  dropped 44  overruns 0  frame 0
        TX packets 6489  bytes 1497250 (1.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 192.168.1.100  netmask 255.255.255.255  destination 192.168.1.220
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 14  bytes 1176 (1.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 140  bytes 51471 (50.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Last edited by Hoodoo (2016-05-01 01:01:07)

Offline

#5 2016-05-01 00:48:08

djgera
Developer
From: Buenos Aires - Argentina
Registered: 2008-12-24
Posts: 723
Website

Re: OpenVPN - LAN access

Hi

Is it a typo, or are you trying to mix LAN and VPN on the same network? Not a good idea...

If you want a client to talk to all hosts on the server side, then do this: set up openvpn to assign some other network unrelated to your current networks.

server:

...
ifconfig 10.7.0.1 10.7.0.2
...
push "route 192.168.1.0 255.255.255.0"
...

client:

...
ifconfig 10.7.0.2 10.7.0.1
...

On the server, set up forwarding on both the tun0 and eth0 interfaces:

sysctl -w net.ipv4.conf.eth0.forwarding=1
sysctl -w net.ipv4.conf.tun0.forwarding=1

then:

iptables -t nat -A POSTROUTING -s 10.7.0.2/32 -o eth0 -j SNAT --to-source 192.168.1.100

and maybe FORWARD (filter) rules depending on your setup.

EDIT: You can find a more complex setup on my wiki: https://wiki.archlinux.org/index.php/Us … ra/papucho

Last edited by djgera (2016-05-01 01:03:43)

Offline
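
An added example, not part of any post in this thread: a POSIX sh check for the LAN/VPN address mix raised in #5, run against the server config from #1 and the 10.7.0.x layout from #5. The function and variable names (ip2int, in_net, check_conf, THREAD_SERVER_CONF, SPLIT_SERVER_CONF) are made up for this example.

```sh
# Added example (not from the thread): flag tunnel endpoints inside a routed network.

# ip2int ADDR: print a dotted-quad IPv4 address as an integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net ADDR NETWORK NETMASK: succeed when ADDR lies inside NETWORK/NETMASK.
in_net() {
    a=$(ip2int "$1"); n=$(ip2int "$2"); m=$(ip2int "$3")
    [ $(( a & m )) -eq $(( n & m )) ]
}

# check_conf: read an OpenVPN config on stdin, print every overlap found and
# return 1 if any "ifconfig" endpoint is inside a "route"/"push route" network.
check_conf() {
    conf=$(tr -d '"')
    endpoints=$(printf '%s\n' "$conf" | awk '$1 == "ifconfig" { print $2; print $3 }')
    routes=$(printf '%s\n' "$conf" | awk '
        $1 == "route"                 { print $2, ($3 == "" ? "255.255.255.255" : $3) }
        $1 == "push" && $2 == "route" { print $3, ($4 == "" ? "255.255.255.255" : $4) }')
    status=0
    for ep in $endpoints; do
        while read -r net mask; do
            [ -n "$net" ] || continue
            if in_net "$ep" "$net" "$mask"; then
                echo "overlap: tunnel endpoint $ep is inside $net $mask"
                status=1
            fi
        done <<EOF
$routes
EOF
    done
    return $status
}

# Addressing lines of the server config posted in #1 and of the layout suggested in #5.
THREAD_SERVER_CONF='ifconfig 192.168.1.100 192.168.1.220
push "route 192.168.1.0 255.255.255.0"
route 192.168.0.0 255.255.255.0'
SPLIT_SERVER_CONF='ifconfig 10.7.0.1 10.7.0.2
push "route 192.168.1.0 255.255.255.0"'
for c in "$THREAD_SERVER_CONF" "$SPLIT_SERVER_CONF"; do
    if printf '%s\n' "$c" | check_conf; then echo "no overlap"; fi
done
```

The config from #1 reports both tunnel endpoints inside 192.168.1.0/24, while the 10.7.0.x layout passes.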

#6 2016-05-01 01:53:55

Hoodoo
Member
Registered: 2016-04-29
Posts: 3

Re: OpenVPN - LAN access

Thanks djgera, I'll change the config files and play with the forwarding rules some more.

Offline
