
LAN access over OpenVPN on Merlin 384.16 [solved]


SKSSF

Hi all--

Sorry--I know it's been asked before and well documented, but I cannot seem to get access to my LAN over OpenVPN on Merlin 384.16 using TUN. I've spent about 2 hours reading various forums and trying custom configs, static routes, etc, windows firewall rules, but no dice.

What I can't do:
* access file shares via ip address in Windows from my PC (e.g. navigating to \\[local ip address])
* ping PCs on my LAN

What I can do:
* Remote desktop to PCs on my LAN
* Ping the router
* Ping PCs on the LAN and access shares when the client computer is physically on the LAN (i.e. no VPN; I don't think that this is a firewall issue).

I've got the VPN set to LAN only, and the advanced options are as follows:


My local IP address pool is 192.168.205.xxx. I've tried adding allowed clients, but I'm not entirely certain how to specify the subnet. I've also tried custom configs (e.g. push "route 192.168.205.0 255.255.255.0") with no luck.

Thanks!
Sandheep
 
What I can't do:
* access file shares via ip address in Windows from my PC (e.g. navigating to \\[local ip address])
* ping PCs on my LAN
Temporarily turn off the Windows firewall and test again. Windows Firewall will block pings and SMB connections originating from outside the local subnet by default.
 
What is in your manage client specific options? Maybe disable that until you get it working.
 
Better idea: change the compression to Disable (from LZO Adaptive). Not sure if you need to export a new .ovpn file to the client.
 
@SKSSF, take @martinr's advice and set Compression to Disabled (for more information check The VORACLE attack vulnerability).

Just as @ColinTaylor says, there is nothing wrong on the router's OpenVPN server configuration or the client side of things (as you can use remote desktop over vpn), and indeed the problem is with the firewall on the server/target computer(s) that you try to access.
You can try disabling the firewall for testing purposes to make sure that's the problem, but you should keep it enabled and modify the relevant rules for long term usage.

I'll list the steps you need to do for Windows 10's integrated firewall, again, on the server/target computer. If you use another firewall application, you need to edit its rules.

- type wf.msc in start menu and hit enter to open Windows Defender Firewall with Advanced Security;
- check which profile is active, Private or Public (it won't be Domain because in that case you should already be able to access the shares over vpn);
- select Inbound Rules and open the properties of the File and Printer Sharing (SMB-In) for the active profile by double clicking it or right clicking and selecting Properties (it should already be enabled because you said you can access the shares on your lan);
- go to the Scope tab and click Add... button on the Remote IP address section. Type 10.8.0.0/24 on the selected field and click OK button. Click the OK button to close the rule's properties.

Now you should have access to the shares on that computer from any vpn client.

For ping to work, I'm not sure, but I guess you should do the same steps as above for the File and Printer Sharing (Echo Request - ICMPv4-In) rule.
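
The scope change from the steps above, scripted as an added example that is not part of the original post. It assumes the English rule display names and the 10.8.0.0/24 tunnel subnet quoted in the post; the variable names are illustrative.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Run on the LAN computer that hosts the shares.

$VpnSubnet = '10.8.0.0/24'    # tunnel subnet quoted in the post; adjust if yours differs
$RuleNames = @(
    'File and Printer Sharing (SMB-In)',
    'File and Printer Sharing (Echo Request - ICMPv4-In)'
)

# Active network categories, mapped to firewall profile names
# (DomainAuthenticated -> Domain, Private, Public).
$active = (Get-NetConnectionProfile).NetworkCategory |
    ForEach-Object { "$_" -replace 'Authenticated$', '' } | Sort-Object -Unique

$network = $VpnSubnet.Split('/')[0]

foreach ($rule in Get-NetFirewallRule -DisplayName $RuleNames -ErrorAction SilentlyContinue) {
    # Only touch enabled inbound rules that apply to an active profile.
    if ($rule.Direction -ne 'Inbound' -or $rule.Enabled -ne 'True') { continue }
    $profiles = $rule.Profile.ToString()
    if ($profiles -ne 'Any' -and -not ($active | Where-Object { $profiles -match $_ })) { continue }

    $current = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)

    # Skip rules already open to every address, or already listing the subnet
    # (Windows may report it back in CIDR or netmask form).
    if ($current -contains 'Any' -or ($current -like "$network/*")) { continue }

    # Append rather than replace, so existing entries such as LocalSubnet are kept.
    Set-NetFirewallRule -Name $rule.Name -RemoteAddress ($current + $VpnSubnet)
}

# Show the resulting scope of every matching rule for review.
Get-NetFirewallRule -DisplayName $RuleNames -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Profile       = $_.Profile
        Enabled       = $_.Enabled
        RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
    }
} | Format-Table -AutoSize
```

Appending to the existing scope keeps the rules limited to the local subnet plus the VPN clients, rather than opening SMB and ICMP to every remote address.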
 
Well, hell, y'all, when I thought about what I could/couldn't do, WF seems very obvious in hindsight. (to be embarrassingly honest, I had configured WF as you mentioned...but on the remote/VPN PC, not the LAN resource I was trying to reach--DUH!). @AurelM, thanks for the explicit instructions--these were crystal clear. And thanks to all of you for your suggestions--I can properly work from home now!

And will disable compression too.
 
@SKSSF, take @martinr's advice and set Compression to Disabled (for more information check The VORACLE attack vulnerability).

Just as @ColinTaylor says, there is nothing wrong on the router's OpenVPN server configuration or the client side of things (as you can use remote desktop over vpn), and indeed the problem is with the firewall on the server/target computer(s) that you try to access.
You can try disabling the firewall for testing purposes to make sure that's the problem, but you should keep it enabled and modify the relevant rules for long term usage.

I'll list the steps you need to do for Windows 10's integrated firewall, again, on the server/target computer. If you use another firewall application, you need to edit its rules.

- type wf.msc in start menu and hit enter to open Windows Defender Firewall with Advanced Security;
- check which profile is active, Private or Public (it won't be Domain because in that case you should already be able to access the shares over vpn);
- select Inbound Rules and open the properties of the File and Printer Sharing (SMB-In) for the active profile by double clicking it or right clicking and selecting Properties (it should already be enabled because you said you can access the shares on your lan);
- go to the Scope tab and click Add... button on the Remote IP address section. Type 10.8.0.0/24 on the selected field and click OK button. Click the OK button to close the rule's properties.

Now you should have access to the shares on that computer from any vpn client.

For ping to work, I'm not sure, but I guess you should do the same steps as above for the File and Printer Sharing (Echo Request - ICMPv4-In) rule.
THANK YOU! THIS SOLVED MY PROBLEM. XOXO
 
