OpenVPN Issue connecting to LAN Device

[Wishmaster1965]

My Setup

I have OpenVPN setup as Both so I can have Diversion being used when I am mobile

So on my phone I can see the windows 10 box but the Sat Linux box no.....

The Sat linux box has a web site, no firewall and can be accessed by the Win10 box but not when on openvpn on my phone.

I have the client config set to 'push "route 192.168.1.0 255.255.255.0"'

iptables Output

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:1194
YazFiINPUT  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
logdrop    all  --  anywhere             anywhere             state INVALID
PTCSRVWAN  all  --  anywhere             anywhere
PTCSRVLAN  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere             state NEW
OVPN       all  --  anywhere             anywhere             state NEW
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     ipv6 --  anywhere             anywhere
logdrop    all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ipttolan   all  --  anywhere             anywhere
iptfromlan  all  --  anywhere             anywhere
TCPMSS     tcp  --  anywhere             anywhere             tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU
YazFiDNSFILTER_DOT  tcp  --  anywhere             anywhere             tcp dpt:853
YazFiFORWARD  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
other2wan  all  --  anywhere             anywhere
logdrop    all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
logdrop    all  --  anywhere             anywhere             state INVALID
SECURITY   all  --  anywhere             anywhere
NSFW       all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT
OVPN       all  --  anywhere             anywhere             state NEW
DNSFILTER_DOT  tcp  --  anywhere             anywhere             tcp dpt:853
logdrop    all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain ACCESS_RESTRICTION (0 references)
target     prot opt source               destination

Chain DNSFILTER_DOT (1 references)
target     prot opt source               destination
REJECT     all  --  anywhere            !RT-AC88U-EB98.HOME   reject-with icmp-port-unreachable

Chain FUPNP (0 references)
target     prot opt source               destination

Chain INPUT_ICMP (0 references)
target     prot opt source               destination

Chain INPUT_PING (0 references)
target     prot opt source               destination

Chain NSFW (1 references)
target     prot opt source               destination

Chain OVPN (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain PControls (0 references)
target     prot opt source               destination
logdrop    all  --  anywhere             anywhere

Chain PTCSRVLAN (1 references)
target     prot opt source               destination

Chain PTCSRVWAN (1 references)
target     prot opt source               destination

Chain SECURITY (1 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
logdrop    tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN
RETURN     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
logdrop    tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/RST
RETURN     icmp --  anywhere             anywhere             icmp echo-request limit: avg 1/sec burst 5
logdrop    icmp --  anywhere             anywhere             icmp echo-request
RETURN     all  --  anywhere             anywhere

Chain YazFiDNSFILTER_DOT (1 references)
target     prot opt source               destination

Chain YazFiFORWARD (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
YazFiREJECT  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
YazFiREJECT  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain YazFiINPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             base-address.mcast.net/4
ACCEPT     udp  --  anywhere             anywhere             multiport dports bootps,ntp
ACCEPT     icmp --  anywhere             anywhere
YazFiREJECT  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             base-address.mcast.net/4
ACCEPT     udp  --  anywhere             anywhere             multiport dports bootps,ntp
ACCEPT     icmp --  anywhere             anywhere
YazFiREJECT  all  --  anywhere             anywhere

Chain YazFiREJECT (4 references)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain default_block (0 references)
target     prot opt source               destination

Chain iptfromlan (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.168.1.0/255.255.255.0 name: lan
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.168.1.0/255.255.255.0 name: lan

Chain ipttolan (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.168.1.0/255.255.255.0 name: lan
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.168.1.0/255.255.255.0 name: lan

Chain logaccept (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
ACCEPT     all  --  anywhere             anywhere

Chain logdrop (10 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain other2wan (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
logdrop    all  --  anywhere             anywhere

What am I missing for me to see the linux site on my phone on openvpn ?

 

[eibgrad]

When dumping iptables, please include the full options, as NOT doing so often leaves out useful information.

iptables -vnL INPUT
iptables -vnL FORWARD
iptables -vnL OVPN

IIRC, the router automatically push's the local network to the OpenVPN client (not that adding it yourself is going to do any harm). Also, unless Diversion is on a different IP network, using Both is unnecessary. If that was the case, you'd have to be push'ing that other IP network explicitly.

All that said, on the face of it, I see no reason if both the targets are on the same IP network and one is accessible, and the other isn't, and the latter doesn't even have a firewall, that it shouldn't be working. Not unless the Linux box doesn't have a default gateway specified (which seems highly unlikely).

Is the Linux box at least pingable? Maybe the specific application being targeted is sensitive to the source IP (e.g., it will only accept the 192.168.1.0/24 and public networks).

 

[eibgrad]

P.S. I just noticed you said you have the *client* config set to 'push "route 192.168.1.0 255.255.255.0"'. Only the *server* can push routes (to the client). IOW, the server informs the client about the IP network(s) available over the tunnel.

 

[Wishmaster1965]

Server config is where I push the settings from.

Might need a bit more testing from my side.