OpenVPN server: Can't see network behind router from client

Narbat

New Around Here
I need help with openvpn. I can't get the openvpn server on my AC66U to route packets to/from the LAN side of the router.

Code:
+----------------+  +----------------+
|LAN 192.168.1.2 |  |LAN 192.168.1.3 | ....
+----------------+  +----------------+
         |                   |
         +-------------------+-------- ....
                  |
                {lan}
                  |
         +----------------+
         |LAN 192.168.1.1 |
         |                | server
         |WAN xx.xx.xx.xx | (rt-ac66u)
         |VPN 10.150.207.5|
         +----------------+
                  |
                {vpn}
                  |
         +----------------+
         |VPN 10.150.207.6| client
         +----------------+

The client *does* connect to the VPN. From the client I can ping the server's VPN address and the LAN address. I can also ssh, http, etc to the server's LAN address from the client. That all works perfectly. I cannot, however, ping or connect to any of the other hosts on the LAN.

To be perfectly clear: From the client I ping 192.168.1.1 and I get a response. I ping 192.168.1.2 and I get nothing back. I can also ssh to 192.168.1.1 but get a timeout when I ssh to 192.168.1.2.

I'm 99% sure my client is configured correctly. The routing tables look right, and I've verified with Wireshark that packets to 192.168.1.0/24 are being sent on the client's VPN interface. Looking at my client's physical interface I can see encrypted packets caused by the pings. So packets are leaving the client.

These packets are not arriving at the hosts on the LAN, with the exception of the router's LAN port. There must be some routing magic not happening on the router.

Here's the openvpn config and the routing tables from the router. I've tried a million variations with and without the custom config lines, with and without the client config file, etc. I can't find anything that works. Suggestions? Please?

Code:
# Automatically generated configuration
daemon
server 10.150.207.0 255.255.255.0
proto udp
port 1194
dev tun21
keepalive 15 60
verb 3
push "route 192.168.1.0 255.255.255.0"
client-config-dir ccd
route 192.168.1.0 255.255.255.0
push "dhcp-option DNS 192.168.1.1"
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status

# Custom Configuration
multihome
route 192.168.1.0 255.255.255.0
route 10.150.207.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "route 10.150.207.0 255.255.255.0"

admin@RT-AC66R:/tmp/etc/openvpn/server1# cat ccd/marimac
iroute 192.168.1.0 255.255.255.0
Code:
admin@RT-AC66R:/tmp/etc/openvpn/server1# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.150.207.2    0.0.0.0         255.255.255.255 UH    0      0        0 tun21
98.209.16.1     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
10.150.207.0    10.150.207.2    255.255.255.0   UG    0      0        0 tun21
xx.xx.xx.0      0.0.0.0         255.255.252.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         xx.xx.xx.1      0.0.0.0         UG    0      0        0 eth0
 
What's your OpenVPN Server set to for Firewall? Automatic, External Only, or Custom?

Almost sounds like something I ran across...
 
extensi0n, I think you've nailed it. I had it set to "External Only" but after changing to "Automatic" everything's working. And looking at /tmp/etc/openvpn/fw/server1-fw.sh it appears that that setting controls how iptables is configured for forwarding. Cool. Thanks a lot!
 
I give RMerlin all the credit for this, as it was his help that helped me fix that via email, on a couple weekend nights.

I knew it seemed like a firewall issue, but if the firewall is not set to Automatic, the proper rules aren't created for passing traffic past the server router...or client router, I believe that is the case as well, if you are doing site to site OVPN as I am. (coming from memory)

Trying to pay it back. :)

Still learning the OVPN, since advanced networking isn't my specialty...
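The two posts above attribute the fix to the OpenVPN "Firewall" setting: with "External Only" the router only opens the listening port, while "Automatic" also adds the iptables rules that let tunnel traffic be forwarded onto br0. The script below is an added example, not code from this thread or from the RT-AC66U firmware, that turns that explanation into a check you can run on the router: it reads an `iptables -S FORWARD` dump, reports whether a tun21 to br0 ACCEPT rule exists, verifies the kernel forwarding knob, and prints the narrowest rule set that would allow the LAN to be reached. Interface names, port and subnets (tun21, br0, 1194, 10.150.207.0/24, 192.168.1.0/24) are taken from the thread; the two rule dumps are constructed approximations of what the firmware generates, not the real contents of server1-fw.sh, and all function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread or the router firmware). Demonstrates
# checking and generating the FORWARD rules an OpenVPN server router needs.

# Names from the thread; override via environment if yours differ.
TUN_IF="${TUN_IF:-tun21}"
LAN_IF="${LAN_IF:-br0}"
VPN_PORT="${VPN_PORT:-1194}"
VPN_NET="${VPN_NET:-10.150.207.0/24}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Constructed sample: roughly what "External Only" yields in `iptables -S`.
# Only the listening port is opened; nothing from the tunnel is forwarded.
RULES_EXTERNAL_ONLY='-P INPUT DROP
-P FORWARD DROP
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT'

# Constructed sample: "Automatic" additionally accepts tunnel traffic into
# the router and forwards it between the tunnel and the LAN bridge.
RULES_AUTOMATIC='-P INPUT DROP
-P FORWARD DROP
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun21 -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A FORWARD -i tun21 -o br0 -j ACCEPT
-A FORWARD -i br0 -o tun21 -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT'

# has_forward_accept TUN LAN: reads `iptables -S FORWARD` text on stdin and
# succeeds only if an ACCEPT rule forwards packets from TUN to LAN.
has_forward_accept() {
    grep -Eq "^-A FORWARD .*-i $1 .*-o $2 .*-j ACCEPT"
}

# ip_forward_enabled FILE: true when the kernel forwarding knob (normally
# /proc/sys/net/ipv4/ip_forward) reads 1. Without it no rule helps.
ip_forward_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# minimal_forward_rules: prints the narrowest rules that let VPN clients reach
# the LAN: new flows only tunnel -> LAN, and only replies LAN -> tunnel.
# Suitable as a starting point for the "Custom" firewall setting.
minimal_forward_rules() {
    printf '%s\n' \
      "iptables -I INPUT -p udp --dport $VPN_PORT -j ACCEPT" \
      "iptables -I FORWARD -i $TUN_IF -o $LAN_IF -s $VPN_NET -d $LAN_NET -j ACCEPT" \
      "iptables -I FORWARD -i $LAN_IF -o $TUN_IF -s $LAN_NET -d $VPN_NET -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# diagnose: run on the router itself to explain why LAN hosts are unreachable
# from VPN clients even though the router's own LAN address answers.
diagnose() {
    if ! ip_forward_enabled /proc/sys/net/ipv4/ip_forward; then
        echo "ip_forward is 0: the kernel will not route between $TUN_IF and $LAN_IF"
    fi
    if ! iptables -S FORWARD | has_forward_accept "$TUN_IF" "$LAN_IF"; then
        echo "no FORWARD ACCEPT rule $TUN_IF -> $LAN_IF: packets to LAN hosts are dropped"
        echo "rules that would allow it:"
        minimal_forward_rules
    fi
}

# Usage on the router: sh thisfile.sh diagnose
if [ "$1" = "diagnose" ]; then
    diagnose
fi
```

The symptom in the original post, reaching 192.168.1.1 but nothing else on the LAN, is exactly what the first sample rule set produces: replies to the router's own address never traverse FORWARD, while packets to other hosts do and are dropped by the FORWARD policy. One caveat on the posted server config: `iroute` in a ccd file tells OpenVPN that the named subnet lies behind that client, so an `iroute 192.168.1.0 255.255.255.0` entry for a client on the server's own LAN is not what makes the LAN reachable; the forwarding rules are.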
 
Hello. I had a similar issue, except that mine was related to my Windows hosts not being able to be reached by my VPN client outside of disabling the private Windows firewall profile on each of them. I didn't like the trade-off between unreachability and exposing the LAN by disarming the firewall.

But I found the solution here: http://www.sevenforums.com/network-...ion-incoming-scope-rule-different-subnet.html

While I don't know the details on why/how this works, this way the Windows firewall will be open to multiple subnets, which was my issue as the firewall is by default set up for packets not received by its own subnet.
 