[Solved] Cannot see my LAN with openvpn

cowst

Senior Member
Hi,
I started an openvpn server on my N66U. I can connect from my Android phone and from my office PC (but not from my laptop in my own guest net somehow), and I can access the web interface using the LAN IP, but I cannot reach any address within the LAN (no ping, no HTTP; didn't try shared folders, don't care for now).

I concluded that pushing the lan address and client routes work fine, otherwise I couldn't connect to the lan ip of the router. Right?

Then the problem should be in the router configuration itself (my guess is iptables or routes).
I think this is a pretty common configuration, is there anything obvious I have to set?
Here are my configs:
### Server
# Automatically generated configuration
daemon
topology subnet
server 10.8.0.0 255.255.255.0
proto udp
rcvbuf 0
sndbuf 0
port 1194
dev tun21
comp-lzo adaptive
keepalive 15 60
verb 3
push "route 192.168.2.0 255.255.255.0"
duplicate-cn
push "dhcp-option DNS 192.168.2.1"
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status

# Custom Configuration


### Client
client
dev tun
proto udp
remote myaddress.asuscomm.com 1194
float
comp-lzo adaptive
keepalive 15 60
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
secret
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
secret
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
secret
-----END PRIVATE KEY-----
</key>
resolv-retry infinite
nobind
 
The issue could be on your client OS. Android and Windows might not share the same cause, though the phenomenon seems the same.

You can debug the issue from starting with the routing table in your client OS.
 
In the Advanced Settings page in the OpenVPN Server tab in the webui, down the bottom of the page there is a block of 4, starting with Push LAN to clients down to Advertise DNS to clients. All mine are set to Yes. It allows me to browse remotely through the vpn as well as seeing my LAN. Not totally sure, but I think the setting you want is Push LAN to clients. Sounds right, but I'm sure 5 minutes of experimentation will confirm it.
 
Both push LAN and DNS are selected (also visible from the config I posted, if I understand them correctly).
I'll check that all are selected though.

I doubt it's OS related.
Router is linux, my office pc is linux, the machine in the lan is a Linux satellite receiver, and the phone is android, which is linux based.
0 windows taint :)
Also, I tend to not blame the client because if I can access the router with the internal ip, it should mean that the routes are pushed correctly (both from Android and office pc).
 
Also, I tend to not blame the client because if I can access the router with the internal ip, it should mean that the routes are pushed correctly (both from Android and office pc).

Being a Linux house sounds good.

Why not simply check the routing table of the client OS to confirm/diagnose?
 
I did, but I didn't take it as a problem since I could reach the internal router ip.
But now I have the feeling the following is missing something...

u0_a118@hammerhead:/ $ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
10.38.81.224 0.0.0.0 255.255.255.224 U 0 0 0 rmnet0
10.74.210.210 10.38.81.241 255.255.255.255 UGH 0 0 0 rmnet0
10.74.210.211 10.38.81.241 255.255.255.255 UGH 0 0 0 rmnet0

I will check tonight also on a rooted phone.
Could be that without root the app cannot modify routes?
But does it mean only rooted phones can successfully vpn?
It makes no sense.
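An added example (not the thread's own script) that checks the point raised in this post: it parses the push lines from the router's server config and the client's route -n output as posted above, and reports which pushed networks the client kernel table does not carry on tun0. The two inputs are constructed from the text above; the function and variable names are mine.

```python
import ipaddress
import re

# Constructed sample input copied from the thread: the push lines from the
# router's server config and the client's "route -n" output posted above.
SERVER_CONFIG = """
push "route 192.168.2.0 255.255.255.0"
push "dhcp-option DNS 192.168.2.1"
"""
CLIENT_ROUTE_N = """Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
10.38.81.224 0.0.0.0 255.255.255.224 U 0 0 0 rmnet0
10.74.210.210 10.38.81.241 255.255.255.255 UGH 0 0 0 rmnet0
10.74.210.211 10.38.81.241 255.255.255.255 UGH 0 0 0 rmnet0
"""
PUSH_ROUTE = re.compile(r'^push\s+"route\s+(\S+)\s+(\S+)"')

def pushed_networks(config):
    """Networks the server tells clients to send over the tunnel."""
    nets = []
    for line in config.splitlines():
        m = PUSH_ROUTE.match(line.strip())
        if m:  # ipaddress accepts the dotted netmask form OpenVPN uses
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return nets

def parse_route_n(output):
    """Parse 'route -n' rows into (network, gateway, iface) tuples."""
    rows = []
    for line in output.splitlines():
        f = line.split()
        if len(f) == 8 and f[0] != "Destination":
            rows.append((ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False), f[1], f[7]))
    return rows

def lookup(rows, host):
    """Longest-prefix match: interface that will carry traffic to host, or None."""
    addr = ipaddress.ip_address(host)
    best = None
    for net, gw, iface in rows:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best[2] if best else None

def missing_pushed_routes(config, output, tun_iface="tun0"):
    """Pushed networks that are not installed on the tunnel interface."""
    rows = parse_route_n(output)
    return [str(n) for n in pushed_networks(config)
            if not any(net == n and iface == tun_iface for net, _, iface in rows)]
```

With the posted table, 192.168.2.0/24 is reported missing and lookup() finds no interface at all for 192.168.2.1, so the table as shown cannot explain the working connection to the router. Android's VpnService may install tunnel routes in a separate policy-routing table, so on an unrooted phone compare against ip route show table all rather than the main table alone.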
 
I have no problem with the openvpn client adding routes in iOS and Android (no rooting or jailbreak).

If you check the openvpn client log, you may be able to find error messages about failing to add a route, or perhaps about honouring server push requests.
 
I did, but I didn't take it as a problem since I could reach the internal router ip.
But now I have the feeling the following is missing something...

u0_a118@hammerhead:/ $ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
10.38.81.224 0.0.0.0 255.255.255.224 U 0 0 0 rmnet0
10.74.210.210 10.38.81.241 255.255.255.255 UGH 0 0 0 rmnet0
10.74.210.211 10.38.81.241 255.255.255.255 UGH 0 0 0 rmnet0

I will check tonight also on a rooted phone.
Could be that without root the app cannot modify routes?
But does it mean only rooted phones can successfully vpn?
It makes no sense.
Maybe you are missing this iptables rule!?
http://www.mcbsys.com/blog/2011/11/set-up-vlan-and-site-to-site-vpn-with-tomato/
 
My problem is not lan-to-lan, but the rule forwarding br0-tun21 makes sense, although this being a router, openvpn server, pushing LAN, I would expect it to know that it needs to bridge them, not let me do it manually.
Anyway, it didn't work. :(

On the client side I would expect a "route 192.168.0.2 tun0", or anything unrecognised to go through 10.8.0.1 tun0, but I guess that's not the case and I couldn't add it from the terminal emulator.
However I know of people doing nothing on client side on Android and it just works (one above here :) ), so I hoped to focus on the router.
 

Attachment: clientlog.txt
Are you sure client and server do not use TUN11 or TUN21? I see you use TUN0. Look in your ovpn.conf file.
 
On the client, route shows tun0.
Is it wrong?
Should I do something specific about it?
I just used the client1.ovpn provided by the router.
 
On the client, route shows tun0.
Is it wrong?
Should I do something specific about it?
I just used the client1.ovpn provided by the router.
Make sure they match each other on server and client side.
 
Hi,
.......I can connect from my Android phone and from my office PC (but not from my laptop in my own guest net somehow),

You can't connect from inside your own network. I don't know why. I'd have to check but I think you can with the PPTP vpn; anyway, my point is that not being able to connect from inside is normal.
 
@octopus: are you saying that how the tun interface is called is relevant to the connection? server says "dev tun21", and the generated client file says "dev tun" and takes tun0.

@martinr: thanks. in order to see the server config, ssh or telnet to your router, and "cat /etc/openvpn/server1/config.ovpn"
 
Usually server1 uses TUN21 and client1 uses TUN11. If you use TUN0, maybe your firewall rule does not match.
Check the client1 firewall rule with: cat /etc/openvpn/fw/client1-fw.sh, with e.g. PuTTY or Xshell, while client1 is running.
 
Thanks, I'll check tomorrow from the office. It is very frustrating to do it with a phone client, especially if I am in the same LAN I want to reach through the vpn :)

for now on the server
@RT-N66U:/tmp/home/root# cat /etc/openvpn/fw/server1-fw.sh
#!/bin/sh
iptables -t nat -I PREROUTING -p udp --dport 1194 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -I INPUT -i tun21 -j ACCEPT
iptables -I FORWARD 2 -i tun21 -j ACCEPT
 
The network
@octopus: are you saying that how the tun interface is called is relevant to the connection? server says "dev tun21", and the generated client file says "dev tun" and takes tun0.

@martinr: thanks. in order to see the server config, ssh or telnet to your router, and "cat /etc/openvpn/server1/config.ovpn"

Many thanks. I finally remembered.

My server config file screenshot is at:

https://www.dropbox.com/s/u1t639neip6gtli/File 13-12-2015, 21 44 23.png?dl=0

I see a couple of differences between mine and yours such as:

Push "redirect-gateway def1". Unfortunately, I don't know enough about this to know how relevant the differences are and whether or not they account for the problem.
 
I played around with options and currently I have a config almost exactly like yours.
I think the issue is not in openvpn, but rather the firewall.
Did you set anything special on firewall, WAN, or anywhere?
Tomorrow first thing I want to try to figure out (traceroute or wireshark) from the office where the traffic is dying.
If it seems to leave the client I know the issue is on the router, which is what I think; otherwise I cannot explain why from my client 10.8.0.2 I can open 192.168.2.1 (router internal IP).
 
........
did you set anything special on firewall, wan, or anywhere?

No, definitely not. I try to mess around with the router as little as possible for obvious reasons, and my knowledge is quite limited, e.g. I've not graduated to wireshark yet. That said, most of what I have learned is thanks to custom firmware and forums like this.
 
Are you sure client and server do not use TUN11 or TUN21? I see you use TUN0. Look in your ovpn.conf file.
Make sure they match each other on server and client side.
Usually server1 uses TUN21 and client1 uses TUN11. If you use TUN0, maybe your firewall rule does not match.
Check the client1 firewall rule with: cat /etc/openvpn/fw/client1-fw.sh, with e.g. PuTTY or Xshell, while client1 is running.

A couple of clarifications:

1) On the router, OpenVPN client and OpenVPN server operate independently.

2) The OpenVPN client on the router is not involved in any way for an external OpenVPN client (e.g. a laptop from the office) to connect to the OpenVPN server on the router.

3) The TUN device is only meaningful in the context of its underlying OS. In OP's example, TUN0 is in the context of the Android phone that runs the OpenVPN client. TUN21 is in the context of ASUS router that runs OpenVPN server.

Not that I'm nitpicking... but I read you're confused and spread the confusion to readers of the forum. :)
 