unable to reach specific LAN device when connected to OpenVPN Server

[#TY]

Follow-up. Im connected to the office VPN with the setup mod above but I cant ping the internal IPs in 192.168.1.x. Did I miss something?

 

[eibgrad]

0 0 SNAT all -- * br0 10.8.0.0/24 0.0.0.0/0 to:192.168.1.1

The above line is the applied NAT rule.

 

[#TY]

0 0 SNAT all -- * br0 10.8.0.0/24 0.0.0.0/0 to:192.168.1.1

The above line is the applied NAT rule.

I see. So theoretically, I should be able to ping the internal network right? If so, atm I am unable to do so.

 

[eibgrad]

What's the local network on which the OpenVPN client is running? Could it be 192.168.1.x, just like the server side? As I said, that's going to be a big problem in most cases, esp. when dealing w/ home users.

 

[#TY]

Not a

What's the local network on which the OpenVPN client is running? Could it be 192.168.1.x, just like the server side? As I said, that's going to be a big problem in most cases, esp. when dealing w/ home users.

Not at all. Its 10.0.10.x

 

[eibgrad]

The problem here is that only have a keyhole perspective at the moment. I can see your OpenVPN server config, but that's it. No idea how you configured the client, what the logs of both the client and server are reporting, no way to know the state of their respective routing tables, etc. I don't even know if the clients are other routers or Windows.

 

[#TY]

The problem here is that only have a keyhole perspective at the moment. I can see your OpenVPN server config, but that's it. No idea how you configured the client, what the logs of both the client and server are reporting, no way to know the state of their respective routing tables, etc. I don't even know if the clients are other routers or Windows.

The VPN client is on an Asus running merlin 384.19. Same for the OpenVPN Server. Its running on an Asus router also running the latest Merlin firmware.

As for the way I setup the client, I simply exported the config file from the server and imported into the client. Do I have to redo this procedure after applying the mod you suggested?

 

[#TY]

From my system log files (the client):

Oct 26 19:33:13 ovpn-client2[13297]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 26 19:33:13 ovpn-client2[13297]: TUN/TAP device tun12 opened
Oct 26 19:33:13 ovpn-client2[13297]: TUN/TAP TX queue length set to 1000
Oct 26 19:33:13 ovpn-client2[13297]: /sbin/ifconfig tun12 10.8.0.2 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Oct 26 19:33:13 lldpd[480]: removal request for address of 10.8.0.2%34, but no knowledge of it
Oct 26 19:33:13 lldpd[480]: removal request for address of 10.8.0.2%34, but no knowledge of it
Oct 26 19:33:13 ovpn-client2[13297]: ovpn-up 2 client tun12 1500 1552 10.8.0.2 255.255.255.0 init
Oct 26 19:33:16 ovpn-client2[13297]: /sbin/route add -net 192.168.1.0 netmask 255.255.255.0 metric 500 gw 10.8.0.1
Oct 26 19:33:16 ovpn-client2[13297]: Initialization Sequence Completed
Oct 26 19:33:48 miniupnpd[2412]: remove port mapping 51413 TCP because it has expired

 

[eibgrad]

The VPN client is on an Asus running merlin 384.19. Same for the OpenVPN Server. Its running on an Asus router also running the latest Merlin firmware.

As for the way I setup the client, I simply exported the config file from the server and imported into the client. Do I have to redo this procedure after applying the mod you suggested?

The NAT rule is merely an enhancement, a way of disguising the fact the tunnel is using a different IP network from the private network. It helps in situations where the target is for reasons of its own not willing/able to respond to the tunnel's IP network (common w/ Windows). You should be able to reach at least *some* other device, even the remote router itself (presumably 192.168.1.1). Try a ping of 192.168.1.1

 

[#TY]

The NAT rule is merely an enhancement, a way of disguising the fact the tunnel is using a different IP network from the private network. It helps in situations where the target is for reasons of its own not willing/able to respond to the tunnel's IP network (common w/ Windows). You should be able to reach at least *some* other device, even the remote router itself (presumably 192.168.1.1). Try a ping of 192.168.1.1

My router is connected to the office VPN. The VPN Client on the router received an IP of 10.8.0.2

from my laptop, Im trying to ping 192.168.1.1

ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4

 

[eibgrad]

Btw, are you testing this from a device *behind* the router supporting the OpenVPN client, or from the router itself? Make sure you NAT the tunnel on the OpenVPN client or the former won't work.

 

[#TY]

Btw, are you testing this from a device *behind* the router supporting the OpenVPN client, or from the router itself? Make sure you NAT the tunnel on the OpenVPN client or the former won't work.

You mean run the exact same script you provided on my router at home as well?

 

[eibgrad]

You mean run the exact same script you provided on my router at home as well?

No. I'm talking about your attempts to access a remote device on 192.168.1.x from the OpenVPN client. That could be from the router itself (e.g., during an ssh session), OR, a client, like the laptop, that's *behind* the OpenVPN client. For the latter to work, you must have NAT enabled on the OpenVPN client config.

 

[#TY]

No. I'm talking about your attempts to access a remote device on 192.168.1.x from the OpenVPN client. That could be from the router itself (e.g., during an ssh session), OR, a client, like the laptop, that's *behind* the OpenVPN client. For the latter to work, you must have NAT enabled on the OpenVPN client config.

Yes, I am trying to ping from my laptop, which is behind the OpenVPN Client router.

How do I enable NAT in the OpenVPN Client Config? That could be the missing link.

 

[eibgrad]

Yes, I am trying to ping from my laptop, which is behind the OpenVPN Client router.

How do I enable NAT in the OpenVPN Client Config? That could be the missing link.

That's an option in the OpenVPN client GUI.

 

[#TY]

That's an option in the OpenVPN client GUI.

This is how it currently is setup:

 

[eibgrad]

Ok, that's good. While on the router supporting the OpenVPN client, using an ssh session, can you ping 192.168.1.1 (I presume that's the remote router supporting the OpenVPN server)?

 

[#TY]

Ok, that's good. While on the router supporting the OpenVPN client, using an ssh session, can you ping 192.168.1.1 (I presume that's the remote router supporting the OpenVPN server)?

I SSH into my router at 10.0.10.1, then I ran ping 192.168.1.1... no response. Yes, the remote Asus router is supporting the OpenVPN server.

 

[#TY]

On the OpenVPN server, I still get this:

master@RT-AX88U-5920:/tmp/home/root# iptables -t nat -vnL POSTROUTING
Chain POSTROUTING (policy ACCEPT 1986 packets, 229K bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * br0 10.8.0.0/24 0.0.0.0/0 to:192.168.1.1
0 0 ACCEPT all -- * * 192.168.1.0/24 0.0.0.0/0 policy match dir out pol ipsec
8945 667K PUPNP all -- * ppp0 0.0.0.0/0 0.0.0.0/0
5100 405K MASQUERADE all -- * ppp0 !70.50.248.251 0.0.0.0/0
0 0 MASQUERADE all -- * eth0 !169.254.89.118 0.0.0.0/0
839 180K MASQUERADE all -- * br0 192.168.1.0/24 192.168.1.0/24
master@RT-AX88U-5920:/tmp/home/root#


Is this line normal?
0 0 MASQUERADE all -- * eth0 !169.254.89.118 0.0.0.0/0

 

[eibgrad]

Time to see what's actually happening there by dumping the relevant data structures.

On the OpenVPN *server*, post the output from the following commands.

ip route
iptables -vnL INPUT
iptables -vnL FORWARD
iptables -t nat -vnL POSTROUTING
cat /tmp/etc/openvpn/server1/config.ovpn

On the OpenVPN *client*, post the output from the following commands.

ip route
iptables -vnL FORWARD
iptables -t nat -vnL POSTROUTING
cat /tmp/etc/openvpn/client1/config.ovpn