08-19-2019, 10:35 AM   #1
zorro_kwh
Connecting to hosts through OpenVPN


Hi,
I have the following configuration:
  • OpenVPN Server on a raspi with address 192.168.0.14 and 10.5.5.2 for the OpenVPN side.
  • Hardware router with OpenWRT on address 192.168.0.1
  • File Server to access 192.168.0.11
The good news is I can connect from the internet using OpenVPN apps without problem. I can log in with ssh on my OpenVPN server. I can access all hosts within my local network 192.168.0.* using ping on my OpenVPN server without problems. But I cannot reach the file server or any other host except the OpenVPN server and the router directly from the OpenVPN client!

My OpenVPN client gets an address like 10.5.5.6

I have the following routing tables:
On OpenVPN-Server:
Code:
$ netstat -nr
Kernel-IP-Routentabelle
Ziel            Router          Genmask         Flags   MSS Fenster irtt Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 eth0
10.5.5.0        10.5.5.2        255.255.255.0   UG        0 0          0 tun0
10.5.5.2        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
On Router:
Code:
$ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth1
10.5.5.0        192.168.0.14    255.255.255.0   UG        0 0          0 br-lan
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 br-lan
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
On my file server:
Code:
$ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 eth0
When I ping my file server from the OpenVPN client I get no response.
When I traceroute my client I get:
Code:
$  traceroute 10.5.5.6
traceroute to 10.5.5.6 (10.5.5.6), 30 hops max, 60 byte packets
 1  OpenWrt.lan (192.168.0.1)  2.156 ms  2.102 ms  2.077 ms
 2  OpenWrt.lan (192.168.0.1)  2.062 ms  2.797 ms  2.787 ms
When I add the following route:
Code:
# route add -net 10.5.5.0 netmask 255.255.255.0 gateway 192.168.0.14
I can traceroute my OpenVPN client:
Code:
$  traceroute 10.5.5.6
traceroute to 10.5.5.6 (10.5.5.6), 30 hops max, 60 byte packets
 1  raspberrypi.lan (192.168.0.14)  4.336 ms  4.304 ms  4.282 ms
 2  10.5.5.6 (10.5.5.6)  89.269 ms  92.398 ms  92.388 ms
Why is it not sufficient to set a route to the VPN-Server on my router?

I would expect that a ping from my client to a host in my network will go the following path:

10.5.5.6-->10.5.5.2-->192.168.0.14-->192.168.0.11

The response should go:

192.168.0.11-->192.168.0.1-->192.168.0.14-->10.5.5.2-->10.5.5.6

But only with the manually added static route it goes:

192.168.0.11-->192.168.0.14-->10.5.5.2-->10.5.5.6

As a short workaround I added this static route manually to some of the hosts I want to connect using my OpenVPN clients.

But why is the route to the VPN-Server on the router (default gateway for all hosts in the local network) not sufficient? A packet to a host with address 10.5.5.6 should be sent to the default gateway and then forwarded to the OpenVPN-server by the default gateway. Why is that not working?

Can anybody explain?
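
Added example (not part of any post in this thread): a longest-prefix-match lookup over the three routing tables posted above, walking the reply path from the file server to 10.5.5.6 with and without the manual static route. The host labels, the `OWNER` map and the helper names are assumptions made for the illustration.

```python
import ipaddress

# Routing tables copied from the netstat -nr output in post #1:
# (destination, genmask, gateway, interface)
TABLES = {
    "fileserver": [("192.168.0.0", "255.255.255.0", "0.0.0.0", "eth0"),
                   ("0.0.0.0", "0.0.0.0", "192.168.0.1", "eth0")],
    "router": [("0.0.0.0", "0.0.0.0", "192.168.1.1", "eth1"),
               ("10.5.5.0", "255.255.255.0", "192.168.0.14", "br-lan"),
               ("192.168.0.0", "255.255.255.0", "0.0.0.0", "br-lan"),
               ("192.168.1.0", "255.255.255.0", "0.0.0.0", "eth1")],
    "vpnserver": [("0.0.0.0", "0.0.0.0", "192.168.0.1", "eth0"),
                  ("10.5.5.0", "255.255.255.0", "10.5.5.2", "tun0"),
                  ("10.5.5.2", "255.255.255.255", "0.0.0.0", "tun0"),
                  ("192.168.0.0", "255.255.255.0", "0.0.0.0", "eth0")],
}
OWNER = {"192.168.0.1": "router", "192.168.0.14": "vpnserver"}  # gateway IP -> host
STATIC = ("10.5.5.0", "255.255.255.0", "192.168.0.14", "eth0")  # the manual route

def lookup(table, dst):
    """Longest-prefix match over one table; returns (gateway, iface) or None."""
    dst, best = ipaddress.ip_address(dst), None
    for net, mask, gw, iface in table:
        plen = bin(int(ipaddress.ip_address(mask))).count("1")
        if dst in ipaddress.ip_network(f"{net}/{plen}") and (best is None or plen > best[0]):
            best = (plen, gw, iface)
    return best[1:] if best else None

def reply_path(start, dst, tables):
    """Walk next hops from `start` toward `dst`; returns [(host, gateway, iface)]."""
    path, host = [], start
    while host in tables and len(path) < 8:   # hop limit guards against loops
        hop = lookup(tables[host], dst)
        if hop is None:
            break
        path.append((host, *hop))
        host = OWNER.get(hop[0])              # next hop not modelled: stop
    return path

def hairpins(table, src, dst):
    """True if a packet src->dst enters and leaves on the same interface."""
    return lookup(table, src)[1] == lookup(table, dst)[1]

if __name__ == "__main__":
    print(reply_path("fileserver", "10.5.5.6", TABLES))
    fixed = dict(TABLES, fileserver=TABLES["fileserver"] + [STATIC])
    print(reply_path("fileserver", "10.5.5.6", fixed))
    print(hairpins(TABLES["router"], "192.168.0.11", "10.5.5.6"))
```

Without the static route the reply reaches the router, whose lookup sends it back out br-lan, the same interface it arrived on. Whether the router actually forwards such a packet depends on its forwarding and firewall settings, which the thread does not show.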
 
08-20-2019, 05:43 PM   #2
Skaperen
Can you draw a map of your network with IP addresses labeled and show us?
 
11-23-2019, 11:38 AM   #3
zorro_kwh
Original Poster
Network

[Attached image: Netzproblem.png]

OpenVPN Server IP is not 10.5.5.4. It is 10.5.5.2! I made a typo.

I think that when the server replies, the router sends the packet to the internet and not back to the OpenVPN server.

How can I change the priority of the route destination, so that packets with destination 10.5.5.6 will be forwarded to 192.168.0.14 (the OpenVPN Server) instead of the default route destination?

Last edited by zorro_kwh; 11-23-2019 at 11:45 AM. Reason: Typos, Translation
 
11-23-2019, 03:52 PM   #4
ferrari
FWIW, your question seems to be similar to this one
https://superuser.com/questions/5376...openvpn-server
In particular...
Quote:

I finally found out what the problem was. I am using OpenVPN's "routing" option which creates a new subnet for all OpenVPN connections. My client was getting assigned an IP address from this subnet, and so was my server, so they could talk to each other across this network. With IPv4 forwarding enabled on my server, I was also able to send packets out onto my LAN, and was obviously able to talk to the server via its LAN IP address.

When the client tried to talk to other computers on my LAN, the packets from my client were reaching my LAN hosts (I didn't verify this, but I'm pretty sure they were), but the source address of these packets was the address from the OpenVPN network. The LAN hosts knew this wasn't on their LAN, and the only thing they knew to do in that case was to send them to the default gateway, which was my router. I doubt it did anything with them as sending a packet to a private IP range out onto the internet is pointless.

The solution is to add a static route to all LAN hosts, or use OpenVPN's "bridging" option instead of "routing". I have not done this yet, but am sure this is the way to go.
 
11-24-2019, 03:04 AM   #5
zorro_kwh
Original Poster
Tried static route on gateway without success

I have tried the additional route for source IP 10.5.5.* to OpenVPN server 192.168.0.14 without success.

The other option "adding a static route on all hosts of the LAN" doesn't work for me, because I cannot add additional routes to my IP-camera which I want to access using OpenVPN. This device has only the default route to the router (192.168.0.1) and no possibility to add any additional routes. For the file servers I can add additional static routes (and that works).

I thought that adding a static route on the default gateway (an OpenWRT router) will fix this but it doesn't.

Can anybody explain why? - If there is a way to make it work. What settings must I make on my OpenWRT router?

Last edited by zorro_kwh; 11-24-2019 at 03:05 AM. Reason: typos
 
11-24-2019, 11:02 AM   #6
michaelk
I am far from being an OpenVPN expert, but as far as I understand you're creating a tunnel between the client and your Pi. The router, by forwarding port 1149, is just passing traffic between the two, and there should not be any bridge etc. necessary on the router. The tunnel being the 10.5.5.0 network, the Pi should route the 10.5.5.0 traffic to your local LAN, i.e. 192.168.0.0. I expect the traffic should flow like:

10.5.5.6-->10.5.5.2-->192.168.0.14-->192.168.0.11

It could be an OpenVPN or Pi configuration problem, maybe iptables related? Have you checked the openvpn logs, i.e. /var/log/openvpn.log? Are you running pivpn? If so, running it in debug mode might provide some help.
 
  

