Access to an OpenVPN client on my LAN

Hello!
I have 2 routers. My office is connected to my home network via OpenVPN.
All works, awesome.
Now the problem is this: on my home network I can ping and access the OpenVPN client from my office, but only on my router via SSH; there I can ping it:

root@home:~# ping 192.168.17.2
PING 192.168.17.2 (192.168.17.2): 56 data bytes
64 bytes from 192.168.17.2: seq=0 ttl=64 time=20.901 ms
64 bytes from 192.168.17.2: seq=1 ttl=64 time=24.463 ms
64 bytes from 192.168.17.2: seq=2 ttl=64 time=18.000 ms
64 bytes from 192.168.17.2: seq=3 ttl=64 time=16.572 ms

Now what I want to do is to access these OpenVPN clients via my LAN, e.g.:

patrikx3@bitang:~$ ping 192.168.17.2
PING 192.168.17.2 (192.168.17.2) 56(84) bytes of data.
From 192.168.78.1 icmp_seq=1 Destination Port Unreachable
From 192.168.78.1 icmp_seq=2 Destination Port Unreachable
From 192.168.78.1 icmp_seq=3 Destination Port Unreachable
From 192.168.78.1 icmp_seq=4 Destination Port Unreachable
From 192.168.78.1 icmp_seq=5 Destination Port Unreachable

But I cannot access that OpenVPN client from my LAN, and it would be nice, as then I could access my remote office router.

My OpenVPN client subnet is 192.168.17.0/24, and the LAN subnet on my home router is 192.168.78.0/24.

I tried all kind of routes:

route add -net 192.168.17.0/24 gw 192.168.17.1
route add -net 192.168.17.0/24 gw 192.168.78.1

But it is not working. Is it possible at all?

https://openwrt.org/docs/guide-user/services/vpn/openvpn/extras#site-to-site


I followed this info, but it started to hide my OpenVPN in the LuCI config; besides, it is not working, although I could connect with this config. Still, it is weird.
What I think happened, and what helped, is that I set it up like this:

Now I can access the VPN client (e.g. 192.168.17.2), so I can ping it from my LAN, but not the remote LAN. This is the setting that forwarded my OpenVPN LAN to my home LAN: Allow forward from source zones:

This is what I followed:
Implement plain routing between server side LAN and client side LAN assuming that:

  • 192.168.78.0/24 - server side LAN
  • 192.168.70.0/24 - client side LAN
  • 192.168.17.0/24 - VPN network
  • 192.168.17.2/24 - VPN client

Enable CCD on the VPN server, add a route to the client side LAN, push a route to the server side LAN (actually OpenVPN is in UCI, so based on this I used what follows afterwards).

VPN_CCD="/etc/openvpn/ccd"
mkdir -p "${VPN_CCD}" 
cat << EOF > "${VPN_CCD}/vpnclient" 
ifconfig-push 192.168.17.2 255.255.255.0 
iroute 192.168.70.0 255.255.255.0 
EOF 
cat << EOF >> /etc/openvpn/vpnserver.conf 
client-config-dir ${VPN_CCD}
route 192.168.70.0 255.255.255.0 192.168.17.2
push "route 192.168.78.0 255.255.255.0" 
EOF
service openvpn restart

So because my OpenVPN settings are in UCI:

VPN_CCD="/etc/openvpn/ccd"
mkdir -p "${VPN_CCD}"
cat << EOF > "${VPN_CCD}/vpnclient"
ifconfig-push 192.168.17.2 255.255.255.0
iroute 192.168.70.0 255.255.255.0
EOF
# this changed
cat << EOF >> /etc/config/openvpn
client-config-dir ${VPN_CCD}
route 192.168.70.0 255.255.255.0 192.168.17.2
push "route 192.168.78.0 255.255.255.0"
EOF
# "service" is missing in 18.06.4, so I used /etc/init.d/openvpn instead,
# but because of this I tried to commit to UCI first
uci commit
# result: Parse error (invalid command) at line 38, byte 4
# looks like it is not liking the client-config-dir directive!!!
#service openvpn restart
/etc/init.d/openvpn restart

Consider VPN network as private and assign VPN interface to LAN zone on VPN client.

uci -q delete firewall.@zone[1].device
uci set firewall.@zone[0].device="tun0" 
uci commit firewall 
service firewall restart

As I had totally different settings, I did not change the firewall at all. I do not understand why I would delete zone[1] and set uci set firewall.@zone[0].device.

Even if I used these settings, how would my firewall work via LuCI or even via UCI, and which firewall settings are appropriate?

This is what it does not like:

client-config-dir ${VPN_CCD}
route 192.168.70.0 255.255.255.0 192.168.17.2
push "route 192.168.78.0 255.255.255.0" 

How can I translate it to UCI?
The problem is that this is not the raw OpenVPN setting, but it is using UCI by now...

The /etc/openvpn/openvpn.conf is totally missing in 18.06.4.

Here is the UCI setting (translated from the raw OpenVPN config):

config openvpn 'digi'
    option client_config_dir '/etc/openvpn/ccd'
    option route '192.168.70.0 255.255.255.0 192.168.17.2'
    list push "route 192.168.78.0 255.255.255.0"

AFAIR, it should be list route.

The guide assumes that both the client and server side LANs as well as the VPN network are trusted, so it is assigned to the LAN zone; however, you can change it as you see fit.
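The translation rule behind the "list route" correction is mechanical: a directive name with "-" becomes a UCI option name with "_", directives OpenVPN allows to repeat (push, route, iroute, ...) become `list` entries, everything else becomes `option`, and a bare flag such as client-to-client becomes `option client_to_client '1'`. As an added example (not the poster's code and not from the OpenWrt project), here is a small POSIX shell function that applies that rule, so a hand-written section can be checked against it before it goes into /etc/config/openvpn. The set of directives treated as lists is an assumption modelled on the list options the OpenWrt openvpn init script understands; extend it if your config repeats other directives.

```shell
#!/bin/sh
# Repeatable OpenVPN directives become "list" entries in UCI; everything else
# becomes "option". This set is an assumption modelled on the list options the
# OpenWrt openvpn init script understands; extend it if your config needs more.
LIST_DIRECTIVES="push route iroute remote route_ipv6 iroute_ipv6"

# is_list_directive <uci-name>: succeeds if the directive is repeatable
is_list_directive() {
    for d in $LIST_DIRECTIVES; do
        [ "$1" = "$d" ] && return 0
    done
    return 1
}

# ovpn_to_uci <instance>: read raw OpenVPN directives on stdin and print the
# equivalent "config openvpn '<instance>'" section for /etc/config/openvpn.
#   - blank lines and comments (# or ;) are dropped
#   - "-" in directive names becomes "_" (client-config-dir -> client_config_dir)
#   - a bare flag (e.g. client-to-client) becomes option <name> '1'
#   - surrounding double quotes are removed (push "route ..." -> 'route ...')
ovpn_to_uci() {
    printf "config openvpn '%s'\n" "$1"
    # read -r splits the first word (directive) from the rest (its arguments);
    # the "|| [ -n ... ]" keeps a last line that has no trailing newline
    while read -r name args || [ -n "$name" ]; do
        case "$name" in
            ''|'#'*|';'*) continue ;;
        esac
        uciname=$(printf '%s' "$name" | tr '-' '_')
        case "$args" in
            \"*\") args=${args#\"}; args=${args%\"} ;;
        esac
        if [ -z "$args" ]; then
            printf "\toption %s '1'\n" "$uciname"
        elif is_list_directive "$uciname"; then
            printf "\tlist %s '%s'\n" "$uciname" "$args"
        else
            printf "\toption %s '%s'\n" "$uciname" "$args"
        fi
    done
}

# Usage on the three directives from this thread (constructed input, the same
# lines the poster appended to openvpn.conf):
printf '%s\n' 'client-config-dir /etc/openvpn/ccd' \
    'route 192.168.70.0 255.255.255.0 192.168.17.2' \
    'push "route 192.168.78.0 255.255.255.0"' | ovpn_to_uci digi
```

It only uses `read`, `printf` and `tr`, so it runs unchanged under BusyBox ash on the router itself. Values containing a single quote would need extra escaping, which the function does not do.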

So like this?

client-config-dir ${VPN_CCD}
route 192.168.70.0 255.255.255.0 192.168.17.2
push "route 192.168.78.0 255.255.255.0" 

from openvpn.conf translated to uci as:

    option client_config_dir '/etc/openvpn/ccd'
    list route '192.168.70.0 255.255.255.0 192.168.17.2'
    list push "route 192.168.78.0 255.255.255.0"

But what is weird is that in the generated config it is not pushing to the client; see what it generates:

client-to-client
persist-key
persist-tun
tls-server
ca /etc/easy-rsa/keys/ca.crt
cert /etc/easy-rsa/keys/digi.crt
cipher AES-256-CBC
client-config-dir /etc/openvpn/ccd
compress lzo
dev tun
dh /etc/easy-rsa/keys/dh2048.pem
group nogroup
keepalive 10 120
key /etc/easy-rsa/keys/digi.key
log /var/log/openvpn.log
mode server
mute 5
port 1194
proto udp
push "persist-key"
push "persist-tun"
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.78.20"
push "route 192.168.78.0 255.255.255.0"
# shouldn't this be here (you are saying the list route should happen on both server and client)?
# push "route 192.168.70.0 255.255.255.0 192.168.17.2"
route 192.168.70.0 255.255.255.0 192.168.17.2
route-gateway dhcp
server 192.168.17.0 255.255.255.0
status /var/log/openvpn_status.log
tls-auth /etc/easy-rsa/keys/ta.key 0
topology subnet
user nobody
verb 3

I still can't ping the remote client LAN:

root@home:~# ping 192.168.70.1
PING 192.168.70.1 (192.168.70.1): 56 data bytes

But the old remote VPN IP is available, although it is firewalled, and I want the remote client LAN:

root@home:~# ping 192.168.17.2
PING 192.168.17.2 (192.168.17.2): 56 data bytes
64 bytes from 192.168.17.2: seq=0 ttl=64 time=44.973 ms
64 bytes from 192.168.17.2: seq=1 ttl=64 time=63.585 ms
64 bytes from 192.168.17.2: seq=2 ttl=64 time=18.554 ms
64 bytes from 192.168.17.2: seq=3 ttl=64 time=20.000 ms

So the settings look right, but I still cannot ping the remote LAN from the router. :frowning:

head -v -n -0 /etc/openvpn/ccd/*

Looks right:

root@home:~# head -n -0 /etc/openvpn/ccd/*
# VPN client IP is right, I can ping it
ifconfig-push 192.168.17.2 255.255.255.0
# remote LAN, I cannot ping the router at 192.168.70.1
iroute 192.168.70.0 255.255.255.0

Besides, this is bothering me:

uci -q delete firewall.@zone[1].device
uci set firewall.@zone[0].device="tun0"
uci commit firewall
service firewall restart

What am I doing? This part I did not change, only what I showed you on the picture.
Is the firewall still missing something?
But shouldn't it work on the router without it, though? To access the VPN client IP address, the setting as it is on the picture gave me the ping from my home LAN, but it is not the VPN client I want to connect to, but the remote (office) LAN... which is not working...

Disable the masquerading in the VPN zone.
Then post the diagnostics from both VPN client and server:

uci show network; uci show firewall; uci show openvpn
ip addr show; ip route show; ip rule show; iptables-save

This is overflow:
https://cdn.corifeus.com/archive/router.txt

Can you let me know when you have seen it, as there are passwords? I fucked up; please do not break into me :slight_smile:

OK, I asterisked the passwords...

OK, but right now I cannot access the remote office client router, as I am at home drinking whiskey.
So it looks like something is wrong on the office side, don't you think?

I think I have to do something with the office router's client VPN; now I understand this part:

Consider VPN network as private and assign VPN interface to LAN zone on VPN client.

uci -q delete firewall.@zone[1].device
uci set firewall.@zone[0].device="tun0"
uci commit firewall
service firewall restart

I cannot do it until I am in the office on Monday!
That is the problem, right?
I have to set the firewall on the office router to connect the OpenVPN client and the LAN somehow.
Right?

Both client and server firewalls should be configured accordingly to allow traffic forwarding in the directions you want.
Then you can use traceroute to test the routing.