Access to an OpenVPN client on my LAN

OK, thanks. I might ask you on Monday, but I think the problem is that I cannot configure the firewall in my office, so we are doing well, but it is in the office. etc etc etc etc

Thanks so much for helping, @vgaetera!


Still not working. On my office remote vpnclient I created a firewall zone:


Then the firewall on my office router:

But I have to use Masquerading, as it does not work without it, and the firewall looks like this:

But from my home VPN I cannot access it. What am I missing?

Now, what is good is that the VPN IP 192.168.17.2 is now accepted by the firewall.
So I can access the VPN client, e.g.:
https://192.168.17.2/cgi-bin/luci/admin/network/firewall

But now, how can I access the office LAN from my home?
Instead of:
https://192.168.17.2/cgi-bin/luci/admin/network/firewall (OpenVPN client IP)
to be able to access:
https://192.168.70.1/cgi-bin/luci/admin/network/firewall (which is my remote office LAN, that I am not able to access)
What is missing? I allowed everything on my remote office router.

Make sure that firewall configuration is fine including all the destination hosts.
Check the routing with traceroute from server and client LANs in both directions.
Verify that the iroute option applies properly.

I allowed everything. I had to enable Masquerading to at least have access in the office from home.
Same allows in both directions. But still from home I can't access the office LAN.
I can access the office VPN IP address, but not the office LAN itself.
HOME => access VPN IP, no OFFICE LAN
OFFICE => access VPN IP, access HOME LAN

I set everything exactly as the site-to-site page says.
In the office I can see the home LAN, as the route says:

At home I can see the office LAN route correctly:

Still, for some reason I cannot see my office LAN at home.
So sad.
Only the VPN client 192.168.17.2.

SAME SETTINGS, NOT BI-DIRECTIONAL :frowning:
From my home firewall, where I cannot see my office LAN:


From my office firewall, where I can see my home LAN:


Via TeamViewer I try to traceroute my office LAN, but it is blank:

Looks like the VPN client server 192.168.17.2 is not providing the office LAN.

# VPN client
service log restart; service openvpn restart; sleep 10; logread -e openvpn
root@hawk:~# /etc/init.d/log restart; /etc/init.d/openvpn restart; sleep 10; logread -e openvpn
Mon Jul 15 12:02:23 2019 daemon.err openvpn(vpnclient)[5938]: event_wait : Interrupted system call (code=4)
Mon Jul 15 12:02:23 2019 daemon.notice openvpn(vpnclient)[5938]: /sbin/ifconfig tun0 0.0.0.0
Mon Jul 15 12:02:23 2019 daemon.notice openvpn(vpnclient)[5938]: SIGTERM[hard,] received, process exiting
Mon Jul 15 12:02:23 2019 daemon.notice openvpn(vpnclient)[8389]: OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Jul 15 12:02:23 2019 daemon.notice openvpn(vpnclient)[8389]: library versions: OpenSSL 1.0.2s  28 May 2019, LZO 2.10
Mon Jul 15 12:02:23 2019 daemon.warn openvpn(vpnclient)[8389]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Jul 15 12:02:23 2019 daemon.notice openvpn(vpnclient)[8389]: TCP/UDP: Preserving recently used remote address: [AF_INET]86.101.8.160:1194
Mon Jul 15 12:02:23 2019 daemon.notice openvpn(vpnclient)[8389]: UDP link local: (not bound)
Mon Jul 15 12:02:23 2019 daemon.notice openvpn(vpnclient)[8389]: UDP link remote: [AF_INET]86.101.8.160:1194
Mon Jul 15 12:02:23 2019 daemon.notice openvpn(vpnclient)[8389]: [digi] Peer Connection Initiated with [AF_INET]86.101.8.160:1194
Mon Jul 15 12:02:24 2019 daemon.notice openvpn(vpnclient)[8389]: TUN/TAP device tun0 opened
Mon Jul 15 12:02:24 2019 daemon.notice openvpn(vpnclient)[8389]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Jul 15 12:02:24 2019 daemon.notice openvpn(vpnclient)[8389]: /sbin/ifconfig tun0 192.168.17.2 netmask 255.255.255.0 mtu 1500 broadcast 192.168.17.255
Mon Jul 15 12:02:24 2019 daemon.notice openvpn(vpnclient)[8389]: Initialization Sequence Completed
root@hawk:~# cat /etc/openvpn/vpnclient.ovpn 
client
dev tun
proto udp
remote home.router.patrikx3.com 1194
resolv-retry infinite
nobind
mute-replay-warnings
# 
# maybe only in Windows?
# if not working, use this
# ns-cert-type
remote-cert-tls server
key-direction 1
verb 1
mute 20
comp-lzo
askpass /etc/openvpn/secret.key
pull-filter ignore redirect-gateway
cipher AES-256-CBC
# uncomment for Windows 7 clients
#route-method exe
#route-delay 2
# VPN server
service log restart

# VPN client
service openvpn restart

# VPN server
sleep 10; logread -e openvpn
root@hawk:~# /etc/init.d/log restart
root@hawk:~# /etc/init.d/openvpn restart
root@hawk:~# sleep 10; logread -e openvpn
Mon Jul 15 12:08:30 2019 daemon.err openvpn(vpnclient)[8389]: event_wait : Interrupted system call (code=4)
Mon Jul 15 12:08:30 2019 daemon.notice openvpn(vpnclient)[8389]: /sbin/ifconfig tun0 0.0.0.0
Mon Jul 15 12:08:30 2019 daemon.notice openvpn(vpnclient)[8389]: SIGTERM[hard,] received, process exiting
Mon Jul 15 12:08:30 2019 daemon.notice openvpn(vpnclient)[8795]: OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Jul 15 12:08:30 2019 daemon.notice openvpn(vpnclient)[8795]: library versions: OpenSSL 1.0.2s  28 May 2019, LZO 2.10
Mon Jul 15 12:08:30 2019 daemon.warn openvpn(vpnclient)[8795]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Jul 15 12:08:30 2019 daemon.notice openvpn(vpnclient)[8795]: TCP/UDP: Preserving recently used remote address: [AF_INET]86.101.8.160:1194
Mon Jul 15 12:08:30 2019 daemon.notice openvpn(vpnclient)[8795]: UDP link local: (not bound)
Mon Jul 15 12:08:30 2019 daemon.notice openvpn(vpnclient)[8795]: UDP link remote: [AF_INET]86.101.8.160:1194
Mon Jul 15 12:08:31 2019 daemon.notice openvpn(vpnclient)[8795]: [digi] Peer Connection Initiated with [AF_INET]86.101.8.160:1194
Mon Jul 15 12:08:32 2019 daemon.notice openvpn(vpnclient)[8795]: TUN/TAP device tun0 opened
Mon Jul 15 12:08:32 2019 daemon.notice openvpn(vpnclient)[8795]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Jul 15 12:08:32 2019 daemon.notice openvpn(vpnclient)[8795]: /sbin/ifconfig tun0 192.168.17.2 netmask 255.255.255.0 mtu 1500 broadcast 192.168.17.255
Mon Jul 15 12:08:32 2019 daemon.notice openvpn(vpnclient)[8795]: Initialization Sequence Completed

Increase the log verbosity to verb 3 at least.

root@hawk:~# /etc/init.d/log restart; /etc/init.d/openvpn restart; sleep 10; logread -e openvpn
Mon Jul 15 12:12:15 2019 daemon.err openvpn(vpnclient)[8795]: event_wait : Interrupted system call (code=4)
Mon Jul 15 12:12:15 2019 daemon.notice openvpn(vpnclient)[8795]: /sbin/ifconfig tun0 0.0.0.0
Mon Jul 15 12:12:15 2019 daemon.notice openvpn(vpnclient)[8795]: SIGTERM[hard,] received, process exiting
Mon Jul 15 12:12:15 2019 daemon.notice openvpn(vpnclient)[9198]: OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Jul 15 12:12:15 2019 daemon.notice openvpn(vpnclient)[9198]: library versions: OpenSSL 1.0.2s  28 May 2019, LZO 2.10
Mon Jul 15 12:12:15 2019 daemon.warn openvpn(vpnclient)[9198]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Jul 15 12:12:15 2019 daemon.notice openvpn(vpnclient)[9198]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 15 12:12:15 2019 daemon.notice openvpn(vpnclient)[9198]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 15 12:12:15 2019 daemon.notice openvpn(vpnclient)[9198]: TCP/UDP: Preserving recently used remote address: [AF_INET]86.101.8.160:1194
Mon Jul 15 12:12:15 2019 daemon.notice openvpn(vpnclient)[9198]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Mon Jul 15 12:12:15 2019 daemon.notice openvpn(vpnclient)[9198]: UDP link local: (not bound)
Mon Jul 15 12:12:15 2019 daemon.notice openvpn(vpnclient)[9198]: UDP link remote: [AF_INET]86.101.8.160:1194
Mon Jul 15 12:12:15 2019 daemon.notice openvpn(vpnclient)[9198]: TLS: Initial packet from [AF_INET]86.101.8.160:1194, sid=f353b00b aad06117
Mon Jul 15 12:12:15 2019 daemon.notice openvpn(vpnclient)[9198]: VERIFY OK: depth=1, C=HU, ST=Hungary, L=Balaton, O=Corifeus, OU=Development, CN=digi, name=digi, emailAddress=alabard@gmail.com
Mon Jul 15 12:12:15 2019 daemon.notice openvpn(vpnclient)[9198]: VERIFY KU OK
Mon Jul 15 12:12:15 2019 daemon.notice openvpn(vpnclient)[9198]: Validating certificate extended key usage
Mon Jul 15 12:12:15 2019 daemon.notice openvpn(vpnclient)[9198]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jul 15 12:12:15 2019 daemon.notice openvpn(vpnclient)[9198]: VERIFY EKU OK
Mon Jul 15 12:12:15 2019 daemon.notice openvpn(vpnclient)[9198]: VERIFY OK: depth=0, C=HU, ST=Hungary, L=Balaton, O=Corifeus, OU=Development, CN=digi, name=digi, emailAddress=alabard@gmail.com
Mon Jul 15 12:12:15 2019 daemon.notice openvpn(vpnclient)[9198]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Jul 15 12:12:15 2019 daemon.notice openvpn(vpnclient)[9198]: [digi] Peer Connection Initiated with [AF_INET]86.101.8.160:1194
Mon Jul 15 12:12:16 2019 daemon.notice openvpn(vpnclient)[9198]: SENT CONTROL [digi]: 'PUSH_REQUEST' (status=1)
Mon Jul 15 12:12:16 2019 daemon.notice openvpn(vpnclient)[9198]: PUSH: Received control message: 'PUSH_REPLY,persist-key,persist-tun,redirect-gateway def1,dhcp-option DNS 192.168.78.20,route 192.168.78.0 255.255.255.0,route-gateway 192.168.17.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.17.2 255.255.255.0,peer-id 1,cipher AES-256-GCM'
Mon Jul 15 12:12:16 2019 daemon.notice openvpn(vpnclient)[9198]: Pushed option removed by filter: 'redirect-gateway def1'
Mon Jul 15 12:12:16 2019 daemon.notice openvpn(vpnclient)[9198]: OPTIONS IMPORT: timers and/or timeouts modified
Mon Jul 15 12:12:16 2019 daemon.notice openvpn(vpnclient)[9198]: OPTIONS IMPORT: --persist options modified
Mon Jul 15 12:12:16 2019 daemon.notice openvpn(vpnclient)[9198]: OPTIONS IMPORT: --ifconfig/up options modified
Mon Jul 15 12:12:16 2019 daemon.notice openvpn(vpnclient)[9198]: OPTIONS IMPORT: route options modified
Mon Jul 15 12:12:16 2019 daemon.notice openvpn(vpnclient)[9198]: OPTIONS IMPORT: route-related options modified
Mon Jul 15 12:12:16 2019 daemon.notice openvpn(vpnclient)[9198]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Jul 15 12:12:16 2019 daemon.notice openvpn(vpnclient)[9198]: OPTIONS IMPORT: peer-id set
Mon Jul 15 12:12:16 2019 daemon.notice openvpn(vpnclient)[9198]: OPTIONS IMPORT: adjusting link_mtu to 1625
Mon Jul 15 12:12:16 2019 daemon.notice openvpn(vpnclient)[9198]: OPTIONS IMPORT: data channel crypto options modified
Mon Jul 15 12:12:16 2019 daemon.notice openvpn(vpnclient)[9198]: Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Jul 15 12:12:16 2019 daemon.notice openvpn(vpnclient)[9198]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Jul 15 12:12:16 2019 daemon.notice openvpn(vpnclient)[9198]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Jul 15 12:12:16 2019 daemon.notice openvpn(vpnclient)[9198]: TUN/TAP device tun0 opened
Mon Jul 15 12:12:16 2019 daemon.notice openvpn(vpnclient)[9198]: TUN/TAP TX queue length set to 100
Mon Jul 15 12:12:16 2019 daemon.notice openvpn(vpnclient)[9198]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Jul 15 12:12:16 2019 daemon.notice openvpn(vpnclient)[9198]: /sbin/ifconfig tun0 192.168.17.2 netmask 255.255.255.0 mtu 1500 broadcast 192.168.17.255
Mon Jul 15 12:12:16 2019 daemon.notice openvpn(vpnclient)[9198]: /sbin/route add -net 192.168.78.0 netmask 255.255.255.0 gw 192.168.17.1
Mon Jul 15 12:12:16 2019 daemon.notice openvpn(vpnclient)[9198]: Initialization Sequence Completed

But the problem is not at the office, as I can access everything in the office; the problem is at home. Shouldn't it be the reverse, to check the log on my home? As at home I cannot access my office LAN, isn't that right?

Show the VPN server log with verb 3 at least including incoming client connection.

I think I found the problem, isn't it that my office is behind a proxy? It is not able to receive on a public IP address?
I am in a big building with a main network and every office has its own router, so basically my office router is not open to the public, isn't that so? Or is that not a problem, because it is talking to the OpenVPN gateway?

Server log of OpenVPN:

root@home:~# tail -f /var/log/openvpn.log
Mon Jul 15 12:12:15 2019 MULTI: new connection by client 'digi-client' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Mon Jul 15 12:12:15 2019 MULTI_sva: pool returned IPv4=192.168.17.2, IPv6=(Not enabled)
Mon Jul 15 12:12:15 2019 MULTI: Learn: 192.168.17.2 -> digi-client/79.121.80.30:46272
Mon Jul 15 12:12:15 2019 MULTI: primary virtual IP for digi-client/79.121.80.30:46272: 192.168.17.2
Mon Jul 15 12:12:16 2019 digi-client/79.121.80.30:46272 PUSH: Received control message: 'PUSH_REQUEST'
Mon Jul 15 12:12:16 2019 digi-client/79.121.80.30:46272 SENT CONTROL [digi-client]: 'PUSH_REPLY,persist-key,persist-tun,redirect-gateway def1,dhcp-option DNS 192.168.78.20,route 192.168.78.0 255.255.255.0,route-gateway 192.168.17.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.17.2 255.255.255.0,peer-id 1,cipher AES-256-GCM' (status=1)
Mon Jul 15 12:12:16 2019 digi-client/79.121.80.30:46272 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Jul 15 12:12:16 2019 digi-client/79.121.80.30:46272 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Jul 15 12:12:16 2019 digi-client/79.121.80.30:46272 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Jul 15 12:26:23 2019 digi-client/79.121.80.30:46272 write UDPv4: Operation not permitted (code=1)
Mon Jul 15 12:31:04 2019 79.121.80.30:49668 TLS: Initial packet from [AF_INET]79.121.80.30:49668, sid=bcb62dbd f409c19b
Mon Jul 15 12:31:04 2019 79.121.80.30:49668 VERIFY OK: depth=1, C=HU, ST=Hungary, L=Balaton, O=Corifeus, OU=Development, CN=digi, name=digi, emailAddress=alabard@gmail.com
Mon Jul 15 12:31:04 2019 79.121.80.30:49668 VERIFY OK: depth=0, C=HU, ST=Hungary, L=Balaton, O=Corifeus, OU=Development, CN=digi-client, name=digi-client, emailAddress=alabard@gmail.com
Mon Jul 15 12:31:04 2019 79.121.80.30:49668 peer info: IV_VER=2.4.5
Mon Jul 15 12:31:04 2019 79.121.80.30:49668 peer info: IV_PLAT=linux
Mon Jul 15 12:31:04 2019 79.121.80.30:49668 peer info: IV_PROTO=2
Mon Jul 15 12:31:04 2019 79.121.80.30:49668 peer info: IV_NCP=2
Mon Jul 15 12:31:04 2019 79.121.80.30:49668 peer info: IV_LZ4=1
Mon Jul 15 12:31:04 2019 79.121.80.30:49668 peer info: IV_LZ4v2=1
Mon Jul 15 12:31:04 2019 79.121.80.30:49668 peer info: IV_LZO=1
Mon Jul 15 12:31:04 2019 79.121.80.30:49668 peer info: IV_COMP_STUB=1
Mon Jul 15 12:31:04 2019 79.121.80.30:49668 peer info: IV_COMP_STUBv2=1
Mon Jul 15 12:31:04 2019 79.121.80.30:49668 peer info: IV_TCPNL=1
Mon Jul 15 12:31:04 2019 79.121.80.30:49668 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Jul 15 12:31:04 2019 79.121.80.30:49668 [digi-client] Peer Connection Initiated with [AF_INET]79.121.80.30:49668
Mon Jul 15 12:31:04 2019 MULTI: new connection by client 'digi-client' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Mon Jul 15 12:31:04 2019 MULTI_sva: pool returned IPv4=192.168.17.2, IPv6=(Not enabled)
Mon Jul 15 12:31:04 2019 MULTI: Learn: 192.168.17.2 -> digi-client/79.121.80.30:49668
Mon Jul 15 12:31:04 2019 MULTI: primary virtual IP for digi-client/79.121.80.30:49668: 192.168.17.2
Mon Jul 15 12:31:07 2019 digi-client/79.121.80.30:49668 PUSH: Received control message: 'PUSH_REQUEST'
Mon Jul 15 12:31:07 2019 digi-client/79.121.80.30:49668 SENT CONTROL [digi-client]: 'PUSH_REPLY,persist-key,persist-tun,redirect-gateway def1,dhcp-option DNS 192.168.78.20,route 192.168.78.0 255.255.255.0,route-gateway 192.168.17.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.17.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Mon Jul 15 12:31:07 2019 digi-client/79.121.80.30:49668 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Jul 15 12:31:07 2019 digi-client/79.121.80.30:49668 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Jul 15 12:31:07 2019 digi-client/79.121.80.30:49668 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

On the VPN server:

ls -l /etc/openvpn/ccd
cat /etc/openvpn/ccd/digi-client
cat: can't open '/etc/openvpn/ccd/digi-client': No such file or directory

Should it be named digi-client? Is that the problem?
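The following script is an added example for the iroute/ccd advice earlier in the thread and for the file-name question above; it is not code from the thread, from OpenWrt or from OpenVPN. It constructs a sample server.conf and ccd/ directory in a temporary folder (the server LAN 192.168.78.0/24 follows the PUSH_REPLY in the logs; the office LAN 192.168.70.0/24 and the CN digi-client are assumed for illustration) and then checks the three pieces a site-to-site setup needs on the server: client-config-dir enabled, a ccd file named exactly after the client certificate's CN carrying an iroute for the client LAN, and a matching kernel route in server.conf. It also pulls the depth=0 CN out of a constructed "VERIFY OK" log line, since that CN is the name OpenVPN looks up under ccd/.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed sample files; illustrative
# addresses and CN. Checks an OpenVPN server's site-to-site routing pieces.

# make_sample_tree <dir>: write a constructed server.conf and ccd/ into <dir>.
make_sample_tree() {
    mkdir -p "$1/ccd"
    cat > "$1/server.conf" <<'EOF'
port 1194
proto udp
dev tun
server 192.168.17.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
push "route 192.168.78.0 255.255.255.0"
route 192.168.70.0 255.255.255.0
EOF
    # The ccd file name must equal the leaf-certificate CN of the client.
    printf 'iroute 192.168.70.0 255.255.255.0\n' > "$1/ccd/digi-client"
}

# cn_from_verify_line <line>: extract the depth=0 CN from a server-side
# "VERIFY OK" log line; OpenVPN looks up ccd/<that CN> for the client.
cn_from_verify_line() {
    printf '%s\n' "$1" | sed -n 's/.*depth=0.*CN=\([^,]*\),.*/\1/p'
}

# check_site_to_site <dir> <cn> <client-lan> <netmask>
# Returns 0 when the server can route <client-lan> to client <cn>:
#   1. client-config-dir is enabled in server.conf
#   2. ccd/<cn> exists and carries "iroute <lan> <mask>" (OpenVPN-internal)
#   3. server.conf carries "route <lan> <mask>" (kernel route into the tun)
check_site_to_site() {
    dir=$1; cn=$2; lan=$3; mask=$4
    conf="$dir/server.conf"; ccd="$dir/ccd/$cn"
    grep -q '^client-config-dir ' "$conf" \
        || { echo "FAIL: client-config-dir not set in $conf"; return 1; }
    [ -f "$ccd" ] \
        || { echo "FAIL: $ccd missing (name must match the client cert CN)"; return 1; }
    grep -q "^iroute $lan $mask" "$ccd" \
        || { echo "FAIL: no 'iroute $lan $mask' in $ccd"; return 1; }
    grep -q "^route $lan $mask" "$conf" \
        || { echo "FAIL: no kernel 'route $lan $mask' in $conf"; return 1; }
    echo "OK: $lan/$mask is routed to client $cn"
    return 0
}

# Constructed log line in the format OpenVPN prints at verb 3 on the server.
SAMPLE_VERIFY_LINE='Mon Jul 15 12:31:04 2019 203.0.113.7:49668 VERIFY OK: depth=0, C=HU, O=Example, CN=digi-client, name=digi-client, emailAddress=admin@example.com'

# Demo: healthy tree first, then the failure mode from the thread (no ccd
# file for the CN the server logged).
tmp=$(mktemp -d)
make_sample_tree "$tmp"
cn=$(cn_from_verify_line "$SAMPLE_VERIFY_LINE")
check_site_to_site "$tmp" "$cn" 192.168.70.0 255.255.255.0
rm "$tmp/ccd/$cn"
check_site_to_site "$tmp" "$cn" 192.168.70.0 255.255.255.0 || true
rm -rf "$tmp"
```

The two routes do different jobs: the kernel `route` in server.conf makes the home router hand packets for 192.168.70.0/24 to the tun interface, and the `iroute` in the ccd file tells the OpenVPN process which connected client owns that subnet. With the kernel route but no ccd file, the tunnel endpoint still answers (the behaviour reported in this thread) while packets for the office LAN have no client to be delivered to. Run the check against the real paths on the server (`/etc/openvpn/server.conf` and `/etc/openvpn/ccd`) with the CN taken from the "VERIFY OK: depth=0" line of the server log.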