Accessing LAN devices via OpenVPN clients

I'm having some trouble accessing my media server and other services hosted on my home computer over the internet as I'm behind a CG-NAT. I have a remote server running OpenVPN and I'd like to bridge it with my home network so that devices connected to the VPN can communicate with the devices on my LAN interface.

I've set up an OpenVPN client on my router with a VPN IP of 10.8.0.5 (server IP: 10.8.0.1). My LAN devices are tunnelled through the VPN successfully and can connect to the internet through the VPN's internet connection. Devices connected to the VPN can successfully ping my router, but they can't seem to communicate with devices on the LAN interface, which use IPs like 192.168.1.123 with gateway 192.168.1.1.

I've tried some solutions I found in previous posts, such as changing my LAN IPs to match the VPN subnet and bridging tun0 with the LAN, but that didn't work. I also experimented with changing my VPN from TUN to TAP, but that caused all devices connected through the VPN to lose internet access.

I'm new to OpenWrt and networking in general, so please forgive my ignorance, as it's likely I've missed something obvious.

I should also mention that I'm only routing some devices on the LAN through the VPN tunnel with policy-based routing.

My setup is an AVM Fritz!Box 7530 running OpenWRT 22.03. My OpenVPN server is running on Ubuntu 20.04.1 LTS.

My Config:

Server Config

# OpenVPN server (Ubuntu 20.04): routed TUN, subnet topology, 10.8.0.0/24 pool.
# x.x.x.x values are redacted by the author.
local x.x.x.x
port 1194
proto udp
dev tun
# Server PKI material. crl-verify (below) rejects revoked client certificates,
# so crl.pem must be regenerated whenever a client certificate is revoked.
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# HMAC for the data channel (ignored for the data channel if an AEAD cipher is
# negotiated).
auth SHA512
# Encrypts and authenticates the control channel with a pre-shared key; every
# client needs a copy of tc.key (the client config below does not show it, so
# it is presumably inline or in a separate file).
tls-crypt tc.key
# One address per client from 10.8.0.0/24; the router client is 10.8.0.5.
topology subnet
server 10.8.0.0 255.255.255.0
# Makes clients send all traffic through this server; the router client
# discards this with "pull-filter ignore redirect-gateway" in its own config.
push "redirect-gateway def1 bypass-dhcp"
# Keeps client -> VPN address assignments stable across restarts.
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS x.x.x.x"
# Ping every 10 s, restart the session after 120 s without a reply; pushed to clients.
keepalive 10 120
# Legacy single-cipher setting. OpenVPN 2.4+ negotiates the data-channel cipher
# (NCP), so the cipher actually in use is best read from the log; an AEAD
# cipher such as AES-256-GCM is preferable if both ends support it
# (TODO confirm the OpenVPN versions on server and router).
cipher AES-256-CBC
# Drop root privileges after start-up; persist-key/persist-tun keep the key
# material and tun device usable across restarts without re-reading as root.
user nobody
group nogroup
persist-key
persist-tun
# Lists connected client names and addresses; keep its file permissions tight.
status openvpn-status.log
verb 3
crl-verify crl.pem
# With UDP, tells clients when the server exits so they reconnect promptly.
explicit-exit-notify
# NOTE: nothing here tells the server that 192.168.1.0/24 sits behind the
# router client, so other VPN peers have no path to the LAN. The reply below
# adds "route" / push "route" plus a client-config-dir "iroute" entry for that.

Client Config

# OpenVPN client running on the OpenWrt router (creates tun0, 10.8.0.5).
# The CA/cert/key and the tls-crypt key are not shown; presumably inline
# <ca>/<cert>/<key>/<tls-crypt> blocks or separate files. The handshake
# fails without the same tc.key the server uses.
client
dev tun
proto udp
remote x.x.x.x 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Requires the server certificate to be marked as a server certificate, so a
# leaked client certificate cannot be used to impersonate the server.
remote-cert-tls server
# Must match the server's settings (subject to NCP negotiation on 2.4+).
auth SHA512
cipher AES-256-CBC
# Keep the router's own default route; only LAN hosts selected by policy-based
# routing are sent through tun0.
pull-filter ignore redirect-gateway
# block-outside-dns exists only on Windows builds; ignore-unknown-option makes
# this client skip it, so the two lines have no effect on OpenWrt.
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3

Network

# Standard loopback interface.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# IPv6 ULA prefix for the LAN (redacted by the author).
config globals 'globals'
        option ula_prefix 'x:x:x::/48'

# LAN bridge; its only member is eth0, the switch's CPU-facing device.
# Which physical ports belong to it is decided by VLAN 1 on switch0 below.
# NOTE(review): VLAN 1 is tagged towards the CPU ('0t'), so 'eth0.1' might be
# expected here; the author reports the LAN works, so this is left as is.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

# LAN side: 192.168.1.1/24, the subnet VPN peers need to reach.
# ip6assign '60' hands a /60 of the delegated IPv6 prefix to this interface.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.1'

# swconfig switch layout:
#   VLAN 1 (vid 1)   - LAN ports 4, 3, 2; tagged towards the CPU port 0.
#   VLAN 2 (vid 911) - ISP VLAN, tagged on uplink port 1 and the CPU port,
#                      which yields the eth0.911 device the WAN interface uses.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 4 3 2'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '911'
        option ports '0t 1t'

# Upstream: PPPoE over VLAN 911 (eth0.911). Credentials are redacted here;
# the live config file holds the PPPoE password in clear text, so keep it
# readable by root only and strip it before sharing.
# ipv6 'auto' normally makes OpenWrt bring up a companion IPv6 interface on
# the PPPoE session.
config interface 'WAN'
        option proto 'pppoe'
        option device 'eth0.911'
        option username 'xxx@xxx.com'
        option password 'xxxxx'
        option ipv6 'auto'

# Bare device stanza for eth0 with no settings; presumably left behind by the
# device settings page and appears to change nothing.
config device
        option name 'eth0'

# Tunnel interface. 'proto none' means netifd does not configure tun0 itself;
# OpenVPN creates and addresses it (10.8.0.5), and this stanza exists mainly
# so the 'ovpn' firewall zone can bind to it. peerdns '0' keeps any pushed
# resolver from replacing the router's DNS; the dns list is the resolver meant
# for tunnel traffic (whether it takes effect with proto 'none' cannot be
# verified from this listing).
config interface 'OVPN'
        option proto 'none'
        option peerdns '0'
        list dns 'x.x.x.x'
        option device 'tun0'

Firewall

# Global policy: only forwarding is denied by default. 'input ACCEPT' here
# applies to traffic arriving on interfaces that belong to no zone.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# LAN is fully trusted: hosts may reach the router and each other.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# Internet side: nothing reaches the router or the LAN unless a rule below
# allows it. masq does IPv4 NAT; mtu_fix clamps TCP MSS for the PPPoE link.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'WAN'

# Stock OpenWrt rules for IPv4 traffic from the internet to the router itself.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# Answers IPv4 echo requests from the internet. Harmless in itself, but it can
# be removed if the router should not respond to pings on the WAN side.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

# Multicast group management from the ISP side (stock rule).
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# Stock OpenWrt IPv6 rules: DHCPv6 to the router, MLD from link-local sources,
# and the ICMPv6 types neighbour discovery and path-MTU discovery depend on.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 to the router itself, rate-limited to 1000/sec.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Same error/echo types forwarded to any zone ('*'), so LAN hosts with global
# IPv6 addresses still receive packet-too-big and friends; also rate-limited.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Stock rules that let IPsec (ESP, and IKE on UDP/500) from the internet be
# forwarded into the lan zone. No family is set, so they also apply to IPv6,
# where LAN hosts carry globally routable addresses; they can be removed if no
# LAN host terminates IPsec.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# LAN hosts may reach the internet (NAT happens in the wan zone above).
config forwarding
        option src 'lan'
        option dest 'wan'

# Hook for the policy-based-routing package: the author sends only selected
# LAN hosts through tun0, and this script installs the marks/rules fw4 needs.
config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

# VPN zone bound to tun0. As written it treats every VPN peer like a LAN host:
#   input ACCEPT   - any peer can reach whatever the router itself serves
#                    (e.g. SSH, web UI, DNS) over the tunnel;
#   forward ACCEPT - traffic between networks of this zone may be forwarded
#                    (only tun0 is in it, so this has little effect);
#   the two forwardings below give peers full access to 192.168.1.0/24 and
#   LAN hosts full access to the VPN subnet.
# masq '1' rewrites LAN-origin traffic leaving via tun0 to 10.8.0.5, so peers
# never see 192.168.1.x source addresses. Traffic entering from the VPN is not
# masqueraded (the lan zone has no masq), so LAN hosts see 10.8.0.x sources
# and reply via the router, which reaches that subnet over tun0.
# If only certain hosts or services should be reachable from the VPN, set
# input/forward to 'REJECT' here, drop the broad ovpn->lan forwarding and add
# explicit 'config rule' entries keyed on dest_ip/dest_port instead; every
# peer holding a valid (unrevoked) client certificate gets what this zone permits.
config zone
        option name 'ovpn'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'OVPN'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'ovpn'

config forwarding
        option src 'ovpn'
        option dest 'lan'

See the OpenVPN wiki page on routed LANs (iroute):
https://community.openvpn.net/openvpn/wiki/RoutedLans


Thanks for the quick response, that was exactly what was needed. All working now.

On a side note, would it be possible to access devices through the public IP of the VPN server and have that traffic routed to a LAN device, replicating port forwarding to a LAN device so it can be reached via a public IP? Since that's not possible with my WAN connection being behind the CG-NAT, I was wondering if I could do it through the remote server's IP, as it's not behind the CG-NAT.

Yes, it should work.

Can't access anything from servers external IP.

I cannot even ping devices on the LAN from the server. However, I can ping devices on the LAN from other VPN clients. So as long as I'm connected to the VPN I can access the LAN devices via their local IP, but any attempt to connect via the public IP is refused.

I have opened ports in my remote server's firewall and forwarded the ports on my OpenWrt firewall, but the connection is still refused from the external IP.

I added this to the server config as per the guide:

# Server side, per the RoutedLans guide. "route" installs a kernel route on the
# server host for the LAN via the tun interface (this is also what lets the
# server host itself reach 192.168.1.x); push "route" hands the same route to
# every other client so their traffic for the LAN enters the tunnel.
# NOTE(review): the author reports the server host still cannot reach the LAN;
# whether this route is present after the restart is not determinable here.
route 192.168.1.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"

My ccd:

# client-config-dir file named after the router client's certificate CN.
# Tells OpenVPN's internal routing that 192.168.1.0/24 lives behind this
# client; without it the kernel route above points into the tun device but
# the server cannot pick the client that owns the subnet.
iroute 192.168.1.0 255.255.255.0

Do I also need to add a push route on the client config?
