Can OpenVPN server listen on LAN side?

I always just set the DHCP server off and plug in one of my re-purposed router LAN ports into the existing fiber-modem/router LAN when I need any of the various non-routing solutions of OpenWRT (file server, access point, etc.) I am wondering if there is an easy way to make the OpenVPN server on OpenWRT listen on the LAN interface for port 1194 instead of the WAN interface listening? This would allow my non-OpenWRT fiber-modem/router to forward the port to the LAN side of the router and thus the OpenWRT device would provide access to the same subnet as the local LAN that has a gateway of the non-replacable fiber-modem./router.

Normally this should be true for the default setup...

Check the command netstat -lnp | grep openvpn for listening ip addresses.
If you see here 0.0.0.0:1194 or :::1194 then your openvpn server does listen on all interfaces on port 1194.

2 Likes

OK, I have OpenVPN configured on a stand alone device on the local LAN and it is NOT the gateway. The DHCP server in the stand alone device running OpenVPN is shut down and the LAN from this stand-alone OpenVPN device is plugged in the LAN of the gateway. The static IP of the LAN in this stand-alone OpenVPN device (router) has a static IP defined outside of the DHCP range of the non-OpenWRT gateway (a fiber modem/router). Now I successfully forwarded port 443 (1194 was blocked by ISP) from the non-OpenWRT gateway via the LAN input of the OpenWRT OpenVPN device. From an outside network I was able to tunnel into my OpenVPN server and access it using the remote subnet IP address of it. However I could not reach any other IP address on the LAN and the gateway or DNS was not working either.

I read here what looks like I have to do something on the fiber-modem/router in order to change a routing table, which doesn't appear to be an option on this Adyan fiber-modem/router that I have. https://openvpn.net/community-resources/setting-up-routing/.

Actually, routing the DNS and Gateway through the OpenVPN tunnel is not as important as reaching other devices on the subnet where the OpenVPN stand-alone server is running..

The client routing table needs to have the LAN IP subnet gatewayed via the server end of the VPN tunnel. OpenVPN can do this with a push route.

Then if you want all client Internet access via the VPN, make the client's default gateway the LAN IP of the main router back at the house. This will necessarily route through your LAN first. It also required a route in the main router to gateway the client's subnet back through the VPN server machine.

I operate my OpenWrt VPN server a bit differently...

The OpenWrt box is not my primary router. The LAN side of my main router is connected to the WAN of the OpenWrt device -- in other words, my OpenVPN router's LAN would be double-NAT'd, if I used the LAN side). From there, I enabled forwarding from the VPN zone in the firewall to the WAN zone. In the OpenVPN config, I have defined a route to my actual LAN (WAN side of the OpenWrt router), as well as the DNS. This has the effect of making my VPN emerge the WAN port of the OpenWrt router as if it was part of my normal LAN.

Thus far, the only downside I have found is that all VPN clients are masqueraded on the WAN. I only see the singular device/IP with no additional visibility/granularity regarding access controls on the VPN clients. The other consequence of the masquerading is the it is not really possible to initiate a connection from a host on my LAN to a VPN client, but there is no issue with the VPN client initiating connections to hosts on the LAN. Neither of these things are issues for me, but could be important details for some environments.

Would there be any way you would be willing to help by explaining explicitly what I need to do to make this work? Since my home router is phone company combo fiber, modem and VOIP gateway device, it cannot be replaced by an OpenWRT device and if I bridge to an external device, I lose the proprietary ATA (VOIP) device built into the device which provides phone service.

=======================================================

Home Router:
Fiber modem-router - Arcadyan  	VRV7006BW22
Gateway/DNS: 192.168.26.254 
DHCP range: 192.168.26.10 - 192.168.26.200

Port forwarding:  Port 443 is forwarded to 192.168.26.252

Configuration options - slim; there is an option for "Route" and it displays a routing table:
Routing Table

List Routing Table:

Destination	Gateway address	Flags	Interface	Cost
200.38.193.226	0.0.0.0	UH	ppp0	0
192.168.26.0	0.0.0.0	U	br-lan	0
0.0.0.0	200.38.193.226	UG	ppp0	0

Also there is an option to enter a "static route":
Static Route Parameter

Please Enter the Following Configuration Parameters:

Index 	Network Address 	Subnet Mask 	Next Hop 	Outgoing Interface 	Configure

(((( could I enter something here to make this configuration work???  ))))

=======================================================

OpenVPN device:
Firmware - latest OpenWRT
WAN - not used
LAN - DHCP disabled and static IP assigned
Static IP on LAN side - 192.168.26.252
Software - OpenVPN-openssl

OpenVPN server cconfiguration files:

/etc/config/openvpn:

config openvpn 'myvpn'
	option enabled '1'
	option config '/etc/openvpn/mydefault.ovpn'

/ect/openvpn/mydefault.ovpn

verb 3
port 443
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/key.key
dh /etc/openvpn/dh2048.pem
keepalive 10 120
push "route 192.168.26.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.26.254"

=======================================================

Road warior client config:

client
dev tun
proto udp
remote-cert-tls server
remote mysever.dyndns.org 443
ca client.crt
cert client.crt
key client.key
ns-cert-type server
verb 3
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.26.254"

((( This works from outside Internet but I can only access 192.168.26.252
    but access nothing on the local 192.168.26.* subnet )))


=======================================================

Thinking about this some more I agree with @psherman with NATting the VPN users onto the home LAN. Then no foreign IPs appear on the home lan-- everything that VPN users do, whether its a connection to a LAN machine or to the Internet, appears to come from the VPN server machine. The downside is as @psherman said, it isn't really possible to originate a connection from a LAN machine to a VPN user.

This doesn't require having a LAN / WAN setup on the VPN server. It can continue to be bridged into the LAN. Enable masquerade on the lan firewall zone and a forwarding rule from the VPN tunnel to lan.

My NAT'd setup is a bit unconventional, but it works perfectly for my use case.

  • primary user is me
  • I mostly utilize my VPN connection for remote admin of my networks and hosts (my own, my father's, my in-law's), occasionally for accessing files or other network resources
  • I also have the VPNs in place for the road warrior scenario (security when on a public/untrusted network; bypassing geo-restrictions when traveling abroad -- my traffic appears to originate from my own house, just the same as if I was at home).
  • My family may occasionally use the VPN as well for the security and geo-restriction elements.

In my case, the added 'security' is purely a local consideration -- from my 'current' location to my home, making MITM and other such attacks from a public network (like a cafe) far less likely. The actual internet traffic of interest traverses over my regular ISP without going through a commercial VPN service or anything like that (queue the debate: to use a VPN or not to use a VPN, that is the question :crazy_face:).

I am not sure how to accomplish this task of enabling masquerade on the OpenVPN server. Here are my configuration files and I don't know if they are even valid since I am not coming into the server from the WAN side but instead coming from a static IP on the LAN side, plugged into the LAN port of the home router.

===============================================

Edit file /etc/config/firewall:

(( Use the port that YOU WISH TO USE, NOt MINE))
((ADD THIS TO THE BOTTOM OF THE FILE:))

# begin of DJ add
config rule
	option name  Allow-OpenVPN-Inbound 
	option target  ACCEPT 
	option src  * 
	option proto  udp 
	option dest_port  1194 

config zone
	option name 'vpn'
	option input 'ACCEPT'
#https://forum.openwrt.org/t/cant-run-ping-under-diagnostics-with-openvpn-client-active/59977/7
#	option forward 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
  	option network 'vpn0'

config forwarding
	option src  vpn 
	option dest  wan 

config forwarding
        option src  vpn 
        option dest  lan 

config forwarding
        option src  lan 
        option dest  vpn 

# end of DJ add

===================================================

Edit file /etc/config/network:

((ADD THIS TO THE BOTTOM OF THE FILE:))
# begin of DJ add

config interface 'vpn0'
	option ifname 'tun0'
	option proto 'none'
	option auto '1'

# end of DJ add

===================================================

Can you copy the parts of your files in the /etc/config/ directory named dhcp, firewall, network where you have defined this to perform as you described here? Thank you.

What you posted, except also find the lan firewall zone definition and add option masq '1' and option mtu_fix '1' to it.

1 Like

I'll give you my 'recipe' for OpenVPN in this context, but I'm not going to share the complete files because it could confuse the issue (I have OpenVPN, Wireguard, Shadowsocks, and a few other things happening on my system -- I don't mind sharing, but doing so could make things look more complex than they really are or need to be). What I'll provide below is the changes to each relevant file

First, notes about my setup:

  1. Hardware/connectivity: I use the WAN port (both physically labeled as, and logically assigned as WAN) of my Ubiquiti RouterStation Pro as my uplink to my LAN (I utilize an EdgeRouter X as my main router). There is nothing connected to the LAN ports (OpenWrt LAN is technically double-NAT'd, but not used in my setup anyway)
  2. Main LAN: My main LAN's subnet is 10.0.1.0/24 -- router at 10.0.1.1 and the router also serves as the DHCP and DNS server for the network.
  3. My OpenWrt WAN address is configured using DHCP, and my main router has a static map (DHCP reservation) to ensure that the OpenWrt VPN server always has the same address on the network (a static IP would be fine, too, as long as it does not conflict with the DHCP range or any other static assignments).
  4. The OpenWrt LAN must still be defined with a different subnet (vs my main LAN) so that the OpenWrt WAN and LAN do not end up on the same network (which causes problems).
  5. Port forwarding: My main router has ports forwarded to my OpenWrt router (VPN server) to allow inbound connections. The OpenWrt router also needs the ports opened (traffic rules to 'local' or 'input').

Relevant files (not counting OpenVPN certs/keys) -- deltas only:

Firewall -- see note below
config zone
	option name 'vpn'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'vpn0'

config forwarding
	option dest 'wan'
	option src 'vpn'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '1194'
	option name 'Allow-UDP1194-Inbound'
	option src '*'

config rule
	option target 'ACCEPT'
	option proto 'tcp'
	option dest_port '80'
	option name 'LuCi-from-WAN'
	option src '*'

config rule
	option target 'ACCEPT'
	option proto 'tcp'
	option dest_port '22'
	option name 'SSH-from-WAN'
	option src '*'
Network
config interface 'vpn0'
	option proto 'none'
	option ifname 'tun0'
OpenVPN
config openvpn 'OVPN'
	option proto 'udp'
	option port '1194'
	option dev 'tun0'
	option server '10.0.2.0 255.255.255.0'
	option ca '/etc/openvpn/ServerKeys/ca.crt'
	option cert '/etc/openvpn/ServerKeys/OVPN.crt'
	option key '/etc/openvpn/ServerKeys/OVPN.key'
	option dh '/etc/openvpn/ServerKeys/dh.pem'
	option verb '4'
	option passtos '1'
	option auth 'SHA256'
	option cipher 'AES-256-CBC'
	option mute '5'
	option tun_ipv6 '1'
	option tun_mtu '1500'
	option keepalive '10 120'
	option tls_server '1'
	option persist_key '1'
	option persist_tun '1'
	list push 'route 10.0.1.0 255.255.255.0'
	list push 'dhcp-option DNS 10.0.1.1'
    option remote_cert_tls 'client'
	option enabled '1'

NOTE about my OpenWrt firewall file: I have opened ports 80 and 22 to allow access to the router from the WAN side. Normally this would be ill-advised, but because the WAN of this device is part of my trusted LAN, it does not present a security risk. This allows me to access the administration (LuCI/ssh) directly from my main LAN (I do not need to plug into the OpenWrt LAN or establish the VPN tunnel to configure access the router).

EDIT: I meant to say that because the WAN has masquerading enabled by default, I didn't need to change anything about the WAN configuration in network or firewall, with the exception of opening the relevant ports on the WAN zone to the device itself).

EDIT 2: GAHHH, sorry about the formatting. Don't know why it didn't work properly. I'll try to fix that. Fixed.

1 Like