OpenVPN Client to Server LAN Access Issues

Hi all,

I know this is a commonly discussed problem, but I've read through related threads and haven't been able to solve my issue yet. I can connect to the VPN and can ping my VPN server's local IP from the VPN clients, but I cannot access my local LAN clients from the remote VPN clients.

I have a home network running OpenWrt 18.06.4, r7808-ef686b7292 on a WRT1900ACS with an OpenVPN server on this same device.

I followed the OpenWrt basic tutorial, which doesn't involve setting up a 'vpn' interface, at least as far as I can tell, but it seems that a lot of other people set one up, along with a 'vpn' firewall zone. However, the basic guide seems to just set the 'tun0' interface as private and part of the lan interface, which I have done.

I don't need all traffic routed through the tunnel, I simply need remote access to some local LAN clients.

My overall network setup:

LAN on 192.168.1.0/24 (eth0.1) - local LAN I would like to access remotely
WAN - (eth1.2) DHCP from ISP with cloudflare DNS
OpenVPN 2.4.5 on 192.168.2.0/24 - subnet of remote clients
Guest on 10.0.0.0/24 (eth0.200) - guest vlan which is unrelated to this, I don't need any connection for VPN/Guest

My /etc/config/network file:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'
        option peerdns '0'
        option dns '1.1.1.1 1.0.0.1'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        option dns '2606:4700:4700::1111 2606:4700:4700::1001'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'
        option vid '2'

config interface 'guest'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '10.0.0.1'
        option ifname 'eth0.200'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '200'
        option ports '3t 5t'

and the /etc/config/firewall config:

config redirect

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'lan'
	option forward 'ACCEPT'
	option device 'tun0'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'guest'
	option input 'REJECT'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'guestDNS'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'guestDHCP'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option proto 'tcp'
	option dest_port '8880'
	option name 'guestPortal'
	option src 'guest'
	option dest 'lan'
	option dest_ip '192.168.1.10'

config rule 'vpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option target 'ACCEPT'
	option dest_port '443'
	option proto 'tcp udp'

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'tcp udp'
	option src '*'
	option src_ip '192.168.2.0/24'
	option dest_ip '192.168.1.0/24'
	option name 'Allow VPN -> LAN'

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'tcp udp'
	option src '*'
	option src_ip '192.168.2.0/24'
	option dest '*'
	option dest_ip '192.168.1.0/24'
	option name 'Allow FWD VPN -> LAN'

config rule
	option target 'ACCEPT'
	option proto 'icmp'
	option src '*'
	option src_ip '192.168.2.0/24'
	option name 'Allow ICMP VPN -> LAN'
	option dest 'lan'

config forwarding
	option dest 'wan'
	option src 'guest'

config forwarding
	option dest 'wan'
	option src 'lan'

and finally my /etc/config/openvpn config:

config openvpn 'vpn'
	option verb '3'
	option proto 'tcp4-server'
	option server '192.168.2.0 255.255.255.0'
	option keepalive '10 120'
	option client_to_client '1'
	option resolv_retry 'infinite'
	option dev 'tun0'
	option persist_tun '1'
	option persist_key '1'
	option port '443'
	option user 'nobody'
	option group 'nogroup'
	option ca '/etc/easy-rsa/pki/ca.crt'
	option dh '/etc/easy-rsa/pki/dh.pem'
	option cert '/etc/easy-rsa/pki/issued/vpnserver.crt'
	option key '/etc/easy-rsa/pki/private/vpnserver.key'
	option tls_crypt '/etc/easy-rsa/pki/tc.pem'
	option enabled '1'
	option topology 'subnet'
	list push 'route 192.168.1.0 255.255.255.0'
	list push 'dhcp-option DNS 192.168.2.1'
	list push 'dhcp-option DOMAIN local'
	list push 'persist-tun'
	list push 'persist-key'

I have tried with and without redirect-gateway def1 even though I don't need all traffic routed through the VPN. I typically connect my laptop to my phone's LTE hotspot on T-Mobile to test remotely and I can ping my local OpenWrt router with hostname and 192.168.1.1 successfully, and traceroute produces:

PING <gateway-hostname>.local (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=51.475 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=74.544 ms

but the other client (192.168.1.10) I would like to access results in:

PING <lanclient-hostname>.local (192.168.1.10): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2

and traceroute:

traceroute to <clientlan-hostname>.local (192.168.1.10), 64 hops max, 52 byte packets
 1  192.168.2.1 (192.168.2.1)  35.358 ms  59.286 ms  65.082 ms
 2  * * *
 3  * * *

this continues to hang.

Running route on the router returns:

default         <public ip>.h 0.0.0.0         UG    0      0        0 eth1.2
10.0.0.0        *               255.255.255.0   U     0      0        0 eth0.200
<public ip>     *               255.255.254.0   U     0      0        0 eth1.2
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0.1
192.168.2.0     *               255.255.255.0   U     0      0        0 tun0

I don't have a ton of networking experience, so any advice and insight is greatly appreciated.
Thanks a ton.

Make sure that 192.168.1.1 is the default gateway for 192.168.1.10.
Verify that the firewall on 192.168.1.10 allows access from outside of the local subnet.
Run Wireshark or tcpdump on 192.168.1.10 and check the traffic when you try to access from the VPN.
Post the output from OpenWrt:

iptables-save

Interfaces tun0 and lan are in the same firewall zone with forward policy ACCEPT, so there's no need for additional permissive rules to access one another.

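The zone reasoning in the reply above, as an added example that is not part of this thread: a small Python script that parses a constructed excerpt of the posted /etc/config/firewall (zones and forwardings only, with the same values as in the thread) and reports, for a pair of interfaces or devices, whether fw3 would forward traffic between them. The parser, the function names and the excerpt are this example's own; the zone semantics it encodes (traffic between members of one zone follows that zone's own `forward` policy, traffic between two zones needs a `forwarding` section and otherwise falls to the `defaults` forward policy) are how fw3 on OpenWrt 18.06 behaves.

```python
import re

# Constructed excerpt modelled on the /etc/config/firewall posted in this thread.
# Only zones, forwardings and defaults are kept; per-port rules do not change
# the zone-membership question the reply raises.
SAMPLE_FIREWALL = """\
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'lan'
	option forward 'ACCEPT'
	option device 'tun0'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config zone
	option name 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'guest'
	option input 'REJECT'

config forwarding
	option dest 'wan'
	option src 'guest'

config forwarding
	option dest 'wan'
	option src 'lan'
"""


def members(opts, key):
    """Return an option as a list, whether UCI stored it as a
    whitespace-separated 'option' string or as repeated 'list' entries."""
    value = opts.get(key, [])
    return value.split() if isinstance(value, str) else list(value)


def parse_uci(text):
    """Parse UCI syntax into a list of (section_type, section_name, options).
    'option' values are kept as strings, 'list' values become lists."""
    sections, opts = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"config\s+(\S+)(?:\s+'([^']*)')?", line)
        if m:
            opts = {}
            sections.append((m.group(1), m.group(2), opts))
            continue
        m = re.fullmatch(r"(option|list)\s+(\S+)\s+'([^']*)'", line)
        if m is None or opts is None:
            raise ValueError(f"unparsed UCI line: {raw!r}")
        kind, key, value = m.groups()
        opts[key] = value if kind == "option" else members(opts, key) + [value]
    return sections


def find_zone(sections, iface):
    """Zone whose 'network' or 'device' list contains iface, or None."""
    for typ, _, opts in sections:
        if typ == "zone" and (iface in members(opts, "network") or iface in members(opts, "device")):
            return opts
    return None


def global_forward_policy(sections):
    for typ, _, opts in sections:
        if typ == "defaults":
            return opts.get("forward", "REJECT")
    return "REJECT"


def forward_verdict(sections, src, dst):
    """Decide whether fw3 forwards traffic arriving on src towards dst.
    src and dst name a UCI interface (lan, wan) or a raw device (tun0).
    Returns (allowed, reason)."""
    sz, dz = find_zone(sections, src), find_zone(sections, dst)
    if sz is None or dz is None:
        policy = global_forward_policy(sections)
        return policy == "ACCEPT", f"{src} or {dst} is in no zone; defaults forward policy {policy} applies"
    if sz["name"] == dz["name"]:
        # Members of one zone talk to each other under that zone's own forward policy.
        policy = sz.get("forward", "REJECT")
        return policy == "ACCEPT", f"{src} and {dst} share zone '{sz['name']}' (forward {policy})"
    for typ, _, opts in sections:
        if typ == "forwarding" and opts.get("src") == sz["name"] and opts.get("dest") == dz["name"]:
            return True, f"forwarding {sz['name']} -> {dz['name']} is configured"
    policy = global_forward_policy(sections)
    return policy == "ACCEPT", f"no forwarding {sz['name']} -> {dz['name']}; defaults forward policy {policy} applies"


if __name__ == "__main__":
    cfg = parse_uci(SAMPLE_FIREWALL)
    for pair in [("tun0", "lan"), ("tun0", "wan"), ("tun0", "guest"), ("guest", "lan"), ("wan", "lan")]:
        ok, why = forward_verdict(cfg, *pair)
        print(f"{pair[0]:>5} -> {pair[1]:<5} {'ALLOW' if ok else 'DROP ':5} {why}")
```

Run against the excerpt, tun0 -> lan comes back allowed, which is why the reply points at the host firewall on 192.168.1.10 rather than at the router: the router's side of the path is already open. The same check reports tun0 -> wan as allowed too (through the lan -> wan forwarding and the wan zone's masquerading), so remote VPN clients can reach the internet through the home WAN even without redirect-gateway; that is worth keeping in mind when deciding who receives VPN credentials.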

Bingo on the firewall for the local LAN client! Thanks a ton for your advice. I simply added a Windows firewall rule to allow inbound traffic on any port for the remote subnet 192.168.2.0/24 and pings etc. worked great immediately.
