OpenVPN Server Site-to-Site for clients without subnet

Hey guys, how's it going?

I've just configured my OpenVPN Server to have a site-to-site function, so both routers that I own (one in my home and the other in my office) are capable of talking to each other. So far, so good.

My current set-up is the following:

Home network (server) - OpenVPN in OpenWRT router:
Local Lan IP: 192.168.1.1 (subnet: 192.168.1.0/24)
Local OpenVPN IP: 10.8.0.1 (subnet: 10.8.0.0/24)

Server Config

	option server '10.8.0.0 255.255.255.0'
	option dev 'tun-server'
	option keepalive '10 120'
	option topology 'subnet'
	option port '1234'
	option ca '/etc/openvpn/CA.crt'
	option dh '/etc/openvpn/dh2048.pem'
	option cert '/etc/openvpn/Server.crt'
	option key '/etc/openvpn/Server.key'
	option client_to_client '1'
	option persist_key '1'
	option persist_tun '1'
	option proto 'udp'
	option verb '5'
	option mssfix '1500'
	option cipher 'AES-256-CBC'
	option auth 'SHA512'
	option keysize '256'
	list push 'route 192.168.1.0 255.255.255.0'
	list push 'dhcp-option DNS 192.168.1.1'
	option route '192.168.31.0 255.255.255.0 10.8.0.1'
	option log '/tmp/openvpn-server.log'
	option status '/tmp/openvpn-server-status.log'
	option client_config_dir '/etc/openvpn/ccd/'
	option enabled '1'

CCD File - Office

ifconfig-push 10.8.0.2 255.255.255.248 
iroute 192.168.31.0 255.255.255.0

Office network (client) - OpenVPN in OpenWRT Router:
Local Lan IP: 192.168.31.1 (subnet: 192.168.31.0/24)
OpenVPN IP set in ccd: 10.8.0.2

So with this current setting, all my clients in both networks can talk to each other. Great!

But now I need to set up standalone clients (like Android clients using an LTE connection), and although I'm able to let them talk to all clients on the server side, I'm unable to let them talk to my office network (192.168.31.0/24), but I can ping the office router if I use the OpenVPN IP (10.8.0.2).

This is what it looks like:

Android client using LTE connection:
Local Lan IP: ????? It's not a router, so it doesn't have a local subnet.
OpenVPN IP set in ccd: 10.8.0.3

CCD File - Standalone Client - Android Client
ifconfig-push 10.8.0.3 255.255.255.248

How do I make all clients, no matter which one, able to see and talk to all clients in all networks where OpenVPN is running, not only those running a subnet (routers)?

Besides Android I also have a laptop which I could use on a hotel Wi-Fi, for example. Since I don't own the router in the hotel, I think this "standalone" config would also work here, right? I don't need to expose the client subnet here, since I don't have access to it, but I want this client to access all networks exposed in my OpenVPN server, not only the server subnet.

This question was also posted in the OpenVPN forum, but a user there told me it could be a route/firewall issue, and I couldn't figure it out by myself. Can someone help me here?

Unfortunately all links that send me to openwrt wiki are broken. So I have no place to search for a solution for this =/

And by the way, is my config safe enough, or should I explicitly have all the ciphers that I want listed in the "ovpn" file on the server?

Thanks in advance.

Push the route to the client-side LAN via the respective client, like this:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/extras#site-to-site
You can also specify custom metric to avoid collisions.


I don't get it....

Taking my own Android client as an example, this is the current CCD file for it:
ifconfig-push 10.8.0.3 255.255.255.248

Should it be like this?

ifconfig-push 10.8.0.3 255.255.255.248 
iroute 192.168.1.0 255.255.255.0

or like this?

ifconfig-push 10.8.0.3 255.255.255.248 
iroute 192.168.31.0 255.255.255.0

Or should I use both?

ifconfig-push 10.8.0.3 255.255.255.248 
iroute 192.168.1.0 255.255.255.0
iroute 192.168.31.0 255.255.255.0

Because none of them worked O_o.
Since my network 192.168.31.0/24 is the route that I want to be exposed as well, I tried:
push "route 192.168.31.0 255.255.255.0 10.8.0.1"
in my OpenVPN server file, but it didn't work either.

The mentioned site-to-site explanation you sent me is exactly what my Openvpn server and Office CCD files look like. So I can't understand why this is not working.

Considering I can access my Office subnet from my Home network, shouldn't the Office subnet be available to any other client in my OpenVPN server? I just can't understand why the routes are not being pushed properly in my Android client.

I think I may have confused you. The site-to-site between the 2 routers is working as expected (I guess). But for any other client that is not a router, I only have access to my OpenVPN server LAN (192.168.1.0/24). I'd like any other OpenVPN client to access the other network as well (192.168.31.0/24).

Between 192.168.1.0/24 and 192.168.31.0/24, they can talk to each subnet just fine. The problem is a random client like 10.8.0.3, which is an Android phone, connecting to both 192.168.1.0/24 AND ALSO 192.168.31.0/24.

Change the network mask to 255.255.255.0.

Yep, this one, but change the gateway to 10.8.0.2.

If you still experience issues, post connection log from the client.


Yes .248 isn't necessary here. Take a /24 block for the VPN IPs.

Also don't use 192.168.1.0/24 for any of your networks because it's likely to conflict with hotel networks etc.

The VPN "backbone" is the group of 10.8.0.0 IPs. The route from the road warrior to the office LAN, while it is a VPN client of the home router, is the office's IP on the backbone, not the home. OpenVPN will internally route this, but the client-to-client server option must be enabled.

19:59:33.844 -- ----- OpenVPN Start -----
19:59:33.845 -- EVENT: CORE_THREAD_ACTIVE
19:59:33.871 -- OpenVPN core 3.git:released:662eae9a:Release android arm64 64-bit PT_PROXY
19:59:33.872 -- Frame=512/2048/512 mssfix-ctrl=1250
19:59:33.873 -- UNUSED OPTIONS
3 [verb] [5] 
19:59:33.873 -- EVENT: RESOLVE
19:59:34.162 -- Contacting myserverip:PORT via UDP
19:59:34.162 -- EVENT: WAIT
19:59:34.164 -- Connecting to [myserverddns]:PORT (myserverip) via UDPv4
19:59:34.240 -- EVENT: CONNECTING
19:59:34.241 -- Tunnel Options:V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
19:59:34.242 -- Creds: UsernameEmpty/PasswordEmpty
19:59:34.242 -- Peer Info:
IV_VER=3.git:released:662eae9a:Release
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_AUTO_SESS=1
IV_GUI_VER=net.openvpn.connect.android_3.2.4-5891
IV_SSO=openurl
IV_BS64DL=1

19:59:34.369 -- VERIFY OK: depth=0, /CN=OpenVPN_Server
19:59:34.485 -- SSL Handshake: CN=OpenVPN_Server, TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 2048 bit RSA
19:59:34.485 -- Session is ACTIVE
19:59:34.485 -- EVENT: GET_CONFIG
19:59:34.487 -- Sending PUSH_REQUEST to server...
19:59:34.601 -- OPTIONS:
0 [route] [192.168.1.0] [255.255.255.0] 
1 [dhcp-option] [DNS] [192.168.1.1] 
2 [route] [192.168.31.0] [255.255.255.0] [10.8.0.2] 
3 [route-gateway] [10.8.0.1] 
4 [topology] [subnet] 
5 [ping] [10] 
6 [ping-restart] [120] 
7 [ifconfig] [10.8.0.3] [255.255.255.0] 
8 [peer-id] [0] 
9 [cipher] [AES-256-GCM] 

19:59:34.602 -- PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: NONE
  compress: NONE
  peer ID: 0
19:59:34.603 -- EVENT: ASSIGN_IP
19:59:34.605 -- exception parsing IPv4 route: [route] [192.168.31.0] [255.255.255.0] [10.8.0.2]  : tun_prop_route_error: route destinations other than vpn_gateway or net_gateway are not supported
19:59:34.644 -- Connected via tun
19:59:34.644 -- EVENT: CONNECTED info='myserverddns:PORT (myserverip) via /UDPv4 on tun/10.8.0.3/ gw=[10.8.0.1/]'

This is my Android connection log.

By the way, this is what my server ovpn looks like now:

option server '10.8.0.0 255.255.255.0'
option dev 'tun-server'
option keepalive '10 120'
option topology 'subnet'
option port '1234'
option ca '/etc/openvpn/CA.crt'
option dh '/etc/openvpn/dh2048.pem'
option cert '/etc/openvpn/Server.crt'
option key '/etc/openvpn/Server.key'
option client_to_client '1'
option persist_key '1'
option persist_tun '1'
option proto 'udp'
option verb '5'
option mssfix '1500'
option cipher 'AES-256-CBC'
option auth 'SHA512'
option keysize '256'
list push 'route 192.168.1.0 255.255.255.0'
list push 'dhcp-option DNS 192.168.1.1'
option route '192.168.31.0 255.255.255.0 10.8.0.1'
list push 'route 192.168.31.0 255.255.255.0 10.8.0.2'
option log '/tmp/openvpn-server.log'
option status '/tmp/openvpn-server-status.log'
option client_config_dir '/etc/openvpn/ccd/'
option enabled '1'

And my Android CCD:
ifconfig-push 10.8.0.3 255.255.255.0

No other file was modified besides these 2.
I still can't reach 192.168.31.0/24 network from my Android device, while 192.168.1.0/24 is working just fine.


I will change it later. Forgot about that.
I will avoid 10.0.0.0/24 / 192.168.0.0/24 / 192.168.1.0/24 after setting all this up.

OK. I found it out by googling the error there.
In my OVPN file I basically removed all mentions of the local OpenVPN IPs in the routes.

Now it looks like:

option server '10.8.0.0 255.255.255.0'
option dev 'tun-server'
option keepalive '10 120'
option topology 'subnet'
option port '1234'
option ca '/etc/openvpn/CA.crt'
option dh '/etc/openvpn/dh2048.pem'
option cert '/etc/openvpn/Server.crt'
option key '/etc/openvpn/Server.key'
option client_to_client '1'
option persist_key '1'
option persist_tun '1'
option proto 'udp'
option verb '5'
option mssfix '1500'
option cipher 'AES-256-CBC'
option auth 'SHA512'
option keysize '256'
list push 'route 192.168.1.0 255.255.255.0'
list push 'dhcp-option DNS 192.168.1.1'
option route '192.168.31.0 255.255.255.0'
list push 'route 192.168.31.0 255.255.255.0'
option log '/tmp/openvpn-server.log'
option status '/tmp/openvpn-server-status.log'
option client_config_dir '/etc/openvpn/ccd/'
option enabled '1'

Thanks @vgaetera and @mk24 !!!!

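Added example, not part of the thread: a small Python lint over the UCI server section and the CCD files posted above. It checks the three routing conditions the thread converged on for a subnet announced by a client's `iroute` (a server-side `route` so the kernel hands packets to the tun, a `push route` so other clients learn it, and no explicit gateway address in that push because OpenVPN Connect rejects anything other than vpn_gateway/net_gateway, as the Android log shows), the CCD netmask matching the server pool, and the crypto settings the first post asked about. The sample configs are the thread's own three server revisions; the finding codes and the data_ciphers / tls_crypt recommendations are mine.

```python
"""Lint an OpenWrt UCI OpenVPN server section plus CCD files for the
site-to-site / road-warrior routing mistakes discussed in the thread.
Added example; the configs below are copied from the posts, the checks are not."""
import ipaddress
import re
from typing import Dict, List, Tuple

UCI_LINE = re.compile(r"^\s*(option|list)\s+(\w+)\s+'([^']*)'\s*$")
Finding = Tuple[str, str]  # (code, human-readable detail)

# Options common to all three server revisions in the thread (routing lines omitted).
BASE = """
option server '10.8.0.0 255.255.255.0'
option topology 'subnet'
option client_to_client '1'
option cipher 'AES-256-CBC'
option auth 'SHA512'
option keysize '256'
list push 'route 192.168.1.0 255.255.255.0'
list push 'dhcp-option DNS 192.168.1.1'
"""
SERVER_V1 = BASE + "option route '192.168.31.0 255.255.255.0 10.8.0.1'\n"          # first post
SERVER_V2 = SERVER_V1 + "list push 'route 192.168.31.0 255.255.255.0 10.8.0.2'\n"  # explicit gateway
SERVER_V3 = BASE + ("option route '192.168.31.0 255.255.255.0'\n"                   # working version
                    "list push 'route 192.168.31.0 255.255.255.0'\n")
CCD_OFFICE = "ifconfig-push 10.8.0.2 255.255.255.248\niroute 192.168.31.0 255.255.255.0\n"
CCD_ANDROID = "ifconfig-push 10.8.0.3 255.255.255.0\n"


def parse_uci(text: str) -> Dict[str, List[str]]:
    """'option k v' / 'list k v' lines -> {k: [v, ...]} (an option is a 1-element list)."""
    cfg: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = UCI_LINE.match(line)
        if m:
            cfg.setdefault(m.group(2), []).append(m.group(3))
    return cfg


def parse_ccd(text: str) -> Dict[str, List[List[str]]]:
    """CCD directives -> {directive: [[arg, ...], ...]}."""
    ccd: Dict[str, List[List[str]]] = {}
    for line in text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            ccd.setdefault(parts[0], []).append(parts[1:])
    return ccd


def net(addr: str, mask: str = "255.255.255.255") -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def lint(server: Dict[str, List[str]], ccds: Dict[str, Dict]) -> List[Finding]:
    findings: List[Finding] = []
    vpn = net(*server["server"][0].split()[:2])  # the 10.8.0.0/24 VPN "backbone"
    routes = {net(*r.split()[:2]) for r in server.get("route", [])}
    pushes: Dict[ipaddress.IPv4Network, List[str]] = {}
    for p in server.get("push", []):
        a = p.split()
        if a[0] == "route" and len(a) >= 3:
            pushes[net(a[1], a[2])] = a[3:]  # trailing args: gateway and/or metric
    for name, ccd in ccds.items():
        for a in ccd.get("ifconfig-push", []):
            ip, mask = a[0], (a[1] if len(a) > 1 else str(vpn.netmask))
            if ipaddress.ip_address(ip) not in vpn:
                findings.append(("CCD_IP", f"{name}: {ip} is not inside {vpn}"))
            if mask != str(vpn.netmask):
                findings.append(("CCD_MASK", f"{name}: ifconfig-push mask {mask} != server mask {vpn.netmask}"))
        for a in ccd.get("iroute", []):
            lan = net(*a[:2])
            if lan not in routes:
                findings.append(("NO_ROUTE", f"{name}: no server 'route {lan}', kernel never hands packets to the tun"))
            if lan not in pushes:
                findings.append(("NO_PUSH", f"{name}: no 'push route {lan}', other clients get no route to it"))
            elif pushes[lan] and pushes[lan][0] not in ("vpn_gateway", "net_gateway"):
                findings.append(("PUSH_GW", f"{name}: 'push route {lan}' names gateway {pushes[lan][0]}; "
                                            "OpenVPN 3 clients reject it (tun_prop_route_error)"))
    if server.get("client_to_client", ["0"])[0] != "1":
        findings.append(("NO_C2C", "client_to_client is off; inter-client traffic depends on kernel forwarding and firewall rules"))
    if "keysize" in server:
        findings.append(("KEYSIZE", "keysize is deprecated (removed in OpenVPN 2.6); drop it"))
    if "data_ciphers" not in server and "ncp_ciphers" not in server:
        findings.append(("NO_DATA_CIPHERS", "'cipher' is only the fallback when negotiation fails; set data_ciphers explicitly"))
    if "tls_crypt" not in server and "tls_auth" not in server:
        findings.append(("NO_TLS_CRYPT", "control channel has no tls-crypt/tls-auth key"))
    return findings


def lint_texts(server_text: str, ccd_texts: Dict[str, str]) -> List[Finding]:
    return lint(parse_uci(server_text), {n: parse_ccd(t) for n, t in ccd_texts.items()})


if __name__ == "__main__":
    for label, cfg in (("v1", SERVER_V1), ("v2", SERVER_V2), ("v3", SERVER_V3)):
        print(f"== {label} ==")
        for code, detail in lint_texts(cfg, {"office": CCD_OFFICE, "android": CCD_ANDROID}):
            print(f"{code:16} {detail}")
```

Run on the three revisions, v1 reports the missing push, v2 reports the explicit 10.8.0.2 gateway that the Android log rejected, and v3 reports nothing about routing; all three still flag the deprecated keysize, the absence of an explicit data_ciphers list (the log shows AES-256-GCM was negotiated regardless of cipher AES-256-CBC), and the unprotected control channel, which is the answer to the "is my config safe enough" question that the thread never got to.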
