Routing VPN to LAN

Hello,

I need some help, as my network IT skills are not good enough.

First I want to apologize for my English. I'm from Germany.

I have the following setup:

- Linux server (Debian 9) with OpenVPN server installed
- 10 routers (Nexx WT3020H) with LEDE 17.01.4, OpenVPN and dependencies installed

I generated the client .ovpn files on the server and copied them to the router. After that I did the client config as described in the OpenWrt wiki.
So far, so good. When I start the router, it connects to the VPN. If I check my IP in a browser, it shows the IP of the server.

Now I have one problem... or let's say I don't understand it exactly.

The LAN IP of the router is 192.168.1.1 (so DHCP gives IPs in this range to devices that are connected to the LAN). The VPN server IP is 10.8.0.1.
If I connect to the VPN from my Windows computer, I get 10.8.0.2.

But my problem is that the OpenWrt router has this 192.168.1.* range.
I would really like to have my routers in the IP range 10.8.0.50-10.8.0.60, so that when I connect to the VPN from my Windows machine I can simply connect to the IP I wish to transfer data with.
It is important that I can access all devices that are connected to the LAN ports of the routers. Nobody has access to the LAN ports, so I don't need to separate networks or stuff like that.

I hope someone understands what I mean, as I find it hard to describe.

A good start for me would be if someone could help me so that, for example, one router gets 10.8.0.50 and I can try to ping it from my desktop (10.8.0.2). I was not able to manage this :(

Any help is welcome

Gerd

OK, just to say it in short:

I don't understand how I can route the VPN so that LAN-connected devices can communicate client-to-client. Also, I need to assign a static IP to each router.

If I understand you correctly, you will have to renumber one of these networks, as they cannot be identical.

Oh no, you understood that wrong. The IP of the router is 192.168.1.1 (standard configuration) and DHCP gives IPs from this range to the LAN port. (So I only have one network in this range.)
OpenVPN starts and connects correctly when the router starts. I checked it by surfing, and my external IP was the same as my OpenVPN server's.
The router should now get the IP 10.8.0.3 (as 10.8.0.1 is the server and 10.8.0.2 is a client connected from another location).
I want the router to get 10.8.0.50, so that I can connect to everything connected to the LAN port by using this IP.
But like I said: I do not understand how routing is done between these two IP ranges.
Maybe I should change the LAN IP on the 10 routers so that DHCP on one starts from 10.8.0.50-10.8.0.59 (so I can connect to LuCI via 10.8.0.50 and the rest is assigned to the LAN ports). The next router goes from 10.8.0.60-10.8.0.69 and so on.
Then I would not have 2 separate networks and all could communicate. But I still don't understand it correctly, so this solution is not the best, I think.
I simply need to be able to connect from anywhere by typing the specific IP once I'm in the VPN.

If you're using a TUN VPN, which is recommended for a situation like this where you only want Internet access through the VPN server, each client tunnel gets one IP address on the VPN.

So, at the client router, you would route VPN users by NATting them into the tunnel. Set up another network e.g. "vpnuser". This network needs a local DHCP server. Set up a firewall rule to forward from vpnuser to the vpn tunnel. The VPN tunnel firewall zone must have masq and mtu_fix turned on.

Attach Ethernet ports or wifi APs to the vpnuser interface as desired.

I like the stock LAN interface of the router not to be VPN'd. It should be used only for internal operations such as setting the time with NTP. And of course the VPN client needs to reach the Internet in the regular way to connect with the server.


Please post server and client configs

I also like it that way. I simply need a setup where I can reach each router on a fixed local IP, and I also need to reach a device connected to the LAN port (in my case a data logger) without port forwarding.
So if the router gets 10.8.0.3 from the VPN server, but the connected device gets 192.168.1.115, how can I arrange it so that I have full access to the LAN device?

I installed the OpenVPN server with this script.
The .ovpn file generated on the server contains this:

client
proto udp
remote xxx 1194  #xxx=ServerIP
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name xxxxxx
auth SHA256
auth-nocache
cipher AES-128-CBC
tls-client
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
setenv opt block-outside-dns
verb 3
<ca>
-----BEGIN CERTIFICATE-----
........

After that I copied the .ovpn file onto the router and used this tutorial from the OpenWrt wiki page to set up the router as an OpenVPN client.

So under "Interface and Firewall Setup" you can see this:

# a new OpenVPN instance:
uci set openvpn.provider=openvpn
uci set openvpn.provider.enabled='1'
uci set openvpn.provider.config='/etc/openvpn/ipvanish-US-Los-Angeles-lax-a01.ovpn'  # NOTE: use whatever your file is above.

# a new network interface for tun:
uci set network.providervpn=interface
uci set network.providervpn.proto='none' #dhcp #none
uci set network.providervpn.ifname='tun0'

# a new firewall zone (for VPN):
uci add firewall zone
uci set firewall.@zone[-1].name='vpn'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].masq='1'
uci set firewall.@zone[-1].mtu_fix='1'
uci add_list firewall.@zone[-1].network='providervpn'

# enable forwarding from LAN to VPN:
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='vpn'

# Finally, you should commit UCI changes:
uci commit

Can you tell me what I have to do to get the config you need to see?

Gerd

  • If I understand your previous posts correctly, you're utilizing OpenVPN for remote access to your local devices, and the OpenVPN server is running on your Debian 9 server, which is behind the OpenWrt router?
    • If so, you're likely going to need to utilize Gateway Redirect since your server's IP will be an RFC1918 LAN IP.
    • If you're not using a third party VPN provider, OpenWrt's VPN interface's firewall setting should be ACCEPT for input, output, and forward

  • Are you trying to have the OpenWrt router be a client, thereby removing the need for each client to be configured as an OpenVPN client?

  • Are you intending to have more than one router as a client, with each router having its own LAN subnet?
    • If so, a TAP configuration should be utilized. Generally, TUN should be used, however, there are specific use cases for when TAP is appropriate.

I need your server config, which, if that script wasn't modified, should be at: /etc/openvpn/server.conf

Please place all code, config, and log output within code boxes (three ways to do so)

Nope, the Debian 9 server is a virtual server I rented that has a fixed external IP. It acts as the OpenVPN server and the routers connect as clients. Now the only thing I need is access to every LAN device of the 10 routers from my home office (Windows 10 with the OpenVPN client installed). The routers are in different locations across the whole country.

Here is my server.conf:


port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 84.200.69.80"
push "dhcp-option DNS 84.200.70.40"
push "redirect-gateway def1 bypass-dhcp" 
crl-verify crl.pem
ca ca.crt
cert server_DsCVzySRePgp8eJw.crt
key server_DsCVzySRePgp8eJw.key
tls-auth tls-auth.key 0
dh dh.pem
auth SHA256
cipher AES-128-CBC
tls-server
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
status openvpn.log
verb 3

Thanks for helping me out
Gerd

CODE BOXES PLEASE...

The link is in my previous post on how to do so

The router should do the VPN stuff in such a way that newly connected devices on the LAN ports are reachable from my home office without further configuration (port forwarding, etc.).
(I think that's the best way to describe it.)

The setup is: 10 routers configured as OpenVPN clients and 2 Windows computers that connect to LAN devices that are attached to these routers.

So your advice is to switch to TAP?

EDIT: The author of the OpenVPN install script says that I have to enable the TUN module, otherwise OpenVPN will not work.

Server Config

  • Enable client to client access
  • EC [Elliptic Curve] Ciphers are more efficient (OpenVPN 2.4 added support for EC)
    • Replace: tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4:!kRSA

  • Set NTP, as it avoids potential problems with encryption handshakes
    • Add: push 'dhcp-option NTP 129.6.15.30'
      • That IP is NIST's; however, if your server is in Germany, pull from whatever the official German NTP hosts are (I'm assuming Germany has its own NIST-like agency), or whichever NTP you trust with a ping time of ~50ms or less.

  • Change verbosity to 4
    • Replace: verb 4

Client Config(s)

  • Prevent client side DHCP issues
    • Add: float

  • IIRC, tls-cipher is not a valid option in the client config
    • Remove: tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256

  • Continuously try to resolve hostname if resolution fails
    • Add: resolv-retry infinite

  • You're missing tls-auth, unless all your certs and keys were the only things after <ca>

  • Change verbosity to 5
    • Replace: verb 5

Additional Info

  • I abhor Easy-RSA, as OpenVPN maintainers have consistently chosen to be lazy about certificates
    • Because of this, all certs generated by Easy-RSA are:
      • Not properly created, as their certs
        • Severely limit what encryption ciphers can be utilized (ECDSA cannot be utilized for instance)
        • Lack the correct EKUs
        • Violate RFC rules about hostnames being the common name
          • This was deprecated around two decades ago in the RFC

    • OpenSSL should be utilized directly via an openssl.cnf and you can utilize the OpenSSL Wiki to generate the certs
      • Generating the certs the proper way, with the proper values will result in obsoleting certain options that are used purely due to Easy-RSA certs. If you choose to regenerate your certs, I can list what needs to be changed.

  • If you're utilizing x64 devices, SHA512 should be utilized, as x64 CPUs process SHA512 more efficiently than SHA256
    • You can see this with: openssl speed

Thanks for the help. But after changing my server/client config in the way you described (without CCD and Easy-RSA), I can't connect to my test router any more... I think I have to reset it.
I can't connect to 192.168.1.1 in any way (SSH, SCP); also my firewall shows that I'm trying to join a network (169.254.100.52/4). I tried to give fixed IPs to my LAN adapter. I think something is really messed up with DHCP.
Strange fact: if I go to 192.168.1.1 in a browser, I sometimes can see the button to enter LuCI. But when I press it, nothing happens :((
I think it is a bad idea to follow one guide, then implement some parts of another solution.

I'm sorry, it was a bit frustrating to fight with all that configuration. I'll try to gather more information, read more and give feedback.
Thanks for the help.

For your next post, please perform the steps under Troubleshooting for your server and client.

If you regenerated your certs using the OpenSSL Wiki linked to, you have to change a few options in your configs, which is why I stated "If you choose to regenerate your certs, I can list what needs to be changed."

  • Client Config
    • Remove:
      • tls-client
      • remote-cert-tls server
      • verify-x509-name xxxxxx

    • Add:
      • client
      • remote-cert-eku 'TLS Web Server Authentication'

I recommend utilizing the configs in the OpenVPN Server (Comprehensive) wiki, as they're fully tuned configs.

You're missing tls-auth in your client config... either way, without the full configs of each and the logs from each, nothing can be troubleshot.

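Added example, not from any post in this thread: a small linter that reads an OpenVPN config the way the two replies above read them and reports the points they raise (tls-auth or tls-crypt present, file or inline; tls-version-min; a non-AEAD cipher; verb level; client-to-client on the server; remote-cert-tls or remote-cert-eku on the client). The parser understands inline <ca>/<tls-auth> blocks, which is exactly why the first, truncated client paste looked as if it had no tls-auth at all. The sample configs are transcribed from this thread and trimmed, with key material replaced by placeholders; the severities are my own choices, not the replies'.

```python
"""Added example (not from any post in this thread): lint an OpenVPN config for
the settings argued over above.  Samples are transcribed from the thread, trimmed."""
import re
import shlex
from typing import Dict, List, Tuple

AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}
Finding = Tuple[str, str, str]          # (severity, directive, message)


def parse_openvpn_config(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the argument lists it appears with.  Inline blocks
    (<ca>, <tls-auth>, ...) are recorded under the block name with the single
    argument "[inline]".  An unterminated block swallows everything after it,
    which is what a paste that stops in the middle of <ca> looks like."""
    directives: Dict[str, List[List[str]]] = {}
    open_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if open_block is not None:                  # inside <name> ... </name>
            if line == f"</{open_block}>":
                directives.setdefault(open_block, []).append(["[inline]"])
                open_block = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            open_block = m.group(1)
            continue
        parts = shlex.split(re.split(r"\s[#;]", line)[0])   # drop trailing comment
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def lint(text: str, role: str) -> List[Finding]:
    """role is "server" or "client"; returns (severity, directive, message) tuples."""
    d = parse_openvpn_config(text)
    first = lambda name: d.get(name, [[]])[0]       # args of the first occurrence, or []
    out: List[Finding] = []
    # Control-channel HMAC keeps unauthenticated packets away from the TLS stack.
    if "tls-auth" not in d and "tls-crypt" not in d:
        out.append(("high", "tls-auth", "no tls-auth or tls-crypt, neither file nor inline"))
    tvm = first("tls-version-min")
    if not tvm or float(tvm[0]) < 1.2:
        out.append(("high", "tls-version-min", "TLS 1.0/1.1 accepted on the control channel"))
    cipher = first("cipher")
    if cipher and cipher[0].upper() not in AEAD_CIPHERS:
        out.append(("medium", "cipher", f"{cipher[0]} is not an AEAD cipher; prefer AES-*-GCM"))
    verb = first("verb")
    if not verb or int(verb[0]) < 4:
        out.append(("info", "verb", "verb below 4 hides handshake and route details when debugging"))
    if role == "server":
        if "client-to-client" not in d:
            out.append(("info", "client-to-client",
                        "traffic between VPN clients relies on kernel forwarding and the firewall"))
        if any(a and a[0].startswith("redirect-gateway") for a in d.get("push", [])):
            out.append(("info", "push", "redirect-gateway is pushed to every client, routers included"))
    elif "remote-cert-tls" not in d and "remote-cert-eku" not in d:
        out.append(("high", "remote-cert-tls",
                    "any CA-signed cert, another client's included, is accepted as the server"))
    return out


# Constructed sample: the posted server.conf, trimmed.
SERVER_CONF = """\
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
tls-auth tls-auth.key 0
cipher AES-128-CBC
tls-version-min 1.2
verb 3
"""
# Constructed sample: the client paste as it first appeared, cut off inside <ca>.
CLIENT_TRUNCATED = """\
client
remote xxx 1194  #xxx=ServerIP
remote-cert-tls server
cipher AES-128-CBC
tls-version-min 1.2
verb 3
<ca>
-----BEGIN CERTIFICATE-----
........
"""
# The same client with the rest of its paste, inline tls-auth key included.
CLIENT_FULL = CLIENT_TRUNCATED + """\
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
xxxx
-----END OpenVPN Static key V1-----
</tls-auth>
"""
```

Calling lint(SERVER_CONF, "server") reports the CBC cipher, verb 3, the missing client-to-client and the pushed redirect-gateway; lint(CLIENT_TRUNCATED, "client") reports a missing tls-auth that disappears with CLIENT_FULL, because the inline block only counts once its closing tag is seen. A clean config (tls-crypt, AES-*-GCM, tls-version-min 1.2, verb 4, remote-cert-tls) returns no findings.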

Client and server configs are the same across any setup, with OpenWrt having a slightly different layout, utilizing option, list, and underscores vs dashes.

The only things that are different between setups are the way in which interfaces and firewalls are configured.


Oh, my mistake. I did not post the full client config; of course the keys come after that.

I have now edited the server/client configs according to your tips. I switched to "elliptic curves". I did not generate new certificates, as the VPN is working now and I first try to get the forwarding to the LAN working. Then, if all works, I'll fine-tune stuff.

Here is my new server.conf:

port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 84.200.69.80"
push "dhcp-option DNS 84.200.70.40"
push "redirect-gateway def1 bypass-dhcp" 
crl-verify crl.pem
ca ca.crt
cert server_DsCVzxxxPgp8eJw.crt
key server_DsCVzxxxPgp8eJw.key
tls-auth tls-auth.key 0
dh dh.pem
auth SHA256
cipher AES-128-CBC
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4:!kRSA
status openvpn.log
client-to-client
push 'dhcp-option NTP 212.18.3.18'
verb 4

Client-config:

client
proto udp
remote xx.xx.xx.xx 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_xxxxxxxxx name
auth SHA256
auth-nocache
cipher AES-128-CBC
tls-client
tls-version-min 1.2
setenv opt block-outside-dns
verb 5
float
resolv-retry infinite

<ca>
-----BEGIN CERTIFICATE-----
xxxxxx
-----END CERTIFICATE-----
</ca>
<cert>
xxxxxx
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
xxxxxx
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
xxxx
-----END OpenVPN Static key V1-----
</tls-auth>

OK, with these settings the router connects correctly to the server like before, but now I'm on elliptic curves.

The Problem:

After I add these lines to server.conf:

push 'route 192.168.1.0 255.255.255.0'
push 'dhcp-option DNS 192.168.1.1'
push 'dhcp-option WINS 192.168.1.1'

the router is not reachable any more from the LAN port on 192.168.1.1 (not reachable via browser, PuTTY, WinSCP).

I tried to troubleshoot like you told me, but I had some difficulties translating it to my config, as the wiki is written for OpenWrt routers, but my OpenVPN is running on a Debian server. I was a little bit afraid to mess with my firewall config as I did not know how to revert these changes, just in case.

I will try to get the debug logs tomorrow, but it seems that the VPN is working right, just the push route conflicts with something. Maybe there is another way to route this via LuCI?

Greetings, Gerd

OK, one thing I found out that will help:

If I add this line to server.conf:

push 'route 192.168.1.0 255.255.255.0'

The router is not reachable any more, like I said. Anyway, even if it works, this will be no solution for me, as this has to be configured client-side on the routers only. When I connect to the VPN via my Windows machine, I don't want this rule to be applied. So I think the only thing I have to understand is how routing in LuCI is done the right way, as the VPN seems to work fine (openvpn.log shows me all clients).

I don't understand the concept of all these virtual adapters and the firewall rules, and how they act together.

Gerd
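Added example, not from any post in this thread, and it goes one step beyond what the thread settles: the server-side way to reach the LAN behind each router without pushing that route to the routers themselves is a client-config-dir entry per router (ifconfig-push for the fixed tunnel address the poster wants, iroute for the LAN behind it) together with a matching route line in server.conf. The certificate CNs router01..router10 and the renumbered LANs 192.168.11.0/24..192.168.20.0/24 are assumptions for the example; the thread's routers all still sit on 192.168.1.0/24, which the plan refuses for the reason given in the early reply above (the server cannot tell ten identical subnets apart).

```python
"""Added example (not from any post in this thread): plan the server side of
reaching each router's LAN through OpenVPN with per-client ccd entries.
Assumed, not from the thread: router certificate CNs router01..router10 and
renumbered LANs 192.168.11.0/24..192.168.20.0/24.  The tunnel subnet and the
10.8.0.50.. addresses are the ones the poster asked for."""
import ipaddress
from typing import Dict, List, Tuple

VPN_NET = ipaddress.ip_network("10.8.0.0/24")   # matches 'server 10.8.0.0 255.255.255.0'
SERVER_ADDR = VPN_NET[1]                         # 10.8.0.1, the server's tun address

# Constructed site list: (certificate CN of the router's client cert, LAN behind it).
SITES: List[Tuple[str, str]] = [(f"router{n:02d}", f"192.168.{10 + n}.0/24") for n in range(1, 11)]


def plan_sites(sites: List[Tuple[str, str]], first_static: str = "10.8.0.50") -> Dict[str, dict]:
    """Give each CN a fixed tunnel address and validate the address plan.

    Raises ValueError when two routers claim overlapping LANs (the server could
    not tell whose 192.168.1.115 a packet is for), when a LAN overlaps the tunnel
    subnet, or when a static address falls outside the usable tunnel range."""
    plan: Dict[str, dict] = {}
    addr = ipaddress.ip_address(first_static)
    seen: List[ipaddress.IPv4Network] = []
    for cn, lan_cidr in sites:
        lan = ipaddress.ip_network(lan_cidr)       # strict: host bits must be zero
        if addr not in VPN_NET or addr in (SERVER_ADDR, VPN_NET.broadcast_address):
            raise ValueError(f"{cn}: {addr} is not a usable client address in {VPN_NET}")
        if lan.overlaps(VPN_NET):
            raise ValueError(f"{cn}: LAN {lan} overlaps the tunnel subnet {VPN_NET}")
        for other in seen:
            if lan.overlaps(other):
                raise ValueError(f"{cn}: LAN {lan} overlaps {other}; renumber one of them")
        seen.append(lan)
        plan[cn] = {"static": addr, "lan": lan}
        addr += 1
    return plan


def render_ccd(plan: Dict[str, dict]) -> Dict[str, str]:
    """One file per CN under the server's client-config-dir.
    ifconfig-push pins the tunnel address (topology subnet form: address netmask);
    iroute tells OpenVPN that this client is the way into its LAN."""
    return {cn: (f"ifconfig-push {s['static']} {VPN_NET.netmask}\n"
                 f"iroute {s['lan'].network_address} {s['lan'].netmask}\n")
            for cn, s in plan.items()}


def render_server_fragment(plan: Dict[str, dict], pool_end: str = "10.8.0.49") -> str:
    """Lines for server.conf.  The 'server ... nopool' line replaces the existing
    'server' line so the dynamic pool cannot hand out a pinned address; each
    'route' gives the kernel a route to that LAN via the tun device, and the
    ccd 'iroute' then selects the client that owns it."""
    lines = [
        "client-config-dir ccd",        # one file per CN; path is relative to the config dir
        "client-to-client",
        f"server {VPN_NET.network_address} {VPN_NET.netmask} nopool",
        f"ifconfig-pool {VPN_NET[2]} {pool_end} {VPN_NET.netmask}",
    ]
    for cn, s in plan.items():
        lines.append(f"# LAN behind {cn}")
        lines.append(f"route {s['lan'].network_address} {s['lan'].netmask}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    plan = plan_sites(SITES)
    print(render_server_fragment(plan))
    for cn, body in render_ccd(plan).items():
        print(f"--- ccd/{cn}\n{body}")
```

Running it prints the server.conf fragment and the ten ccd files. Two things the script cannot check for you: the ccd file name must equal the CN in that router's client certificate, and on the router side the wiki snippet posted earlier only forwards lan to vpn and leaves the vpn zone at input/forward REJECT, so reaching a data logger on the LAN from the home office additionally needs a forwarding from vpn to lan (and input ACCEPT on the vpn zone if LuCI or SSH on the router itself should answer over the tunnel). The Windows clients need no extra route, since the pushed redirect-gateway already sends everything into the tunnel.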