[SOLVED] Connecting to VPN Server, can reach Lan by IP but cannot reach Lan by hostname

Hello,

I managed to set up both a VPN server and a VPN client on my router. With the help of @stangri's vpn-policy-routing app I managed to have a single IP connect to my VPN provider, the rest goes normally to WAN.
With the help of stangri, via the VPN tunnel to my VPN server I managed to reach all devices by IP address.

However, I cannot reach the devices by hostname.
Locally it works. Dnsmasq does this, I learned. In 'Network' under 'DHCP and DNS' I set up static leases for each device. DNS servers are set up like this:

uci -q del dhcp.@dnsmasq[-1].server
uci add_list dhcp.@dnsmasq[-1].server='8.8.8.8'
uci add_list dhcp.@dnsmasq[-1].server='4.4.4.4'
uci commit

/etc/config/openvpn looks like this (torguard is vpn client):

config openvpn 'torguard'
        option client '1'
        option dev_type 'tun'
        option dev 'tun0'
        option proto 'udp'
        option resolv_retry 'infinite'
        option nobind '1'
        option persist_key '1'
        option persist_tun '1'
        option ca '/etc/luci-uploads/cbid.openvpn.torguard.ca'
        option route_nopull '1'
        option remote_cert_tls 'server'
        option cipher 'AES-128-CBC'
        option comp_lzo 'yes'
        option verb '3'
        option fast_io '1'
        option auth_user_pass '/etc/openvpn/userpass.txt'
        option remote_random '0'
        option auth 'SHA1'
        option reneg_sec '0'
        list remote 'nl.torguardvpnaccess.com 80'
        option sndbuf '393216'
        option rcvbuf '393216'
        option mute_replay_warnings '1'
        option auth_nocache '1'
        option enabled '1'
        option log '/tmp/openvpnclient.log'

config openvpn 'vpnserver'
        option port '1194'
        option proto 'udp'
        option dev_type 'tun'
        option dev 'tun1'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/server.crt'
        option key '/etc/openvpn/server.key'
        option dh '/etc/openvpn/dh1024.pem'
        option server '192.168.10.0 255.255.255.0'
        option keepalive '10 120'
        option comp_lzo 'yes'
        option persist_key '1'
        option persist_tun '1'
        option verb '3'
        list push 'route 192.168.1.0 255.255.255.0'
        option log '/tmp/openvpnserver.log'
        option enabled '1'

The vpn part of /etc/config/firewall looks like this:

config zone 'vpnserverfw'
        option name 'vpnserverfw'
        option network 'vpnserver'
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option masq '1'

config forwarding 'vpnserverfw_forwarding_lan_in'
        option src 'vpnserverfw'
        option dest 'lan'

config forwarding 'vpnserverfw_forwarding_lan_out'
        option src 'lan'
        option dest 'vpnserverfw'

config forwarding 'vpnserverfw_forwarding_wan'
        option src 'vpnserverfw'
        option dest 'wan'

config policy
        option comment 'hummingboard'
        option local_addresses '192.168.1.103'
        option local_ports '8081,22,9091,6789,8888,'
        option interface 'wan'

config policy
        option comment 'vero2'
        option local_addresses '192.168.1.110'
        option local_ports '8081,22,9091,6789,8888,9117,9090'
        option interface 'wan'

hummingboard and vero2 are the only 2 devices that connect to the VPN provider. To reach them via the VPN connection to my VPN server I had to add the last 2 config policies.
Can somebody help me here?

PS: In the VPN server conf I already tried to add list push 'dhcp-option DNS 192.168.1.1' and also list push 'redirect-gateway def1' with no success.

I'm assuming you're trying to access a LAN device via its hostname only? If so, the following should (if not must) be set:

  • Local domain should (if not must) be the same across all devices, of which is set on the router
    • /etc/config/dhcp, via option domain 'LEDE', where LEDE is the local domain.

  • Each device must have its local domain (also referred to as the workgroup name) echo the local domain configured on the router.

  • Each device being accessed via its hostname must have a static IP set with a hostname assigned (via the router, not the device itself)

  • Depending on the OS, and what's being accessed (WebUI, network share, etc), a hosts file entry may be required, on the device which is accessing another via its hostname only, in the format of
    • <IP> <Hostname> <Hostname.LocalDomain>
      • For example: 192.168.2.2 FreeNAS FreeNAS.LEDE

Yes. But it still should be accessible via IP too.

So, a static lease in DHCP doesn't suffice?
Does it mean I ditch the whole dnsmasq setup? Or only the DHCP part?
I never set up static IPs before, I'll try to. I guess, like with static leases, they mustn't be in the DHCP address range, right?
Anything else I have to watch out for?

Thanks so far for the help, I ask these things because I don't wanna end up with a more complicated setup that maybe needs additional work to get everything working.
The VPN client gets its IP by DHCP now, I think?...
Is it then no problem if that client wants to reach a static IP?
...As you see, I'm a noob in this field, there's so much basic stuff I'm lacking but I don't plan on getting deeper into it than I need to.

Where exactly would I put this in /etc/config/dhcp?
Under config dnsmasq I already have option domain 'lan'.

Or do you mean it has to be under every host entry like this:

config host
        option name 'pc'
        option dns '1'
        option mac '<mac>'
        option ip '<ip>'
        option domain 'home'

And after everything is set up I should be able to reach devices with pc.home ?

No, a static IP, with a hostname, must be configured, else the DNS server on the router has no clue where to route traffic if a hostname is not specified for a local device attempting to be accessed via its hostname.

  • /etc/config/dhcp
    • Not a full dhcp config, just the relevant part we're speaking about
    #
    
        ##::[[---  LEDE LAN DHCP Config  ---]]::##
    
    ####################################################
                 ##----- DNS Server -----##
    ####################################################
    
        # DNSmasq #
    #---------------------------------------------------
    config dnsmasq
        option  domain      'lan'
    
    ####################################################
                 ##----- Static IPs -----##
    ####################################################
    
    config host
        option  ip          192.168.2.2
        option  mac         'AA:BB:CC:DD:EE:FF'
        option  name        'FreeNAS'
    

You can change this if you want, otherwise, if you're looking to access:

  • A WebUI, such as FreeNAS', you would enter: https://freenas.lan
  • A network share, you would enter: //freenas/<share name>

Ok, I set up all as you wrote it but still no success.
Over the VPN tunnel this works:
ssh to the router and pinging vero2.home gives a response
ssh to a 3rd Debian device, adding a line in /etc/hosts and pinging vero2.home gives a response

But entering http://vero2.home:8081/ in the browser (VPN tunnel active, of course) doesn't work. Chrome says ERR_NAME_NOT_RESOLVED.

Any more ideas?
PS: I haven't set up the vpn server according to your very detailed wiki, I guess you saw it in the provided files.

You're missing configuration options in your VPN config.

  # Push DNS to clients
    list    push                    'dhcp-option    DNS 192.168.1.1'

  # WINS may be required, depending on your environment
    list    push                    'dhcp-option    WINS 192.168.1.1'

  # Client to Client is required to have VPN clients access other devices
    option  client_to_client        1
  • Firewall rules must mirror those in this post
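
As an added example, not part of this thread and not OpenWrt's or OpenVPN's own code: once the server pushes 'dhcp-option DNS 192.168.1.1', the quickest way to tell whether the router's dnsmasq is reachable and answering from the tunnel side (as opposed to the client simply not using the pushed server, which is what Chrome's ERR_NAME_NOT_RESOLVED usually means) is to send a hand-built DNS query straight to the router from the VPN client. The script below does that with the standard library only. Assumptions that are mine: the router's LAN address is 192.168.1.1 as in the thread, the lease name is vero2 under the local domain lan, and the client already has a route to 192.168.1.0/24 through the tunnel.

```python
# Added example (not from the thread, OpenWrt or OpenVPN): query the router's
# dnsmasq from the VPN client with a hand-built DNS packet, so the result is
# not masked by the client's own resolver or search-domain settings.
# Assumptions (mine): router LAN address 192.168.1.1 as in the thread; the
# static-lease hostname is 'vero2' under local domain 'lan'; the VPN client
# already has a route to 192.168.1.0/24 through the tunnel.
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txn_id=0x1234):
    """Minimal DNS query: one A-record question, recursion desired."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(data):
    """Return (rcode name, list of IPv4 answers) from a raw DNS response."""
    _txn, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode = RCODES.get(flags & 0x0F, "RCODE%d" % (flags & 0x0F))
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(data, off)
        off += 4
    ips = []
    for _ in range(an):
        _, off = _read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return rcode, ips


def diagnose(rcode, ips):
    """Translate the answer into the next thing a practitioner should check."""
    if rcode == "NOERROR" and ips:
        return ("router resolves the name over the tunnel; the client is not "
                "using the pushed DNS server or search domain")
    if rcode == "NXDOMAIN":
        return ("router answers but knows no such host; check the static "
                "lease name and the domain suffix")
    if rcode == "TIMEOUT":
        return ("no reply: port 53 on the router is not reachable from the "
                "tunnel (zone input policy) or dnsmasq does not serve the "
                "tunnel's interface/subnet ('interface'/'localservice' in "
                "/etc/config/dhcp)")
    return "unexpected answer (%s); check which server actually replied" % rcode


def resolve_via(server, name, timeout=2.0):
    """Send the query over UDP to server:53 and parse whatever comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "TIMEOUT", []
    return parse_response(data)


if __name__ == "__main__":
    rcode, ips = resolve_via("192.168.1.1", "vero2.lan")
    print(rcode, ips, "->", diagnose(rcode, ips))
```

Run it from the VPN client while the tunnel is up; a NOERROR answer with the LAN address proves the server side (firewall zone, dnsmasq, static lease) is fine and narrows the problem to the client not applying the pushed DNS settings.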

It's tough for me to figure out how they need to be changed to fit my setup. I already have the first rule from your linked post. The firewall zone of the VPN server is named vpnserverfw. So change every vpn entry in your rules to that? Also the IPs... Change 10.1.0.0/28 to 192.168.10.0/28?
Is this right?

config rule
     option  target          'ACCEPT'
     option  family          'ipv4'
     option  proto           'tcp udp'
     option  src             'vpnserverfw'
     option  src_ip          '192.168.10.0/28'
     option  dest_ip         '192.168.1.0/24'
     option  name            'Allow OpenVPN -> LAN'

config rule
     option  target          'ACCEPT'
     option  family          'ipv4'
     option  proto           'tcp udp'
     option  src             'vpnserverfw'
     option  dest            *
     option  name            'Allow Forwarded OpenVPN -> <device>'

config rule
     option  target          'ACCEPT'
     option  family          'ipv4'
     option  proto           'icmp'
     option  src             'vpnserverfw'
     option  src_ip          '192.168.10.0/28'
     option  dest            'lan'
     option  name            'Allow OpenVPN (ICMP) -> LAN'

config rule
     option  target          'ACCEPT'
     option  family          'ipv4'
     option  proto           'icmp'
     list    icmp_type       'echo-request'
     option  src             'vpnserverfw'
     option  src_ip          '192.168.10.0/28'
     option  dest            'wan'
     option  name            'Allow OpenVPN (echo-request) -> WAN'

Please review the rules and input your own settings accordingly, as you're missing information above that is within the rules I posted... also, hierarchy matters and those rules should be in the order I laid out.

  • If your firewall rules match, and the options i noted above are added, the vpn server restarted, and the clients disconnected, then reconnected, the issue is not the server config or firewall rules.

  • You can determine r/w requests on the vpn server by upping its verbosity to 6 or above, however, the vpn server wouldn't be the issue if you've added the 3 options above.

If you are still unable to narrow down where your issue is at, I'd recommend, if you've customized your dhcp config or are not using OpenWrt defaults, reviewing the DHCP Configuration wiki. Otherwise, I'd recommend starting with known working config options, then compare to see where the issue is at.

  • Known working configs for accessing LAN devices by hostname:
    • Firewall
      • I've updated the firewall config with the config in the aforementioned post above.
    • VPN Server
      • Unless Net30 topology was removed from OpenVPN 2.4 as the default topology, you have to specify subnet topology: option topology 'subnet'
    • VPN Clients

Yeah, seems like I have something for the weekend now... Changing and pasting in the rules + VPN config does not work, I guess I'll start over using your wiki. It's better anyway.
I made the certs with easy-rsa and the VPN connection also throws an MTU error. Seems like with your config everything is worked out and optimized. I'm gonna go for that.

Only thing I didn't find is where you create a firewall zone for vpnserver...

Scratch that, I saw it's not done with a uci command, it's in the firewall config file. The ways to make changes are a bit confusing for me: there's via uci commands, via the LuCI web UI and just writing it in the file... and every way has a different 'syntax'.

If you pasted in what I mentioned above, the issue doesn't appear to be VPN related. The three options mentioned above for the server config are all that's required to push the DNS server to the client, and client to client allows communication between the VPN client and other devices on the network.

Perhaps I missed it above, but are you able to access devices by hostname when not connected through the VPN?

  • Are you reloading/restarting the firewall and VPN server after making changes?
    • Did you restart dnsmasq, odhcpd, and network after making changes to the dhcp config?
      • cd /etc/init.d ; ./dnsmasq restart ; ./odhcpd restart ; ./network restart
    • Did you reboot the LAN device after making changes to its static entry in the dhcp config? Rebooting the router would also accomplish the same.
      • Router: reboot

  • UCI [Unified Configuration Interface] is mainly for scripting, else it becomes more work than it's worth.
    • Outside of scripting, it's far faster and more efficient to simply edit configs directly with vi or nano

  • LuCI [Lua Configuration Interface] is the GUI for making changes to the router and is also known as the WebUI/WebAdmin.
    • Unless a wiki specifically states to make changes via LuCI, this should not be utilized when following wikis.

  • Config files are a more sane way to edit and when done editing, to apply the changes, the affected daemons must be restarted to load the config changes.
    • I prefer editing configs directly versus that of utilizing LuCI, mainly because LuCI destroys the formatting of configs, of which makes reading & editing them directly more cumbersome and inefficient.
      • You can see this by comparing my syntax highlighted code boxes above to the bland code box created via the toolbar (for a starker comparison, compare my post here with this post).
        • If you're editing configs with vi, add # to the first line of the config, save the change, then re-open the file and vi should have applied basic syntax highlighting to the config. This is why all my configs start with a # on the first line.

Setting it up via the wiki anyway.
But I'm already stuck here:
https://openwrt.org/docs/user-guide/openvpn.server#tab__prerequisites1

Does it matter what I put in the Servers and clients line 201-225 in openssl.cnf?
Also, are these entries [ alt_freenas ] [ alt_sophos ]... just headlines, and can I delete servers I don't need and change these?

Simply follow the wiki as written...

  • Does it state to modify lines 201 - 225?
    • I see the confusion is with the heading in that tabbox... (1) is what you need to edit, (2) is telling you where server and clients can be found in the openssl.cnf.

You don't need to re-issue certs... @stangri's wiki for creating certs is likely going to be easier for you to follow.

  • Again, your VPN is likely not the issue... as such, there's no reason to redo the setup.

Ok, it was not clear to me.

And here:
Change the SAN DNS from VPNserver-Client1-Device-Hostname to match client username.

To match which client username? There was no mention of any client username so far. I thought maybe later in the VPN client conf there is a username specified but I can't find such an entry. Can it be one of my choosing?

As I said, I couldn't make it work. I don't want to patch something together I don't fully understand, so I'm trying to follow the complete wiki.

Hmm... now I'm trying to generate the CA CRL and I get:
.\index: No such file or directory unable to open '.\index'

I did touch rand before.

You don't need to re-issue certs either way... utilize the certs you created when you followed @stangri's wiki.

This is explained in the bullet under 1.a.I in the Client Certs Prerequisite box.

  • While you're not the first user to have questions or issues with the certificate creation process in my wiki, I included all information required to answer questions regarding the certification creation process in the wiki.
    • For users not wishing to take the time to refer to the documentation contained in the wiki, such as the wealth of information here, here, and here, @stangri's wiki is what would likely be a better fit.

You're not following the wiki and I will no longer troubleshoot your issues with the certificate creation process because you're not following the wiki as written. Again, you do not need to re-generate certs.

  • At this point, please refer to the Wiki Documentation, as I can no longer help you with any of your troubleshooting.

I'd strongly encourage re-reading this post, as it likely contains where your issue is

  • Your issue is not VPN related at this point

Initially I used this tutorial to set up vpn server.

Thing is, I'm still not sure if the adjusted firewall rules I posted here are correct.

Also, like I mentioned, there's also an OpenVPN client on my router and one device goes through that VPN tunnel with the help of @stangri's vpn-policy-routing app, so in the VPN server conf. route-nopull is used.
I don't know if that could affect something.
Also DNS servers are set up like this:

uci -q del dhcp.@dnsmasq[-1].server
uci add_list dhcp.@dnsmasq[-1].server='8.8.8.8'
uci add_list dhcp.@dnsmasq[-1].server='4.4.4.4'
uci commit

because I want to use different DNS servers.

This I don't know since I've never configured a router as a VPN client, however this shouldn't have any bearing on a remote client connecting to the VPN server and accessing devices by IP or hostname.

That specific post is missing the initial rule for accepting the initial VPN connection request, of which I assumed was in your config, just that your copy/paste missed it.

  • These are your rules for your VPN server (double check I have everything correct)
     config zone
         option  name            'vpn'
         option  network         'tun1'
         option  input           'ACCEPT'
         option  output          'ACCEPT'
         option  forward         'ACCEPT'
    
     config rule
         option  target          'ACCEPT'
         option  family          'ipv4'
         option  proto           'tcp udp'
         option  src             *
         option  dest_port       1194
         option  name            'Allow Forwarded OpenVPN Request -> <device>'
    
     config rule
         option  target          'ACCEPT'
         option  family          'ipv4'
         option  proto           'tcp udp'
         option  src             'vpn'
         option  src_ip          '192.168.10.0/24'
         option  dest_ip         '192.168.1.0/24'
         option  name            'Allow OpenVPN -> LAN'
    
     config rule
         option  target          'ACCEPT'
         option  family          'ipv4'
         option  proto           'tcp udp'
         option  src             'vpn'
         option  dest            *
         option  name            'Allow Forwarded OpenVPN -> <device>'
    
     config rule
         option  target          'ACCEPT'
         option  family          'ipv4'
         option  proto           'icmp'
         option  src             'vpn'
         option  src_ip          '192.168.10.0/24'
         option  dest            'lan'
         option  name            'Allow OpenVPN (ICMP) -> LAN'
    
     config rule
         option  target          'ACCEPT'
         option  family          'ipv4'
         option  proto           'icmp'
         list    icmp_type       'echo-request'
         option  src             'vpn'
         option  src_ip          '192.168.10.0/24'
         option  dest            'wan'
         option  name            'Allow OpenVPN (echo-request) -> WAN'
    
     config forwarding
         option  dest            'vpn'
         option  src             'lan'
    
     config forwarding
         option  dest            'lan'
         option  src             'vpn'
    
     config forwarding
         option  dest            'wan'
         option  src             'vpn'
    

Please post your dhcp config [/etc/config/dhcp], unless you're utilizing a dnsmasq.conf directly, and if you are, that is something I don't have the knowledge to help you with.
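
An added example, mine rather than code from the thread, OpenWrt or OpenVPN: the settings the replies above keep coming back to (the pushed DNS server and client_to_client in /etc/config/openvpn; a zone for the tunnel whose input policy lets DNS reach the router, plus a forwarding from that zone to lan in /etc/config/firewall) are easy to check mechanically, and doing so avoids the copy/paste mismatch the thread ran into. The script parses UCI syntax and lists what is absent. It goes one step beyond the thread: it also looks for a pushed search domain ('dhcp-option DOMAIN lan'), which is what lets a short name like vero2 resolve on the client rather than only vero2.lan. Assumptions that are mine: the tunnel's zone is identified by its 'network' option naming the openvpn section ('vpnserver', as in the poster's config), and the sample text is a constructed excerpt modelled on the poster's files, not a verbatim copy.

```python
# Added example (mine, not from the thread, OpenWrt or OpenVPN): parse UCI
# config text and report which settings discussed in the thread are missing.
# Assumptions: the tunnel's firewall zone is the one whose 'network' option
# names the openvpn section ('vpnserver'); the sample below is a constructed
# excerpt modelled on the poster's files, not a verbatim copy.
import re

_TOKEN = re.compile(r"""'([^']*)'|"([^"]*)"|(\S+)""")


def parse_uci(text):
    """Parse UCI syntax into [{type, name, options, lists}] in file order."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = [a or b or c for a, b, c in _TOKEN.findall(line)]
        if words[0] == "config" and len(words) > 1:
            sections.append({"type": words[1],
                             "name": words[2] if len(words) > 2 else None,
                             "options": {}, "lists": {}})
        elif words[0] == "option" and len(words) > 1 and sections:
            sections[-1]["options"][words[1]] = words[2] if len(words) > 2 else ""
        elif words[0] == "list" and len(words) > 1 and sections:
            sections[-1]["lists"].setdefault(words[1], []).append(
                words[2] if len(words) > 2 else "")
    return sections


def check_vpn_dns(openvpn_text, firewall_text, server_name, lan_ip):
    """Return a list of findings; an empty list means nothing obvious is missing."""
    findings = []
    servers = [s for s in parse_uci(openvpn_text) if s["name"] == server_name]
    if not servers:
        return ["openvpn section '%s' not found" % server_name]
    srv = servers[0]
    pushes = [p.split() for p in srv["lists"].get("push", [])]
    if not any(p[:3] == ["dhcp-option", "DNS", lan_ip] for p in pushes):
        findings.append("no push 'dhcp-option DNS %s'" % lan_ip)
    if not any(p[:2] == ["dhcp-option", "DOMAIN"] for p in pushes):
        findings.append("no push 'dhcp-option DOMAIN <local domain>' "
                        "(short names will not resolve)")
    if srv["options"].get("client_to_client") != "1":
        findings.append("client_to_client not set")

    fw = parse_uci(firewall_text)
    # 'network' may be a space-separated option or a list in newer configs
    zones = [z for z in fw if z["type"] == "zone" and server_name in
             z["options"].get("network", "").split() + z["lists"].get("network", [])]
    if not zones:
        return findings + ["no firewall zone covers network '%s'" % server_name]
    zone = zones[0]["options"]
    zname = zone.get("name")
    if zone.get("input") != "ACCEPT":
        findings.append("zone '%s' input is %s; DNS to the router needs ACCEPT "
                        "or a port 53 rule" % (zname, zone.get("input")))
    forwardings = {(f["options"].get("src"), f["options"].get("dest"))
                   for f in fw if f["type"] == "forwarding"}
    if (zname, "lan") not in forwardings:
        findings.append("no forwarding from zone '%s' to lan" % zname)
    return findings


# Constructed excerpt modelled on the thread's configs (not a verbatim copy).
SAMPLE_OPENVPN = """
config openvpn 'vpnserver'
        option server '192.168.10.0 255.255.255.0'
        list push 'route 192.168.1.0 255.255.255.0'
        option enabled '1'
"""

SAMPLE_FIREWALL = """
config zone 'vpnserverfw'
        option name 'vpnserverfw'
        option network 'vpnserver'
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'

config forwarding 'vpnserverfw_forwarding_lan_in'
        option src 'vpnserverfw'
        option dest 'lan'
"""

if __name__ == "__main__":
    for finding in check_vpn_dns(SAMPLE_OPENVPN, SAMPLE_FIREWALL,
                                 "vpnserver", "192.168.1.1"):
        print("-", finding)
```

On a router, feed it the real files (open('/etc/config/openvpn').read() and open('/etc/config/firewall').read()); with the sample excerpt it reports the three server-side push/client_to_client items the replies asked for, and nothing about the firewall, because the zone's input is already ACCEPT and the vpnserverfw-to-lan forwarding exists.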