Networking isn't my strongest suit, so this one has me a little stumped.
My setup is 2x routers running OpenWrt 18.06.2, a Linksys WRT1900AC + WRT1200AC. The 1900 is the master (which runs the VPN server, plus other services) and the 1200 is a dumb AP. Everything works great locally and I can connect remotely via OpenVPN and connect to physical machines, but I cannot connect to 2 virtual machines that are on the network. I can connect to the physical VM host via VPN, and connecting to the VMs works when connected locally (via IP or hostname).
VMs are VirtualBoxes running Ubuntu 18.04. Network config is:
I've tried changing the network config to no avail.
Google isn't giving me much and I'm at a loss as to where to start looking for a solution. I'm not sure what else to provide in terms of info from OpenWrt, as everything is configured the same for all network hosts in OpenWrt, so please let me know if something would help diagnose the issue.
Anyone have any ideas on how to access VMs on the network when connected via OpenVPN?
: ip route
0.0.0.0/1 via 10.42.10.5 dev tun0
default via 192.168.123.254 dev enp0s3 proto dhcp src 192.168.123.150 metric 100
10.42.10.1 via 10.42.10.5 dev tun0
10.42.10.5 dev tun0 proto kernel scope link src 10.42.10.6
86.105.25.74 via 192.168.123.254 dev enp0s3
128.0.0.0/1 via 10.42.10.5 dev tun0
192.168.123.0/24 dev enp0s3 proto kernel scope link src 192.168.123.150
192.168.123.254 dev enp0s3 proto dhcp scope link src 192.168.123.150 metric 100
If there's anything else that would help, please let me know.
I just tried something and it's helped point me in a direction on where to look. Each VM connects to an externally hosted VPN provider for WAN traffic. When I turn off the external VPN I can connect to the services via my private VPN. As soon as I turn the external VPN on they stop working again... but having the external VPN on or off doesn't impact connecting to the services while locally on my LAN, and that's why I didn't think that could be the problem, as I thought using a VPN would enable me to access my local network remotely. So I need to poke around my OpenVPN server and client configs to see what the issue could be.
Client config:
client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt
disable-occ
remote-random
auth-nocache
mute-replay-warnings
auth-user-pass login
up up.sh
down down.sh
script-security 2
ping-restart 300
#keep-alive
#remote servers
....
Anyone have any idea what the problem with the OpenVPN configs could be?
You need to draw a diagram explaining where the 5 VPNs are.... the description is confusing.
I think I know what's going on but.... you have to be clear....
We know there are VMs that have a VPN connection to outside.
Other than that, you're not clear on where you're testing from.... and the segments + devices that are involved here....
You talk of server configuration.... but do you mean your LAN edge ROUTER runs an OPENVPN server and while testing from a REMOTE client..... etc. etc.....
Either way..... you sit down on the end devices and view the routes.... if they are present you check the routes in the chain......
Agreed, it gets confusing real fast... Hope this is ok, it's my first. I've left out unrelated devices and the second VM, as it has the same config and issue.
Everything works great when on LAN from every device and in its current state. I can connect to the troublesome VM without issue.
When I try to connect to the LAN via the WRT1900 OpenVPN server from a remote Android phone I am unable to connect to the VM. I am able to connect to the VM host and other machines.
If I disable the PIA VPN connection on the VM I am able to connect to the VM from the remote Android phone connected via the WRT1900 OpenVPN server.
WRT1900 OpenVPN server config:
verb 3
user nobody
group nogroup
dev tun0
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 120
persist-tun
persist-key
push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DOMAIN local"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
-----BEGIN DH PARAMETERS-----
.....
PIA OpenVPN client config:
client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt
disable-occ
remote-random
auth-nocache
mute-replay-warnings
auth-user-pass login
up up.sh
down down.sh
script-security 2
ping-restart 300
#keep-alive
#remote servers
....
ip route from VM with PIA OpenVPN connected:
: ip route
0.0.0.0/1 via 10.42.10.5 dev tun0
default via 192.168.123.254 dev enp0s3 proto dhcp src 192.168.123.150 metric 100
10.42.10.1 via 10.42.10.5 dev tun0
10.42.10.5 dev tun0 proto kernel scope link src 10.42.10.6
86.105.25.74 via 192.168.123.254 dev enp0s3
128.0.0.0/1 via 10.42.10.5 dev tun0
192.168.123.0/24 dev enp0s3 proto kernel scope link src 192.168.123.150
192.168.123.254 dev enp0s3 proto dhcp scope link src 192.168.123.150 metric 100
Wrt1900 192.168.123.254
VM host 192.168.123.30
VM 192.168.123.150
VM needs a route to 192.168.8.0/24 via its LAN interface enp0s3 (or via 192.168.123.254); you could upscale that route to 192.168.0.0/16 later on....
When its VPN (vm-pia) is not connected it gets to 192.168.8.0 via its default route. When its VPN is connected it tries to send 192.168.8.x via the VM's tun0 (pia).
( most peeps would have the PIA connect out from the edge ... in this situation the VM default route makes it universally 192.168.8.x aware )
These two routes (on the PIA-connected VM) override the default because they are more specific:
0.0.0.0/1 via 10.42.10.5 dev tun0
OVERRIDDEN default via 192.168.123.254 OVERRIDDEN
128.0.0.0/1 via 10.42.10.5 dev tun0
One way to define your setup is to say "I have a road warrior subnet handled by the edge/LAN-gateway router 192.168.8.0" and call the pia-vm-vpn-connection just that..... "remote" gets ambiguous.....
Try statically-from-vm-to-.8 first..... if it works you can put 1) an ip route add / remove in its up/down scripts..... 2) a route statement in its pia-client.conf or 3) you could also try sending the 192.168.8.0 route from the LAN DHCP server (not all clients will honor this):
uci add_list dhcp.lan.dhcp_option="121,192.168.8.0/24,192.168.123.254"
uci commit dhcp
service dnsmasq restart
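Added example (not from the thread or from OpenWrt): a small longest-prefix-match simulation over the VM's posted routing table, showing why 192.168.8.x falls into the PIA tunnel while 192.168.123.x does not, why a /24 route via the LAN gateway wins, and what the option 121 payload in the uci command above looks like on the wire. The route list and the `with_lan_route`/`encode_option121` helpers are mine; the addresses are the ones from the thread.

```python
# Added example: simulate Linux longest-prefix-match routing over the
# `ip route` table posted for the PIA-connected VM.
import ipaddress

# (prefix, gateway, device) copied from the thread's output; "default" is 0.0.0.0/0.
VM_ROUTES_PIA_UP = [
    ("0.0.0.0/1", "10.42.10.5", "tun0"),           # pushed by PIA (redirect-gateway def1)
    ("0.0.0.0/0", "192.168.123.254", "enp0s3"),    # LAN default, now never chosen
    ("10.42.10.1/32", "10.42.10.5", "tun0"),
    ("10.42.10.5/32", None, "tun0"),
    ("86.105.25.74/32", "192.168.123.254", "enp0s3"),  # PIA endpoint stays off-tunnel
    ("128.0.0.0/1", "10.42.10.5", "tun0"),         # second half of the def1 pair
    ("192.168.123.0/24", None, "enp0s3"),          # on-link LAN, /24 beats /1
    ("192.168.123.254/32", None, "enp0s3"),
]

def lookup(routes, dst):
    """Return (gateway, device) for dst: the matching route with the longest prefix wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]

def with_lan_route(routes):
    """The fix from the reply above: a /24 to the road-warrior subnet via the LAN gateway."""
    return routes + [("192.168.8.0/24", "192.168.123.254", "enp0s3")]

def encode_option121(routes):
    """RFC 3442 classless static route payload for (dest/prefix, router) pairs.
    Per RFC 3442 a client that honours option 121 ignores option 3 (router),
    so the default route must be included in the same option."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.ip_network(dest)
        n = net.prefixlen
        out.append(n)                                   # prefix length
        out += net.network_address.packed[:(n + 7) // 8]  # only significant octets
        out += ipaddress.ip_address(router).packed      # next hop
    return bytes(out)

if __name__ == "__main__":
    print("192.168.8.10 with PIA up:", lookup(VM_ROUTES_PIA_UP, "192.168.8.10"))
    print("192.168.8.10 with LAN route:", lookup(with_lan_route(VM_ROUTES_PIA_UP), "192.168.8.10"))
    print(encode_option121([("0.0.0.0/0", "192.168.123.254"), ("192.168.8.0/24", "192.168.123.254")]).hex())
```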