[SOLVED] Unable to connect to VM when using OpenVPN

Hi Guys,

Networking isn't my strongest suit so this one has me a little stumped.
My setup is 2x routers running OpenWrt 18.06.2, Linksys WRT1900AC + 1200AC. The 1900 is the master (which runs the VPN server, plus other services) and the 1200 is a dumb AP. Everything works great locally and I can connect remotely via OpenVPN and connect to physical machines, but I cannot connect to 2 virtual machines that are on the network. I can connect to the physical VM host via VPN, and connecting to the VMs works when connected locally (via IP or hostname).

VMs are VirtualBoxes running Ubuntu 18.04. Network config is:


I've tried changing the network config to no avail.

Google isn't giving me much and I'm at a loss as to where to start looking for a solution. I'm not sure what else to provide in terms of info from OpenWrt as everything is configured the same for all network hosts in OpenWrt, so please let me know if something would help diagnose the issue.

Anyone have any ideas on how to access VMs on the network when connected via OpenVPN?

If your computer and VM are plugged into eth0, you should be OK.

Is this VPN via a different interface?

If it's on your LAN, then disconnect the VPN. They're on the same LAN.

1 Like

Hi,

Yes, both the VM host and VMs are connected to the LAN via eth0

VM host:

─╼ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.123.30  netmask 255.255.255.0  broadcast 192.168.123.255
        inet6 fe80::df78:930a:4401:da7d  prefixlen 64  scopeid 0x20<link>
        inet6 fd1b:ff41:964:0:b40d:8b5b:b1a:6ff6  prefixlen 64  scopeid 0x0<global>
        inet6 fd1b:ff41:964::612  prefixlen 128  scopeid 0x0<global>
        inet6 fd1b:ff41:964:0:f1a1:e482:9fb1:9b55  prefixlen 64  scopeid 0x0<global>
        ether 50:3e:aa:03:76:ff  txqueuelen 1000  (Ethernet)
        RX packets 31090875  bytes 10725618188 (10.7 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 65262695  bytes 72888735919 (72.8 GB)
        TX errors 1  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 5456418  bytes 1129557549 (1.1 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5456418  bytes 1129557549 (1.1 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

VM:

: ifconfig
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.123.150  netmask 255.255.255.0  broadcast 192.168.123.255
        inet6 fe80::a00:27ff:fe74:4cb1  prefixlen 64  scopeid 0x20<link>
        inet6 fd1b:ff41:964::f3d  prefixlen 128  scopeid 0x0<global>
        inet6 fd1b:ff41:964:0:a00:27ff:fe74:4cb1  prefixlen 64  scopeid 0x0<global>
        ether 08:00:27:74:4c:b1  txqueuelen 1000  (Ethernet)
        RX packets 5842701  bytes 907636271 (907.6 MB)
        RX errors 0  dropped 107  overruns 0  frame 0
        TX packets 10093087  bytes 11520917116 (11.5 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 35446  bytes 7128586 (7.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 35446  bytes 7128586 (7.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.42.10.6  netmask 255.255.255.255  destination 10.42.10.5
        inet6 fe80::7d90:70c3:7972:31e5  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 5632711  bytes 324270743 (324.2 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9912762  bytes 10546920611 (10.5 GB)
        TX errors 0  dropped 50199 overruns 0  carrier 0  collisions 0

Everything is on the LAN interface:


OpenVPN server config:

verb 3
user nobody
group nogroup
dev tun0
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 120
persist-tun
persist-key
push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DOMAIN local"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
-----BEGIN DH PARAMETERS-----
.....

I do all the tests via a mobile hotspot or on my Android phone, neither of which is connected to my LAN, so this shouldn't be an issue?

Thanks for taking the time to help me get to the bottom of this.

On the VM:

ip route
1 Like
: ip route
0.0.0.0/1 via 10.42.10.5 dev tun0
default via 192.168.123.254 dev enp0s3 proto dhcp src 192.168.123.150 metric 100
10.42.10.1 via 10.42.10.5 dev tun0
10.42.10.5 dev tun0 proto kernel scope link src 10.42.10.6
86.105.25.74 via 192.168.123.254 dev enp0s3
128.0.0.0/1 via 10.42.10.5 dev tun0
192.168.123.0/24 dev enp0s3 proto kernel scope link src 192.168.123.150
192.168.123.254 dev enp0s3 proto dhcp scope link src 192.168.123.150 metric 100

If there's anything else that would help, please let me know.

I just tried something and it's helped point me in a direction on where to look. Each VM connects to an externally hosted VPN provider for WAN traffic. When I turn off the external VPN I can connect to the services via my private VPN. As soon as I turn the external VPN on they stop working again... but having the external VPN on or off doesn't impact connecting to the services while locally on my LAN, and that's why I didn't think that could be the problem, as I thought using a VPN would enable me to access my local network remotely. So I need to poke around my OpenVPN server and client configs to see what the issue could be.

Client config:

client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt
disable-occ

remote-random
auth-nocache
mute-replay-warnings
auth-user-pass login
up up.sh
down down.sh
script-security 2
ping-restart 300
#keep-alive

#remote servers
....    

Anyone have any idea on what the problem with the OpenVPN configs could be?

You need to draw a diagram explaining where the 5 VPNs are.... the description is confusing.

I think I know what's going on but.... you have to be clear....

We know there are VMs that have a VPN connection to outside.

Other than that, you're not clear on where you're testing from.... and the segments + devices that are involved here....

You talk of server configuration.... but do you mean your LAN edge ROUTER runs an OPENVPN server and while testing from a REMOTE client ..... etc. etc.....

Either way..... you sit down on the end devices and view the routes.... if they are present you check the routes in the chain......

2 Likes

Agreed, it gets confusing real fast... Hope this is OK, it's my first :slight_smile: I've left out unrelated devices and the second VM as it has the same config and issue.

  • Everything works great when on LAN from every device and in its current state. I can connect to the troublesome VM without issue.
  • When I try to connect to LAN via the WRT1900 OpenVPN server from a remote android phone I am unable to connect to the VM. I am able to connect to the VM host and other machines.
  • If I disable the PIA VPN connection on the VM I am able to connect to the VM from the remote android phone connected via the WRT1900 OpenVPN server.

WRT1900 OpenVPN server config:

verb 3
user nobody
group nogroup
dev tun0
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 120
persist-tun
persist-key
push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DOMAIN local"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
-----BEGIN DH PARAMETERS-----
.....

PIA OpenVPN client config:

client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt
disable-occ

remote-random
auth-nocache
mute-replay-warnings
auth-user-pass login
up up.sh
down down.sh
script-security 2
ping-restart 300
#keep-alive

#remote servers
....    

ip route from VM with PIA OpenVPN connected:

: ip route
0.0.0.0/1 via 10.42.10.5 dev tun0
default via 192.168.123.254 dev enp0s3 proto dhcp src 192.168.123.150 metric 100
10.42.10.1 via 10.42.10.5 dev tun0
10.42.10.5 dev tun0 proto kernel scope link src 10.42.10.6
86.105.25.74 via 192.168.123.254 dev enp0s3
128.0.0.0/1 via 10.42.10.5 dev tun0
192.168.123.0/24 dev enp0s3 proto kernel scope link src 192.168.123.150
192.168.123.254 dev enp0s3 proto dhcp scope link src 192.168.123.150 metric 100

Wrt1900 192.168.123.254
VM host 192.168.123.30
VM 192.168.123.150

1 Like

That is MUCH BETTER! Thankyou.....

VM needs route to 192.168.8.0 /24 via its LANIF-enp0s3(or via 192.168.123.254) you could upscale that route to 192.168.0.0/16 later on....

When its VPN (vm-pia) is not connected it gets to 192.168.8.0 via its default route. When its VPN is connected it tries to send 192.168.8.x via VMs-tun0 ( pia ).

( most peeps would have the PIA connect out from the edge ... in this situation the VM-default route makes it universally 192.168.8.x aware )

These two routes (on-pia-connected-vm) override a default because they are more specific;

0.0.0.0/1 via 10.42.10.5 dev tun0
OVERRIDDEN default via 192.168.123.254 OVERRIDDEN
128.0.0.0/1 via 10.42.10.5 dev tun0

One way to define your setup is to say "i have a road warrior subnet handled by the edge/LAN-gateway router 192.168.8.0" and call the pia-vm-vpn-connection just that..... "remote" gets ambiguous.....

Try statically-from-vm-to-.8 first.....if it works you can put 1) an ip route add / remove in its up down scripts..... 2) via a route statement in its pia-client.conf or 3) you could also try sending the 192.168.8.0 route from the LAN dhcp server ( not all clients will honor this );

uci add_list dhcp.lan.dhcp_option="121,192.168.8.0/24,192.168.123.254"
uci commit dhcp
service dnsmasq restart
2 Likes
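To make the "more specific wins" point above concrete, here is an added example (not from the thread or from OpenWrt/OpenVPN) that replays the kernel's longest-prefix-match lookup over the VM's posted route table, before and after adding the 192.168.8.0/24 route; the road-warrior address 192.168.8.6 is an assumed client in the server's pool.

```python
import ipaddress
# `ip route` on the VM with the PIA tunnel up (copied from the thread).
VM_ROUTES_PIA_UP = """\
0.0.0.0/1 via 10.42.10.5 dev tun0
default via 192.168.123.254 dev enp0s3 proto dhcp src 192.168.123.150 metric 100
10.42.10.1 via 10.42.10.5 dev tun0
10.42.10.5 dev tun0 proto kernel scope link src 10.42.10.6
86.105.25.74 via 192.168.123.254 dev enp0s3
128.0.0.0/1 via 10.42.10.5 dev tun0
192.168.123.0/24 dev enp0s3 proto kernel scope link src 192.168.123.150
192.168.123.254 dev enp0s3 proto dhcp scope link src 192.168.123.150 metric 100
"""
# The route the thread ends up adding on the VM from up.sh/down.sh.
FIX_ROUTE = "192.168.8.0/24 via 192.168.123.254 dev enp0s3\n"
# Assumed address of a road-warrior client in the 192.168.8.0/24 pool.
ROAD_WARRIOR = "192.168.8.6"

def parse_routes(text):
    """Turn `ip route` lines into (network, via, dev, metric) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        dst = "0.0.0.0/0" if f[0] == "default" else f[0]
        net = ipaddress.ip_network(dst, strict=False)  # bare host -> /32
        via = f[f.index("via") + 1] if "via" in f else None  # None = on-link
        metric = int(f[f.index("metric") + 1]) if "metric" in f else 0
        routes.append((net, via, f[f.index("dev") + 1], metric))
    return routes

def lookup(routes, dst):
    """Kernel-style choice: longest prefix wins, lowest metric breaks ties.
    Returns (gateway or None, outgoing interface)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, via, dev, metric in routes:
        if addr in net and (best is None or (net.prefixlen, -metric) > best[0]):
            best = ((net.prefixlen, -metric), via, dev)
    return None if best is None else (best[1], best[2])

def next_hop_before_fix():
    # 192.168.8.6 has a leading 1 bit, so 128.0.0.0/1 beats the /0 default:
    # replies to the road warrior leave through the PIA tunnel, not the LAN.
    return lookup(parse_routes(VM_ROUTES_PIA_UP), ROAD_WARRIOR)

def next_hop_after_fix():
    # A /24 is more specific than either /1, so the LAN gateway wins again.
    return lookup(parse_routes(VM_ROUTES_PIA_UP + FIX_ROUTE), ROAD_WARRIOR)
```

The same lookup shows why LAN hosts in 192.168.123.0/24 were never affected: that on-link /24 already outranks both /1 routes.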

Thanks for the reply, we're getting somewhere :slight_smile:
So to try "statically-from-vm-to-.8" I would run the following command on the VM?

ip route add 192.168.123.150 via 192.168.8.0/24 dev eth0
ip route add 192.168.8.0/24 via 192.168.123.254
1 Like

BINGO!
That has done the trick. Those commands enable me to connect and I've added them to the up.sh + down.sh scripts and it works a treat.

Thanks so much for your patience and help! :slight_smile:
