In the diagram below I am trying to access server 4 on 192.168.10.2 over an OpenVPN connection. The BT router forwards the VPN UDP packets to the WAN side of the OpenWRT router at 192.168.2.102. The LAN side of the router is set with a static address of 192.168.100.30 which is the same subnet on the connected port on the Cisco switch.
I can access any of the devices in the 192.168.2.0 network. I can ping the LAN side of the router at 192.168.100.30 from the VPN. I cannot ping the 192.168.100.1 gateway from the VPN, however I can ping it from the router. I couldn't ping Server 4 from the router until I added a static route via the 192.168.100.1 gateway. The VPN interface does not exist when viewed through LuCI and is only referenced in the firewall configuration under the zone 'lan' as list device 'tun+'. I have run tcpdump on both the tun0 interface and br-lan; they show a ping request when I send this across the VPN from a connected laptop.
From the laptop A connection I can run a bespoke application and access the resources on Server 4. This is what I am trying to achieve across the VPN connection.
Firewall configuration
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun+'

config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'
Tcpdump running on br-lan
root@TPLinkV1:~# tcpdump -i br-lan -evn host 192.168.100.1
tcpdump: listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
15:47:04.291677 f8:d1:11:44:10:28 > 00:00:0c:9f:f0:14, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 36318, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.8.2 > 192.168.100.1: ICMP echo request, id 1, seq 1211, length 40
15:47:09.243002 f8:d1:11:44:10:28 > 00:00:0c:9f:f0:14, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 36319, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.8.2 > 192.168.100.1: ICMP echo request, id 1, seq 1212, length 40
15:47:09.291915 f8:d1:11:44:10:28 > 00:00:0c:9f:f0:14, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.100.1 tell 192.168.100.30, length 28
15:47:09.294071 00:00:0c:9f:f0:14 > f8:d1:11:44:10:28, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Reply 192.168.100.1 is-at 00:00:0c:9f:f0:14, length 46
15:47:14.245334 f8:d1:11:44:10:28 > 00:00:0c:9f:f0:14, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 36320, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.8.2 > 192.168.100.1: ICMP echo request, id 1, seq 1213, length 40
15:47:19.247958 f8:d1:11:44:10:28 > 00:00:0c:9f:f0:14, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 36321, offset 0, flags [none], proto ICMP (1), length 60)
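The br-lan capture above shows echo requests from 192.168.8.2 leaving the router toward 192.168.100.1, and the gateway answering ARP, but no echo replies in the pasted lines. Pairing requests with replies systematically makes that pattern explicit and separates "frames never reach the host" from "the host receives them but has no route back to the source network". The parser below is an added example, not code from the post or from OpenWrt: it reads the `tcpdump -evn` text format, uses the poster's own capture as one input, and a second, constructed capture of a healthy exchange so the pairing path is exercised. The diagnosis it prints (a host that answers ARP but never answers ICMP is a return-route suspect) is an interpretation of the capture, not something the post states.

```python
"""Pair ICMP echo requests with replies in `tcpdump -evn` output.

Reports requests that crossed the interface without a matching reply, which
destinations resolved via ARP, and therefore which destinations are reachable
at L2 yet never answer (a missing route back to the source is the usual cause).
"""
import re

# `-e` prints the Ethernet header on one line and the IP layer on the next.
ICMP_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)
ARP_REPLY_RE = re.compile(r"Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-f:]{17})")

# The capture pasted in the post (br-lan, filter `host 192.168.100.1`). The
# final header line of the paste was truncated before its IP line, so it is left out.
POSTER_CAPTURE = """\
15:47:04.291677 f8:d1:11:44:10:28 > 00:00:0c:9f:f0:14, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 36318, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.8.2 > 192.168.100.1: ICMP echo request, id 1, seq 1211, length 40
15:47:09.243002 f8:d1:11:44:10:28 > 00:00:0c:9f:f0:14, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 36319, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.8.2 > 192.168.100.1: ICMP echo request, id 1, seq 1212, length 40
15:47:09.291915 f8:d1:11:44:10:28 > 00:00:0c:9f:f0:14, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.100.1 tell 192.168.100.30, length 28
15:47:09.294071 00:00:0c:9f:f0:14 > f8:d1:11:44:10:28, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Reply 192.168.100.1 is-at 00:00:0c:9f:f0:14, length 46
15:47:14.245334 f8:d1:11:44:10:28 > 00:00:0c:9f:f0:14, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 36320, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.8.2 > 192.168.100.1: ICMP echo request, id 1, seq 1213, length 40
"""

# Constructed sample (MACs and ids invented): a ping from the router's own LAN
# address, which the post says does get answered, so every request is paired.
HEALTHY_CAPTURE = """\
15:50:00.000001 aa:aa:aa:aa:aa:aa > bb:bb:bb:bb:bb:bb, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.100.30 > 192.168.100.1: ICMP echo request, id 7, seq 1, length 40
15:50:00.000900 bb:bb:bb:bb:bb:bb > aa:aa:aa:aa:aa:aa, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 255, id 2, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.100.1 > 192.168.100.30: ICMP echo reply, id 7, seq 1, length 40
15:50:01.000001 aa:aa:aa:aa:aa:aa > bb:bb:bb:bb:bb:bb, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 3, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.100.30 > 192.168.100.1: ICMP echo request, id 7, seq 2, length 40
15:50:01.000900 bb:bb:bb:bb:bb:bb > aa:aa:aa:aa:aa:aa, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 255, id 4, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.100.1 > 192.168.100.30: ICMP echo reply, id 7, seq 2, length 40
"""


def diagnose(capture: str) -> dict:
    """Pair echo requests with replies and flag L2-reachable hosts that never answer."""
    pending = {}        # (src, dst, id, seq) of requests not yet answered, in arrival order
    answered = 0
    arp_resolved = {}   # ip -> mac, from ARP replies seen on the interface
    for line in capture.splitlines():
        m = ICMP_RE.search(line)
        if m:
            key = (m["src"], m["dst"], int(m["id"]), int(m["seq"]))
            if m["kind"] == "request":
                pending[key] = True
            else:
                # A reply swaps src/dst and echoes the request's id and seq.
                request_key = (m["dst"], m["src"], int(m["id"]), int(m["seq"]))
                if pending.pop(request_key, None):
                    answered += 1
            continue
        a = ARP_REPLY_RE.search(line)
        if a:
            arp_resolved[a["ip"]] = a["mac"]
    unanswered = list(pending)
    # The host answered ARP, so frames reach it; if it still never replies to ICMP,
    # check its route back to the requesting network before blaming the firewall.
    suspects = sorted({dst for (_, dst, _, _) in unanswered if dst in arp_resolved})
    return {
        "answered": answered,
        "unanswered": unanswered,
        "arp_resolved": arp_resolved,
        "return_path_suspects": suspects,
    }


if __name__ == "__main__":
    for name, capture in (("poster", POSTER_CAPTURE), ("healthy", HEALTHY_CAPTURE)):
        result = diagnose(capture)
        print(f"{name}: {result['answered']} answered, "
              f"{len(result['unanswered'])} unanswered, "
              f"return-path suspects: {result['return_path_suspects']}")
```

Run it against a saved capture with `diagnose(open("capture.txt").read())`. For the pasted capture it reports three unanswered requests and lists 192.168.100.1 as a return-path suspect, because the gateway resolved via ARP but never replied; for the constructed healthy capture it reports two answered requests and no suspects. When the same request also appears on tun0 but only br-lan shows ARP traffic, the two captures together show how far the packet got before the reply path failed.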