VPN client with customer Access

Hi Guys , I have a custom home setup that I would like to work to be able to access my computer/server VMs thru openvpn . The not helping part is that my carrier uses CGnat so that is why I actually decided to do this in the first place.the openvpn client on the LEDE is causing me some issues that i think is related to routing , but before that I would like you to take a look and advise if you think what am trying to acheive is doable. I am using an EC2 AWS machine as the openvpn server.

https://openwrt.org/docs/guide-user/services/vpn/openvpn/extras#site-to-site
It's almost the same, just use routed mode.
Push OpenWrt client-LAN route with increased metric for all VPN-clients.

This is very possible, but consider if using wireguard is possible, it's substantially easier and faster

2 Likes

thanks @vgaetera . I will review this config and advise. Currently with my config , i have the tunnel up but i cannot ping the server(gateway) , while from another vpn client i can pnig the gateway fine. I think i have to focus again on using the details iroute/route/push route. I will check and post any problem later this evening. Thanks

Reading good stuff about wireguard. Any docos for server config ubuntu linux , client on led

Did you open the firewall?

https://www.wireguard.com/quickstart/

Just follow the same manual for both.

opkg update
opkg install kmod-udptunnel4 kmod-udptunnel6 kmod-wireguard wireguard-tools wireguard luci-proto-wireguard luci-app-wireguard

Thanks I will try it out . But since I started with openvpn . I thought id see where it goes. I can ping client to client , but i cannot ping subnets behind the openvpn client "192.168.2.200" ,, below is my config:
thats under server ```
root@ip-172-31-31-96:/etc/openvpn/ccd# cat openwrt

iroute 192.168.2.0 255.255.255.0

ifconfig-push 10.8.0.9 10.8.0.10


relevant part from the server.conf is :slight_smile:
client-config-dir ccd
route 192.168.2.0 255.255.255.0 10.8.0.9
client-config-dir ccd
route 10.8.0.8 255.255.255.252 

am confused as i cannot see a route for 192.168.2.0/24 on the linux machine , havent added that . is that the problem

default via 172.31.16.1 dev eth0 proto dhcp src 172.31.31.96 metric 100 
10.8.0.0/24 via 10.8.0.2 dev tun0 
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1 
10.8.0.8/30 via 10.8.0.2 dev tun0 
172.31.16.0/20 dev eth0 proto kernel scope link src 172.31.31.96 
172.31.16.1 dev eth0 proto dhcp scope link src 172.31.31.96 metric 100

Use network mask instead of peer address.

Utilize topology subnet on VPN-server.

Remove duplicates.
Specify full path to CCD-directory.

Make sure your client certificate CN is openwrt.

its confusing. I can ping from 192.168.2.200 ( machine after openwrt client) to 10.8.0.8 ( another opevpn client)
but i cannot ping from the 10.8.0.8 to 192.168.2.200

server.conf :slight_smile:

client-config-dir /etc/openvpn/ccd
route 10.8.0.8 255.255.255.252
route 192.168.2.0 255.255.255.0 10.8.0.9
topology subnet 

for LEDE:

root@LEDE:/etc/openvpn# ls -l
-rw-------    1 root     root          5023 Mar  6 12:01 openwrt.conf
root@LEDE:/etc/openvpn# 


for ccd directory:

ubuntu@ip-172-31-31-96:/etc/openvpn/ccd$ cat openwrt 
ifconfig-push 10.8.0.9 255.255.255.0
iroute 192.168.2.0 255.255.255.0        

ubuntu@ip-172-31-31-96:/etc/openvpn/ccd$ 

i added the last route to the linux machine but no luck too :

ubuntu@ip-172-31-31-96:/etc/openvpn/ccd$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.31.16.1     0.0.0.0         UG    100    0        0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
10.8.0.8        10.8.0.2        255.255.255.252 UG    0      0        0 tun0
172.31.16.0     0.0.0.0         255.255.240.0   U     0      0        0 eth0
172.31.16.1     0.0.0.0         255.255.255.255 UH    100    0        0 eth0
192.168.2.0     10.8.0.9        255.255.255.0   UG    0      0        0 tun0

Looks like a firewall issue. Can you verify that flows are open for the return traffic and that no NAT is applied?

1 Like

Also make sure you have done this:

so I should create another ccd file for the other client ? can you please give an example ?
shouldnt "

route 192.168.2.0 255.255.255.0 10.8.0.9

in the server.conf do the needful ?

cat << EOF >> /etc/openvpn/vpnserver.conf
push "route 192.168.2.0 255.255.255.0 10.8.0.9 2048"
EOF

Or ensure that other VPN-clients use redirect-gateway def1.

the route 192.168.2.0 255.255.255.0 10.8.0.9 is already in the server.conf

If VPN-clients don't use redirect-gateway def1, they don't know about that route.

Can I push it with ccd file , because i dont want all the traffic goes thru the tunnel. But its confusing, if the client doesnt know the route , then I wouldnt be able to ping from 192.168.2.200 to 10.8.0.8 ( the other openvpn client) , but i cannot do the opposite .

the sysmptom is firewall as you said, but the return traffic is opened and no NAT applied. I can ping from the lan behind the client to the other client. But i cannot ping from the client to the LAN behind the openwrt client.

You can also add the route to VPN-client profile.

Anyway, use traceroute/tracepath and tcpdump for troubleshooting.

You can post here the firewall configurations for both openwrt and ubuntu to check if you have missed something.

I am not sure why it was not pushed by the server to the other host . looks like i need ccd for the other client too. I edited the ovpn file and added " route 192.168.2.0 255.255.255.0 10.8.0.9" and the route solved the issue.

Thanks alot for all the support.