1 (edited by Protestallianz 2017-03-17 11:55:24)

Topic: OpenVPN access Clients LAN from Server

Hi,
I setup a tun based OpenVPN Server/Client connection between two Routers (running openwrt/lede). Server side LAN is on subnet 192.168.1.1/24 and Client side LAN is on subnet 192.168.3.1/24. I am able to ping the servers lan (all devices) from the client network but not vice versa. I already made a ccd file to tell the OpenVPN-Server that 192.168.3.1/24 subnet is on "Client3" (currently no client1 or client2 in use).
This made me able to ping the client router (192.168.3.1) but trying to ping other lan members 192.168.3.1/24 gets me stuck in the tunnel.

I am using mwan3 to forward all traffic from the server with dest 192.168.3.1/24 to use tun0.
On the client I have a mwan3 rule ass well making destinations to 192.168.1.1/24 use tun0 as well.
I feel like I am missing the last piece.

Two Tracroutes from a lan pc on the server subnet to theVPN-Client subnet indicate the problem:

traceroute 192.168.3.1
traceroute to 192.168.3.1 (192.168.3.1), 64 hops max, 52 byte packets
 1  lede (192.168.1.1)  7.034 ms  0.759 ms  0.712 ms
 2  192.168.3.1 (192.168.3.1)  2.653 ms  2.235 ms  3.562 ms
traceroute 192.168.3.110
traceroute to 192.168.3.110 (192.168.3.110), 64 hops max, 52 byte packets
 1  lede (192.168.1.1)  5.638 ms  0.829 ms  0.774 ms
 2  10.8.0.6 (10.8.0.6)  14.173 ms  2.029 ms  1.840 ms
 3  10.8.0.6 (10.8.0.6)  3149.064 ms !H  3071.258 ms !H  3071.644 ms !H

Server:
cat /etc/config/openvpn

config openvpn 'vpnTUN'
    option enabled '1'
    option verb '3'
    option port '1194'
    option proto 'udp'
    option dev 'tun'
    option server '10.8.0.0 255.255.255.0'
    option keepalive '10 120'
    option ca '/etc/openvpn/ca.crt'
    option cert '/etc/openvpn/my-server.crt'
    option key '/etc/openvpn/my-server.key'
    option dh '/etc/openvpn/dh2048.pem'
    option client_to_client '1'
    option log 'openvpn.log'
    list 'route' '192.168.3.0 255.255.255.0'
    list 'push' 'route 192.168.1.0 255.255.255.0'
    list 'push' 'route 192.168.3.0 255.255.255.0'
    option client_config_dir '/etc/openvpn/ccd'

cat /etc/openvpn/ccd/client3

iroute 192.168.3.0 255.255.255.0

cat /etc/config/network

...
config interface 'lan'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option _orig_ifname 'eth1 wlan0 wlan1 wlan1-1'
    option _orig_bridge 'true'
    option ifname 'eth1'

config interface 'vpn0'
    option proto 'none'
    option ifname 'tun0'
...

cat /etc/config/firewall

...
config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'

config rule 'Allow_OpenVPN_Inbound'
    option target 'ACCEPT'
    option src '*'
    option proto 'udp'
    option dest_port '1194'

config zone 'vpn'
    option name 'vpn'
    option network 'vpn0'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option masq '1'

config forwarding 'vpn_forwarding_lan_in'
    option src 'vpn'
    option dest 'lan'

config forwarding 'vpn_forwarding_lan_out'
    option src 'lan'
    option dest 'vpn'

cat /etc/config/mwan3

config rule 'wg_route'
    option proto 'all'
    option sticky '0'
    option use_policy 'tap0_only'
    option dest_ip '192.168.3.0/24'

config rule 'default_rule'
    option dest_ip '0.0.0.0/0'
    option proto 'all'
    option sticky '0'
    option use_policy 'wan_only'

config policy 'wan_only'
    list use_member 'wan1'


config member 'wan1'
    option interface 'wan'

config interface 'wan'
    option enabled '1'

config interface 'vpn0'
    option enabled '1'

config member 'tap01'  #thats just the old name where I used tap
    option interface 'vpn0'

config policy 'tap0_only' #thats just the old name where I used tap
    list use_member 'tap01'
    option last_resort 'unreachable'

Client

cat /etc/config/openvpn

config openvpn 'vpnTUN'
    option enabled '1'
    option dev 'tun'
    option proto 'udp'
    option ca '/etc/openvpn/ca.crt'
    option cert '/etc/openvpn/my-client-3.crt' # has common name client3
    option key '/etc/openvpn/my-client-3.key'
    option client '1'
    option remote_cert_tls 'server'
    option remote '130.xx.x.x' #Servers public ip
    option port '1194'
    option log 'openvpn.log'
    option verb '3'
    option pull '1'

cat /etc/config/network

...
config interface 'lan'
    option type 'bridge'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option _orig_ifname 'eth1 wlan0 wlan1 wlan1-1'
    option _orig_bridge 'true'
    option ipaddr '192.168.3.1'
    option ifname 'eth1'

config interface 'vpn0'
    option proto 'none'
    option ifname 'tun0'

cat /etc/config/firewall

...
config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'

config zone 'vpn'
    option name 'vpn'
    option network 'vpn0'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option masq '1'

config forwarding 'vpn_forwarding_lan_in'
    option src 'vpn'
    option dest 'lan'

config forwarding 'vpn_forwarding_lan_out'
    option src 'lan'
    option dest 'vpn'

config rule 'Allow_OpenVPN_Inbound'
    option target 'ACCEPT'
    option src '*'
    option proto 'udp'
    option dest_port '1194'

Based on: community.openvpn.net/openvpn/wiki/RoutedLans

Re: OpenVPN access Clients LAN from Server

No idea if it works but try this:
The Server should be the IP: 10.8.0.1
The Client3 should be the IP: 10.8.0.3
/etc/config/openvpn

config openvpn 'vpnTUN'
    option enabled '1'
    option verb '3'
    option port '1194'
    option proto 'udp'
    option dev 'tun'
    option server '10.8.0.0 255.255.255.0'
    option keepalive '10 120'
    option ca '/etc/openvpn/ca.crt'
    option cert '/etc/openvpn/my-server.crt'
    option key '/etc/openvpn/my-server.key'
    option dh '/etc/openvpn/dh2048.pem'
    option client_to_client '1'
    option log 'openvpn.log'
    option client_config_dir '/etc/openvpn/ccd'
    list 'push' 'route 192.168.1.0 255.255.255.0'
    list 'route' '192.168.3.0 255.255.255.0 10.8.0.3'
    list 'push' 'route 192.168.3.0 255.255.255.0 10.8.0.3'  

etc/openvpn/ccd/client3

ifconfig-push 10.8.0.3 255.255.255.0
iroute 192.168.3.0 255.255.255.0

And of course
the devices inside the 192.168.3.0/24 need to know the route to 10.8.0.0/24 and 192.168.1.0/24.
the devices inside the 192.168.1.0/24 need to know the route to 10.8.0.0/24 and 192.168.3.0/24.

What are not working inside this configuration is to automatic connect the client3-network-devices from a other openvpn-client.
(The Server network should work)
You have to add the route manuelly to the openvpn-client.
(it should work automatic but i have no idea how)

3 (edited by Protestallianz 2017-03-20 16:04:31)

Re: OpenVPN access Clients LAN from Server

I tried every possible configuration, the following worked:

config openvpn 'WGvpnTUN'
    option enabled '1'
    option verb '3'
    option port '1194'
    option proto 'udp'
    option dev 'tun'
    option server '10.8.0.0 255.255.255.0'
    option keepalive '10 120'
    option ca '/etc/openvpn/ca.crt'
    option cert '/etc/openvpn/my-server.crt'
    option key '/etc/openvpn/my-server.key'
    option dh '/etc/openvpn/dh2048.pem'
    option client_to_client '1'
    option log 'openvpn.log'
    option route '192.168.3.0 255.255.255.0'
    option ccd_exclusive '1'
    option client_config_dir '/etc/openvpn/ccd'
    list 'route' '192.168.3.0 255.255.255.0'
    option route '192.168.3.1 255.255.255.0'
    list push "route 192.168.1.0 255.255.255.0"

And left the ccd/client3 as it was:

iroute 192.168.3.0 255.255.255.0

Now my server and his local clients in the 192.168.1.0/24 range have full access to vpn client and his local clients in the range 192.168.3.0/24.

As I am forced to switch back to tap (damn mDNS) I did not investigate which "route, list, push" command did the magic but maybe it was just "option ccd_exclusive '1'". I hope this will help somebody else.