
We are using OpenVPN to allow employees to connect to the office network. The office uses 172.20.1.0/24, the VPN clients use 10.8.0.0/24. Our VPN server is a QNAP NAS. When connected, clients can access every IP in the office network. However, I want to achieve the opposite: ping a remote client from the office.

I tried adding a route on an office PC to route all traffic destined for 10.8.0.0/24 to the QNAP's IP, however this did not have any effect on its own. It was necessary to add another route on the remote PC, and modify its firewall, as described in this answer.

I find this very confusing, as I already can ping the office from the remote client, so there is already a route to the office (marked with an arrow below), and reply packets come back (even without any explicit route). Here is the routing table of a remote client:

IPv4 Route Table
===========================================================================
Active Routes:
  Network Destination        Netmask          Gateway       Interface  Metric
            0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.155     25
          10.8.0.20  255.255.255.252          On-link         10.8.0.22    262
          10.8.0.22  255.255.255.255          On-link         10.8.0.22    262
          10.8.0.23  255.255.255.255          On-link         10.8.0.22    262
          127.0.0.0        255.0.0.0          On-link         127.0.0.1    331
          127.0.0.1  255.255.255.255          On-link         127.0.0.1    331
                                      ...
         172.20.1.0    255.255.255.0        10.8.0.21         10.8.0.22    262  <-----
        192.168.1.0    255.255.255.0          On-link     192.168.1.155    281
                                      ...

And here is the route I had to add on the client to make it pingable from the office:

route add 0.0.0.0 mask 0.0.0.0 10.8.0.21 metric 500 if 11

It seems like it does nothing due to its high metric. I guess it is just for Windows so you can set it as a trusted network. Can anyone explain how this works, and how I can automate this? (For example either by adding a push option to OpenVPN or a group policy to make this network trusted, ...)

jdm
    Why do office computers need to ping VPN connected computers? For what purpose? How is that useful in any way? – joeqwerty Mar 24 '20 at 12:41
  • Don't take it too literally - you're right that ping by itself is not very useful. What I want to do is to access the VPN connected computers from my (office network) computer, via PowerShell remoting, PsExec, WMI or other means to do admin tasks. For example, I want to see which user is logged in currently. The first thing I tried was to ping a computer I knew was connected, and *that* failed already. I'd like to remove this roadblock before I try more complex, useful tasks. Think of ping as an "MWE" example for my problem. – jdm Mar 24 '20 at 15:14
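The following PowerShell script is an added example, not code from the question or from OpenVPN or QNAP. It automates on the remote Windows client the two manual steps the question describes (the high-metric default route through the tunnel and the firewall change), on the assumption stated in the question that the route exists so Windows can classify the tunnel as a trusted network rather than to carry traffic. It assumes the tunnel peer address 10.8.0.21 and the office LAN 172.20.1.0/24 from the question; the interface index is discovered from whichever adapter holds a 10.8.0.x address instead of hard-coding `if 11`, since OpenVPN's interface index differs between machines. The rule names and the choice of WinRM (TCP 5985) as the admin service to admit are my own.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the original question): make a remote OpenVPN client
# reachable from the office LAN for ICMP echo and WinRM.
# Assumed values (from the question): tunnel peer 10.8.0.21, office LAN 172.20.1.0/24.

$VpnGateway = '10.8.0.21'      # OpenVPN peer address, the gateway in the question's route
$OfficeLan  = '172.20.1.0/24'  # only this network may reach the client through the tunnel
$Metric     = 500              # high metric: the LAN default route (metric 25) stays preferred

# Locate the tunnel adapter by its 10.8.0.0/24 address rather than by a fixed index.
$tunAddr = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -like '10.8.0.*' } |
    Select-Object -First 1
if (-not $tunAddr) { throw 'No OpenVPN tunnel address found; is the VPN up?' }
$ifIndex = $tunAddr.InterfaceIndex
$ifAlias = $tunAddr.InterfaceAlias

# 1. Default route via the tunnel with a deliberately high metric, stored in the
#    ActiveStore only, because the tunnel adapter's index is not stable across reboots.
$existing = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -InterfaceIndex $ifIndex -ErrorAction SilentlyContinue
if (-not $existing) {
    New-NetRoute -DestinationPrefix '0.0.0.0/0' -InterfaceIndex $ifIndex `
        -NextHop $VpnGateway -RouteMetric $Metric -PolicyStore ActiveStore | Out-Null
}

# 2. Check how Network Location Awareness now classifies the tunnel. A domain-joined
#    client should end up DomainAuthenticated once a domain controller is reachable
#    through the tunnel; a non-domain client is moved from Public to Private so the
#    less restrictive private-profile rules apply. DomainAuthenticated cannot be
#    changed by hand and is left alone.
$profile = Get-NetConnectionProfile -InterfaceIndex $ifIndex
if ($profile.NetworkCategory -eq 'Public') {
    Set-NetConnectionProfile -InterfaceIndex $ifIndex -NetworkCategory Private
}

# 3. Inbound rules scoped to the tunnel interface and the office LAN only, so the
#    client is not opened up on whatever network it is physically connected to.
$rules = @(
    @{ Name = 'OpenVPN office: ICMPv4 echo'; Protocol = 'ICMPv4'; IcmpType = '8'; Port = $null }
    @{ Name = 'OpenVPN office: WinRM';       Protocol = 'TCP';    IcmpType = $null; Port = '5985' }
)
foreach ($r in $rules) {
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }
    $params = @{
        DisplayName    = $r.Name
        Direction      = 'Inbound'
        Action         = 'Allow'
        Protocol       = $r.Protocol
        RemoteAddress  = $OfficeLan
        InterfaceAlias = $ifAlias
        Profile        = 'Any'
    }
    if ($r.IcmpType) { $params.IcmpType  = $r.IcmpType }
    if ($r.Port)     { $params.LocalPort = $r.Port }
    New-NetFirewallRule @params | Out-Null
}

# Show the result: the tunnel's profile and the two rules that now admit office traffic.
Get-NetConnectionProfile -InterfaceIndex $ifIndex | Select-Object InterfaceAlias, NetworkCategory
Get-NetFirewallRule -DisplayName 'OpenVPN office: *' | Select-Object DisplayName, Enabled, Profile
```

Run this on the remote client after the tunnel is up (for instance from an OpenVPN `--up` script or a scheduled task triggered by the adapter's connection event). If you would rather have the server push the route, OpenVPN's `route` directive accepts an optional metric and the `vpn_gateway` keyword, so `push "route 0.0.0.0 0.0.0.0 vpn_gateway 500"` in the server configuration corresponds to the manual `route add` in the question; the firewall rules still have to be applied on the client, either by a script like this or through Group Policy. On the office side, the static route for 10.8.0.0/24 towards the QNAP is better placed on the office router than on individual PCs, so that every office host, not just the one you edited, can reach the VPN clients.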

0 Answers