
I've got a running OpenVPN server with the following configuration:

  • VPN network is 10.7.0.0/16
  • LAN network is 192.168.100.0/24

The client is able to connect, but I cannot reach the LAN hosts located behind the VPN connection (192.168.100.*).

traceroute: no answer

The push "route 192.168.100.0 255.255.255.0" configuration line should solve this, but it does not. Where is my error?

Analysis

After connecting, here is my netstat -rn result:

default            10.7.0.5           UGScIg      utun10
10.7/16            10.7.0.5           UGSc        utun10
10.7.0.5           10.7.0.6           UHr         utun10
10.7.0.5/32        link#23            UCS         utun10
192.168.100        10.7.0.5           UGSc        utun10

I would have expected the 10.7.0.1 gateway on the last line, no?

Maybe a clue: my ifconfig output on the client (screenshot: ifconfig on client).

I expected something like inet 10.7.0.2 --> 10.7.0.1, as it works on another VPN I have in a different context.

↳ Answered with @lacek's answer.

Packet Capture

A tcpdump on the VPN server, during client pings, gives me:

  • Only a one-way ping (request sent, no reply) when pinging a LAN host.
    (screenshot: lan ping)
  • Ping and reply when pinging a VPN host.
    (screenshot: vpn ping)

If I capture any ICMP traffic on the target, there is no trace of the ping request. (I've tried from another LAN host: it works. From the VPN host directly, it also works.)

The point is that the OpenVPN service does not forward my packets to the LAN network.

Config

server.conf

proto udp
ifconfig-pool-persist ipp.txt
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn.log
verb 3
mute 10
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
port 1194
dev tun
server 10.7.0.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "route 192.168.100.0 255.255.255.0 "
client-to-client

On the server side, I'm running OpenVPN 2.4.0 on Debian.

Damien C
  • I've tried to change the push route to `push "route 192.168.100.0 255.255.255.0"` → not working either. It puts a route on my client with the LAN gateway (not the `utun10` one) – Damien C May 28 '21 at 07:15
  • I've added the tcpdump output to my question + put @lacek's answer – Damien C May 28 '21 at 12:43

2 Answers

Everything looks good at first glance, so my guess would be that either a firewall is blocking the packets from the VPN to the LAN, or the computers on the LAN don't have proper routing set up, so packets cannot get back from the LAN to the VPN.

Regarding the ifconfig output: when using the net30 topology (the default), OpenVPN sets up a point-to-point connection where a /30 network is allocated for every client. One IP from that network belongs to the client, and the other is for the server. So the output you got is correct.

Lacek
  • I've tried switching to topology `subnet`. It's a first step: my routing table is now right: `192.168.100 10.7.0.1 UGSc utun10`. `ifconfig` looks better too: `utun10: flags=8051 mtu 1500 inet 10.7.0.4 --> 10.7.0.4 netmask 0xffff0000`. I'm still unable to ping 192.168.100.x hosts – Damien C May 28 '21 at 12:14
  • About the first point: my VPN server can ping any host on the 192.168.100.0 network, and I have no firewall between my VPN server and the targeted ping host. Anyway, I've tried to capture any ICMP packet on the global LAN firewall: nothing to declare => this indicates that no packet goes through from my VPN server – Damien C May 28 '21 at 12:14
  • The firewall I suspect is between the VPN client and the LAN host. If nothing else, this could be the VPN server itself. I suspect there is some kind of firewall set up there, since it is accessible from the internet (I presume). Is forwarding between the two subnets set up properly on the VPN server? – Lacek May 28 '21 at 13:32

Thanks to @Lacek, I found the solution.

On the OpenVPN wiki, I found an article about my particular case, where the OpenVPN server is not the LAN gateway.

So:

  • My push "route 10.7.0.0 255.255.0.0" was good for the OpenVPN server
  • But I needed to configure a route on my LAN firewall by adding this route:
    10.7.0.0/24 via gateway 192.168.100.88
    where .88 is the static IP of my OpenVPN server
  • And to configure IP forwarding on the OpenVPN server by typing the following command (from this wiki article):
    echo 1 > /proc/sys/net/ipv4/ip_forward

Everything works fine now.

Damien C
  • IP forwarding was what I was missing. Since OpenVPN reorganizes their site often enough that links tend to break quickly, I'll mention here that you can enable IP forwarding on macOS with a command like `sudo sysctl -w net.inet.ip.forwarding=1`. – fakedad Jun 25 '23 at 19:00
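As an added example, not part of the question or either answer: a small Python checker that parses a server.conf shaped like the one above, reports when the server's ip_forward knob is off, flags the stray space inside the pushed route quotes, and derives the return route the LAN gateway needs. The sample config, the server LAN address 192.168.100.88 and the ip_forward value mirror the thread; the checker itself and its function names are my own assumption, not an OpenVPN tool.

```python
import ipaddress
import shlex

# Constructed sample config in the shape of the question's server.conf,
# including the pushed route with a stray space inside the quotes.
SAMPLE_CONF = """\
port 1194
dev tun
server 10.7.0.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
push "route 192.168.100.0 255.255.255.0 "
client-to-client
"""

def parse_server_conf(text):
    """Return (VPN subnet, [(pushed route, has_stray_whitespace), ...])."""
    vpn_net, routes = None, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        words = shlex.split(line)             # keeps the quoted push argument intact
        if words[0] == 'server' and len(words) == 3:
            vpn_net = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False)
        elif words[0] == 'push' and len(words) == 2:
            fields = words[1].split()
            if len(fields) >= 3 and fields[0] == 'route':
                net = ipaddress.ip_network(f"{fields[1]}/{fields[2]}", strict=False)
                routes.append((net, words[1] != words[1].strip()))
    return vpn_net, routes

def lan_return_route(vpn_net, server_lan_ip):
    """Static route the LAN gateway needs so replies can get back to VPN clients."""
    return f"{vpn_net} via {server_lan_ip}"

def forwarding_enabled(proc_value):
    """Interpret the contents of /proc/sys/net/ipv4/ip_forward."""
    return proc_value.strip() == '1'

def check(conf_text, server_lan_ip, ip_forward_value):
    """List what is missing for VPN clients to reach the LAN behind the server."""
    vpn_net, routes = parse_server_conf(conf_text)
    findings = []
    if not forwarding_enabled(ip_forward_value):
        findings.append("ip_forward is 0: the server will not forward client packets to the LAN")
    for net, stray in routes:
        if stray:
            findings.append(f"pushed route {net} has whitespace inside the quotes; worth tidying")
    findings.append("LAN gateway needs: " + lan_return_route(vpn_net, server_lan_ip))
    return findings
```

On the server, feed `check()` the real file contents and the output of `cat /proc/sys/net/ipv4/ip_forward`; the last finding is the route to add on the LAN firewall.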