0

I have the following network topology. I'm physically located at VPN Client 1. First, I successfully establish VPN Tunnel 1 and VPN Client 1 connects to VPN Server 2 and is able to talk to VPN Client 2 which is connected to the same LAN as VPN Server 2.

However, when I try to establish VPN Tunnel 2 from VPN Client 2 to VPN Server 1 (having SSH'd through VPN Tunnel 1 into VPN Client 2), I lose connectivity to VPN Client 2 and I can't even ping it (VPN Tunnel 1 remains up). Any ideas what might be wrong here?

All VPN tunnels are implemented using OpenVPN servers/clients.

Thanks a lot!

Topology Diagram

Cur10usMind
  • 1
  • 2
  • your description is not clear, try to use "machine" for a machine and client and server for openvpn service, so everyone will understand which machine is connected to which using which method. it is important because openvpn server is also a router by itself that drive his client behavior. – dominix Jan 11 '22 at 01:03
  • @dominix I wanted to reduce the amount of words I used to a minimum. The question only makes sense if you also look at the attached diagram. – Cur10usMind Jan 11 '22 at 19:04

1 Answers1

0

Here is what we got (your image will be unavailable soon)

           v-------<<--VPN2---------------v
[CLI1]---[SRV1]---{Internet}---[SRV2]---[CLI2]
   ^------------VPN1->>-----------^

What you are doing when establishing the second VPN is setting a second route for the same link CLI1 to CLI2. So when CLI2 try to reach CLI1 using VPN2, CLI1 use VPN1 to reach back to CLI2. So I am quite sure you got some NAT or MASQUERADE on the way that do not allow TCP to establish.

once your first VPN is established you should use this one for a way back, so CLI2 will reach CLI1 using a route that CLI1 already knows and it will works. basically you may NOT establish VPN2, but give route back to your CLI1 at your openvpn at SVR2

Another (better,simpler) way to do the same will be to establish a VPN between SRV1 ans SRV2 and instruct both of the route of the other so the ensemble will be seen as a simple route between two LAN that every client in both side will use to connect to any other client on the other side of the VPN.

[CLI1]---[SRV1]---{Internet}---[SRV2]---[CLI2]
            ^-------VPN1->>-------^

Keep in mind that openVPN is two things, 1/ an interface manager with crypto between local and distant interfaces, 2/ a router inside a machine that usually act as a router. So you have to give route to your SRV1 and SRV2 and give route to your openVPN process => look at iroute and client-config-dir options in openVPN;

[CLI1]---[SRV1]---{Internet}---[SRV2]---[CLI2]
            ^                     ^
        RouteToLAN2        RouteBackToLAN1
            ^-------VPN1->>-------^
dominix
  • 446
  • 2
  • 4
  • 13
  • Thanks for getting the time to explain! Symmetrical VPN tunnels between the two routers would be the ideal scenario, however they don't support (Open)VPN clients. Therefore, I have to run these clients on a different device in the corresponding LANs. – Cur10usMind Jan 16 '22 at 00:29
  • I've also noticed that for some reason the OpenVPN interface tun0 on VPN Client 2 (when it connects to VPN Server 1) is causing its eth0 LAN interface to go down and, as a consequence, the initial connection between it and VPN Client 1 is dropped. I reinstalled OpenVPN on VPN client 2 and the problem was solved. I haven't gotten to the bottom of it yet. I'll give an update once I (hopefully) do! – Cur10usMind Jan 16 '22 at 00:29
  • I don't know why you said so, it is completely supported and natural to have both client and server on a same machine. Try to explain why you think you couldn't. However, on my proposal, you just need one server on SRV2 and one client on SRV1. – dominix Jan 16 '22 at 02:00
  • please show an example of your openvpn config client2 on your original post. I (or some others) can point out any misconfiguration. – dominix Jan 16 '22 at 02:04
  • The routers where OpenVPN server is running on, do not support VPN client. – Cur10usMind Jan 16 '22 at 11:01
  • it is the same binary that act as server or client, so the term "support" here is inappropriate. If it act as a openvpn-server it _support_ openvpn, so by config it should support openvpn client as well. Show the errors, or the config you use, and will see. – dominix Jan 17 '22 at 05:13
  • The home routers I'm using unfortunately don't support OpenVPN client through their config menu. – Cur10usMind Jan 18 '22 at 20:01
  • So t is no more an issue with route or openVPN but an issue with your home router misconception. You should accept my response or delete your question. – dominix Jan 20 '22 at 20:31
  • I think you got a misunderstanding. My question was about what could be wrong with the topology I presented i.e. VPN clients running on machines behind the routers. I also pointed out that reinstalling OpenVPN appeared to have resolved the issue. You mentioned the possibility of running the VPN clients on the routers and I replied that this is not possible due to the lack of such configurability on the routers. So I'm not sure at which point my question became a "home router misconception", since you were the one who brought it up in the first place anyways. – Cur10usMind Jan 22 '22 at 16:57
  • I am not going to delete my question since I believe other users might be facing a similar issue and the reinstallation of OpenVPN on the clients could be one way around it. – Cur10usMind Jan 22 '22 at 17:01