15

My server LAN IP is 192.168.1.1 and there is an intranet web server on 192.168.1.2. The OpenVPN daemon is configured to give clients 192.168.2.* addresses.

There is a push "route 192.168.1.0 255.255.255.0" line in the config, which I expect to enable the VPN clients to access the entire 192.168.1.0 net, but they can only access 192.168.1.1 - the VPN server itself.

I've tried enabling net.ipv4.ip_forward = 1 in /etc/sysctl.conf but this doesn't help.

Any ideas?

PS: The server runs Ubuntu 12.04.
PPS: OpenVPN runs in tun mode over UDP.

Ivan
  • Dear @FrandsHansen, I only accept answers which at the same time 1. are logically correct answers to the questions, 2. have been tested by me to work. – Ivan Sep 10 '12 at 21:08

2 Answers

19

Make sure that IP forwarding is actually enabled:

echo 1 > /proc/sys/net/ipv4/ip_forward

Also, in order for the route push to work, the servers on the inside also need to know the route back to your OpenVPN client IP addresses. So they will need to know the route to 192.168.2.0/24.

You can most likely make iptables do the routing via masquerade using:

/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
Frands Hansen
  • `echo 1 > /proc/sys/net/ipv4/ip_forward` gives `-bash: /proc/sys/net/ipv4/ip_forward: Permission denied` - what does it mean in this case? – Ivan Aug 16 '12 at 19:37
  • Most likely it means that you are not doing it as root. Try doing it as root – Frands Hansen Aug 16 '12 at 19:59
  • It's just the same effect with `sudo`. What is the result intended to be? – Ivan Aug 16 '12 at 20:14
  • This is it. After setting port forwarding, route push and defining the subdomain for VPN clients, it should work – Alfabravo Aug 16 '12 at 21:52
  • Putting sudo in front of the command won't add the privileges to the file (after the > ), so you need to elevate to root and then do it. – Frands Hansen Aug 17 '12 at 06:46
  • or use `echo 1 | sudo tee` – ygrek Feb 27 '13 at 03:48
  • Can ping other IP addresses but cannot connect to other TCP ports, for example http (80); from the VPN user access is only possible to send ICMP packets – e-info128 Dec 16 '16 at 16:56
2

If your LAN network really is 192.168.1.0/24, then you can get a lot of problems, because most routers have that as their default network. So when you are on a guest network, your computer can get an IP from the 192.168.1.0/24 network, and then you cannot access your remote network, only the guest network. I suggest choosing another network for your LAN and VPN, for example 192.170.15.0/24 for the LAN and 10.0.5.0/xx for the VPN. xx depends on how many VPN clients are connecting to the LAN.

Here is my firewall script for OpenVPN:

#!/bin/sh

# Accept anything arriving on a VPN interface, both for the host itself
# (INPUT) and for forwarding on to other networks (FORWARD).
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT

# Allow packets from private subnets (eth1 is the LAN side)
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT

# i have multiple vpn networks
# 192.123.123.0/24 = LAN
# Masquerade each VPN subnet as it leaves towards the LAN, so LAN hosts
# reply to the VPN server's own address and need no route back to the VPN.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.9.0.0/30 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.9.1.0/30 -o eth1 -d 192.123.123.39 -j MASQUERADE # to single server access only

# Finally turn on IP forwarding in the running kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
Guntis
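The following script is an added example and is not taken from either answer above; it pulls together what the two answers and the comment thread arrive at. It enables forwarding in the running kernel with sysctl -w (the `sudo echo 1 > /proc/...` attempt fails because the redirection is performed by the unprivileged shell before sudo runs, and an entry in /etc/sysctl.conf alone only takes effect at boot or after `sysctl -p`), persists the setting, and loads iptables rules that masquerade only traffic from the VPN subnet towards the LAN rather than everything leaving the LAN NIC, as Frands Hansen's `-o eth0 -j MASQUERADE` rule would. Passing a single host such as 192.168.1.2/32 as LAN_NET gives the restricted single-server variant of the last POSTROUTING rule in Guntis's script. The interface names eth0 and tun0 and the two subnets are assumptions based on the question; the script only prints the rules by default and touches the system only when run as root with `apply`.

```shell
#!/bin/sh
# Added example, not the original answers' code. Assumed layout (from the
# question): LAN 192.168.1.0/24 behind eth0, OpenVPN clients in 192.168.2.0/24
# on tun0, and "push route 192.168.1.0 255.255.255.0" already in server.conf.
VPN_NET="${VPN_NET:-192.168.2.0/24}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"

# Print the iptables commands for one VPN subnet -> LAN pairing.
# The MASQUERADE is limited to VPN-sourced packets bound for the LAN, so LAN
# hosts reply to the server's LAN address and need no route to the VPN subnet,
# while unrelated forwarded traffic is not rewritten. Pass a /32 as $2 to
# restrict the VPN clients to a single LAN server.
forward_rules() {
    vpn="$1"; lan="$2"; lan_if="$3"; vpn_if="$4"
    printf '%s\n' \
      "iptables -t nat -A POSTROUTING -s $vpn -d $lan -o $lan_if -j MASQUERADE" \
      "iptables -A FORWARD -i $vpn_if -o $lan_if -s $vpn -d $lan -j ACCEPT" \
      "iptables -A FORWARD -i $lan_if -o $vpn_if -m state --state RELATED,ESTABLISHED -j ACCEPT"
}

# Report whether the kernel is currently forwarding. The file argument exists
# so the check can be exercised against a constructed file; it defaults to the
# real procfs node. Exit status 0 = forwarding on, 1 = off or unreadable.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Enable forwarding now and make it survive a reboot. sysctl -w writes the
# proc node as root, which is what "sudo echo 1 > file" cannot do because the
# shell opens the file before sudo is involved. The grep anchors on ^ so the
# commented-out default line that Ubuntu ships does not count as enabled.
enable_ip_forward() {
    sysctl -w net.ipv4.ip_forward=1
    grep -q '^net\.ipv4\.ip_forward *= *1' /etc/sysctl.conf || \
        printf 'net.ipv4.ip_forward = 1\n' >> /etc/sysctl.conf
}

# Usage: ./vpn-forward.sh show    print the rules (default, no root needed)
#        ./vpn-forward.sh apply   as root: enable forwarding and load the rules
#        ./vpn-forward.sh check   exit 0 if the kernel is forwarding
case "${1:-show}" in
  show)  forward_rules "$VPN_NET" "$LAN_NET" "$LAN_IF" "$VPN_IF" ;;
  apply) enable_ip_forward
         forward_rules "$VPN_NET" "$LAN_NET" "$LAN_IF" "$VPN_IF" | sh -e ;;
  check) ip_forward_enabled ;;
esac
```

The FORWARD rules only matter if the chain's policy is DROP or other rules reject traffic; if `iptables -L FORWARD` shows policy ACCEPT and no rules, a client that can ping the server but nothing beyond it is almost always missing the forwarding flag or the return route, not firewall rules.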