4

I've set up an OpenVPN server on my work network, and I am able to access the server from a remote machine over the VPN. However, I can't work out how to access the LAN behind the server.

The network layout is:

----------   -------   --------   ----------------  
|Internet|-->|Modem|-->|Switch|-->|OpenVPN Server|  
----------   -------   --------   ----------------

The server is an Ubuntu server. I have enabled IP forwarding on the server.

Our gateway/modem is a Linksys WAG54G2, and I am connecting with a WinXP machine.

Does anyone know how to open up the subnet that the OpenVPN server is on?

fnord_ix
  • 213
  • 4
  • 8

3 Answers

2

This setup is CentOS-specific but your install will probably be similar. The config is also for the 2.0 version; the 2.1 series appears to use a different format of config file. It also assumes you're using two Linux boxes to do this, and not just joining a Windows XP endpoint, so you'll need to make adaptations for the Windows XP install you're using. In this example, the addresses have been chosen at random, so here's how they are assigned:

  • 1.1.1.1 is the public address of your server at work facing towards the internet
  • 2.2.2.2 is the public address of your server at home facing towards the internet
  • 192.168.1.0/24 is the network at your work
  • 192.168.1.1 is the internal address of your machine that has 1.1.1.1
  • 192.168.1.254 will be the VPN end-point of the machine that has 1.1.1.1
  • 192.168.2.0/24 is the network at your home
  • 192.168.2.1 is the internal address of your machine that has 2.2.2.2
  • 192.168.2.254 will be the VPN end-point of the machine that has 2.2.2.2

and

  • both 1.1.1.1 and 2.2.2.2 accept traffic through your firewall on port 1194 from each other only. No sense in accepting traffic from anywhere else and it will cut down on potential attacks.

Secret Static Key

It will be easiest for you to use a static key. Read instructions here on how to make one. Here's the short version done from 1.1.1.1 as root:

# generate the shared static key on 1.1.1.1 (--secret takes the output file name)
openvpn --genkey --secret /etc/openvpn/secret.key
chmod 600 /etc/openvpn/secret.key
# copy the same file to the peer; the name must match the 'secret' line in both configs
scp /etc/openvpn/secret.key root@2.2.2.2:/etc/openvpn/secret.key
ssh root@2.2.2.2 chmod 600 /etc/openvpn/secret.key

Sample Local (Work LAN) Config:

You would place this text in /etc/openvpn/home-vpn on your work machine (1.1.1.1), assuming that OpenVPN reads the contents of /etc/openvpn at startup.

#daemon home-vpn
# public address this end listens on, and the only peer it talks to
local 1.1.1.1
remote 2.2.2.2
# this end listens; the home end must use tcp-client
proto tcp-server
port 1194
dev tun0
# local tunnel endpoint, then remote tunnel endpoint
ifconfig 192.168.1.254 192.168.2.254
# home LAN is reached via the remote tunnel endpoint, metric 6
route 192.168.2.0 255.255.255.0 192.168.2.254 6
route-delay 5
verb 3
nice 1
secret /etc/openvpn/secret.key
comp-lzo
passtos

Sample Remote (Home LAN) Config:

You would place this text in /etc/openvpn/work-vpn on your home machine (2.2.2.2), assuming that OpenVPN reads the contents of /etc/openvpn at startup.

#daemon work-vpn
# public address this end uses, and the only peer it talks to
local 2.2.2.2
remote 1.1.1.1
# this end connects out to the tcp-server at work
proto tcp-client
port 1194
dev tun0
# local tunnel endpoint, then remote tunnel endpoint
ifconfig 192.168.2.254 192.168.1.254
# work LAN is reached via the remote tunnel endpoint, metric 6
route 192.168.1.0 255.255.255.0 192.168.1.254 6
route-delay 5
verb 3
nice 1
secret /etc/openvpn/secret.key
comp-lzo
passtos

Commentary

The examples here have the openvpn service running with a nice priority of 1; if you do not desire this, remove the entire line that reads nice 1 to have it run like any other program. Compression is enabled via comp-lzo on both ends, and passtos allows the TOS bits of packets to survive across the VPN. Both of these can also be disabled if you like. Some will notice that the route cost of 6 seems a bit high, which is true; it can be much lower (4-5 depending on the setup), but 6 provides enough "reach" for subnets and additional routing.

And lastly, as I'm posting this at 1:31am, I'm sure that I forgot something or marked something incorrectly, so please feel free to go over the settings and double-check them.

Avery Payne
  • 14,536
  • 1
  • 51
  • 88
  • Thanks, I should have mentioned that I am using OpenVPN 2.1, but I will try some configs and see how they go – fnord_ix Aug 28 '09 at 01:11
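The two configs above are easy to get subtly out of step (both sides claiming to be the TCP listener, a route gateway that is not the peer's tunnel endpoint, mismatched ifconfig pairs). The following checker is an added example written for this page, not code from the answer above or from the OpenVPN project. It parses two static-key, point-to-point configs and reports inconsistencies; the sample config texts inside it are constructed for the test (they reuse the answer's 1.1.1.1 / 2.2.2.2 / 192.168.x.254 addressing), and HOME_BROKEN is a deliberately mistaken variant, not a claim about the answer's own text.

```python
"""Consistency checker for a pair of OpenVPN static-key, point-to-point configs.
Added example for this page; not part of the original answer."""
import shlex


def parse_openvpn_conf(text):
    """Parse an OpenVPN config into {option: [args_of_each_occurrence]}.
    Repeated options (several 'route' lines) are all kept; '#'/';' comments
    and blank lines are ignored."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = shlex.split(line)
        opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def _first(opts, name):
    """Args of the first occurrence of an option, or None if absent."""
    vals = opts.get(name)
    return vals[0] if vals else None


def check_site_to_site(conf_a, conf_b):
    """Return a list of findings for two peer configs; [] means consistent."""
    a, b = parse_openvpn_conf(conf_a), parse_openvpn_conf(conf_b)
    findings = []
    for mine, theirs, side in ((a, b, "A"), (b, a, "B")):
        # 'remote' on one side has to be the other side's 'local' address.
        if _first(mine, "remote") != _first(theirs, "local"):
            findings.append(f"{side}: remote does not match the peer's local")
        ifc = _first(mine, "ifconfig") or [None, None]
        peer_ifc = _first(theirs, "ifconfig") or [None, None]
        # ifconfig is 'local-endpoint remote-endpoint'; the peer must mirror it.
        if ifc[::-1] != peer_ifc:
            findings.append(f"{side}: ifconfig {ifc} does not mirror peer's {peer_ifc}")
        # The gateway field of 'route' is the next hop, i.e. the peer's tunnel
        # endpoint (OpenVPN's default when it is omitted) or the keyword
        # 'vpn_gateway'. Our own endpoint is not a next hop.
        for r in mine.get("route", []):
            if len(r) >= 3 and r[2] not in ("vpn_gateway", ifc[1]):
                findings.append(
                    f"{side}: route {r[0]} gateway {r[2]} is not the remote endpoint {ifc[1]}")
        if "secret" not in mine:
            findings.append(f"{side}: static-key mode needs a 'secret' line")
    # Over TCP exactly one side listens (tcp-server) and one connects
    # (tcp-client); with UDP both sides simply say 'udp'.
    protos = sorted(p[0] for p in (_first(a, "proto"), _first(b, "proto")) if p)
    if protos not in (["tcp-client", "tcp-server"], ["udp", "udp"]):
        findings.append(f"proto roles are not complementary: {protos}")
    if _first(a, "port") != _first(b, "port"):
        findings.append("port differs between the two peers")
    return findings


# Constructed sample configs (addresses as in the answer above).
WORK_CONF = """
local 1.1.1.1
remote 2.2.2.2
proto tcp-server
port 1194
dev tun0
ifconfig 192.168.1.254 192.168.2.254
route 192.168.2.0 255.255.255.0 192.168.2.254 6
secret /etc/openvpn/secret.key
"""

HOME_CONF = """
local 2.2.2.2
remote 1.1.1.1
proto tcp-client
port 1194
dev tun0
ifconfig 192.168.2.254 192.168.1.254
route 192.168.1.0 255.255.255.0 192.168.1.254 6
secret /etc/openvpn/secret.key
"""

# Deliberately broken variant: both ends listen, and the route gateway is
# this end's own tunnel address instead of the peer's.
HOME_BROKEN = HOME_CONF.replace("proto tcp-client", "proto tcp-server") \
                       .replace("255.255.255.0 192.168.1.254", "255.255.255.0 192.168.2.254")

if __name__ == "__main__":
    for label, home in (("good pair", HOME_CONF), ("broken pair", HOME_BROKEN)):
        print(label, check_site_to_site(WORK_CONF, home) or "OK")
```

Run it against your two real files before bringing the tunnel up; a clean result does not prove the tunnel works (firewall rules, IP forwarding and the LAN hosts' return routes are outside its scope), but it catches the mirror-image mistakes that otherwise show up only as a connection that "hangs".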
1

Complete Answer.

  • see Avery Payne's detailed notes, it's all there.

Short Answer.

  • Remote Client needs to route traffic to your LAN through the VPN connection
  • LAN Hosts need to route traffic for VPN Private LAN to the OpenVPN Server

Medium Answer.

Remote Client

When your OpenVPN Client connects to the OpenVPN Server, the client will now have at least 2 IP Addresses.

  • "IP Address A" client uses to connect to the Internet and OpenVPN Server
  • "IP Address B" set up by the OpenVPN Client

The problem is that in the normal circumstance, your client doesn't know where to send traffic for the IP range inside your LAN. The client will normally have a 'default gateway' (i.e. where do I send traffic for destinations I do not know) that forwards to your ISP.

The better solution for this dilemma is to have the OpenVPN Client set up the routing once it has successfully set up the VPN tunnel. Take a look at the push functionality for OpenVPN's server configuration. For example:

push "route LAN-IP SUBNET"

(if your remote client is a Windows box you may need to add something like the below to its client configuration)

route-method exe

A combination of the above should get traffic from your remote client, through the VPN, to the LAN hosts, but now you need the LAN hosts to know where to send responses.

LAN Hosts

If your only connection outside of work is through the OpenVPN Server, then you can just make sure that the VPN Server is your LAN's default gateway. Otherwise, ...

  • on LAN Host, set a route for the "IP Address B" subnet to gateway through your OpenVPN Server
samt
  • 713
  • 4
  • 10
0
  • You can bridge your LAN and the OpenVPN network.
  • Add machines in your LAN to the VPN.
scyldinga
  • 178
  • 1
  • 6