I am trying to find a way to turn on my work PCs remotely via OpenVPN. The PCs are connected to a router which is on the subnet of another router owned by the people who manage our building. When the PCs are powered on, I can access them fine using RDP via my OpenVPN connection.

I can power the PCs on by going into my router management GUI and starting them from there, however I don't want to give my staff access to the router and it is them who I need to give access to.

Is there any way I can power on the PCs when tunnelling through OpenVPN?

Richard Lapthorn

1 Answer

Is it possible to WOL via OpenVPN?

Yes it is.

Is there any way I can power on the PCs when tunnelling through OpenVPN?

Yes, you've got the following options:

  • use OpenVPN in bridge mode (VPN & LAN share layer 2 segment, TAP device),
  • forward UDP port 9 at your router from VPN side (when using VPN layer 3 subnet with TUN device),
  • forward UDP port 9 at your router from Internet side.

Newbie hints:

Layers?

http://www.cisco.com/cpress/cc/td/cpress/fund/ith/ith01gb.htm#xtocid166847

https://en.wikipedia.org/wiki/OSI_model

Configuring router port forwarding:

Most routers do not allow you to forward to broadcast, however if you can get shell access to your router (through telnet, ssh, serial cable, etc) you can implement this workaround:

$ ip neighbor add 192.168.1.254 lladdr FF:FF:FF:FF:FF:FF dev net0

Source: https://wiki.archlinux.org/index.php/Wake-on-LAN

Enabling Wake On Lan on the network adapter (Linux way):

ethtool -s eth0 wol g

Enable WOL via /etc/network/interfaces (Debian, Ubuntu, Mint probably too):

$ cat /etc/network/interfaces.d/eth0
auto eth0
iface eth0 inet dhcp
    ethernet-wol g

Linux tools:

wol -p forwarded_port -i router_IP target_MAC_address

man wol

wakeonlan -i 10.0.0.255 FF:00:00:00:00:30

man wakeonlan

Michal Sokolowski
  • Thank you Michael. Our OpenVPN is set up as a tun device, so I guess we would be looking at option 2 or 3. Could you go into a little more detail on either option? – Richard Lapthorn Jun 20 '16 at 15:29
  • I have UDP port 9 forwarded to 192.168.0.99 which is linked to a startup command on my DD-WRT router: arp -i br0 -s 192.168.0.99 FF:FF:FF:FF:FF:FF. Therefore a MAC address sent to UDP port 9 starts the correct computer. This works perfectly over the internet or on the LAN but not using my OpenVPN tunnel. How should I be attempting to start it from the client end? Should I be sending the packet to the router's broadcast IP? Should I use the subnet assigned to the OpenVPN client? I feel like I've tried every possible permutation and I'm now quite confused :( – Richard Lapthorn Jun 20 '16 at 16:30
  • You have to forward 9th UDP port to your LAN broadcast address not the unicast one. – Michal Sokolowski Jun 21 '16 at 09:45
  • So in this case 192.168.0.255? I didn't think that would matter as the DD-WRT startup command I mentioned before should make 192.168.0.99 a broadcast address. As mentioned here: https://www.dd-wrt.com/wiki/index.php/WOL Just to make sure, I have forwarded UDP port 9 to 192.168.0.255 but it still doesn't make a difference. Is there not an issue with the machines being on different subnets? The LAN is 192.168.0.X and the OpenVPN subnet is 10.9.0.X. What address does the client need to send the packets to? – Richard Lapthorn Jun 21 '16 at 11:12
  • Not necessarily, I believe it depends on the driver, it can be as well: 192.168.255.255 or even 255.255.255.255. Capture the frame in LAN, then forward the port, capture it again and check differences in ethernet frame, IP headers and UDP header, especially: DST MAC, DST IP, DST port. – Michal Sokolowski Jun 21 '16 at 13:10
  • Ha ha, oh dear. I think we've reached the limit of my understanding on this subject. How do I go about capturing a frame? – Richard Lapthorn Jun 21 '16 at 15:22
  • At PC you can use wireshark (program, a tool, freeware, google it), it's a packet sniffer, at your router you probably have command line and tcpdump. That's all you need, you'll find a ton of examples on the Net. All headers description (very well written especially by Cisco) you have in my post above. It sounds a little scary - I know, but it's not as hard as you think it is. :) – Michal Sokolowski Jun 21 '16 at 20:02
  • I think the answer and the comments are not very helpful. What is the command (in Linux for my interest) to WOL a machine that is behind a router and the router has the IP of that machine as forwarding destination for port 9? I don't think it is a good thing to answer a question just half. – bomben Aug 18 '17 at 19:43
  • @Ben with all due respect: 1. You missed that the OP didn't ask for a specified command. 2. Serverfault is NOT the type of site you're looking for: https://serverfault.com/help/on-topic . 3. There's no such command to wake up the machine behind (P)NAT without proper router config. 4. Next time write something about the distribution you use, there's a high chance that the proper tool is already installed. – Michal Sokolowski Aug 19 '17 at 09:49
  • 5. How can the destination IP address be the same as the workstation you're willing to wake? 6. Take a look please: https://wiki.archlinux.org/index.php/Wake-on-LAN – Michal Sokolowski Aug 19 '17 at 09:57
  • Again, your comments are strange. OP wants to wake up his MAC from internet side. You were right to point to the forwarding. Now, what command sends a WOL packet to the dynDNS or static WAN IP? – bomben Aug 19 '17 at 10:03