1

I have a server on the office LAN with a public IP running OpenVPN. External VPN clients can connect to the VPN via the public IP.

But once connected, they are unable to connect to other servers on the office LAN, although they can access any site over the WAN.

My openvpn.conf looks like this:

local xx.xx.xx.xx
port 8443
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
;ifconfig-pool-persist ipp.txt
push "route 10.84.172.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.84.172.117"
push "dhcp-option DNS 9.9.9.9"
duplicate-cn
keepalive 10 120
tls-auth ta.key 0
key-direction 0
cipher AES-128-CBC
auth SHA256
comp-lzo
max-clients 10
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log         openvpn.log
log-append  openvpn.log
verb 9

Client conf is as follows:

client
dev tun
proto tcp
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-128-CBC
auth SHA256
key-direction 1
comp-lzo
verb 3
mute 20

ip route show output is:

default via xx.xx.xx.xx dev ens19 onlink 
10.8.0.0/24 via 10.8.0.2 dev tun0 
10.8.0.2 dev tun0  proto kernel  scope link  src 10.8.0.1 
10.84.172.0/24 dev ens18  proto kernel  scope link  src 10.84.172.76 
xx.xx.xx.xx/27 dev ens19  proto kernel  scope link  src  xx.xx.xx.xx

ifconfig output:

ens18     Link encap:Ethernet  HWaddr e2:d0:37:41:fe:62  
          inet addr:10.84.172.76  Bcast:10.84.172.255  Mask:255.255.255.0
          inet6 addr: fe80::e0d0:37ff:fe41:fe62/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:300099 errors:0 dropped:7 overruns:0 frame:0
          TX packets:813 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:45852701 (45.8 MB)  TX bytes:108772 (108.7 KB)

ens19     Link encap:Ethernet  HWaddr a2:c9:4f:0f:b3:a8  
          inet addr:xx.xx.xx.xx  Bcast:xx.xx.xx.xx  Mask:255.255.255.224
          inet6 addr: fe80::a0c9:4fff:fe0f:b3a8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:121480 errors:0 dropped:31009 overruns:0 frame:0
          TX packets:37745 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:14195083 (14.1 MB)  TX bytes:6904167 (6.9 MB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:176 errors:0 dropped:0 overruns:0 frame:0
          TX packets:176 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:13296 (13.2 KB)  TX bytes:13296 (13.2 KB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

netstat -r output: https://pastebin.com/30ZRNRri

IPv4 forwarding has been enabled.

I believe I'm missing some static routes between the OpenVPN tun subnet and my actual local subnet, but nothing I'm trying to route between them is working.

user618509
  • 151
  • 2
  • 9
  • Does your LAN gateway have a route for your VPN subnet? – sippybear Oct 09 '18 at 19:19
  • only what is posted above – user618509 Oct 09 '18 at 21:56
  • Can you post your `ifconfig` from the OpenVPN server? – sippybear Oct 10 '18 at 00:38
  • added to original question. – user618509 Oct 10 '18 at 06:31
  • @user618509, can you pls post the routing table from a client after connecting to the VPN? – Diamond Oct 10 '18 at 09:17
  • I added a link to pastebin from the routing tables in the original question – user618509 Oct 10 '18 at 09:52
  • If I am right, yours is a case where the VPN server is not the default gateway/server for the local network. As I can see in the routing table, the default gateway is 10.84.172.1. I suppose at this gateway/router the route for the VPN network (10.8.0.0/24) is missing. That's why the local servers can't find a way to reach the VPN clients. See this: https://serverfault.com/questions/759438/problems-when-openvpn-server-is-not-the-default-gateway#759448 – Diamond Oct 10 '18 at 11:20
  • Yep, that's right, the VPN is not the router. The gateway is outside of our control as it is a shared office; we use the VPN to give external users access to LAN resources. I have tried the information in that question but it fails saying it already exists: `root@vpn:/home/sysadmin# sudo ip route add 10.8.0.0/24 via 10.84.172.1` gives `RTNETLINK answers: File exists` – user618509 Oct 10 '18 at 11:41
  • @user618509, the gateway should be your VPN server: 10.84.172.76 – Diamond Oct 10 '18 at 12:09

2 Answers

0

I think you should uncomment the push route line in the openvpn.conf file and see if it works.

Humberto Castellon
  • 849
  • 1
  • 7
  • 17
  • I have tried that with no change; requests just time out – user618509 Oct 09 '18 at 16:06
  • I have an OpenVPN server scenario and the configuration I mentioned in the comment above is under configuration>VPN settings>routing. There you enable/disable the _should vpn clients have access to private subnets_ option. Have added an image in the initial answer. – Humberto Castellon Oct 09 '18 at 16:15
  • OpenVPN doesn't have a GUI, so I'm not sure what your answer is here – user618509 Oct 09 '18 at 21:56
  • I meant web interface, sorry about that. I have the OpenVPN appliance installed in Ubuntu 16.04 and most of the configuration I do is through the web interface. – Humberto Castellon Oct 09 '18 at 21:59
  • OpenVPN doesn't have a web interface, so you must be referring to some other application. I am asking how to make an IP route between two subnets – user618509 Oct 09 '18 at 22:06
  • By openvpn I've always referred to this: https://openvpn.net/ if you referred to another product/solution maybe it's my bad. – Humberto Castellon Oct 09 '18 at 22:08
0

Assuming this is what you want:

[OVPN Clients(10.8.0.0/24)]<-tunnel->[OVPN Svr(10.84.172.76)]<-LAN->[GW(10.84.172.1)]<-LAN->[SUBNET (10.84.172.0/24)]

and you can't simply add 10.8.0.0/24 --> 10.84.172.76 to the GW's route table, you'll have to manually add a persistent route to each of your LAN systems.

Debian-based: edit /etc/network/interfaces and add

up route add -net 10.8.0.0/24 gw 10.84.172.76 dev [your_lan_nic (not tun!)]

RHEL-based: edit /etc/sysconfig/network-scripts/route-eth[your lan nic #]

10.8.0.0/24 via 10.84.172.76

I would strongly encourage you to talk to the gateway's administrator to get your route added there instead of having to muck with each box individually.

I'd also suggest a few changes to your OpenVPN configs.

server conf (with rationale for the changes):

local xx.xx.xx.xx
#port 8443 isn't officially registered with iana, but it is a default for apache tomcat ssl.
#you may be better served by using a less commonly-used port.
port 8443
#proto udp generally has significantly better performance than tcp.
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
#topology subnet is recommended over the default net30.
#you should only have to use net30 if an old Windows ovpn client needs to connect.
topology subnet
server 10.8.0.0 255.255.255.0
push "route 10.84.172.0 255.255.255.0"
;push "redirect-gateway def1 bypass-dhcp"   #leave this out for now to help diagnose routing issues.
push "dhcp-option DNS 10.84.172.117"
push "dhcp-option DNS 9.9.9.9"
duplicate-cn
keepalive 10 120
tls-auth ta.key 0
#key-direction is unnecessary.
#the tls-auth setting already includes the direction (0)
;key-direction 0
cipher AES-128-CBC
auth SHA256
comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
#Use either log or log-append, not both.
#log overwrites the log every time the service starts.
#log-append continues to write to the file when the service starts.
log openvpn.log
;log-append openvpn.log
#you'll probably want to lower the verbosity so your logs are readable.
#verb 3 is usually plenty of information.
verb 9
#mute helps keep your logs readable by suppressing floods of the same error.
mute 20
#explicit-exit-notify helps clients reconnect should the server need to restart.
explicit-exit-notify 1

client config:

client
dev tun
#as above, proto udp has much better performance than tcp
proto udp
#remote host [port] [proto] it's useful to identify the remote server.
#host can be either the IP or FQDN if you have a DNS record.
#I continue to recommend a different port.
remote xx.xx.xx.xx 8443 udp
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-128-CBC
auth SHA256
key-direction 1
comp-lzo
verb 3
mute 20
sippybear
  • 2,997
  • 1
  • 12
  • 12
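As an added example (not part of the question or of sippybear's answer), the script below applies the diagnosis reached in this thread to routing tables in `ip route show` format: for each host it performs the longest-prefix lookup the kernel would do for a reply addressed to a VPN client, and flags the case where that reply is handed to the default gateway 10.84.172.1, which has no route for 10.8.0.0/24. The OpenVPN server's table is the one posted in the question, with the redacted public address replaced by a constructed 203.0.113.0/27 stand-in; the two LAN hosts (one before and one after adding the per-host route from the answer) and the client address 10.8.0.6 are constructed for the example.

```python
"""Return-path check for a routed OpenVPN setup (added example, not the thread's own code)."""
import ipaddress

VPN_SUBNET = ipaddress.ip_network("10.8.0.0/24")          # the 'server 10.8.0.0 255.255.255.0' pool
VPN_SERVER_LAN_IP = ipaddress.ip_address("10.84.172.76")  # ens18 address from the question
LAN_GATEWAY = ipaddress.ip_address("10.84.172.1")         # default gateway named in the comments

# Constructed sample tables. "vpn-server" mirrors the question's 'ip route show' output
# with the public IP replaced by a documentation-range stand-in; the LAN hosts are hypothetical.
SAMPLE_TABLES = {
    "vpn-server": """\
default via 203.0.113.1 dev ens19 onlink
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0  proto kernel  scope link  src 10.8.0.1
10.84.172.0/24 dev ens18  proto kernel  scope link  src 10.84.172.76
203.0.113.0/27 dev ens19  proto kernel  scope link  src 203.0.113.10
""",
    # A LAN server with only its default route: replies to 10.8.0.x go to the gateway.
    "lan-host-unfixed": """\
default via 10.84.172.1 dev eth0
10.84.172.0/24 dev eth0  proto kernel  scope link  src 10.84.172.50
""",
    # The same kind of host after adding the persistent route suggested in the answer.
    "lan-host-fixed": """\
default via 10.84.172.1 dev eth0
10.8.0.0/24 via 10.84.172.76 dev eth0
10.84.172.0/24 dev eth0  proto kernel  scope link  src 10.84.172.51
""",
}


def parse_routes(text):
    """Turn 'ip route show' lines into (destination network, next hop or None, device) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "default":
            dest = ipaddress.ip_network("0.0.0.0/0")
        else:
            dest = ipaddress.ip_network(fields[0], strict=False)  # bare host entries become /32
        via = dev = None
        for i, tok in enumerate(fields):
            if tok == "via":
                via = ipaddress.ip_address(fields[i + 1])
            elif tok == "dev":
                dev = fields[i + 1]
        routes.append((dest, via, dev))
    return routes


def lookup(routes, dst):
    """Longest-prefix match for dst, the same selection rule the kernel applies."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)


def return_path(table_text, client_ip="10.8.0.6"):
    """Classify how a host would forward a reply to a VPN client address.

    'via-vpn-server'      : reply goes to 10.84.172.76, which has the tunnel (correct)
    'via-tun'             : the host is the OpenVPN server itself and uses tun0
    'via-default-gateway' : reply goes to 10.84.172.1, which knows nothing about 10.8.0.0/24
    'unreachable'         : no matching route at all
    """
    route = lookup(parse_routes(table_text), client_ip)
    if route is None:
        return "unreachable"
    dest, via, dev = route
    if dev and dev.startswith("tun"):
        return "via-tun"
    if via == VPN_SERVER_LAN_IP:
        return "via-vpn-server"
    if dest.prefixlen == 0 or via == LAN_GATEWAY:
        return "via-default-gateway"
    return "other"


def report(tables=SAMPLE_TABLES):
    """Map each host name to its return-path classification."""
    return {name: return_path(text) for name, text in tables.items()}


if __name__ == "__main__":
    for host, result in report().items():
        flag = "OK " if result in ("via-vpn-server", "via-tun") else "BAD"
        print(f"{flag} {host:18s} reply to {VPN_SUBNET} -> {result}")
```

Run it against real tables by replacing the constructed entries with the output of `ip route show` from the OpenVPN server and from any LAN host that cannot be reached; a host reported as `via-default-gateway` is one that needs either the per-host route from the answer or a route for 10.8.0.0/24 added on the gateway.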
  • I still can't reach the subnets behind. My OpenVPN clients are not connecting to the VPN server over the LAN; they come in via the public interface, and the LAN is on another interface: [OVPN Clients(10.8.0.0/24)]<-tunnel->[OVPN Svr ens19->(xx.xx.xx.xx) ->ens18-> ]<-LAN->[GW(10.84.172.1)]<-LAN->[SUBNET (10.84.172.0/24)] – user618509 Oct 11 '18 at 02:30
  • My OpenVPN client can ping the VPN server when connected via OpenVPN, but just not other servers on the LAN. Other servers on the LAN do not connect to the VPN server. I am just trying to attach the VPN client to our network – user618509 Oct 11 '18 at 02:33
  • @user618509 did you modify the routes on the LAN systems or did you get your sysadmin to add a route on your gateway device? – sippybear Oct 11 '18 at 23:30