Access Client side LAN on VPN server

4

1

Till now I have managed to install an OpenVPN server on DigitalOcean and an OpenVPN client on a Raspberry Pi. My Raspberry Pi's OpenVPN IP is 10.8.0.6, which I can ping from the OpenVPN server. Now this RPi is connected to a LAN network (gateway 10.1.1.253, subnet mask 255.255.252.0) with IP 10.1.2.14. There is another Linux system connected to this client's (RPi) network and its IP is 10.1.2.2.

Now I want to access 10.1.2.2 from the OpenVPN server via the VPN. Can anybody explain to me how I should do this?

EDIT: As per @masgo's suggestion, I did the following:

  1. In the server.conf file, added client-config-dir /etc/openvpn/ccd, route 10.1.0.0 255.255.252.0 and push "route 10.1.0.0 255.255.252.0"
  2. In the /etc/openvpn/ccd/lappy file, added iroute 10.1.0.0 255.255.252.0
  3. Now I am able to ping IP 10.1.2.14 (OpenVPN's client) from the OpenVPN server, but not IP 10.1.2.2. What am I missing in the client-side routing?

Bhushan

Posted 2016-08-08T14:41:12.623

Reputation: 103

Answers

2

Two things:

  1. Are you sure you have your local network set up OK? If the gateway is 10.1.1.253 and the netmask is 255.255.255.252, PCs 10.1.2.2 and 10.1.2.14 are not on the same network as the gateway.

  2. The packet from the Ocean server comes bearing as an IP address the other end of the OpenVPN tunnel, presumably 10.8.0.1. When this reaches 10.1.2.2, this sees it belongs to a different subnet than its own, and will thus try to forward its reply the only way it knows, i.e. via the gateway, not via the OpenVPN client. Hence the return ping never comes back.

    The way to circumvent this is to add the following iptables rule on the RPi:

    iptables -t nat -A POSTROUTING -d (here your local network) -j MASQUERADE


    This way the packet will be sent back to the OpenVPN client. I did not insert your network because it is not clear which one that is: if it is 10.1.2.0/30 please insert that, or modify accordingly.

MariusMatutiae

Posted 2016-08-08T14:41:12.623

Reputation: 41 321

My netmask is not 255.255.255.252 but 255.255.252.0 – Bhushan – 2016-08-25T11:09:30.500

So I need to add following command in RPi iptables -t nat -A POSTROUTING -d 10.1.0.0 / 22 -j MASQUERADE . Right ? – Bhushan – 2016-08-25T11:12:55.700

@BhushanPatil That's right. As for the network, apologies, my bad. – MariusMatutiae – 2016-08-25T11:17:58.477

@BhushanPatil No space in 10.1.0.0/22, careful. – MariusMatutiae – 2016-08-25T11:18:46.147

THAT WORKED. Thank you very much. But I am new to networking stuff, so will you explain to me what magic this command iptables -t nat -A POSTROUTING -d 10.1.0.0/22 -j MASQUERADE is doing here? – Bhushan – 2016-08-25T11:38:36.733

1

@BhushanPatil Sure: it rewrites the IP header of every frame sent, with its own IP address for the sender, to make it look like the frames are sent from the RPi instead of being passed on from the Ocean server. It also keeps track of all conversations automagically, so that when the reply comes, the RPi knows that the reply is really for the Ocean server, not for itself. – MariusMatutiae – 2016-08-25T12:00:19.450
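Worked example added here (not code from the question or either answer): a small POSIX shell script that derives the network address and prefix length from the RPi's LAN IP and netmask, checks whether two hosts share a subnet (the point raised in the first answer, which depends on reading the netmask correctly), and prints the server.conf, ccd and iptables lines the thread converges on. The common name `lappy` and the path `/etc/openvpn/ccd` come from the question; the `ip_forward` sysctl line is an assumption about what the RPi additionally needs in order to forward between tun0 and the LAN.

```shell
#!/bin/sh
# Added example: derive LAN-to-LAN OpenVPN routing lines from an IP + netmask.

# ip_to_int 10.1.2.14 -> 167838222 (dotted quad to 32-bit integer)
ip_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 167837696 -> 10.1.0.0
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix_len 255.255.252.0 -> 22; fails on a non-contiguous mask such as 255.0.255.0
prefix_len() {
    m=$(ip_to_int "$1"); n=0
    while [ $(( m & 0x80000000 )) -ne 0 ]; do n=$((n + 1)); m=$(( (m << 1) & 0xFFFFFFFF )); done
    [ "$m" -eq 0 ] || { echo "invalid netmask: $1" >&2; return 1; }
    echo "$n"
}

# network_of 10.1.2.14 255.255.252.0 -> 10.1.0.0
network_of() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# same_subnet HOST_A HOST_B MASK -> yes|no  (the first answer's check, point 1)
same_subnet() {
    [ "$(network_of "$1" "$3")" = "$(network_of "$2" "$3")" ] && echo yes || echo no
}

# lan_to_lan_config CLIENT_LAN_IP NETMASK CLIENT_COMMON_NAME
# Prints the server.conf additions, the ccd iroute, and the client-side rules.
lan_to_lan_config() {
    net=$(network_of "$1" "$2"); len=$(prefix_len "$2") || return 1
    cat <<EOF
# server.conf
client-config-dir /etc/openvpn/ccd
route $net $2
push "route $net $2"
# /etc/openvpn/ccd/$3
iroute $net $2
# on the VPN client (RPi): forward, and masquerade traffic entering the LAN
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -d $net/$len -j MASQUERADE
EOF
}
```

Running `lan_to_lan_config 10.1.2.14 255.255.252.0 lappy` reproduces the lines from the question's EDIT plus the accepted iptables rule with `-d 10.1.0.0/22`.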

2

What you want to do is called LAN-to-LAN. The solution is to have the correct routes on your VPN client and VPN server. You usually do the client-side config by "pushing" the routing information from the server to the client.

Have a look at this: https://community.openvpn.net/openvpn/wiki/RoutedLans

Also: https://serverfault.com/questions/593314/openvpn-routing-for-lan-to-lan-through-tun

masgo

Posted 2016-08-08T14:41:12.623

Reputation: 1 541