Access a subnet behind an openvpn server

4

2

I have an Ubuntu OpenVPN server set up. Everything works just fine, VPN clients can successfully connect to the VPN server. Challenge is that I cannot connect to the computers behind the VPN server

tcp dump on tun0 root@gtway-sr-s:~# tcpdump -i tun0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
15:10:45.785732 IP 10.8.0.6 > 192.168.33.2: ICMP echo request, id 7, seq 48841, length 40
15:10:50.469529 IP 10.8.0.6 > 192.168.33.2: ICMP echo request, id 7, seq 48850, length 40

And this is for em2 [192.168.33.2]

root@gtway-sr-s:~# tcpdump -i em2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em2, link-type EN10MB (Ethernet), capture size 65535 bytes
15:15:15.460870 ARP, Request who-has 192.168.33.2 tell 192.168.33.1, length 28
15:15:15.461025 ARP, Reply 192.168.33.2 is-at e4:1f:13:bb:0f:f2 (oui Unknown), length 46
15:15:15.464351 IP 192.168.33.1 > 192.168.33.2: ICMP echo request, id 7, seq 49287, length 40
15:15:15.464544 IP 192.168.33.2 > 192.168.33.1: ICMP echo reply, id 7, seq 49287, length 40
15:15:16.187506 IP 192.168.33.2.60143 > 229.111.112.12.3071: UDP, length 4
15:15:20.448006 IP 192.168.33.1 > 192.168.33.2: ICMP echo request, id 7, seq 49296, length 40
15:15:20.448207 IP 192.168.33.2 > 192.168.33.1: ICMP echo reply, id 7, seq 49296, length 40
15:15:21.491924 IP 192.168.33.2.60143 > 229.111.112.12.3071: UDP, length 4
15:15:25.450927 IP 192.168.33.1 > 192.168.33.2: ICMP echo request, id 7, seq 49304, length 40
15:15:25.451132 IP 192.168.33.2 > 192.168.33.1: ICMP echo reply, id 7, seq 49304, length 40
15:15:26.823644 IP 192.168.33.2.60143 > 229.111.112.12.3071: UDP, length 4
15:15:30.459822 IP 192.168.33.1 > 192.168.33.2: ICMP echo request, id 7, seq 49315, length 40
15:15:30.460016 IP 192.168.33.2 > 192.168.33.1: ICMP echo reply, id 7, seq 49315, length 40
15:15:32.148672 IP 192.168.33.2.60143 > 229.111.112.12.3071: UDP, length 4
15:15:35.143425 ARP, Request who-has 192.168.33.1 (b0:83:fe:e3:2e:1a (oui Unknown)) tell 192.168.33.2, length 46
15:15:35.143431 ARP, Reply 192.168.33.1 is-at b0:83:fe:e3:2e:1a (oui Unknown), length 28
15:15:35.453679 IP 192.168.33.1 > 192.168.33.2: ICMP echo request, id 7, seq 49324, length 40
15:15:35.453861 IP 192.168.33.2 > 192.168.33.1: ICMP echo reply, id 7, seq 49324, length 40
15:15:37.485259 IP 192.168.33.2.60143 > 229.111.112.12.3071: UDP, length 4
15:15:40.455035 IP 192.168.33.1 > 192.168.33.2: ICMP echo request, id 7, seq 49333, length 40
15:15:40.455220 IP 192.168.33.2 > 192.168.33.1: ICMP echo reply, id 7, seq 49333, length 40
15:15:40.468865 ARP, Request who-has 192.168.33.2 tell 192.168.33.1, length 28
15:15:40.469000 ARP, Reply 192.168.33.2 is-at e4:1f:13:bb:0f:f2 (oui Unknown), length 46
15:15:42.827137 IP 192.168.33.2.60143 > 229.111.112.12.3071: UDP, length 4
15:15:45.461731 IP 192.168.33.1 > 192.168.33.2: ICMP echo request, id 7, seq 49343, length 40
15:15:45.461919 IP 192.168.33.2 > 192.168.33.1: ICMP echo reply, id 7, seq 49343, length 40

chico ahmad

Posted 2015-07-06T10:39:33.903

Reputation: 59

when you say behind an openvpn server, what do you mean.. For example, when i've set up a vpn server, then when a computer connects to it, it just gets an IP as if it is on the same LAN. The vpn server is one computer on the LAN as is the computer that connects to the vpn server, once it connects. So, it'd be interesting if you could explain what you mean there – barlop – 2015-07-06T11:30:35.753

@ Barlop OpenVPN_client ->Internet->Router->Open_VPNServer->LAN_Connected That is the architecture of the connection – chico ahmad – 2015-07-06T11:34:17.183

I think I had my VPN server hand out IPs on the same subnet as itself. By the way, i'd guess your VPN server is LAN too. And I guess yeah it is behind any VPN clients, so it acts as a router. – barlop – 2015-07-06T11:42:32.680

Sure it acts as a router for a machine for which I would like to have VPN clients have access to. – chico ahmad – 2015-07-06T11:47:13.433

Answers

5

Modify the server configuration file to include a line like the following:

  push "route 192.168.73.0 255.255.255.0"

where 192.168.73.0/24 is the LAN behind the server. Replace with whatever you use. Double quotes must be kept, not discarded.

NOTICE:

The above will fail if the LAN behind the server and the LAN to which the client belongs overlap to some extent, and especially if they use the same subnet: in the example above, it would fail if both client LAN and server LAN were 192.168.73.0/255. This is a problem because most automatically-setup LANs are either 192.168.1.0/24 or 192.168.0.0/24, so that there are many chances of finding a collision.

This is the reason why I setup my home's LAN as 192.168.73.0/24. Switching LAN to an unusual subnet is the only remedy possible for such a collision.

EDIT:

In reply to your comment:

  1. the collision is not between the LAN behind the server and the IP numbers dished out to the openvpn clients, but between the two LANs: your client must have, on its ethernet/wifi interface, an IP number which must not collide with the remote LAN. Forget about the subnet for the openvpn clients.

  2. Once the above has been configured, one thing that remains to check is whether the server can transfer packets from the virtual interface (I am ready to bet it is tun0 in your case, not tap0, am I right) to the server's normal interface (I bet it is eth0, not br0). This may happen for two reasons:

    a. you did not allow IPv4 forwarding. As sudo,

     echo 1  /proc/sys/net/ipv4/ip_forward

    will take care of this.

    b. You have a firewall which blocks packet forwarding. 

    sudo iptables -F

    will clear your firewall rules.

  3. Lastly, you should remember to use MASQUERADE, as follows:

       iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -d 192.168.33.0/24 -j MASQUERADE

MariusMatutiae

Posted 2015-07-06T10:39:33.903

Reputation: 41 321

Thank you Marius. I already have the entry as stated with 192.168.33.0 255.255.255.0 as the subnet behind the VPN server. The clients have IP addresses from a subnet 10.8.0.0/24, so there is no any kind of overlap. With the push "route 192.168.33.0 255.255.255.0", I am only able to reach the VPN server interface connecting to the other LAN but not any other station in that same LAN. – chico ahmad – 2015-07-06T11:11:53.903

@chicoahmad Can you ping an existing IP address, not a name? – MariusMatutiae – 2015-07-06T11:17:28.280

Yes Marius, I can ping the interface on the other end of the VPN server on 192.168.33.1 from the VPN client – chico ahmad – 2015-07-06T11:20:15.530

@chicoahmad Please see my edit, let me know. – MariusMatutiae – 2015-07-06T11:33:09.730

The OpenVPN client does not have any interface in the same network as the remote subnet connected to the VPN server. IPv4 forwarding in enabled. I added the firewall rule, and still cannot go past the OpenVPN's interface – chico ahmad – 2015-07-06T11:44:12.420

@chicoahmad Is the OpenVPN server the router of the remote LAN, or just a machine on the remote LAN? – MariusMatutiae – 2015-07-06T11:59:37.520

It is the router for the remote machine. Directly connected to the remote machine OpenVPN_server[192.168.33.1] -> Remote_PC[192.168.33.2] – chico ahmad – 2015-07-06T12:00:45.887

@chicoahmad Use tcpdump to listen to ICMP traffic first on tun0, then on eth0, and lastly on 192.168.33.2. Each time, from the client, issue the command ping 192.168.33.2. See through which interface there are not ICMP packets. – MariusMatutiae – 2015-07-06T12:09:23.353

For me setting up masquerade was the critical missing piece of information. Could you link some more information on why this is necessary? – lanoxx – 2018-10-12T10:43:14.397

@lanoxx It rewrites the header of every packet, to make them appear as though they are coming from the pc on which the command is issued. It is necessary because the machines on the 192.168.33.0/24 network have no idea where the network 10.8.0.0/24 is located, and will try to reach it thru the normal gateway, presumably 192.168.33.1. By using MASQUERADE instead, the return packets for the network 10.8.0.0/24 are first sent to the pc on which the OpenVPN terminal is located, and the the kernel automatically re-writes the packets for the 10.8.0.0/24 and sends them on to the OpenVPN network. – MariusMatutiae – 2018-10-14T08:24:00.713

Asked: 2015-07-06T10:39:33.903

Viewed: 10 268 times

Active: 2015-07-06T12:13:03.130