Allow client access to his LAN

D-MAN
OpenVpn Newbie
Posts: 3
Joined: Tue May 09, 2017 5:47 pm

Allow client access to his LAN

Post by D-MAN » Tue May 09, 2017 5:52 pm

Okay I know this is probably asked a lot, but I couldn't find any help that worked... Sorry if it's a repeat!

VPS Ubuntu 16 running openVPN
Client Running Windows 10

Client can connect to VPN and all Internet traffic is routed appropriately.
Client wants to connect to a locally hosted web server at 172.18.10.50 while still connected to the remote VPN, but receives a connection timeout.

Tried the following in server.conf: push "route 172.10.10.0 255.255.0.0 net_gateway"
Tried adding following to client.ovpn config file: route 172.10.10.0 255.255.0.0 net_gateway

No luck.

Advice?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Allow client access to his LAN

Post by TinCanTech » Tue May 09, 2017 6:16 pm


D-MAN
OpenVpn Newbie
Posts: 3
Joined: Tue May 09, 2017 5:47 pm

Re: Allow client access to his LAN

Post by D-MAN » Wed May 10, 2017 12:19 pm

Thank you for the RTFM suggestion, but I don't quite see how this applies. This part of the manual suggests allowing others on the Client LAN access to the VPN. Instead I'm looking for Client to be able to access VPN for Internet and leave a connection open to a local server on the local LAN that doesn't go through VPN. Sorry if I RTFM wrong. Perhaps I'm missing something.

Thanks in advance!

Server Config:

port 443
proto tcp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "route 172.18.10.0 255.255.0.0 net_gateway"  **Latest Try**
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
duplicate-cn

Server Log

Wed May 10 12:08:46 2017 OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb  2 2016
Wed May 10 12:08:46 2017 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Wed May 10 12:08:46 2017 WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
Wed May 10 12:08:46 2017 Diffie-Hellman initialized with 2048 bit key
Wed May 10 12:08:46 2017 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Wed May 10 12:08:46 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed May 10 12:08:46 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed May 10 12:08:46 2017 Socket Buffers: R=[87380->87380] S=[16384->16384]
Wed May 10 12:08:46 2017 TUN/TAP device tun0 opened
Wed May 10 12:08:46 2017 TUN/TAP TX queue length set to 100
Wed May 10 12:08:46 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed May 10 12:08:46 2017 /sbin/ip link set dev tun0 up mtu 1500
Wed May 10 12:08:46 2017 /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Wed May 10 12:08:46 2017 GID set to nogroup
Wed May 10 12:08:46 2017 UID set to nobody
Wed May 10 12:08:46 2017 Listening for incoming TCP connection on [undef]
Wed May 10 12:08:46 2017 TCPv4_SERVER link local (bound): [undef]
Wed May 10 12:08:46 2017 TCPv4_SERVER link remote: [undef]
Wed May 10 12:08:46 2017 MULTI: multi_init called, r=256 v=256
Wed May 10 12:08:46 2017 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Wed May 10 12:08:46 2017 IFCONFIG POOL LIST
Wed May 10 12:08:46 2017 MULTI: TCP INIT maxclients=1024 maxevents=1028
Wed May 10 12:08:46 2017 Initialization Sequence Completed
Wed May 10 12:08:47 2017 TCP connection established with [AF_INET]xxx.xx.xx.xx:55357
Wed May 10 12:08:48 2017 xxx.xx.xx.xx:55357 TLS: Initial packet from [AF_INET]xxx.xx.xx.xx:55357, sid=55faf31c cb25e9ca
Wed May 10 12:08:48 2017 xxx.xx.xx.xx:55357 CRL CHECK OK: CN=ChangeMe
Wed May 10 12:08:48 2017 xxx.xx.xx.xx:55357 VERIFY OK: depth=1, CN=ChangeMe
Wed May 10 12:08:48 2017 xxx.xx.xx.xx:55357 CRL CHECK OK: CN=VPNClient5-1
Wed May 10 12:08:48 2017 xxx.xx.xx.xx:55357 VERIFY OK: depth=0, CN=VPNClient5-1
Wed May 10 12:08:48 2017 xxx.xx.xx.xx:55357 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed May 10 12:08:48 2017 xxx.xx.xx.xx:55357 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed May 10 12:08:48 2017 xxx.xx.xx.xx:55357 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed May 10 12:08:48 2017 xxx.xx.xx.xx:55357 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed May 10 12:08:48 2017 xxx.xx.xx.xx:55357 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed May 10 12:08:48 2017 xxx.xx.xx.xx:55357 [VPNClient5-1] Peer Connection Initiated with [AF_INET]xxx.xx.xx.xx:55357
Wed May 10 12:08:48 2017 VPNClient5-1/xxx.xx.xx.xx:55357 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Wed May 10 12:08:48 2017 VPNClient5-1/xxx.xx.xx.xx:55357 MULTI: Learn: 10.8.0.2 -> VPNClient5-1/xxx.xx.xx.xx:55357
Wed May 10 12:08:48 2017 VPNClient5-1/xxx.xx.xx.xx:55357 MULTI: primary virtual IP for VPNClient5-1/xxx.xx.xx.xx:55357: 10.8.0.2
Wed May 10 12:08:51 2017 VPNClient5-1/xxx.xx.xx.xx:55357 PUSH: Received control message: 'PUSH_REQUEST'
Wed May 10 12:08:51 2017 VPNClient5-1/xxx.xx.xx.xx:55357 send_push_reply(): safe_cap=940
Wed May 10 12:08:51 2017 VPNClient5-1/xxx.xx.xx.xx:55357 SENT CONTROL [VPNClient5-1]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 172.18.10.0 255.255.0.0 net_gateway,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0' (status=1)
Wed May 10 12:08:51 2017 TCP connection established with [AF_INET]xxx.xx.xx.xx:60561
Wed May 10 12:08:52 2017 xxx.xx.xx.xx:60561 TLS: Initial packet from [AF_INET]xxx.xx.xx.xx:60561, sid=9d595b4a 80d17372
Wed May 10 12:08:53 2017 xxx.xx.xx.xx:60561 CRL CHECK OK: CN=ChangeMe
Wed May 10 12:08:53 2017 xxx.xx.xx.xx:60561 VERIFY OK: depth=1, CN=ChangeMe
Wed May 10 12:08:53 2017 xxx.xx.xx.xx:60561 CRL CHECK OK: CN=VPNClient5-1
Wed May 10 12:08:53 2017 xxx.xx.xx.xx:60561 VERIFY OK: depth=0, CN=VPNClient5-1
Wed May 10 12:08:53 2017 xxx.xx.xx.xx:60561 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed May 10 12:08:53 2017 xxx.xx.xx.xx:60561 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed May 10 12:08:53 2017 xxx.xx.xx.xx:60561 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed May 10 12:08:53 2017 xxx.xx.xx.xx:60561 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed May 10 12:08:53 2017 xxx.xx.xx.xx:60561 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed May 10 12:08:53 2017 xxx.xx.xx.xx:60561 [VPNClient5-1] Peer Connection Initiated with [AF_INET]xxx.xx.xx.xx:60561
Wed May 10 12:08:53 2017 VPNClient5-1/xxx.xx.xx.xx:60561 MULTI_sva: pool returned IPv4=10.8.0.3, IPv6=(Not enabled)
Wed May 10 12:08:53 2017 VPNClient5-1/xxx.xx.xx.xx:60561 MULTI: Learn: 10.8.0.3 -> VPNClient5-1/xxx.xx.xx.xx:60561
Wed May 10 12:08:53 2017 VPNClient5-1/xxx.xx.xx.xx:60561 MULTI: primary virtual IP for VPNClient5-1/xxx.xx.xx.xx:60561: 10.8.0.3
Wed May 10 12:08:53 2017 VPNClient5-1/xxx.xx.xx.xx:60561 PUSH: Received control message: 'PUSH_REQUEST'
Wed May 10 12:08:53 2017 VPNClient5-1/xxx.xx.xx.xx:60561 send_push_reply(): safe_cap=940
Wed May 10 12:08:53 2017 VPNClient5-1/xxx.xx.xx.xx:60561 SENT CONTROL [VPNClient5-1]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 172.18.10.0 255.255.0.0 net_gateway,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.3 255.255.255.0' (status=1)

Client Config

client
dev tun
proto tcp
sndbuf 0
rcvbuf 0
remote xxx.xx.xx.xxx 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
setenv opt block-outside-dns
key-direction 1
verb 3

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Allow client access to his LAN

Post by TinCanTech » Wed May 10, 2017 6:18 pm

That is not the manual, that is the HOWTO. You should read it, because this is wrong:

push "route 172.18.10.0 255.255.0.0 net_gateway"  **Latest Try**
See the HOWTO and this thread.
viewtopic.php?f=4&t=24056
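
As an added illustration (not code from the thread or from the OpenVPN project), here is a small Python check over the PUSH_REPLY line from the server log above: it pulls out every pushed `route` option and verifies that the network and netmask are consistent, i.e. that the network has no host bits set, which is what is wrong with `172.18.10.0 255.255.0.0` (under a /16 mask the address is not a network address). The `/24` comparison line is constructed; the default gateway name `vpn_gateway` is taken from the OpenVPN manual's description of `--route`.

```python
import ipaddress
import re

# Server log line as posted in the thread (public addresses masked by the poster).
PUSH_REPLY_LINE = (
    "Wed May 10 12:08:51 2017 VPNClient5-1/xxx.xx.xx.xx:55357 SENT CONTROL "
    "[VPNClient5-1]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,"
    "dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,"
    "route 172.18.10.0 255.255.0.0 net_gateway,route-gateway 10.8.0.1,"
    "topology subnet,ping 10,ping-restart 120,"
    "ifconfig 10.8.0.2 255.255.255.0' (status=1)"
)


def push_options(logline):
    """Return the comma-separated option list inside the quoted PUSH_REPLY."""
    m = re.search(r"'PUSH_REPLY,(.*)'", logline)
    return m.group(1).split(",") if m else []


def check_route(option):
    """Check one 'route NET MASK [GW]' option.

    The network must have no host bits set under its netmask; otherwise the
    route is ambiguous and the mask, not the written address, decides what it
    actually covers.  Non-route options return None.
    """
    parts = option.split()
    if len(parts) < 3 or parts[0] != "route":
        return None
    network, netmask = parts[1], parts[2]
    gateway = parts[3] if len(parts) > 3 else "vpn_gateway"  # OpenVPN default
    try:
        net = ipaddress.ip_network(f"{network}/{netmask}", strict=True)
        consistent = True
    except ValueError:  # host bits set: compute what the mask really selects
        net = ipaddress.ip_network(f"{network}/{netmask}", strict=False)
        consistent = False
    return {"network": network, "netmask": netmask, "gateway": gateway,
            "consistent": consistent, "effective": str(net)}


def audit(logline):
    """Check every route the server pushed in this PUSH_REPLY line."""
    return [r for r in map(check_route, push_options(logline)) if r]


def covers(result, host):
    """True if the route's effective network contains the given host."""
    return ipaddress.ip_address(host) in ipaddress.ip_network(result["effective"])
```

For the posted line the audit flags the pushed route as inconsistent (effective network 172.18.0.0/16), while `route 172.18.10.0 255.255.255.0 net_gateway` checks out as a clean /24 containing both 172.18.10.50 and 172.18.10.105.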

D-MAN
OpenVpn Newbie
Posts: 3
Joined: Tue May 09, 2017 5:47 pm

Re: Allow client access to his LAN

Post by D-MAN » Wed May 10, 2017 6:31 pm

Okay sorry about calling it the manual.

So unfortunately the How-To and the thread linked to are talking about allowing the client access to the server's LAN. This is not quite what I'm trying to accomplish. I do appreciate the help though!

The server is a VPS with no LAN and no other computers connected to it.
The web server I'm trying to get access to is on my LAN, pre-VPN connection.

So my PC has IP: 172.18.10.105 (VPN:10.8.0.5)
Web Server on IP: 172.18.10.50
VPN VPS External IP: x.x.x.x
VPN pool = 10.8.0.0

I need to route 172 traffic locally and not over the VPN

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Allow client access to his LAN

Post by TinCanTech » Wed May 10, 2017 7:06 pm

Networking 101:
Change either your server or client LAN to something else.
