Okay I know this is probably asked a lot, but I couldn't find any help that worked... Sorry if it's a repeat!
VPS Ubuntu 16 running openVPN
Client Running Windows 10
Client can connect to VPN and all Internet traffic is routed appropriately.
Client wants to connect to a locally hosted web server at 172.18.10.50 while still connected to the remote VPN, but receives a connection timeout.
Tried the following in server.conf: push "route 172.10.10.0 255.255.0.0 net_gateway"
Tried adding following to client.ovpn config file: route 172.10.10.0 255.255.0.0 net_gateway
No luck.
Advice?
Allow client access to his LAN
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
OpenVPN Protagonist (Posts: 11137, Joined: Fri Jun 03, 2016 1:17 pm)
OpenVpn Newbie (Posts: 3, Joined: Tue May 09, 2017 5:47 pm)
Re: Allow client access to his LAN
Thank you for the RTFM suggestion, but I don't quite see how this applies. This part of the manual suggests allowing others on the Client LAN access to the VPN. Instead I'm looking for Client to be able to access VPN for Internet and leave a connection open to a local server on the local LAN that doesn't go through VPN. Sorry if I RTFM wrong. Perhaps I'm missing something.
Thanks in advance!
Server Config:
Code:
port 443
proto tcp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# **Latest Try**
push "route 172.18.10.0 255.255.0.0 net_gateway"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
duplicate-cn
Server Log
Code:
Wed May 10 12:08:46 2017 OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb 2 2016
Wed May 10 12:08:46 2017 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Wed May 10 12:08:46 2017 WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
Wed May 10 12:08:46 2017 Diffie-Hellman initialized with 2048 bit key
Wed May 10 12:08:46 2017 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Wed May 10 12:08:46 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed May 10 12:08:46 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed May 10 12:08:46 2017 Socket Buffers: R=[87380->87380] S=[16384->16384]
Wed May 10 12:08:46 2017 TUN/TAP device tun0 opened
Wed May 10 12:08:46 2017 TUN/TAP TX queue length set to 100
Wed May 10 12:08:46 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed May 10 12:08:46 2017 /sbin/ip link set dev tun0 up mtu 1500
Wed May 10 12:08:46 2017 /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Wed May 10 12:08:46 2017 GID set to nogroup
Wed May 10 12:08:46 2017 UID set to nobody
Wed May 10 12:08:46 2017 Listening for incoming TCP connection on [undef]
Wed May 10 12:08:46 2017 TCPv4_SERVER link local (bound): [undef]
Wed May 10 12:08:46 2017 TCPv4_SERVER link remote: [undef]
Wed May 10 12:08:46 2017 MULTI: multi_init called, r=256 v=256
Wed May 10 12:08:46 2017 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Wed May 10 12:08:46 2017 IFCONFIG POOL LIST
Wed May 10 12:08:46 2017 MULTI: TCP INIT maxclients=1024 maxevents=1028
Wed May 10 12:08:46 2017 Initialization Sequence Completed
Wed May 10 12:08:47 2017 TCP connection established with [AF_INET]xxx.xx.xx.xx:55357
Wed May 10 12:08:48 2017 xxx.xx.xx.xx:55357 TLS: Initial packet from [AF_INET]xxx.xx.xx.xx:55357, sid=55faf31c cb25e9ca
Wed May 10 12:08:48 2017 xxx.xx.xx.xx:55357 CRL CHECK OK: CN=ChangeMe
Wed May 10 12:08:48 2017 xxx.xx.xx.xx:55357 VERIFY OK: depth=1, CN=ChangeMe
Wed May 10 12:08:48 2017 xxx.xx.xx.xx:55357 CRL CHECK OK: CN=VPNClient5-1
Wed May 10 12:08:48 2017 xxx.xx.xx.xx:55357 VERIFY OK: depth=0, CN=VPNClient5-1
Wed May 10 12:08:48 2017 xxx.xx.xx.xx:55357 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed May 10 12:08:48 2017 xxx.xx.xx.xx:55357 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed May 10 12:08:48 2017 xxx.xx.xx.xx:55357 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed May 10 12:08:48 2017 xxx.xx.xx.xx:55357 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed May 10 12:08:48 2017 xxx.xx.xx.xx:55357 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed May 10 12:08:48 2017 xxx.xx.xx.xx:55357 [VPNClient5-1] Peer Connection Initiated with [AF_INET]xxx.xx.xx.xx:55357
Wed May 10 12:08:48 2017 VPNClient5-1/xxx.xx.xx.xx:55357 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Wed May 10 12:08:48 2017 VPNClient5-1/xxx.xx.xx.xx:55357 MULTI: Learn: 10.8.0.2 -> VPNClient5-1/xxx.xx.xx.xx:55357
Wed May 10 12:08:48 2017 VPNClient5-1/xxx.xx.xx.xx:55357 MULTI: primary virtual IP for VPNClient5-1/xxx.xx.xx.xx:55357: 10.8.0.2
Wed May 10 12:08:51 2017 VPNClient5-1/xxx.xx.xx.xx:55357 PUSH: Received control message: 'PUSH_REQUEST'
Wed May 10 12:08:51 2017 VPNClient5-1/xxx.xx.xx.xx:55357 send_push_reply(): safe_cap=940
Wed May 10 12:08:51 2017 VPNClient5-1/xxx.xx.xx.xx:55357 SENT CONTROL [VPNClient5-1]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 172.18.10.0 255.255.0.0 net_gateway,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0' (status=1)
Wed May 10 12:08:51 2017 TCP connection established with [AF_INET]xxx.xx.xx.xx:60561
Wed May 10 12:08:52 2017 xxx.xx.xx.xx:60561 TLS: Initial packet from [AF_INET]xxx.xx.xx.xx:60561, sid=9d595b4a 80d17372
Wed May 10 12:08:53 2017 xxx.xx.xx.xx:60561 CRL CHECK OK: CN=ChangeMe
Wed May 10 12:08:53 2017 xxx.xx.xx.xx:60561 VERIFY OK: depth=1, CN=ChangeMe
Wed May 10 12:08:53 2017 xxx.xx.xx.xx:60561 CRL CHECK OK: CN=VPNClient5-1
Wed May 10 12:08:53 2017 xxx.xx.xx.xx:60561 VERIFY OK: depth=0, CN=VPNClient5-1
Wed May 10 12:08:53 2017 xxx.xx.xx.xx:60561 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed May 10 12:08:53 2017 xxx.xx.xx.xx:60561 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed May 10 12:08:53 2017 xxx.xx.xx.xx:60561 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed May 10 12:08:53 2017 xxx.xx.xx.xx:60561 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed May 10 12:08:53 2017 xxx.xx.xx.xx:60561 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed May 10 12:08:53 2017 xxx.xx.xx.xx:60561 [VPNClient5-1] Peer Connection Initiated with [AF_INET]xxx.xx.xx.xx:60561
Wed May 10 12:08:53 2017 VPNClient5-1/xxx.xx.xx.xx:60561 MULTI_sva: pool returned IPv4=10.8.0.3, IPv6=(Not enabled)
Wed May 10 12:08:53 2017 VPNClient5-1/xxx.xx.xx.xx:60561 MULTI: Learn: 10.8.0.3 -> VPNClient5-1/xxx.xx.xx.xx:60561
Wed May 10 12:08:53 2017 VPNClient5-1/xxx.xx.xx.xx:60561 MULTI: primary virtual IP for VPNClient5-1/xxx.xx.xx.xx:60561: 10.8.0.3
Wed May 10 12:08:53 2017 VPNClient5-1/xxx.xx.xx.xx:60561 PUSH: Received control message: 'PUSH_REQUEST'
Wed May 10 12:08:53 2017 VPNClient5-1/xxx.xx.xx.xx:60561 send_push_reply(): safe_cap=940
Wed May 10 12:08:53 2017 VPNClient5-1/xxx.xx.xx.xx:60561 SENT CONTROL [VPNClient5-1]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 172.18.10.0 255.255.0.0 net_gateway,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.3 255.255.255.0' (status=1)
Client Config
Code:
client
dev tun
proto tcp
sndbuf 0
rcvbuf 0
remote xxx.xx.xx.xxx 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
setenv opt block-outside-dns
key-direction 1
verb 3
OpenVPN Protagonist (Posts: 11137, Joined: Fri Jun 03, 2016 1:17 pm)
Re: Allow client access to his LAN
That is not the manual, that is the HOWTO .. you should read it, because this is wrong:
Code:
push "route 172.18.10.0 255.255.0.0 net_gateway" **Latest Try**
See the HOWTO and this thread:
viewtopic.php?f=4&t=24056
OpenVpn Newbie (Posts: 3, Joined: Tue May 09, 2017 5:47 pm)
Re: Allow client access to his LAN
Okay sorry about calling it the manual.
So unfortunately the How-To and the thread linked to are talking about allowing the client access to the server's LAN. This is not quite what I'm trying to accomplish. I do appreciate the help though!
The server is a VPS with no LAN and no other computers connected to it.
The web server I'm trying to get access to is on my LAN, pre-VPN connection.
So my PC has IP: 172.18.10.105 (VPN:10.8.0.5)
Web Server on IP: 172.18.10.50
VPN VPS External IP: x.x.x.x
VPN pool = 10.8.0.0
I need to route 172 traffic locally and not over the VPN
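As an added illustration, not code from the thread or from the OpenVPN project, the following Python models the routing table a client ends up with after the PUSH_REPLY shown in the server log (redirect-gateway def1 plus a net_gateway route) and resolves destinations by longest-prefix match. It also shows why the attempted route fails: 172.18.10.0 with mask 255.255.0.0 has host bits set and is not a valid network, whereas the /24 form sends 172.18.10.50 out the physical NIC and everything else through the tunnel. The VPS address 203.0.113.10 is a constructed placeholder for the redacted xxx.xx.xx.xx.

```python
import ipaddress
import shlex

# Constructed placeholders (not from the thread): the VPS public address the log
# redacts as xxx.xx.xx.xx, and the poster's LAN (PC .105, web server .50).
VPN_SERVER = "203.0.113.10"
LOCAL_LAN = "172.18.10.0/24"

def parse_route(directive):
    """Parse 'route NET MASK [GW]', also inside push "...", into (network, gateway).
    strict=True rejects a NET with host bits set for MASK, which is exactly what
    is wrong with 172.18.10.0 255.255.0.0 in the configs above."""
    tokens = shlex.split(directive)
    if tokens and tokens[0] == "push":
        tokens = shlex.split(tokens[1])
    if len(tokens) < 3 or tokens[0] != "route":
        raise ValueError("not a route directive: %r" % directive)
    net = ipaddress.IPv4Network((tokens[1], tokens[2]), strict=True)
    gateway = tokens[3] if len(tokens) > 3 else "vpn_gateway"
    return net, gateway

def check_route(directive):
    """Return None when the directive is well-formed, else the reason it is not."""
    try:
        parse_route(directive)
    except ValueError as exc:
        return str(exc)
    return None

def client_routing_table(pushed_routes):
    """Routes the client holds after 'redirect-gateway def1': the on-link LAN,
    a host route to the VPN server via the LAN gateway, the two def1 halves
    (0/1 and 128/1) via the tunnel, the original default, plus pushed routes."""
    table = [
        (ipaddress.IPv4Network(LOCAL_LAN), "local"),
        (ipaddress.IPv4Network(VPN_SERVER + "/32"), "local"),
        (ipaddress.IPv4Network("0.0.0.0/1"), "vpn"),
        (ipaddress.IPv4Network("128.0.0.0/1"), "vpn"),
        (ipaddress.IPv4Network("0.0.0.0/0"), "local"),
    ]
    for directive in pushed_routes:
        net, gateway = parse_route(directive)
        table.append((net, "local" if gateway == "net_gateway" else "vpn"))
    return table

def next_hop(table, destination):
    """Longest-prefix match: 'local' (physical NIC) or 'vpn' (tun adapter)."""
    addr = ipaddress.IPv4Address(destination)
    matches = [entry for entry in table if addr in entry[0]]
    return max(matches, key=lambda entry: entry[0].prefixlen)[1]
```

Note that with def1 the on-link /24 already beats the two /1 halves, so the LAN route alone keeps 172.18.10.50 off the tunnel; the pushed net_gateway route only matters for networks the client is not directly attached to.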
OpenVPN Protagonist (Posts: 11137, Joined: Fri Jun 03, 2016 1:17 pm)
Re: Allow client access to his LAN
Networking 101:
Change either your server or client LAN to something else.