iPhone cannot see devices on LAN via VPN Server

FatTribble
OpenVpn Newbie
Posts: 3
Joined: Sat May 13, 2017 6:34 am

iPhone cannot see devices on LAN via VPN Server

Post by FatTribble » Sat May 20, 2017 1:15 pm

Router is Netgear R7800 and is flashed with DD-WRT v3.0-r31815M kongat (04/04/17).

I'm a complete novice at this so apologies for any complete ignorance.

Have configured OpenVPN Client to use with IPVanish. All traffic out going via IPVanish servers. Very happy with working that out as the guidance on IPVanish website is pants.

Have been trying to configure OpenVPN Server so when out-and-about I can access devices on my network remotely. Have managed to get it working to a point. I can connect to the router and can log into the router home page no issues. However, I cannot access any of the devices on the network. I've trawled this website and seemingly the whole of the internet, and have been unable to resolve. I can't believe that there isn't a solution out there.

Before I flashed my router, I got the Netgear stockware VPN server working, using the certificates generated by the router installed on OpenVPN client app on iPhone. I then flashed the router to DD-WRT.

The fact that I can get connected to my router with DD-WRT installed means it's working, but can't get past the router and onto the LAN. Have played around with the 'Additional config' server settings - no luck. Have played around with the Firewall Settings in Commands - more no luck. Have also set up Port Forwarding - again, no luck. I am using the same port that Netgear uses for TUN (6969). Just did that for consistency - no other real reason and could use 443 or default 1194.

Can't believe it is not impossible to get it working - Netgear have. Unfortunately, I can't get behind their GUI to see how they've configured OpenVPN Server on their router to get it to work for DD-WRT OpenVPN server. And I'm not that clever to work it out, obviously.

All my settings are pasted below. Is there anyone who can offer any suggestions?

Router LAN is set on 192.168.1.*
DHCP set for 50 clients between 192.168.1.100 to 192.168.1.149
I've set up three static leases for devices on the network that don't need to go via VPN (Sky TV box and two TVs). They have IP addresses 192.168.1.147 to 192.168.1.149
VPN network for clients is 10.1.1.*
VPN Port is 6969

VPN Server Settings are:

OpenVPN - [Enable]
Start Type [WAN Up]
Config as [Server]
Server Mode [Router (TUN)]
Encryption Cipher [AES-256-CBC]
Hash Algorithm [SHA256]
Advanced Options [Enable]
TLS Cipher [None]
LZO Compression [Yes]
Redirect default Gateway [Disable]
Allow Client to Client [Enable]
Allow duplicate cn [Disable]
Tunnel MTU Setting [1500]
Tunnel UDP Fragment [BLANK]
Tunnel UDP MSS-Fix [Disable]

This is the Additional Config...

push "dhcp-option DNS 10.1.1.1"
push "dhcp-option DOMAIN HOME"
push "route 10.1.1.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
client-to-client

This is the firewall settings....

iptables -I INPUT 1 -p udp --dport 6969 -j ACCEPT
iptables -I FORWARD 1 --source 10.1.1.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth0 -j MASQUERADE

This is the Client OVPN settings with the certificate bit deleted...(my guess this isn't where the issue is because Client can connect, but putting in for completeness and just in case I've missed something here)...

client
dev tun
prior udp
remote blahblahblah.com 6969
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>
<cert>

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----
</key>
cipher AES-256-CBC
comp-lzo
verb 5

Have now spent endless nights and now a lot of weekends trying to suss this out and finally getting to the point of admitting defeat. Have managed to get this far without asking for any help, but I think if I don't, it will defeat me completely. Any help would be gratefully appreciated (especially by she who must be obeyed and the kids......).

FatTribble
OpenVpn Newbie
Posts: 3
Joined: Sat May 13, 2017 6:34 am

Re: iPhone cannot see devices on LAN via VPN Server

Post by FatTribble » Sat May 20, 2017 2:30 pm

Sorry - can't work out how to edit posts...

Just to say that my laptop has helpfully spell checked the Client OVPN config in my first post and replaced 'proto udp' with 'prior udp'. My actual OVPN file does say 'proto udp'.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: iPhone cannot see devices on LAN via VPN Server

Post by TinCanTech » Sat May 20, 2017 3:17 pm

FatTribble wrote:The fact that I can get connected to my router with DD-WRT installed means it's working
Good.
FatTribble wrote:but can't get past the router and onto the LAN
ok.

Your LAN is identified by:
FatTribble wrote:This is the Additional Config...

push "dhcp-option DNS 10.1.1.1"          # Disable this for now
push "dhcp-option DOMAIN HOME"           # Disable this for now
push "route 10.1.1.0 255.255.255.0"      # You do not need this 
                                         # it is automatically pushed 
                                         # by the server
push "route 192.168.1.0 255.255.255.0"   # This could be a problem .. see below

Using 192.168.0.0/24 or 192.168.1.0/24 is a bad idea because it is very likely to cause routing conflicts.

You are advised to change your server LAN to a more unique RFC1918 compliant subnet.
For example: 192.168.143.0/24
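
An added example, not from the thread, that checks the pushed routes in the Additional Config above against the networks a roaming phone is likely to already be on, which is exactly the routing conflict described here. The client-side subnets are constructed guesses for typical home or cafe Wi-Fi.

```python
"""Check an OpenVPN server's pushed routes for overlap with the networks a
roaming client is already sitting on. The server config is the Additional
Config from this thread; CLIENT_SIDE_NETS is constructed sample data."""
import ipaddress
import re

# Matches lines of the form: push "route <network> <netmask>"
PUSH_ROUTE = re.compile(r'push\s+"route\s+(\S+)\s+(\S+)"')

SERVER_ADDITIONAL_CONFIG = """\
push "dhcp-option DNS 10.1.1.1"
push "dhcp-option DOMAIN HOME"
push "route 10.1.1.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
client-to-client
"""

# Constructed: subnets a phone commonly receives from someone else's Wi-Fi.
CLIENT_SIDE_NETS = ["192.168.1.0/24", "10.0.0.0/24"]


def pushed_routes(server_config):
    """Networks the server hands to clients via its push "route ..." lines."""
    return [ipaddress.ip_network(f"{net}/{mask}", strict=False)
            for net, mask in PUSH_ROUTE.findall(server_config)]


def conflicts(server_config, client_side_nets):
    """(pushed route, client-side network) pairs that overlap; for those
    addresses the phone has to choose between its local LAN and the tunnel."""
    local_nets = [ipaddress.ip_network(n) for n in client_side_nets]
    return [(str(route), str(local))
            for route in pushed_routes(server_config)
            for local in local_nets if route.overlaps(local)]


def usable_server_lan(candidate, client_side_nets):
    """True if candidate is RFC1918 and overlaps none of the client-side nets."""
    net = ipaddress.ip_network(candidate)
    return net.is_private and not any(
        net.overlaps(ipaddress.ip_network(n)) for n in client_side_nets)


if __name__ == "__main__":
    for route, local in conflicts(SERVER_ADDITIONAL_CONFIG, CLIENT_SIDE_NETS):
        print(f"pushed {route} collides with client-side {local}")
    for lan in ("192.168.1.0/24", "192.168.143.0/24"):
        ok = usable_server_lan(lan, CLIENT_SIDE_NETS)
        print(lan, "usable" if ok else "conflicts")
```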

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: iPhone cannot see devices on LAN via VPN Server

Post by TinCanTech » Sat May 20, 2017 3:21 pm

FatTribble wrote:Sorry - can't work out how to edit posts...
Don't worry about it .. OpenVPN don't allow users to edit posts due to excessive spammer abuse.

If you need a post edited for privacy, report your own post and a moderator will usually help.

FatTribble
OpenVpn Newbie
Posts: 3
Joined: Sat May 13, 2017 6:34 am

Re: iPhone cannot see devices on LAN via VPN Server

Post by FatTribble » Sat May 20, 2017 5:52 pm

No, not made any difference at all.

I've been doing some more digging and trying to emulate somebody else's set up. The connection still works, but just can't get past the router....

I've changed the VPN Network to 10.8.0.0

Additional Config now looks like this...(I'm sure somebody will tell me it's wrong in some shape or form)
Additional Config
dev tun0
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.1.103 255.255.255.255"
push "dhcp-option DNS 192.168.1.1"
push "redirect-gateway def1"

The Firewall now reads this...
Firewall
iptables -I INPUT 1 -p udp --dport 6969 -j ACCEPT
iptables -I FORWARD 1 --source 10.8.0.0/24 -j ACCEPT
iptables -I FORWARD 1 --source 10.8.0.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

You will see I put in "dev tun0" in the Additional Config, because I just happened to look at Routing Table and I spotted 10.8.0.0 was interfacing with tun2. I did wonder if that should be tun0 which is what is in my firewall settings, so I tried to amend the firewall to show "br0 -o tun2", but it didn't like it, so I put in the dev tun0 which then made it work. Assume there is some logic there??

This is the Routing Table now, if it's any use...(sorry, I think it loses its formatting into nice tidy columns)
Routing Table
Destination LAN NET   Subnet Mask       Gateway         Flags  Metric  Interface
default               0.0.0.0           172.16.14.135   UG     0       ppp0
10.8.0.0              255.255.255.0     *               U      0       tun0
169.254.0.0           255.255.0.0       *               U      0       LAN & WLAN
172.16.14.135         255.255.255.255   *               UH     0       ppp0
172.21.34.0           255.255.254.0     *               U      0       tun1
192.168.1.0           255.255.255.0     *               U      0       LAN & WLAN

Yes, I guess I'm just stabbing in the dark, but there is surprisingly zilch proper guidance so just trying to work it out. How difficult can it really be?
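
An added example, not from the thread, that does a longest-prefix lookup over the routing table pasted above and checks that the iptables FORWARD rules name the same tunnel interface that actually carries the VPN subnet, which is the tun0-versus-tun2 question in this post. The routing table and firewall lines are the poster's; that DD-WRT prints the br0 bridge as "LAN & WLAN" in its table is an assumption.

```python
"""Longest-prefix route lookup over a DD-WRT routing table dump and a check
that the FORWARD rules allow the tunnel interface the VPN route really uses.
Data below is copied from the thread; "LAN & WLAN" standing for br0 is assumed."""
import ipaddress
import re

ROUTING_TABLE = """\
default 0.0.0.0 172.16.14.135 UG 0 ppp0
10.8.0.0 255.255.255.0 * U 0 tun0
169.254.0.0 255.255.0.0 * U 0 LAN & WLAN
172.16.14.135 255.255.255.255 * UH 0 ppp0
172.21.34.0 255.255.254.0 * U 0 tun1
192.168.1.0 255.255.255.0 * U 0 LAN & WLAN
"""

FIREWALL_RULES = [
    "iptables -I FORWARD -i br0 -o tun0 -j ACCEPT",
    "iptables -I FORWARD -i tun0 -o br0 -j ACCEPT",
]


def parse_routes(text):
    """Return [(network, interface)] from 'dest mask gateway flags metric iface'."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        dest, mask, iface = parts[0], parts[1], " ".join(parts[5:])
        net = (ipaddress.ip_network("0.0.0.0/0") if dest == "default"
               else ipaddress.ip_network(f"{dest}/{mask}", strict=False))
        routes.append((net, iface))
    return routes


def egress_iface(routes, dst):
    """Interface the kernel picks for dst: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def forward_tun_ifaces(rules):
    """tun interfaces named by -i/-o in the FORWARD rules."""
    text = "\n".join(r for r in rules if " FORWARD " in r)
    return set(re.findall(r"-[io]\s+(tun\d+)", text))


def firewall_matches_route(routes, vpn_subnet, rules):
    """True when the interface routing the VPN subnet is one FORWARD allows."""
    probe = str(next(ipaddress.ip_network(vpn_subnet).hosts()))
    return egress_iface(routes, probe) in forward_tun_ifaces(rules)
```

If the table shows the VPN subnet on tun2 while the rules only mention tun0, the check returns False, which is the mismatch the poster worked around with "dev tun0".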
