Cannot access hosts on server subnet despite static route

drbob
OpenVpn Newbie
Posts: 4
Joined: Thu Aug 17, 2017 1:00 pm

Cannot access hosts on server subnet despite static route

Post by drbob » Thu Aug 17, 2017 1:46 pm

Hi,

I'm a little stumped. In the past I've been able to access hosts behind my openVPN server by setting things up according to these instructions in the documentation.

After not needing openVPN for a while I tried to set it up again and I'm having an issue: I can ping the VPN server's local gateway router at 192.168.0.1 but no other hosts on the VPN server's network. My VPN subnet is 10.8.0.0/24, the local network of the VPN server is 192.168.0.0/24, and the local network of the client is 192.168.1.0/24.

Here is my server.conf:
server.conf
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
keepalive 10 120
comp-lzo
max-clients 3
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
Here is my client configuration:
client
mssfix 1200
client
dev tun
proto udp
remote <redacted> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca <redacted>
cert <redacted>
key <redacted>
ns-cert-type server
comp-lzo
verb 3
IP forwarding is activated on the server (it must be as I can ping the server's gateway). The router has a static route set to send traffic for VPN clients back to the VPN server:

[Image: screenshot of the router's static route configuration]

What am I doing wrong? I'm beginning to suspect a bug in my router! Any advice would be greatly appreciated.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Cannot access hosts on server subnet despite static route

Post by TinCanTech » Thu Aug 17, 2017 6:46 pm

First,
  • NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
:arrow: Never use 192.168.0.0/24 or 192.168.1.0/24 (or other common subnets) for your OpenVPN Server LAN :!:
  • You are advised to change your server LAN to a more unique RFC1918 compliant subnet.
    For example: 192.168.143.0/24
Also, ensure IP forwarding is enabled on your server.

Please see:
HOWTO: Request Help ! {2}

drbob
OpenVpn Newbie
Posts: 4
Joined: Thu Aug 17, 2017 1:00 pm

Re: Cannot access hosts on server subnet despite static route

Post by drbob » Thu Aug 17, 2017 11:14 pm

TinCanTech wrote:First,
  • NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Understood, but that is not the problem here: the server and client local subnets, whilst not ideal, are different and there is no conflict there. I may go about re-configuring them once I've resolved the issue at hand.
TinCanTech wrote: Also, ensure IP forwarding is enabled on your server
As stated in my original post, it is enabled.


# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: Cannot access hosts on server subnet despite static route

Post by Pippin » Fri Aug 18, 2017 11:23 am

Is --pull missing in Client config?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Cannot access hosts on server subnet despite static route

Post by TinCanTech » Fri Aug 18, 2017 3:11 pm

@pippin --client = --tls-client & --pull .. so no :mrgreen:

drbob
OpenVpn Newbie
Posts: 4
Joined: Thu Aug 17, 2017 1:00 pm

Re: Cannot access hosts on server subnet despite static route

Post by drbob » Fri Aug 18, 2017 6:58 pm

The router on the server's subnet is a TP-Link TD-W8968.

I can't log in to the router's web interface from the VPN client, but I do connect and get an HTTP response "403 Forbidden", which I'm guessing is because the source address is from the VPN subnet and the router is configured to only allow access to client IPs on its own local subnet. That suggests to me that the router itself is respecting the static route configuration; it's just not implementing it for packets it forwards from other LAN clients?

I'm unsure what to check next. Could firewall rules on the router be interfering? I only have a couple of port forwardings from the WAN interface set up. I don't suppose anyone reading this has experienced bugs with static routes using the TD-W8968 or other TP-Link models?

drbob
OpenVpn Newbie
Posts: 4
Joined: Thu Aug 17, 2017 1:00 pm

Re: Cannot access hosts on server subnet despite static route

Post by drbob » Fri Aug 18, 2017 7:21 pm

I manually added a static route back to the VPN server on a Linux host sitting behind the VPN server.


# ip route add 10.8.0.0/24 via 192.168.0.100
This fixed things for that host, VPN clients can talk to it. So I think I can conclude it's a problem with the router not respecting the static route setting rather than any problem with my openVPN config? I guess it's time for a new router...
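
As an added example (not drbob's or OpenVPN's own code), here is a small shell script that reads a LAN host's "ip route" output and reports whether replies to VPN clients will reach the OpenVPN server directly or depend on the router honouring its static route, emitting the same per-host route drbob added when they do not. Addresses follow the thread (10.8.0.0/24 for the VPN, server at 192.168.0.100); the sample routing tables are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenVPN: given a LAN host's
# "ip route" output, work out where that host will send replies destined for
# the VPN subnet, and emit the same per-host fix drbob applied when the router
# ignored its static route. Addresses follow the thread (10.8.0.0/24 for the
# VPN, OpenVPN server at 192.168.0.100 on the 192.168.0.0/24 LAN).

VPN_NET="10.8.0.0/24"
VPN_SERVER_LAN_IP="192.168.0.100"

# Next hop a routing table uses for VPN_NET: a specific route if present,
# otherwise the default gateway (the router, which then must honour its own
# static route). Argument 1: the routing table as text.
next_hop_for_vpn() {
    hop=$(printf '%s\n' "$1" | awk -v net="$VPN_NET" \
        '$1 == net && $2 == "via" { print $3; exit }')
    [ -n "$hop" ] || hop=$(printf '%s\n' "$1" | awk \
        '$1 == "default" && $2 == "via" { print $3; exit }')
    printf '%s\n' "$hop"
}

# Succeeds only when replies go straight to the OpenVPN server, i.e. without
# relying on the router to forward between two hosts on the same LAN segment.
return_path_ok() {
    [ "$(next_hop_for_vpn "$1")" = "$VPN_SERVER_LAN_IP" ]
}

# Prints "ok" or the command that adds the host-specific return route.
# (The alternative that touches neither hosts nor router is to NAT VPN client
# traffic behind the server's LAN address, e.g. on the server:
#   iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# at the cost of losing the real client source IP on the LAN.)
remediation_for() {
    if return_path_ok "$1"; then
        echo "ok"
    else
        echo "ip route add $VPN_NET via $VPN_SERVER_LAN_IP"
    fi
}

# Constructed sample tables for a LAN host at 192.168.0.50.
TABLE_BEFORE='default via 192.168.0.1 dev eth0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.50'
TABLE_AFTER="$TABLE_BEFORE
$VPN_NET via $VPN_SERVER_LAN_IP dev eth0"

echo "before: $(remediation_for "$TABLE_BEFORE")"
echo "after:  $(remediation_for "$TABLE_AFTER")"
```

Run it against the real table with remediation_for "$(ip route)" on a host that cannot reach VPN clients; "ok" means the host is not the problem and the router's forwarding or firewall is.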

JSG01
OpenVpn Newbie
Posts: 1
Joined: Tue Sep 25, 2018 6:19 pm

Re: Cannot access hosts on server subnet despite static route

Post by JSG01 » Tue Sep 25, 2018 6:33 pm

I solved this problem by setting up a second IP address for my router. I used the same IP range / the same subnet as the VPN configuration. Now I was able to access the web interface while I had a VPN connection. :D
