[Solved] Allow OpenVPN server access the machines from client-side LAN

Samples of working configurations.
juanpablo
OpenVpn Newbie
Posts: 9
Joined: Sun Mar 08, 2015 10:04 am

[Solved] Allow OpenVPN server access the machines from client-side LAN

Postby juanpablo » Thu May 12, 2016 7:12 am

Hello guys,

I'm stumped and I'm requesting for assistance.

My goal is to allow OpenVPN server to access the rest of the machines in "remote" LAN through the client.

Could you please point me in the right direction?

Ping Tests

OpenVPN Server to Client

Code: Select all

[root@openvpn-server ~]# ping -c 3 192.168.16.150
PING 192.168.16.150 (192.168.16.150) 56(84) bytes of data.
64 bytes from 192.168.16.150: icmp_seq=1 ttl=64 time=70.8 ms
64 bytes from 192.168.16.150: icmp_seq=2 ttl=64 time=63.6 ms
64 bytes from 192.168.16.150: icmp_seq=3 ttl=64 time=69.7 ms

--- 192.168.16.150 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2073ms
rtt min/avg/max/mdev = 63.656/68.091/70.820/3.171 ms
[root@openvpn-server ~]# ping -c 3 172.16.0.253
PING 172.16.0.253 (172.16.0.253) 56(84) bytes of data.
64 bytes from 172.16.0.253: icmp_seq=1 ttl=64 time=68.8 ms
64 bytes from 172.16.0.253: icmp_seq=2 ttl=64 time=64.1 ms
64 bytes from 172.16.0.253: icmp_seq=3 ttl=64 time=66.2 ms

--- 172.16.0.253 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2069ms
rtt min/avg/max/mdev = 64.177/66.434/68.860/1.938 ms
[root@openvpn-server ~]#


Client to OpenVPN Server

Code: Select all

root@raspberrypi:~# ping -c 3 10.0.0.5
PING 10.0.0.5 (10.0.0.5) 56(84) bytes of data.
64 bytes from 10.0.0.5: icmp_seq=1 ttl=255 time=67.8 ms
64 bytes from 10.0.0.5: icmp_seq=2 ttl=255 time=68.2 ms
64 bytes from 10.0.0.5: icmp_seq=3 ttl=255 time=65.4 ms

--- 10.0.0.5 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 65.434/67.187/68.239/1.265 ms
root@openvpn-client:~# ping -c 3 172.16.0.1
PING 172.16.0.1 (172.16.0.1) 56(84) bytes of data.
64 bytes from 172.16.0.1: icmp_seq=1 ttl=255 time=69.3 ms
64 bytes from 172.16.0.1: icmp_seq=2 ttl=255 time=99.3 ms
64 bytes from 172.16.0.1: icmp_seq=3 ttl=255 time=86.3 ms

--- 172.16.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 69.388/85.051/99.373/12.277 ms
root@openvpn-client:~#


OpenVPN Server to machine in LAN

Code: Select all

[root@openvpn-server ~]# ping -c 3 192.168.16.214
PING 192.168.16.214 (192.168.16.214) 56(84) bytes of data.

--- 192.168.16.214 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 11999ms

[root@openvpn-server ~]#


Client to machine in LAN

Code: Select all

root@raspberrypi:~# ping -c 3 192.168.16.214
PING 192.168.16.214 (192.168.16.214) 56(84) bytes of data.
64 bytes from 192.168.16.214: icmp_seq=1 ttl=64 time=0.447 ms
64 bytes from 192.168.16.214: icmp_seq=2 ttl=64 time=0.521 ms
64 bytes from 192.168.16.214: icmp_seq=3 ttl=64 time=0.523 ms

--- 192.168.16.214 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 0.447/0.497/0.523/0.035 ms
root@raspberrypi:~#


Machine in LAN to OpenVPN Server

Code: Select all

[root@ps2_srva ~]# ping -c 3 172.16.0.1
PING 172.16.0.1 (172.16.0.1) 56(84) bytes of data.

--- 172.16.0.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 11999ms

[root@ps2_srva ~]#


Machine in LAN to Client

Code: Select all

[root@ps2_srva ~]# ping -c 3 172.16.0.253
PING 172.16.0.253 (172.16.0.253) 56(84) bytes of data.
64 bytes from 172.16.0.253: icmp_seq=1 ttl=64 time=0.526 ms
64 bytes from 172.16.0.253: icmp_seq=2 ttl=64 time=0.502 ms
64 bytes from 172.16.0.253: icmp_seq=3 ttl=64 time=0.516 ms

--- 172.16.0.253 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.502/0.514/0.526/0.027 ms
:[root@ps2_srva ~]#


IP and Routing Table

OpenVPN Server

Code: Select all

eth0 - ip: 10.0.0.5   mask: 255.255.255.0
tun0 - ip: 172.16.0.1 mask: 255.255.255.0


Code: Select all

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.169.254 0.0.0.0         255.255.255.255 UH    0      0        0 eth0
172.16.0.0      0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.16.0    172.16.0.2      255.255.255.0   UG    0      0        0 tun0


Client

Code: Select all

eth0 - ip: 192.168.16.150 mask: 255.255.255.0
tun0 - ip: 172.16.0.253   mask: 255.255.255.0


Code: Select all

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.16.0.1      128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.16.254  0.0.0.0         UG    0      0        0 eth0
0.0.0.0         192.168.16.254  0.0.0.0         UG    202    0        0 eth0
10.0.0.0        172.16.0.1      255.255.255.0   UG    0      0        0 tun0
5x.xx.xx.xx     192.168.16.254  255.255.255.255 UGH   0      0        0 eth0
128.0.0.0       172.16.0.1      128.0.0.0       UG    0      0        0 tun0
172.16.0.0      0.0.0.0         255.240.0.0     U     0      0        0 tun0
192.168.16.0    0.0.0.0         255.255.255.0   U     202    0        0 eth0


Machine in LAN

Code: Select all

bond0 - ip: 192.168.16.214 mask: 255.255.255.0


Code: Select all

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.0.0      192.168.16.150  255.255.255.0   UG    0      0        0 bond0
192.168.16.0    0.0.0.0         255.255.255.0   U     0      0        0 bond0
192.168.254.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
169.254.0.0     0.0.0.0         255.255.0.0     U     1004   0        0 bond0
0.0.0.0         192.168.16.254  0.0.0.0         UG    0      0        0 bond0


OpenVPN Configurations

server.conf
port 1194
proto udp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
server 172.16.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
topology subnet
route 192.168.16.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
keepalive 1 5
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
cipher AES-256-CBC
crl-verify crl.pem
client-config-dir ccd


ccd client
ifconfig-push 172.16.0.253 172.16.0.254
push "route 10.0.0.0 255.255.255.0"
iroute 192.168.16.0 255.255.255.0


client.conf
client
dev tun
proto udp
remote 5x.xx.xx.xx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
cipher AES-256-CBC
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>


Thanks,
juanpablo

TiTex
OpenVPN Power User
Posts: 186
Joined: Tue Apr 12, 2011 6:22 am

Re: Allow OpenVPN server access the machines from client-side LAN

Postby TiTex » Thu May 12, 2016 7:20 am

you will need to add a static route on client side LAN machine to 172.16.0.0 255.255.255.0 via openvpn client , or add the static route directly to the client side LAN router , that way all the openvpn client LAN will know where to send network traffic for 172.16.0.0/24

also enable ip_forward in you openvpn client machine

juanpablo
OpenVpn Newbie
Posts: 9
Joined: Sun Mar 08, 2015 10:04 am

Re: Allow OpenVPN server access the machines from client-side LAN

Postby juanpablo » Thu May 12, 2016 7:38 am

Hello Titex,

Wow, that was really helpful! I can't believe I missed that!

Here's what I did just in case somebody encounters the same issue:

On my OpenVPN client:
1. vi /etc/sysctl.conf
2. Uncomment: net.ipv4.ip_forward=1
3. Save then exit
4. sysctl -p /etc/sysctl.conf

On my LAN machine:
1. route add -net 172.16.0.0/24 gw 192.168.16.150

Thanks again, Titex!

Cheers,
juanpablo


Return to “Examples”

Who is online

Users browsing this forum: No registered users and 2 guests