Page 1 of 1

help setup OpenVPN server on secondary network (double nat)

Posted: Tue Jul 11, 2017 3:33 pm
by jackal992
Hi!

I have a small "problem" in my OpenVPN setup, and I'd like to understand whether the thing that I consider a problem is actually an error somewhere in my configuration of the OpenVPN server or if this is how it is supposed to work. I'll describe very briefly my home setup.

I have two separate networks, let's say the main one is controlled by a modem/router (given by my isp), the second one is obviously controlled by another router. (Please note that I want the networks to be separated, this is the reason why I'm not using the second router as a switch or the primary router in bridge mode....). The secondary router is connected LAN-to-WAN, so I have a double NAT. Obviously when I'm connected to the second network I can reach the devices in the first network, while vice versa I cannot access the secondary network when I'm connected to the main network because I haven't set any static route towards the secondary router (besides even if I wanted to that crappy modem/router provided by my isp doesn't allow that).

My main network is a 192.168.1.0/24, with main router 192.168.1.254, the 192.168.1.1 address is reserved for my second router. The secondary network is a 192.168.0.0/24 with the second router being 192.168.0.1. I know that these ranges of IPs are not suggested for the well known reasons, but in my situation I know I won't have any IP conflict knowing the addresses I have on "the other side" of the vpn connection.

Now the OpenVPN part: my OpenVPN server is hosted on the secondary router itself (IP 192.168.0.1). I have forwarded the UDP port 1194 from my main router to the ip 192.168.1.1 of the secondary router. I setup my server and clients and everything seems to be working. When I connect to the VPN I receive my correct home public IP address, I can browse the internet, I can ping the OpenVPN server 10.8.0.1.
What bothers me, is that I can ping all the devices on the primary network too, so all the 192.168.1.x devices, while I cannot ping any device on the secondary network where the OpenVPN server itself is hosted (192.168.0.x). I thought that connecting to the VPN meant to be "virtually" connected to the network of the OpenVPN server, but again, maybe here I'm wrong, it's my first time dealing with a VPN, and probably I misunderstood something. So my question is, is it normal that, once connected to the VPN, I'm virtually connected to the primary network? I'd like to connect to the secondary network, is it possible or with my "dual network" setup it is impossible?

My OpenVPN server setup has the following parameters as "push parametrs":
"192.168.0.0 255.255.255.0"
"dhcp-option DNS 10.8.0.1"
"redirect-gateway autolocal def1"

Is my problem due to an error in the parameters above?
Or maybe it is due to the lack of static routes between my first and secondary network?
Or what I want is just simply impossible? :)


Thank you very much!!


[OFF-TOPIC (but related) question]
Would it be possible to connect a third router (with static routes capabilities) as a switch to the first router (so LAN-to LAN, since I don't want to set the first router as a bridge and lose its routing capabilities) and setup the static route from the primary network to the secondary network there on the third router/switch (since the primary router does not allow the setting of static routes)? Would it work to make the second network visible to the first?

Thank you again!

Re: help setup OpenVPN server on secondary network (double nat)

Posted: Sat Jul 15, 2017 5:35 am
by ADFHAU
So you have innermost network, 192.168.0/24, and on the router that manages this subnet, you run OpenVPN. It's "external" interface is 192.168.1.1.
The next network out, 192.168.1/24, on the ISP provided sh**box (aren't they all? :) )
Then the public internet.
So what IP range is your VPN handing out to clients? From reading, it seems to be 10.8.0/24?
All traffic appears to be being routed over the VPN to what the innermost, VPN router considers to be "the internet", including the intermediate network between innermost router, and the internet.

Is there a route, on the innermost router, between 10.8.0/24 and 192.168.0/24?
It sounds like there's a default route for 10.8.0/24 out to the "internet" (intermediate network), but not to the innermost LAN.
This needs to happen on the router as that's where the packets go through.

tl;dr It feels like the OpenVPN server is configured in such a way that it blocks "local" access and only allows clients to connect out to the internet.

Re: help setup OpenVPN server on secondary network (double nat)

Posted: Mon Jul 17, 2017 10:25 pm
by jackal992
Thank you very much for you reply ADFHAU!

You described the network perfectly! ;)
Your guess about the VPN network is correct, it is a 10.8.0.0/24.

I agree with you, probably the OpenVPN server blocks the LAN access, for this reason I also tried without success to enable the "Client to Client Communication"...

When you speak about a route between 10.8.0.0/24 and 192.168.0.0/24 you mean a route in the OpenVPN server settings (in the push parameters maybe?), or in the router (VPN host) static routes? I'm hopeful you spotted the problem, because I don't have the aforementioned route...

Thank you very much!

Re: help setup OpenVPN server on secondary network (double nat)

Posted: Wed Mar 25, 2020 4:03 am
by urp
I have similar issue and want to configure exactly the same thing. However, I am not able to reach the network via VPN. I have had this running perfectly. With previous ISP. I could setup a perfect bridge mode with ISP router and my AirPort extreme as main router. However, with new router I can only do passthrough and it drops the net connection. So I want to keep both routers running with double NAT. ISP doesn't encourage to run own VPN and route the traffic

Primary router (ISP) -

Device IPv4 Address 192.168.1.254
DHCPv4 Netmask 255.255.255.0
DHCPv4 Start Address 192.168.1.64
DHCPv4 End Address 192.168.1.253

Secondary router (Airport Extreme)
IP Address 10.0.1.1
DHCP Range 10.0.1.21 to 10.0.1.200
VPN configuration on the router
Private IP address 10.0.1.2

OpenVPN is running on Ubuntu
IP of the machine : 10.0.1.2

What do I need to change ?

Thank you in advance