Remote clients can access resources on the OVPN server and also access main router, but cannot access other LAN clients.

xh43k
OpenVpn Newbie
Posts: 19
Joined: Tue Jun 09, 2020 8:55 pm

Post by xh43k » Wed Jun 10, 2020 7:59 pm

As mentioned in the subject, I am facing a new problem.

I am able to ping device with IP 10.100.0.10, but I am unable to access it via http/https web administration, it does not load.
I can also access web administration of the router with IP 10.100.0.1 from the tunnel

Here is rough topology pic:
Image

Now.. I've done I think everything I found on random guides on the internet that were supposed to solve this problem.
1. Added push "route 10.100.0.0 255.255.255.0" in the server config, so the remote client (my PC) knows where to route this seemingly unknown network when trying to access it.
2. Added this routing to the cisco router that serves as default GW for the LAN on remote site, so clients from LAN can also with help of default GW route traffic back to the server where openvpn is running:
Image
3. Added firewall rule on the router to allow traffic from openvpn range 10.100.0.0/24 towards LAN
Image
4. Enabled IP routing in registry on the server as well as on both interfaces (ethernet and TAP interface) of course the server was rebooted
5. Even tried creating windows firewall rule to allow bidirectional communication between both ranges (10.100.0.0/24 <-> 10.100.1.0/24)

I am honestly just lost now, no idea what to do next.

This is my server config right now, I also tried enabling the topology subnet but it changed nothing in the situation..
Server Config
port 1195
proto udp4
dev tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh2048.pem"
crl-verify "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\crl.pem"
;topology subnet
server 10.100.1.0 255.255.255.0
push "route 10.100.0.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
persist-key
persist-tun
status "C:\\Program Files\\OpenVPN\\log\\openvpn-status.log"
verb 3
explicit-exit-notify 1

TinCanTech
OpenVPN Protagonist
Posts: 7389
Joined: Fri Jun 03, 2016 1:17 pm

Post by TinCanTech » Wed Jun 10, 2020 8:03 pm

xh43k wrote:
Wed Jun 10, 2020 7:59 pm
no idea what to do next
Try disabling ALL related Windblows firewalls.

Post by xh43k » Wed Jun 10, 2020 8:20 pm

TinCanTech wrote:
Wed Jun 10, 2020 8:03 pm
xh43k wrote:
Wed Jun 10, 2020 7:59 pm
no idea what to do next
Try disabling ALL related Windblows firewalls.
I tried disabling firewall for all three types of networks (private, public and AD) completely, still nothing.

Pippin
Forum Team
Posts: 799
Joined: Wed Jul 01, 2015 8:03 am

Post by Pippin » Wed Jun 10, 2020 8:25 pm

I am able to ping device with IP 10.100.0.10, but I am unable to access it via http/https web administration, it does not load.
I can also access web administration of the router with IP 10.100.0.1 from the tunnel
So, only http/s doesn't work?
Check the web server...
Tried other protocols?

Also try adding

mssfix 1400
to the client config.

Post by Pippin » Wed Jun 10, 2020 8:28 pm

Forgot this,
I also tried enabling the topology subnet
Do yourself a favour and enable it.

Post by xh43k » Wed Jun 10, 2020 8:30 pm

Pippin wrote:
Wed Jun 10, 2020 8:25 pm
I am able to ping device with IP 10.100.0.10, but I am unable to access it via http/https web administration, it does not load.
I can also access web administration of the router with IP 10.100.0.1 from the tunnel
So, only http/s doesn't work?
Check the web server...
Tried other protocols?

Also try adding

mssfix 1400
to the client config.
I did not try other protocols, since the devices I am trying to access are web interfaces of access point and a printer
I can ping the printer with IP .10 but cannot access web interface (https).

btw, I read that topology subnet is the new default, so no point trying to enable it, it is enabled by default.
But just in case, I already tried setting "topology subnet" in config file.. still didn't solve the problem.

Post by Pippin » Wed Jun 10, 2020 8:33 pm

I read that topology subnet is the new default,
Right.
so no point trying to enable it, it is enabled by default.
Not right.

Post by xh43k » Wed Jun 10, 2020 8:37 pm

Pippin wrote:
Wed Jun 10, 2020 8:33 pm
I read that topology subnet is the new default,
Right.
so no point trying to enable it, it is enabled by default.
Not right.
? If it's the new default, and I don't specify topology setting... isn't subnet setting used automatically ?

Anyway, I tried with and without topology subnet and there was literally no change, so the problem persists.

Might help to try to switch from udp4 to tcp4 ? Or from tun to tap ?
I do not want to use bloated tap however even tho it might fix all the problems.

Post by TinCanTech » Wed Jun 10, 2020 8:45 pm

xh43k wrote:
Wed Jun 10, 2020 7:59 pm
I've done I think everything I found on random guides on the internet that were supposed to solve this problem
:roll:

Please see the official howto, which can be found here:
viewtopic.php?f=30&t=22603

Post by Pippin » Wed Jun 10, 2020 8:54 pm

isn't subnet setting used automatically ?
That could potentially break existing setups, so no.
https://community.openvpn.net/openvpn/wiki/Topology

Forget about TAP, find and fix the problem.
TinCanTech wrote:
Wed Jun 10, 2020 8:45 pm
xh43k wrote:
Wed Jun 10, 2020 7:59 pm
I've done I think everything I found on random guides on the internet that were supposed to solve this problem
:roll:
That just won't die :)

Post by TinCanTech » Wed Jun 10, 2020 9:02 pm

Pippin wrote:
Wed Jun 10, 2020 8:54 pm
TinCanTech wrote:
Wed Jun 10, 2020 8:45 pm
xh43k wrote:
Wed Jun 10, 2020 7:59 pm
I've done I think everything I found on random guides on the internet that were supposed to solve this problem
:roll:
That just won't die :)
At least @xh43k had the balls to state it 8-)
xh43k wrote:
Wed Jun 10, 2020 7:59 pm
Added this routing to the cisco router
maybe you did this incorrectly ..

Post by xh43k » Wed Jun 10, 2020 9:22 pm

TinCanTech wrote:
Wed Jun 10, 2020 9:02 pm
Pippin wrote:
Wed Jun 10, 2020 8:54 pm
TinCanTech wrote:
Wed Jun 10, 2020 8:45 pm
:roll:
That just won't die :)
At least @xh43k had the balls to state it 8-)
xh43k wrote:
Wed Jun 10, 2020 7:59 pm
Added this routing to the cisco router
maybe you did this incorrectly ..
How incorrectly ? I posted the routing setup here so if you see something wrong just tell me.

The cisco router is acting as a default gw for the whole 10.100.0.0/24 network so it makes sense to set up this routing there.

Also, unfortunately, when you google something in relation to openvpn, it doesn't show these forums on first pages, so naturally, people look for those random guides first.. maybe it's time to somehow optimize seo of the forums, idk.

Post by Pippin » Wed Jun 10, 2020 9:33 pm

According to info posted config looks correct and routing works since ping to LAN device is ok if that was done from client to LAN device.
Windows, I don't know...

Did you try

mssfix 1400
?

Can you open https://duckduckgo.com while connected?

Post by xh43k » Wed Jun 10, 2020 9:41 pm

Pippin wrote:
Wed Jun 10, 2020 9:33 pm
According to info posted config looks correct and routing works since ping to LAN device is ok if that was done from client to LAN device.
Windows, I don't know...

Did you try

mssfix 1400
?

Can you open https://duckduckgo.com while connected?
I am accessing internet locally since I am in split tunnel configuration.
Yes the routing and ip forwarding obviously works due to ping working.. I will try the mssfix first thing tomorrow.
I am connecting over pppoe connection (ADSL) here and my mtu on the router and connected devices is therefore 1492
So, what would be the max optimal mssfix value ? I also tried googling this but as usual, so much conflicting information on various sites..
I could simply try 1400 but I want to have optimal connection with as much effectiveness as possible.

Post by TinCanTech » Wed Jun 10, 2020 9:51 pm

xh43k wrote:
Wed Jun 10, 2020 9:22 pm
TinCanTech wrote:
Wed Jun 10, 2020 9:02 pm
xh43k wrote:
Wed Jun 10, 2020 7:59 pm
Added this routing to the cisco router
maybe you did this incorrectly ..
How incorrectly ? I posted the routing setup here so if you see something wrong just tell me.

The cisco router is acting as a default gw for the whole 10.100.0.0/24 network so it makes sense to set up this routing there.
We don't support your router here.. that is why I said "Maybe" ..

Openvpn looks to be setup correctly, therefore the most likely point of failure is your router.

Time to break out the debug tools..

If all else fails then you can contact me privately.

Post by xh43k » Wed Jun 10, 2020 10:01 pm

tbh, the router is "maybe" set correctly, since I can actually ping the printer at 10.100.0.10, without correct route it would not go through.
Could be the problem with MTU, will test it tomorrow.

Post by Pippin » Wed Jun 10, 2020 10:07 pm

I am connecting over pppoe connection (ADSL) here and my mtu on the router
and connected devices is therefore 1492
You changed MTU on connected devices?
So, what would be the max optimal mssfix value ?
The value that doesn't break things ;)

Keywords:
ping find MTU of path
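
Added example, not part of any post in this thread: the "ping find MTU of path" approach as a Python script that binary-searches the largest Don't-Fragment echo request a path will carry. The function names, the `simulated_path` stand-in and the host name `vpn.example.net` are assumptions made for illustration.

```python
import platform
import subprocess

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header


def ping_df(host, payload):
    """Send one echo request with Don't Fragment set; True if a reply came back."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", "2000", "-f", "-l", str(payload), host]
    else:  # Linux iputils ping
        cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), host]
    result = subprocess.run(cmd, capture_output=True, text=True)
    # An echo reply line carries "TTL=" (Windows) or "ttl=" (Linux).
    return result.returncode == 0 and "ttl=" in result.stdout.lower()


def find_path_mtu(probe, low=548, high=1472):
    """Binary-search the largest ICMP payload that passes unfragmented.

    probe(payload) -> bool. Returns the path MTU in bytes, or None if even
    the smallest payload fails (host unreachable or ICMP filtered).
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2  # round up so the loop always makes progress
        if probe(mid):
            low = mid       # mid fits: the answer is mid or larger
        else:
            high = mid - 1  # mid is too big: the answer is smaller
    return low + IP_ICMP_OVERHEAD


def simulated_path(mtu):
    """Constructed stand-in for a real path: drops DF packets larger than mtu."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= mtu


if __name__ == "__main__":
    # Constructed scenarios: a PPPoE link (MTU 1492) and a narrower path.
    print(find_path_mtu(simulated_path(1492)))
    print(find_path_mtu(simulated_path(1400)))
    # Real probe; vpn.example.net is a placeholder for the VPN server's address:
    # print(find_path_mtu(lambda n: ping_df("vpn.example.net", n)))
```

Probing the VPN server's public address from outside the tunnel measures the underlying path; any mssfix value then has to sit below that figure by the tunnel's encapsulation overhead.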

Post by TinCanTech » Wed Jun 10, 2020 10:13 pm

xh43k wrote:
Wed Jun 10, 2020 10:01 pm
tbh, the router is "maybe" set correctly, since I can actually ping the printer at 10.100.0.10, without correct route it would not go through.
Could be the problem with MTU, will test it tomorrow.
Pippin wrote:
Wed Jun 10, 2020 10:07 pm
I am connecting over pppoe connection (ADSL) here and my mtu on the router
and connected devices is therefore 1492
You changed MTU on connected devices?
So, what would be the max optimal mssfix value ?
The value that doesn't break things ;)

Keywords:
ping find MTU of path
As per the manual:
The Manual wrote:(a good first try for solving MTU-related connection problems) with the following options:

--tun-mtu 1500 --fragment 1300 --mssfix

Post by xh43k » Thu Jun 11, 2020 6:30 am

Nope I have not changed MTU anywhere manually, only the router I am connecting through on my local network has this MTU set up in WAN settings (1492).

Also, I tried adding these settings to my client config:

tun-mtu 1500
fragment 1300
mssfix
Didn't help and actually caused these errors:

Thu Jun 11 08:06:00 2020 FRAG_IN error flags=0x2a187bf3: FRAG_TEST not implemented
Thu Jun 11 08:06:10 2020 FRAG_IN error flags=0x2a187bf3: FRAG_TEST not implemented
btw, when I actually try to visit the IP of the printer via browser "10.100.0.10", it responds back with default path to the page, but simply does not load it:
Image

This is what chrome console shows...
Image

I even tried full tunnel, internet works fine, even secure connection with google etc.., but accessing server side LAN printer web interface - or any other web interface such as AP, fails as above.. the only accessible web interface is the default GW - cisco router, that I can access fine over VPN.

300000
OpenVPN Power User
Posts: 189
Joined: Tue May 01, 2012 9:30 pm

Post by 300000 » Thu Jun 11, 2020 4:43 pm

What DNS server do you push from OpenVPN to the OpenVPN client? Check that first.
