In the diagram below, I was using the OpenVPN server with the NAT setting and had no problem. PC_1, using the OpenVPN client, had VPN IP 172.27.224.10. PC_1 was able to ping PC_2 at 192.168.2.10. But after I changed to Use Routing in User Permissions, PC_1 is not able to ping 192.168.2.10. I have tried changing many settings but it still does not work. Can anyone help me solve the problem? Please help!
Use Routing NOT WORK
-
- OpenVpn Newbie
- Posts: 3
- Joined: Tue Aug 03, 2021 12:58 pm
-
- OpenVpn Newbie
- Posts: 4
- Joined: Mon Aug 02, 2021 10:13 pm
Re: Use Routing NOT WORK
In a NAT scenario, the PC_2 will see the connection from 192.168.2.2 (hidden behind the server) - so it can reply locally as it's on the same subnet.
When you enable routing, PC_2 will see the incoming connection from 172.27.224.10 (the VPN client IP), which the local network / router will not know how to reach - so it will send the traffic out of its existing default gateway (typically the ISP/external internet connection).
So you need to add an IP route for 172.27.224.x/xx (whatever your VPN client pool) as being via next-hop 192.168.2.2 - you can either do this on your main router for the whole 192.168.2.x subnet to resolve for all PC_x, or to test it you can also add it directly on the PC_2 if you want to prove the theory.
-
- OpenVPN Power User
- Posts: 156
- Joined: Thu Mar 28, 2013 8:31 am
Re: Use Routing NOT WORK
Another possible solution is to change the Dynamic IP Address range of OpenVPN AS.
Say for example that the router has 192.168.2.1 with a netmask of /24 (255.255.255.0). Also for this example let us assume that the DHCP server's range is 192.168.2.10 to 192.168.2.100.
If those two assumptions are correct, then you should be able to change the Dynamic IP Address Network to be inside the already routed subnet.
Instead of 172.27.224.0/20, it could be set to 192.168.2.128/25.
The Dynamic IP Address Network setting can be found under Configuration -> VPN Settings.
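The reply-path reasoning from the two answers above, as an added example that is not part of the thread: it models PC_2's route lookup under NAT, under routing, and under routing with the static route, and checks the pool suggested in the second reply. The router address 192.168.2.1 and the /20 pool come from the second reply's example; the function names are made up here.

```python
import ipaddress as ip

VPN_SERVER = "192.168.2.2"   # Access Server LAN address, from the first reply
LAN_ROUTER = "192.168.2.1"   # assumed default gateway (second reply's example)

# PC_2's routing table as (prefix, next hop); "on-link" means direct delivery.
PC2_ROUTES = [("192.168.2.0/24", "on-link"), ("0.0.0.0/0", LAN_ROUTER)]
# The fix from the first reply: VPN client pool via the Access Server.
# The /20 is the pool named in the second reply; substitute your own pool.
VPN_ROUTE = ("172.27.224.0/20", VPN_SERVER)

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, hop) pairs, like a host's route lookup."""
    addr = ip.ip_address(dst)
    hits = [(ip.ip_network(p), hop) for p, hop in routes if addr in ip.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def reply_path(routes, src_seen_by_pc2):
    """Where PC_2 sends its echo reply, given the source address it saw."""
    hop = next_hop(routes, src_seen_by_pc2)
    return src_seen_by_pc2 if hop == "on-link" else hop

def pool_fits_lan(pool, lan, dhcp_first, dhcp_last):
    """Second reply's check: pool inside the LAN subnet and clear of the DHCP range."""
    pool, lan = ip.ip_network(pool), ip.ip_network(lan)
    first, last = ip.ip_address(dhcp_first), ip.ip_address(dhcp_last)
    overlaps = pool[0] <= last and first <= pool[-1]
    return pool.subnet_of(lan) and not overlaps

if __name__ == "__main__":
    # NAT: PC_2 sees the server's own LAN address and replies on-link.
    print("NAT:            ", reply_path(PC2_ROUTES, "192.168.2.2"))
    # Routing: PC_2 sees the VPN client IP and falls back to its default gateway.
    print("routing:        ", reply_path(PC2_ROUTES, "172.27.224.10"))
    # Routing plus the static route: the reply goes back to the Access Server.
    print("routing + route:", reply_path(PC2_ROUTES + [VPN_ROUTE], "172.27.224.10"))
    print("pool fits LAN:  ", pool_fits_lan("192.168.2.128/25", "192.168.2.0/24",
                                             "192.168.2.10", "192.168.2.100"))
```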