Configuration for VPN client gateway

[gwideman]

(Moved from parent Topic "Configuration for Reverse VPN setup")
Short version:

What settings do I need on OpenVPN Access Server, and for clients, in order to configure a "reverse VPN" set-up? That is, client on LAN connects to OpenVPN Access Server on WAN, and also provides gateway to LAN. I assume this is a fairly mainstream thing to do, but I'm not finding docs or examples on how to do it. Related forum questions seem to have no answers.

In particular, I'm not sure what to do with the various AS and client settings relating to subnets and routing.

(For what it's worth, I do have OpenVPN Access Server installed on Digital Ocean with basic configuration, and can connect to it from an OpenVPN client.)

Longer version:

I understand I can set up OpenVPN (and Access Server) like this diagram:


The salient points:
1. The Premises are connected to ISP via LTE modem. However for LTE the ISP provides only a private IP address, so incoming connections are not possible.

2. So we would use a machine (svr1) on The Premises LAN to initiate and maintain a continuous VPN connection to the external OpenVPN Access Server.

3. Also, svr1 would provide a gateway from VPN to the LAN.

4. We are NOT interested in routing all traffic in general from The Premises LAN via the VPN, nor for LAN clients (other than svr1) to be able to initiate a connection to the VPN or its clients.

With 2 and 3 in place, external users would be able to connect to the Open VPN Access Server, and see The Premises LAN.

Not clear to me:
----------------
In general, I'm not sure what I need to set for what I want to achieve, mostly because I don't understand the relationship between the "private networks" mentioned in the settings, and the LAN that I want to arrange access to.

Referring to the OpenVPN Access Server web UI:

VPN Settings:
--------------
VPN IP Network:
This asks us to configure "virtual networks" for Dynamic IP, Static IP and Group Default IP.

Routing: Should VPN clients have access to private subnets?
Choices: No, Yes using NAT, Yes using Routing
... and if you select the latter, "Specify the private subnets to which all clients should be given access".

DNS settings -- we'll cross that bridge later.

User Permissions
----------------
I assume I configure a user for the LAN machine svr1 that performs OpenVPN <--> gateway to LAN. For that machine:

Select IP addressing: Presumably Static?

Access Control: Use NAT or Use Routing?

Allow Access To these Networks: ?????

Allow Access From:
[ ] all server-side private subnets (what does that mean?)
[ ] all other VPN clients (pretty sure this is yes)

VPN Gateway
I am hoping that selecting 'Yes' here is what enables the gateway from VPN to The Premises LAN?

So along with all these settings that I don't know how to set, I also don't see where it's determine how The Premises LAN IP addresses will appear to external clients. Will they show up as the same 192.168.xxx.xxx addresses as they are on the LAN, or do they get mapped somehow?

Any insight, or pointers to pages where this is spelled out, would be greatly appreciated!

[droujav]

A few answers:
you need a static IP for your gateway client. In the on-premise router you will need a static route (so that trafiic can be routed to / from LAN and OpenVPN, and on svr1, make sure you have IP forwarding between the 2 interfaces (LAN and VPN gateway).
In your gateway client settings : allow access to the LAN subnet, use NAT, and allow access from all other vpn clients

[gwideman]

A few answers:
you need a static IP for your gateway client. In the on-premise router you will need a static route (so that trafiic can be routed to / from LAN and OpenVPN, and on svr1, make sure you have IP forwarding between the 2 interfaces (LAN and VPN gateway).
In your gateway client settings : allow access to the LAN subnet, use NAT, and allow access from all other vpn clients

I appreciate your answer, though at this point I don't have much hope of getting this right from helpful suggestions about a smattering of settings that might indeed be useful, but not sufficient. At this point I'm further down the track digging into this, and am now stuck on different ambiguities and undocumented points that I'm gradually getting support to answer.

But to answer your suggestions:

> you need a static IP for your gateway client.
I assume you mean a static IP on the on-premise LAN (not necessarily on the virtual LAN).

Yes, that would be needed if either the on-premise router was involved, or if you install a route in the target machines on the LAN (specifying to route to the VPN virtual LAN via the gateway/client). However, it's apparently possible to get this working with neither of those requirements, as LAN Turtle exemplifies (though I have't been able to get that to work either, again due to lack of docs). But I think the idea is to have the gateway client perform NAT to the LAN, so that the packets can travel to/from other LAN machines without involvement of the router.

> on svr1, make sure you have IP forwarding between the 2 interfaces (LAN and VPN gateway)
What does that suggestion translate into in terms of configuration on OpenVPN-AS? Perhaps it's your next sentence? "allow access to the LAN subnet, use NAT, and allow access from all other vpn clients"? Or is that in addition?

[droujav]

Hi,
static IP on the virtual subnet (OpenVPN menu for the gateway client), this static is required for step2: in on-prem router, include a static route to bridge LAN & virtual subnet (but this is assuming you involve the on-prem router… you seem determined not to use it... not sure how to do that because the cases I have seen the router would not allow this traffic). You can also make your static route wider (with masks) and allow all traffic between the 2 subnets (all clients), this way you dont need a static IP, but I prefer to keep it tight (only traffic from svr1).
IP forwarding is on local machine svr1 (not in OpenVPN), I had to do this otherwise the 2 interfaces would not talk to one another. The last settings are on the OpenVPN menu when you configure the gateway client.
hope this helps