Unhelpfulness of gateway documentation

Ask questions about your Access Server configuration here.
Post Reply
gwideman
OpenVpn Newbie
Posts: 7
Joined: Tue Oct 16, 2018 2:24 am

Unhelpfulness of gateway documentation

Post by gwideman » Wed Oct 24, 2018 12:29 am

I am posting this in the hopes that it might prompt someone to fix the docs around gateway configuration. After all, most of the point of AS, the paid product, is that it makes configuration tractable. But without docs of what to set in this GUI, the mission is defeated.

But do feel free to add any clues regarding the questions below, it would certainly help me, and no doubt others, considering related questions on the forum seem to have been unanswered!

I am hoping to configure OpenVPN AS to allow external (WAN) ovpn clients to access through an OpenVPN client/gateway to a LAN.
viewtopic.php?f=25&t=27309

The OpenVPN docs for doing this are not helping.

Setting aside that OpenVPN's doc search doesn't work, using google I find only two somewhat relevant docs:

How to configure a host as a gateway for client-side subnets
https://openvpn.net/vpn-server-resource ... e-subnets/
Close to what I want, though with obtuse additional aspects.

Site-to-site routing explained in detail
https://docs.openvpn.net/connecting/sit ... in-detail/
Not exactly the use-case in mind, but we might be able to learn something if these docs were less vague and cluttered with extraneous detail like how to operate a web page.
But let's examine the first doc, blow by blow.
Introduction
If you wish to have particular client-side subnets routed through the VPN, you must ensure that:
This needs to distinguish the case where all traffic FROM the client-side subnet routes through the VPN, versus the case where the VPN only provides access TO the client side LAN for traffic from other VPN clients.
Your Access Server is properly configured so that the User Permissions page has the desired client-side subnets specified for the corresponding users.
"Specified"... as, or for, what?
The host of each VPN client that is to act as a gateway must be configured to forward traffic to/from the VPN.
"The host" -- meaning the OS of the machine running the VPN client/gateway. And here we hope to learn what is or is not taken care of by AS's "VPN Gateway: Configure = Yes" setting.
Your network routing configuration (for any hosts on the VPN that may use the client-side subnets) is adjusted to account for the client-side subnets on the VPN.
Very ambiguous sentence structure. Translation: "For a machine running VPN client and wishing to access subnets of other clients, adjust its OS's network routing configuration to account for those other-client subnets."
And again, how does this relate to by AS's "VPN Gateway: Configure = Yes" setting?
Example Scenario
Let’s say that a particular user with username “fred" connects to the office VPN (the Access Server) from his home. His main PC at home has multiple network interfaces, with one connected to the Internet (say, via a DSL router) and another interface connected to a personal “test network". All hosts on the test network have an IP address in the 192.168.10.0/24 subnet. For instance, Fred’s main PC has the address 192.168.10.1 on the test network.

Fred connects to the VPN using the OpenVPN-AS client software running on his main PC.
Wait, what? There's a special "OpenVPN-AS" client software? Is this different from the normal OpenVPN client?

And this example is made the more obtuse because fred's PC has multiple network interfaces. Gaaaa. What if fred has only one LAN network?
Now the goal is to make the test network accessible to other users via the VPN, including users on a back-end network in the office.
So I guess this is going to cover two distinct use-cases:
1. Other WAN clients running OpenVPN and connected to the office VPN OpenVPN AS.
2. Workplace LAN clients that are unaware of OpenVPN.
User Permissions Configuration

The Access Server administrator must adjust the settings for username “fred" on the User Permissions page to enable this application. If there is no entry for “fred" on the User Permissions page, the administrator adds one by entering “fred" in the “New Username" box.
Why are we going on a detour to set up user fred when he can already login to the VPN server? Surely he already has a User account?
The administrator clicks the “Show" link on fred’s entry in the User Permissions table, to see the drop-down box of settings specific to the user “fred". Next, the administrator makes the following changes:
Good, we're making some progress -- let's see the example settings...
Sets a static VPN IP address:
And in this example, that IP address would be what? This is crucial.
Specifies the client-side subnet to route through the user’s VPN client
Again -- the point of an example is to show the *&^%%$ example! I think:
"the client-side subnet" = 192.168.10.0/24
"the user" = fred
"VPN client" = the one running on fred's "main PC at home"
And what does this do. Does it permit other VPN clients (or clients on workplace LAN) to access "test network". Or does it force all traffic from "test network" to go to the VPN? Or both?
Turns on Auto-Login for the user that will act as a gateway client
"the user" = fred
And having done this, does this mean that if fred goes to some remote location on the WAN, he can no longer usefully use OpenVPN to log in (for example to remotely access his home "test network"), but must instead use a different user name?
Changes to be made at the Router:
Which router? The one at fred's home? Or the one at the workplace?
– Static routing will need to be enabled
Because? And it the routing is static, do those static routes need to be specified somewhere?
– You will need to add the VPN’s subnet as a static route to the machine you are running the gateway client on
Somehow fred has left the building, and "you" are now supposed to do something. Tentative translation:
On fred's machine, the OS settings for static routes have to be altered so that the VPN's subnet (which is what in this example?) is set to static, and presumably set to some specific route (which is in this example?)
And again, how does this relate, or not, to AS's "VPN Gateway: Configure = Yes" setting?

*NOTE: If trying to run a linux client in gateway mode you may need to run this command to enable routing:
sysctl -w net.ipv4.ip_forward=1
How will we know that this specific thing is needed? What versions of linux does this apply to? What does it do?

Post Reply