Changed main router, inbound VPN to LAN stopped working

parents_it_dept
OpenVpn Newbie


Post by parents_it_dept » Sun Oct 15, 2017 2:58 am

Hi everyone, I was just working on a router changeout for my home network. Prior to the change I was running a Linksys with an old version of OpenWRT and Linux kernel 2.4.30. I switched it out for a full machine running Linux with kernel 4.9.41.

My OpenVPN server is located on a different machine within the LAN and nothing has been altered on it. A UDP port is forwarded through the router to the OpenVPN server. My client is my Android phone running OpenVPN Connect and uses a full tunnel with all traffic sent through the VPN.

I duplicated all of the iptables configurations as well as the additional static route that was required to get things working on the old router.

With the new router in place, I can successfully connect to the OpenVPN server and have connectivity to the outside world. I can ping the LAN IP of the OpenVPN server and the router. I can not ping any machine located on the LAN. However, from any LAN machine I *can* ping the phone and get a reply. So outbound from the LAN through the VPN works and replies occur. Inbound from the VPN to the LAN dies. I watched the iptables state on the VPN server and I see the ping traverse the VPN tunnel and get pushed out, but it never makes it through the router.

I put a trace on the raw table of the router and I can see the packets going from the phone to the machines on the LAN. I also see that those machines respond and send a packet back. It appears, though, that the packet goes back to the router instead of to the OpenVPN server.

I'm suspecting my problem is something very subtle that I can't seem to spot when comparing the two routers. Since nothing else changed on the network at all, I can at least be sure that it involves the router only. At this point my suspicion is that somehow the machines on the network are not receiving the announcement from the router that the appropriate gateway for the VPN traffic is the OpenVPN server.

This is probably not an OpenVPN problem directly but it's the only application affected by this change so I'm hoping someone has ideas that can lead me in the right direction.

TinCanTech
OpenVPN Protagonist

Re: Changed main router, inbound VPN to LAN stopped working

Post by TinCanTech » Mon Oct 16, 2017 5:27 pm

parents_it_dept wrote:
Sun Oct 15, 2017 2:58 am
I put a trace on the raw table of the router and I can see the packets going from the phone to the machines on the LAN. I also see that those machines respond and send a packet back. It appears, though, that the packet goes back to the router instead of to the OpenVPN server.
Add a route for the VPN to the LAN machine.

parents_it_dept
OpenVpn Newbie

Re: Changed main router, inbound VPN to LAN stopped working

Post by parents_it_dept » Tue Oct 17, 2017 5:22 am

TinCanTech wrote:
Mon Oct 16, 2017 5:27 pm
parents_it_dept wrote:
Sun Oct 15, 2017 2:58 am
I put a trace on the raw table of the router and I can see the packets going from the phone to the machines on the LAN. I also see that those machines respond and send a packet back. It appears, though, that the packet goes back to the router instead of to the OpenVPN server.
Add a route for the VPN to the LAN machine.
Yes, I had already done that with route add -net <VPN-network> gw <VPN-server> on the gateway router. It's not working: the return packets are not following that route; instead they're still going back to the gateway and stopping there. Pinging outbound from the LAN to the VPN client works. But pinging inbound from the VPN to the LAN, the packet goes all the way to the LAN, a reply is generated and sent back, at which point it dies without ever arriving at the VPN server.

I can't add routes to every LAN device either; not all of them support additional routes. It has to be handled by the main gateway router. This worked under the old gateway router but not the new one.

TinCanTech
OpenVPN Protagonist

Re: Changed main router, inbound VPN to LAN stopped working

Post by TinCanTech » Tue Oct 17, 2017 11:31 am

Double check the firewall where the packet is dropped.

parents_it_dept
OpenVpn Newbie

Re: Changed main router, inbound VPN to LAN stopped working

Post by parents_it_dept » Tue Oct 17, 2017 2:56 pm

TinCanTech wrote:
Tue Oct 17, 2017 11:31 am
Double check the firewall where the packet is dropped.
Already did that, too. The VPN server has no firewall and the main router's firewall is not filtering packets. The rules are identical for both the original router and the new router. The only thing truly different is the kernel version.

TinCanTech
OpenVPN Protagonist

Re: Changed main router, inbound VPN to LAN stopped working

Post by TinCanTech » Tue Oct 17, 2017 4:38 pm

Add the VPN route to a server-side host and test if it works (which it should).

parents_it_dept
OpenVpn Newbie

Re: Changed main router, inbound VPN to LAN stopped working

Post by parents_it_dept » Tue Oct 17, 2017 7:30 pm

TinCanTech wrote:
Tue Oct 17, 2017 4:38 pm
Add the VPN route to a server-side host and test if it works (which it should).
Yes, adding a static route directly to a LAN side host does work. Adding it to the main router no longer does when it used to work just fine.
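The return path the thread is debugging (LAN host replies to the phone's tun address, the reply goes to the host's default gateway, and the router must forward it back out the same LAN interface toward the OpenVPN server) can be modelled as three longest-prefix lookups. The following is an added illustration, not code from the thread or from OpenVPN: it builds a small routing simulator with constructed addresses (192.168.1.0/24 for the LAN, 10.8.0.0/24 for the VPN, router 192.168.1.1, OpenVPN server 192.168.1.10, client 10.8.0.6, all assumptions) and traces the reply packet in four situations: the router without the VPN route, with it, the route placed on the LAN host instead (the case that the last post reports working), and a router whose FORWARD policy only permits lan<->wan traffic so that a lan->lan forward is dropped. The last case is a general caveat about hairpin forwarding on a Linux router, not a claim about what broke this particular setup.

```python
import ipaddress

# All addresses below are constructed for the example; the thread gives none.
LAN      = ipaddress.ip_network("192.168.1.0/24")
VPN_NET  = ipaddress.ip_network("10.8.0.0/24")
ANY      = ipaddress.ip_network("0.0.0.0/0")
ROUTER   = ipaddress.ip_address("192.168.1.1")     # new Linux router, LAN side
VPN_SRV  = ipaddress.ip_address("192.168.1.10")    # OpenVPN server on the LAN
LAN_HOST = ipaddress.ip_address("192.168.1.50")    # a LAN machine being pinged
CLIENT   = ipaddress.ip_address("10.8.0.6")        # the phone's tun address
WAN_GW   = ipaddress.ip_address("203.0.113.1")     # ISP next hop


class Node:
    """A host. addrs maps its IPs to the interface carrying them; routes is a list of
    (prefix, next_hop, out_dev), next_hop None meaning the prefix is on-link.
    forward_ok(in_dev, out_dev) stands in for the iptables FORWARD chain."""

    def __init__(self, name, addrs, routes, forward_ok=lambda i, o: True):
        self.name, self.addrs, self.routes, self.forward_ok = name, addrs, routes, forward_ok

    def lookup(self, dst):
        """Longest-prefix match over the table, as the kernel FIB does."""
        matches = [r for r in self.routes if dst in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def build_topology(router_has_vpn_route=True, lanhost_has_vpn_route=False,
                   router_forward_ok=lambda i, o: True):
    lanhost_routes = [(LAN, None, "eth0"), (ANY, ROUTER, "eth0")]
    if lanhost_has_vpn_route:            # what adding the route to a LAN host does
        lanhost_routes.append((VPN_NET, VPN_SRV, "eth0"))
    router_routes = [(LAN, None, "lan"), (ANY, WAN_GW, "wan")]
    if router_has_vpn_route:             # route add -net 10.8.0.0/24 gw 192.168.1.10
        router_routes.append((VPN_NET, VPN_SRV, "lan"))
    return {
        "lanhost":   Node("lanhost", {LAN_HOST: "eth0"}, lanhost_routes),
        "router":    Node("router", {ROUTER: "lan"}, router_routes, router_forward_ok),
        "vpnserver": Node("vpnserver", {VPN_SRV: "eth0"},
                          [(LAN, None, "eth0"), (VPN_NET, None, "tun0"), (ANY, ROUTER, "eth0")]),
        "client":    Node("client", {CLIENT: "tun0"}, [(ANY, None, "tun0")]),
    }


def trace(nodes, src, dst):
    """Follow one packet hop by hop. Returns the node names it passed through plus a
    final entry saying whether it was delivered, dropped, or sent off the LAN."""
    node, in_dev, path = nodes[src], None, []
    for _ in range(8):
        path.append(node.name)
        if dst in node.addrs:
            path.append(f"delivered to {dst}")
            return path
        route = node.lookup(dst)
        if route is None:
            path.append("no route")
            return path
        prefix, via, out_dev = route
        if in_dev is not None and not node.forward_ok(in_dev, out_dev):
            path.append(f"dropped by {node.name} FORWARD policy ({in_dev}->{out_dev})")
            return path
        next_hop = dst if via is None else via
        target = next((n for n in nodes.values() if next_hop in n.addrs), None)
        if target is None:
            path.append(f"sent out {out_dev} toward {next_hop} via {prefix} (leaves the LAN)")
            return path
        node, in_dev = target, target.addrs[next_hop]
    path.append("hop limit exceeded")
    return path


if __name__ == "__main__":
    # The ICMP echo reply from the LAN host back to the phone, in each situation.
    print(trace(build_topology(router_has_vpn_route=False), "lanhost", CLIENT))
    print(trace(build_topology(), "lanhost", CLIENT))
    print(trace(build_topology(lanhost_has_vpn_route=True), "lanhost", CLIENT))
    lan_wan_only = lambda i, o: {i, o} == {"lan", "wan"}   # a FORWARD policy with no lan->lan rule
    print(trace(build_topology(router_forward_ok=lan_wan_only), "lanhost", CLIENT))
```

The model deliberately ignores NAT and ICMP redirects. On the real router the same three questions can be asked directly: `ip route get 10.8.0.6 from 192.168.1.50 iif <lan-interface>` shows the next hop the kernel would actually pick for the reply, `iptables -S FORWARD` shows whether a lan-in/lan-out packet is accepted, and `iptables -t nat -S` shows whether a MASQUERADE or SNAT rule rewrites the reply before it reaches the OpenVPN server. Because the router forwards the reply back out the interface it arrived on, a FORWARD chain written only for lan-to-wan traffic drops it, and with sysctl `net.ipv4.conf.<lan-interface>.send_redirects` enabled the router will also send ICMP redirects pointing LAN hosts at 192.168.1.10, which hosts may or may not honour.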
