OpenVPN Support Forum

Hey guys, need a bit of help please, I have setup a VPN on a Hosted VPS Server, I have my Mobile, my Office & my Home dialling into this box, all are connecting fine, the Mobile redirect's Gateway the rest do not (perfect).

I have also enabled CLIENT-2-CLIENT so I can access my NAS (synology) which dials in from Home on it's VPN IP (10.8.0.6).

What I want to do is to map my home network (10.0.0.0/24) to the VPN so that both the Office and my Mobile can access my Home network.

I have followed this article: https://openvpn.net/community-resources/how-to/#scope specifically this section: "Including multiple machines on the client side when using a routed VPN (dev tun)" which to me raises two questions...

1a. It says I need to speficy the file path of the config's like so i the server.conf: 1b. Then I need to create a file named after the Client which i'll call for arguments sake "UK", my quesiton is should this file be just UK or UK.ovpn I have tried both but I am not sure it's working don't know how to check, in that file anyway I have: 1c. Currently I have two files in that path called UK and UK.ovpn but one thing I do know for sure is I only need one file, but maybe with a entirely different extension?

The next question I have is this...

• OpenVPN Server is 10.8.0.1, it's LAN is a Public WAN IP.

• NAS IP: 10.0.0.2 (The OpenVPN Client connecting from Home).

• Home LAN is 10.0.0.0/24

• NAS VPN IP: 10.8.0.6

If I want to enable routing to the 10.0.0.0 network on the OpenVPN Server which of the following is right?

• 10.0.0.2 Being NAS LAN IP.

• 10.8.0.6 Being NAS VPN IP.

• 10.8.0.1 Being OpenVPN Server IP.

Now for my Config, excluding sensitive bits of course...

SERVER: NAS Client: Not sure what I am doing wrong, at this stage the OpenVPN Server cannot even ping the 10.0.0.0/24 network which I guess is the first hurdle I need to resolve.

Once that is working I need to test \ fix if not working the Clients Connecting to the VPN doing the same.

Then finally I'll need to test communication going back the other way which is going to be fun in itself I suspect.

Thanks

Ungifted wrote: ↑

Tue Sep 03, 2019 12:29 pm

1b. Then I need to create a file named after the Client which i'll call for arguments sake "UK", my quesiton is should this file be just UK or UK.ovpn

The file name must be identical to the common_name of the client certificate. No extension.

Ungifted wrote: ↑

Tue Sep 03, 2019 12:29 pm

If I want to enable routing to the 10.0.0.0 network on the OpenVPN Server which of the following is right?

None of them .. you add the route statement to your server config as you have done.

Hi TinCanTech,

Thanks for the response!

The file name must be identical to the common_name of the client certificate. No extension.

Sorry but when you say client certificate... when I create the client it asks me to pick a name, I used "UK" for arguments sake, I presume this means the client certificate will be called "UK"? Or do I need to look that up seperately? On the client itself? The client NAS has an active wildcard SSL Cert installed on it's webserver and for VPN I presume which I know the name of, how can I check what common_name it's using?

None of them .. you add the route statement to your server config as you have done.

Ok thanks, I did get that, but I was trying various things manually in an attempt to get it working.
Just so I am understanding this right though, if I were to be doing this manually, what would the gateway be for the remote network? It's actual Gateway IP? I.E. 10.0.0.2? Or would it be the VPN IP of the Gateway box 10.8.0.6? Or something else?

In my mind there are two ways this could be achieved though I only one of the two are right and would work...

1. Client gets knowledge of both networks but not both Gateways! It asks to browse to 10.0.0.x but only knows gateway 10.8.0.1 so, packet gets sent to VPN Gateway 10.8.0.1 then packet gets send to Home Gateway 10.0.0.2, then to destination.

2. Client gets knowledge of both networks and gateways and tries to communicate with 10.0.0.2 directly, packet automatically routed through tun0 as in routing table to do so, but it cannot communicate directly with 10.0.0.2 it must go through 10.8.0.1 which is turn forwards it to 10.0.0.2 then destination.

I know only one is correct and the only workable option just want clarification of which one, the reason I ask this is when I auto add the routes through the scripts I get the following routes on the OpenVPN Server...
Which rasies a few questions...

1. WTF Is 10.8.0.2 and where is it getting it from? <---- Oh this is my phone, starting to make some sense...

Ok next question, sorry won't clear about probably better if you can follow my thought process...

When I created the VPN Devices \ Users through the script it generates an OVPN file with the client name and gives me 1x ca.crt do I need to manually create a different CA.crt for this or all clients?

Thanks

Ok so for some reason I don't understand why yet my phone which annoyingly gets 10.8.0.2 is getting the route added to it instead of the NAS, I am trying to get the NAS to pickup this IP, I have added a new CCD profile for it but it's not picking it up, I think this maybe because I am using the same CA.CRT for all clients (I know this is bad, still setting it up once I have it working I'll improve security).

If I need to use a different CA.CRT for all clients though how do I go about doing this? As the only place I am see that defined is Global in the Sever.conf or do I need to add something else to the CCD's?!

Thanks