Site-to-site when VPN client is not its LAN's gateway

KBerger
OpenVPN User
Posts: 31
Joined: Wed Mar 16, 2011 1:27 pm

Site-to-site when VPN client is not its LAN's gateway

Post by KBerger » Mon Mar 02, 2020 8:14 am

Hello, everyone! :D

Please, advise regarding my particular case of Site-to-Site setup, whether it is possible or not.
I've followed guides for general configuration for connecting OpenVPN server LAN with client LAN. Accordingly, I have in /etc/openvpn/ccd/client1:
Client config
ifconfig-push 10.0.0.5 255.255.255.0
iroute 192.168.8.0 255.255.255.0
That's (1) client requesting for itself VPN-client IP 10.0.0.5 and (2) client advertising its LAN 192.168.8.0/24.
And here is the corresponding /etc/openvpn/server.conf portion:
Server config portion
server 10.0.0.0 255.255.255.0
route 192.168.8.0 255.255.255.0
client-to-client
push "route 192.168.0.0 255.255.255.224"


Now one particular is that this client machine is NOT its LAN's gateway. That is, this client is on the LAN just like other machines are and connects to VPN server via that LAN's gateway (192.168.8.1), that's a separate machine.
Hence my question: is it still possible for this client to share its LAN through VPN with the VPN side LAN? So far, with the config above, it still doesn't work. This only makes accessible from the server side the client's own LAN IP (say, 192.168.8.23) from which it connects to VPN, but no other machines on the LAN (e.g. 192.168.8.5, 192.168.8.6 etc.).

Now I have a vague recollection of having done this in the past by adding the LAN's gateway somewhere in configs -- but where? My problem is, I think, that I don't have a 100% clear understanding of how routing works, sorry for that :(...

Thank you in advance.

KBerger
OpenVPN User
Posts: 31
Joined: Wed Mar 16, 2011 1:27 pm

Re: Site-to-site when VPN client is not its LAN's gateway

Post by KBerger » Mon Mar 02, 2020 8:35 am

Ok, this document here seems to describe a similar situation, only the problem there is on the server side. According to what it says, each machine on my client's LAN seems to need a static route like this one:

route add 192.168.0.0/27 192.168.8.1
(we're on FreeBSD)
...or something?

KBerger
OpenVPN User
Posts: 31
Joined: Wed Mar 16, 2011 1:27 pm

Re: Site-to-site when VPN client is not its LAN's gateway

Post by KBerger » Mon Mar 02, 2020 9:12 am

Or does this route have to use the VPN client machine's IP (192.168.8.23 in my example) as gateway to VPN server's LAN for other machines on the LAN?
Like this:

route add 192.168.0.0/27 192.168.8.23

KBerger
OpenVPN User
Posts: 31
Joined: Wed Mar 16, 2011 1:27 pm

Re: Site-to-site when VPN client is not its LAN's gateway

Post by KBerger » Mon Mar 02, 2020 10:06 am

Ok, the VPN client machine in question has this routing table output (netstat -rn):

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.8.1        UGS         em0
10.0.0.0/24        10.0.0.1           UGS        tun0
10.0.0.1           link#4             UH         tun0
10.0.0.5           link#4             UHS         lo0
127.0.0.1          link#2             UH          lo0
192.168.0.0/24     10.0.0.1           UGS        tun0
192.168.8.0/24     link#1             U           em0
192.168.8.23       link#1             UHS         lo0
So, since it has route to 192.168.0.0/27 network (VPN server's LAN), it would seem logical to add its IP 192.168.8.23 as gateway to that network for other LAN machines, right?
That is, whichever 192.168.8.0/24 net machine needs be connected from VPN server LAN needs this static route:

route add 192.168.0.0/24 (gw) 192.168.8.23

KBerger
OpenVPN User
Posts: 31
Joined: Wed Mar 16, 2011 1:27 pm

Re: Site-to-site when VPN client is not its LAN's gateway

Post by KBerger » Mon Mar 02, 2020 11:15 am

Ok, I'll check the results and report back. And just to make clear why I need this weird configuration.

My VPN client machine connecting to the VPN server + its LAN is a bhyve host for a Win 10 guest. As the bhyve virtio NIC is quite slow, I configured PCI passthrough of my Realtek NIC to the VM. So now it has an IP on the same LAN, but for the host it is like a different machine, as the Realtek NIC is no longer visible to the host.
So then, if I want to connect to that Win 10 bhyve VM from the OpenVPN LAN (or server itself, doesn't matter which) it is like connecting to another machine on the client's LAN.
Yes, I tried PF firewall redirect, but packets seem to have the same problem of not being able to find their way back.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Site-to-site when VPN client is not its LAN's gateway

Post by TinCanTech » Mon Mar 02, 2020 1:22 pm

The Howto explicitly explains what is required for this.

FYI: Openvpn neither knows nor cares if you are using a VM or not.

KBerger
OpenVPN User
Posts: 31
Joined: Wed Mar 16, 2011 1:27 pm

Re: Site-to-site when VPN client is not its LAN's gateway

Post by KBerger » Mon Mar 02, 2020 2:55 pm

TinCanTech wrote (Mon Mar 02, 2020 1:22 pm):
> The Howto explicitly explains what is required for this.

That's why I explicitly mentioned at the beginning what I did according to the HOWTO.
But here's the problem: it still doesn't have the desired effect. Or did I address a wrong HOWTO?

> FYI: Openvpn neither knows nor cares if you are using a VM or not.

No, it doesn't. But it's been my experience that people whom I ask for help sometimes care to know more details about what, how and why. At least I do when they ask me...

Thank you anyway :)

KBerger
OpenVPN User
Posts: 31
Joined: Wed Mar 16, 2011 1:27 pm

Re: Site-to-site when VPN client is not its LAN's gateway

Post by KBerger » Tue Mar 03, 2020 8:46 am

Ok, my configs from the OP were correct.
It just was NOT enough to add a route to each machine on the client's LAN.
It is equally important to configure NAT/redirect firewall rules on the VPN client machine. Same as it is needed in case this client acts as "standard" gateway (with 2 NICs) for its LAN.

As the goal was to connect 192.168.0.0/27 with 192.168.8.0/24, I used these rules (FreeBSD PF):
1. Packets from VPN server LANs translated to the client's LAN:

nat on em0 from 192.168.0.0/27 to 192.168.8.0/24 -> (em0)
nat on em0 from 10.0.0.0/24 to 192.168.8.0/24 -> (em0)
2. Making VPN client act as gateway to VPN server's LAN:

rdr pass on em0 from any to 192.168.0.0/27 -> 10.0.0.1
3. NAT for tun0 device:

nat on tun0 from 192.168.8.0/24 to 192.168.0.0/27 -> (tun0)
nat on tun0 from any to 10.0.0.0/24 -> (tun0)
nat on tun0 from any to 192.168.8.0/24 -> (em0)
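As an added illustration, not part of the thread and not OpenVPN or PF code, of why the setup in the first post failed and why both remedies discussed here (a static route on every LAN host pointing at 192.168.8.23, or the `nat on em0 ... -> (em0)` rule that rewrites the source to the VPN client's address) make the replies come back: a small Python model of the reply path from an ordinary client-LAN host. The addresses are the thread's; the server-LAN host 192.168.0.10 is a constructed value.

```python
import ipaddress

# Constructed topology taken from the thread: server LAN 192.168.0.0/27, tunnel
# 10.0.0.0/24, client LAN 192.168.8.0/24.  The VPN client (192.168.8.23) is NOT
# the LAN's default gateway (192.168.8.1); other LAN hosts know nothing about it.
VPN_CLIENT = "192.168.8.23"
LAN_GATEWAY = "192.168.8.1"
SERVER_LAN = "192.168.0.0/27"
SERVER_LAN_HOST = "192.168.0.10"   # constructed address of a host behind the VPN server


def next_hop(table, dst):
    """Longest-prefix match over [(network, gateway)]; gateway None means on-link."""
    best = None
    for net, gw in table:
        net = ipaddress.ip_network(net)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None                      # no route at all: the packet is dropped
    return dst if best[1] is None else best[1]


def lan_host_table(static_route=False):
    """Routing table of an ordinary client-LAN host such as 192.168.8.5."""
    table = [("192.168.8.0/24", None), ("0.0.0.0/0", LAN_GATEWAY)]
    if static_route:                     # the `route add 192.168.0.0/24 192.168.8.23` idea
        table.append((SERVER_LAN, VPN_CLIENT))
    return table


def reply_next_hop(snat=False, static_route=False):
    """Where 192.168.8.5 sends its reply to a packet the VPN client forwarded to it.

    snat=True models PF's `nat on em0 from 192.168.0.0/27 to 192.168.8.0/24 -> (em0)`:
    the LAN host then sees the VPN client's own address as the packet's source.
    """
    seen_src = VPN_CLIENT if snat else SERVER_LAN_HOST
    return next_hop(lan_host_table(static_route), seen_src)


def reply_reaches_vpn_client(snat=False, static_route=False):
    return reply_next_hop(snat, static_route) == VPN_CLIENT


if __name__ == "__main__":
    for snat, sr in [(False, False), (True, False), (False, True)]:
        print(f"snat={snat} static_route={sr}: reply goes to {reply_next_hop(snat, sr)}")
```

Without either fix the reply is handed to 192.168.8.1, which has no route back through the tunnel, so the connection never completes from the server side.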
