Access client LAN only accesses certain IPs but not all in range

apalomer
OpenVpn Newbie
Posts: 6
Joined: Mon Apr 27, 2020 1:57 pm

Access client LAN only accesses certain IPs but not all in range

Post by apalomer » Wed Jul 29, 2020 8:20 am

Hi!

I have set up a two-daemon VPN server. One VPN daemon is used for administrators (10.8.0.0/24) and gives access to the server's LAN (192.168.8.0/24) as well as to the VPN daemon for users (10.8.1.0/24).
The users VPN (10.8.1.0/24) has no access to the server's LAN nor to the admins VPN (10.8.0.0/24).
Moreover, the users VPN (10.8.1.0/24) has a special client that has a LAN with 192.168.1.0/23.
This LAN has the machines 192.168.1.61 (the client), 192.168.1.25 (a camera) and 192.168.1.4 (a sensor).

If I connect the special client of 10.8.1.0/24 as well as an admin to the 10.8.0.0/24, I can ping from the admin (IP on 10.8.0.0/24) the special client LAN (192.168.1.61) as well as the sensor (192.168.1.4) but not the camera (192.168.1.25).
However, if I ssh into the special client (192.168.1.61) I can ping from there the camera (192.168.1.25).
Do you have any clue on why this happens? Why can I only ping a part of the client's LAN?

VPN server ufw before rules:

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to enp2s0
-A POSTROUTING -s 10.8.0.0/24 -o enp2s0 -j MASQUERADE
-A POSTROUTING -s 10.8.1.0/24 -o enp2s0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -d 10.8.1.0/24 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -d 192.168.1.0/24 -j MASQUERADE
COMMIT
# END OPENVPN RULES

admins server configuration

port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "route 10.8.1.0 255.255.255.0"
push "route 192.168.8.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 10.8.1.1"
push "dhcp-option DNS 192.168.1.1"
client-to-client
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3

management localhost 7505


users server configuration

port 1195
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh.pem
server 10.8.1.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
client-config-dir ccd
route 10.8.1.0 255.255.255.0
route 192.168.1.0 255.255.255.0
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3

management localhost 7506


special client file in ccd

iroute 192.168.1.0 255.255.255.0

Things that I have tried
I have already tried to change the 10.8.1.0/24 VPN server to

route 192.168.1.0 255.255.254.0

and the client file in the ccd to

iroute 192.168.1.0 255.255.254.0

so it matches the 192.168.1.0/23 of the client's configured LAN interface.
In this case, I cannot ping anything on the 192.168.1.X network.
Last edited by Pippin on Wed Jul 29, 2020 9:33 am, edited 1 time in total.
Reason: Formatting
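
Added example, not part of the original post or of OpenVPN itself: a Python check, built only from the addresses and lines quoted in the post above, that every line naming the client LAN uses an aligned network address and covers the three hosts listed. The names HOSTS, POSTED, ATTEMPT, parse_prefix, audit and lan_network are made up for this example, and the 255.255.254.0 mask is taken from the post's description of the client LAN.

```python
import ipaddress

# Constructed from the post: the LAN hosts it names and each line that refers to the client LAN.
HOSTS = ["192.168.1.61", "192.168.1.25", "192.168.1.4"]
POSTED = [
    'push "route 192.168.1.0 255.255.255.0"',                         # admins server
    "route 192.168.1.0 255.255.255.0",                                # users server
    "iroute 192.168.1.0 255.255.255.0",                               # ccd file
    "-A POSTROUTING -s 10.8.0.0/24 -d 192.168.1.0/24 -j MASQUERADE",  # ufw NAT rule
]
ATTEMPT = ["route 192.168.1.0 255.255.254.0", "iroute 192.168.1.0 255.255.254.0"]

def parse_prefix(line):
    """Return (address as written, enclosing network) for a route, iroute or -d match."""
    words = line.replace('"', " ").split()
    if "-d" in words:
        spec = words[words.index("-d") + 1]
    else:
        i = next(n for n, w in enumerate(words) if w in ("route", "iroute"))
        spec = f"{words[i + 1]}/{words[i + 2]}"
    addr = ipaddress.IPv4Address(spec.split("/")[0])
    # strict=False masks off host bits so the real network is visible.
    return addr, ipaddress.IPv4Network(spec, strict=False)

def audit(lines, hosts=HOSTS):
    """Flag misaligned prefixes and LAN hosts that a line does not cover."""
    findings = []
    for line in lines:
        addr, net = parse_prefix(line)
        if addr != net.network_address:
            findings.append(f"{line}: {addr} is not the network address of {net}")
        missing = [h for h in hosts if ipaddress.IPv4Address(h) not in net]
        if missing:
            findings.append(f"{line}: does not cover {', '.join(missing)}")
    return findings

def lan_network(hosts, netmask):
    """Aligned network that contains every host under the given mask."""
    nets = {ipaddress.IPv4Network(f"{h}/{netmask}", strict=False) for h in hosts}
    if len(nets) != 1:
        raise ValueError("hosts are not in one network for this mask")
    return nets.pop()

if __name__ == "__main__":
    for finding in audit(POSTED) + audit(ATTEMPT):
        print(finding)
    print("LAN under a /23 mask:", lan_network(HOSTS, "255.255.254.0"))
```

Run as is, it reports nothing for the posted /24 lines, flags 192.168.1.0 with mask 255.255.254.0 as misaligned, and prints 192.168.0.0/23 as the network that holds the three hosts under that mask.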

TinCanTech
OpenVPN Protagonist
Posts: 7584
Joined: Fri Jun 03, 2016 1:17 pm

Re: Access client LAN only accesses certain IPs but not all in range

Post by TinCanTech » Fri Jul 31, 2020 12:32 pm

You need to understand IP routing.

If you cannot resolve your problem then I am available for hire.

apalomer
OpenVpn Newbie
Posts: 6
Joined: Mon Apr 27, 2020 1:57 pm

Re: Access client LAN only accesses certain IPs but not all in range

Post by apalomer » Mon Aug 03, 2020 10:25 am

Send me your information and I'll contact you (I cannot send private messages).

TinCanTech
OpenVPN Protagonist
Posts: 7584
Joined: Fri Jun 03, 2016 1:17 pm

Re: Access client LAN only accesses certain IPs but not all in range

Post by TinCanTech » Mon Aug 03, 2020 10:34 am

Contact: tincanteksup <at> gmail dot com
