Setting up OpenVPN server for my CG-NAT'ed apartment

mike406
OpenVpn Newbie
Posts: 2
Joined: Tue Apr 06, 2021 4:15 am

Setting up OpenVPN server for my CG-NAT'ed apartment

Post by mike406 » Tue Apr 06, 2021 4:27 am

Hi all,

I've been working on a small project of trying to set up an OpenVPN server I can use to access my LAN (192.168.2.0/24) at my apartment when I'm away. The struggle is the apartment is behind a CG-NAT and getting around it.

My current situation: I can ping my router when I am logged into the VPN, but unable to ping any devices behind my router.

I've set up an OpenVPN server that is accessible publicly on a VPS and have my router tunnel in as a client (using FreshTomato firmware if curious). I am able to successfully connect my router to my OpenVPN server and my other devices that I am using off-network (my phone and laptop currently). I am trying to set it up so that when I connect to my VPN with my phone or laptop that I can ping my 192.168.2.x devices behind my router.

Setting up routing rules is not really my forte. I know I'm missing something but am just not sure what. Perhaps I need iptables rules on my router to allow the VPN subnet 10.8.0.0/24 through? Not sure honestly, so I am looking for any help on setup. Thanks to anyone who can bless me with their networking expertise. My OpenVPN configuration is below:

Server Config

# OpenVPN server on the publicly reachable VPS
port 1194
proto udp
dev tun

ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key      # assumed path: absent from the post, but a key is required alongside cert
dh /etc/openvpn/dh2048.pem
tls-auth /etc/openvpn/ta.key 0   # assumed path: the client config uses "tls-auth ta.key 1", so the server needs the same key with direction 0

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt

# Kernel route on the VPS for the apartment LAN; the matching iroute in the
# ccd file tells OpenVPN which connected client owns that network
client-config-dir ccd
route 192.168.2.0 255.255.255.0

push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

# Lets the phone/laptop clients reach the router client (and its LAN) via the server
client-to-client

keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
Then inside ccd/router (using the actual cert common name as the file name)

# Must name the LAN behind the router client (192.168.2.0/24) and match the server's "route" line
iroute 192.168.2.0 255.255.255.0
Client Config

# Router (FreshTomato) side, connecting out to the VPS
client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1194      # public address of the VPS
resolv-retry infinite
nobind
persist-key
persist-tun

# Sends all of the router's own traffic through the tunnel, not just the VPN subnet
redirect-gateway def1

ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1                # direction 1 on the client, 0 on the server

cipher AES-256-CBC
verb 3
iptables on my apartment router

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  10.8.0.0/24          anywhere
DROP       all  --  anywhere             anywhere            state NEW
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
shlimit    tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
logdrop    all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere            state NEW
           all  --  anywhere             anywhere            account: network/netmask: 192.168.2.0/255.255.255.0 name: lan
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
wanin      all  --  anywhere             anywhere
wanout     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

TinCanTech
OpenVPN Protagonist
Posts: 8874
Joined: Fri Jun 03, 2016 1:17 pm

Re: Setting up OpenVPN server for my CG-NAT'ed apartment

Post by TinCanTech » Tue Apr 06, 2021 1:33 pm

Please see the howto here:
https://community.openvpn.net/openvpn/wiki/HOWTO

300000
OpenVPN Super User
Posts: 497
Joined: Tue May 01, 2012 9:30 pm

Re: Setting up OpenVPN server for my CG-NAT'ed apartment

Post by 300000 » Tue Apr 06, 2021 10:37 pm

You only need to NAT and IP forward at the OpenVPN client so that it can route all the subnets you want. You must do the same as with the OpenVPN server. That is the last step you need to do before you can ping the subnet. All other things have been done correctly. That is a site-to-site connection and that's all.

mike406
OpenVpn Newbie
Posts: 2
Joined: Tue Apr 06, 2021 4:15 am

Re: Setting up OpenVPN server for my CG-NAT'ed apartment

Post by mike406 » Wed Apr 07, 2021 3:09 am

TinCanTech wrote:
Tue Apr 06, 2021 1:33 pm
Please see the howto here:
https://community.openvpn.net/openvpn/wiki/HOWTO
Been through it. I think I need to add some more routing rules at the router but I'm just not sure what exactly.
300000 wrote:
Tue Apr 06, 2021 10:37 pm
You only need to NAT and IP forward at the OpenVPN client so that it can route all the subnets you want. You must do the same as with the OpenVPN server. That is the last step you need to do before you can ping the subnet. All other things have been done correctly. That is a site-to-site connection and that's all.
Ok I was wondering that, so I am close. IP forwarding is enabled on my router. Do I just need to add another rule to the 'FORWARD' chain in iptables? Or maybe PREROUTING? I'm not really well-versed in setting up routing rules.

Edit: I got it! NAT rules were already good, I just needed this:

iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
Thank you for the help
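Two offline checks for the setup in this thread, added here as an example (not the poster's or OpenVPN's code): that every server "route" has a matching ccd "iroute", and that the router's FORWARD chain accepts the VPN subnet before its generic "state NEW" DROP, which is why the rule had to be inserted with -I rather than appended with -A. The server.conf, ccd and "iptables -S FORWARD" text it reads is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks for the two places this
# setup goes wrong. Inputs are constructed text standing in for server.conf,
# the ccd file, and `iptables -S FORWARD` output from the router.

VPN_NET="10.8.0.0/24"   # from "server 10.8.0.0 255.255.255.0"

# Constructed server.conf fragment, plus a ccd file typed for the wrong subnet
SERVER_CONF='server 10.8.0.0 255.255.255.0
route 192.168.2.0 255.255.255.0
client-config-dir ccd'
CCD_WRONG='iroute 192.168.1.0 255.255.255.0'
CCD_RIGHT='iroute 192.168.2.0 255.255.255.0'

# Constructed `iptables -S FORWARD` before the fix: policy DROP plus an early
# "state NEW" DROP, so an appended (-A) ACCEPT would never be reached
FORWARD_BEFORE='-P FORWARD DROP
-A FORWARD -m state --state NEW -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'
# ...and after `iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT` (inserted at top)
FORWARD_AFTER="-P FORWARD DROP
-A FORWARD -s $VPN_NET -j ACCEPT
$(printf '%s\n' "$FORWARD_BEFORE" | sed 1d)"

# Every server "route" needs a matching "iroute" in a ccd file; without it the
# server owns the kernel route but has no client to hand the packets to.
# Usage: check_iroute "$server_conf" "$ccd_text"; returns 1 on any mismatch.
check_iroute() {
    routes=$(printf '%s\n' "$1" | awk '$1=="route"  {print $2"/"$3}')
    iroutes=$(printf '%s\n' "$2" | awk '$1=="iroute" {printf "%s ", $2"/"$3}')
    rc=0
    for r in $routes; do
        case " $iroutes " in
            *" $r "*) ;;
            *) echo "route $r has no matching iroute"; rc=1 ;;
        esac
    done
    return $rc
}

# The FORWARD chain must ACCEPT the VPN subnet before any "--state NEW -j DROP".
# Usage: check_forward "$iptables_S_FORWARD" "$vpn_net"; returns 1 if the
# ACCEPT is missing or sits behind the DROP.
check_forward() {
    printf '%s\n' "$1" | awk -v net="$2" '
        $1=="-A" && /--state NEW -j DROP/ && !found           {blocked=1}
        $1=="-A" && index($0, "-s " net " ") && $NF=="ACCEPT" {found=1}
        END {exit ((found && !blocked) ? 0 : 1)}'
}
```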

300000
OpenVPN Super User
Posts: 497
Joined: Tue May 01, 2012 9:30 pm

Re: Setting up OpenVPN server for my CG-NAT'ed apartment

Post by 300000 » Wed Apr 07, 2021 8:47 am

Yes, you need to do the same as on the OpenVPN server:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
