I've been working on a small project of trying to set up an OpenVPN server I can use to access my LAN (192.168.2.0/24) at my apartment when I'm away. The struggle is that the apartment is behind a CG-NAT and getting around it.
My current situation: I can ping my router when I am logged into the VPN, but unable to ping any devices behind my router.
I've set up an OpenVPN server that is accessible publicly on a VPS and have my router tunnel in as a client (using FreshTomato firmware if curious). I am able to successfully connect my router to my OpenVPN server and my other devices that I am using off-network (my phone and laptop currently). I am trying to set it up so that when I connect to my VPN with my phone or laptop that I can ping my 192.168.2.x devices behind my router.
Setting up routing rules is not really my forte. I know I'm missing something but just am not sure what. Perhaps I need iptables rules on my router to allow the VPN subnet 10.8.0.0/24 through? Not sure honestly, so am looking for any help on setup. Thanks to anyone who can bless me with their networking expertise. My OpenVPN configuration is below:
Server Config
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
dh /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
client-config-dir ccd
route 192.168.2.0 255.255.255.0
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
client-to-client
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
iroute 192.168.1.0 255.255.255.0
client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
redirect-gateway def1
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 10.8.0.0/24 anywhere
DROP all -- anywhere anywhere state NEW
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
shlimit tcp -- anywhere anywhere tcp dpt:ssh state NEW
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
logdrop all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere state NEW
all -- anywhere anywhere account: network/netmask: 192.168.2.0/255.255.255.0 name: lan
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
wanin all -- anywhere anywhere
wanout all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
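An added consistency check for the routing lines in the configs above (editor's example, not code from the post or from OpenVPN): it parses the server's `route`, the ccd `iroute` and any `push "route ..."` entries and reports subnets that are routed on the server but claimed by no client, claimed by a client but not routed, or never pushed to the other clients. The posted server config and ccd entry are embedded as constructed sample input; on them the check flags that 192.168.2.0/24 is routed while the ccd file iroutes 192.168.1.0/24, and that no route to the LAN is pushed to the phone and laptop.

```python
import ipaddress
import re

# Constructed sample input: the routing-relevant lines of the posted server
# config and the posted ccd entry (file name "router" is an assumption).
SERVER_CONF = """
server 10.8.0.0 255.255.255.0
client-config-dir ccd
route 192.168.2.0 255.255.255.0
push "dhcp-option DNS 208.67.222.222"
client-to-client
"""
CCD_FILES = {"router": "iroute 192.168.1.0 255.255.255.0\n"}

def to_net(addr, mask="255.255.255.255"):
    """OpenVPN 'address [netmask]' pair -> ip_network (default mask is /32)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_routes(text):
    """Return (routes, iroutes, pushed) sets of ip_network found in config text."""
    routes, iroutes, pushed = set(), set(), set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.match(r'push\s+"route\s+(\S+)(?:\s+(\S+))?"', line)
        if m:
            pushed.add(to_net(m.group(1), m.group(2) or "255.255.255.255"))
            continue
        parts = line.split()
        if parts[0] == "route":
            routes.add(to_net(*parts[1:3]))
        elif parts[0] == "iroute":
            iroutes.add(to_net(*parts[1:3]))
    return routes, iroutes, pushed

def check_site_to_site(server_conf, ccd_files):
    """List routing inconsistencies between server config and ccd files."""
    routes, _, pushed = parse_routes(server_conf)
    iroutes = set()
    for text in ccd_files.values():
        iroutes |= parse_routes(text)[1]
    findings = []
    for net in sorted(routes - iroutes):
        findings.append(f"route {net}: no ccd iroute claims it, so the server "
                        "cannot map it to a client")
    for net in sorted(iroutes - routes):
        findings.append(f"iroute {net}: no server route, so the kernel never "
                        "sends it into the tunnel")
    for net in sorted(routes - pushed):
        findings.append(f"{net} is not pushed with push \"route ...\"; clients "
                        "without redirect-gateway will not route to it")
    return findings
```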