Moved Server to new subnet (10.8.0.0 to 10.8.101.0) - no access to LAN access

samb
OpenVpn Newbie
Posts: 18
Joined: Sun Nov 29, 2015 11:38 pm

Moved Server to new subnet (10.8.0.0 to 10.8.101.0) - no access to LAN access

Post by samb » Wed Sep 15, 2021 7:58 pm

Hi!

I had a working setup as follows:

LAN: 192.168.1.0
OpenVPN Server: 192.168.1.18
VPN Subnet: 10.8.0.0
Port 1194 open from Internet, forwarded to OpenVPN Server.

All was working, I could access hosts on LAN subnet when connecting over VPN from Internet. It was just one problem. I had several VPN's and the VPN subnet (10.8.0.0) could have a potential collision when connecting to multiple. So I decided to change the VPN subnet to 10.8.101.0.
I updated iptables with the new IP in the forward rule between VPN and LAN subnets.
I can connect and access the OpenVPN server without any issues. But I still cannot access any hosts on LAN.

#iptables -L (partial output)

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             10.8.101.0/24        ctstate RELATED,ESTABLISHED /* openvpn-forward-rule */
ACCEPT     all  --  10.8.101.0/24        anywhere             /* openvpn-forward-rule */
ufw-before-logging-forward  all  --  anywhere             anywhere            
ufw-before-forward  all  --  anywhere             anywhere            
ufw-after-forward  all  --  anywhere             anywhere            
ufw-after-logging-forward  all  --  anywhere             anywhere            
ufw-reject-forward  all  --  anywhere             anywhere            
ufw-track-forward  all  --  anywhere             anywhere
From the shell at the OpenVPN server I can access hosts on the LAN (192.168.1.0) subnet.
What more do I need to change to get access here? Note that it was working before; the only change was the VPN subnet.

EDIT: Forgot to mention, I also changed the push route in the server configuration.
A traceroute from the client to a LAN IP finds its way to the VPN server, but not to the LAN.

EDIT again:
ping 192.168.1.18 (OpenVPN Server LAN IP) from VPN Client = Success
ping 192.168.1.2 (host on LAN) = Fail

tracert 192.168.1.2
Tracing route to 192.168.1.2 over a maximum of 30 hops
  1   304 ms    40 ms    37 ms  10.8.101.1
  2     *        *        *     Request timed out.
  3     *     ^C

tracert 192.168.1.18
Tracing route to 192.168.1.18 over a maximum of 30 hops
  1   295 ms    24 ms    27 ms  192.168.1.18
I have checked that I still have this (not changed during my subnet move):
net.ipv4.ip_forward = 1

The client route-table seems to be fine:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.55.1   192.168.55.155     25
       10.8.101.0    255.255.255.0         On-link        10.8.101.2    281
       10.8.101.2  255.255.255.255         On-link        10.8.101.2    281
     10.8.101.255  255.255.255.255         On-link        10.8.101.2    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0       10.8.101.1       10.8.101.2    281
     192.168.55.0    255.255.255.0         On-link    192.168.55.155    281
   192.168.55.155  255.255.255.255         On-link    192.168.55.155    281
   192.168.55.255  255.255.255.255         On-link    192.168.55.155    281
    192.168.121.0    255.255.255.0         On-link     192.168.121.1    291
    192.168.121.1  255.255.255.255         On-link     192.168.121.1    291
  192.168.121.255  255.255.255.255         On-link     192.168.121.1    291
    192.168.186.0    255.255.255.0         On-link     192.168.186.1    291
    192.168.186.1  255.255.255.255         On-link     192.168.186.1    291
  192.168.186.255  255.255.255.255         On-link     192.168.186.1    291
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     192.168.186.1    291
        224.0.0.0        240.0.0.0         On-link     192.168.121.1    291
        224.0.0.0        240.0.0.0         On-link        10.8.101.2    281
        224.0.0.0        240.0.0.0         On-link    192.168.55.155    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     192.168.186.1    291
  255.255.255.255  255.255.255.255         On-link     192.168.121.1    291
  255.255.255.255  255.255.255.255         On-link        10.8.101.2    281
  255.255.255.255  255.255.255.255         On-link    192.168.55.155    281
===========================================================================
Server IP config:

pi@raspberrypi:~ $ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.18  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::5a13:1188:fe7e:4542  prefixlen 64  scopeid 0x20<link>
        ether b8:27:eb:98:f7:67  txqueuelen 1000  (Ethernet)
        RX packets 45234  bytes 3704375 (3.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 18098  bytes 2370883 (2.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.101.1  netmask 255.255.255.0  destination 10.8.101.1
        inet6 fe80::53e6:d905:caec:f46d  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 1748  bytes 126554 (123.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1204  bytes 472084 (461.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

The full iptables output:

Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn /* openvpn-input-rule */
2    ufw-before-logging-input  all  --  anywhere             anywhere
3    ufw-before-input  all  --  anywhere             anywhere
4    ufw-after-input  all  --  anywhere             anywhere
5    ufw-after-logging-input  all  --  anywhere             anywhere
6    ufw-reject-input  all  --  anywhere             anywhere
7    ufw-track-input  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             10.8.101.0/24        ctstate RELATED,ESTABLISHED /* openvpn-forward-rule */
2    ACCEPT     all  --  10.8.101.0/24        anywhere             /* openvpn-forward-rule */
3    ufw-before-logging-forward  all  --  anywhere             anywhere
4    ufw-before-forward  all  --  anywhere             anywhere
5    ufw-after-forward  all  --  anywhere             anywhere
6    ufw-after-logging-forward  all  --  anywhere             anywhere
7    ufw-reject-forward  all  --  anywhere             anywhere
8    ufw-track-forward  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ufw-before-logging-output  all  --  anywhere             anywhere
2    ufw-before-output  all  --  anywhere             anywhere
3    ufw-after-output  all  --  anywhere             anywhere
4    ufw-after-logging-output  all  --  anywhere             anywhere
5    ufw-reject-output  all  --  anywhere             anywhere
6    ufw-track-output  all  --  anywhere             anywhere

Chain ufw-before-logging-input (1 references)
num  target     prot opt source               destination

Chain ufw-before-logging-output (1 references)
num  target     prot opt source               destination

Chain ufw-before-logging-forward (1 references)
num  target     prot opt source               destination

Chain ufw-before-input (1 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
3    ufw-logging-deny  all  --  anywhere             anywhere             ctstate INVALID
4    DROP       all  --  anywhere             anywhere             ctstate INVALID
5    ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
6    ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
7    ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
8    ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
9    ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
10   ufw-not-local  all  --  anywhere             anywhere
11   ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns
12   ACCEPT     udp  --  anywhere             239.255.255.250      udp dpt:1900
13   ufw-user-input  all  --  anywhere             anywhere

Chain ufw-before-output (1 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
3    ufw-user-output  all  --  anywhere             anywhere

Chain ufw-before-forward (1 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
2    ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
3    ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
4    ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
5    ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
6    ufw-user-forward  all  --  anywhere             anywhere

Chain ufw-after-input (1 references)
num  target     prot opt source               destination
1    ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
2    ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
3    ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
4    ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
5    ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
6    ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootpc
7    ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-output (1 references)
num  target     prot opt source               destination

Chain ufw-after-forward (1 references)
num  target     prot opt source               destination

Chain ufw-after-logging-input (1 references)
num  target     prot opt source               destination
1    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
num  target     prot opt source               destination

Chain ufw-after-logging-forward (1 references)
num  target     prot opt source               destination
1    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-reject-input (1 references)
num  target     prot opt source               destination

Chain ufw-reject-output (1 references)
num  target     prot opt source               destination

Chain ufw-reject-forward (1 references)
num  target     prot opt source               destination

Chain ufw-track-input (1 references)
num  target     prot opt source               destination

Chain ufw-track-output (1 references)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
2    ACCEPT     udp  --  anywhere             anywhere             ctstate NEW

Chain ufw-track-forward (1 references)
num  target     prot opt source               destination

Chain ufw-logging-deny (2 references)
num  target     prot opt source               destination
1    RETURN     all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
2    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-logging-allow (0 references)
num  target     prot opt source               destination
1    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-skip-to-policy-input (7 references)
num  target     prot opt source               destination
1    DROP       all  --  anywhere             anywhere

Chain ufw-skip-to-policy-output (0 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere

Chain ufw-skip-to-policy-forward (0 references)
num  target     prot opt source               destination
1    DROP       all  --  anywhere             anywhere

Chain ufw-not-local (1 references)
num  target     prot opt source               destination
1    RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
2    RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
3    RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
4    ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
5    DROP       all  --  anywhere             anywhere

Chain ufw-user-input (1 references)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
2    ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn

Chain ufw-user-output (1 references)
num  target     prot opt source               destination

Chain ufw-user-forward (1 references)
num  target     prot opt source               destination

Chain ufw-user-logging-input (0 references)
num  target     prot opt source               destination

Chain ufw-user-logging-output (0 references)
num  target     prot opt source               destination

Chain ufw-user-logging-forward (0 references)
num  target     prot opt source               destination

Chain ufw-user-limit (0 references)
num  target     prot opt source               destination
1    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
2    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere

Where else can I look? Please give me some advice! :)

samb
OpenVpn Newbie
Posts: 18
Joined: Sun Nov 29, 2015 11:38 pm

Re: Moved Server to new subnet (10.8.0.0 to 10.8.101.0) - no access to LAN access

Post by samb » Tue Sep 21, 2021 8:08 am

Does anyone have a clue where I should look?
I'm inclined to just wipe and start from scratch, as the server is new. But I'm really interested in finding the actual point I'm missing here so I learn from my experience.
Big thanks if you have an idea!

300000
OpenVPN Expert
Posts: 624
Joined: Tue May 01, 2012 9:30 pm

Re: Moved Server to new subnet (10.8.0.0 to 10.8.101.0) - no access to LAN access

Post by 300000 » Tue Sep 21, 2021 10:18 am

You need to post all VPN server configs so we can find out why it does not connect. Without info nobody knows why, and there is nothing we can do to help you.

samb
OpenVpn Newbie
Posts: 18
Joined: Sun Nov 29, 2015 11:38 pm

Re: Moved Server to new subnet (10.8.0.0 to 10.8.101.0) - no access to LAN access

Post by samb » Tue Sep 21, 2021 10:27 am

Sorry for not including it... I skipped it as it was OK before the subnet change.
Here it comes! :)

server.conf

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/raspberrypi_27208233-fcca-4b7e-bdae-f54351b23d08.crt
key /etc/openvpn/easy-rsa/pki/private/raspberrypi_27208233-fcca-4b7e-bdae-f54351b23d08.key
dh none
ecdh-curve prime256v1
topology subnet
server 10.8.101.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
client-config-dir /etc/openvpn/ccd
keepalive 15 120
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-GCM
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3


client.ovpn

client
dev tun
proto udp
remote example.com 1194
resolv-retry infinite
nobind
remote-cert-tls server
tls-version-min 1.2
verify-x509-name raspberrypi_27208233-fcca-4b7e-bdae-f54351b23d08 name
cipher AES-256-GCM
auth SHA256
auth-nocache
verb 3
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-crypt>

300000
OpenVPN Expert
Posts: 624
Joined: Tue May 01, 2012 9:30 pm

Re: Moved Server to new subnet (10.8.0.0 to 10.8.101.0) - no access to LAN access

Post by 300000 » Tue Sep 21, 2021 11:16 am

It is NAT trouble. What was the NAT rule before, and what is the NAT rule after you changed the subnet? iptables rules differ between OSes, so you need to change them as needed.

On my Linux it only does this, and it can NAT the subnet, but again you need to check your firewall rules to make it work.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

You can check all NAT in iptables with this command:

iptables -t nat -L -n -v

samb
OpenVpn Newbie
Posts: 18
Joined: Sun Nov 29, 2015 11:38 pm

Re: Moved Server to new subnet (10.8.0.0 to 10.8.101.0) - no access to LAN access

Post by samb » Tue Sep 21, 2021 11:34 am

Sorry, I don't understand what you mean. Could iptables have been changed without my interaction? I have only changed the forward policy (see the full iptables config above).

1    ACCEPT     all  --  anywhere             10.8.101.0/24        ctstate RELATED,ESTABLISHED /* openvpn-forward-rule */
2    ACCEPT     all  --  10.8.101.0/24        anywhere             /* openvpn-forward-rule */

samb
OpenVpn Newbie
Posts: 18
Joined: Sun Nov 29, 2015 11:38 pm

Re: Moved Server to new subnet (10.8.0.0 to 10.8.101.0) - no access to LAN access

Post by samb » Tue Sep 21, 2021 11:38 am

Thanks for adding this. I'll check it out!
300000 wrote:
Tue Sep 21, 2021 11:16 am
You can check all NAT in iptables with this command:

iptables -t nat -L -n -v

Output:

Chain PREROUTING (policy ACCEPT 8550 packets, 1211K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 175 packets, 22898 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 7051 packets, 429K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      eth0    10.8.0.0/24          0.0.0.0/0            /* openvpn-nat-rule */

Chain OUTPUT (policy ACCEPT 6949 packets, 423K bytes)
 pkts bytes target     prot opt in     out     source               destination

So, there is the old IP... :)

samb
OpenVpn Newbie
Posts: 18
Joined: Sun Nov 29, 2015 11:38 pm

Re: Moved Server to new subnet (10.8.0.0 to 10.8.101.0) - no access to LAN access

Post by samb » Tue Sep 21, 2021 12:06 pm

I managed to fix this by changing the iptables POSTROUTING MASQUERADE configuration (edited /etc/iptables/rules.v4) with the new subnet.
I have learned that

iptables -L

does not list everything... :oops:

300000
OpenVPN Expert
Posts: 624
Joined: Tue May 01, 2012 9:30 pm

Re: Moved Server to new subnet (10.8.0.0 to 10.8.101.0) - no access to LAN access

Post by 300000 » Tue Sep 21, 2021 1:09 pm

POSTROUTING (policy ACCEPT 7051 packets, 429K bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * eth0 10.8.0.0/



This means your server NATs the old IP range 10.8.0.0, so it works on the old, not the new, IP subnet.

You can open a terminal and run this command:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

samb
OpenVpn Newbie
Posts: 18
Joined: Sun Nov 29, 2015 11:38 pm

Re: Moved Server to new subnet (10.8.0.0 to 10.8.101.0) - no access to LAN access

Post by samb » Thu Sep 23, 2021 10:50 am

Thanks! I solved it by editing the config file. But just so I learn:

If I had done it with the command

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

how does the command affect the subnet 10.8.101.0, as it's not specified in the command?

Just to complete my lessons learned here... :)
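An added example, not code from this thread or from the OpenVPN project: a POSIX shell script that reads the "server" line from server.conf and compares it with the MASQUERADE rules in iptables-save output, which (unlike a bare "iptables -L", which shows only the filter table) covers the nat table as well. The server.conf fragment and the three rule sets below are constructed to mirror the thread: the stale 10.8.0.0/24 rule that was still persisted, the corrected 10.8.101.0/24 rule, and the unscoped "-o eth0 -j MASQUERADE" form suggested in the replies. The function names are my own. It also answers the closing question: a MASQUERADE rule with no "-s" has an implicit source of 0.0.0.0/0, so it applies to 10.8.101.0/24 and to every other forwarded source that leaves eth0; the scoped rule is the least-privilege form and is what the check treats as fully correct.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check the OpenVPN "server" subnet
# against the nat POSTROUTING rules, using iptables-save format as input.
# Run the real thing with: check_vpn_nat "$(cat /etc/openvpn/server.conf)" "$(iptables-save)" eth0

# Constructed server.conf fragment, as in the thread after the move
SERVER_CONF='dev tun
topology subnet
server 10.8.101.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"'

# Constructed iptables-save output: correct FORWARD rules, stale MASQUERADE rule
IPTABLES_SAVE_STALE='*filter
:FORWARD DROP [0:0]
-A FORWARD -d 10.8.101.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.101.0/24 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT'

# The same after /etc/iptables/rules.v4 was edited for the new subnet
IPTABLES_SAVE_FIXED=$(printf '%s\n' "$IPTABLES_SAVE_STALE" | sed 's#-s 10.8.0.0/24#-s 10.8.101.0/24#')

# The unscoped rule from the replies: no -s, so it matches any forwarded source
IPTABLES_SAVE_UNSCOPED='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Convert a dotted netmask to a prefix length (255.255.255.0 -> 24)
mask_to_prefix() {
    bits=0
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        case "$octet" in
            255) bits=$((bits + 8)) ;;  254) bits=$((bits + 7)) ;;
            252) bits=$((bits + 6)) ;;  248) bits=$((bits + 5)) ;;
            240) bits=$((bits + 4)) ;;  224) bits=$((bits + 3)) ;;
            192) bits=$((bits + 2)) ;;  128) bits=$((bits + 1)) ;;
            0) ;;                       *) return 1 ;;
        esac
    done
    printf '%s\n' "$bits"
}

# Print the "server <net> <mask>" directive of a server.conf in CIDR form
vpn_subnet_from_conf() {
    set -- $(printf '%s\n' "$1" | awk '$1 == "server" { print $2, $3; exit }')
    [ -n "$2" ] || return 1
    printf '%s/%s\n' "$1" "$(mask_to_prefix "$2")"
}

# Print the source of every MASQUERADE rule leaving <iface> in the nat table,
# one per line; a rule without -s is reported as 0.0.0.0/0 (matches everything)
masquerade_sources() {
    printf '%s\n' "$1" | awk -v iface="$2" '
        /^\*/ { table = substr($1, 2) }
        table == "nat" && /^-A POSTROUTING/ && / -j MASQUERADE/ {
            src = "0.0.0.0/0"; out = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-o") out = $(i + 1)
            }
            if (out == iface) print src
        }'
}

# Exit 0 if a MASQUERADE rule on <iface> is scoped exactly to the VPN subnet,
# 2 if only an unscoped (0.0.0.0/0) rule covers it, 1 if nothing covers it
check_vpn_nat() {
    want=$(vpn_subnet_from_conf "$1") || return 1
    status=1
    for src in $(masquerade_sources "$2" "$3"); do
        if [ "$src" = "$want" ]; then
            return 0
        elif [ "$src" = "0.0.0.0/0" ]; then
            status=2
        fi
    done
    return "$status"
}

# Demonstrate all three rule sets against the same server.conf
for name in STALE FIXED UNSCOPED; do
    eval "rules=\$IPTABLES_SAVE_$name"
    rc=0; check_vpn_nat "$SERVER_CONF" "$rules" eth0 || rc=$?
    case "$rc" in
        0) echo "$name: MASQUERADE scoped to the VPN subnet - OK" ;;
        2) echo "$name: unscoped MASQUERADE on eth0 - works, but NATs every forwarded source" ;;
        *) echo "$name: no MASQUERADE for $(vpn_subnet_from_conf "$SERVER_CONF") on eth0 - LAN replies cannot return" ;;
    esac
done
```

The STALE case reproduces the thread's symptom: FORWARD accepts the new subnet, but without matching NAT the LAN hosts see packets from 10.8.101.x and have no route back, so the client's traceroute dies after 10.8.101.1. Reading iptables-save rather than "iptables -L" is what makes the stale nat entry visible in one place.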
