Routing problems

Tobias_84
OpenVpn Newbie
Posts: 2
Joined: Tue Jan 18, 2022 5:27 pm

Routing problems

Post by Tobias_84 » Tue Jan 18, 2022 6:05 pm

Hello all,
I have been trying to get this to work for some days now. Both using the config file to push and enter routes and using iptables.

I have succeeded with a similar situation earlier, but I haven't configured an OpenVPN solution in years and my brain doesn't remember how anymore..

I would appreciate any hints to get it moving forward.

The scenario:
I need to access a remote PLC-system from my computer that I have with me. The OpenVPN-server is set up on a different site.
The PLC-system has a 4G router that connects to the OpenVPN server because its IP changes and/or is behind a NAT.

Code:

Laptop      OpenVPN-Server     4G Router     PLC + HMI
            192.168.162.254    192.168.5.1   192.168.5.10 / 192.168.5.11
10.8.2.5    10.8.2.1           10.8.2.10

How do I configure the 'routes' correctly on the server.conf and do I really need to set up IPtables?

Server.conf as I last tested it...

Code:

client-to-client
server 10.8.2.0 255.255.255.0
push "route 10.8.2.0 255.255.255.0"
push "route 192.168.162.0 255.255.255.0"

route 10.8.2.0 255.255.255.0 10.8.2.1
route 192.168.5.0 255.255.255.0 10.8.2.1

This results:
Laptop can reach 192.168.162.254 and 10.8.2.10
Server can reach 10.8.2.5, 10.8.2.10
Behind router can reach 192.168.162.254 and 10.8.2.5

If I add

Code:

push "route 192.168.5.0 255.255.255.0"

Everything behind the 4G router stops reaching anything, even the router (192.168.5.1).

The client config is basically original.

Regards
Tobias

300000
OpenVPN Expert
Posts: 656
Joined: Tue May 01, 2012 9:30 pm

Re: Routing problems

Post by 300000 » Thu Jan 20, 2022 11:43 pm

You need to make site-to-site between the PLC-system and the OpenVPN server, so your computer, connected to the OpenVPN server, can route to the PLC-system.

The PLC-system connects to the 4G router, so that is why it needs a site-to-site connection, so all routes will go over the OpenVPN virtual IP before it can connect to the real IP.

Tobias_84
OpenVpn Newbie
Posts: 2
Joined: Tue Jan 18, 2022 5:27 pm

Re: Routing problems

Post by Tobias_84 » Fri Jan 21, 2022 2:19 pm

Hello,

I have changed it to site-to-site using tap and it works now with 'computer' clients.
I can reach them and they can reach me.

But the PLC won't accept this. I can see on the ethernet port that the ping requests are read by the PLC but I get no ping response.
I can't set a gw address that is outside the PLC subnet. So still some tries left to get it working.

Is it possible to let the 4G router, which is connected as a client, serve IP to other clients connecting?

openvpn_inc
OpenVPN Inc.
Posts: 657
Joined: Tue Feb 16, 2021 10:41 am

Re: Routing problems

Post by openvpn_inc » Fri Jan 21, 2022 2:57 pm

Hello Tobias,

Tobias_84 wrote (Tue Jan 18, 2022 6:05 pm):
> I have been trying to get this to work for some days now. Both using the config file to push and enter routes and using iptables.

Note that iptables controls NAT and access, not routing.

Tobias_84 wrote (Tue Jan 18, 2022 6:05 pm):
> The scenario:
> I need to access a remote PLC-system from my computer that I have with me. The OpenVPN-server is set up on a different site.

I guess "on a different site" means you also connect to openvpn as a client?

Tobias_84 wrote (Tue Jan 18, 2022 6:05 pm):
> The PLC-system has a 4G router that connects to the OpenVPN server because its IP changes and/or is behind a NAT.
>
> Code:
>
> Laptop      OpenVPN-Server     4G Router     PLC + HMI
>             192.168.162.254    192.168.5.1   192.168.5.10 / 192.168.5.11
> 10.8.2.5    10.8.2.1           10.8.2.10
>
> How do I configure the 'routes' correctly on the server.conf and do I really need to set up IPtables?

Regarding iptables, probably not. You do not need NAT for this.

Tobias_84 wrote (Tue Jan 18, 2022 6:05 pm):
> Server.conf as I last tested it...
>
> Code:
>
> client-to-client
> server 10.8.2.0 255.255.255.0
> push "route 10.8.2.0 255.255.255.0"
> push "route 192.168.162.0 255.255.255.0"
>
> route 10.8.2.0 255.255.255.0 10.8.2.1
> route 192.168.5.0 255.255.255.0 10.8.2.1

The push and route to 10.8.2.0/24 are redundant, because your "server" line includes those.

Tobias_84 wrote (Tue Jan 18, 2022 6:05 pm):
> This results:
> Laptop can reach 192.168.162.254 and 10.8.2.10
> Server can reach 10.8.2.5, 10.8.2.10
> Behind router can reach 192.168.162.254 and 10.8.2.5

"Behind router can reach ... 10.8.2.5", was this not the goal? And if those can reach you but you can't reach them, that almost surely means you're blocking that with a firewall somewhere.

Tobias_84 wrote (Tue Jan 18, 2022 6:05 pm):
> If I add
>
> Code:
>
> push "route 192.168.5.0 255.255.255.0"
>
> Everything behind the 4G router stops reaching anything, even the router (192.168.5.1).

We have a nice wiki page for client LAN access, RoutedLans
And also a nice troubleshooting flowchart here.
It looks like you missed the --client-config-directory and the --iroute for the router.

Tobias_84 wrote (Tue Jan 18, 2022 6:05 pm):
> The client config is basically original.

I'm not sure what that could mean. Original, from where?

Anyway, there has been new activity here since I started writing this. You definitely do not want nor need tap/bridging.

regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
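
The check rob0's reply points at (a server-side route to a client LAN needs a matching iroute for the client that owns it), as an added example that is not code from the thread or from OpenVPN: a small lint that lists every `route` subnet in server.conf that no client-config-dir file claims with `iroute`. The sample configs are constructed from the addresses in the thread; the directory name `ccd` and the client common name `router4g` are assumptions.

```python
import ipaddress

# Constructed sample: the thread's server.conf with the redundant 10.8.2.0/24
# lines dropped and a client-config-dir added ("ccd" is an assumed directory).
SERVER_CONF = """\
server 10.8.2.0 255.255.255.0
client-to-client
client-config-dir ccd
route 192.168.5.0 255.255.255.0
push "route 192.168.162.0 255.255.255.0"
push "route 192.168.5.0 255.255.255.0"
"""

# ccd files are named after the client's certificate common name.
# "router4g" is an assumed CN for the 4G router (10.8.2.10 in the thread).
CCD_AS_POSTED = {}  # the posted config had no client-config-dir and no iroute
CCD_WITH_IROUTE = {"router4g": "iroute 192.168.5.0 255.255.255.0\n"}


def _directives(text):
    """Yield each config line as a token list, minus comments and quotes."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.replace('"', " ").split()


def _net(addr, mask="255.255.255.255"):
    """Build a network from OpenVPN's 'address netmask' pair (mask optional)."""
    return ipaddress.ip_network(f"{addr}/{mask}")


def unclaimed_routes(server_conf, ccd_files):
    """Server-side 'route' subnets that no client claims with 'iroute'."""
    routes = [_net(*t[1:3]) for t in _directives(server_conf) if t[0] == "route"]
    iroutes = [
        _net(*t[1:3])
        for body in ccd_files.values()
        for t in _directives(body)
        if t[0] == "iroute"
    ]
    return [r for r in routes if not any(r.subnet_of(i) for i in iroutes)]


if __name__ == "__main__":
    for label, ccd in (("as posted", CCD_AS_POSTED), ("with iroute", CCD_WITH_IROUTE)):
        missing = [str(n) for n in unclaimed_routes(SERVER_CONF, ccd)]
        print(f"{label}: routes without an iroute owner -> {missing or 'none'}")
```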
