[SOLVED] Issues to reach services

Posted: Wed Feb 12, 2020 8:10 am
by netdog
Hello community,

Currently, I'm configuring OpenVPN for the first time.
I'm running it on a small Intel NUC with CentOS in my home LAN.
The goal of this journey is to access my home LAN from outside and work on my clients as if I were inside my LAN.
Especially for security reasons, because I don't want to publish services on my public IP / dyndns with port forwardings, nor a DMZ.
Maybe you can also give me some hints on how I can make my OpenVPN safer.

I configured everything and I'm able to access my OpenVPN server from my OpenVPN clients.
I also configured a static route from the VPN network range to my home LAN on my DD-WRT router.
It's also possible to ping clients behind the VPN IP range.

Now to my issue:
It's not possible to access the internet when a client is connected to the OpenVPN server.
It's possible to ping e.g. 8.8.8.8 (Google's DNS) or any client in my LAN, but I cannot access e.g. web services or open SSH sessions to my LAN clients.

Here are a few configurations of my OpenVPN server:


[root@nuc iptables]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Server conf:

port 1194
proto tcp
dev tun
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 10.0.0.254"
push "redirect-gateway def1 bypass-dhcp"
push "route 10.0.0.0 255.255.255.0"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key 0
crl-verify crl.pem
ca ca.crt
cert server_nfIPGN97r1w3gCEY.crt
key server_nfIPGN97r1w3gCEY.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
status /var/log/openvpn/status.log
verb 3


Client conf:

proto tcp
remote MYPUBLICIP 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_nfIPGN97r1w3gCEY name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
verb 3

I hope you can help me to fix my issue.

Sorry, you might have heard this question a few times already, but I've been sitting in front of this issue for 3 days now and have googled a lot for it.

Thanks!

BR
Bernhard

Re: Issues to reach services

Posted: Wed Feb 12, 2020 2:04 pm
by TiTex
do your router,dns server and other machines on your LAN accept traffic from 10.8.0.0/24 (vpn subnet) ?

Re: Issues to reach services

Posted: Thu Feb 13, 2020 7:39 am
by netdog
Hi,

I found my issue... stupid :-)
I created a static route on my DD-WRT from the VPN to the internal LAN but no route back over the VPN gateway, so it could not work :-)

That's it!
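The two things this thread turns on are the return route the LAN router needs for the VPN subnet (the root cause netdog found) and the hardening directives in the posted configs (the "how can I make it safer" question in the first post). The script below is an added example and is not code from the posters or from the OpenVPN project: it parses the relevant directive lines copied from the thread, models the router's route table as a longest-prefix lookup to show why LAN replies never come back without a route for 10.8.0.0/24 via the OpenVPN host, and lists hardening directives a config is missing. The OpenVPN host's LAN address 10.0.0.10 and the route tables ROUTER_BEFORE / ROUTER_AFTER are assumed, constructed values.

```python
"""Routing and hardening checks for the OpenVPN setup discussed above.
Added example, not code from the original posts. The directive lines are
copied from the thread; the OpenVPN host's LAN address (10.0.0.10) and the
router route tables are constructed assumptions."""
import ipaddress

# Subset of the server.conf posted in the thread (routing + hardening lines).
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 10.0.0.254"
push "redirect-gateway def1 bypass-dhcp"
push "route 10.0.0.0 255.255.255.0"
tls-crypt tls-crypt.key 0
crl-verify crl.pem
user nobody
group nobody
tls-version-min 1.2
"""

SERVER_LAN_IP = "10.0.0.10"  # assumed address of the NUC on the home LAN

# Constructed DD-WRT route tables: before and after adding the return route.
# Entries are (destination CIDR, next hop).
ROUTER_BEFORE = [("0.0.0.0/0", "WAN"), ("10.0.0.0/24", "LAN")]
ROUTER_AFTER = ROUTER_BEFORE + [("10.8.0.0/24", SERVER_LAN_IP)]

# Directives whose absence weakens the setup; values describe what each buys.
SERVER_HARDENING = {
    "tls-crypt": "control channel encrypted and authenticated with a pre-shared key",
    "tls-version-min": "old TLS versions refused (1.2 in the posted config)",
    "crl-verify": "revoked client certificates rejected",
    "user": "daemon drops root user after startup",
    "group": "daemon drops root group after startup",
}
CLIENT_HARDENING = {
    "remote-cert-tls": "only a certificate with the server EKU is accepted",
    "verify-x509-name": "expected server certificate name is pinned",
    "auth-nocache": "credentials are not cached in memory",
    "tls-version-min": "old TLS versions refused",
}


def parse_conf(text):
    """Split an OpenVPN config into (directive, argument-string) pairs."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment markers
            continue
        name, _, rest = line.partition(" ")
        out.append((name, rest.strip()))
    return out


def directive_args(conf, name):
    return [args for d, args in conf if d == name]


def vpn_subnet(conf):
    """The 'server' directive gives the VPN pool as network + netmask."""
    net, mask = directive_args(conf, "server")[0].split()
    return ipaddress.ip_network(f"{net}/{mask}")


def pushed_routes(conf):
    """Networks the server pushes to clients via push "route ..."."""
    routes = []
    for args in directive_args(conf, "push"):
        words = args.strip('"').split()
        if words[:1] == ["route"] and len(words) >= 3:
            routes.append(ipaddress.ip_network(f"{words[1]}/{words[2]}"))
    return routes


def route_lookup(table, dst):
    """Longest-prefix match over [(cidr, next_hop)], as a router does it."""
    dst = ipaddress.ip_address(dst)
    best = None
    for cidr, hop in table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def return_path_ok(router_table, conf, server_lan_ip):
    """A LAN host answers a VPN client by sending the reply to its default
    gateway, the router. Unless the router routes the VPN subnet to the
    OpenVPN host, the reply follows the default route out of the WAN."""
    client = list(vpn_subnet(conf).hosts())[1]  # e.g. 10.8.0.2, any client address
    return route_lookup(router_table, str(client)) == server_lan_ip


def missing_hardening(conf, expected):
    """Names of expected directives that do not appear in the config."""
    present = {d for d, _ in conf}
    return sorted(name for name in expected if name not in present)


if __name__ == "__main__":
    conf = parse_conf(SERVER_CONF)
    print("VPN subnet:", vpn_subnet(conf), "pushed routes:", pushed_routes(conf))
    for label, table in (("before", ROUTER_BEFORE), ("after", ROUTER_AFTER)):
        print(f"return path via router {label}:", return_path_ok(table, conf, SERVER_LAN_IP))
    print("missing server hardening:", missing_hardening(conf, SERVER_HARDENING))
```

Run as-is it reports the VPN subnet 10.8.0.0/24 and the pushed LAN route, shows the reply to a VPN client leaving through the WAN with the original route table and reaching the OpenVPN host once the 10.8.0.0/24 route is added, and finds none of the listed server hardening directives missing from the posted config. Point `missing_hardening` at a parsed client.conf with `CLIENT_HARDENING` to run the same check on the client side.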