Trouble with OpenVPN and ping internal network from client

thetinman
OpenVpn Newbie
Posts: 8
Joined: Sun Mar 15, 2020 11:48 am

Trouble with OpenVPN and ping internal network from client

Post by thetinman » Tue Mar 17, 2020 6:22 pm

Hello everyone, I need help understanding what I'm doing wrong in this setup:

VM of installation Server 2012 where I have to install OpenVPN:
No specific role assigned.
IP set up as 192.168.1.10; I have to keep it like that, sadly.
Gateway is my router 192.168.1.254, and it's connected to the internet.
IPForwarding enabled from the router to the port of the OpenVPN server, firewall disabled for testing.
Key for iprouting edited in the registry, done. OpenVPN IP assigned is 10.8.0.1.
The service works perfectly; this is the conf:
Server Config

dev tun
dev-node "ServerVPN"
topology subnet
mode server
port xyzw
proto tcp4-server
tls-server
tls-auth "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ta.key" 0
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ServerVPN.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ServerVPN.key"
dh "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh2048.pem"
#ifconfig-pool-persist ipp.txt
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
cipher AES-128-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
client-config-dir "C:\\Program Files\\OpenVPN\\config"
verb 4
route-delay 5
route-method exe
push "route 192.168.1.0 255.255.255.0"


Now inside the network I have 2 other computers with IPs 192.168.1.11 and 12, where I would like to start up a remote desktop session from a remote client that will connect with a phone using tethering when outside his home. For example, now he has an IP of 192.168.42.X.
This is the configuration on the notebook:
Client Config

dev tun
remote ip.remote.server
client
port xyzw
proto tcp4-client
tls-client
tls-auth "C:\\Program Files\\OpenVPN\\config\\ta.key" 1
remote-cert-tls server
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450

ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\ClientVPN.crt"
key "C:\\Program Files\\OpenVPN\\config\\ClientVPN.key"

cipher AES-128-CBC
comp-lzo
persist-key
persist-tun
verb 4
mute 20


I did not know what to put in the ccd file, actually, so I just created it and left it empty.

With this configuration I can ping from the client my OpenVPN IP 10.8.0.1 and my local server IP 192.168.1.10, but cannot ping any other IP inside the network.
From my OpenVPN server I can ping only 10.8.0.2, usually assigned to the remote client with the notebook, as normal.
What am I missing in the configuration to let me use ONLY my internal network? (Not interested in VPN clients using my internet connection; they will log on to their remote desktop PC only.)
Thank you everyone for the help. I think I am missing something about routing, but I do not know where and what to add to the configuration.
Best regards

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Trouble with OpenVPN and ping internal network from client

Post by TinCanTech » Tue Mar 17, 2020 7:05 pm


thetinman
OpenVpn Newbie
Posts: 8
Joined: Sun Mar 15, 2020 11:48 am

Re: Trouble with OpenVPN and ping internal network from client

Post by thetinman » Tue Mar 17, 2020 9:33 pm

Sorry for asking noob questions, but I am writing here because I would like to understand the issue better and eventually try to fix it. Regarding the log files, I did not see anything that could allow me to understand what I'm doing wrong, apart from the fact of the IP network on the server, 192.168.1.10, that I could not change. Thank you.

RE:Systems
OpenVpn Newbie
Posts: 4
Joined: Wed Mar 18, 2020 12:14 pm

Re: Trouble with OpenVPN and ping internal network from client

Post by RE:Systems » Wed Mar 18, 2020 12:57 pm

Do your computers with ip 192.168.1.11 and 12 each have a route on them for the 10.8.0.0/24 network pointing at 192.168.1.10?

If not they will be sending that traffic to your gateway ip of .254 where it will get lost.

thetinman
OpenVpn Newbie
Posts: 8
Joined: Sun Mar 15, 2020 11:48 am

Re: Trouble with OpenVPN and ping internal network from client

Post by thetinman » Wed Mar 18, 2020 3:57 pm

The 192.168.1.11 and 12 are part of the internal network, so they are not touched by the VPN server as I understand it; they are just part of the internal network of the office, where the router will be the gateway for them to connect to the internet, as well as for the OpenVPN server.
The remote client could have any kind of IP assigned and should be able at least to ping the computers inside the office network, but instead it is only able to ping the addresses of the OpenVPN server, 10.8.0.1 and 192.168.1.10, nothing more than that. I really do not know what more to look at; I am in total confusion after reading tutorials and FAQs all day.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Trouble with OpenVPN and ping internal network from client

Post by TinCanTech » Wed Mar 18, 2020 4:12 pm

thetinman wrote:
Tue Mar 17, 2020 6:22 pm
VM of installation Server 2012 where I have to install OpenVPN

Does this mean the server you are running is a Virtual Machine?

thetinman
OpenVpn Newbie
Posts: 8
Joined: Sun Mar 15, 2020 11:48 am

Re: Trouble with OpenVPN and ping internal network from client

Post by thetinman » Wed Mar 18, 2020 4:44 pm

TinCanTech wrote:
Wed Mar 18, 2020 4:12 pm
thetinman wrote:
Tue Mar 17, 2020 6:22 pm
VM of installation Server 2012 where I have to install OpenVPN
Does this mean the server you are running is a Virtual Machine?

Yes, it's a virtual machine for testing purposes; I could not use a production one, of course. My bad, I did not write it fully.

RE:Systems
OpenVpn Newbie
Posts: 4
Joined: Wed Mar 18, 2020 12:14 pm

Re: Trouble with OpenVPN and ping internal network from client

Post by RE:Systems » Wed Mar 18, 2020 8:34 pm

thetinman wrote:
Wed Mar 18, 2020 3:57 pm
The 192.168.1.11 and 12 are part of the internal network, so they are not touched by the VPN server as I understand it; they are just part of the internal network of the office, where the router will be the gateway for them to connect to the internet, as well as for the OpenVPN server.

If I understand you correctly, your OpenVPN server, to which clients connect, and which is the termination point of your tunnel, is on IP 192.168.1.10, and it hands out client IPs on the 10.8.0.0 range.

All of your internal servers on the 192.168.1.0 range use 192.168.1.254 as default gateway for connection to the internet.

However, any traffic from a VPN client will be coming from IP 10.8.0.x through 192.168.1.10 and needs to route back through 192.168.1.10 to traverse the tunnel, and NOT through 192.168.1.254.

Therefore 192.168.1.11 and 192.168.1.12 need to have a route in their routing table to tell them to send traffic from 10.8.0.x back to 192.168.1.10.

To test this, try pinging a connected client from .11 or .12. You will find they can't, until you add a route telling them to send traffic via 192.168.1.10.
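
Added example (not part of RE:Systems's post or of the original thread): a small Python model of the routing tables described above, tracing the request and the reply hop by hop with longest-prefix matching. The node names and table contents are constructed from the addresses in the thread, and the model assumes the server forwards IP and does not NAT the 10.8.0.x source address.

```python
import ipaddress

# Constructed model of the thread's addressing (not taken from a real capture).
# Gateway "direct" = on-link delivery; "internet" = handed to the ISP, where
# packets for private 10.8.0.x addresses are dropped.
OWNER = {"10.8.0.1": "vpn-server", "192.168.1.10": "vpn-server",
         "10.8.0.2": "vpn-client", "192.168.1.11": "lan-host",
         "192.168.1.254": "router"}

def base_tables():
    """Routing tables as described in the thread, before any fix."""
    return {
        "vpn-client": [("10.8.0.0/24", "direct"),
                       ("192.168.1.0/24", "10.8.0.1")],  # from push "route ..."
        "vpn-server": [("10.8.0.0/24", "direct"), ("192.168.1.0/24", "direct"),
                       ("0.0.0.0/0", "192.168.1.254")],
        "lan-host": [("192.168.1.0/24", "direct"),
                     ("0.0.0.0/0", "192.168.1.254")],
        "router": [("192.168.1.0/24", "direct"), ("0.0.0.0/0", "internet")],
    }

def next_hop(table, dst):
    """Longest-prefix match over (prefix, gateway) entries."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), gw) for p, gw in table
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(tables, src_node, dst):
    """List the nodes a packet visits from src_node towards address dst."""
    path, node = [src_node], src_node
    while node != OWNER[dst] and len(path) < 8:  # hop limit guards loops
        gw = next_hop(tables[node], dst)
        if gw in (None, "internet"):
            return path + ["LOST"]
        node = OWNER[dst if gw == "direct" else gw]
        path.append(node)
    return path

def with_return_route(tables):
    """Copy of the tables with the suggested route added on the LAN host."""
    fixed = {name: list(table) for name, table in tables.items()}
    fixed["lan-host"].append(("10.8.0.0/24", "192.168.1.10"))
    return fixed

if __name__ == "__main__":
    t = base_tables()
    print("request:", trace(t, "vpn-client", "192.168.1.11"))
    print("reply, no route:", trace(t, "lan-host", "10.8.0.2"))
    print("reply, with route:", trace(with_return_route(t), "lan-host", "10.8.0.2"))
```

On a Windows host the corresponding persistent entry is `route -p add 10.8.0.0 mask 255.255.255.0 192.168.1.10`.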

thetinman
OpenVpn Newbie
Posts: 8
Joined: Sun Mar 15, 2020 11:48 am

Re: Trouble with OpenVPN and ping internal network from client

Post by thetinman » Wed Mar 18, 2020 9:18 pm

So you mean I have to insert a route on every Windows PC on my network to allow other PCs on the VPN network to see them? It sounds quite strange to me; I mean, I have a QNAP NAS with an OpenVPN service that allows me to browse all my network without problems, and it stays on the exact same network range, and yet I'm not able to replicate it on a simple Windows virtual machine.

RE:Systems
OpenVpn Newbie
Posts: 4
Joined: Wed Mar 18, 2020 12:14 pm

Re: Trouble with OpenVPN and ping internal network from client

Post by RE:Systems » Wed Mar 18, 2020 10:09 pm

I suggest you try it and see if it fixes your issue; I can't see your network, only make suggestions based on what you describe.

This isn't a Windows-specific issue though; the same will apply to any other hosts on your internal network, whenever you use a host which isn't the default gateway to provide a VPN termination.

For instance, on one of our office networks, all internal hosts are on 192.168.56.0, and our default gateway to the internet is on 192.168.56.1.
We have a site-to-site VPN on that gateway to another office, which uses the IP range 192.168.10.0. We don't need to add a route for internal hosts to find that IP range, because it goes through the default gateway.

However, we have a site-to-site VPN with yet another office, which terminates on a pfSense firewall whose internal interface is on 192.168.56.50. The remote IPs in that other office are on 192.168.5.0. So all our internal hosts have to have a route for that network, pointing to 192.168.56.50, and that route is pushed out by the DHCP server.

We also use the same pfSense firewall for roadwarrior clients, which are given 10.2.2.0 addresses, so we also have a route pushed to all hosts for that range as well, pointing to 192.168.56.50.

thetinman
OpenVpn Newbie
Posts: 8
Joined: Sun Mar 15, 2020 11:48 am

Re: Trouble with OpenVPN and ping internal network from client

Post by thetinman » Thu Mar 19, 2020 12:28 am

Yes, one of the many tests I did after I had bad feedback on the only OpenVPN server on Windows 2012 was to install another VM and try pfSense on it. I had to change my home network for test purposes to the 192.168.0.x subnet and set up the LAN of pfSense on the same subnet, then had to set up a WAN interface with the same subnet as my router's, 192.168.1.x, and did the port forwarding on the WAN IP. I set up the OpenVPN client, downloaded the client setup and installed it on my notebook for testing, and it worked on the first shot, but with the complication of changing the subnet and inserting a pfSense machine that I do not really need.
