Connecting to Webserver on VPNServer

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
berndfl
OpenVpn Newbie
Posts: 3
Joined: Fri Jul 30, 2021 8:14 am

Connecting to Webserver on VPNServer

Post by berndfl » Fri Jul 30, 2021 8:40 am

Hi everyone,

I have a small configuration Problem:
Server: CentOS 7 + OpenVPN 2.4.11

Server Config

local <PUBLICIP>
port 443
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh4096.pem
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
client-to-client
keepalive 10 120
tls-auth ta.key 0 # This file is secret
compress lzo
user nobody
group nobody
persist-key
persist-tun
status /dev/shm/openvpn-status.log
verb 3
client-disconnect /etc/openvpn/disconnect.sh
ping-timer-rem
push "ping-timer-rem"
up /etc/openvpn/up.sh
tls-verify /etc/openvpn/tls-verify.sh
client-connect /etc/openvpn/client-connect.sh
route-pre-down /etc/openvpn/route-pre-down.sh
client-disconnect /etc/openvpn/client-disconnect.sh
down /etc/openvpn/down.sh
learn-address /etc/openvpn/learn-address.sh
management 127.0.0.1 4711
script-security 2
fragment 0
mssfix 0


Clients: Linux (Ubuntu + Manjaro with OpenVPN 2.5.2 + 2.5.3), Windows 10, Android (OpenVPN for Android 0.7.22), Mac (Tunnelblick 3.8.5)
Client Config

auth-user-pass pwd
client
dev tun
remote <PUBLILCIP> 3389 tcp-client
remote-cert-tls server
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
key-direction 1
allow-recursive-routing


Client Config

push "dhcp-option DNS 192.168.50.27"
push "dhcp-option DOMAIN <domain>"
push "comp-lzo"
push "route 192.168.50.0 255.255.255.0"
push "route <PUBLICIP> 255.255.255.255"



Now Im running a Webserver on <PUBLICIP>. Connecting with Android and Windows works and I can access the webserver. The webserver sees as remote ip the <PUBLICIP>. Thats good and the expected behaviour as the sites should only accessible through the VPN.

Connecting with Linux dows work, but there is no ping possible to the internal 192.168.50.0/24 nor the <PUBLICIP> nor othe rpublic IPs (ex. 8.8.8.8).

If I delete the route <PUBLICIP> 255.255.255.255 from the ccd then I could ping the internal 192.168.50.0/24, but the webserver sees my remoteip.

Why does this work with Android, Windows and Mac, but not with Linux? Any suggestions?

Thank you for your help.

with kind regards,
Bernd.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Connecting to Webserver on VPNServer

Post by TinCanTech » Fri Jul 30, 2021 10:04 am

Do you know what recursive routing means ?

berndfl
OpenVpn Newbie
Posts: 3
Joined: Fri Jul 30, 2021 8:14 am

Re: Connecting to Webserver on VPNServer

Post by berndfl » Fri Jul 30, 2021 6:08 pm

TinCanTech wrote:
Fri Jul 30, 2021 10:04 am
Do you know what recursive routing means ?
The server pushes the route for the VPN-Endpoint over the tunnel to the client and BANG. But, why is it working with Windows, Mac and Android and not with Linux?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Connecting to Webserver on VPNServer

Post by TinCanTech » Fri Jul 30, 2021 6:59 pm

Probably because Linux does what you tell it to, while the other choose to ignore you.

berndfl
OpenVpn Newbie
Posts: 3
Joined: Fri Jul 30, 2021 8:14 am

Re: Connecting to Webserver on VPNServer

Post by berndfl » Mon Aug 02, 2021 7:57 am

So, anybody has an idea or hint to solve this problem?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Connecting to Webserver on VPNServer

Post by TinCanTech » Mon Aug 02, 2021 11:44 am

If you route the public IP of your VPN server through the tunnel then the VPN stops working, in Linux.

As I understand it, Android has a port based policy rule which will not allow you to route the VPN server-IP:port through the VPN but will allow Server-IP:HTTP through the VPN,

As for Windows, I have no idea .. see your VPN log for details.

Post Reply