LAN-to-LAN, both behind router
Moderators: TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
-
- OpenVpn Newbie
- Posts: 10
- Joined: Mon Sep 27, 2021 8:42 pm
LAN-to-LAN, both behind router
Hi everyone... probably there are other posts on the (almost) same topic, but I am a bit confused!
I need to configure a LAN2LAN VPN, where the VPN servers are behind routers at both ends of the connection.
In detail, I have two home networks, connected to the internet via two modem/routers. Both have no OpenVPN capability, so I set up the VPN software on two Raspberry Pis, but I cannot understand how to configure them: both as servers? One as a server and one as a client? I tried to read the wiki carefully, but I am not an expert, so I would appreciate some help.
By the way, do I need a public static IP on both sides? At the moment I have a static public IP on one side (site A), and a private dynamic IP on the other (site B).
btw: I've been able to make a client-to-LAN connection from site B to the LAN on site A, but not yet a full LAN-to-LAN.
thanks in advance
rosanna
-
- OpenVpn Newbie
- Posts: 10
- Joined: Mon Sep 27, 2021 8:42 pm
Re: LAN-to-LAN, both behind router
does anyone around there have some suggestion?
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
-
- OpenVpn Newbie
- Posts: 10
- Joined: Mon Sep 27, 2021 8:42 pm
Re: LAN-to-LAN, both behind router
thanks, but obviously these are the steps I already did.. I asked for help because clearly I was not able to go beyond a client2lan configuration
pivpn is even more cryptic!
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: LAN-to-LAN, both behind router
scimmiettarossa wrote: ↑Tue Oct 19, 2021 5:00 pm
> thanks, but obviously these are the steps I already did..
So, how far did you get?
scimmiettarossa wrote: ↑Tue Oct 19, 2021 5:00 pm
> I asked for help because clearly I was not able to go beyond a client2lan configuration
Clear as my crystal ball ..
If you don't understand pivpn then I fear you are out of your depth.
The place to start is the Howto. Which is why it has been written.
And we have written this too: viewtopic.php?f=30&t=22603#p68963
-
- OpenVPN Expert
- Posts: 685
- Joined: Tue May 01, 2012 9:30 pm
Re: LAN-to-LAN, both behind router
You need to write down all server config and client config so we can help you. Only saying "site to site", how can we help?
-
- OpenVpn Newbie
- Posts: 10
- Joined: Mon Sep 27, 2021 8:42 pm
Re: LAN-to-LAN, both behind router
sorry for the delay, but I had some family issues
anyway: now I've got some improvements:
- raspberry in LAN A is set as OpenVPN server (see server config below)
- raspberry in LAN B is set as OpenVPN client (see client config below)
- IP forwarding is set on both raspberries
- set a static route on gateway "A", to redirect requests to LAN B addresses to the raspberry (server) on LAN A
- set a static route on gateway "B", to redirect requests to LAN A addresses to the raspberry (client) on LAN B
- now ANY machine on LAN A can reach ANY machine on LAN B
- raspberry B can reach ANY machine on LAN A
- the other machines on LAN B can reach raspberry A
- but the other machines on LAN B are not able to reach the other machines on LAN A
what am I missing? any help, as usual, is very appreciated!!
server.conf:
dev tun
proto udp
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/xxxxx.crt
key /etc/openvpn/easy-rsa/pki/private/xxxxx.key
dh none
ecdh-curve prime256v1
topology subnet
server 10.13.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "route 192.168.14.0 255.255.255.0"
push "route 192.168.15.0 255.255.255.0"
route 192.168.15.0 255.255.255.0
client-to-client
# Prevent DNS leaks on Windows
push "block-outside-dns"
push "redirect-gateway def1"
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 10 30
persist-key
persist-tun
#############################################
remote-cert-tls client
explicit-exit-notify 1
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
file "remoteB" in subdir ccd of server:
ifconfig-push 10.8.13.12 255.255.255.0
iroute 192.168.15.0 255.255.255.0
file "remoteB.conf" on client in LAN B:
client
dev tun
proto udp
remote <IP> <port>
resolv-retry infinite
nobind
remote-cert-tls server
tls-version-min 1.2
verify-x509-name cubie-rox_7b673588-82aa-4364-8097-a6755973420b name
cipher AES-256-CBC
auth SHA256
auth-nocache
pull-filter ignore "redirect-gateway def1"
route 192.168.14.0 255.255.255.0
keepalive 10 30
ping-timer-rem
persist-key
persist-tun
verb 3
#
<ca>
-----BEGIN CERTIFICATE-----
blablabla
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
blablabla
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
blablabla
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
blablabla
-----END OpenVPN Static key V1-----
</tls-crypt>
-
- OpenVPN Expert
- Posts: 685
- Joined: Tue May 01, 2012 9:30 pm
Re: LAN-to-LAN, both behind router
> server 10.13.0.0 255.255.255.0
> push "route 192.168.15.0 255.255.255.0"
> route 192.168.15.0 255.255.255.0
You can't add route and push route as you don't understand how route works.
Add route means that the route from the client is added into the server routing table. The client doesn't need that route anyway. Push route is a subnet from the server, so the client can access more than one subnet, so we need to push that subnet down to the client.
You just randomly add and push as you think; it will not work.
The last: without posting the subnets nobody knows how to help.
> ifconfig-push 10.8.13.12 255.255.255.0
This is wrong config. If you like to assign a static IP to the client it should be in the same range as ifconfig-push 10.13.0.* 255.255.255.0
Name of file in ccd folder must be named as the client certificate or it will not work.
You need to post the full log on server and client; it will tell which route is added or not.
-
- OpenVpn Newbie
- Posts: 10
- Joined: Mon Sep 27, 2021 8:42 pm
Re: LAN-to-LAN, both behind router
sorry, but I do not understand some of your sentences:
for what regards the following:
> Add route mean that route from client to add into server routing tables
> Push route is subnet from server so client can access more than one subnet so we need push that subnet down to client
> The last without post subnet nobody know how to help
.. probably it is my poor English, but really I do not understand
for what regards the following:
> If you like to assign static ip to client it should be the same range as ifconfig-push 10.13.0.* 255.255.255.0
it is already in the same range
> Name of file in ccd folder must be name as client certificate or it will not work.
the name in ccd is the same (as written in the post)
anyway, with the above configuration, at least 75% of what I'm expecting is working: I already know that I'm making some mistake... otherwise I wouldn't have written this post.. I need some help in understanding, and perhaps some advice, or simply an example of a working LAN-to-LAN;
-
- OpenVPN Expert
- Posts: 685
- Joined: Tue May 01, 2012 9:30 pm
Re: LAN-to-LAN, both behind router
> server 10.13.0.0 255.255.255.0
> ifconfig-push 10.8.13.12 255.255.255.0
It is not the same range, as 10.13.0.0 and 10.8.13.12 look different to me. I don't know why you said it is in the range.
In your server config it has this line route 192.168.15.0 255.255.255.0; do you know what it does? Then you got this push "route 192.168.15.0 255.255.255.0".
You have two homes and two routers which have two subnets, yet you did not post any of those subnets; only you know that, and you hope someone from the internet will help you solve your trouble?
Only you can correct it and try to deal with that, as nobody knows which router subnet connects to which subnet.
-
- OpenVpn Newbie
- Posts: 10
- Joined: Mon Sep 27, 2021 8:42 pm
Re: LAN-to-LAN, both behind router
oppss.. sorry.. you are right... it was a typo in the transcription.. I meant:
server 10.13.0.0 255.255.255.0
ifconfig-push 10.13.0.12 255.255.255.0
the two subnets are 192.168.14.0/24 in LAN A, and 192.168.15.0/24 in LAN B
the subnet of the tunnel is 10.13.0.0/24.. in this subnet, the LAN A OpenVPN server is 10.13.0.1, while the client in LAN B is 10.13.0.12
why do you say I didn't post any of those subnets????
-
- OpenVPN Expert
- Posts: 685
- Joined: Tue May 01, 2012 9:30 pm
Re: LAN-to-LAN, both behind router
You should back up all config and then change as follows.
In the server config remove this line push "route 192.168.15.0 255.255.255.0" and leave route 192.168.15.0 255.255.255.0 in the config, as it needs to be added into the server routing table.
correct these lines in remoteB as
ifconfig-push 10.13.0.12 255.255.255.0
iroute 192.168.15.0 255.255.255.0
In the client config remove this line route 192.168.14.0 255.255.255.0
on both server and client delete all static routes you added before.
then make sure both server and client do NAT and IP forwarding, then try it again. When connected, just try from one client in the client subnet a tracert to one client in the server subnet to see where it stops.
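As an added example (not the thread's or the OpenVPN project's code), a small Python linter that checks a server.conf and its ccd files for exactly the mistakes called out in this reply: an ifconfig-push address outside the server subnet, a route/iroute pair that does not match, a pushed route for the client's own LAN, and a ccd file that is not named after the client certificate CN. The sample configs are constructed from the lines posted above, trimmed to the routing directives; the client CN "remoteB" is an assumption, since the thread never states it.

```python
"""Lint an OpenVPN LAN-to-LAN setup for the routing mistakes discussed in
this thread.  Added example, not the thread's own code; the client CN
'remoteB' is an assumption."""
import ipaddress
import re
from typing import Dict, List, Set

def parse_directives(text: str) -> List[List[str]]:
    """Split a config into [directive, args...] lists, skipping comments and
    inline <ca>/<cert>/<key>/<tls-crypt> blocks; quoted push args stay whole."""
    out, in_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.fullmatch(r"</?[a-z-]+>", line):
            in_block = line[1] != "/"
            continue
        if not in_block:
            out.append([t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)])
    return out

def net(addr: str, mask: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def lint(server_conf: str, ccd: Dict[str, str], client_cn: str) -> List[str]:
    findings: List[str] = []
    server_net = None
    routes: Set[ipaddress.IPv4Network] = set()   # 'route': server kernel table
    pushed: Set[ipaddress.IPv4Network] = set()   # push "route ...": sent to clients
    for d in parse_directives(server_conf):
        if d[0] == "server":
            server_net = net(d[1], d[2])
        elif d[0] == "route":
            routes.add(net(d[1], d[2]))
        elif d[0] == "push" and d[1].startswith("route "):
            _, a, m = d[1].split()
            pushed.add(net(a, m))
    # ccd files are looked up by the client certificate CN, so the name must match
    if client_cn not in ccd:
        findings.append(f"no ccd file named after client CN '{client_cn}'")
    iroutes: Set[ipaddress.IPv4Network] = set()  # 'iroute': OpenVPN internal table
    for name, body in ccd.items():
        for d in parse_directives(body):
            if d[0] == "iroute":
                iroutes.add(net(d[1], d[2]))
            elif d[0] == "ifconfig-push" and server_net is not None:
                if ipaddress.IPv4Address(d[1]) not in server_net:
                    findings.append(f"ccd/{name}: ifconfig-push {d[1]} is outside "
                                    f"the server subnet {server_net}")
    for n in sorted(iroutes - routes):
        findings.append(f"iroute {n} has no matching 'route' in server.conf, "
                        "so the kernel cannot reach it")
    for n in sorted(routes - iroutes):
        findings.append(f"route {n} in server.conf has no iroute in any ccd file, "
                        "so OpenVPN cannot pick a client for it")
    for n in sorted(pushed & iroutes):
        findings.append(f'push "route {n}" sends the client its own LAN; drop the push')
    return findings

# Constructed from the configs posted in this thread, trimmed to the routing lines.
SERVER_CONF_ORIG = """
dev tun
topology subnet
server 10.13.0.0 255.255.255.0
push "dhcp-option DNS 208.67.222.222"
push "route 192.168.14.0 255.255.255.0"
push "route 192.168.15.0 255.255.255.0"
route 192.168.15.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
"""
CCD_ORIG = "ifconfig-push 10.8.13.12 255.255.255.0\niroute 192.168.15.0 255.255.255.0\n"

# The same files after the corrections suggested in the reply above.
SERVER_CONF_FIXED = SERVER_CONF_ORIG.replace('push "route 192.168.15.0 255.255.255.0"\n', "")
CCD_FIXED = CCD_ORIG.replace("10.8.13.12", "10.13.0.12")

if __name__ == "__main__":
    for label, conf, ccd in (("original", SERVER_CONF_ORIG, CCD_ORIG),
                             ("fixed", SERVER_CONF_FIXED, CCD_FIXED)):
        print(label, lint(conf, {"remoteB": ccd}, "remoteB") or ["no findings"])
```

Run on the original configs it reports the out-of-range ifconfig-push and the pushed LAN B route; on the corrected pair it reports nothing. Pass the real CN from the client certificate as `client_cn` to check the ccd filename.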
-
- OpenVpn Newbie
- Posts: 10
- Joined: Mon Sep 27, 2021 8:42 pm
Re: LAN-to-LAN, both behind router
thanks for the reply
I tried, but no change..
and, if I remove the static routes from the routers (that are NOT the same machines as the openvpn server and client), everything stops working (apart from the basic connection between the openvpn server and openvpn client...).. so I think that on the routers the static routes are needed
the IP forwarding is set on both the server / client machines... while I do not fully understand how and where to set the NAT
-
- OpenVPN Expert
- Posts: 685
- Joined: Tue May 01, 2012 9:30 pm
Re: LAN-to-LAN, both behind router
Just do NAT and IP forwarding on both server and client so it will work. How did you set up your server? You must do the same on the client.
You don't need a static route, as this route will be done by the iroute in the file in the ccd folder. This is how OpenVPN works, or you need to read the how-to again.
-
- OpenVpn Newbie
- Posts: 10
- Joined: Mon Sep 27, 2021 8:42 pm
Re: LAN-to-LAN, both behind router
you continue to repeat that I need to read the how-to again.... but, I repeat: if I remove the static routes from the routers (that are NOT the same machines as the openvpn machines), the connection is limited to the two openvpn machines (server and client) ONLY!
with the static routes activated, ANY machine on LAN A is able to see ANY machine on LAN B (but not in the opposite direction)...
and, to confirm this, at this link: https://openvpn.net/community-resources ... ini-howto/ there is written:
> Allow client to reach entire server subnet
> Suppose the OpenVPN server is on a subnet 192.168.4.0/24. Add the following to client configuration:
> route 192.168.4.0 255.255.255.0
> Then on the server side, add a route to the server's LAN gateway that routes 10.8.0.2 to the OpenVPN server machine (only necessary if the OpenVPN server machine is not also the gateway for the server-side LAN). Also, don't forget to enable IP Forwarding on the OpenVPN server machine.
I tried what you suggested above:
> You should back up all config and then change as follows.
> In the server config remove this line push "route 192.168.15.0 255.255.255.0" and leave route 192.168.15.0 255.255.255.0 in the config, as it needs to be added into the server routing table.
> correct these lines in remoteB as
> ifconfig-push 10.13.0.12 255.255.255.0
> iroute 192.168.15.0 255.255.255.0
> In the client config remove this line route 192.168.14.0 255.255.255.0
> on both server and client delete all static routes you added before.
> then make sure both server and client do NAT and IP forwarding, then try it again. When connected, just try from one client in the client subnet a tracert to one client in the server subnet to see where it stops.
...but in this case NOTHING works....
so, the problem is somewhere else
nevertheless, thanks for your time
anyone else in my situation, out there?
Last edited by scimmiettarossa on Sun Nov 14, 2021 10:26 pm, edited 1 time in total.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: LAN-to-LAN, both behind router
scimmiettarossa wrote: ↑Sun Nov 14, 2021 10:13 pm
> with the static routes activated, ANY machine on LAN A is able to see ANY machine on LAN B (but not in the opposite direction)...
If what you say is true then the traffic is being filtered by a firewall.
-
- OpenVpn Newbie
- Posts: 10
- Joined: Mon Sep 27, 2021 8:42 pm
Re: LAN-to-LAN, both behind router
mmhh... actually it could be a firewall issue.. because I discovered something more:
with my present configuration:
-- openvpn client B sees openvpn server A
-- openvpn server A sees openvpn client B
-- any machine in LAN A sees any machine in LAN B
-- openvpn client B sees any machine in LAN A
-- other machines in LAN B see only openvpn server A, but not the other machines in LAN A
actually, when, from a machine on LAN B (not the openvpn client) I try to ping different machines on LAN A, I have the following answers:
ping -c 4 192.168.14.17    (this is the openvpn server on LAN A)
PING 192.168.14.17 (192.168.14.17) 56(84) bytes of data.
64 bytes from 192.168.14.17: icmp_seq=1 ttl=63 time=28.2 ms
64 bytes from 192.168.14.17: icmp_seq=2 ttl=63 time=33.4 ms
64 bytes from 192.168.14.17: icmp_seq=3 ttl=63 time=28.2 ms
64 bytes from 192.168.14.17: icmp_seq=4 ttl=63 time=34.0 ms
--- 192.168.14.17 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 28.163/30.929/33.979/2.767 ms

ping -c 4 192.168.14.110    (this is another machine on LAN A)
PING 192.168.14.110 (192.168.14.110) 56(84) bytes of data.
From 192.168.15.1 icmp_seq=1 Redirect Host(New nexthop: 192.168.15.100)
From 10.13.0.1 icmp_seq=1 Destination Host Unreachable
From 10.13.0.1 icmp_seq=2 Destination Host Unreachable
From 10.13.0.1 icmp_seq=3 Destination Host Unreachable
From 10.13.0.1 icmp_seq=4 Destination Host Unreachable
--- 192.168.14.110 ping statistics ---
4 packets transmitted, 0 received, +5 errors, 100% packet loss, time 3040ms
pipe 4
so, from the last output, it seems to me that the attempt to ping the LAN A machine is redirected to the openvpn client (192.168.15.100), but then it stops.
I should understand how to find the firewall rules (on the vpn client? on the router?)
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
-
- OpenVPN Expert
- Posts: 685
- Joined: Tue May 01, 2012 9:30 pm
Re: LAN-to-LAN, both behind router
scimmiettarossa wrote: ↑Sun Nov 14, 2021 10:48 pm
> mmhh... actually it could be a firewall issue.. because I discovered something more:
> with my present configuration:
> -- openvpn client B sees openvpn server A
> -- openvpn server A sees openvpn client B
> -- any machine in LAN A sees any machine in LAN B
> -- openvpn client B sees any machine in LAN A
> -- other machines in LAN B see only openvpn server A, but not the other machines in LAN A
> actually, when, from a machine on LAN B (not the openvpn client) I try to ping different machines on LAN A, I have the following answers:
> ping -c 4 192.168.14.17    (this is the openvpn server on LAN A)
> PING 192.168.14.17 (192.168.14.17) 56(84) bytes of data.
> 64 bytes from 192.168.14.17: icmp_seq=1 ttl=63 time=28.2 ms
> 64 bytes from 192.168.14.17: icmp_seq=2 ttl=63 time=33.4 ms
> 64 bytes from 192.168.14.17: icmp_seq=3 ttl=63 time=28.2 ms
> 64 bytes from 192.168.14.17: icmp_seq=4 ttl=63 time=34.0 ms
> --- 192.168.14.17 ping statistics ---
> 4 packets transmitted, 4 received, 0% packet loss, time 3006ms
> rtt min/avg/max/mdev = 28.163/30.929/33.979/2.767 ms
> ping -c 4 192.168.14.110    (this is another machine on LAN A)
> PING 192.168.14.110 (192.168.14.110) 56(84) bytes of data.
> From 192.168.15.1 icmp_seq=1 Redirect Host(New nexthop: 192.168.15.100)
> From 10.13.0.1 icmp_seq=1 Destination Host Unreachable
> From 10.13.0.1 icmp_seq=2 Destination Host Unreachable
> From 10.13.0.1 icmp_seq=3 Destination Host Unreachable
> From 10.13.0.1 icmp_seq=4 Destination Host Unreachable
> --- 192.168.14.110 ping statistics ---
> 4 packets transmitted, 0 received, +5 errors, 100% packet loss, time 3040ms
> pipe 4
> so, from the last output, it seems to me that the attempt to ping the LAN A machine is redirected to the openvpn client (192.168.15.100), but then it stops.
> I should understand how to find the firewall rules (on the vpn client? on the router?)
That is where iroute does the routing in the server. When the client connects to the server, the server scans the ccd folder and if it finds a file named the same as the client's certificate then it will execute all commands contained in that file.
If everything is correct, when the client connects it will add on the server a route like this
route add 192.168.15.0 mask 255.255.255.0 10.13.0.12
You can check when the client connects, on a terminal, to see whether any route is added to the server or not. Open a terminal and type
ip route
That is why when you ping it stops at the server IP. The server routing table doesn't have a route to the 192.168.15.0 subnet.
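The reply above says to check the server's routing table after the client connects. As an added example (not the thread's code), here is the same longest-prefix lookup the kernel performs, run over constructed `ip route` listings built from the thread's addresses: without the LAN B route the server hands a packet for 192.168.15.x to its default gateway, with the route it goes down tun0 to 10.13.0.12. The LAN A host table at the end shows why gateway A still needs its static route for the return path. All three tables are constructed, not captured output.

```python
"""Longest-prefix-match lookup over 'ip route' output, showing where the
OpenVPN server sends a packet for LAN B with and without the route that the
route/iroute pair installs.  Added example, not the thread's own code; the
route tables below are constructed from the thread's addresses."""
import ipaddress
from typing import List, Optional, Tuple

# (prefix, next-hop address or None for on-link, interface)
Route = Tuple[ipaddress.IPv4Network, Optional[str], str]

def parse_ip_route(text: str) -> List[Route]:
    """Parse the Linux 'ip route' listing format (one route per line)."""
    routes: List[Route] = []
    for line in text.strip().splitlines():
        f = line.split()
        if not f:
            continue
        prefix = "0.0.0.0/0" if f[0] == "default" else f[0]
        if "/" not in prefix:          # bare host entry -> /32
            prefix += "/32"
        via = f[f.index("via") + 1] if "via" in f else None
        dev = f[f.index("dev") + 1]
        routes.append((ipaddress.IPv4Network(prefix), via, dev))
    return routes

def next_hop(routes: List[Route], dst: str) -> Optional[Tuple[Optional[str], str]]:
    """Kernel-style longest-prefix match: returns (via, dev) or None."""
    d = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for r in routes:
        if d in r[0] and (best is None or r[0].prefixlen > best[0].prefixlen):
            best = r
    return None if best is None else (best[1], best[2])

# Constructed: server table before any LAN B route exists.
SERVER_BEFORE = """
default via 192.168.14.1 dev eth0
10.13.0.0/24 dev tun0 proto kernel scope link src 10.13.0.1
192.168.14.0/24 dev eth0 proto kernel scope link src 192.168.14.17
"""
# Constructed: the same table once 'route 192.168.15.0 255.255.255.0' in
# server.conf and the client's iroute point LAN B at the client's tunnel IP.
SERVER_AFTER = SERVER_BEFORE + "192.168.15.0/24 via 10.13.0.12 dev tun0\n"

# Constructed: an ordinary LAN A host.  Its reply to LAN B goes to gateway A,
# which is why gateway A needs the static route back to 192.168.14.17.
LAN_A_HOST = """
default via 192.168.14.1 dev eth0
192.168.14.0/24 dev eth0 proto kernel scope link src 192.168.14.110
"""

def lan_b_path(table: str, dst: str = "192.168.15.50") -> str:
    """Describe where a packet for dst leaves a host with the given table."""
    hop = next_hop(parse_ip_route(table), dst)
    if hop is None:
        return "no route"
    via, dev = hop
    return f"on-link via {dev}" if via is None else f"via {via} on {dev}"

if __name__ == "__main__":
    print("server before:", lan_b_path(SERVER_BEFORE))  # leaves through eth0, not the tunnel
    print("server after: ", lan_b_path(SERVER_AFTER))   # down tun0 to the LAN B client
    print("LAN A host:   ", lan_b_path(LAN_A_HOST))     # reply goes to gateway A
```

Paste the real `ip route` output from the Raspberry Pi in place of the constructed tables to see which path a LAN B destination actually takes on your server.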
-
- OpenVpn Newbie
- Posts: 10
- Joined: Mon Sep 27, 2021 8:42 pm
Re: LAN-to-LAN, both behind router
I've tried a lot of configurations, with no success.
as I said before, if I ping a machine on LAN A (not the server) from a machine on LAN B (not the client), there is no result:
ping -c 4 192.168.14.110    (this is another machine on LAN A)
PING 192.168.14.110 (192.168.14.110) 56(84) bytes of data.
From 192.168.15.1 icmp_seq=1 Redirect Host(New nexthop: 192.168.15.100)
From 10.13.0.1 icmp_seq=1 Destination Host Unreachable
From 10.13.0.1 icmp_seq=2 Destination Host Unreachable
From 10.13.0.1 icmp_seq=3 Destination Host Unreachable
From 10.13.0.1 icmp_seq=4 Destination Host Unreachable
--- 192.168.14.110 ping statistics ---
4 packets transmitted, 0 received, +5 errors, 100% packet loss, time 3040ms
pipe 4
, but if I make a traceroute to the same IP:
traceroute 192.168.14.110
traceroute to 192.168.14.110 (192.168.14.110), 30 hops max, 60 byte packets
 1  fritz.box (192.168.15.1)  0.553 ms  0.747 ms  0.658 ms
 2  mediarox-mum.fritz.box (192.168.15.100)  8.859 ms  8.852 ms  8.802 ms
 3  10.13.0.1 (10.13.0.1)  32.390 ms  34.284 ms  34.254 ms
 4  192.168.14.110 (192.168.14.110)  114.630 ms  118.797 ms  118.708 ms
so it seems traceroute finds the way to the target, but the answer to the ping from the target does not reach back to the sender.... and for me it is really strange, I cannot understand why this happens