LAN-to-LAN, both behind router

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech

scimmiettarossa
OpenVpn Newbie
Posts: 10
Joined: Mon Sep 27, 2021 8:42 pm

LAN-to-LAN, both behind router

Post by scimmiettarossa » Mon Sep 27, 2021 8:54 pm

Hi everyone... probably there are other posts on the (almost) same topic, but I am a bit confused!

I need to configure a LAN2LAN vpn, where the vpn servers are behind routers, at both ends of the connection.

In detail, I have two home networks, connected to the internet via two modem/routers. Neither has openvpn capability, so I set up the vpn software on two raspberry pi's, but I can not understand how to configure them: both as server? one as a server and one as a client? I tried to read the wiki carefully, but I am not an expert, so I would appreciate some help

by the way, do I need a public static IP on both sides? at the moment I have a static public IP on one side (site A), and a private dynamic IP on the other (site B)

btw: I've been able to make a client-to-lan connection from site B to the lan on site A, but not yet a full lan to lan

thanks in advance
rosanna

scimmiettarossa
OpenVpn Newbie
Posts: 10
Joined: Mon Sep 27, 2021 8:42 pm

Re: LAN-to-LAN, both behind router

Post by scimmiettarossa » Tue Oct 12, 2021 7:15 pm

anyone around there have some suggestions?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: LAN-to-LAN, both behind router

Post by TinCanTech » Tue Oct 12, 2021 7:24 pm

Start here:
https://community.openvpn.net/openvpn/wiki/HOWTO

Also, do a search for pivpn

scimmiettarossa
OpenVpn Newbie
Posts: 10
Joined: Mon Sep 27, 2021 8:42 pm

Re: LAN-to-LAN, both behind router

Post by scimmiettarossa » Tue Oct 19, 2021 5:00 pm

thanks, but obviously these are the steps I already did.. I asked for help because clearly I was not able to go beyond a client2lan configuration

pivpn is even more cryptic!

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: LAN-to-LAN, both behind router

Post by TinCanTech » Tue Oct 19, 2021 9:58 pm

scimmiettarossa wrote:
Tue Oct 19, 2021 5:00 pm
thanks, but obviously these are the steps I already did..
So, how far did you get ?
scimmiettarossa wrote:
Tue Oct 19, 2021 5:00 pm
I asked for help because clearly I was not able to go beyond a client2lan configuration
Clear as my crystal ball ..
scimmiettarossa wrote:
Tue Oct 19, 2021 5:00 pm
pivpn is even more cryptic!
If you don't understand pivpn then I fear you are out of your depth.

The place to start is the Howto. Which is why it has been written.

And we have written this too: viewtopic.php?f=30&t=22603#p68963

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: LAN-to-LAN, both behind router

Post by 300000 » Wed Oct 20, 2021 3:54 pm

You need to write down all the server config and client config so we can help you. Only saying "site to site", how can we help?

scimmiettarossa
OpenVpn Newbie
Posts: 10
Joined: Mon Sep 27, 2021 8:42 pm

Re: LAN-to-LAN, both behind router

Post by scimmiettarossa » Sun Nov 07, 2021 9:46 pm

sorry for the delay,but I had some family issues

anyway: now I've got some improvements:
  • raspberry in LAN A is set as openvpn server (see server config below)
  • raspberry in LAN B is set as an openvpn client (see client config below)
  • IP forwarding is set on both the raspberries
  • set a static route on gateway "A", to redirect requests to LAN B addresses to the raspberry (server) on LAN A
  • set a static route on gateway "B", to redirect requests to LAN A addresses to the raspberry (client) on LAN B
  • now ANY machine on LAN A can reach ANY machine on LAN B
  • raspberry B can reach ANY machine on LAN A
  • the other machines on LAN B can reach raspberry A
  • but the other machines on LAN B are not able to reach the other machines on LAN A
it seems that the client raspberry in LAN B is not able to redirect requests to LAN A, or that the answers from LAN A are not able to reach back to the originating machine

what am I missing? any help, as usual, is very appreciated!!

server.conf:

dev tun
proto udp
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/xxxxx.crt
key /etc/openvpn/easy-rsa/pki/private/xxxxx.key
dh none
ecdh-curve prime256v1
topology subnet
server 10.13.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "route 192.168.14.0 255.255.255.0"
push "route 192.168.15.0 255.255.255.0"
route 192.168.15.0 255.255.255.0
client-to-client
# Prevent DNS leaks on Windows
push "block-outside-dns"
push "redirect-gateway def1"
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 10 30
persist-key
persist-tun
#############################################
remote-cert-tls client
explicit-exit-notify 1
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
file "remoteB" in subdir ccd of server:

ifconfig-push 10.8.13.12 255.255.255.0
iroute 192.168.15.0 255.255.255.0
file "remoteB.conf" on client in LAN B

client
dev tun
proto udp
remote <IP> <port>
resolv-retry infinite
nobind
remote-cert-tls server
tls-version-min 1.2
verify-x509-name cubie-rox_7b673588-82aa-4364-8097-a6755973420b name
cipher AES-256-CBC
auth SHA256
auth-nocache
pull-filter ignore "redirect-gateway def1"
route 192.168.14.0 255.255.255.0
keepalive 10 30
ping-timer-rem
persist-key
persist-tun
verb 3
#
<ca>
-----BEGIN CERTIFICATE-----
blablabla
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
blablabla
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
blablabla
-----END PRIVATE KEY-----
</key>
<tls-crypt>

-----BEGIN OpenVPN Static key V1-----
blablabla
-----END OpenVPN Static key V1-----
</tls-crypt>

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: LAN-to-LAN, both behind router

Post by 300000 » Mon Nov 08, 2021 10:01 am

server 10.13.0.0 255.255.255.0
push "route 192.168.15.0 255.255.255.0"
route 192.168.15.0 255.255.255.0

You can't add route and push route as you don't understand how route works.
Add route means that route from the client is added into the server routing tables. The client doesn't need that route anyway. Push route is a subnet from the server, so the client can access more than one subnet, so we need to push that subnet down to the client.
You just randomly add and push as you think; it will not work.

Lastly, without posting the subnets nobody knows how to help
ifconfig-push 10.8.13.12 255.255.255.0

This is a wrong config. If you like to assign a static ip to the client it should be in the same range, as ifconfig-push 10.13.0.* 255.255.255.0

The name of the file in the ccd folder must be the same as the client certificate name or it will not work.

You need to post full logs on server and client; they will tell which routes are added or not.

scimmiettarossa
OpenVpn Newbie
Posts: 10
Joined: Mon Sep 27, 2021 8:42 pm

Re: LAN-to-LAN, both behind router

Post by scimmiettarossa » Mon Nov 08, 2021 2:29 pm

sorry, but I do not understand some of your sentences:
Add route mean that route from client to add into server routing tables
Push route is subnet from server so client can access more than one subnet so we need push that subnet down to client
The last without post subnet nobody know how to help
.. probably it is my poor English, but really I do not understand

for what regards the following:
If you like to assign static ip to client it should be the same range as ifconfig-push 10.13.0.* 255.255.255.0
it is already in the same range
Name of file in ccd folder must be name as client certificate or it will not work.
name in ccd is the same (as written in the post)

anyway, with the above configuration, at least it is working 75% of what I'm expecting: I already know that I'm making some mistake... otherwise I wouldn't have written this post.. I need some help in understanding, and perhaps some advice, or simply an example of a working lan-to-lan;

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: LAN-to-LAN, both behind router

Post by 300000 » Mon Nov 08, 2021 3:40 pm

server 10.13.0.0 255.255.255.0
ifconfig-push 10.8.13.12 255.255.255.0

It is not the same range, as 10.13.0.0 and 10.8.13.12 look different to me. I don't know why you said it is in the range.

In your server config it has this line route 192.168.15.0 255.255.255.0, do you know what it does? Then you got this push "route 192.168.15.0 255.255.255.0".

You have two homes and two routers which have two subnets, but you did not post any of those subnets; only you know that, and you hope someone from the internet will help you solve your trouble?

Only you can correct it and try to deal with that, as nobody knows which router subnet connects to which subnet.

scimmiettarossa
OpenVpn Newbie
Posts: 10
Joined: Mon Sep 27, 2021 8:42 pm

Re: LAN-to-LAN, both behind router

Post by scimmiettarossa » Mon Nov 08, 2021 3:56 pm

oppss.. sorry.. you are right... it was a typo in the transcription.. I meant:
server 10.13.0.0 255.255.255.0
ifconfig-push 10.13.0.12 255.255.255.0

the two subnets are 192.168.14.0/24 in the LAN A, and 192.168.15.0/24 in the LAN B

the subnet of the tunnel is 10.13.0.0/24.. in this subnet, the LAN A openvpn server is 10.13.0.1, while the client in LAN B is 10.13.0.12

why do you say I didn't post any of those subnet????

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: LAN-to-LAN, both behind router

Post by 300000 » Mon Nov 08, 2021 4:08 pm

You should back up all configs and then change as follows.

In the server config remove this line push "route 192.168.15.0 255.255.255.0" and leave route 192.168.15.0 255.255.255.0 in the config as it needs to be added into the server routing table.

correct the lines in remoteB as

ifconfig-push 10.13.0.12 255.255.255.0
iroute 192.168.15.0 255.255.255.0

In the client config remove this line route 192.168.14.0 255.255.255.0

on both server and client delete all static routes you added before.

then make sure both server and client do NAT and IP forwarding, then try it again. When connected, just try from one client in the client subnet a tracert to one client in the server subnet to see where it stops.
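The rules 300000 applies in this post and in the earlier one (ifconfig-push inside the server subnet, a route line on the server for every iroute in the ccd file, and no push "route ..." of the client's own LAN back to that client) can be checked mechanically. The checker below is an added example, not code from the thread or from OpenVPN; the config excerpts it embeds are constructed from the ones posted above, and the ccd-filename-equals-certificate-CN rule is deliberately left out because it needs the certificate.

```python
import ipaddress
import shlex

# Constructed excerpts of the configs posted in this thread (not the full files).
SERVER_CONF = """
topology subnet
server 10.13.0.0 255.255.255.0
push "route 192.168.14.0 255.255.255.0"
push "route 192.168.15.0 255.255.255.0"
route 192.168.15.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
"""
CCD_REMOTEB = """
ifconfig-push 10.8.13.12 255.255.255.0
iroute 192.168.15.0 255.255.255.0
"""

def parse_directives(text):
    """Return (directive, [args]) pairs from an OpenVPN config, skipping comments and blanks."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)  # keeps push "route a b" as one quoted argument
            out.append((parts[0], parts[1:]))
    return out

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def check_site_to_site(server_text, ccd_text):
    """Return a list of findings for a LAN-to-LAN setup; an empty list means all checks passed.
    Not checked: the ccd file name must equal the client certificate CN (needs the cert itself)."""
    findings = []
    vpn_net, server_routes, pushed_routes = None, set(), set()
    for name, args in parse_directives(server_text):
        if name == "server" and len(args) >= 2:
            vpn_net = net(args[0], args[1])            # tunnel subnet handed out to clients
        elif name == "route" and len(args) >= 2:
            server_routes.add(net(args[0], args[1]))   # kernel route on the server side
        elif name == "push" and args:
            sub = args[0].split()
            if len(sub) >= 3 and sub[0] == "route":
                pushed_routes.add(net(sub[1], sub[2]))  # route handed to every client
    iroutes = set()
    for name, args in parse_directives(ccd_text):
        if name == "iroute" and len(args) >= 2:
            iroutes.add(net(args[0], args[1]))         # LAN that lives behind this client
        elif name == "ifconfig-push" and args:
            ip = ipaddress.ip_address(args[0])
            if vpn_net is not None and ip not in vpn_net:
                findings.append(f"ifconfig-push {ip} is outside the VPN subnet {vpn_net}")
    for lan in iroutes:
        if lan not in server_routes:
            findings.append(f"iroute {lan} has no matching 'route' line in the server config")
        if lan in pushed_routes:
            findings.append(f"server pushes route {lan} back to the client that owns it")
    return findings

if __name__ == "__main__":
    for finding in check_site_to_site(SERVER_CONF, CCD_REMOTEB):
        print("FINDING:", finding)
```

Run against the posted excerpts it reports the out-of-range ifconfig-push and the pushed 192.168.15.0/24 route; with the two fixes 300000 asks for, it reports nothing.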

scimmiettarossa
OpenVpn Newbie
Posts: 10
Joined: Mon Sep 27, 2021 8:42 pm

Re: LAN-to-LAN, both behind router

Post by scimmiettarossa » Sun Nov 14, 2021 9:07 pm

thanks for the reply

I tried, but no change..

and, if I remove the static routes from the routers (that are NOT the same machines as the openvpn server and client), everything stops working (apart from the basic connection between the openvpn server and openvpn client...).. so I think that on the routers the static routes are needed
the ip forwarding is set on both the server / client machines... while I do not fully understand how and where to set the NAT

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: LAN-to-LAN, both behind router

Post by 300000 » Sun Nov 14, 2021 9:23 pm

Just do NAT and ipforward on both server and client so it will work. How do you set up your server? You must do the same on the client.

You don't need static routes as this route will be done by iroute in the file in the ccd folder. This is how openvpn works, or you need to read the how to again.

scimmiettarossa
OpenVpn Newbie
Posts: 10
Joined: Mon Sep 27, 2021 8:42 pm

Re: LAN-to-LAN, both behind router

Post by scimmiettarossa » Sun Nov 14, 2021 10:13 pm

you continue to repeat that I need to read the how to again.... but, I repeat: if I remove the static route from the routers (that are NOT the same machines as the openvpn machines), the connection is limited to the two openvpn machines (server and client) ONLY!

with the static routes activated, ANY machine on LAN A is able to see ANY machine on LAN B (but not in the opposite direction)...

and, to confirm this, at this link: https://openvpn.net/community-resources ... ini-howto/ it is written:
Allow client to reach entire server subnet

Suppose the OpenVPN server is on a subnet 192.168.4.0/24. Add the following to client configuration:

route 192.168.4.0 255.255.255.0

Then on the server side, add a route to the server's LAN gateway that routes 10.8.0.2 to the OpenVPN server machine (only necessary if the OpenVPN server machine is not also the gateway for the server-side LAN). Also, don't forget to enable IP Forwarding on the OpenVPN server machine.
I tried what you suggested above:
You should back up all configs and then change as follows.

In the server config remove this line push "route 192.168.15.0 255.255.255.0" and leave route 192.168.15.0 255.255.255.0 in the config as it needs to be added into the server routing table.

correct the lines in remoteB as

ifconfig-push 10.13.0.12 255.255.255.0
iroute 192.168.15.0 255.255.255.0

In the client config remove this line route 192.168.14.0 255.255.255.0

on both server and client delete all static routes you added before.

then make sure both server and client do NAT and IP forwarding, then try it again. When connected, just try from one client in the client subnet a tracert to one client in the server subnet to see where it stops.
...but in this case NOTHING works....

so, the problem is somewhere else

nevertheless, thanks for your time

anyone else in my situation, out there?
Last edited by scimmiettarossa on Sun Nov 14, 2021 10:26 pm, edited 1 time in total.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: LAN-to-LAN, both behind router

Post by TinCanTech » Sun Nov 14, 2021 10:19 pm

scimmiettarossa wrote:
Sun Nov 14, 2021 10:13 pm
with the static routes activated, ANY machine on LAN A is able to see ANY machine on LAN B (but not in the opposite direction)...
If what you say is true then the traffic is being filtered by a firewall.

scimmiettarossa
OpenVpn Newbie
Posts: 10
Joined: Mon Sep 27, 2021 8:42 pm

Re: LAN-to-LAN, both behind router

Post by scimmiettarossa » Sun Nov 14, 2021 10:48 pm

mmhh... actually it could be a firewall issue.. because I discovered something more:

with my present configuration:
-- openvpn client B sees openvpn server A
-- openvpn server A sees openvpn client B
-- any machine in LAN A sees any machine in LAN B
-- openvpn client B sees any machine in LAN A
-- other machines in LAN B see only openvpn server A, but not the other machines in LAN A

actually, when, from a machine on LAN B (not the openvpn client) I try to ping different machines on LAN A, I have the following answers:

ping -c 4 192.168.14.17   # this is the openvpn server on LAN A
PING 192.168.14.17 (192.168.14.17) 56(84) bytes of data.
64 bytes from 192.168.14.17: icmp_seq=1 ttl=63 time=28.2 ms
64 bytes from 192.168.14.17: icmp_seq=2 ttl=63 time=33.4 ms
64 bytes from 192.168.14.17: icmp_seq=3 ttl=63 time=28.2 ms
64 bytes from 192.168.14.17: icmp_seq=4 ttl=63 time=34.0 ms

--- 192.168.14.17 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 28.163/30.929/33.979/2.767 ms

ping -c 4 192.168.14.110  # this is another machine on LAN A
PING 192.168.14.110 (192.168.14.110) 56(84) bytes of data.
From 192.168.15.1 icmp_seq=1 Redirect Host(New nexthop: 192.168.15.100)
From 10.13.0.1 icmp_seq=1 Destination Host Unreachable
From 10.13.0.1 icmp_seq=2 Destination Host Unreachable
From 10.13.0.1 icmp_seq=3 Destination Host Unreachable
From 10.13.0.1 icmp_seq=4 Destination Host Unreachable

--- 192.168.14.110 ping statistics ---
4 packets transmitted, 0 received, +5 errors, 100% packet loss, time 3040ms
pipe 4
so, from last output, it seems to me that the attempt to ping the LAN A machine is redirected to the openvpn client (192.168.15.100), but then it stops.

I should understand how to find the firewall rules (on the vpn client? on the router?)

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: LAN-to-LAN, both behind router

Post by TinCanTech » Sun Nov 14, 2021 11:23 pm

300000 wrote:
Sun Nov 14, 2021 9:23 pm
Just do nat and ipforward on both server and client so it will work
You probably forgot the client or some route ..

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: LAN-to-LAN, both behind router

Post by 300000 » Mon Nov 15, 2021 12:33 pm

scimmiettarossa wrote:
Sun Nov 14, 2021 10:48 pm
mmhh... actually it could be a firewall issue.. because I discovered something more:

with my present configuration:
-- openvpn client B sees openvpn server A
-- openvpn server A sees openvpn client B
-- any machine in LAN A sees any machine in LAN B
-- openvpn client B sees any machine in LAN A
-- other machines in LAN B see only openvpn server A, but not the other machines in LAN A

actually, when, from a machine on LAN B (not the openvpn client) I try to ping different machines on LAN A, I have the following answers:

ping -c 4 192.168.14.17   # this is the openvpn server on LAN A
PING 192.168.14.17 (192.168.14.17) 56(84) bytes of data.
64 bytes from 192.168.14.17: icmp_seq=1 ttl=63 time=28.2 ms
64 bytes from 192.168.14.17: icmp_seq=2 ttl=63 time=33.4 ms
64 bytes from 192.168.14.17: icmp_seq=3 ttl=63 time=28.2 ms
64 bytes from 192.168.14.17: icmp_seq=4 ttl=63 time=34.0 ms

--- 192.168.14.17 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 28.163/30.929/33.979/2.767 ms

ping -c 4 192.168.14.110  # this is another machine on LAN A
PING 192.168.14.110 (192.168.14.110) 56(84) bytes of data.
From 192.168.15.1 icmp_seq=1 Redirect Host(New nexthop: 192.168.15.100)
From 10.13.0.1 icmp_seq=1 Destination Host Unreachable
From 10.13.0.1 icmp_seq=2 Destination Host Unreachable
From 10.13.0.1 icmp_seq=3 Destination Host Unreachable
From 10.13.0.1 icmp_seq=4 Destination Host Unreachable

--- 192.168.14.110 ping statistics ---
4 packets transmitted, 0 received, +5 errors, 100% packet loss, time 3040ms
pipe 4
so, from last output, it seems to me that the attempt to ping the LAN A machine is redirected to the openvpn client (192.168.15.100), but then it stops.

I should understand how to find the firewall rules (on the vpn client? on the router?)


That is when iroute will do routing in the server. When the client connects to the server, the server scans the ccd folder and if it finds a file named the same as the client's certificate then it will execute all commands contained in that file.

If everything is correct, when the client connects it will add to the server a route like this

route add 192.168.15.0 mask 255.255.255.0 10.13.0.12


You can check when the client connects on a terminal to see if any route is added to the server or not. Open a terminal and type

ip route


That is why when you ping it stops at the server ip. The server routing table doesn't have a route to the 192.168.15.0 subnet.
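To check whether the route 300000 describes actually landed in the server's kernel table, the added example below (not from the thread) parses Linux ip route output and does a longest-prefix lookup of a LAN B address, showing where the server would send a reply with and without the iroute-derived entry. Both routing tables are constructed samples, not output captured from the thread.

```python
import ipaddress
import re

# Constructed sample of `ip route` output on the LAN A server once the ccd
# iroute has taken effect (not output captured from the thread).
IP_ROUTE_OK = """\
default via 192.168.14.1 dev eth0
10.13.0.0/24 dev tun0 proto kernel scope link src 10.13.0.1
192.168.14.0/24 dev eth0 proto kernel scope link src 192.168.14.17
192.168.15.0/24 via 10.13.0.12 dev tun0
"""
# The same table without the iroute-derived entry: the failure described above.
IP_ROUTE_MISSING = "\n".join(IP_ROUTE_OK.splitlines()[:3]) + "\n"

ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?: via (?P<via>\S+))? dev (?P<dev>\S+)")

def parse_ip_route(text):
    """Parse `ip route` lines into (destination network, next hop or None, device) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue   # ignore lines in a shape this small parser does not know
        dst = m.group("dst")
        network = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        via = ipaddress.ip_address(m.group("via")) if m.group("via") else None
        routes.append((network, via, m.group("dev")))
    return routes

def lookup(text, dst_ip):
    """Longest-prefix match: the (network, via, dev) the kernel would use for dst_ip, or None."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [r for r in parse_ip_route(text) if ip in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)

def iroute_installed(text, remote_lan, client_vpn_ip, tun_dev="tun0"):
    """True when remote_lan is routed to the client's VPN address over the tun device,
    i.e. the entry an iroute in the client's ccd file should have produced."""
    lan = ipaddress.ip_network(remote_lan)
    hop = ipaddress.ip_address(client_vpn_ip)
    return any(n == lan and via == hop and dev == tun_dev for n, via, dev in parse_ip_route(text))

if __name__ == "__main__":
    for name, table in (("with iroute", IP_ROUTE_OK), ("without iroute", IP_ROUTE_MISSING)):
        print(name, "->", iroute_installed(table, "192.168.15.0/24", "10.13.0.12"),
              "| reply to 192.168.15.37 goes", lookup(table, "192.168.15.37"))
```

Without the tunnel route, a reply to 192.168.15.37 matches only the default route and leaves on eth0 towards the LAN gateway instead of tun0.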

scimmiettarossa
OpenVpn Newbie
Posts: 10
Joined: Mon Sep 27, 2021 8:42 pm

Re: LAN-to-LAN, both behind router

Post by scimmiettarossa » Tue Nov 23, 2021 8:42 pm

I've tried a lot of configurations, with no success.

as I said before, if I ping a machine on LAN A (not the server) from a machine on LAN B (not the client), there is no result:

ping -c 4 192.168.14.110  # this is another machine on LAN A
PING 192.168.14.110 (192.168.14.110) 56(84) bytes of data.
From 192.168.15.1 icmp_seq=1 Redirect Host(New nexthop: 192.168.15.100)
From 10.13.0.1 icmp_seq=1 Destination Host Unreachable
From 10.13.0.1 icmp_seq=2 Destination Host Unreachable
From 10.13.0.1 icmp_seq=3 Destination Host Unreachable
From 10.13.0.1 icmp_seq=4 Destination Host Unreachable

--- 192.168.14.110 ping statistics ---
4 packets transmitted, 0 received, +5 errors, 100% packet loss, time 3040ms
pipe 4
but if I run a traceroute to the same IP:

traceroute 192.168.14.110
traceroute to 192.168.14.110 (192.168.14.110), 30 hops max, 60 byte packets
 1  fritz.box (192.168.15.1)  0.553 ms  0.747 ms  0.658 ms
 2  mediarox-mum.fritz.box (192.168.15.100)  8.859 ms  8.852 ms  8.802 ms
 3  10.13.0.1 (10.13.0.1)  32.390 ms  34.284 ms  34.254 ms
 4  192.168.14.110 (192.168.14.110) 114.630 ms  118.797 ms  118.708 ms
so it seems traceroute finds the way to the target, but the answer to the ping from the target does not reach back to the sender.... and to me this is really strange, I can not understand why this happens
