Lans behind OpenVPN

OpenVPN tutorials ranging from configuration to hacks to compilation will be posted here.

Moderators: TinCanTech

Locked
krzee
Forum Team
Posts: 728
Joined: Fri Aug 29, 2008 5:42 pm

Lans behind OpenVPN

Post by krzee » Sun Apr 19, 2009 12:16 am

I made a document to help people understand everything they need to know about setting up a routed VPN where there are LANs behind OpenVPN.
https://community.openvpn.net/openvpn/wiki/RoutedLans

YOU MUST COMPLETELY READ THIS TO UNDERSTAND IT.

Also, don't expect it to walk you through your exact configuration; it exists to teach you about the different options you may need, not to hold your hand.

With that said, this is the place to discuss it.
Last edited by Pippin on Wed Jan 17, 2024 9:13 pm, edited 1 time in total.
Reason: Corrected link

KBerger
OpenVPN User
Posts: 31
Joined: Wed Mar 16, 2011 1:27 pm

Re: Lans behind OpenVPN

Post by KBerger » Fri Mar 18, 2011 5:45 pm

Well, thanks a LOT for this clarification. Just as usual, things become clearer when repeated twice: first time in the official HOWTO and second time here.

Regards,
Kostya

DCh
OpenVpn Newbie
Posts: 1
Joined: Tue Mar 22, 2011 10:47 pm

Re: Lans behind OpenVPN

Post by DCh » Wed Mar 23, 2011 12:14 am

Following instructions, I got the 1st part down
YOU MUST COMPLETELY READ THIS ...
& I've read through this article a couple of times, and am pretty sure it's relevant -- but not directly applicable -- to my setup.

Not doing so good on the 2nd part
... TO UNDERSTAND IT.
I've managed to completely confuse myself so far.

I have:
(1) a local LAN with one desktop & one mail-server, behind a firewall/router.
(2) a remote/hosted Server running a firewall & one web-server

My ascii-art depiction of the system is below.

I want to:
(a) Set up the Hosted Server as an OpenVPN server
(b) Ping from server <-> desktop/client over VPN
(c) Access the web server @ a private IP over an OpenVPN link from the Desktop, i.e., http://10.2.3.4
(d) 'connect/redirect' the HostedServer's port:25 over a 2nd OpenVPN link to the MailServer's port:25,
so mail sent TO 1.2.3.4:25 gets TO the MailServer on the LAN, &
mail sent FROM the MailServer on the LAN appears to originate from the HostedServer @ 1.2.3.4:25

I'm pretty certain I've badly screwed up some combination of routing and firewall rules :-(

I'm hoping to get some guidance as to how to fix what I've done to get it all working.

Here's more info --

ASCII art:

Code:

Hosted Server:
|---------------------------|
| Server (Linux):           |
|        eth0 = 1.2.3.4/24 -|---> (Internet)
|                  |        |
|    Apache -- (listen)     |
|                  |        |
|        tap0 = 10.2.3.4/24 |
|---------------------------|


Office LAN:
|-----------------------------------|
| Router/Firewall (FreeBSD):        |
|   tun0 (pppoe/dsl)= 5.6.7.201/29 -|---> (Internet)
|         |                         |
|       pf firewall                 |
|         |                         |
|   sis0: 10.30.8.1/24 -------|     |
|-----------------------------------|
                              |
                              |---------------------------------------|
                              |                                       |
|--------------------------------|      |--------------------------------|
| Desktop (Linux):            |  |      | MailServer (Linux):         |  |
|   eth0   = 10.30.8.101/24 --|  |      |   eth0   = 10.30.8.110/24 --|  |
|   eth0:1 = 10.101.0.101/24     |      |   eth0:1 = 10.110.0.110/24     |
|--------------------------------|      |--------------------------------|

The pre-OpenVPN routing tables are:

@ HostedServer:

Code:

netstat -nr
 Kernel IP routing table
 Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
 1.2.3.0         0.0.0.0         255.255.255.0   U         0 0          0 eth0
 10.2.3.0        0.0.0.0         255.255.255.0   U         0 0          0 tap0
 127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
 0.0.0.0         1.2.3.1         0.0.0.0         UG        0 0          0 eth0

@ OfficeLAN's Router/Firewall:

Code:

netstat -nr
 Kernel IP routing table
 Destination        Gateway            Flags    Refs      Use  Netif Expire
 default            152.166.181.133    UGS         0  1797052   tun0
 5.6.7.201          152.166.181.133    UGS         0        0   tun0
 5.6.7.202          152.166.181.133    UGS         0        0   tun0
 5.6.7.203          152.166.181.133    UGS         0        0   tun0
 5.6.7.204          152.166.181.133    UGS         0        0   tun0
 5.6.7.205          152.166.181.133    UGS         0        0   tun0
 127.0.0.1          127.0.0.1          UH          0     1094    lo0
 152.166.181.133    5.6.7.206          UH          6        0   tun0
 10.30.8/24         link#1             UC          0        0   sis0
 10.30.8.1          00:00:24:c8:34:77  UHLW        1      716    lo0

As a first step, I've installed OpenVPN server on the HostedServer & the Desktop.

The configs are:

Code:

/etc/openvpn/tls-server.conf 
-------------------------------------------------
local       1.2.3.4
dev         tun1
proto       udp
port        12345
mode        server
daemon
server      10.10.10.0 255.255.255.0
topology   subnet
push "route 10.2.3.0 255.255.255.0 10.10.10.1"
client-to-client
management  127.0.0.1 1195
tls-server
dh          /etc/openvpn/dh2048.pem
ca          /etc/openvpn/ca.crt
cert        /etc/openvpn/server.openvpn.dc.loc.crt
key         /etc/openvpn/server.openvpn.dc.loc.key
tls-auth    /etc/openvpn/shared.ta.key 1
auth        RSA-SHA512
cipher      AES-256-CBC
keepalive   15 45
comp-lzo
ping-timer-rem
persist-tun
persist-key
max-clients 10
client-config-dir ccd
script-security 2 system
verb   5
status      /etc/openvpn/openvpn-status.log
ifconfig-pool-persist /etc/openvpn/ipp.txt
-------------------------------------------------

Code:

/etc/openvpn/ccd/desktop.client.openvpn.dc.loc
-------------------------------------------------
ifconfig-push 10.10.10.2 255.255.255.0
iroute        10.101.0.0 255.255.255.0
-------------------------------------------------

Code:

/etc/openvpn/tls-desktop.client.conf 
-------------------------------------------------
dev        tun
proto      udp
port       12345
mode       p2p
remote     1.2.3.4 12345 udp
topology   subnet
pull
remote-cert-tls server
tls-client
ca         /etc/openvpn/ca.crt
cert       /etc/openvpn/desktop.client.openvpn.dc.loc.crt
key        /etc/openvpn/desktop.client.openvpn.dc.loc.key
tls-auth   /etc/openvpn/shared.ta.key 0
auth       RSA-SHA512
cipher     AES-256-CBC
comp-lzo
persist-tun
persist-key
script-security 2 system
verb   5
status     /etc/openvpn/openvpn-status.log
-------------------------------------------------

With this config, I can bring up the OpenVPN connection, see the interfaces, and
ping from the server to the desktop's VPN endpoint.

I can NOT ping from the desktop to the server's VPN endpoint, or beyond it to the web server.

@ HostedServer

Code:

ifconfig tun1
 tun1     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.10.10.1  P-t-P:10.10.10.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
netstat -rn | egrep -i "tun|tap"
 10.10.10.0      0.0.0.0         255.255.255.0   U         0 0          0 tun1
 10.2.3.0        0.0.0.0         255.255.255.0   U         0 0          0 tap0

ping -c 1 10.10.10.2
 PING 10.10.10.2 (10.10.10.2) 56(84) bytes of data.
 64 bytes from 10.10.10.2: icmp_req=1 ttl=64 time=17.9 ms
ping -c 1 10.2.3.4
 PING 10.2.3.4 (10.2.3.4) 56(84) bytes of data.
 64 bytes from 10.2.3.4: icmp_req=1 ttl=64 time=0.050 ms

@ Desktop

Code:

ifconfig tun0
 tun0     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.10.10.2  P-t-P:10.10.10.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
netstat -rn | grep -i tun
10.10.10.0      0.0.0.0         255.255.255.0   U         0 0          0 tun0
10.2.3.0        10.10.10.1      255.255.255.0   UG        0 0          0 tun0

ping -c 1 10.101.0.101
 PING 10.101.0.101 (10.101.0.101) 56(84) bytes of data.
 64 bytes from 10.101.0.101: icmp_req=1 ttl=64 time=0.041 ms
ping -c 1 10.10.10.1
 PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
(just sits)
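The server config and ccd file in the post above have the shape the RoutedLans document describes, and the document's rule for a LAN behind a client is easy to get half right: the ccd `iroute` tells OpenVPN which client owns the LAN, but the server kernel still needs its own `route` for it, and other clients only reach it if a `push "route ..."` (and `client-to-client`) is present too. The following is an added example, not code from the thread or from the OpenVPN project: a small checker that parses a server config and a ccd directory and reports exactly those gaps. The two configs embedded in it are constructed to mirror the ones posted (the `ifconfig-push`/`iroute` ccd entry for `10.101.0.0/24`, a server config with no `route` for it); the ccd directory is modelled as a dict of file name (client CN) to file contents.

```python
"""Consistency check for a routed-LAN OpenVPN server config and its ccd.
Added example; the two configs below are constructed for the thread's
HostedServer/Desktop setup, not taken from a live system."""
import ipaddress
import shlex

# Constructed server config (only the directives that matter for routing).
SERVER_CONF = """
server      10.10.10.0 255.255.255.0
topology    subnet
push "route 10.2.3.0 255.255.255.0 10.10.10.1"
client-to-client
client-config-dir ccd
"""

# Constructed ccd directory: file name (the client's certificate CN) -> contents.
CCD = {
    "desktop.client.openvpn.dc.loc": """
ifconfig-push 10.10.10.2 255.255.255.0
iroute        10.101.0.0 255.255.255.0
""",
}


def parse(text):
    """Yield (directive, args) pairs; handles quoted arguments and # / ; comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = shlex.split(line)
        yield parts[0], parts[1:]


def as_net(addr, mask="255.255.255.255"):
    """'10.101.0.0', '255.255.255.0' -> IPv4Network('10.101.0.0/24')."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def check(server_conf, ccd):
    """Return a list of findings; an empty list means the LAN routing is consistent."""
    findings = []
    pool, routes, pushed, c2c = None, set(), set(), False
    for directive, args in parse(server_conf):
        if directive == "server":
            pool = as_net(args[0], args[1])
        elif directive == "route":
            routes.add(as_net(*args[:2]))              # gateway/metric args ignored
        elif directive == "push" and args and args[0].startswith("route "):
            pushed.add(as_net(*args[0].split()[1:3]))
        elif directive == "client-to-client":
            c2c = True
    if pool is None:
        return ["server config has no 'server' directive; nothing to check"]
    server_ip = pool.network_address + 1   # the 'server' directive takes the first address

    for cn, text in ccd.items():
        for directive, args in parse(text):
            if directive == "ifconfig-push":
                addr = ipaddress.ip_address(args[0])
                if addr not in pool:
                    findings.append(f"{cn}: ifconfig-push {addr} is outside the pool {pool}")
                elif addr == server_ip:
                    findings.append(f"{cn}: ifconfig-push {addr} collides with the server's own address")
            elif directive == "iroute":
                lan = as_net(*args[:2])
                if lan not in routes:
                    findings.append(
                        f"{cn}: iroute {lan} has no matching "
                        f"'route {lan.network_address} {lan.netmask}' in the server config, "
                        "so the server kernel will never send that LAN's traffic into the tunnel")
                if lan not in pushed:
                    findings.append(
                        f"{cn}: iroute {lan} is not pushed to other clients "
                        f"(push \"route {lan.network_address} {lan.netmask}\"), so only the server can reach it")
    if pushed and not c2c:
        findings.append("no client-to-client: traffic between clients is forwarded by the "
                        "server kernel and must be allowed by its firewall")
    return findings


if __name__ == "__main__":
    for finding in check(SERVER_CONF, CCD):
        print("-", finding)
```

Run against the constructed pair it reports two findings for `10.101.0.0/24`: no server-side `route`, and no pushed route. Adding `route 10.101.0.0 255.255.255.0` and `push "route 10.101.0.0 255.255.255.0"` to the server config makes the check pass; the `ifconfig-push` checks catch a ccd address outside the pool or equal to the server's own `.1`.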

DonJuane
OpenVpn Newbie
Posts: 1
Joined: Thu Dec 01, 2011 2:55 pm

Re: Lans behind OpenVPN

Post by DonJuane » Mon Dec 05, 2011 7:02 am

Thank you for this illustration! It helps. I have one more request. Can you tell me how to configure this same illustrated setup with a slightly major alteration?

I wish to have the same ability to communicate from LAN to LAN to LAN in your single server and two client setup example here, however, I wish for all traffic from all LANs to be routed out only over the server gateway from a routed and not bridged network perspective. Also would like the DNS server used by the server gateway to serve all client stations in addition to the gateway. This will be for a dd-wrt setup if that is important to the solution.

Thanks in advance.

krzee
Forum Team
Posts: 728
Joined: Fri Aug 29, 2008 5:42 pm

Re: Lans behind OpenVPN

Post by krzee » Mon Apr 23, 2012 7:24 am

DonJuane wrote:Thank you for this illustration! It helps. I have one more request. Can you tell me how to configure this same illustrated setup with a slightly major alteration?

I wish to have the same ability to communicate from LAN to LAN to LAN in your single server and two client setup example here, however, I wish for all traffic from all LANs to be routed out only over the server gateway from a routed and not bridged network perspective. Also would like the DNS server used by the server gateway to serve all client stations in addition to the gateway. This will be for a dd-wrt setup if that is important to the solution.

Thanks in advance.
You would first get the LAN routing working with the above document. Then you would start using redirect-gateway def1 on the clients (and enable NAT on the server for the VPN/LAN subnets). Then, when your clients route over the VPN, you would set up your LANs to route using those clients for their default gateway (which is already normal since you said it would run on the routers).
The above document is only for routing to the LANs, but the rest is not too hard. I have been meaning to make a little writeup on routing Internet over VPN, but I haven't gotten around to it.

zothen
OpenVpn Newbie
Posts: 3
Joined: Tue Jun 21, 2011 5:11 pm

Re: Lans behind OpenVPN

Post by zothen » Tue Sep 11, 2012 11:45 pm

Hello krzee and all,

I found your article because I ran into the "bad source address from client" in my Windows OpenVPN server log. In fact, I read pretty much every web page Google could find. But still I can't find an answer to my question.

All discussion about this error seems to assume the client has some static LAN IP that can then be configured on the server with iroute, etc. But one of the biggest use cases is for mobile when connecting with public or not-fully-trusted WIFI hotspots. In this case the client LAN IP addresses will be random, and so all this discussion of setting up the client LAN's IP address as part of the server configuration goes out the window. E.g., 10.x.x.x in one location, 172.16.x.x in the next, etc.

I am sure I am missing something but I'll be a monkey's uncle if I can find it. Could you help?

Some more background, at this point I could care less about VPN access from anything other than the client itself. But in my OpenVPN Server log, I get the "bad source address from client [IP of a proxy server required by a connection from my client, or IP of my WIFI Hotspot gateway]".

I have tried various configurations but here is an example of one that has this problem:
server.ovpn:

port 1194
proto tcp
dev tun
ca "C:\\OpenVPN\\config\\ca.crt"
cert "C:\\OpenVPN\\config\\server.crt"
key "C:\\OpenVPN\\config\\server.key" # This file should be kept secret
dh "C:\\OpenVPN\\easy-rsa\\keys\\dh2048.pem"
server 192.168.69.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway"
duplicate-cn
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
verb 5
topology subnet

client.ovpn:

client
dev tun
proto tcp
remote <my home ip> 443 # my home router NATs to 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
verb 3

My client routes look something like this upon connecting to the server:

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.69.1 0.0.0.0 UG 0 0 0 tun0
<my home ip> 192.168.43.1 255.255.255.255 UGH 0 0 0 wlan0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 wlan0
192.168.43.0 0.0.0.0 255.255.255.0 U 2 0 0 wlan0
192.168.69.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0

In this example, 192.168.43.0 255.255.255.0 happens to be the LAN subnet, but it could change as I go to the next hotspot.

Thanks,
Rob

zothen
OpenVpn Newbie
Posts: 3
Joined: Tue Jun 21, 2011 5:11 pm

Re: Lans behind OpenVPN

Post by zothen » Wed Sep 12, 2012 3:48 pm

I just saw one mistake in my above message:

"or IP of my WIFI Hotspot gateway"

should be

"or IP of the 4G wifi hotspot".

Also to make sure it is very clear, in all cases I am trying to route all internet traffic from the client to the server. In some cases (at work) I will allow some private subnet range to be routed to the local lan and not to the VPN. In all cases my VPN server is running on Windows. The clients will be Windows, Linux, and Android.

Various websites and documentation talk about the use of iptables to route all internet traffic through the VPN server, but I am very confused as I have routed all internet traffic through the VPN server in the past without the use of iptables. The first time I did it was to my own Windows VPN server set up in TAP bridged mode. More recently, I have been using a OpenVPN service provider and my client is set up in TUN mode. No iptables usage on the client in either case and I'm able to route all internet traffic through the OpenVPN server just fine.

konqstar
OpenVpn Newbie
Posts: 5
Joined: Wed Jan 22, 2014 9:29 pm

Re: Lans behind OpenVPN

Post by konqstar » Fri Jan 24, 2014 5:03 pm

@ krzee

What could one do if, say, in your particular example "client1 with lan 10.10.1.0" has an IP in that LAN like 10.10.1.120 and that is allocated to a bridged interface, as this client1 is a hypervisor for 5 VMs that are also members of the 10.10.1.0 LAN?

In my case:

Code:

root@client1:/home# route -een
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface    MSS   Window irtt
0.0.0.0         WAN_GW     0.0.0.0         UG    0      0        0 eth0     0     0      0
10.8.0.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun0     0     0      0
10.8.0.5        0.0.0.0          255.255.255.255 UH    0      0        0 tun0     0     0      0
10.10.1.0       0.0.0.0         255.255.255.0   U     0      0        0 xenbr0   0     0      0
WAN            WAN_GW     255.255.255.224 UG    0      0        0 eth0     0     0      0
WAN             0.0.0.0         255.255.255.224 U     0      0        0 eth0     0     0      0

After following your example, I ended up with:

Code:

root@client1:/home# route -een
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface    MSS   Window irtt
0.0.0.0         WAN_GW     0.0.0.0         UG    0      0        0 eth0     0     0      0
10.8.0.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun0     0     0      0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0     0     0      0
10.10.1.0       10.8.0.5        255.255.255.0   UG    0      0        0 tun0     0     0      0
10.10.1.0       0.0.0.0         255.255.255.0   U     0      0        0 xenbr0   0     0      0
WAN             WAN_GW     255.255.255.224 UG    0      0        0 eth0     0     0      0
WAN             0.0.0.0         255.255.255.224 U     0      0        0 eth0     0     0      0

Which obviously made my virtual machines inaccessible...
I know there's a fix for this as I saw this setup before somewhere, but I was curious what you would suggest.

Many many thanks for your comprehensive tutorial.

Cheers.

yetanotherlogin
OpenVpn Newbie
Posts: 3
Joined: Sat Aug 29, 2015 8:45 am

Re: Lans behind OpenVPN

Post by yetanotherlogin » Sat Aug 29, 2015 11:34 pm

It isn't entirely clear to me whether or not this setup will help with what I am trying to do.

Code:

LAN client (cell phone/computer/etc) via wifi
                |
                v
Wifi AP Router:
wlan0 local area network
using iptables masquerading to route through eth0
eth0 connects to internet 
via openvpn client
                |
                v
openvpn server

I simply want to have masqueraded values travelling through eth0 to go out to the openvpn server. Is there a way to only have the openvpn client handle traffic on a single device? I am really confused about what I need to be doing. I have tried adding iroutes and using ccd, but I am thinking that since I don't intend to give networks on either side access to one another that the iroute/ccd solution isn't actually going to solve my particular problem.

On the openvpn server (as it is right now) I am seeing errors like:
MULTI: bad source address from client [192.168.42.11], packet dropped
which lead me to try out the iroute solution. Maybe I should just stop using masquerading? The clients connect and data is being sent all the way to the openvpn server, but DNS doesn't appear to be working. I cannot ping anything on the internet (eg google.com) from the LAN clients which is my only goal here.
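The `MULTI: bad source address from client [...]` line quoted above (and the one zothen hit earlier in the thread) is OpenVPN's anti-spoofing check: a client may only send packets whose source is its own tunnel address or a LAN it has an `iroute` for; anything else is dropped. In the setup drawn above the router masquerades on eth0, which never touches packets that go into tun0, so the server sees the LAN clients' own 192.168.42.x addresses. Either give that client an `iroute` for the LAN (plus a matching `route` on the server, as the RoutedLans document requires) or masquerade on the router's tun interface instead so the packets carry the client's VPN address. The following is an added example, not code from the thread or from OpenVPN: it parses a log excerpt, classifies each dropped source against what the server knows, and for LAN sources emits the `iroute`/`route` lines. The VPN pool, the per-client iroute table and the log lines are all constructed for this scenario; the `<cn>/<ip>:<port>` prefix on the log lines is an assumption about OpenVPN's per-client log layout, and the /24 used to collapse sources into a network is an assumption too, since the log carries no mask.

```python
"""Triage of OpenVPN 'bad source address from client' log lines.
Added example; server-side facts and log excerpt are constructed for the
thread's scenario (LAN masqueraded on eth0 of a router that runs the client)."""
import ipaddress
import re

# Constructed server-side facts: the pool from the 'server' directive and the
# LANs each client CN claims with 'iroute' in its ccd file.
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")
IROUTES = {"ap-router": [], "office": [ipaddress.ip_network("10.101.0.0/24")]}

# Constructed log excerpt (assumed "<cn>/<ip>:<port>" per-client prefix).
SAMPLE_LOG = """\
Sat Aug 29 11:30:01 2015 ap-router/203.0.113.7:49152 MULTI: bad source address from client [192.168.42.11], packet dropped
Sat Aug 29 11:30:02 2015 ap-router/203.0.113.7:49152 MULTI: bad source address from client [192.168.42.12], packet dropped
Sat Aug 29 11:30:04 2015 ap-router/203.0.113.7:49152 MULTI: bad source address from client [10.101.0.50], packet dropped
Sat Aug 29 11:30:05 2015 ap-router/203.0.113.7:49152 MULTI: bad source address from client [10.8.0.6], packet dropped
Sat Aug 29 11:30:09 2015 ap-router/203.0.113.7:49152 VERIFY OK: depth=0, CN=ap-router
"""

BAD_SRC = re.compile(
    r"(?P<cn>[^\s/]+)/(?P<peer>[\d.]+):\d+ "
    r"MULTI: bad source address from client \[(?P<src>[^\]]+)\], packet dropped"
)


def classify(cn, src):
    """Explain why OpenVPN refused a packet with source 'src' from client 'cn'."""
    addr = ipaddress.ip_address(src)
    if addr in VPN_POOL:
        return "pool-address-not-owned"            # another client's tunnel IP, or spoofed
    for other, lans in IROUTES.items():
        if any(addr in lan for lan in lans):
            if other == cn:
                return "iroute-configured-but-not-applied"   # ccd not read for this CN?
            return "iroute-belongs-to-" + other    # LAN is claimed by a different client
    if addr.is_private:
        return "lan-without-iroute"                # LAN behind this client, no iroute/route
    return "foreign-source"                        # e.g. forwarded Internet traffic


def triage(log_text):
    """Return one record per dropped packet found in the log."""
    records = []
    for line in log_text.splitlines():
        m = BAD_SRC.search(line)
        if m:
            records.append({"cn": m["cn"], "src": m["src"],
                            "cause": classify(m["cn"], m["src"])})
    return records


def suggest(records, prefixlen=24):
    """Collapse each client's 'lan-without-iroute' sources into networks
    (prefixlen is an assumption; the log carries no mask) and return the
    ccd and server-config lines that would make them routable."""
    lans = {}
    for r in records:
        if r["cause"] == "lan-without-iroute":
            net = ipaddress.ip_network(f"{r['src']}/{prefixlen}", strict=False)
            lans.setdefault(r["cn"], set()).add(net)
    return {
        cn: {
            "ccd": [f"iroute {n.network_address} {n.netmask}" for n in sorted(nets)],
            "server": [f"route {n.network_address} {n.netmask}" for n in sorted(nets)],
        }
        for cn, nets in lans.items()
    }


if __name__ == "__main__":
    recs = triage(SAMPLE_LOG)
    for r in recs:
        print(r)
    print(suggest(recs))
```

On the constructed log the two 192.168.42.x drops become one suggested `iroute 192.168.42.0 255.255.255.0` for the `ap-router` ccd file with the matching server `route`; the 10.101.0.50 drop is flagged as a LAN that belongs to a different client's iroute, and the 10.8.0.6 drop as a pool address this client does not own, which is the case the anti-spoofing check exists for and should not be "fixed" with an iroute.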

krzee
Forum Team
Posts: 728
Joined: Fri Aug 29, 2008 5:42 pm

Re: Lans behind OpenVPN

Post by krzee » Wed Jan 13, 2016 9:17 pm

This thread was for the document, not for helping with everybody's individual use case. I guess I am going to lock the thread.
