My VPN client can't connect to another VPN client's LAN via ssh

pk23
OpenVpn Newbie
Posts: 4
Joined: Thu Mar 10, 2022 12:30 pm

My VPN client can't connect to another VPN client's LAN via ssh

Post by pk23 » Fri Mar 11, 2022 3:19 pm

Hello, here is my network configuration.
LAN1: 10.128.10.0/24
openvpn_server:
local ip: 10.128.10.18
vpn tunnel ip: 10.8.0.1

LAN2: 192.168.20.0/24
PC2_1 (openvpn_client) => CN= client2:
local ip: 192.168.20.4
vpn tunnel ip: 10.8.0.200
PC2_2 :
local ip: 192.168.20.5
(it is not in VPN)

LAN3: 192.168.176.0/24
PC3_1 (openvpn_client) => CN=client1:
local ip: 192.168.176.25
vpn tunnel ip: 10.8.0.100

And I can use PC3_1 to ping PC2_2.

My problem is that PC3_1 can't connect via ssh to PC2_2, even though ssh is available and enabled on PC2_2. In fact I believe that, apart from ping, which works, I can't reach any other service of PC2_2 from the PC3_1 machine.
Correct me if I'm wrong, but once I can ping an address, normally I can access the services of that address.

This is my config:
#### For openvpn_server:

>> cat /etc/openvpn/server/server.conf

port 1800
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key  # This file should be kept secret

dh none

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt


push "route 192.168.20.0 255.255.255.0"
push "route 192.168.176.0 255.255.255.0"

route 192.168.20.0 255.255.255.0
route 192.168.176.0 255.255.255.0

client-config-dir /etc/openvpn/server/ccd
ccd-exclusive

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"


client-to-client

keepalive 10 120

tls-crypt ta.key
cipher AES-256-GCM
auth SHA256

user nobody
group nogroup

persist-key
persist-tun

status /var/log/openvpn/openvpn-status.log

crl-verify crl.pem

verb 3

explicit-exit-notify 1
>> route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    0      0        0 ens160
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.128.10.0     0.0.0.0         255.255.255.224 U     0      0        0 ens160
192.168.20.0    10.8.0.2        255.255.255.0   UG    0      0        0 tun0
192.168.176.0   10.8.0.2        255.255.255.0   UG    0      0        0 tun0
#### For openvpn_clients:
# Config client

client
dev tun
proto udp
remote Public_ip 1800
resolv-retry infinite
nobind

user nobody
group nogroup

persist-key
persist-tun

key-direction 1
remote-cert-tls server

cipher AES-256-GCM
auth SHA256

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

verb 3

<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ...
        Signature Algorithm: ecdsa-with-SHA512
        Issuer: CN=certificat
        Validity
            Not Before: Mar  9 15:49:26 2022 GMT
            Not After : Feb 21 15:49:26 2025 GMT
        Subject: CN=client2 # Same for client1
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    ...
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                ...
            X509v3 Authority Key Identifier: 
                ...
                DirName:/CN=certificat
                serial:...

            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Key Usage: 
                Digital Signature
    Signature Algorithm: ecdsa-with-SHA512
         ...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-crypt>

# For PC3_1
>> cat /etc/openvpn/server/ccd/client1

ifconfig-push 10.8.0.100 255.255.255.0
iroute 192.168.176.0 255.255.255.0
>> route

Table de routage IP du noyau
Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
0.0.0.0         255.255.255.0   128.0.0.0       UG    0      0        0 tun0
default         _gateway        0.0.0.0         UG    600    0        0 wlan0
10.8.0.0        255.255.255.0   255.255.255.0   UG    0      0        0 tun0
128.0.0.0       255.255.255.0   128.0.0.0       UG    0      0        0 tun0
Public_ip_of_vpn_server _gateway        255.255.255.255 UGH   0      0        0 wlan0
192.168.20.0    255.255.255.0   255.255.255.0   UG    0      0        0 tun0
192.168.176.0   0.0.0.0         255.255.255.0   U     600    0        0 wlan0
255.255.255.0   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
# For PC2_2
>> cat /etc/openvpn/server/ccd/client2

ifconfig-push 10.8.0.200 255.255.255.0
iroute 192.168.20.0 255.255.255.0
>> route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         255.255.255.0   128.0.0.0       UG    0      0        0 tun0
default         192.168.20.1    0.0.0.0         UG    202    0        0 eth0
10.8.0.0        255.255.255.0   255.255.255.0   UG    0      0        0 tun0
128.0.0.0       255.255.255.0   128.0.0.0       UG    0      0        0 tun0
Public_ip_of_vpn_server 192.168.20.1    255.255.255.255 UGH   0      0        0 eth0
192.168.20.0    0.0.0.0         255.255.255.0   U     202    0        0 eth0
192.168.176.0   255.255.255.0   255.255.255.0   UG    0      0        0 tun0
255.255.255.0   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
In conclusion, I want to connect to a computer behind the LAN of a VPN client.
Thanks for your help
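Added illustration, not part of pk23's post: a small Python longest-prefix-match lookup over PC3_1's `route` output quoted above. It shows that 192.168.20.5 is already routed via tun0 (the 192.168.20.0/24 route beats the redirect-gateway 0.0.0.0/1 and 128.0.0.0/1 halves), while LAN3 hosts stay on wlan0, so the ssh timeout is not a routing problem on the client side. The table text is copied from the post; the Public_ip_of_vpn_server placeholder is left as it appears there and skipped by the parser.

```python
import ipaddress

# Constructed copy of PC3_1's `route` output from the post above (header lines
# dropped); the Public_ip_of_vpn_server placeholder is kept as it appears there.
PC3_1_ROUTES = """\
0.0.0.0         255.255.255.0   128.0.0.0       UG    0      0        0 tun0
default         _gateway        0.0.0.0         UG    600    0        0 wlan0
10.8.0.0        255.255.255.0   255.255.255.0   UG    0      0        0 tun0
128.0.0.0       255.255.255.0   128.0.0.0       UG    0      0        0 tun0
Public_ip_of_vpn_server _gateway        255.255.255.255 UGH   0      0        0 wlan0
192.168.20.0    255.255.255.0   255.255.255.0   UG    0      0        0 tun0
192.168.176.0   0.0.0.0         255.255.255.0   U     600    0        0 wlan0
255.255.255.0   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
"""


def parse_route_table(text):
    """Turn net-tools `route` lines into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue  # header or blank line
        dest, gateway, mask, iface = fields[0], fields[1], fields[2], fields[-1]
        if dest == "default":
            dest = "0.0.0.0"
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        except ValueError:
            continue  # unparsable placeholder such as Public_ip_of_vpn_server
        routes.append((net, gateway, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does it; returns (network, gateway, iface)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gateway, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return best


if __name__ == "__main__":
    table = parse_route_table(PC3_1_ROUTES)
    for host in ("192.168.20.5", "192.168.176.30", "8.8.8.8"):
        net, gateway, iface = lookup(table, host)
        print(f"{host:15} -> {str(net):15} via {gateway:15} dev {iface}")
```

The 255.255.255.0 shown as the gateway of the tun0 routes is what you get when the server runs the default net30 topology (server.conf has no `topology subnet`), where the second argument of `ifconfig-push` is read as the peer endpoint rather than a netmask; forwarding still works here because of the /32 host route to 255.255.255.0 on tun0.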

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: My VPN client can't connect to another VPN client's LAN via ssh

Post by openvpn_inc » Sun Mar 20, 2022 1:59 pm

Hi pk,

Search the forum for "clientlan" and you will find several places where I have answered this.

regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

pk23
OpenVpn Newbie
Posts: 4
Joined: Thu Mar 10, 2022 12:30 pm

Re: My VPN client can't connect to another VPN client's LAN via ssh

Post by pk23 » Wed Mar 23, 2022 3:11 pm

Hi rob0,
No, I have seen your answers.
But ping is not my problem; I can ping all machines behind the client VPN LAN. My problem is that I can't connect by ssh.

pk23
OpenVpn Newbie
Posts: 4
Joined: Thu Mar 10, 2022 12:30 pm

Re: My VPN client can't connect to another VPN client's LAN via ssh

Post by pk23 » Wed Mar 23, 2022 3:32 pm

The answer is:
ssh: connect to host 192.168.1.42 port 22: Connection timed out
where 192.168.1.42 is one machine on the client LAN

pk23
OpenVpn Newbie
Posts: 4
Joined: Thu Mar 10, 2022 12:30 pm

Re: My VPN client can't connect to another VPN client's LAN via ssh

Post by pk23 » Thu Mar 24, 2022 1:46 pm

OK, I have solved it.
My problem was that ufw was enabled on my client machine on the LAN.
I have disabled it:

sudo ufw disable