Client access from the server LAN

KPOTOC_DPR
OpenVpn Newbie
Posts: 3
Joined: Tue Aug 02, 2022 7:14 am

Client access from the server LAN

Post by KPOTOC_DPR » Tue Aug 02, 2022 8:01 am

Good afternoon. I'm sorry for my English.

I really don't understand the global settings of OpenVPN, but I'm familiar with the basic ones.

There is a local network, 192.168.5.0/24.
In this network there is a router (facing the Internet) and a DHCP server, 192.168.5.1/24.
In this network there is a server, 192.168.5.11/24, on which VirtualBox is installed; the guest system is Ubuntu 22.04 (the OpenVPN server), in bridged mode, 192.168.5.51/24.
There are also other network clients, 192.168.5.10/24 and so on.

Since I couldn't configure the OpenVPN server on my own, I used the script, and basically everything works; the VPN network is 10.8.0.0/24.

But my task has a condition that I cannot implement: I need clients of the local network 192.168.5.0/24 to be able to connect to VPN clients that have the address 10.8.0.2/24. The VPN client's LAN address is 192.168.10.0/24; it has its own router and Internet access.

By pinging from the PC 192.168.5.10, I was able to reach 10.8.0.1 (the OpenVPN server), but not 10.8.0.2.
After I added the route 10.8.0.0/24 via 192.168.5.51 on the router, I was able to ping 10.8.0.2.

It turned out that LAN clients can ping VPN clients, but at the same time I can't connect via Samba to //10.8.0.2/C$ (it is //192.168.10.16/C$).

Accordingly, the clients of the network 192.168.5.0 do not know about the existence of the remote network 192.168.10.0, so //192.168.10.16/C$ also does not work, and there is no ping to 192.168.10.16.

In order to have access from the VPN server to the VPN client, I temporarily disable the firewall of the Windows client completely.

As far as I understand, we need a route on the server, 192.168.10.0/24 dev tun0, which is not there.

Maybe there is some parameter in the script itself, with which I create the OpenVPN server, or in the configuration of the server itself, which does not allow me to make such a connection?

I also looked at the script itself, and as I understand it, a non-standard iptables setup is specified in it.

I did not configure iptables and routing on the OpenVPN server or in Ubuntu itself myself.

There is also a file that I learned about after studying the script; the file is located at /etc/systemd/system/openvpn-iptables.service

server.conf

local 192.168.5.51
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 192.168.5.1"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem
explicit-exit-notify
Last edited by KPOTOC_DPR on Tue Aug 02, 2022 9:40 am, edited 1 time in total.

KPOTOC_DPR
OpenVpn Newbie
Posts: 3
Joined: Tue Aug 02, 2022 7:14 am

Re: Client access from the server LAN

Post by KPOTOC_DPR » Tue Aug 02, 2022 9:23 am

client.ovpn

client
dev tun
proto udp
remote my.ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3

KPOTOC_DPR
OpenVpn Newbie
Posts: 3
Joined: Tue Aug 02, 2022 7:14 am

Re: Client access from the server LAN

Post by KPOTOC_DPR » Tue Aug 02, 2022 9:39 am

$ ip r
default via 192.168.5.1 dev enp0s3 proto dhcp metric 20100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
169.254.0.0/16 dev enp0s3 scope link metric 1000
192.168.5.0/24 dev enp0s3 proto kernel scope link src 192.168.5.51 metric 100

$ ifconfig
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.5.51 netmask 255.255.255.0 broadcast 192.168.5.255
inet6 fe80::ba21:5547:e8b4:bd1c prefixlen 64 scopeid 0x20<link>
ether 08:00:27:98:bd:3d txqueuelen 1000 (Ethernet)
RX packets 989 bytes 131290 (131.2 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 405 bytes 49759 (49.7 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: ...

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.0 destination 10.8.0.1
inet6 fe80::822c:cc15:8862:653b prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 6 bytes 392 (392.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 11 bytes 1200 (1.2 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

nano /etc/systemd/system/openvpn-iptables.service
[Unit]
Before=network.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 192.168.5.51
ExecStart=/usr/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT
ExecStart=/usr/sbin/iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStart=/usr/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/usr/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 192.168.5.51
ExecStop=/usr/sbin/iptables -D INPUT -p udp --dport 1194 -j ACCEPT
ExecStop=/usr/sbin/iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStop=/usr/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
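
Putting together the pieces the three posts above ask about (the missing 192.168.10.0/24 route on the server, which client owns that network, the FORWARD rules the script's unit file does not cover, and the second static route on the LAN router), here is an added example; it is not code from the thread or from the install script. It assumes a certificate CN of site-b for the client at 10.8.0.2 and the server config directory /etc/openvpn/server, neither of which the thread states. Run it with no argument to preview the generated files in a temporary directory; `apply` writes them into the config directory, must run as root, and has to be followed by a restart of the server instance.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or the install script: generate the
# server-side pieces that let the 192.168.5.0/24 LAN reach the client's
# 192.168.10.0/24, plus a check that 'route' and 'iroute' agree.
# Assumptions (nothing in the thread states them): the client at 10.8.0.2 has
# certificate CN "site-b", the server config lives in /etc/openvpn/server,
# and the LAN router 192.168.5.1 accepts static routes.
set -eu

OPENVPN_DIR="${OPENVPN_DIR:-/etc/openvpn/server}"   # assumed location
CLIENT_CN="${CLIENT_CN:-site-b}"                    # assumed CN of the 10.8.0.2 client
VPN_NET="10.8.0.0/24"
SERVER_LAN="192.168.5.0/24"
SERVER_LAN_IP="192.168.5.51"
CLIENT_LAN="192.168.10.0/24"
CLIENT_LAN_NET="192.168.10.0"
CLIENT_LAN_MASK="255.255.255.0"

# Lines for server.conf. 'route' makes OpenVPN install the kernel route
# 192.168.10.0/24 -> tun0 at start-up (before 'user nobody' drops privileges);
# 'client-config-dir' enables the per-client file with the matching 'iroute'.
server_conf_additions() {
    printf 'route %s %s\n' "$CLIENT_LAN_NET" "$CLIENT_LAN_MASK"
    printf 'client-config-dir %s/ccd\n' "$OPENVPN_DIR"
}

# Per-client file ccd/<CN>. 'iroute' is OpenVPN's internal routing table, not
# the kernel's: it tells the daemon which client owns 192.168.10.0/24. Without
# it the kernel hands packets to tun0 but no client claims the destination,
# and replies sourced from 192.168.10.x are dropped as "bad source address".
ccd_entry() {
    printf 'iroute %s %s\n' "$CLIENT_LAN_NET" "$CLIENT_LAN_MASK"
}

# Firewall additions. The install script's unit only accepts FORWARD traffic
# sourced from 10.8.0.0/24 (plus RELATED,ESTABLISHED), so new connections from
# the server LAN into the tunnel, and packets sourced from the client's LAN,
# need their own ACCEPT rules. Printed, not executed, so they can be reviewed
# or copied into the unit file.
iptables_rules() {
    printf 'iptables -I FORWARD -s %s -d %s -j ACCEPT\n' "$SERVER_LAN" "$VPN_NET"
    printf 'iptables -I FORWARD -s %s -d %s -j ACCEPT\n' "$SERVER_LAN" "$CLIENT_LAN"
    printf 'iptables -I FORWARD -s %s -d %s -j ACCEPT\n' "$CLIENT_LAN" "$SERVER_LAN"
}

# Static routes for the LAN router 192.168.5.1: the thread already has the
# first one; the second is what lets 192.168.5.10 find 192.168.10.16.
router_routes() {
    printf '%s via %s\n' "$VPN_NET" "$SERVER_LAN_IP"
    printf '%s via %s\n' "$CLIENT_LAN" "$SERVER_LAN_IP"
}

# Write the files under DEST (a scratch dir to preview, $OPENVPN_DIR for real).
# The ccd dir and file must stay readable by 'nobody' because OpenVPN reads
# ccd/<CN> on each connect, after it has dropped privileges.
write_config() {
    dest="$1"
    mkdir -p "$dest/ccd"
    grep -qs '^client-config-dir ' "$dest/server.conf" ||
        server_conf_additions >> "$dest/server.conf"
    ccd_entry > "$dest/ccd/$CLIENT_CN"
    chmod 0755 "$dest/ccd"
    chmod 0644 "$dest/ccd/$CLIENT_CN"
}

# Every 'route' in server.conf that points at a client LAN needs an 'iroute'
# with the same network and mask in some ccd file. Returns 1 and names the
# offending network otherwise.
check_iroute_pairing() {
    dest="$1"; status=0
    while read -r kw net mask; do
        [ -n "$net" ] || continue
        grep -qs "^iroute $net $mask" "$dest"/ccd/* ||
            { echo "missing iroute for $net $mask" >&2; status=1; }
    done <<EOF
$(grep -s '^route ' "$dest/server.conf" || true)
EOF
    return "$status"
}

case "${1:-preview}" in
    preview)
        d="$(mktemp -d)"
        write_config "$d"
        check_iroute_pairing "$d"
        echo "# server.conf additions:";     cat "$d/server.conf"
        echo "# ccd/$CLIENT_CN:";            cat "$d/ccd/$CLIENT_CN"
        echo "# firewall rules:";            iptables_rules
        echo "# routes for the LAN router:"; router_routes
        rm -rf "$d" ;;
    apply)  # run as root, then restart the OpenVPN server instance
        write_config "$OPENVPN_DIR"
        check_iroute_pairing "$OPENVPN_DIR" ;;
esac
```

Two things this does not change. Because the server pushes `redirect-gateway def1`, the client already sends traffic for 192.168.5.0/24 through the tunnel, so no extra `push "route ..."` is needed for the return path. Whether 192.168.10.16 then answers on its LAN address through the tunnel depends on the Windows host as well: by default it drops packets that arrive on one interface for an address bound to another (strong host model), so either IP forwarding or weak host receive has to be enabled on it; forwarding is also required for any other host on 192.168.10.0/24, together with a route back to 192.168.5.0/24 and 10.8.0.0/24 on that LAN's router.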
