Adding route on OpenVPN server side to connect VPN Clients to the internal LAN


Moderators: TinCanTech

xMRi
OpenVpn Newbie
Posts: 7
Joined: Tue Aug 02, 2022 12:38 pm

Adding route on OpenVPN server side to connect VPN Clients to the internal LAN

Post by xMRi » Wed Aug 03, 2022 3:24 pm

I am using a Windows Server 2019.

I have an OpenVPN Server listening a NIC with IP 192.16.2.10 (Subnet 255.255.255.0). Connected to the Fritz!Box Router. The router is configured to forward UDP port 1194 to the appropriate NIC.

The internal LAN has a different NIC with IP 192.168.16.205 (Subnet 255.255.255.0).

I can connect from extern to the OpenVPN Server and I get a successful connection.

But the Ping from the external VPN Client to another server in the local net (for example the DNS server 192.168.16.201) fail.

I am stuck on the documentation https://community.openvpn.net/openvpn/w ... rversubnet telling me that I have to do nothing, because I use `dev tap`:
Make sure that you've enabled IP and TUN/TAP forwarding on the OpenVPN server machine.

Including multiple machines on the server side when using a bridged VPN (dev tap) One of the benefits of using ethernet bridging is that you get this for free without needing any additional configuration.
All firewalls (Windows firewalls) are turned off. All hints only point to the firewall settings...

- I can't ping any server in my local net 192.168.16.x
- I can't reach any server in my local net 192.168.16.x with RDP.
- DNS doesn't work either. (DNS server at 192.168.16.201)

Any ideas?

Here my server.ovpn file:

Server Config

#################################################
# OpenVPN
#################################################
local 192.168.2.10
port 1194
proto udp
dev tap
topology subnet

#----------------------------------------------
#Zertifikate
#----------------------------------------------
dh "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\dh.pem"
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\issued\\VPNServer-01.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\private\\VPNServer-01.key"

#----------------------------------------------
#Server-Setup
#----------------------------------------------
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist "C:\\Program Files\\OpenVPN\\ipp.txt"
client-to-client

#----------------------------------------------
#Client-Settings (inkl Special Dir) Files - OPTIONAL
#----------------------------------------------
#client-config-dir "C:\\Program Files\\OpenVPN\\ccd"
push "route 192.168.16.0 255.255.255.0"
push "dhcp-option DNS 192.168.16.201"
push "dhcp-option DOMAIN vpn.xyz.loc"

#----------------------------------------------
#Defaults
#----------------------------------------------
keepalive 10 120
persist-key
persist-tun
allow-compression yes
cipher AES-256-GCM
data-ciphers-fallback AES-256-CBC

#----------------------------------------------
# Logging
# ----------------------------------------------
status "C:\\Program Files\\OpenVPN\\log\\openvpn-status.log"
log "C:\\Program Files\\OpenVPN\\log\\openvpn.log"
# log-append "C:\\Program Files\\OpenVPN\\log\\openvpn.log"
verb 3


PS: I use `dev tap` according to the following link; the second answer seems to match my situation:

https://serverfault.com/questions/21157 ... or-openvpn
Last edited by xMRi on Thu Aug 04, 2022 9:03 am, edited 1 time in total.

xMRi
OpenVpn Newbie
Posts: 7
Joined: Tue Aug 02, 2022 12:38 pm

Re: Adding route on OpenVPN server side to connect VPN Clients to the internal LAN

Post by xMRi » Thu Aug 04, 2022 6:04 am

OK I stumbled over server-bridge and the config was changed to use it.

I now get an IP 192.196.16.64 on the client.
But still I don't have name resolution, even though ipconfig /all tells me that the correct DNS server is set up.

Ping doesn't work either.

Server Configuration

#################################################
# OpenVPN
#################################################

local 192.168.2.10
port 1194
proto udp
dev tap
topology subnet

#----------------------------------------------
# Certificates
#----------------------------------------------
dh "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\dh.pem"
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\issued\\VPNServer-01.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\private\\VPNServer-01.key"

#----------------------------------------------
# Server-Setup
# https://openvpn.net/community-resources ... -bridging/
# https://superuser.com/questions/1735151 ... ternal-lan
#----------------------------------------------
# server 10.8.0.0 255.255.255.0
# ifconfig-pool-persist "C:\\Program Files\\OpenVPN\\ipp.txt"
# Allow IPs from 64 to 80 for bridging
server-bridge 192.168.16.205 255.255.255.0 192.168.16.64 192.168.16.80
client-to-client

#----------------------------------------------
# Client-Settings (inkl Special Dir) Files
#----------------------------------------------
# client-config-dir "C:\\Program Files\\OpenVPN\\ccd"
# push "route 192.168.16.0 255.255.255.0"
push "dhcp-option DNS 192.168.16.201"
push "dhcp-option DOMAIN vpn.xyz.loc"

#----------------------------------------------
#Defaults
#----------------------------------------------
keepalive 10 120
persist-key
persist-tun
allow-compression yes
cipher AES-256-GCM
data-ciphers-fallback AES-256-CBC

#----------------------------------------------
# Logging
# ----------------------------------------------
status "C:\\Program Files\\OpenVPN\\log\\openvpn-status.log"
log "C:\\Program Files\\OpenVPN\\log\\openvpn.log"
# log-append "C:\\Program Files\\OpenVPN\\log\\openvpn.log"
verb 3

xMRi
OpenVpn Newbie
Posts: 7
Joined: Tue Aug 02, 2022 12:38 pm

Re: Adding route on OpenVPN server side to connect VPN Clients to the internal LAN

Post by xMRi » Thu Aug 04, 2022 9:48 am

Again, here are the full details of my question:

Configuration:

- Server: Windows Server 2019 Standard
- Server internal network IP is 192.168.16.204
- DNS on 192.168.16.201
- Access to the Internet is done via 192.168.2.10 (Fritz!Box using port forwarding)
- Client: Windows 10
- Firewalls are all off

OpenVPN Server can be successfully connected from the client. Client receives the IP 192.168.16.64 as expected.

Server is configured for
Server

local 192.168.2.10
port 1194
proto udp
dev tap
dev-node OpenVPN-TAP-Bridge
topology subnet
server-bridge 192.168.16.204 255.255.255.0 192.168.16.64 192.168.16.80


As described I bridged the internal network and the TAP adapter and set the IP address of the bridge to the internal server address 192.168.16.205. (see picture below).

But when I ping from the client (IP 192.168.16.64) to an internal IP on the network (192.168.16.170), it doesn't work. DNS doesn't work either. Of course no RDP.

Any idea what to check and what to look for? Wireshark is available on the server, but I have no real experience with it.

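A small consistency check for a dev tap / server-bridge config, added here as an example and not part of the thread or of OpenVPN itself. It parses the relevant directives from the posted server config (embedded below as a constructed sample) and compares the server-bridge gateway against the address the poster says was assigned to the bridge adapter (192.168.16.205, taken from the thread), verifies that the client pool lies inside the bridged subnet, and flags a pushed route for the bridged subnet as redundant, since bridged clients already sit on that subnet.

```python
import ipaddress
import re

# Constructed sample: the bridge-related lines of the posted server config.
SAMPLE_CONF = """
local 192.168.2.10
port 1194
proto udp
dev tap
topology subnet
server-bridge 192.168.16.204 255.255.255.0 192.168.16.64 192.168.16.80
push "route 192.168.16.0 255.255.255.0"
push "dhcp-option DNS 192.168.16.201"
"""

def parse_conf(text):
    # Return ({directive: [args]}, [[push args], ...]); comments are stripped.
    conf, pushes = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip('"') for p in re.findall(r'"[^"]*"|\S+', line)]
        if parts[0] == "push":
            pushes.append(parts[1].split())
        else:
            conf[parts[0]] = parts[1:]
    return conf, pushes

def check_bridge(text, bridge_ip):
    # bridge_ip: address configured on the Windows bridge adapter (assumption).
    conf, pushes = parse_conf(text)
    if "server-bridge" not in conf:
        return ["no server-bridge directive found"]
    findings = []
    if conf.get("dev") != ["tap"]:
        findings.append("server-bridge requires dev tap")
    gw, mask, lo, hi = conf["server-bridge"]
    net = ipaddress.ip_network(f"{gw}/{mask}", strict=False)
    lo_a, hi_a = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
    if ipaddress.ip_address(gw) != ipaddress.ip_address(bridge_ip):
        findings.append(f"server-bridge gateway {gw} differs from bridge adapter IP {bridge_ip}")
    if lo_a not in net or hi_a not in net or lo_a > hi_a:
        findings.append(f"client pool {lo}-{hi} is not inside {net}")
    for p in pushes:
        if p[0] == "route" and ipaddress.ip_network(f"{p[1]}/{p[2]}", strict=False) == net:
            findings.append(f"push route for {net} is redundant on a bridged tap server")
    return findings
```

Run against the sample with bridge_ip "192.168.16.205" it reports both the gateway mismatch and the redundant route; with the gateway corrected and the route line removed it returns an empty list.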
