Can access client through access server, but the client cannot connect to external hosts

Mythoclast
OpenVpn Newbie
Posts: 1
Joined: Tue Aug 02, 2022 8:29 pm

Can access client through access server, but the client cannot connect to external hosts

Post by Mythoclast » Tue Aug 02, 2022 8:48 pm

I would like to access my client via SSH through my access server. Therefore, I forward port 667 on my access server's WAN IP to port 22 of my client's VPN IP. However, the connection times out, with the packets not arriving on the client's end. If I enable routing on the access server and pass 0.0.0.0/0 to "Specify the private subnets to which all clients should be given access (one per line):", I can access my client just fine. However, now my client cannot access external hosts (e.g. ping 8.8.8.8 fails). What is the correct way to allow access to my client while maintaining its connectivity to the internet?

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Can access client through access server, but the client cannot connect to external hosts

Post by openvpn_inc » Fri Aug 05, 2022 3:38 pm

Hi,

If you want traffic to go in two directions and be initiated from either side, you'll have to set things up to use Routing. With Routing, there is no address translation. That means traffic coming from a VPN client in the VPN client subnet gets forwarded as-is onto the target private network behind the Access Server. This target network then must be made aware of where this VPN client subnet can be reached. This is done by adding a static route either in the default gateway of the target private network or in the operating system of the particular server you are trying to reach. The static route should point to the private IP address of the OpenVPN Access Server in the private network.

Change from NAT to routing
Go to VPN Settings, "Should VPN clients have access to private subnets", and set the option to "Yes, using routing (advanced)" instead.
Switch the "Allow access from these private subnets to all VPN client IP addresses and subnets" option to Yes. If you want to route internet traffic through the VPN, just switch the "Should client Internet traffic be routed through the VPN?" option to Yes.
Then save settings and update running servers. That completes the configuration from the Access Server side. You may notice that if you try the connection now it may appear to fail. It only appears to, because most likely the traffic now is actually making it from the VPN clients to a target in the private network just fine, but the target network may not have a clue how to respond to traffic coming from a subnet (the VPN client subnet) that is unknown to it.

To make things work properly again now you have to look up the static route table in the default gateway system in your private network. If your VPN client subnet is for example 172.18.208.0/24, and your OpenVPN Access Server installation is at IP address 10.100.1.4 then add this static route:

Network 172.18.208.0 with subnet mask 255.255.255.0 to go through gateway 10.100.1.4
Now traffic should find its way in both directions. From the VPN client subnet to the private network, and from the private network to the VPN client subnet. Two-way traffic is now possible in routing mode, and access can be initiated from either side.

Regards,
.\kionci
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
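Added example (not part of the thread, and not OpenVPN Inc. code) that models the route lookup the answer above describes. It uses the post's values (VPN client subnet 172.18.208.0/24, Access Server private IP 10.100.1.4) and assumes a private LAN of 10.100.1.0/24 and an ISP next hop of 203.0.113.1 for the gateway's default route. It shows why NAT mode works for client-initiated traffic without any extra route, why routing mode "appears to fail" until the gateway learns the VPN client subnet, and what the static route changes; the `ip route add` line is the iproute2 equivalent for a Linux gateway.

```python
import ipaddress

# Values taken from the answer in the thread.
VPN_CLIENT_SUBNET = "172.18.208.0/24"
ACCESS_SERVER_PRIVATE_IP = "10.100.1.4"

# Assumptions for this example only: the private LAN prefix and the ISP next hop.
PRIVATE_LAN = "10.100.1.0/24"
ISP_NEXT_HOP = "203.0.113.1"

# Constructed route table for the private network's default gateway.
# Each entry is (prefix, next_hop); next_hop None means "directly connected".
GATEWAY_ROUTES_BEFORE = [
    (PRIVATE_LAN, None),
    ("0.0.0.0/0", ISP_NEXT_HOP),
]


def longest_prefix_match(routes, destination):
    """Pick the most specific route covering `destination`, as a router does.

    Returns (network, next_hop) or None when nothing matches.
    """
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def reply_next_hop(routes, source_ip):
    """Where the gateway sends the reply to a packet whose source was `source_ip`.

    Returns the next-hop address, "connected" for an on-link destination,
    or "unroutable" when no route covers it.
    """
    match = longest_prefix_match(routes, source_ip)
    if match is None:
        return "unroutable"
    return match[1] if match[1] is not None else "connected"


def add_static_route(routes, prefix, next_hop):
    """Return a new table with the static route from the answer added."""
    return routes + [(prefix, next_hop)]


def linux_route_command(prefix, next_hop):
    """iproute2 command that installs the same static route on a Linux gateway."""
    return f"ip route add {prefix} via {next_hop}"


GATEWAY_ROUTES_AFTER = add_static_route(
    GATEWAY_ROUTES_BEFORE, VPN_CLIENT_SUBNET, ACCESS_SERVER_PRIVATE_IP
)

if __name__ == "__main__":
    client = "172.18.208.10"  # constructed VPN client address

    # NAT mode: the target only ever sees the Access Server's private IP as the
    # source, which is on-link for the gateway, so replies come back without help.
    print("NAT mode, reply to", ACCESS_SERVER_PRIVATE_IP, "->",
          reply_next_hop(GATEWAY_ROUTES_BEFORE, ACCESS_SERVER_PRIVATE_IP))

    # Routing mode without the static route: the reply to the VPN client's real
    # address falls through to the default route and leaves toward the ISP.
    print("Routing mode, no static route, reply to", client, "->",
          reply_next_hop(GATEWAY_ROUTES_BEFORE, client))

    # Routing mode with the static route: the reply is handed to the Access Server.
    print("Routing mode, with static route, reply to", client, "->",
          reply_next_hop(GATEWAY_ROUTES_AFTER, client))

    print("Gateway command:",
          linux_route_command(VPN_CLIENT_SUBNET, ACCESS_SERVER_PRIVATE_IP))
```

The "appears to fail" symptom in the answer corresponds to the second case: the forward packet reaches the target, but the reply is routed to the ISP and never reaches the VPN client subnet, which looks like a timeout from the client side.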
