Connection between VPN clients

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
selectany
OpenVpn Newbie
Posts: 11
Joined: Mon Jul 25, 2011 2:41 pm

Connection between VPN clients

Post by selectany » Sat Jul 30, 2011 9:20 pm

Hello

The problem is that from the client side I can only access the server, not the other clients.

The server is a host on my home LAN (192.168.1.0),
and I have 2 clients on the same network and 1 client over the internet.

The VPN network is 10.8.0.0.

All I want is for all clients in the VPN to be able to access each other.

Here is my server.ovpn:
port 1194
proto tcp
dev tun

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/homeserver.crt
key /etc/openvpn/easy-rsa/keys/homeserver.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
client-to-client
client-config-dir ccd

log-append /var/log/openvpn
status /tmp/vpn.status 10

Here is one of my client.ovpn:
client
remote <MYSERVER> 1194
dev tun
proto tcp
resolv-retry infinite
nobind
persist-key
persist-tun
verb 2
ca ca.crt
cert client.crt
key client.key

I thought that "client-to-client" in server.ovpn was sufficient, but maybe I have to do some routing.
I'm not very familiar with the latter.

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Connection between VPN clients

Post by Mimiko » Sun Jul 31, 2011 4:38 am

Hello.

Does your LAN's server act as a gateway?

In order for the client from the internet to find your local LAN, you have to push the local LAN to that client:

push "route 192.168.1.0 255.255.255.0"

The internet client can be accessed by its tunnel IP: 10.8.0.x

selectany
OpenVpn Newbie
Posts: 11
Joined: Mon Jul 25, 2011 2:41 pm

Re: Connection between VPN clients

Post by selectany » Sun Jul 31, 2011 5:35 am

Mimiko wrote: Hello.

Does your LAN's server act as a gateway?

In order for the client from the internet to find your local LAN, you have to push the local LAN to that client:

push "route 192.168.1.0 255.255.255.0"

The internet client can be accessed by its tunnel IP: 10.8.0.x

No, it doesn't act as a gateway. It is just a host on the LAN. I have a router (192.168.1.1) which is the gateway.

Will the above push statement resolve the problem of the clients accessing each other, including the clients on my LAN? I mean client 192.168.1.11 being able to access 192.168.1.12 through the tunnel IPs (only for testing, of course).

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Connection between VPN clients

Post by Mimiko » Sun Jul 31, 2011 5:47 am

The OpenVPN clients will access each other directly. The client from the internet may be accessed by its tunnel IP.
You don't have to deploy an OpenVPN client on your home LAN computers; they will access clients connected from the internet through the host which runs the OpenVPN server. You will only have to add, on each home computer, a static route for the tunnel network with the gateway set to the host which runs the OpenVPN server.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Connection between VPN clients

Post by maikcat » Sun Jul 31, 2011 8:27 am

hi there,

if your other clients are Windows, try disabling their firewall...

also, if by "clients" you mean other hosts on the OpenVPN server side, you
must do the following:

enable IP forwarding on the OpenVPN server
push the appropriate routes as Mimiko suggests
configure the firewall on the "clients"
set up a static route on them for the 10.8.0.0 network

Michael.
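The four steps above as one script, added here as an example; it is not part of the thread or of maikcat's post. It targets the Linux host that runs the OpenVPN server and assumes (the thread does not say) that the tunnel interface is tun0, the LAN interface is eth0 and the host uses iptables; the networks and the server's LAN address 192.168.1.10 are taken from the thread. By default it only prints the commands (DRY_RUN=1); run it as root with DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example, not from the thread. Server-side plumbing so that LAN hosts which
# are not VPN clients can reach 10.8.0.0/24 through the OpenVPN host.
# Assumed (not stated on the page): tunnel interface tun0, LAN interface eth0,
# iptables on the server host. 192.168.1.10 and the two networks come from the thread.
# DRY_RUN=1 (default) prints the commands instead of running them.
set -e

LAN_NET=${LAN_NET:-192.168.1.0/24}
VPN_NET=${VPN_NET:-10.8.0.0/24}
TUN_IF=${TUN_IF:-tun0}
LAN_IF=${LAN_IF:-eth0}
SERVER_LAN_IP=${SERVER_LAN_IP:-192.168.1.10}
DRY_RUN=${DRY_RUN:-1}

# run CMD ARGS...: print the command when DRY_RUN=1, otherwise execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: without this the kernel drops packets arriving on tun0 that are destined
# for eth0, and vice versa.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# prefix_to_mask N: dotted netmask for a /N prefix (24 -> 255.255.255.0)
prefix_to_mask() {
    m=$(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
    printf '%d.%d.%d.%d\n' $(( (m >> 24) & 255 )) $(( (m >> 16) & 255 )) \
        $(( (m >> 8) & 255 )) $(( m & 255 ))
}

# Step 2 is a server.ovpn line, not a shell command: the directive that tells the
# internet client where the LAN behind the server is.
push_route_line() {
    printf 'push "route %s %s"\n' "${LAN_NET%/*}" "$(prefix_to_mask "${LAN_NET#*/}")"
}

# Step 3, server side: forward only LAN<->VPN traffic. Everything else that reaches
# the FORWARD chain is dropped, so the VPN host does not become a general router.
firewall_rules() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$TUN_IF" -o "$LAN_IF" -s "$VPN_NET" -d "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$TUN_IF" -s "$LAN_NET" -d "$VPN_NET" -j ACCEPT
}

# Step 4: the route every LAN host that is not a VPN client needs (or, once, the
# router) so that replies to 10.8.0.x go to the OpenVPN host, not the default gateway.
lan_host_route() {
    printf 'ip route add %s via %s\n' "$VPN_NET" "$SERVER_LAN_IP"
}

enable_forwarding
firewall_rules
echo "# add to server.ovpn:"
push_route_line
echo "# on each LAN host that is not a VPN client (or on the router):"
lan_host_route
```

Putting the static route on the router instead of on each host works too, but then LAN-to-VPN packets take a detour through the router before reaching the OpenVPN host; putting it on the hosts avoids that. Hosts that are themselves connected as VPN clients get the 10.8.0.0/24 route from OpenVPN and need nothing extra, and, as the thread found, on Windows the firewall profile bound to the TAP adapter still has to allow the inbound traffic.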

selectany
OpenVpn Newbie
Posts: 11
Joined: Mon Jul 25, 2011 2:41 pm

Re: Connection between VPN clients

Post by selectany » Mon Aug 01, 2011 6:49 am

All the tests I have made are within my LAN (192.168.1.0).
router: 192.168.1.1 (dd-wrt)
vpn server: 192.168.1.10 (Arch Linux)
vpn client1: 192.168.1.11 (Windows 7)
vpn client2: 192.168.1.12 (Windows 7)
-------------------------------------------

So I did the following, as you said:

1. Enabled IP forwarding on my vpn server.
2. Added push "route 192.168.1.0 255.255.255.0" to server.ovpn
3. Turned off the firewall on the TAP interface on the client.
4. For the static route I decided to set it on my router instead of on each client. Is that right?

And now I can ping the vpn client from the vpn server. :)

I still haven't tested the client-to-client vpn connection, but I hope it will work now.


But there is a strange thing: if a vpn client is connected to the vpn server, then I can browse the internet but cannot access my router's web interface. As soon as I disconnect it from the vpn server I can access the router's web interface again.

PS: Just to be more precise: when I say "client" I mean client1 (192.168.1.11)

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Connection between VPN clients

Post by Mimiko » Mon Aug 01, 2011 8:35 am

selectany, are you intentionally connecting the LAN computers to the VPN?

push "route 192.168.1.0 255.255.255.0"
will not work for the clients from your LAN; they already have the LAN 192.168.1.0, so OpenVPN decides not to give these clients this route.

Where on the router do you want to set the static route? If you want to access the client connected from the internet, you will have to use the IP it got from the OpenVPN DHCP pool 10.8.0.0. But you don't need to configure this route (10.8.0.0) on the LAN router, because it is automatically configured on each client when it connects to the OpenVPN server.

selectany wrote: And now I can ping the vpn client from the vpn server.

Are you sure the ping goes through the tunnel? I think that, in normal circumstances, on the Linux box with the OpenVPN server the route for 192.168.1.0/24 is not modified, so packets are routed to eth0 directly to the LAN, not through the tunnel. And as I stated before, push "route 192.168.1.0 255.255.255.0" is not applied for clients on the LAN, so for them the routing for 192.168.1.0/24 goes directly to the physical interface, not through the tunnel.

The loss of web access to the router is indeed strange. Some investigation of the routing tables would help. Show the routing tables from the server and the client when the VPN is established.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Connection between VPN clients

Post by janjust » Mon Aug 01, 2011 1:51 pm

when you use 'client-to-client' the clients can see each other on their VPN IPs (e.g. 10.8.0.6 can see 10.8.0.10), NOT on their LAN IPs; to make sure the clients can see each other's LAN IPs you will need to set up much more elaborate routing, AND it may not always work: what should happen if both clients use the same LAN subnet?

selectany
OpenVpn Newbie
Posts: 11
Joined: Mon Jul 25, 2011 2:41 pm

Re: Connection between VPN clients

Post by selectany » Mon Aug 01, 2011 8:43 pm

Well, I think I was not clear.
Sorry, it is my fault.

What I meant was:
---------------------------
server host: LAN IP 192.168.1.10, VPN IP 10.8.0.1
client1 host: LAN IP 192.168.1.11, VPN IP 10.8.0.6
client2 host: LAN IP 192.168.1.12, VPN IP 10.8.0.14
---------------------------
There is another one:
client3 host: LAN IP 192.168.200.44, VPN IP 10.8.0.2 (my office, over the internet)


When I said "ping client from server", I meant pinging client1 from the server host by means of "ping 10.8.0.6".
The latter ping was successful only if I turned off Windows 7's firewall on the TAP interface (public profile) on client1.
I think that 'push "route 192.168.1.0 255.255.255.0"' is needed
because I want the third client, client3, to be able to connect to the VPN.

I used hosts from 192.168.1.0 (my home LAN) because it is convenient to use my home LAN to configure and test the VPN.

Anyway, today I was able to start a remote desktop session initiated from client1 (VPN IP 10.8.0.6), through the VPN server, to client3 (VPN IP 10.8.0.2). Tomorrow I'll try to start a remote desktop session from client3 to client1. For now I have just successfully pinged in this direction.

I use the settings from my post above, but I removed the static route (step 4).
So the real problem was the firewall.

Thanks for the help. :)

PS: The strange thing about accessing my router's web interface remains.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Connection between VPN clients

Post by janjust » Mon Aug 01, 2011 8:48 pm

I'm glad to hear it's working.
Who assigned the 10.8.0.2 address? In your setup this would not normally be assigned by the OpenVPN server; either use

topology subnet

to get linear addressing (so that 10.8.0.2 becomes available), or assign the host a /30 address (e.g. 10.8.0.14).

selectany
OpenVpn Newbie
Posts: 11
Joined: Mon Jul 25, 2011 2:41 pm

Re: Connection between VPN clients

Post by selectany » Mon Aug 01, 2011 9:05 pm

I use static client addresses configured from files in the ccd directory.
The names of these files are the same as the common name (CN) from the crt files.

I suppose that this is the /30 addressing.

For client1:
ifconfig-push 10.8.0.6 10.8.0.5

For client2:
ifconfig-push 10.8.0.14 10.8.0.13

For client3:
ifconfig-push 10.8.0.2 10.8.0.1

There will be a potential client4 with VPN IP 10.8.0.10.

Is "topology subnet" some kind of directive for the config files?

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Connection between VPN clients

Post by Mimiko » Mon Aug 01, 2011 10:16 pm

selectany wrote: I think that 'push "route 192.168.1.0 255.255.255.0"' is needed because I want the third client, client3, to be able to connect to the VPN.

That will only work for client3, which connects from the internet, and only if no interface on client3 is set to 192.168.1.x/24.
Clients send back to the server the network configuration they have, and if the same LAN mask is found (in your case client1 and client2 have interfaces with 192.168.1.x) it is aware of it and doesn't push the route 192.168.1.0 255.255.255.0 to that client. Instead you will see in the server's log:
Fri Jul 22 06:53:48 2011 us=984000 client/a.b.c.d:1114 REMOVE PUSH ROUTE: 'route 192.168.0.0 255.255.255.0'

selectany wrote: Is "topology subnet" some kind of directive for the config files?

Yes. Look in the manual. And topology net30 is used by default, especially for Windows systems.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Connection between VPN clients

Post by janjust » Mon Aug 01, 2011 10:41 pm

selectany wrote: For client3:
ifconfig-push 10.8.0.2 10.8.0.1

you can't do this; this is the IP block used for the VPN server itself. Try using

ifconfig-push 10.8.0.22 10.8.0.21

selectany wrote: Is "topology subnet" some kind of directive for the config files?

yes, read the openvpn 2.1+ manual page.
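The /30 arithmetic behind janjust's objection, as an added example that is not part of the thread: a POSIX shell script that checks an "ifconfig-push CLIENT ENDPOINT" pair against net30 topology for a server running "server 10.8.0.0 255.255.255.0", lists the usable pairs in order, and writes the ccd file named after the certificate CN as selectany does. It assumes the VPN network is a /24 (so only the last octet matters) and that net30 is in effect, which the thread's configs imply (no topology line, OpenVPN 2.1/2.2 era). The function names are mine, not OpenVPN's.

```shell
#!/bin/sh
# Added example, not from the thread. Validates "ifconfig-push CLIENT ENDPOINT"
# pairs for a net30-topology server configured with "server 10.8.0.0 255.255.255.0"
# (net30 is the default topology in OpenVPN 2.1/2.2, which the thread uses).
# In net30 every client owns one /30: the client address is the third address of
# the block and the server-side endpoint the second. Block 0 (10.8.0.0/30) belongs
# to the server itself (.1 = server, .2 = its endpoint), so 10.8.0.2/10.8.0.1 collides.
# Assumption: the VPN network is a /24, so only the last octet has to be checked.
set -e

VPN_PREFIX=${VPN_PREFIX:-10.8.0}

# net30_check CLIENT_IP ENDPOINT_IP: prints a verdict; returns 0 if usable, 1 if not
net30_check() {
    client=$1
    endpoint=$2
    case "$client" in
        "$VPN_PREFIX".*) ;;
        *) echo "bad: $client is not inside $VPN_PREFIX.0/24"; return 1 ;;
    esac
    case "$endpoint" in
        "$VPN_PREFIX".*) ;;
        *) echo "bad: $endpoint is not inside $VPN_PREFIX.0/24"; return 1 ;;
    esac
    c=${client##*.}
    e=${endpoint##*.}
    if [ $((c % 4)) -ne 2 ]; then
        echo "bad: $client is not the client address of a /30 (last octet must be 6, 10, 14, ...)"
        return 1
    fi
    if [ "$e" -ne $((c - 1)) ]; then
        echo "bad: the endpoint for $client must be $VPN_PREFIX.$((c - 1)), not $endpoint"
        return 1
    fi
    if [ $((c / 4)) -eq 0 ]; then
        echo "bad: $VPN_PREFIX.0/30 is the server's own block; $client $endpoint collides with the server"
        return 1
    fi
    echo "ok: $client $endpoint (block $VPN_PREFIX.$((c - 2))/30)"
}

# nth_client_pair N: the Nth usable pair; N=1 -> "10.8.0.6 10.8.0.5". A /24 holds
# 64 /30 blocks, the first is the server's, so 63 client pairs fit.
nth_client_pair() {
    n=$1
    if [ "$n" -lt 1 ] || [ "$n" -gt 63 ]; then
        echo "bad: N must be 1..63" >&2
        return 1
    fi
    printf '%s.%s %s.%s\n' "$VPN_PREFIX" $((4 * n + 2)) "$VPN_PREFIX" $((4 * n + 1))
}

# write_ccd CCD_DIR COMMON_NAME CLIENT_IP ENDPOINT_IP: write the per-client file
# (file name = certificate CN) only when the pair is valid; prints the path
write_ccd() {
    net30_check "$3" "$4" >/dev/null || return 1
    mkdir -p "$1"
    printf 'ifconfig-push %s %s\n' "$3" "$4" > "$1/$2"
    echo "$1/$2"
}

# The pairs from the thread (failures are expected here, so do not abort under set -e)
net30_check 10.8.0.6 10.8.0.5 || true    # client1
net30_check 10.8.0.14 10.8.0.13 || true  # client2
net30_check 10.8.0.2 10.8.0.1 || true    # client3 as first configured
net30_check 10.8.0.22 10.8.0.21 || true  # client3 as corrected
```

The OpenVPN client accepts a colliding pair such as 10.8.0.2/10.8.0.1 without complaint, which is why it "worked" for ping; the damage shows up only in routing, when the server's own endpoint and a client share addresses. With "topology subnet" none of this applies: each client gets a single address and the ccd line becomes "ifconfig-push 10.8.0.22 255.255.255.0".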

selectany
OpenVpn Newbie
Posts: 11
Joined: Mon Jul 25, 2011 2:41 pm

Re: Connection between VPN clients

Post by selectany » Tue Aug 02, 2011 6:51 am

OK, I changed client3's VPN IP to 10.8.0.22, although I had no problems with:

ifconfig-push 10.8.0.2 10.8.0.1

------------------------------------------

What if I want to connect to the vpn server from some client over the internet with LAN IP 192.168.1.x?

Any possible resolutions?

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Connection between VPN clients

Post by Mimiko » Tue Aug 02, 2011 7:17 am

selectany wrote: What if I want to connect to the vpn server from some client over the internet with LAN IP 192.168.1.x?

That client will not have access to the LAN on the server side, but it will be able to access the other clients by the IP address defined in the config file: 10.8.0.x.

selectany wrote: Any possible resolutions?

If a lot of clients have the LAN mask 192.168.1.0, you can use the bridging method.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Connection between VPN clients

Post by janjust » Wed Aug 03, 2011 10:43 am

selectany wrote: OK, I changed client3's VPN IP to 10.8.0.22, although I had no problems with:
ifconfig-push 10.8.0.2 10.8.0.1

the openvpn client will accept this alright, but routing will be screwed up.

selectany wrote: What if I want to connect to the vpn server from some client over the internet with LAN IP 192.168.1.x? Any possible resolutions?

the LAN IP of the client has little effect on the VPN, as long as your VPN IP range does not overlap with the IP range of your clients. This is why it is best to avoid using 192.168.0.0/24 or 192.168.1.0/24 for the VPN IP range. In your setup you are using 10.8.0.0/24, which should be fine.
