Accessing LAN resources when OpenVPN is not LAN's GW

Post by Mimiko » Sun Dec 25, 2011 4:49 pm

The scope of this tutorial is to give some hints on accessing OpenVPN's LAN resources when the OpenVPN software is not the default gateway of the local network, i.e. OpenVPN is installed on some computer/server and not on the router.

The concept
Every computer, when sending a packet to some address, needs to know where to send it. In modern systems this is done by having a routing table, in which every line indicates where to send a specific packet. A routing line consists of a destination network, a netmask to delimit the network bits, the gateway, i.e. the remote IP which will handle the packet, and the interface name (or IP) through which the packet will be sent. There are default routes in the routing table, which indicate where to send packets destined for the host's own interface, for the loopback destination, for the local LAN computers, and a default route for packets which do not meet the other criteria. The default route is defined with zeroes, i.e. network 0.0.0.0 and netmask 0.0.0.0, and as the gateway IP it has some local router's IP, or the ISP's gateway's IP. This rule is called the general or default route. If the computer needs to send a packet that is not covered by a more specific rule, it is sent to the default GW as specified in the default rule.

It often happens that new OpenVPN users who start joining remote sites successfully install OpenVPN and configure firewall and iptables rules, but still have problems accessing remote resources.

Suppose we set up OpenVPN on some other computer in the LAN. The VPN's IPs and the remote site's LAN IPs are not known to the LAN hosts, i.e. there is no entry in the routing table which specifies where to send the packets for those networks. So the hosts will send the packets to the default gateway of the LAN, which (by default in networking) will drop these packets, as the gateway also does not know what to do with packets for such destinations. For this tutorial we will use this kind of configuration:

Site A
Local network is 192.168.0.0/255.255.255.0.
Default gateway has IP 192.168.0.1 (the common configuration).
IP of the host running OpenVPN is 192.168.0.A, where A may be any from 2 to 254.
The hosts have IPs like 192.168.0.x, where x is 2 to 254 and different from A (the OpenVPN's host's IP).

Site B
Local network is 192.168.1.0/255.255.255.0.
Default gateway has IP 192.168.1.1 (the common configuration).
IP of the host running OpenVPN is 192.168.1.B, where B may be any from 2 to 254.
The hosts have IPs like 192.168.1.x, where x is 2 to 254 and different from B (the OpenVPN's host's IP).

The VPN IPs are from 10.8.0.0/255.255.255.0.

In discussing this matter it is not important which site is server or client, and what IPs the TAP interfaces get. To resolve this routing issue there are 4 methods:

Method 1
Obvious as it is, move the OpenVPN software to the LAN's default gateway. Although there are situations where this is not possible (a simple router which can't run OpenVPN), this method is the best for future expansion, as adding more remote sites will not involve returning to the routing issues.

Method 2
Adding a static route for the remote network to every host's routing table. On every host we have to add a route like this:

Code:

route add <remote_network> mask <remote_netmask> gw <openvpn_host_ip>
For example, on every host from site A we have to add two routes:

Code:

route add 192.168.1.0 mask 255.255.255.0 gw 192.168.0.A
route add 10.8.0.0 mask 255.255.255.0 gw 192.168.0.A
The route for VPN network 10.8.0.0 can be omitted, but it is not recommended.

The same way we add routes on Site B, to show the hosts where to route the packets for the remote site:

Code:

route add 192.168.0.0 mask 255.255.255.0 gw 192.168.1.B
route add 10.8.0.0 mask 255.255.255.0 gw 192.168.1.B
If there is a 3rd site, we must add another route for the new remote network in the same way.

The routes have to be added on the LAN's default gateways too. Although it seems that many routers are able to return responses back without adding routes for the remote networks.

Method 3
This method implies adding the same routes as in method 2, only on the LAN's default gateway. So the redirecting will be handled by the router and we don't need to add routes on every host. Of course, this is possible if the router permits modifying the routing table and iptables.
As in method 2, on the default router we add routes to remote sites:

Code:

route add <remote_network> mask <remote_netmask> gw <openvpn_host_ip>
For example, on the default gateway of site A with IP 192.168.0.1 we have to add two routes:

Code:

route add 192.168.1.0 mask 255.255.255.0 gw 192.168.0.A
route add 10.8.0.0 mask 255.255.255.0 gw 192.168.0.A
But this will only show the gateway where to send packets originating from itself. We also need to show how to route packets for the remote site from local hosts. For this we have to add a rule to the router's iptables which will tell that all packets incoming from the LAN interface and destined for the remote site network must be redirected to the OpenVPN host. Most routers which support wider customization are able to use the Unix-like command "iptables". So, we use an iptables rule like this:

Code:

iptables -A PREROUTING -t mangle -i <LAN_interface> -d <remote_network>/<remote_netmask> -j ROUTE --gw <openvpn_host_ip>
For example, on the default router of site A we will add:

Code:

iptables -A PREROUTING -t mangle -i <LAN_interface> -d 192.168.1.0/255.255.255.0 -j ROUTE --gw 192.168.0.A
iptables -A PREROUTING -t mangle -i <LAN_interface> -d 10.8.0.0/255.255.255.0 -j ROUTE --gw 192.168.0.A
The same way we add rules on the default router of site B.

If we add a 3rd site, then we will have to add to the other sites a route to the 3rd site network in the same way.

Method 4
We will do masquerading. This way we will masquerade all packets from the remote network and the tunnel itself to the OpenVPN host's local IP, so every host on the LAN will believe that the packets are coming from the OpenVPN host, so they will return packets to that IP.

If the OpenVPN host is set up on a Unix system, then we just use "iptables". For Windows systems we will have to search for and install a simple (and free, if we are lucky) forwarding and NAT software. So, the iptables rule will be very simple:

Code:

iptables -t nat -A POSTROUTING -o <local_lan_interface_name> -j MASQUERADE
That's it. Add it on every OpenVPN host on every site.


But remember, all these methods will work if we enable forwarding on the computer which will run the OpenVPN software. To check forwarding on Unix systems, see the output of

Code:

cat /proc/sys/net/ipv4/ip_forward
If the response is "0" then forwarding is not enabled; if the response is "1" then forwarding is enabled. To enable forwarding execute

Code:

echo 1 > /proc/sys/net/ipv4/ip_forward
or add to /etc/sysctl.conf the line

Code:

net.ipv4.ip_forward = 1
By default, in Windows systems forwarding is disabled, even in server versions. To enable forwarding in Windows XP/2003 we need to add, under the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" registry key, an entry with name "IPEnableRouter", type "REG_DWORD" and value of "1". All without quotes. For Windows 2008/7, from an elevated command prompt run the command

Code:

netsh interface ipv4 set int "[name of the NIC]" forwarding=enabled
where "name of the NIC" is the local LAN interface name, and the OpenVPN interface name.


The next thing we must check is the iptables rules to allow incoming and forwarded packets. In Windows, disable the firewall on the TUN interface; also, in Windows Vista and more recent versions, set the TUN interface to Work or Home type. In Linux add a rule to accept incoming packets from the TUN adapter:

Code:

iptables -A INPUT -i tun+ -j ACCEPT
and allow forwarding:

Code:

iptables -A FORWARD -i tun+ -o <local_lan_interface_name> -j ACCEPT
iptables -A FORWARD -i <local_lan_interface_name> -o tun+ -j ACCEPT
And don't forget about OpenVPN's internal routing. In the server's config file we push the route to the server's LAN to the clients with

Code:

push "route <local_lan_network> <local_lan_netmask>"
Also, in the same way we will push the route for every remote site LAN to other clients

Code:

push "route <remote_lan_network> <remote_lan_netmask>"
This is needed when connecting more sites.
We have to tell the OpenVPN server where to route packets for the client's LAN with the

Code:

route <remote_lan_network> <remote_lan_netmask>
And of course create a ccd file named like the common name of the client's certificate and write in it

Code:

iroute <remote_lan_network> <remote_lan_netmask>
In our example, the OpenVPN server config (if it is on site A) will contain:

Code:

push "route 192.168.0.0 255.255.255.0"
route 192.168.1.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0" # This line will be pushed only to other clients, not to the site B client.
The site B's ccd file will contain

Code:

iroute 192.168.1.0 255.255.255.0

This covers most of the configuration needed to enable hosts and devices from one site to reach hosts and devices on the other site, considering that target hosts have their firewalls disabled or are configured to accept incoming packets.

Related reading: topic98.html
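
A consistency check for the `route` / `push "route"` / `iroute` wiring described at the end of the tutorial, as an added example that is not part of the original post or of OpenVPN itself. The sample input is constructed from the tutorial's site A values; the `client-config-dir ccd` line, the ccd file name `siteB` and all function names are assumptions.

```python
import ipaddress
import re

# Constructed sample input: the tutorial's site A server config and site B ccd file.
# Assumptions: the client-config-dir line and the ccd file name "siteB".
SERVER_CONF = '''
client-config-dir ccd
push "route 192.168.0.0 255.255.255.0"
route 192.168.1.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"  # pushed to other clients only
'''
CCD_FILES = {"siteB": "iroute 192.168.1.0 255.255.255.0\n"}

# Constructed broken variant: a host address pushed with a /24 mask, no kernel
# route for the client's LAN, and client-config-dir never enabled.
BROKEN_CONF = 'push "route 192.168.0.1 255.255.255.0"\n'

_ROUTE = re.compile(r'^(push\s+"route|route|iroute)\s+(\S+)\s+([\d.]+)"?$')


def parse_routes(text):
    """Yield (kind, network, mask) for route, push "route" and iroute lines.

    Only the "<network> <netmask>" form is handled; comments are skipped.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        m = _ROUTE.match(line)
        if m:
            kind = "push" if m.group(1).startswith("push") else m.group(1)
            yield kind, m.group(2), m.group(3)


def to_network(net, mask):
    """Return an IPv4Network, or None if the address is invalid or has host bits set."""
    try:
        return ipaddress.ip_network(f"{net}/{mask}", strict=True)
    except ValueError:
        return None


def has_directive(text, name):
    """True if an uncommented line starts with the given directive."""
    return any(l.split("#", 1)[0].split()[:1] == [name] for l in text.splitlines())


def lint(server_conf, ccd_files):
    """Return a list of (source, code, detail) findings; empty means consistent."""
    findings, kernel_routes, saw_iroute = [], [], False
    for kind, net, mask in parse_routes(server_conf):
        network = to_network(net, mask)
        if network is None:
            findings.append(("server", "not-a-network", f"{kind} {net} {mask}"))
        elif kind == "route":
            kernel_routes.append(network)
    for cn, text in sorted(ccd_files.items()):
        for kind, net, mask in parse_routes(text):
            if kind != "iroute":
                continue
            saw_iroute = True
            network = to_network(net, mask)
            if network is None:
                findings.append((cn, "not-a-network", f"iroute {net} {mask}"))
            elif not any(network.subnet_of(r) for r in kernel_routes):
                # iroute tells OpenVPN which client owns the LAN; without a
                # matching "route" the server's kernel never sends it to the tunnel.
                findings.append((cn, "iroute-without-route", str(network)))
    if saw_iroute and not has_directive(server_conf, "client-config-dir"):
        findings.append(("server", "ccd-not-enabled", "client-config-dir missing"))
    return findings


if __name__ == "__main__":
    print("tutorial config:", lint(SERVER_CONF, CCD_FILES))
    for finding in lint(BROKEN_CONF, CCD_FILES):
        print("broken config:", finding)
```
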

Re: [Draft] Accessing LAN resources when OpenVPN is not LAN'

Post by mozart » Wed Feb 22, 2012 7:13 pm

I don't understand what to do here:

Code:

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface.  Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0.  Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients.  Leave this line commented
# out unless you are ethernet bridging.
server-bridge 192.168.1.250 255.255.255.0 10.10.10.100 10.10.10.215
That obviously won't work because the address of br0 does not match the iprange that I am trying to give out to my clients.
Mimiko wrote: And don't forget about OpenVPN's internal routing. In the server's config file we push the route to the server's LAN to the clients with

Code:

push "route <local_lan_network> <local_lan_netmask>"
Also, in the same way we will push the route for every remote site LAN to other clients

Code:

push "route <remote_lan_network> <remote_lan_netmask>"
This is needed when connecting more sites.
We have to tell the OpenVPN server where to route packets for the client's LAN with the

Code:

route <remote_lan_network> <remote_lan_netmask>
And of course create a ccd file named like the common name of the client's certificate and write in it

Code:

iroute <remote_lan_network> <remote_lan_netmask>
In our example, the OpenVPN server config (if it is on site A) will contain:

Code:

push "route 192.168.0.0 255.255.255.0"
route 192.168.1.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0" # This line will be pushed only to other clients, not to the site B client.
The site B's ccd file will contain

Code:

iroute 192.168.1.0 255.255.255.0
I am good up to the point above. I don't understand what to put into my OpenVPN config file given your examples above.

Here is a copy of my config:

Code:

#################################################
# Sample OpenVPN 2.0 config file for            #
# multi-client server.                          #
#                                               #
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# OpenVPN also supports                         #
# single-machine <-> single-machine             #
# configurations (See the Examples page         #
# on the web site for more info).               #
#                                               #
# This config should work on Windows            #
# or Linux/BSD systems.  Remember on            #
# Windows to quote pathnames and use            #
# double backslashes, e.g.:                     #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################

# Which local IP address should OpenVPN
# listen on? (optional)
;local 192.168.1.250

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one.  You will need to
# open up this port on your firewall.
port 1194

# TCP or UDP server?
;proto tcp
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tap0
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one.  On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).  Each client
# and the server must have their own cert and
# key file.  The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys.  Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys. 
dh dh1024.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
;server 10.8.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file.  If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface.  Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0.  Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients.  Leave this line commented
# out unless you are ethernet bridging.
server-bridge 192.168.1.250 255.255.255.0 10.10.10.100 10.10.10.215

# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses.  You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge

# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 192.168.1.1 255.255.255.0"
push "route 10.10.10.100 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN.  This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients.  There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
#     group, and firewall the TUN/TAP interface
#     for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
#     modify the firewall in response to access
#     from different clients.  See man
#     page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names.  This is recommended
# only for testing purposes.  For production use,
# each client should have its own certificate/key
# pair.

# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.  Use one
# or the other (but not both).
;log         openvpn.log
;log-append  openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20

Re: [Draft] Accessing LAN resources when OpenVPN is not LAN'

Post by Mimiko » Wed Feb 22, 2012 9:56 pm

mozart wrote: I don't understand what to do here:

Code:

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface.  Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0.  Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients.  Leave this line commented
# out unless you are ethernet bridging.
server-bridge 192.168.1.250 255.255.255.0 10.10.10.100 10.10.10.215
That obviously won't work because the address of br0 does not match the iprange that I am trying to give out to my clients.

I am good up to the point above. I don't understand what to put into my OpenVPN config file given your examples above.
This tutorial does not address understanding the server or server-bridge options. You must clearly understand the configuration options prior to using extended VPN functionality. That said, you must first create a bridge of two or more interfaces, then assign an IP address from the network you are using, then set server-bridge with the IP address you assigned, followed by the mask and an IP address pool from the same netmask, like using on the same switch.

Anyway, your question does not address the things written in the first post.

Re: [Draft] Accessing LAN resources when OpenVPN is not LAN'

Post by mozart » Wed Feb 22, 2012 10:01 pm

I see where my mistake is. Thank you. I am only using the one bridge interface.

Re: [Draft] Accessing LAN resources when OpenVPN is not LAN'

Post by mozart » Wed Feb 22, 2012 10:05 pm

And my apologies if it seems that my question does not address the initial message but it does. I will follow your instructions again once I have the interfaces bridged correctly. My error initially was contributing to the latter problem.

Re: Accessing LAN resources when OpenVPN is not LAN's GW

Post by albertoopenvpn » Sun Mar 24, 2013 6:14 pm

Good morning,

My problem is the same.

IP of the OpenVPN server: 192.168.0.221

I must reach from the OpenVPN client a remote host on the same subnet as the OpenVPN server (your ip is 192.168.0.25) but with a different gateway (192.168.0.1).

(If I change the gateway of this host to 192.168.0.221 I can reach it successfully, but I cannot change it.)

Can a static route be a resolution for my problem?

Can I have an example?

thanks Albertro

Re: Accessing LAN resources when OpenVPN is not LAN's GW

Post by Blisk » Mon Jul 15, 2013 4:20 pm

I have everything as it is described in the first post as an example.
I tried everything but still can't ping anything in the local network behind the VPN.
Also I don't want to add some extra routing on the client; I hope I can do that in the client.conf file or on the firewall on the VPN server.
And unfortunately there is not even one guide which I can use to make the VPN work so that the local network is accessible for a client connected to the VPN server. All are about connecting a client to the VPN server; after that nothing works. I can't see a usable VPN server, just one to connect to and nothing else. :(

Re: Accessing LAN resources when OpenVPN is not LAN's GW

Post by leon111 » Tue Dec 23, 2014 8:43 am

Blisk wrote: I have everything as it is described in the first post as an example.
I tried everything but still can't ping anything in the local network behind the VPN.
Also I don't want to add some extra routing on the client; I hope I can do that in the client.conf file or on the firewall on the VPN server.
And unfortunately there is not even one guide which I can use to make the VPN work so that the local network is accessible for a client connected to the VPN server. All are about connecting a client to the VPN server; after that nothing works. I can't see a usable VPN server, just one to connect to and nothing else. :(
I'm still looking for how to solve this problem, but can't do anything. I just added to each machine on the OPENVPN SERVER network a default gateway which is set to the OPENVPN SERVER. So the OPENVPN SERVER is working as a router. When I power off the OPENVPN SERVER nobody has a connection to the LAN and internet...

Can anyone help with that?

How to fix that without setting the default gateway or adding routes to each client?

Re: Accessing LAN resources when OpenVPN is not LAN's GW

Post by jergen » Sat Mar 28, 2015 4:25 pm

Hello,

Router on Debian Linux (also as openvpn client for xbox):
- the gateway is 192.168.1.1 (eth0),
- the lan interface ip is 192.168.10.1 (eth1),
- the wifi interface ip is 192.168.11.1 (wlan0)
- the tun+ ips are from 10.100.201.00

Home network host:
- the xbox ip is 192.168.11.2,

How to make the xbox use the VPN? The rest of the hosts on the home network (eth1 and wlan0) should use the standard connection.
