Issue of Allow client to reach entire server subnet

corydon
OpenVpn Newbie
Posts: 7
Joined: Wed Feb 19, 2020 1:51 pm

Issue of Allow client to reach entire server subnet

Post by corydon » Wed Feb 19, 2020 2:23 pm

Hi,
I am practicing OpenVPN, starting from the "Static Key Mini-HOWTO" guide (https://openvpn.net/community-resources ... ini-howto/).
I ran into an issue letting the client access the server's subnet.

My OpenVPN server resides in the subnet 192.168.0.0/8 with a gateway IP of 192.168.0.1, and the OpenVPN server is installed on a Windows 10 computer with an IP of 192.168.0.23.

All tests are fine until trying the Allow client to reach entire server subnet part.

The manual says:
==================================================================
Allow client to reach entire server subnet
Suppose the OpenVPN server is on a subnet 192.168.4.0/24. Add the following to client configuration:

route 192.168.4.0 255.255.255.0
Then on the server side, add a route to the server’s LAN gateway that routes 10.8.0.2 to the OpenVPN server machine (only necessary if the OpenVPN server machine is not also the gateway for the server-side LAN). Also, don’t forget to enable IP Forwarding on the OpenVPN server machine.

=================================================================

So, according to the guide above and considering my real test environment, I took the following steps:
Step 1. I added
route 192.168.0.0 255.255.255.0
in the .ovpn file of the client

Step 2. I added
route 192.168.0.1
in .ovpn file of server


Step 3. I set the value of IPEnableRouter to 1 of Windows 10 computer which hosts the OpenVPN server.


After reconnecting the OpenVPN server and client, I tried to ping a file server at 192.168.0.110 in the server subnet, but it always timed out.

Could you help me work out whether some settings are wrong? I guess step 2 is not correct, but I don't know what would be right.

Thanks!

Corydon

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Issue of Allow client to reach entire server subnet

Post by TinCanTech » Wed Feb 19, 2020 4:35 pm

First of all, never use 192.168.0.0/24 as your server subnet because you will encounter routing conflicts.

Second, better to start with the full blown server/client setup because that has full documentation.

corydon
OpenVpn Newbie
Posts: 7
Joined: Wed Feb 19, 2020 1:51 pm

Re: Issue of Allow client to reach entire server subnet

Post by corydon » Wed Feb 19, 2020 5:27 pm

TinCanTech wrote:
Wed Feb 19, 2020 4:35 pm
First of all, never use 192.168.0.0/24 as your server subnet because you will encounter routing conflicts.

Second, better to start with the full blown server/client setup because that has full documentation.
Thanks for your reply.

I am not so confident to start from full settings. I am trying to add one small change at a time to make sure I fully understand what has been done.

I think steps 1 and 3 are correct.

For step 2, I don't know the correct statement in the server.ovpn to add a route to the server’s LAN gateway (192.168.0.1) that routes 10.8.0.2 to the OpenVPN server machine (192.168.0.23). Could I have your comment?

I will change the ip range later.

Thanks!

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: Issue of Allow client to reach entire server subnet

Post by Pippin » Wed Feb 19, 2020 5:35 pm

192.168.0.0/8
Is a typo?
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Issue of Allow client to reach entire server subnet

Post by TinCanTech » Wed Feb 19, 2020 11:35 pm

corydon wrote:
Wed Feb 19, 2020 5:27 pm
for step 2, I don't know the correct statement in the server.ovpn to add a route to the server’s LAN gateway(192.168.0.1) that routes 10.8.0.2 to the OpenVPN server machine(192.168.0.23), could I have your comment?
It is not an openvpn command .. you have to configure the route on your router.
corydon wrote:
Wed Feb 19, 2020 5:27 pm
I will change the ip range later.
Do it now .....
corydon wrote:
Wed Feb 19, 2020 5:27 pm
I am not so confident to start from full settings. I am trying to add one small change a time to make sure I fully understand what has been done.
I still don't understand WTF is going on :o

corydon
OpenVpn Newbie
Posts: 7
Joined: Wed Feb 19, 2020 1:51 pm

Re: Issue of Allow client to reach entire server subnet

Post by corydon » Thu Feb 20, 2020 1:46 am

Pippin wrote:
Wed Feb 19, 2020 5:35 pm
192.168.0.0/8
Is a typo?
Sorry, it should be 192.168.0.0/24. Thanks!

corydon
OpenVpn Newbie
Posts: 7
Joined: Wed Feb 19, 2020 1:51 pm

Re: Issue of Allow client to reach entire server subnet

Post by corydon » Thu Feb 20, 2020 2:40 am

TinCanTech wrote:
Wed Feb 19, 2020 11:35 pm
corydon wrote:
Wed Feb 19, 2020 5:27 pm
for step 2, I don't know the correct statement in the server.ovpn to add a route to the server’s LAN gateway(192.168.0.1) that routes 10.8.0.2 to the OpenVPN server machine(192.168.0.23), could I have your comment?
It is not an openvpn command .. you have to configure the route on your router.
Thanks. The routing table just specifies the destination IP and the IP of the next hop. No source IP is needed.
Here is the content of the gateway routing table. Could you advise how to add a route for step 2?

=============================
Current Routing Table

Destination   Gateway / Next Hop   Subnet Mask       Metric   Interface
58.35.12.1    *                    255.255.255.255   0        ppp0 (WAN)
192.168.0.0   *                    255.255.255.0     0        br0 (LAN)
127.0.0.0     *                    255.0.0.0         0        lo
default       58.35.12.1           0.0.0.0           0        ppp0 (WAN)

Static Routing Table (Add new route)

Destination   Gateway   Subnet Mask   Metric   Interface   Description

===============================

Thanks!

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Issue of Allow client to reach entire server subnet

Post by TinCanTech » Thu Feb 20, 2020 3:37 am

corydon wrote:
Thu Feb 20, 2020 2:40 am
Could you advice how to add a route for step 2?
Router specific support is care of: tincanteksup <at> gmail

corydon
OpenVpn Newbie
Posts: 7
Joined: Wed Feb 19, 2020 1:51 pm

Re: Issue of Allow client to reach entire server subnet

Post by corydon » Thu Feb 20, 2020 4:36 pm

Hi TinCanTech,

After adding

Destination   Gateway        Subnet Mask
10.8.0.0      192.168.0.23   255.255.255.0

on the gateway routing table, now I can access local host and internet.
But I have one question: when and where is VPN terminated?

Are there some documents explaining the detailed IP flows?

Thanks!
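
The effect of that static route, as an added example that is not part of the original thread: a longest-prefix-match lookup over the gateway table posted earlier shows where the gateway sends a reply addressed to the VPN client 10.8.0.2, before and after the route is added. The second helper checks for one common form of the routing conflict mentioned earlier in the thread, a client whose own LAN uses the same range as the subnet routed over the VPN; the `br0` interface on the added route and the client LAN passed to `conflicts` are assumptions.

```python
import ipaddress

# Gateway routing table as posted in the thread: (destination, mask, next hop, interface).
# "*" in the router UI means directly connected; it is represented here as None.
GATEWAY_TABLE = [
    ("58.35.12.1", "255.255.255.255", None, "ppp0"),
    ("192.168.0.0", "255.255.255.0", None, "br0"),
    ("127.0.0.0", "255.0.0.0", None, "lo"),
    ("0.0.0.0", "0.0.0.0", "58.35.12.1", "ppp0"),  # "default" row
]
# Static route the poster added on the gateway (interface br0 is an assumption).
RETURN_ROUTE = ("10.8.0.0", "255.255.255.0", "192.168.0.23", "br0")


def lookup(table, dst):
    """Longest-prefix match: return (next_hop, interface) chosen for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for dest, mask, hop, iface in table:
        net = ipaddress.ip_network(f"{dest}/{mask}")
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, hop, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def conflicts(client_lan, routed_net):
    """True when the client's own LAN overlaps the subnet routed over the VPN."""
    return ipaddress.ip_network(client_lan).overlaps(ipaddress.ip_network(routed_net))


if __name__ == "__main__":
    # Reply from the file server 192.168.0.110 to the VPN client 10.8.0.2,
    # as routed by the LAN gateway 192.168.0.1.
    print("before:", lookup(GATEWAY_TABLE, "10.8.0.2"))  # falls to the WAN default
    print("after: ", lookup(GATEWAY_TABLE + [RETURN_ROUTE], "10.8.0.2"))
    # Constructed case: the client sits on a LAN that is also 192.168.0.0/24.
    print("conflict:", conflicts("192.168.0.0/24", "192.168.0.0/24"))
```

Without the added route the reply matches only the default entry and leaves through the WAN interface, so it never reaches the OpenVPN host.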

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: Issue of Allow client to reach entire server subnet

Post by Pippin » Thu Feb 20, 2020 4:43 pm

when and where is VPN terminated?
The VPN is terminated on the host running OpenVPN.
Diagram:
https://community.openvpn.net/openvpn/w ... acketsFlow
Are there some documents explaining the detail IP flows?
Search for a routing tutorial online.

corydon
OpenVpn Newbie
Posts: 7
Joined: Wed Feb 19, 2020 1:51 pm

Re: Issue of Allow client to reach entire server subnet

Post by corydon » Fri Feb 21, 2020 3:11 pm

Pippin wrote:
Thu Feb 20, 2020 4:43 pm
when and where is VPN terminated?
The VPN is terminated on the host running OpenVPN.
Diagram:
https://community.openvpn.net/openvpn/w ... acketsFlow
Are there some documents explaining the detail IP flows?
Search for a routing tutorial online.
Hi Pippin,

Thanks!

I tested the PKI instead of static, working fine ;)
