Client(s) cannot access LAN devices behind OpenVPN server

GainfulShrimp
OpenVpn Newbie
Posts: 12
Joined: Tue May 12, 2015 10:00 am

Client(s) cannot access LAN devices behind OpenVPN server

Post by GainfulShrimp » Tue May 12, 2015 12:57 pm

I've set up an OpenVPN server on my Ubiquiti Edgerouter Lite (which is also my home LAN gateway and firewall).

I can successfully connect from my workplace or mobile network, from both iPhone (using OpenVPN Connect) and MacBook (using Viscosity). I can access the Edgerouter itself, and also browse the web fine. If I Google "what is my IP?" then my home public (static) IP address is displayed, so I know I'm browsing via the tunnel.

However, I cannot access other devices on my home LAN, except for the Edgerouter itself.

The router and OpenVPN server IP is 192.168.2.1. My home LAN subnet is 192.168.2.0/24.

The IP of my NAS, which I'd like to access via the VPN, is 192.168.2.50.

My OpenVPN (virtual) client subnet is 10.8.91.0/24.

I have used port-forwarding and opened up firewall rules for port 1194-UDP.

I've configured OpenVPN using the Edgemax EdgeOS system (based on a forked Vyatta), so I don't have a config file per se - but here is my config as shown in the router:

    openvpn vtun1 {
        local-host 192.168.2.1
        local-port 1194
        mode server
        openvpn-option --tls-server
        openvpn-option --comp-lzo
        openvpn-option "--user nobody --group nogroup"
        openvpn-option --persist-key
        openvpn-option --persist-tun
        openvpn-option --persist-local-ip
        openvpn-option --persist-remote-ip
        openvpn-option "--keepalive 8 30"
        openvpn-option "--verb 3"
        openvpn-option --client-to-client
        openvpn-option "--ifconfig-pool-persist /config/auth/openvpn/vtun1_ipp.txt"
        openvpn-option "--push redirect-gateway def1"
        openvpn-option "--push dhcp-option DNS 192.168.2.1"
        openvpn-option "--cipher AES-128-CBC"
        openvpn-option --float
        openvpn-option "--tls-auth /config/auth/openvpn/keys/ta.key 0"
        openvpn-option "--tls-cipher DHE-RSA-AES256-SHA"
        protocol udp
        server {
            push-route 192.168.2.0/24
            subnet 10.8.91.0/24
            topology subnet
        }
        tls {
            ca-cert-file /config/auth/openvpn/keys/ca.crt
            cert-file /config/auth/openvpn/keys/server.crt
            dh-file /config/auth/openvpn/keys/dh2048.pem
            key-file /config/auth/openvpn/keys/server.key
        }
    }
If I use "ps -ef | grep openvpn" on the command line of the router, I can see the resulting daemon process running:

...
nobody    1590     1  0 10:56 ?        00:00:26 /usr/sbin/openvpn --daemon --verb 3 --writepid /var/run/openvpn-vtun1.pid --status /var/run/openvpn/status/vtun1.status 30 --dev-type tun --dev vtun1 --mode server --tls-server --topology subnet --keepalive 10 60 --local 192.168.2.1 --lport 1194 --ca /config/auth/openvpn/keys/ca.crt --cert /config/auth/openvpn/keys/server.crt --key /config/auth/openvpn/keys/server.key --dh /config/auth/openvpn/keys/dh2048.pem --management /tmp/openvpn-mgmt-intf unix --push route 192.168.2.0 255.255.255.0 --server 10.8.91.0 255.255.255.0 --client-config-dir /var/run/openvpn/ccd/vtun1 --tls-server --comp-lzo --user nobody --group nogroup --persist-key --persist-tun --persist-local-ip --persist-remote-ip --keepalive 8 30 --verb 3 --client-to-client --ifconfig-pool-persist /config/auth/openvpn/vtun1_ipp.txt --push redirect-gateway def1 --push dhcp-option DNS 192.168.2.1 --cipher AES-128-CBC --float --tls-auth /config/auth/openvpn/keys/ta.key 0 --tls-cipher DHE-RSA-AES256-SHA
...
If I run "show ip route", I see this:

admin@ubnt:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route

K>* 0.0.0.0/0 is directly connected, pppoe0
C>* 10.7.91.0/24 is directly connected, vtun0
C>* 10.8.91.0/24 is directly connected, vtun1
C>* 10.9.91.0/24 is directly connected, vtun2
C>* 127.0.0.0/8 is directly connected, lo
C>* 192.168.2.0/24 is directly connected, eth1
C>* 195.166.128.192/32 is directly connected, pppoe0
admin@ubnt:~$ 
Here is a sample client config:

client
dev tun
tls-client
proto udp
remote MYDOMAINNAME 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert matt-mbp.crt
key matt-mbp.key
tls-auth ta.key 1
ns-cert-type server
cipher AES-128-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
comp-lzo
verb 3
reneg-sec 0
(Note that vtun0 and vtun3 relate to two other OpenVPN instances, for testing - they are running on different protocols/ports - but all three instances exhibit the same problem re: accessing LAN devices.)

I've tried to follow the How-To guide as far as I can, but I'm struggling to see why it's not working. :(

GainfulShrimp
OpenVpn Newbie
Posts: 12
Joined: Tue May 12, 2015 10:00 am

Re: Client(s) cannot access LAN devices behind OpenVPN serve

Post by GainfulShrimp » Wed May 13, 2015 6:32 am

Just to update this with what I've found while my post was being approved...

I've now realised that it's not the case that I can't access anything on my LAN when connected via OpenVPN - I can successfully ping my Raspberry Pi and ssh to it. It's just that my NAS doesn't respond (to either ping or https requests) from my OpenVPN clients. It can't be a general routing problem, otherwise I wouldn't be able to ping/ssh to the Pi (or at least, my client wouldn't receive responses from the Pi).

When connected to the Pi via ssh, I can then successfully ping my NAS from the Pi, so I'm starting to think that my OpenVPN connection is working OK but it's something on the NAS config which is stopping this from working. :(

I think the reason it works when connecting via my L2TP VPN is that I get assigned a LAN IP address that way, so the NAS 'thinks' my client is local.

It's pretty frustrating as I can't find anything in the NAS's firewall settings etc which would cause this issue.

It's a Synology DS1812+ running the latest (5.2) version of DSM by the way.

If anybody has any ideas, I'd appreciate it!

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Client(s) cannot access LAN devices behind OpenVPN serve

Post by Traffic » Wed May 13, 2015 10:31 am

GainfulShrimp wrote: I think the reason it works when connecting via my L2TP VPN is that I get assigned a LAN IP address that way, so the NAS 'thinks' my client is local.
If your server machine uses iptables you can easily NAT your VPN packets and the NAS will see the VPN client as the server private IP ..

GainfulShrimp
OpenVpn Newbie
Posts: 12
Joined: Tue May 12, 2015 10:00 am

Re: Client(s) cannot access LAN devices behind OpenVPN serve

Post by GainfulShrimp » Wed May 13, 2015 5:32 pm

Thanks very much for the suggestion, Traffic. :) But I found another solution this morning, before I saw your post: adding a 'static route' in my NAS's Network config (easy to do through my NAS's GUI), pointing my OpenVPN subnet to my router/server.

I used the following options:

Destination: 10.8.91.0 (my OpenVPN 'virtual' subnet)
Subnet Mask: 255.255.255.0 (subnet mask of my OpenVPN subnet)
Gateway: 192.168.2.1 (the LAN IP of my router/OpenVPN server)
Interface: Bond 1 (my NAS is configured to use Link Aggregation)

When I enabled this route, everything started working perfectly. :D

I'm still a little confused why it didn't already work, as I'd already checked that the 'default gateway' for the NAS was correctly set as 192.168.2.1. (This seems to be all that's required for most devices on my LAN to be reachable through the OpenVPN connection.)
Apparently my NAS needed explicitly telling where to respond for my OpenVPN traffic, for some reason...

serjmac
OpenVpn Newbie
Posts: 5
Joined: Fri May 22, 2015 9:31 pm

Re: Client(s) cannot access LAN devices behind OpenVPN serve

Post by serjmac » Fri May 22, 2015 9:47 pm

Traffic wrote:
GainfulShrimp wrote: I think the reason it works when connecting via my L2TP VPN is that I get assigned a LAN IP address that way, so the NAS 'thinks' my client is local.
If your server machine uses iptables you can easily NAT your VPN packets and the NAS will see the VPN client as the server private IP ..
I got to this post googling hard and I'm "glad" I found my scenario. I confirm your problem is that your VPN packets are not being forwarded to your NAS with an IP from your local subnet 192.168.2.0; instead your NAS is receiving pings and requests from 10.8.9.0 and its firewall is dropping them all.

In a scenario similar to yours I'm having the same situation with a Windows 8 firewall: if I disable the Windows Firewall I can ping that computer and access its shared resources from a VPN client. I've also got a Linux machine with a particular piece of software only accepting requests from local subnet IPs, and it is forbidding access because it detects the requests are not coming from the 192.168.x.x local subnet. There is no NAT process and the source IP is the VPN server IP.

By the way, in my local LAN I have a Raspberry with which I started training on OpenVPN some months ago. I still have it running as a parallel VPN gateway. If I access my LAN through the Raspberry VPN tunnel (same server config as the OpenWRT router acting as VPN gateway), I get correct NAT forwarding and my local machines see the incoming VPN client requests as coming from the gateway LAN IP (192.168.x.x), while if I access through the OpenWRT router VPN tunnel it is just forwarded with the VPN subnet 10.8.x.x.

Other machines in my local LAN which don't have a strict firewall accept requests from my VPN client through my OpenWRT VPN server; they don't care if it comes from 192.168.x.x or 10.8.x.x... but I want to masquerade??? all traffic coming through the VPN gateway as 192.168.x.x.

The point is that all this is happening with an OpenWRT router which is at the same time LAN gateway, WAN gateway and OpenVPN gateway. As @Traffic quoted, I think I'm missing a NAT rule in iptables. Please, could you tell us how to configure this? I have the option to set iptables rules in the firewall.user section.

Sorry if I went on too long; English is not my native tongue and I wanted to make my particular problem clear.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Client(s) cannot access LAN devices behind OpenVPN serve

Post by Traffic » Sun Aug 23, 2015 12:41 pm

serjmac wrote: As @Traffic quoted, I think I'm missing a NAT rule in iptables. Please, could you @Traffic tell us how to configure this? I have the option to set iptables rules in firewall.user section.
Please start a new thread here:
http://forums.openvpn.net/server-administration-f4.html

Please read the forum rules at the top of the page ..

IPTables NAT rule (Example):

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
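As an added illustration (not from the thread), this Python model puts the two fixes discussed above side by side: a longest-prefix lookup over a constructed copy of the NAS's routing table shows that GainfulShrimp's static route resolves to the same next hop as the default gateway that was already set, and a model of the "local subnet only" host policy serjmac describes shows why Traffic's MASQUERADE rule lets such a host accept VPN clients. Addresses are the thread's own; the client address 10.8.91.6 and the policy function are constructed assumptions.

```python
import ipaddress

# Constructed model of the thread's network (addresses taken from the posts).
LAN = ipaddress.ip_network("192.168.2.0/24")
VPN_POOL = ipaddress.ip_network("10.8.91.0/24")
ROUTER = ipaddress.ip_address("192.168.2.1")  # LAN gateway and OpenVPN server

# NAS routing table as (prefix, next hop); None marks a directly connected net.
NAS_ROUTES_DEFAULT_ONLY = [("0.0.0.0/0", ROUTER), ("192.168.2.0/24", None)]
NAS_ROUTES_WITH_STATIC = NAS_ROUTES_DEFAULT_ONLY + [("10.8.91.0/24", ROUTER)]


def next_hop(routes, dst):
    """Longest-prefix match: next hop for dst, 'direct' for a connected
    network, or None when no route covers dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None
    return "direct" if best[1] is None else str(best[1])


def local_only_policy(src):
    """Assumed host firewall of the kind serjmac describes: LAN sources only."""
    return ipaddress.ip_address(src) in LAN


def masquerade(src, out_addr=ROUTER):
    """Effect of a POSTROUTING MASQUERADE rule matching the VPN pool: the
    packet leaves the router with the router's own LAN address as source."""
    return str(out_addr) if ipaddress.ip_address(src) in VPN_POOL else src


def nas_accepts(client_src, nat=False):
    """Does the modelled NAS policy accept a packet from this VPN client?"""
    return local_only_policy(masquerade(client_src) if nat else client_src)


if __name__ == "__main__":
    client = "10.8.91.6"  # constructed address from the VPN pool
    print(next_hop(NAS_ROUTES_DEFAULT_ONLY, client))  # 192.168.2.1
    print(next_hop(NAS_ROUTES_WITH_STATIC, client))   # 192.168.2.1 (same hop)
    print(nas_accepts(client), nas_accepts(client, nat=True))  # False True
```

With the thread's addressing, Traffic's example rule becomes `iptables -t nat -A POSTROUTING -s 10.8.91.0/24 -o eth1 -j MASQUERADE`, since the "show ip route" output places 192.168.2.0/24 on eth1.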