OpenVPN Server Issue - Cannot access LAN devices using TUN
Posted: Mon Nov 16, 2015 12:00 am
Hi,
I have an OpenVPN Server up and running on my Netgear ReadyNAS which is based on Linux (Debian).
I can connect to the VPN server successfully from my laptop and iPhone from a remote location, but I cannot access any of my LAN devices.
I wanted to use a bridge interface originally, but have found I cannot use this on the ReadyNAS as the bridge-utils and some of the drivers are missing from the Linux kernel on the system, so I cannot run brctl commands.
I have now set up a TUN interface instead, but I have no idea how to set up the routing to make all of my LAN devices accessible through the VPN.
I will explain my physical network setup if that makes it easier to assist.
Primary Router (internet connected) – LAN IP – 160.55.3.33, Subnet 255.255.255.0 (DHCP server for LAN 160.55.3.34/149)
ReadyNAS – LAN IP – 160.55.3.250 (STATIC IP) – LAN Interface Name – eth0
OpenVPN server running on ReadyNAS – IP - 10.8.0.0
Secondary Router – LAN IP - 160.55.3.254 (STATIC IP)
WAN IP of Primary Router – 10*.***.**.** (I have masked this for security)
I have read that for the TUN interface I will need to set up iptables and routing so that all my LAN devices are accessible through the VPN server when I am connected remotely.
An example is
iptables -A PREROUTING -t mangle -i <LAN_interface> -d 192.168.1.0/255.255.255.0 -j ROUTE --gw 192.168.0.A
iptables -A PREROUTING -t mangle -i <LAN_interface> -d 10.8.0.0/255.255.255.0 -j ROUTE --gw 192.168.0.A
I just don't know which IP address I need to put where.
I also found
iptables -t nat -A POSTROUTING -o <local_lan_interface_name> -j MASQUERADE
I am unable to set these routes on the primary router as there is no option through the web GUI and it has stock TP-Link firmware installed (DD-WRT not supported, unfortunately).
Any assistance with what routing I will need to configure would be much appreciated, and if you are able to advise where each of my LAN IPs described above needs to go in the commands, that would be great, as I have no idea really. Also, as can be seen, I've probably made mistakes in my server and client config files.
Client Config
client
# dev must match the server, which uses "dev tun"; this file originally had "dev tap"
dev tun
;dev tap
;dev-node vpn2 #This is the adaptor name for my TAP adaptor in Windows
proto udp
remote 10*.***.**.** 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert iphone.crt
key iphone.key
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 3
Server Config
local 160.55.3.250
port 1194
proto udp
mssfix 1400
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
# 1024-bit DH parameters are weak; 2048-bit ones (openssl dhparam -out dh2048.pem 2048) are recommended
dh /etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 160.55.3.33"
# push the LAN (160.55.3.0/24) into the tunnel so clients send LAN-bound traffic via the VPN;
# the original line here, push "route 0.0.0.0 255.255.255.255 net_gateway", installs no useful route
push "route 160.55.3.0 255.255.255.0"
client-to-client
keepalive 10 120
cipher AES-256-CBC
comp-lzo
max-clients 6
persist-key
persist-tun
status openvpn-status.log
verb 1
user openvpn
group openvpn
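Example of what the NAS-side forwarding and NAT setup could look like, using the addresses from the post (eth0, 10.8.0.0/24, 160.55.3.0/24). This is added example code, not from the original post or from OpenVPN; it assumes the tunnel interface is tun0 and that iptables with the "state" match is available on the ReadyNAS.

```sh
#!/bin/sh
# Added example: NAS-side forwarding + NAT so OpenVPN (TUN) clients on
# 10.8.0.0/24 can reach the LAN 160.55.3.0/24 behind eth0.
# Assumptions (not from the post): tunnel interface is tun0; iptables with
# the "state" match is present on the ReadyNAS.
VPN_IF=tun0
LAN_IF=eth0
VPN_NET=10.8.0.0/24
LAN_NET=160.55.3.0/24

# Convert a prefix length (e.g. 24) to a dotted netmask (255.255.255.0).
cidr_to_netmask() {
  bits=$1; mask=""
  for _ in 1 2 3 4; do
    if [ "$bits" -ge 8 ]; then o=255; bits=$((bits - 8))
    else o=$(( (255 << (8 - bits)) & 255 )); bits=0; fi
    mask="$mask${mask:+.}$o"
  done
  echo "$mask"
}

# The server.conf line that tells clients to send LAN traffic into the tunnel.
push_lan_route() {
  echo "push \"route ${LAN_NET%/*} $(cidr_to_netmask "${LAN_NET#*/}")\""
}

# Rule set, emitted as text so it can be reviewed before running as root.
# MASQUERADE makes LAN hosts see VPN traffic as coming from the NAS itself
# (160.55.3.250), so the TP-Link router needs no static route for 10.8.0.0/24.
# The FORWARD rules allow only VPN->LAN sessions and their replies.
vpn_lan_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -s $VPN_NET -d $LAN_NET -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -s $LAN_NET -d $VPN_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VPN_IF -j DROP
iptables -t nat -A POSTROUTING -s $VPN_NET -o $LAN_IF -j MASQUERADE
EOF
}

# Execute the rules (needs root). Invoked with "apply"; otherwise only print.
apply_rules() {
  vpn_lan_rules | while IFS= read -r cmd; do $cmd; done
}

if [ "${1:-}" = apply ]; then apply_rules; else vpn_lan_rules; fi
```

Run without arguments to review the rules, and with `apply` as root on the NAS to install them; `push_lan_route` prints the server.conf line that replaces the `net_gateway` push.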