OpenVPN Server forward subnet to PPTP client

This is where we can discuss what we would like to see added or changed in OpenVPN.
kkourmousis
OpenVpn Newbie
Posts: 2
Joined: Sat Aug 11, 2018 12:16 am

OpenVPN Server forward subnet to PPTP client

Post by kkourmousis » Sat Aug 11, 2018 1:05 am

Hi,

Being a programmer I really tried to solve this on my own but I didn't succeed.

Let me tell you my setup and what I wish to achieve and after that I will explain where I am stuck:

I want to have the following running on my router:
  • An OpenVPN Server so I can connect to my Router from my laptop or phone when I work outside, without directing internet through it
  • A PPTP client connected to my work VPN, so I can have access to all my work's subnets but without directing internet through it
  • An OpenVPN client so I can browse the Internet (from my LAN only) through paid VPN service (VyprVPN)
Right now I have achieved all the above. What I cannot achieve, and would like to, is for a client of my OpenVPN server to have access to the subnets exposed through the PPTP client. Now let me give you some details:
  • I have an ASUS RT-AC68U with Merlin 384.6 (latest).
  • My LAN subnet is 192.168.11.0/24
  • Concerning the OpenVPN Server, I have managed to give its clients LAN access only through it (not internet), and the client (PC) connected to the OpenVPN server can ping my LAN devices and vice versa. Here is the server configuration:
    Server Config
    # Automatically generated configuration
    daemon ovpn-server1
    topology subnet
    server 192.168.12.0 255.255.255.0
    proto udp
    port 1194
    dev tun21
    ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
    cipher AES-128-CBC
    auth SHA256
    comp-lzo adaptive
    keepalive 15 60
    verb 3
    push "route 192.168.11.0 255.255.255.0 vpn_gateway 500"
    client-config-dir ccd
    client-to-client
    duplicate-cn
    route 192.168.0.0 255.255.255.0
    push "route 192.168.0.0 255.255.255.0"
    push "dhcp-option DNS 192.168.11.1"
    plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn
    verify-client-cert none
    username-as-common-name
    ca ca.crt
    dh dh.pem
    cert server.crt
    key server.key
    status-version 2
    status status 5

    As you can see, I tried routing the 192.168.0.0/24 subnet from the client (PC) connected to the OpenVPN server to the PPTP client, but it is incomplete. A tracert from the client (PC) connected to the OpenVPN server indicated that the packets are indeed reaching my OpenVPN server, but they stop there. In order to be sure that my tests are correct, I am sending a UDP packet from the client (PC) connected to the OpenVPN server to a PC inside the 192.168.0.0/24 subnet, so as to ensure that at least half-way communication is achieved and I will know it.
  • Concerning the PPTP client:
    • Subnets exposed through the PPTP VPN are 10.0.4.0/24 and 192.168.0.0/24 (yes I know... this shouldn't be... go tell my boss :lol:)
    • when the PPTP client connects it messes up my routing table. It adds a default gateway through it and it can't keep permanent routes to the desired subnets. I have managed to solve it with the following:

      ip route delete default via 192.168.0.160 dev ppp5
      route -n add -net 192.168.0.0 netmask 255.255.255.0 ppp5
      route -n add -net 10.0.4.0 netmask 255.255.255.0 ppp5
      ip route add default dev ppp5 table 3
      but I have to do it every time. I found out I can put that in a service to run each time the PPTP client gets connected, and I will when I solve my current problem. For now, I do it manually. After all that, my LAN subnet 192.168.11.0/24 can access my work's subnets 192.168.0.0/24 and 10.0.0.4/24 successfully.
    • The result of all the above is the following Routing Table:

      Destination		Gateway			Genmask			Flags		Metric	Ref	Use	Iface
      WORK.wan.puclic.ip	HOME.public.wan.ip	255.255.255.255		UGH		0	0	0	WAN
      HOME.public.wan.ip	*			255.255.255.255		UH		0	0	0	WAN
      192.168.0.0		*			255.255.255.0		U		0	0	0	ppp5
      192.168.12.0		*			255.255.255.0		U		0	0	0	tun21
      192.168.11.0		*			255.255.255.0		U		0	0	0	LAN
      HOME.public.wan.ip	*			255.255.254.0		U		0	0	0	WAN
      default			HOME.public.wan.ip	0.0.0.0			UG		0	0	0	WAN
      
    So to sum up, I need help so that the OpenVPN Server subnet 192.168.12.0/24 gets access to the subnets exposed by the PPTP client (10.0.4.0/24 and 192.168.0.0/24).

    I hope I provided enough info for some guru in here to help me out.

    Many thanks in advance to whoever invests some time in this.

kkourmousis
OpenVpn Newbie
Posts: 2
Joined: Sat Aug 11, 2018 12:16 am

Re: OpenVPN Server forward subnet to PPTP client

Post by kkourmousis » Mon Aug 13, 2018 7:11 am

In addition, here are the results of the iptables -S command:

-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ACCESS_RESTRICTION
-N FUPNP
-N INPUT_ICMP
-N NSFW
-N OVPN
-N PControls
-N PTCSRVLAN
-N PTCSRVWAN
-N SECURITY
-N default_block
-N logaccept
-N logdrop
-N other2wan
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT ! -i br0 -j PTCSRVWAN
-A INPUT -i br0 -j PTCSRVLAN
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -m state --state NEW -j OVPN
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -i br0 -o eth0 -j other2wan
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -j NSFW
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -m state --state NEW -j OVPN
-A FORWARD -i br0 -j ACCEPT
-A FORWARD ! -i br0 -o ppp5 -j DROP
-A OVPN -i tun11 -j ACCEPT
-A OVPN -d 192.168.11.0/24 -i tun21 -j ACCEPT
-A PControls -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j DROP
-A SECURITY -j RETURN
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
-A other2wan -i tun+ -j RETURN
-A other2wan -j DROP
I tried the following but it didn't help:

iptables -I FORWARD -i tun21 -o ppp5 -s 192.168.12.0/24 -d 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OVPN -d 192.168.0.0/24 -i tun21 -j ACCEPT
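To see which rule in the posted FORWARD chain actually decides the fate of a tun21-to-ppp5 packet, here is a small added example (not code from the post, nor from OpenVPN or Merlin): a minimal model of iptables filter-chain evaluation fed with the FORWARD, OVPN and other2wan rules copied from the `iptables -S` output above. It understands only the match syntax those rules use (`-i`/`-o` with `!` and the `+` wildcard, `-s`/`-d`, `-p`, `-m state`/`-m conntrack`, `-j`) and skips the rest; the packet descriptions (interface names, a client address in 192.168.12.0/24, a host in 192.168.0.0/24) are constructed for the example.

```python
"""Added example (not the post's code): trace a packet through an iptables FORWARD chain."""
import ipaddress
import shlex
# Rules copied from the post's `iptables -S`: FORWARD and the chains it jumps to (NSFW is empty there).
RULES_FROM_POST = """
-P FORWARD DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -i br0 -o eth0 -j other2wan
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -j NSFW
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -m state --state NEW -j OVPN
-A FORWARD -i br0 -j ACCEPT
-A FORWARD ! -i br0 -o ppp5 -j DROP
-A OVPN -i tun11 -j ACCEPT
-A OVPN -d 192.168.11.0/24 -i tun21 -j ACCEPT
-A other2wan -i tun+ -j RETURN
-A other2wan -j DROP
"""
# Arguments of the rule the post says was tried with `iptables -I FORWARD ...`.
TRIED_RULE = ("-i tun21 -o ppp5 -s 192.168.12.0/24 -d 192.168.0.0/24 "
              "-m conntrack --ctstate NEW -j ACCEPT")
TERMINATING = {"ACCEPT", "DROP", "REJECT"}
FIELD = {"-i": "in", "-o": "out", "-s": "src", "-d": "dst", "-p": "proto"}

def parse_rule(tokens):
    # Turn the arguments of one -A/-I line into (conditions, target).
    conds, target, negate, it = [], None, False, iter(tokens)
    for tok in it:
        if tok == "!":                       # negates the option that follows
            negate = True
            continue
        if tok in FIELD:
            conds.append((tok, next(it), negate))
        elif tok == "-m" and next(it) in ("state", "conntrack"):
            next(it)                         # the "--state" / "--ctstate" flag
            conds.append(("ctstate", set(next(it).split(",")), negate))
        elif tok == "-j":
            target = next(it)
        negate = False                       # other options (tcp flags, limit...) are skipped
    return conds, target

def load_rules(text, inserted=()):          # `inserted` rules go to the head of FORWARD, like -I
    policies, chains = {}, {}
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if tokens[0] == "-P":
            policies[tokens[1]] = tokens[2]
            chains.setdefault(tokens[1], [])
        elif tokens[0] == "-A":
            chains.setdefault(tokens[1], []).append(parse_rule(tokens[2:]))
    chains["FORWARD"] = [parse_rule(shlex.split(r)) for r in inserted] + chains["FORWARD"]
    return policies, chains

def matches(conds, pkt):
    for kind, value, negate in conds:
        if kind in ("-i", "-o"):             # a trailing '+' is a prefix wildcard
            name = pkt[FIELD[kind]]
            ok = name.startswith(value[:-1]) if value.endswith("+") else name == value
        elif kind in ("-s", "-d"):
            ok = ipaddress.ip_address(pkt[FIELD[kind]]) in ipaddress.ip_network(value, strict=False)
        elif kind == "-p":
            ok = pkt["proto"] == value
        else:
            ok = pkt["ctstate"] in value     # conntrack state set
        if ok == negate:                     # plain mismatch, or a matched '!'
            return False
    return True

def trace(policies, chains, chain, pkt, path):
    # Walk one chain, recursing into user chains; deciding rules are appended to path.
    for n, (conds, target) in enumerate(chains.get(chain, []), 1):
        if not matches(conds, pkt):
            continue
        if target in TERMINATING or target == "RETURN":
            path.append(f"{chain}:{n} -j {target}")
            return target
        if target in chains:                 # jump; a RETURN from it falls through
            verdict = trace(policies, chains, target, pkt, path)
            if verdict in TERMINATING:
                return verdict
        # non-terminating targets (TCPMSS, LOG) and empty chains fall through too
    if chain in policies:                    # end of a built-in chain: its policy
        path.append(f"{chain} policy {policies[chain]}")
        return policies[chain]
    return "RETURN"

def forward_verdict(rules_text, pkt, inserted=()):
    path = []                                # filled in by trace()
    return trace(*load_rules(rules_text, inserted), "FORWARD", pkt, path), path

def packet(in_if, out_if, src, dst, proto="udp", ctstate="NEW"):
    return {"in": in_if, "out": out_if, "src": src, "dst": dst, "proto": proto, "ctstate": ctstate}

# Constructed flows: OpenVPN client -> work subnet, its reply, and LAN -> work.
VPN_TO_WORK = packet("tun21", "ppp5", "192.168.12.6", "192.168.0.50")
WORK_REPLY = packet("ppp5", "tun21", "192.168.0.50", "192.168.12.6", ctstate="ESTABLISHED")
LAN_TO_WORK = packet("br0", "ppp5", "192.168.11.20", "192.168.0.50")

if __name__ == "__main__":
    for pkt, ins in ((VPN_TO_WORK, ()), (WORK_REPLY, ()), (LAN_TO_WORK, ()), (VPN_TO_WORK, [TRIED_RULE])):
        print(pkt["in"], "->", pkt["out"], pkt["ctstate"], *forward_verdict(RULES_FROM_POST, pkt, ins))
```

With the rules exactly as posted, a NEW packet entering on tun21 and leaving on ppp5 walks past the OVPN chain (which only accepts tun21 traffic destined for 192.168.11.0/24) and is dropped by the last FORWARD rule, `! -i br0 -o ppp5 -j DROP`; the same packet from br0 is accepted by rule 9, and replies in the other direction are covered by the RELATED,ESTABLISHED rule. With the tried `-I FORWARD` rule placed first, the model accepts the flow, which is the narrow, source-and-destination-scoped way to open it rather than accepting everything from tun21. The model covers only the filter table: whether the far side has a route back to 192.168.12.0/24, or whether NAT is applied on ppp5, is a separate question it cannot answer.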
