OpenVPN Server: 172.16.2.0/24 255.255.255.0
Internal LAN: 172.16.1.0/24 255.255.255.0
Internal LAN GW: 172.16.1.1
Internal LAN IP of client with iroute: 172.16.1.10
Internal VPN IP of client with iroute: 172.16.2.10
As you can see I am using iroute, expecting client 172.16.2.10 to advertise its 172.16.1.0 route. However I cannot ping any other hosts on the 172.16.1.0 network, except for the client hosting the iroute. Logs confirm that the iroute is being picked up;
to the server configuration, except then all internal LAN clients route all internal LAN traffic to the openvpn server, which I don't want. Local LAN traffic should be hitting the local LAN router (172.16.1.1).
Re: No Traffic To Internal Lan with iroute
Posted: Mon Oct 01, 2018 4:40 am
by ClontarfX
An image to hopefully illustrate my dramas;
Re: No Traffic To Internal Lan with iroute
Posted: Mon Oct 01, 2018 7:27 am
by flint2003
Hi!
IMHO, first of all I would recommend you to abide by commonly accepted rules: the internal VPN network has to be 10.8.0.0/24, clients' networks have to be different, e.g. 192.168.x.y/24 where x = 10, 11 and so on (x != 0 or 1). In future, when your VPN works fine, you can change network ranges as you want without limitations.
Next, you should change your CCD file's name and check its path (placement):
1) Put your CCD file in the "CCD" folder, directly in the "config" folder.
2) Give it the same name as its client. For example, I've got the client "client9". It means that the file in the "CCD" folder has got the same name.
3) Check the content of your file. I usually write as follows:
ifconfig-push 10.8.0.2 255.255.255.0
push "route 10.8.0.0 255.255.255.0"
push "route-gateway 10.8.0.1"
iroute 192.169.0.0 255.255.255.0
The order of entries (or rows) matters! Pay attention to it.
The last step - try to ping VPN nodes: 10.8.0.1 (VPN Server) and 10.8.0.2 (VPN client) can be pinged in both directions.
So, if that is true, adjust routing in your PCs and you can ping local addresses.
Any questions - write here.
Re: No Traffic To Internal Lan with iroute
Posted: Tue Oct 02, 2018 7:49 am
by ClontarfX
Thanks
1) CCD file is in place and is correct. iroute is correctly advertised and learned by clients.
2) See above
3) No need to ifconfig because addresses are assigned by ipp (topology subnet).
Unfortunately with your changes, vpnclient3 (172.16.2.30) still cannot contact clients behind vpnclient1 (172.16.2.10 -> 172.16.1.0/24).
Additionally, with the above configuration, clients connected to the VPN on the 172.16.1.0/24 network are routing their traffic over the VPN to other LAN clients.
e.g. PING 172.16.1.10 from 172.16.1.20 is going over the VPN (172.16.2.1), instead of being routed locally. This is bad.
As you can see I am using iroute, expecting client 172.16.2.10 to advertise its 172.16.1.0 route. However I cannot ping any other hosts on the 172.16.1.0 network, except for the client hosting the iroute. Logs confirm that the iroute is being picked up;
Notice the wrong "gateway" for the 172.16.1.0 route. There is no VPN client with 172.16.2.2. The client hosting the iroute is 172.16.2.10.
You need a fixed VPN IP for this client. Add --ifconfig details to this client CCD file.
Thanks TinCanTech for the reply. Not sure why I need ifconfig in the CCD file. Does this tell OpenVPN to use this IP as a reference to the client? The reason I ask this is because the client is correctly allocated an IP address from the ipp pool. Adding the ifconfig statement to the CCD did not change anything regarding the advertised routes or the IP assigned to the host.
In either case, as I posted above, adding NAT rules to my iptables seems to have resolved the routing issue on the iroute gateway. Why does the routing work only when I configure the NAT on the iroute gateway? Am I fundamentally misunderstanding the purpose of iroute and its internal routing capabilities (OpenVPN)?
Final (working) configuration (except VPN clients on LAN still route via VPN for LAN route);
the client is correctly allocated an IP address from the ipp pool
But this is not a fixed IP. Only CCD --ifconfig gives a fixed IP.
Do you mean a fixed IP as in the IP stays allocated to the interface when the VPN is offline? When a VPN client connects, the OpenVPN server allocates the IP assigned to the host via ipp. This is why I asked whether ifconfig has something to do with internal routing or OpenVPN server behaviour, because putting ifconfig into the CCD file did nothing (IP already allocated via OpenVPN server IPP).
Am I fundamentally misunderstanding the purpose of iroute and its internal routing capabilities (OpenVPN)?
Yes .. OpenVPN sets up a VPN and routing for the end points. It does not configure your network, you must do that yourself.
So what I probably need then is some instruction on correctly setting up the routing (docs suggest the reason my NAT fix works is because routing is not right).
Final (working) configuration (except VPN clients on LAN still route via VPN for LAN route);
This does not make sense .. perhaps you can elaborate.
With the above config, I can ping LAN clients from an external VPN client.
However, with the above config, VPN clients which sit on the LAN (so have both routes), route all LAN traffic via the VPN.
So client2 has 172.16.1.20 (LAN) and 172.16.2.20 (VPN). It sits on the 172.16.1.0/24 network.
When client2 pings lanclient1 (172.16.1.10), the traffic goes to the VPN server first (172.16.2.1), then back to lanclient1 (172.16.1.10).
This obviously isn't desired. LAN clients should prefer the LAN route and not use the VPN route when the traffic is destined for the same network.
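As an added illustration (not code from the thread or from OpenVPN), a small Python model of the forwarding path discussed above: the server's kernel route hands 172.16.1.0/24 to the tun interface, the CCD iroute tells the OpenVPN process which client owns that prefix, and the echo reply from a LAN host still dies unless the LAN router (172.16.1.1) knows a route back to 172.16.2.0/24. Node names, the table layout and the source check are assumptions modelled on OpenVPN's documented behaviour.

```python
import ipaddress

# Constructed model of the thread's topology; node names are hypothetical.
ADDRS = {"vpnclient3": {"172.16.2.30"}, "server": {"172.16.2.1"},
         "vpnclient1": {"172.16.2.10", "172.16.1.10"},  # client carrying the iroute
         "lanclient2": {"172.16.1.20"}, "lan_gw": {"172.16.1.1"}}
VPN_IPS = {"172.16.2.30": "vpnclient3", "172.16.2.10": "vpnclient1"}
IROUTES = [("172.16.1.0/24", "vpnclient1")]  # OpenVPN's internal table (CCD iroute)
# Kernel tables: (prefix, next hop); "direct" = connected LAN, "tun" = OpenVPN.
ROUTES = {"vpnclient3": [("0.0.0.0/0", "server")],
          "server": [("172.16.2.0/24", "tun"), ("172.16.1.0/24", "tun")],
          "vpnclient1": [("172.16.1.0/24", "direct"), ("0.0.0.0/0", "server")],
          "lanclient2": [("172.16.1.0/24", "direct"), ("0.0.0.0/0", "lan_gw")],
          "lan_gw": [("172.16.1.0/24", "direct")]}  # knows nothing about 172.16.2.0/24
LAN_GW_FIX = [("172.16.2.0/24", "vpnclient1")]  # the return route the LAN router lacks


def lpm(table, ip):
    """Longest-prefix match over (prefix, next_hop) pairs; None if nothing matches."""
    a = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in table if a in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def openvpn_next_hop(src, dest, from_client):
    """Server-side OpenVPN logic: verify the source, then pick the owning client."""
    # A client may only inject sources tied to it (its VPN IP or an iroute'd
    # prefix); anything else is dropped as a bad source address from that client.
    if from_client and from_client not in (VPN_IPS.get(src), lpm(IROUTES, src)):
        return None
    return VPN_IPS.get(dest) or lpm(IROUTES, dest)  # None = no internal route


def trace(src, dest, routes=ROUTES, hop_limit=8):
    """Follow one packet hop by hop; return (delivered, nodes visited)."""
    node, prev, path = next(n for n, a in ADDRS.items() if src in a), None, []
    while node and len(path) < hop_limit:
        path.append(node)
        if dest in ADDRS[node]:
            return True, path
        nh = lpm(routes[node], dest)
        if nh == "direct":
            nh = next((n for n, a in ADDRS.items() if dest in a), None)
        elif nh == "tun":  # only the server hands packets to the OpenVPN process
            nh = openvpn_next_hop(src, dest, prev if prev in VPN_IPS.values() else None)
        prev, node = node, nh
    return False, path  # dropped at path[-1]
```

Calling trace("172.16.1.20", "172.16.2.30") with the plain ROUTES shows the reply dying at lan_gw; merging LAN_GW_FIX into ROUTES["lan_gw"] lets it reach vpnclient3 via vpnclient1 and the server.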