Can't access a computer on the LAN of the VPN server, unless its firewall is completely turned off
Posted: Sat Jan 02, 2021 7:23 pm
Hello guys,
First of all, I would like to apologize for the confusing subject, I had some troubles phrasing it...
On a certain LAN that has several computers that I wish to access remotely, I have one computer running OpenVPN as a server (tun, on Windows).
LAN range: 10.0.0.0 (the gateway router, separate from the VPN server, is at 10.0.0.138).
VPN range: 192.168.5.0/24 (OpenVPN Server is on 192.168.5.1).
I have followed the "Extending the scope" part of the How-to. I'm pushing "route 10.0.0.0 255.255.255.0" to the clients, IP forwarding is enabled on the VPN server Windows machine and I added a static route to my router, and everything seems to work fine.
The problem applies to computers running Windows Firewall, for example the one at 10.0.0.10, which I need to access for RD and for file sharing. When the firewall is completely disabled (which is not good practice), I can access it through the VPN without any issues. However, when I enable the firewall, I lose the ability to reach it. I tried both allowing incoming connections on specific ports (RD and SMB ports, for example) from the desired scope (192.168.5.0/24) and simply allowing all traffic from that scope, but both options failed to work. The thing that confuses me is that, from my understanding, allowing all traffic from that scope is almost like turning off the firewall completely, so I just don't get where the issue is.
I have taken a look at Wireshark while the firewall was turned on, with the rule that allows all traffic from 192.168.5.0/24 to flow, and it does show incoming requests, but as far as I understand, they get rejected.
Server config:
dev-node "Obelisk"
topology subnet
server 192.168.5.0 255.255.255.0
port 49361
proto udp4
dev tun
tls-server
tls-crypt "C:\\Program Files\\OpenVPN\\config\\ta.key" 0
ca ...
cert ...
key ...
dh ...
keepalive 300 600
cipher AES-256-GCM
auth SHA256
push "route 10.0.0.0 255.255.255.0"
persist-key
persist-tun
verb 3
I'm also linking 2 screenshots of Wireshark ping updates (Sorry for the confusion, when I took those screenshots, my VPN range was changed to 10.8.0.0):
This one is running on the target of the ping, with its firewall enabled, with or without a general rule of allowing traffic from VPN subnet: https://imgur.com/RMRddko
This one is running on the computer running the VPN server: https://imgur.com/dlS6Tu9
I'll admit that I can't totally understand what is going on here, but attaching them sure can't hurt.
I'm not a professional of any sort, but I am trying to learn and to do my googling for solutions before posting.
I'll be more than happy to provide any more info necessary.
Thank you so much!
Noam.
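Added example (not part of the original post, and not the poster's own configuration): the scoped inbound rules described above, expressed as PowerShell on the LAN host at 10.0.0.10, followed by the two checks a practitioner would run before concluding the rule is wrong: which firewall profile the receiving interface is in (a rule bound to the wrong profile never matches), and the firewall's own dropped-packet log, which shows whether the packets from the VPN range reached the firewall and were dropped. It assumes the post's VPN subnet 192.168.5.0/24 and the standard Remote Desktop (TCP 3389) and SMB (TCP 445) ports; the rule display names are made up here.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the LAN host.
# Assumes the post's VPN client range and the standard RDP/SMB ports; rule names are arbitrary.
$VpnSubnet = '192.168.5.0/24'   # VPN client range from the post

# 1. Which firewall profile (Domain/Private/Public) is each interface in? A rule restricted
#    to one profile only applies to traffic arriving on an interface in that profile.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

# 2. Create narrowly scoped allow rules: only the VPN subnet, only the needed ports,
#    bound to all profiles so the interface category cannot silently exclude them.
New-NetFirewallRule -DisplayName 'VPN-RDP-In' -Direction Inbound -Protocol TCP `
    -LocalPort 3389 -RemoteAddress $VpnSubnet -Profile Any -Action Allow
New-NetFirewallRule -DisplayName 'VPN-SMB-In' -Direction Inbound -Protocol TCP `
    -LocalPort 445 -RemoteAddress $VpnSubnet -Profile Any -Action Allow
# ICMPv4 echo request (type 8) from the VPN subnet, so a ping from a client is answered
New-NetFirewallRule -DisplayName 'VPN-ICMPv4-Echo-In' -Direction Inbound -Protocol ICMPv4 `
    -IcmpType 8 -RemoteAddress $VpnSubnet -Profile Any -Action Allow

# 3. Verify that each rule is enabled and carries the scope and port you intended.
Get-NetFirewallRule -DisplayName 'VPN-*' | ForEach-Object {
    [pscustomobject]@{
        Name    = $_.DisplayName
        Enabled = $_.Enabled
        Profile = $_.Profile
        Remote  = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        Port    = ($_ | Get-NetFirewallPortFilter).LocalPort
    }
}

# 4. Log dropped packets, reproduce the failing connection, then read the DROP lines
#    that involve the VPN range. A DROP entry proves the packet reached this host's
#    firewall and no allow rule matched; no entry at all points at routing instead.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'
Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" |
    Select-String 'DROP' | Select-String '192\.168\.5\.'
```

Each DROP line in pfirewall.log records protocol, source and destination address and port, and the direction, so comparing those fields with the rule's address and port filters shows exactly which condition failed to match. Keeping the scope at the VPN subnet rather than "any" is the point of the exercise: it gives the VPN clients what they need without exposing the RDP and SMB listeners to the rest of the network.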