Routing problems

Posted: Tue Jan 18, 2022 6:05 pm
by Tobias_84
Hello all,
I have been trying to get this to work for some days now, both using the config file to push and enter routes, and using iptables.

I have succeeded with a similar situation earlier, but I haven't configured an OpenVPN solution in years and my brain doesn't remember how anymore.

I would appreciate any hints to get it moving forward.

The scenario:
I need to access a remote PLC system from my computer that I have with me. The OpenVPN server is set up on a different site.
The PLC system has a 4G router that connects to the OpenVPN server because its IP changes and/or it is behind a NAT.

Code:

Laptop		OpenVPN-Server		4G Router	PLC + HMI
		192.168.162.254		192.168.5.1	192.168.5.10 / 192.168.5.11
10.8.2.5	10.8.2.1		10.8.2.10
How do I configure the 'routes' correctly in server.conf, and do I really need to set up iptables?

Server.conf as I last tested it...

Code:

client-to-client
server 10.8.2.0 255.255.255.0
push "route 10.8.2.0 255.255.255.0"
push "route 192.168.162.0 255.255.255.0"

route 10.8.2.0 255.255.255.0 10.8.2.1
route 192.168.5.0 255.255.255.0 10.8.2.1
This results in:
Laptop can reach 192.168.162.254 and 10.8.2.10
Server can reach 10.8.2.5, 10.8.2.10
Behind router can reach 192.168.162.254 and 10.8.2.5

If I add

Code:

push "route 192.168.5.0 255.255.255.0"

everything behind the 4G router stops being able to reach anything, even the router (192.168.5.1).

The client config is basically original.

Regards
Tobias

Re: Routing problems

Posted: Thu Jan 20, 2022 11:43 pm
by 300000
You need to make a site-to-site connection between the PLC system and the OpenVPN server, so that your computer, connecting to the OpenVPN server, can route to the PLC system.

The PLC system connects to the 4G router, so that is why it needs a site-to-site connection, so all routes will go over the OpenVPN virtual IP before it can connect to the real IP.

Re: Routing problems

Posted: Fri Jan 21, 2022 2:19 pm
by Tobias_84
Hello,

I have changed it to site-to-site using tap and it works now with 'computer' clients.
I can reach them and they can reach me.

But the PLC won't accept this. I can see on the Ethernet port that the ping requests are read by the PLC, but I get no ping response.
I can't set a gateway address that is outside the PLC subnet, so there are still some tries left to get it working.

Is it possible to let the 4G router, which is connected as a client, serve IPs to other clients connecting?

Re: Routing problems

Posted: Fri Jan 21, 2022 2:57 pm
by openvpn_inc
Hello Tobias,
Tobias_84 wrote:
Tue Jan 18, 2022 6:05 pm
I have been trying to get this to work for some days now, both using the config file to push and enter routes, and using iptables.
Note that iptables controls NAT and access, not routing.
Tobias_84 wrote:
Tue Jan 18, 2022 6:05 pm
The scenario:
I need to access a remote PLC system from my computer that I have with me. The OpenVPN server is set up on a different site.
I guess "on a different site" means you also connect to openvpn as a client?
Tobias_84 wrote:
Tue Jan 18, 2022 6:05 pm
The PLC system has a 4G router that connects to the OpenVPN server because its IP changes and/or it is behind a NAT.

Code:

Laptop		OpenVPN-Server		4G Router	PLC + HMI
		192.168.162.254		192.168.5.1	192.168.5.10 / 192.168.5.11
10.8.2.5	10.8.2.1		10.8.2.10
How do I configure the 'routes' correctly in server.conf, and do I really need to set up iptables?
Regarding iptables, probably not. You do not need NAT for this.
Tobias_84 wrote:
Tue Jan 18, 2022 6:05 pm
Server.conf as I last tested it...

Code:

client-to-client
server 10.8.2.0 255.255.255.0
push "route 10.8.2.0 255.255.255.0"
push "route 192.168.162.0 255.255.255.0"

route 10.8.2.0 255.255.255.0 10.8.2.1
route 192.168.5.0 255.255.255.0 10.8.2.1
The push and route to 10.8.2.0/24 are redundant, because your "server" line includes those.
Tobias_84 wrote:
Tue Jan 18, 2022 6:05 pm
This results in:
Laptop can reach 192.168.162.254 and 10.8.2.10
Server can reach 10.8.2.5, 10.8.2.10
Behind router can reach 192.168.162.254 and 10.8.2.5
"Behind router can reach ... 10.8.2.5", was this not the goal? And if those can reach you but you can't reach them, that almost surely means you're blocking that with a firewall somewhere.
Tobias_84 wrote:
Tue Jan 18, 2022 6:05 pm
If I add

Code:

push "route 192.168.5.0 255.255.255.0"

everything behind the 4G router stops being able to reach anything, even the router (192.168.5.1).
We have a nice wiki page for client LAN access, RoutedLans.
And also a nice troubleshooting flowchart here.
It looks like you missed the --client-config-directory and the --iroute for the router.
Tobias_84 wrote:
Tue Jan 18, 2022 6:05 pm
The client config is basically original.
I'm not sure what that could mean. Original, from where?

Anyway, there has been new activity here since I started writing this. You definitely do not want nor need tap/bridging.

regards, rob0
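The client-config-directory/iroute arrangement rob0 points to (a kernel route on the server, an iroute in a per-client file, and the LAN route pushed to the other clients but not to the router that owns it), written out as an added example; it is not configuration from the thread or from the wiki, and the router's certificate common name is a placeholder:

```text
# --- server.conf (added example; only the routing-relevant lines are shown) ---
server 10.8.2.0 255.255.255.0     # already provides the 10.8.2.0/24 route and push
client-to-client

# Kernel route on the server host: 192.168.5.0/24 is reached through the tun interface.
# No gateway argument; OpenVPN fills in its default gateway for the tun device.
route 192.168.5.0 255.255.255.0

# Per-client files live here; each file name must equal that client's certificate CN.
client-config-directory /etc/openvpn/ccd

# Every client (laptop included) learns the server LAN and the PLC LAN ...
push "route 192.168.162.0 255.255.255.0"
push "route 192.168.5.0 255.255.255.0"

# --- /etc/openvpn/ccd/ROUTER_CN  (ROUTER_CN = placeholder for the 4G router's CN) ---
# OpenVPN's internal routing table: this connected client owns 192.168.5.0/24,
# so packets for that LAN arriving from the laptop are sent down the router's tunnel.
iroute 192.168.5.0 255.255.255.0

# ... but the router must never be pushed a route to its own LAN through the tunnel;
# that is the symptom reported above (everything behind the router lost connectivity).
# push-remove (OpenVPN 2.4 and later on the server) strips only that push for this client.
push-remove "route 192.168.5.0"

# PLC and HMI keep the router (192.168.5.1, inside their own subnet) as default gateway;
# the router forwards 192.168.162.0/24 and 10.8.2.0/24 into the tunnel.
# If hosts behind the router reach the laptop but not the reverse, look at a firewall
# on the path, as the reply says, not at these route lines.
```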