Communicating to the clients nettwork
-
arne
- OpenVpn Newbie
- Posts: 3
- Joined: Sat Feb 05, 2022 12:40 pm
Communicating to the clients nettwork
I have connectes two PC's via OpenVPN Access server. The PC's hase address 10.1.1.5 and 10.1.1.6 in the tunnel. (But physically in two different bulidings). In the same network (LAN) as 10.1.1.5 there is a IP camera (or some other equipment). Camera has a static address 10.1.1.4 (?!). Is it possible in some way to communicate from PC 10.1.1.6 (LAN B) to camera IP 10.1.1.4 on lan A? (The camara has no OpenVPN client.)
-
arne
- OpenVpn Newbie
- Posts: 3
- Joined: Sat Feb 05, 2022 12:40 pm
Re: Communicating to the clients nettwork
Maybe the camera should not be given a static adress belonging to the tunnel, but rather an address om the pysical network, lets say 192.168.1.4 (?!) Then there might be needed some kind of routing on the OpenVPN Access server to send the trafic via 10.1.1.5 to 192.168.1.4? Could this be "the right way"? If so, how to do that?
Could this descpription give the right solution?
https://openvpn.net/vpn-server-resource ... ss-server/
Could this descpription give the right solution?
https://openvpn.net/vpn-server-resource ... ss-server/
-
openvpn_inc
- OpenVPN Inc.
- Posts: 1332
- Joined: Tue Feb 16, 2021 10:41 am
Re: Communicating to the clients network
Hi Arne,
You definitely do need to use separate networks, on each side of the tunnel, and for the tunnel itself.
The Access Server's default VPN network is in 172.27.0.0/16, which won't usually overlap with anything but another Access Server. You could use any other RFC 1918 networks on each end of the tunnel.
If you are using embedded devices which don't allow you to set an IP address, well, my first suggestion would be not to buy such a thing.
But poorly designed devices like that can be reached through a VPN directly (if they run the openvpn client themselves) or via NAT on the site client. You would access the device using your VPN client IP address (as assigned by the Access Server.)
Bridging is another option, but very rarely is it a good idea. Don't consider it.
Here is a troubleshooting flowchart for connecting to a LAN behind a VPN client. It is written for community openvpn servers, so it's not quite right for how you would do it with Access Server. But the ideas are very much the same. The iroute & CCD parts are different; see "VPN Gateway" in User Permissions. If you get stuck on the AS configuration just reply, or open a support ticket at the link in my signature.
regards, rob0
You definitely do need to use separate networks, on each side of the tunnel, and for the tunnel itself.
The Access Server's default VPN network is in 172.27.0.0/16, which won't usually overlap with anything but another Access Server. You could use any other RFC 1918 networks on each end of the tunnel.
If you are using embedded devices which don't allow you to set an IP address, well, my first suggestion would be not to buy such a thing.
But poorly designed devices like that can be reached through a VPN directly (if they run the openvpn client themselves) or via NAT on the site client. You would access the device using your VPN client IP address (as assigned by the Access Server.)Bridging is another option, but very rarely is it a good idea. Don't consider it.
Here is a troubleshooting flowchart for connecting to a LAN behind a VPN client. It is written for community openvpn servers, so it's not quite right for how you would do it with Access Server. But the ideas are very much the same. The iroute & CCD parts are different; see "VPN Gateway" in User Permissions. If you get stuck on the AS configuration just reply, or open a support ticket at the link in my signature.
regards, rob0
OpenVPN Inc.Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
-
arne
- OpenVpn Newbie
- Posts: 3
- Joined: Sat Feb 05, 2022 12:40 pm
Re: Communicating to the clients nettwork
Thanks for answer!
Just now I am testing with Windows so it is not a problem to configure IP adresses, and of course there were two LAN's before clients on those LAN's were connectet via OpenVPN Access server. Connection between those clients works fine.
I guess the question actually is: How to route traffic between those two LAN's.
Just now I am testing with Windows so it is not a problem to configure IP adresses, and of course there were two LAN's before clients on those LAN's were connectet via OpenVPN Access server. Connection between those clients works fine.
I guess the question actually is: How to route traffic between those two LAN's.
-
openvpn_inc
- OpenVPN Inc.
- Posts: 1332
- Joined: Tue Feb 16, 2021 10:41 am
Re: Communicating to the clients nettwork
Hi Arne,
The bottom line seems to be: change one of those LAN addresses. You can't easily have different routes to the same IP network, in Access Server.
The OpenVPN Cloud service, OTOH, has a hack to do this:
User Guide - Remote access to private networks with overlapping IP address space
Still, RFC 1918 is plenty big enough to give no excuse for any organization of any size to have overlapping LAN networks.
regards, rob0
The bottom line seems to be: change one of those LAN addresses. You can't easily have different routes to the same IP network, in Access Server.
The OpenVPN Cloud service, OTOH, has a hack to do this:
User Guide - Remote access to private networks with overlapping IP address space
Still, RFC 1918 is plenty big enough to give no excuse for any organization of any size to have overlapping LAN networks.
regards, rob0
OpenVPN Inc.Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support