Routing problem between networks (Windows Server 2016)

Posted: Tue Jan 10, 2023 7:18 pm
by Novgorod
I have an OpenVPN connection between a single remote client and a server which is in a home LAN. I need access between the remote client and the entire home LAN and vice versa (Windows file shares etc.). So far, the OpenVPN connection works (server and client can access each other) and the client can access all machines on the home LAN, but no LAN machine (except the server) can access the remote client. I'm not sure whether this is an OpenVPN or a local routing issue (I suspect the latter), but maybe someone has experienced a similar problem. Here's the network layout:

Remote client (Windows):
- Direct internet connection (public IP)
- OpenVPN connection: 10.8.0.2

--------------------

Home LAN:

1. Internet router:
- WAN (public IP)
- Private LAN address: 192.168.10.1

2. OpenVPN server (Windows Server 2016):
- Private LAN address: 192.168.10.2
- LAN gateway: 192.168.10.1
- OpenVPN connection: 10.8.0.1

3. Other home LAN machines (Windows):
- Private LAN address: 192.168.10.x
- LAN gateway: 192.168.10.1

Server Config
port 1194
proto udp4
dev tun
[...cert section...]
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.10.0 255.255.255.0"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
allow-compression yes
max-clients 32
persist-key
persist-tun
status openvpn-status.log
verb 3
mute 20
explicit-exit-notify 1

I also added a static route to the home LAN internet router to forward the VPN subnet to the OpenVPN server: 10.8.0.0/24 -> 192.168.10.2
This should work because I can access the server from other home LAN machines via 10.8.0.1 without having any static routes for that subnet on the other LAN machines. However, I can't access the remote client on 10.8.0.2 from the LAN (except directly from the server), so it's probably a routing issue on the server. I set IPEnableRouter = 1 in the registry (then rebooted), and also installed the "routing and remote access" role on the server and configured it for LAN routing (which shouldn't be necessary for this?). I also completely disabled the Windows firewall for testing, with the same results. The remote client can access the 192.168.10.0 subnet, but no one in the LAN (except the server) can access the 10.8.0.0 subnet on the other side of the VPN (but accessing the server via 10.8.0.1 is possible, as I mentioned).

Is there anything else I can try to get the routing on the server to work?
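A server-side check for the prerequisites the post describes (the IPEnableRouter value, per-interface forwarding on the LAN and TUN/TAP adapters, the local routes for 10.8.0.0/24 and 192.168.10.0/24, and reachability of 10.8.0.2), added here as an example and not part of the original post. The interface aliases are assumptions and must be replaced with the names shown by Get-NetIPInterface on the actual server.

```powershell
# Added diagnostic example (not from the original post). Run in an elevated
# PowerShell on the OpenVPN server (192.168.10.2 / 10.8.0.1).
$LanAlias     = 'Ethernet'             # ASSUMED alias of the 192.168.10.2 adapter
$TunAlias     = 'OpenVPN TAP-Windows6' # ASSUMED alias of the 10.8.0.1 adapter
$VpnSubnet    = '10.8.0.0/24'
$LanSubnet    = '192.168.10.0/24'
$RemoteClient = '10.8.0.2'

# 1. The global switch the post mentions (IPEnableRouter in the registry).
$tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$global = (Get-ItemProperty -Path $tcpip -Name IPEnableRouter -ErrorAction SilentlyContinue).IPEnableRouter
"IPEnableRouter (registry): $global"

# 2. The per-interface Forwarding state is what the stack actually honours.
#    Both the LAN adapter and the TUN/TAP adapter must show 'Enabled'; an
#    adapter (re)installed after the registry change can still be 'Disabled'.
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -in @($LanAlias, $TunAlias) } |
    Select-Object InterfaceAlias, Forwarding, ConnectionState |
    Format-Table -AutoSize

# Uncomment to enable forwarding on both adapters without a reboot:
# Set-NetIPInterface -InterfaceAlias $LanAlias -AddressFamily IPv4 -Forwarding Enabled
# Set-NetIPInterface -InterfaceAlias $TunAlias -AddressFamily IPv4 -Forwarding Enabled

# 3. The server needs a route for the VPN subnet via the TUN/TAP adapter and
#    its normal LAN route; traffic from 192.168.10.x arriving via the router's
#    static route is forwarded only if both are present.
Get-NetRoute -AddressFamily IPv4 -DestinationPrefix $VpnSubnet, $LanSubnet -ErrorAction SilentlyContinue |
    Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric |
    Format-Table -AutoSize

# 4. RRAS is not required for plain forwarding, but if it is installed it
#    should not be left in a half-configured (stopped) state.
Get-Service RemoteAccess -ErrorAction SilentlyContinue | Select-Object Name, Status

# 5. Reachability of the remote client from the server itself, and which
#    source address the server uses for it (expected: 10.8.0.1).
Test-NetConnection -ComputerName $RemoteClient -InformationLevel Detailed |
    Select-Object ComputerName, PingSucceeded, SourceAddress
```

If every check above passes, run `tracert 10.8.0.2` from a LAN machine: the hop at which replies stop (router, server, or nothing beyond the server) shows whether the problem is still on the server or on the remote client side (for example its own firewall profile, which the post did not disable).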