Lans behind OpenVPN
Moderators: TinCanTech
- krzee
- Forum Team
- Posts: 728
- Joined: Fri Aug 29, 2008 5:42 pm
Lans behind OpenVPN
I made a document to help people understand everything they need to know about setting up a routed VPN where there are LANs behind OpenVPN.
https://community.openvpn.net/openvpn/wiki/RoutedLans
YOU MUST COMPLETELY READ THIS TO UNDERSTAND IT.
Also, don't expect it to walk you through your exact configuration; it exists to teach you about the different options you may need, not to hold your hand.
With that said, this is the place to discuss it.
Last edited by Pippin on Wed Jan 17, 2024 9:13 pm, edited 1 time in total.
Reason: Corrected link
- OpenVPN User
- Posts: 31
- Joined: Wed Mar 16, 2011 1:27 pm
Re: Lans behind OpenVPN
Well thanks a LOT for this clarification. Just as usual, things become more clear when repeated twice: first time in the official HOWTO and second time here.
Regards,
Kostya
- OpenVpn Newbie
- Posts: 1
- Joined: Tue Mar 22, 2011 10:47 pm
Re: Lans behind OpenVPN
& I've read through this article a couple of times, and am pretty sure it's relevant -- but not directly applicable -- to my setup.
krzee wrote: YOU MUST COMPLETELY READ THIS TO UNDERSTAND IT.
Following instructions, I got the 1st part down.
Not doing so good on the 2nd part.
I've managed to completely confuse myself so far....
I have:
(1) a local LAN with one desktop & one mail-server, behind a firewall/router.
(2) a remote/hosted Server running a firewall & one web-server
My ascii-art depiction of the system is below.
I want to:
(a) Setup the Hosted Server as an OpenVPN server
(b) Ping from server <-> desktop/client over VPN
(c) access the web server @ a privateIP over an OpenVPN link from the Desktop, i.e., http://10.2.3.4
(d) 'connect/redirect' the HostedServer's port:25 over a 2nd OpenVPN link to the MailServer's port:25,
so mail sent TO 1.2.3.4:25 gets TO the MailServer on the LAN, &
mail sent FROM the MailServer on the LAN appears to originate from the HostedServer @ 1.2.3.4:25
I'm pretty certain I've badly screwed up some combination of routing and firewall rules.
I'm hoping to get some guidance as to how to fix what I've done to get it all working.
Here's more info --
ASCII art:
Hosted Server:
|---------------------------|
| Server (Linux): |
| eth0 = 1.2.3.4/24 -|---> (Internet)
| | |
| Apache -- (listen) |
| | |
| tap0 = 10.2.3.4/24 |
|---------------------------|
Office LAN:
|-----------------------------------|
| Router/Firewall (FreeBSD): |
| tun0 (pppoe/dsl)= 5.6.7.201/29 -|---> (Internet)
| | |
| pf firewall |
| | |
| sis0: 10.30.8.1/24 -------| |
|-----------------------------------|
|
|---------------------------------------|
| |
|--------------------------------| |--------------------------------|
| Desktop (Linux): | | | MailServer (Linux): | |
| eth0 = 10.30.8.101/24 --| | | eth0 = 10.30.8.110/24 --| |
| eth0:1 = 10.101.0.101/24 | | eth0:1 = 10.110.0.110/24 |
|--------------------------------| |--------------------------------|
The pre-OpenVPN routing tables are:
@ HostedServer:
netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
1.2.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.2.3.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 1.2.3.1 0.0.0.0 UG 0 0 0 eth0
@ OfficeLAN's Router/Firewall:
netstat -nr
Kernel IP routing table
Destination Gateway Flags Refs Use Netif Expire
default 152.166.181.133 UGS 0 1797052 tun0
5.6.7.201 152.166.181.133 UGS 0 0 tun0
5.6.7.202 152.166.181.133 UGS 0 0 tun0
5.6.7.203 152.166.181.133 UGS 0 0 tun0
5.6.7.204 152.166.181.133 UGS 0 0 tun0
5.6.7.205 152.166.181.133 UGS 0 0 tun0
127.0.0.1 127.0.0.1 UH 0 1094 lo0
152.166.181.133 5.6.7.206 UH 6 0 tun0
10.30.8/24 link#1 UC 0 0 sis0
10.30.8.1 00:00:24:c8:34:77 UHLW 1 716 lo0
As a first step, I've installed OpenVPN server on the HostedServer & the Desktop.
The configs are:
/etc/openvpn/tls-server.conf
-------------------------------------------------
local 1.2.3.4
dev tun1
proto udp
port 12345
mode server
daemon
server 10.10.10.0 255.255.255.0
topology subnet
push "route 10.2.3.0 255.255.255.0 10.10.10.1"
client-to-client
management 127.0.0.1 1195
tls-server
dh /etc/openvpn/dh2048.pem
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.openvpn.dc.loc.crt
key /etc/openvpn/server.openvpn.dc.loc.key
tls-auth /etc/openvpn/shared.ta.key 1
auth RSA-SHA512
cipher AES-256-CBC
keepalive 15 45
comp-lzo
ping-timer-rem
persist-tun
persist-key
max-clients 10
client-config-dir ccd
script-security 2 system
verb 5
status /etc/openvpn/openvpn-status.log
ifconfig-pool-persist /etc/openvpn/ipp.txt
-------------------------------------------------
/etc/openvpn/ccd/desktop.client.openvpn.dc.loc
-------------------------------------------------
ifconfig-push 10.10.10.2 255.255.255.0
iroute 10.101.0.0 255.255.255.0
-------------------------------------------------
/etc/openvpn/tls-desktop.client.conf
-------------------------------------------------
dev tun
proto udp
port 12345
mode p2p
remote 1.2.3.4 12345 udp
topology subnet
pull
remote-cert-tls server
tls-client
ca /etc/openvpn/ca.crt
cert /etc/openvpn/desktop.client.openvpn.dc.loc.crt
key /etc/openvpn/desktop.client.openvpn.dc.loc.key
tls-auth /etc/openvpn/shared.ta.key 0
auth RSA-SHA512
cipher AES-256-CBC
comp-lzo
persist-tun
persist-key
script-security 2 system
verb 5
status /etc/openvpn/openvpn-status.log
-------------------------------------------------
With this config, I can bring up the openvpn connection, see the interfaces, and ping from server to the desktop's VPN endpoint.
I can NOT ping from the desktop to the server's VPN endpoint, or beyond it to the webserver.
@ HostedServer
ifconfig tun1
tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.10.10.1 P-t-P:10.10.10.1 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
netstat -rn | egrep -i "tun|tap"
10.10.10.0 0.0.0.0 255.255.255.0 U 0 0 0 tun1
10.2.3.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
ping -c 1 10.10.10.2
PING 10.10.10.2 (10.10.10.2) 56(84) bytes of data.
64 bytes from 10.10.10.2: icmp_req=1 ttl=64 time=17.9 ms
ping -c 1 10.2.3.4
PING 10.2.3.4 (10.2.3.4) 56(84) bytes of data.
64 bytes from 10.2.3.4: icmp_req=1 ttl=64 time=0.050 ms
@ Desktop
ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.10.10.2 P-t-P:10.10.10.2 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
netstat -rn | grep -i tun
10.10.10.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
10.2.3.0 10.10.10.1 255.255.255.0 UG 0 0 0 tun0
ping -c 1 10.101.0.101
PING 10.101.0.101 (10.101.0.101) 56(84) bytes of data.
64 bytes from 10.101.0.101: icmp_req=1 ttl=64 time=0.041 ms
ping -c 1 10.10.10.1
PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
(just sits)
- OpenVpn Newbie
- Posts: 1
- Joined: Thu Dec 01, 2011 2:55 pm
Re: Lans behind OpenVPN
Thank you for this illustration! It helps. I have one more request. Can you tell me how to configure this same illustrated setup with a slightly major alteration?
I wish to have the same ability to communicate from LAN to LAN to LAN in your single server and two client setup example here, however, I wish for all traffic from all LANs to be routed out only over the server gateway from a routed and not bridged network perspective. Also would like the DNS server used by the server gateway to serve all client stations in addition to the gateway. This will be for a dd-wrt setup if that is important to the solution.
Thanks in advance.
- krzee
- Forum Team
- Posts: 728
- Joined: Fri Aug 29, 2008 5:42 pm
Re: Lans behind OpenVPN
DonJuane wrote: Thank you for this illustration! It helps. I have one more request. Can you tell me how to configure this same illustrated setup with a slightly major alteration?
I wish to have the same ability to communicate from LAN to LAN to LAN in your single server and two client setup example here, however, I wish for all traffic from all LANs to be routed out only over the server gateway from a routed and not bridged network perspective. Also would like the DNS server used by the server gateway to serve all client stations in addition to the gateway. This will be for a dd-wrt setup if that is important to the solution.
Thanks in advance.
You would first get the LAN routing working with the above document. Then you would start using redirect-gateway def1 on the clients (and enable NAT on the server for the VPN/LAN subnets). Then when your clients route over the VPN, you would set up your LANs to route using those clients for their default gateway (which is already normal since you said it would run on the routers).
The above document is only for routing to the LANs, but the rest is not too hard. I have been meaning to make a little writeup on routing internet over VPN, but I haven't gotten around to it.
- OpenVpn Newbie
- Posts: 3
- Joined: Tue Jun 21, 2011 5:11 pm
Re: Lans behind OpenVPN
Hello krzee and all,
I found your article because I ran into the "bad source address from client" in my Windows OpenVPN server log. In fact, I read pretty much every web page Google could find. But still I can't find an answer to my question.
All discussion about this error seems to assume the client has some static LAN IP that can then be configured on the server with iroute, etc. But one of the biggest use cases is for mobile when connecting with public or not-fully-trusted WIFI hotspots. In this case the client LAN IP addresses will be random, and so all this discussion of setting up the client LAN's IP address as part of the server configuration goes out the window. E.g., 10.x.x.x in one location, 172.16.x.x in the next, etc.
I am sure I am missing something but I'll be a monkey's uncle if I can find it. Could you help?
Some more background, at this point I could care less about VPN access from anything other than the client itself. But in my OpenVPN Server log, I get the "bad source address from client [IP of a proxy server required by a connection from my client, or IP of my WIFI Hotspot gateway]".
I have tried various configurations but here is an example of one that has this problem:
server.ovpn:
port 1194
proto tcp
dev tun
ca "C:\\OpenVPN\\config\\ca.crt"
cert "C:\\OpenVPN\\config\\server.crt"
key "C:\\OpenVPN\\config\\server.key" # This file should be kept secret
dh "C:\\OpenVPN\\easy-rsa\\keys\\dh2048.pem"
server 192.168.69.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway"
duplicate-cn
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
verb 5
topology subnet
client.ovpn:
client
dev tun
proto tcp
remote <my home ip> 443 #my home router NATs to 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
verb 3
My client routes look something like this upon connecting to the server:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.69.1 0.0.0.0 UG 0 0 0 tun0
<my home ip> 192.168.43.1 255.255.255.255 UGH 0 0 0 wlan0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 wlan0
192.168.43.0 0.0.0.0 255.255.255.0 U 2 0 0 wlan0
192.168.69.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
In this example, 192.168.43.0 255.255.255.0 happens to be the LAN subnet, but it could change as I go to the next hotspot.
Thanks,
Rob
- OpenVpn Newbie
- Posts: 3
- Joined: Tue Jun 21, 2011 5:11 pm
Re: Lans behind OpenVPN
I just saw one mistake in my above message:
"or IP of my WIFI Hotspot gateway"
should be
"or IP of the 4G wifi hotspot".
Also to make sure it is very clear, in all cases I am trying to route all internet traffic from the client to the server. In some cases (at work) I will allow some private subnet range to be routed to the local lan and not to the VPN. In all cases my VPN server is running on Windows. The clients will be Windows, Linux, and Android.
Various websites and documentation talk about the use of iptables to route all internet traffic through the VPN server, but I am very confused as I have routed all internet traffic through the VPN server in the past without the use of iptables. The first time I did it was to my own Windows VPN server set up in TAP bridged mode. More recently, I have been using a OpenVPN service provider and my client is set up in TUN mode. No iptables usage on the client in either case and I'm able to route all internet traffic through the OpenVPN server just fine.
- OpenVpn Newbie
- Posts: 5
- Joined: Wed Jan 22, 2014 9:29 pm
Re: Lans behind OpenVPN
@ krzee
What could one do if, say, in your particular example "client1 with lan 10.10.1.0" has an IP in that LAN like 10.10.1.120 and that is allocated to a bridged interface, as this client1 is a hypervisor for 5 VMs that are also members of the 10.10.1.0 lan?
In my case:
root@client1:/home# route -een
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface MSS Window irtt
0.0.0.0 WAN_GW 0.0.0.0 UG 0 0 0 eth0 0 0 0
10.8.0.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0 0 0 0
10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0 0 0 0
10.10.1.0 0.0.0.0 255.255.255.0 U 0 0 0 xenbr0 0 0 0
WAN WAN_GW 255.255.255.224 UG 0 0 0 eth0 0 0 0
WAN 0.0.0.0 255.255.255.224 U 0 0 0 eth0 0 0 0
After following your example, I ended up with:
root@client1:/home# route -een
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface MSS Window irtt
0.0.0.0 WAN_GW 0.0.0.0 UG 0 0 0 eth0 0 0 0
10.8.0.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0 0 0 0
10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0 0 0 0
10.10.1.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0 0 0 0
10.10.1.0 0.0.0.0 255.255.255.0 U 0 0 0 xenbr0 0 0 0
WAN WAN_GW 255.255.255.224 UG 0 0 0 eth0 0 0 0
WAN 0.0.0.0 255.255.255.224 U 0 0 0 eth0 0 0 0
Which obviously made my virtual machines inaccessible...
I know there's a fix for this as I saw this setup before somewhere, but I was curious what you would suggest.
Many many thanks for your comprehensive tutorial.
Cheers.
- OpenVpn Newbie
- Posts: 3
- Joined: Sat Aug 29, 2015 8:45 am
Re: Lans behind OpenVPN
It isn't entirely clear to me whether or not this setup will help with what I am trying to do.
I simply want to have masqueraded values travelling through eth0 to go out to the openvpn server. Is there a way to only have the openvpn client handle traffic on a single device? I am really confused about what I need to be doing. I have tried adding iroutes and using ccd, but I am thinking that since I don't intend to give networks on either side access to one another that the iroute/ccd solution isn't actually going to solve my particular problem.
LAN client (cell phone/computer/etc) via wifi
|
v
Wifi AP Router:
wlan0 local area network
using iptables masquerading to route through eth0
eth0 connects to internet
via openvpn client
|
v
openvpn server
On the openvpn server (as it is right now) I am seeing errors like:
MULTI: bad source address from client [192.168.42.11], packet dropped
which led me to try out the iroute solution. Maybe I should just stop using masquerading? The clients connect and data is being sent all the way to the openvpn server, but DNS doesn't appear to be working. I cannot ping anything on the internet (e.g. google.com) from the LAN clients, which is my only goal here.
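The "bad source address from client" drops in this post and in Rob's post above, and the iroute/route pairing the RoutedLans document describes, can be checked against a server's config before anyone starts guessing. The script below is an added example (not from this thread or from the OpenVPN project): it reads a server config, a ccd directory and server log lines, reports iroutes that have no matching kernel `route` directive, and says for each dropped source IP whether any ccd entry claims it. The config, ccd entries and log lines are constructed samples modelled on the values posted in this thread; the second ccd entry ("mailserver.client") is invented for contrast.

```python
import ipaddress
import re

# Constructed sample inputs modelled on the configs and log lines posted in this thread.
SERVER_CONF = """\
server 10.10.10.0 255.255.255.0
topology subnet
push "route 10.2.3.0 255.255.255.0 10.10.10.1"
route 10.110.0.0 255.255.255.0
client-config-dir ccd
"""
CCD_FILES = {
    # iroute present in ccd, but no matching 'route' line in SERVER_CONF above
    "desktop.client.openvpn.dc.loc": (
        "ifconfig-push 10.10.10.2 255.255.255.0\n"
        "iroute 10.101.0.0 255.255.255.0\n"
    ),
    # constructed second client whose LAN is declared at both levels
    "mailserver.client": "iroute 10.110.0.0 255.255.255.0\n",
}
LOG_LINES = [
    "MULTI: bad source address from client [192.168.42.11], packet dropped",
    "MULTI: bad source address from client [10.101.0.110], packet dropped",
    "MULTI: Learn: 10.10.10.2 -> desktop.client.openvpn.dc.loc/203.0.113.5:40000",
]
BAD_SRC = re.compile(r"bad source address from client \[([0-9.]+)\]")


def parse_networks(text, directive):
    """Return the IPv4 networks declared by lines of the form '<directive> NETWORK NETMASK'.
    A push "route ..." line is deliberately not matched: it is for the client, not the server kernel."""
    nets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == directive:
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets


def iroutes_by_client(ccd_files):
    """Map each ccd entry (keyed by certificate CN) to the LAN subnets its iroute lines claim."""
    return {cn: parse_networks(body, "iroute") for cn, body in ccd_files.items()}


def iroutes_without_route(server_conf, ccd_files):
    """iroute tells OpenVPN which client owns a LAN; the server's kernel still needs a
    matching 'route' directive to send that LAN into the tunnel. Return iroutes lacking one."""
    routes = parse_networks(server_conf, "route")
    return sorted(str(n) for nets in iroutes_by_client(ccd_files).values()
                  for n in nets if n not in routes)


def classify_bad_sources(log_lines, ccd_files):
    """For each dropped source IP, name the ccd entry whose iroute covers it, or None.
    None means no iroute claims that LAN at all. A CN means an iroute exists, so check that
    the client really connected under that CN (ccd entries are selected per session by CN)."""
    claims = iroutes_by_client(ccd_files)
    result = {}
    for line in log_lines:
        m = BAD_SRC.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        owner = next((cn for cn, nets in claims.items() if any(ip in n for n in nets)), None)
        result[str(ip)] = owner
    return result


if __name__ == "__main__":
    print("iroute without server route:", iroutes_without_route(SERVER_CONF, CCD_FILES))
    for ip, cn in classify_bad_sources(LOG_LINES, CCD_FILES).items():
        print(f"{ip}: {'no iroute covers this source' if cn is None else 'claimed by ' + cn}")
```

On real systems, read SERVER_CONF from the server config file and CCD_FILES from the client-config-dir, and feed the log through LOG_LINES; a source reported as None is the LAN that still needs a route/iroute pair.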
- krzee
- Forum Team
- Posts: 728
- Joined: Fri Aug 29, 2008 5:42 pm
Re: Lans behind OpenVPN
this thread was for the document, not for helping with everybody's individual use case. I guess I am going to lock the thread.