Accessing an ADSL router from a distant connected client?
Moderators: TinCanTech
-
- OpenVPN Power User
- Posts: 52
- Joined: Sun Jun 05, 2011 7:50 pm
Accessing an ADSL router from a distant connected client?
Hi all,
I've managed successfully to start the OpenVPN between my Linux server and a Windows XP client, that is connected to the Internet via an ADSL SpeedTouch router.
While the remote administration of the ADSL router is permanently closed from the Internet, I have only two ways to perform some administrative tasks on it:
1) accessing a Windows SSH server through the OpenVPN tunnel, and then telnet into the ADSL router and use CLI commands; this is a nightmare (!).
2) finding a way in which I may trick the packets sent through the OpenVPN tunnel, to reach the ADSL router from the internal interface, and return to the source.
Well, I am asking for help at the 2) point.
To be very clear, I will insert here an image with my setup:
So, I would like to access the [Remote Site] ADSL Web management interface (located at http://192.168.1.1), using a browser installed on [Admin site] on Admin PC, at 192.168.10.213.
In this moment, I can ping (from the ADMIN PC) the Ethernet interface of the client (192.168.1.66), but if I'll try the IP of the ADSL router (192.168.1.1), there will be no reply. WINDUMP installed on the client machine, is showing the outgoing packets on the TUN/TAP interface, but no reply. Probably, because I cannot set any return route in the table of the ADSL router. Well, here is the trick that I am asking for... of course, if there are any...
While I hope that you will not send me to RTFM (!), I will put here also a link to my server.conf file (the client.ovpn is classical, as in the examples from the OpenVPN HowTo). My config file is using a subdirectory "ccd" for client-specific configuration files, as specified in the HowTo, and it's obviously working (I've watched the logs).
Please note that I've also tried NAT under the Windows XP machine and I've started the IP Forwarding on it ( HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter=1 ).
server.conf
In the hope of a positive answer, please allow me to wish you all the best!
Regards,
Lolex
Last edited by lolex on Mon Jun 06, 2011 7:00 am, edited 3 times in total.
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Accessing an ADSL router from a distant connected client
you would need to set up masquerading on the windows server (search for one of Bebop's posts on this subject). However, I would not use a VPN for this in the first place:
1) launch the windows SSH server (which, I hope, supports port forwarding)
2) ssh to the windows SSH server with port forwarding turned on (on linux this would be 'ssh -D 1080 <remote-IP>' ; in PuTTY I'd configure a Dynamic Port 1080)
3) configure your browser to use the SOCKS proxy at 127.0.0.1:1080
4) you can now access your ADSL web interface.
another quick&dirty trick is to use dedicated port forwarding, e.g.
ssh -L 8080:192.168.1.1:80 <remote-IP>
and then access your ADSL web interface on http://127.0.0.1:8080
-
- OpenVPN Power User
- Posts: 52
- Joined: Sun Jun 05, 2011 7:50 pm
Re: Accessing an ADSL router from a distant connected client
Hello Janjust,
Thank you very much for the trick explanation. Meanwhile, I've noticed that the site where I've put my "site" image is down, so I entered again and modified the link, to point to another site that is up.
I must admit that I wasn't aware about the portfw capability of the SSH, so I will try your setup and return here to post the results.
I've downloaded the SSHD server for Windows from sshwindows.sourceforge.net and I read the installation procedure here , but I don't know yet if it supports portfw. I'll be back with news, anyway!
Thanks a lot and have a nice day!
Lolex
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
- Contact:
Re: Accessing an ADSL router from a distant connected client
hi there,
you can use your client lan xp pc to connect both lans
(using iroute inside ccd file & a route statement inside server.conf)
*also* you must add 2 static routes to your client router for both 10.8.0 and 192.168.10 networks
pointing to your client xp pc (ip forwarding in xp is needed).
i personally used this setup to access routers to remote clients via vpn.
Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)
Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)
"objects in mirror are losing"
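Why the router never answers in the first post, and why the suggestions in this thread (static routes on the router, source NAT on the XP client, or an SSH port forward) each fix it, shown as an added example that is not code from any poster: a longest-prefix-match model of the ADSL router's routing table. The addresses are the thread's own; the router's default table and all function names are assumptions.

```python
import ipaddress

def next_hop(table, dst):
    """Longest-prefix match over (prefix, hop) rows; returns the chosen hop."""
    addr = ipaddress.ip_address(dst)
    rows = [(ipaddress.ip_network(p), hop) for p, hop in table]
    matches = [(net, hop) for net, hop in rows if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

# Addresses taken from the thread.
XP_CLIENT = "192.168.1.66"    # OpenVPN client on the router's LAN
ADMIN_PC = "192.168.10.213"   # browser host on the admin site

# Assumed table of a stock ADSL router: its own LAN plus a default route.
ROUTER_DEFAULT = [
    ("192.168.1.0/24", "on-link"),
    ("0.0.0.0/0", "wan"),
]

# maikcat's suggestion: two static routes pointing at the XP client.
ROUTER_WITH_STATIC = ROUTER_DEFAULT + [
    ("10.8.0.0/24", XP_CLIENT),
    ("192.168.10.0/24", XP_CLIENT),
]

def reply_path(table, source_seen_by_router):
    """Where the router sends its reply, given the source address it saw."""
    hop = next_hop(table, source_seen_by_router)
    if hop == "wan":
        return "lost: reply leaves via the WAN default route"
    if hop == "on-link":
        return "delivered directly on the LAN"
    return f"forwarded via {hop}"

def scenarios():
    return {
        # Plain routing through the tunnel: the router sees the admin PC's address.
        "routed, stock router": reply_path(ROUTER_DEFAULT, ADMIN_PC),
        # Static routes send the reply back to the XP client, which forwards it.
        "routed, static routes": reply_path(ROUTER_WITH_STATIC, ADMIN_PC),
        # Source NAT on the XP client or an SSH forward: the router only
        # ever sees 192.168.1.66, so no router change is needed.
        "snat or ssh -L": reply_path(ROUTER_DEFAULT, XP_CLIENT),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:24} -> {result}")
```

The third case is the one that needs no change on the router: its management interface only ever talks to a host on its own LAN.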
-
- OpenVPN Power User
- Posts: 52
- Joined: Sun Jun 05, 2011 7:50 pm
Re: Accessing an ADSL router from a distant connected client
Hello maikcat,
Thanks for the reply and suggestions, however:
maikcat wrote: you can use your client lan xp pc to connect both lans
(using iroute inside ccd file & a route statement inside server.conf)
I've already done it, as I specified in my first post, where I put a link to my server.conf file. And also I've specified that I have tried to use the "ccd" configuration. It works until the source packets are reaching the target (i.e. the ADSL router internal interface).
And....
maikcat wrote: *also* you must add 2 static routes to your client router for both 10.8.0 and 192.168.10 networks pointing to your client xp pc (ip forwarding in xp is needed).
Yes, you're right. This is exactly what I've realized that I cannot do, because I do not have a direct access to that router, through the Internet. The only way is to find a path from the inside of the VPN, hi !
Anyway, thanks for the good intentions!
Best regards,
Lolex
-
- OpenVPN Power User
- Posts: 52
- Joined: Sun Jun 05, 2011 7:50 pm
Re: Accessing an ADSL router from a distant connected client
janjust wrote: another quick&dirty trick is to use dedicated port forwarding, e.g.
ssh -L 8080:192.168.1.1:80 <remote-IP>
and then access your ADSL web interface on http://127.0.0.1:8080
Hello again!
I've just tested your "quick&dirty" trick and is working like a dream !
For those that might be interested, the setup is in the above picture. I've also installed SSHD for Windows (see my first post) and I've launched SSH tunneling with the following line, from the Windows cmd prompt:
ssh -L 80:192.168.1.254:80 user@10.8.0.6
or, for those that would like to use plink (tool from Putty page), is the same syntax:
plink -L 80:192.168.1.254:80 user@10.8.0.6
Here, 192.168.1.254 is the LAN IP of the ADSL router, and 10.8.0.6 is the OpenVPN IP of the peer activated on the Windows PC. The OpenVPN server is on my Linux box, and I've set up client-to-client configuration using "ccd" setup (see the server.conf that is published in my first post).
After the authentication (with the password for <user@10.8.0.6> - that is the Windows password for <user> ), I've got a standard Windows command prompt. And then, I've opened a browser on my Windows PC, and typed http://127.0.0.1:80 (of course, while the http request is going by default to the 80 port, in this case is somehow overkill, but I've added the port just for the sake of the syntax!).
Finally, I've obtained the login window of the Web interface of the ADSL router.
Q.E.D!
(but I will try also the other ways and I'll be back to share my results).
Thanks Janjust !
Best regards,
Lolex
-
- OpenVPN Power User
- Posts: 52
- Joined: Sun Jun 05, 2011 7:50 pm
Re: Accessing an ADSL router from a distant connected client
janjust wrote: you would need to set up masquerading on the windows server (search for one of Bebop's post on this subject).
Hello Janjust,
I've tried to find and read some of Bebop's posts, but I didn't find yet one regarding the IP masquerading on Windows (XP).
The only (apparently) usable document that I've found is Pseud IP Masquerade on Win32 , but I'm not sure that is still useful.
I would like to test also a masquerade/SNAT solution for the Windows machine, so if you know a direct hit about this, please hit me! (of course, when you can).
Thanks a lot,
Lolex
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Accessing an ADSL router from a distant connected client
the word 'masquerading' was misleading; read up on topic7815.html