What's new

[Solved] Access OpenVPN Server LAN over Remote VPN Client

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Wingsfan87

Regular Contributor
@Martineau I really could use your expertise on solving this problem I have been working on for a while. Or anyone else who might know what I am missing/doing wrong.

Background:
I have a Linux OpenVPN Gateway Client setup at my house. It is connected to 5 different OpenVPN Servers running at friends/families houses that are all using Asus routers running Merlin's latest firmware. For my home network I am using Unifi with a USGPro4 and latest Unifi controller. I have static routes set to those remote subnets pointing to my VM running Linux as my OpenVPN Gateway Client. When I am at my house on my LAN I can access all the remote subnets just fine no issues. I have the IPTABLES set correctly to allow established related traffic and my home LAN to forward to the remote LAN and I am dropping their remote LAN to connect to my LAN. I can access their network since they are the OpenVPN server's but me as the client side I don't want them accessing my LAN from theirs. Again all this is working just fine as intended.

Problem: Also on my home LAN Unifi gear I am using a L2TP IPSEC VPN that is included as an option. I am attempting to access the remote subnets for friends and families from this VPN connection but not able to. I did a trace and my VPN connection it is forwarding correctly to the OpenVPN gateway client on my LAN but it is not returning from the remote OpenVPN Server side running on the Asus routers.

I can't tell if I need to adjust the firewall iptable rules on my OpenVPN gateway client or what to set in the custom configuration on the remote OpenVPN server on the Asus router. I am using your custom VPNClientConnect.sh script that adds the iroute dynamically based on user.

Any ideas?

*Note I am only giving one remote LAN example for the rules and IP details but they all are configured similarly just different subnets of course to prevent conflicts/overlap.

IP Details:
Local LAN: 192.168.50.0
Local IPSEC VPN: 10.10.50.0

Remote LAN: 192.168.30.0
Remote OpenVPN: 10.8.30.0

Local OpenVPN Gateway Client IPTABLE List:
root@ovpngateway:~$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.50.0/24 -d 192.168.0.0/16 -j ACCEPT
-A FORWARD -s 10.10.50/24 -d 192.168.0.0/16 -j ACCEPT
-A FORWARD -s 10.8.30.0/24 -d 192.168.0.0/16 -j ACCEPT
-A FORWARD -s 192.168.30.0/24 -d 192.168.0.0/16 -j DROP

OpenVPN Server Router Custom Config:
script-security 2
client-connect /jffs/scripts/VPNClientConnect.sh
route 192.168.50.0 255.255.255.0 vpn_gateway
route 10.10.50.0 255.255.255.0 vpn_gateway


Thanks
 
Slightly different topic with OpenVPN as common denominator. I have a number of routers running Merlin 384.7 (lately.) 1 OpenVPN server enabled on each of those. Local networks running at 192.168.1.0. I start an OpenVPN client on any of the local networks (Windows 10) and it takes me to the local router at 192.168.1.1.
I do the same thing on an Android phone, it flashes an URL like 192.168.1.1/Status_OpenVPN.asp and then switches to whatever the remote router is at 192.168.1.1/Main_Login.asp. Is there any way to convince the Win10 systems to allow access to the remote routers webgui over OpenVPN?

You're hijacking my thread! ;-)

  • Change each of your separate router local LAN subnet to something different. Recommend to not use the default 192.168.1.x (Ex 192.168.10.x , 192.168.20.x, 192.168.30.x)
  • Do you really need each to have a server? You could set them all up to connect back to one as the server and each site as a client so all the networks can talk to each other.
    • If you still want each to be its own change each of the OpenVPN subnets to be different as well. Default is 10.8.0.0 Recommend to not use the default either (Ex 10.8.10.x , 10.8.20.x 10.8.30.x to mirror the LAN subnet).
    • If you are connecting to more than one at a time then you also need to change the port from the standard 1194. Use something higher and you can mirror your LAN octet to keep it easy to remember like 119410, 119420, 119430 and so on.
  • Are you doing LAN only, internet only or both on the VPN server? There are different options you can do based on the need.

Once you have it correctly configured as I mentioned above you will have no problem accessing the remote router gui's over the VPN tunnels.
 
Thank you for the reply - I'll open a new thread. You're absolutely right - my apologies.
 
Thank you for the reply - I'll open a new thread. You're absolutely right - my apologies.
No worries. Hope my post helped.

I think I know my issue. Just not how to solve it. How do I dynamically add multiple iroutes to the same temporary CCD Name using @Martineau VPNClientConnect.sh script?
 
Ok never mind I solved it.

Used Martineau's original script and added an echo line to the config for the client to include another iroute and added a route line to the custom config line in the gui.

Now it works as I needed it from the other VPN :)
 
Ok never mind I solved it.

Used Martineau's original script and added an echo line to the config for the client to include another iroute and added a route line to the custom config line in the gui.

Now it works as I needed it from the other VPN :)
Would you mind sharing the scripts here? Thanks.
 
Ok never mind I solved it.

Used Martineau's original script and added an echo line to the config for the client to include another iroute and added a route line to the custom config line in the gui.

Now it works as I needed it from the other VPN :)

I knew you would figure it out! :D
 
Last edited:
Would you mind sharing the scripts here? Thanks.

See this post https://www.snbforums.com/threads/o...e-to-site-connection.24268/page-4#post-306591

I used his original script there and added one line to it. The 2nd echo line. So it defines 2 iroutes for the same client. That way if the client has multiple subnets on their side anyone of those subnets can access the openvpn server LAN.

Code:
   "clientone")
              echo "iroute 192.168.3.0 255.255.255.0" >>$1
              echo "iroute 10.10.3.0 255.255.255.0" >>$1
              ;;

You also need route in the custom config box in the GUI on the router. See this post as an example where it says route xxxx xxxxx. I don't use push as I'm not sharing the network with other clients. Also I only allow traffic one way on mine. I only want my client or "my network" connecting to the remote server and the server side can't access mine.
 
I knew you would figure it out! :D

Thanks @Martineau the credit goes to you :) Your script and reading through your posts here I have learned a lot.

A couple of things I tried your revised 3.x script for static and added an iroute line to it but didn't work. It would never add the internal route just the static IP. Second you said you revised yours to 4.7x but I haven't seen that one ;) Could you share that update?
 
Your script, you said you revised yours to 4.7x but I haven't seen that one ;) Could you share that update?

Since v3.01 was initially made public, v4.80 of the script evolved primarily due to the lack of interest by Asus etc. to provide (IMHO long over due) 2-factor OpenVPN authentication in order to reduce the possibility of misuse by stricter control etc.

Consequently my aim was to ensure that additional access rules could be applied to OpenVPN Server inbound connecting Clients.

However, apart from the 'pass-thu' feature (outbound via an OpenVPN Client), I don't recall ever seeing any forum posts lamenting the lack of custom OpenVPN Server access rules being an issue, nor any enhancement request for 'Howtos' for any of my considered nice-to-haves.

So my psuedo commands now comprise (some of which may no longer be unique/useful)
v3.01 My pseudo OpenVPN server directive
Code:
staticip
        # This client will be assigned a static IP Assign static I/P xxx.xxx.xxx.nnn (Normally xxx.xxx.xxx=10.8.0 for VPN Server 1, and xxx.xxx.xxx=10.16.0 for VPN Server 2)
        # e.g. staticip .22
I doubt anyone would guess/use many of these!
Code:
allowip
    # List of ALLOWED (ACL) remote IP addresses (Probably not useful for non-static WAN e.g. mobile devices?)
    # e.g. allowip xxx.xxx.xxx.xxx [...]
 
blockip
    # List of BLOCKED remote IP addresses (Probably not useful for non-static WAN e.g. mobile devices?)
    # e.g. blockip xxx.xxx.xxx.xxx [...]

allowperiod
    # List of avail periods hh:59-hh:mm,prime - Check on initial connection only i.e. Client is not kicked off at period end.
    # e.g. allowperiod 07:59-17:00

restrictperiod
    # List of restricted times hh:mm-hh:mm,online,overnight - Check on initial connection only
    # e.g. restrictperiod 00:59-05:00

passthru                                        
    # This client will 'pass-thru' the router and use the VPN client specified
    # e.g. pass-thru 2
 
wol
    # This client is allowed to issue WOL commands to LAN devices i.e. ensure NAS/Media Sever etc. is UP
    # e.g. wol xx:xx:xx:xx:xx:xx
    #      wol xxx.xxx.xxx.xxx
 
forcedns                                        
    # This client cannot override the pushed DNS
    # e.g. forcedns 10.0.0.254

lanonly                                         
    # This client cannot passthru outbound via the WAN or any VPN Client tunnel; only LAN resources are accessible
    # v384.xx Partially superceded by 'Client will use VPN to access=LANONLY' GUI option"
    # e.g. both NAS servers, both PS3s, Rasp Pi and ALL cameras
    # lanonly 10.88.8.195 10.88.8.197 10.88.8.142-10.88.8.143 10.88.8.126 CAMERAS

wanonly                                         
    # This client cannot access the LAN; only WAN is accessible
    # v384.xx Implements 'Client will use VPN to access=INTERNETONLY' GUI option" for ALL clients
 
Last edited:

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top