VPN Client to allow access to home network

[gjf]

Hi all.

From some time my home provider uses NAT so I have no "white IP" anymore.

However I am using Oracle Cloud VPS with OpenVPN-AS installed on it. "Using" means I connect all my portable devices to this VPN being in trip.

So my idea is to connect the router to the same VPN but limiting access to other VPN clients only with no internet access from router to VPN - because my home internet speed is much higher and much cheaper than Oracle ones.

So I have created a user on OpenVPN server named "router" with ability to connect to others and with a static IP:

Here 172.27.236.111 is static IP in OpenVPN client range (172.27.224.0/20) and 192.168.111.1/24 is network range of clients in my home network (where router acts as DHCP and DNS being 192.168.111.1).

Configuration file for OpenVPN client on my router is as follows:

cipher AES-256-CBC
setenv FORWARD_COMPATIBLE 1
client
server-poll-timeout 4
nobind
remote 130.xx.xx.xx 1194 udp
dev tun
dev-type tun
ns-cert-type server
setenv opt tls-version-min 1.0 or-highest
reneg-sec 604800
sndbuf 0
rcvbuf 0
auth-user-pass
comp-lzo no
verb 3
setenv PUSH_PEER_INFO
pull-filter ignore redirect-gateway

<ca>
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
MII...
-----END PRIVATE KEY-----
</key>

key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
1f9b...
-----END OpenVPN Static key V1-----
</tls-auth>

I have tested this configuration using computer: and I can connect from my PC to smartphone and vice versa, at the same time whatismyip.org shows internet connection from PC and smartphone are different - so it looks like everything works!
Then I transfered the file to router and started OpenVPN client. It connects succesfully internet was still "router's" not "Oracles's" one for all my home devices - but I cannot connect to router from other VPNed clients!
I've tried both SSH and WebGUI connection, I have changed parameters to be able to connect both from WAN&LAN, I've tried both 192.168.111.1 (home IP for router) and 172.27.236.111 (VPN IP for router) - nothing helped!

So my question: why?

What I have to change to make what I want?

 

[eibgrad]

I have to admit, I must had read this post a dozen times before I *think* I understood the problem. Best I can tell, you want both your router and other devices on the internet side of your WAN to act as OpenVPN clients to the OpenVPN server hosted on the VPS. And now you're wondering why those devices on the internet side of the WAN can't access your router, either via the router's OpenVPN client IP or LAN ip.

Assuming I have this right, realize that from the perspective of the devices on the internet side of the WAN, those clients need site-to-site access from the OpenVPN server and across the tunnel into the router's OpenVPN client. And that requires some additional configuration (minimally route and iroute directives), as described in the following link.

https://community.openvpn.net/openvpn/wiki/RoutedLans

What complicates matters for me is that you're using OpenVPN AS rather than OpenVPN. The former hides some of the details of what's actually being generated in terms of the OpenVPN server config file. And I since I don't use OpenVPN AS, I'm unfamiliar w/ using it for the purposes of a site-to-site config. I more used to manually configuring site-to-site. So I'm a bit limited in helping you. But hopefully that link will provide some guidance.

 

[eibgrad]

P.S. One other thing. The router and devices on the internet side of the WAN can NOT be using the same OpenVPN client configuration, since the router is site-to-site wrt the OpenVPN server, while the devices on the internet side of the WAN are NOT. I got the impression from your post that in fact you *are* trying to use the router's OpenVPN client configuration for every OpenVPN client.

 

[gjf]

Thank you for your answer. In fact I found out the decision but I would like to share my findings because it looks like router's behaviour is different from other approaches.

I want to try to clarify the situation more. Please look on this picture:

So the task is:
1. Network A and Network B should see one each other.
2. Network A should have internet access through Router, not VPN.
3. Network B should have internet access (does not matter how really).
4. Router acts as gateway, DHCP and DNS for Network A.

I know - this is disadvantage of OpenVPN-AS, but it is really the easier thing to work in Oracle Cloud.
And I cannot use the same client configuration for all clients for sure. That's why router's one includes:

pull-filter ignore redirect-gateway

I have added it by myself. So after that I can assign correct routes using route commands in client config.
Because it works: here is OpenVPN client log for all clients: look into attached client.txt.

And this is how it looks like for the router: look into attached router.txt.

As you can see default route command from VPN server are ommited for the router.

So now I need to add appropriate push route commands only in router's client config:

route 172.27.224.0 255.255.240.0

And - voila!

What makes me a headache - a different approach in router OpenVPN client and Windows/Android clients. Later has TAP interface that is set to correct netmask already:

Sun Feb 14 15:20:24 2021 Set TAP-Windows TUN subnet mode network/local/netmask = 172.27.236.0/172.27.236.111/255.255.252.0 [SUCCEEDED]
Sun Feb 14 15:20:24 2021 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.27.236.111/255.255.252.0 on interface {E724CDB6-830E-4BC2-9B76-5716FF2297AA} [DHCP-serv: 172.27.239.254, lease-time: 31536000]

So there is no need in any additional route commands. But the router does not have such interface - and route have to be added manually.

Sometimes it is better to sleep a night and to drink some Irish Coffee to find a solution.

Now I have what I want - it is free of charge and I can say kiss my butt to all keendns and similar low speed and buggy solutions!

 

[gjf]

With the latest Merlin updates introducing VPN Director all above mentioned were broken.
I believe the following will solve the problem, but being at home cannot test it yet:


If somebody has any idea on this - it will be of use.