VPN Routing Question. VPN over VPN


mcmax

Hi all,

I am trying to implement an OpenVPN connection through 2 VPNs but am having difficulties setting it up properly in order to be able to access the entire network from the outside world.

Let's call the networks Home and Work. So, I have two routers both running Merlin builds (Home R and Work R). Work R has an OpenVPNServer running (Work VPN) while Home R has both an OpenVPNClient (Work C) connecting to Work VPN and an OpenVPNServer Home VPN. From within the Home LAN I am perfectly able to connect to the LAN clients of the Work R by their IP, but while having the VPN connection established from the outside (Home C) to the Home VPN, I am not able to reach the Work R LAN clients. I am assuming a routing issue to route the packets from 10.9.0.0/24 clients to 192.168.2.0/24 over the 10.8.0.1 gateway but cannot figure it out by myself. What is wrong and what corrective actions have to be executed in order to make it work?

Thank you very much for your help.
------------------

What I want is:
Home C -> Home VPN/Work C -> Work VPN -> Work LAN


Work R Details
Static Public IP: Work IP
Work VPN Server IP: 10.8.0.1 (10.8.0.0/24); Push LAN to clients=true
Work R internal IP: 192.168.2.1 (192.168.2.0/24)

Home R Details
Static Public IP: Home IP
Home VPN Server IP: 10.9.0.1 (10.9.0.0/24); Push LAN to clients=true
Work VPN Client IP: 10.8.0.2
Home R internal IP: 192.168.1.1 (192.168.1.0/24)

Work VPN client policy rules:
escape : 192.168.1.1 0.0.0.0 WAN
R1 Site: 0.0.0.0 192.168.2.0/24 VPN
Internet: 0.0.0.0 0.0.0.0 WAN
r4: 10.9.0.0/24 192.168.2.0/24 VPN

Routing table of Home R:
# netstat -r
Kernel IP routing table
Destination   Gateway   Genmask          Flags MSS Window irtt Iface
Home IP       *         255.255.255.255  UH    0   0      0    eth0
Modem IP      *         255.255.255.252  U     0   0      0    eth0
169.254.39.0  *         255.255.255.0    U     0   0      0    br0    (<- what is that and why do I have it?)
10.8.0.0      *         255.255.255.0    U     0   0      0    tun11
192.168.1.0   *         255.255.255.0    U     0   0      0    br0
10.9.0.0      *         255.255.255.0    U     0   0      0    tun21
127.0.0.0     *         255.0.0.0        U     0   0      0    lo
default       ModemIP   0.0.0.0          UG    0   0      0    eth0

also on Home R:
# ip rule
0: from all lookup local
1001: from 192.168.1.1 lookup main
1101: from all to 192.168.2.0/24 lookup ovpnc1
1102: from 10.9.0.0/24 to 192.168.2.0/24 lookup ovpnc1
32766: from all lookup main
32767: from all lookup default
 
check the weightages of the routes.
For each router it should look like this -
LAN weightage 0
vpn weightage 1
internet weightage 2

Only NAT for internet and not the other routes.
modem doesn't matter, only the router which will see 3 interfaces, LAN, vpn and WAN. Each client will have only 1 route and that is 0.0.0.0/0 with their respective router as the gateway.

The problem sounds like it could be weightage or conflict or NAT.

You also need to decide which router is the server which is client as that determines the IP and route for vpn. You should have the router server assign the same ip address always.

This problem is the same with having 2 routers on the same network in order to route between them. It's really simple as each router will treat the other as a gateway for their respective network.
 
Hi SEM,

thanks a lot for your answer.

> check the weightages of the routes.
> For each router it should look like this -
> LAN weightage 0
> vpn weightage 1
> internet weightage 2

How could I check and adjust it?

> Only NAT for internet and not the other routes.
> modem doesn't matter, only the router which will see 3 interfaces, LAN, vpn and WAN. Each client will have only 1 route and that is 0.0.0.0/0 with their respective router as the gateway.

Confirming default routes are pointing to the respective WAN interfaces on all devices (Work R, Home R, 10.9.0.2 Client), which, I assume, is correct since no Internet traffic will be routed through the VPN.

Currently there are only the following rules on Home Router set:
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target      prot opt source          destination
ACCEPT      tcp  --  anywhere        anywhere        tcp dpt:https
VSERVER     all  --  anywhere        Home IP
DNSFILTER   udp  --  192.168.1.0/24  anywhere        udp dpt:domain
DNSFILTER   tcp  --  192.168.1.0/24  anywhere        tcp dpt:domain

Chain POSTROUTING (policy ACCEPT)
target      prot opt source          destination
MASQUERADE  all  --  192.168.1.0/24  anywhere
MASQUERADE  all  --  !Home IP        anywhere        (<- why is there a question mark? What does it mean?)
MASQUERADE  all  --  192.168.1.0/24  192.168.1.0/24
...

> The problem sounds like it could be weightage or conflict or NAT.

> You also need to decide which router is the server which is client as that determines the IP and route for vpn. You should have the router server assign the same ip address always.

Well, each of the routers is supposed to serve as the gateway for its own LAN. In terms of VPN: Work R is the server for the 10.8.0.0/24 network and the Home R is the client for this net. Furthermore Home R is the server for the 10.9.0.0/24 VPN network and my Laptop is the client of it. Routers are not supposed to route the internet traffic through the VPN, that is why the policy based routing is set up on the Home R as described in my first post. What else would be required?


> This problem is the same with having 2 routers on the same network in order to route between them. It's really simple as each router will treat the other as a gateway for their respective network.

Once on the LAN of the Home R I have no issues accessing the LAN clients of the Work R, so at this point the routing seems to work as expected. But once I am dialing in via VPN to Home R, I am no longer able to reach the Work R, not even the 10.8.0.1 (Work R VPN Server IP) is accessible, meaning there is an issue redirecting the incoming VPN traffic to the correct network. My understanding was that setting up the correct routing policy for the Home R VPN Client (R1 Site or r4) would solve the problem, but no success.

Any help is appreciated.

max
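Added example, not code from the thread or from Asuswrt-Merlin: a small model of Home R's ip rules and routing table from the posts above, plus the reply lookup on Work R with and without a return route for 10.9.0.0/24 (the route/iroute fix described later in the thread). The ovpnc1 table contents, the Work R tunnel interface name tun21, and the sample hosts 10.9.0.2 and 192.168.2.5 are assumptions.

```python
import ipaddress

# Home R "main" table copied from the netstat -r output above (host routes omitted).
# The ovpnc1 table is an ASSUMPTION: Merlin's policy-routing table for VPN client 1
# is taken to hold the pushed Work LAN route plus a default via the tunnel.
HOME_TABLES = {
    "main": [("10.8.0.0/24", "tun11"), ("192.168.1.0/24", "br0"),
             ("10.9.0.0/24", "tun21"), ("0.0.0.0/0", "eth0")],
    "ovpnc1": [("192.168.2.0/24", "tun11"), ("0.0.0.0/0", "tun11")],
}
# ip rule entries from the thread as (from, to, table); None means "all".
HOME_RULES = [("192.168.1.1/32", None, "main"),
              (None, "192.168.2.0/24", "ovpnc1"),
              ("10.9.0.0/24", "192.168.2.0/24", "ovpnc1"),
              (None, None, "main")]
# Work R main table reconstructed from the Work R details; tun21 is an assumed name
# for its server tunnel. Note there is no route for the Home VPN subnet 10.9.0.0/24.
WORK_MAIN = [("10.8.0.0/24", "tun21"), ("192.168.2.0/24", "br0"), ("0.0.0.0/0", "eth0")]
# The thread's fix: give the server a route back to the subnet behind its client
# (`route 10.9.0.0/24` in the server config adds this kernel route) together with
# `iroute 10.9.0.0/24` in that client's ccd file so OpenVPN knows which client owns it.
WORK_MAIN_FIXED = WORK_MAIN + [("10.9.0.0/24", "tun21")]

def lookup(table, dst):
    """Longest-prefix match of dst in one table; returns the egress interface or None."""
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None

def policy_route(rules, tables, src, dst):
    """Walk ip rules in priority order; the first rule whose table has a route wins."""
    for rsrc, rdst, name in rules:
        if rsrc and ipaddress.ip_address(src) not in ipaddress.ip_network(rsrc):
            continue
        if rdst and ipaddress.ip_address(dst) not in ipaddress.ip_network(rdst):
            continue
        iface = lookup(tables[name], dst)
        if iface:
            return name, iface
    return None, None

def round_trip(work_main, vpn_client="10.9.0.2", work_host="192.168.2.5"):
    """Egress on Home R for the request and on Work R for the reply (sample hosts)."""
    _, fwd = policy_route(HOME_RULES, HOME_TABLES, vpn_client, work_host)
    return fwd, lookup(work_main, vpn_client)
```

round_trip(WORK_MAIN) gives ('tun11', 'eth0'): the request enters the Work tunnel but Work R sends the reply to its WAN, so nothing comes back. round_trip(WORK_MAIN_FIXED) gives ('tun11', 'tun21'), the symmetric path the thread ends up with.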
 
> Don't do VPN over VPN...
why not? Theoretically, from a networking point of view, there should be no issue to route the traffic through different networks once set up correctly. Please correct me if I am wrong, but this is what the routers and the VPN have been made for. Performance is currently irrelevant.

Thanks

max
 
> why not? Theoretically, from a networking point of view, there should be no issue to route the traffic through different networks once set up correctly. Please correct me if I am wrong, but this is what the routers and the VPN have been made for. Performance is currently irrelevant.
>
> Thanks
>
> max

It's inefficient (packets within packets) and if you don't own/control all the machines in the path, it's extremely susceptible to Man in the Middle attacks.

So while it can be done, doesn't mean it should be done - it adds complexity in an area where complexity is not a good thing.
 
> It's inefficient (packets within packets) and if you don't own/control all the machines in the path, it's extremely susceptible to Man in the Middle attacks.
>
> So while it can be done, doesn't mean it should be done - it adds complexity in an area where complexity is not a good thing.

All nets are owned by me and due to the limited number of users I do not care about the performance or efficiency.

Anyway, I thought the setup over and decided to give the standard Server-Client setup a try. My intention was to access both LANs at the same time. According to the OpenVPN HOWTO, I would have to specify the "iroute" parameter for the Client. I succeeded in getting the correct routing by creating the custom client files (ccd1,...ccdn) as described by Merlin in his how-to and letting the vpnServer-router push the iroute parameter to the vpnClient-router. In addition the "push route" (for the vpnClient-router LAN) has to be specified on the vpnServer-router (can be done via the UI). Now, connecting to the VPN net from the outside I am able to access both LANs at the same time.

Thank you all for giving me the brain food.

max
 
> All nets are owned by me and due to the limited number of users I do not care about the performance or efficiency.

You should however be concerned with security - and that was my other concern voiced - anyway - it's only my informed and somewhat knowledgeable opinion - feel free to introduce any level of complexity you desire into your network.

It's all good...
 
