Can't access hosts through OpenVPN

untarded

I've created a vpn connection and the client connects successfully but I can't access the target hosts. I can access the hosts while I'm connected locally on the lan.

The router is 192.168.1.1/255.255.255.0
The vpn is 10.8.0.0/255.255.255.0

The target host is a web app at 192.168.1.160 (on eth0). It has a second static ip of 10.8.0.10 (on eth0:1).

I'm only able to access it on the lan at the 192 network.

Any ideas?
 

Local LAN 192.168.1.* --> OpenVpn (10.8.0.*) --> Remote 192.168.1.*

won't work, i.e. the local and remote LANs must be on different subnets.

So if you change your local LAN to something unique (may be best to use a 10.xxx.xxx.* as you have a better chance of being unique, but don't use 10.8.0.* :D)

Local LAN 192.168.123.* --> OpenVpn (10.8.0.*) --> Remote 192.168.1.*
should work.

If the local LAN subnet is different to the remote LAN subnet and you are sure that VPN has connected successfully, then chances are the firewall on the target host 192.168.1.160 is rejecting the 10.8.0.10 access.
(To prove this you could temporarily set up a potentially insecure PPTP connection and see if you can successfully access the remote host - PPTP usually assigns an I/P address on the same subnet as the remote host so its firewall will usually accept the PPTP subnet connection).
 
Thanks Martineau. I think I may have explained my setup poorly.

I set up an openvpn server with a subnet of 10.8.0.0. My regular lan is on subnet 192.168.1.0. Got your point of changing those :D

One of my hosts on the lan is a web app at a static address 192.168.160. I also assigned it a second static ip of 10.8.0.11 so that some colleagues can connect remotely via the vpn and access it (on the 10.8.0.0 subnet). I can access it on the local lan (192.168.xxx) but when I connect to the vpn from my cell (wifi off) browsing to 10.8.0.11 times out.

My objective is to create a private subnet of a few build/continuous integration servers for a small remote team of software developers.

I'm thinking best practice would be to keep it on a separate subnet?
 

Apologies, I did indeed misinterpret your multihomed topology :confused:

Presumably, when connected via the VPN server, browsing to 192.168.1.160 works?

But I would agree, use a cheap second router and hang all the developer kit off that with their own subnet, then simply add a static route entry into the LAN->Route tab :D
 

This doesn't work either. My understanding is that this shouldn't work as the vpn is granting access to resources on the 10.8.* subnet. Is my understanding incorrect?
 

I would have to say unfortunately yes in this situation :eek:


Here is what is shown in the syslog, when I connect to my VPN server using a phone:

Code:
MULTI: Learn: 10.8.0.6 -> SGS5_FONE/zzz.zzz.zzz.zzz:ppppp
MULTI: primary virtual IP for SGS5_FONE/zzz.zzz.zzz.zzz:ppppp: 10.8.0.6
PUSH: Received control message: 'PUSH_REQUEST'
send_push_reply(): safe_cap=940
SENT CONTROL [SGS5_FONE]: 'PUSH_REPLY,route xxx.xxx.xxx.0 255.255.255.0,route 10.8.0.1,topology net30,ping 15,

You can see that a route is automatically added for the 10.8.0.* subnet to (all devices on) my local LAN xxx.xxx.xxx.* - which isn't 10.8.0.* nor is it 192.168.1.*!

This is the whole point about using the VPN server; it makes (secure) remote connections appear as if they were locally attached to the LAN!
 
Thanks.

I removed the second static ip (10.8.0.11) from the host with the web app and can now access it over the vpn remotely.
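
An added example, not part of the thread: a small Python model of the routing decisions discussed above, covering Martineau's overlapping-LAN case and the multihomed host from the last post. It assumes the host picks the longest connected prefix for its reply and that the router at 192.168.1.1 is both the VPN server and the default gateway; the function names and the PUSH_REPLY sample are constructed for illustration.

```python
import ipaddress as ipa

def pushed_routes(push_reply):
    """Parse 'route <net> [<mask>]' options out of an OpenVPN PUSH_REPLY string."""
    nets = []
    for opt in push_reply.split(","):
        f = opt.split()
        if len(f) >= 2 and f[0] == "route":
            mask = f[2] if len(f) > 2 else "255.255.255.255"  # OpenVPN's default netmask
            nets.append(ipa.ip_network(f"{f[1]}/{mask}", strict=False))
    return nets

def reply_path(host_addrs, gateway, peer):
    """Next hop the target host picks for its reply to `peer` (longest connected prefix wins)."""
    peer = ipa.ip_address(peer)
    onlink = [i for i in map(ipa.ip_interface, host_addrs) if peer in i.network]
    if onlink:
        return "on-link via " + str(max(onlink, key=lambda i: i.network.prefixlen))
    return "gateway " + gateway

def diagnose(client_lan, push_reply, target, host_addrs, gateway, client_vpn_ip):
    """Return a list of routing problems for one client/target pair (empty list = ok)."""
    findings = []
    target_ip = ipa.ip_address(target)
    if target_ip in ipa.ip_network(client_lan):
        findings.append("client LAN overlaps target subnet: request never enters the tunnel")
    if not any(target_ip in r for r in pushed_routes(push_reply)):
        findings.append("no pushed route covers the target")
    path = reply_path(host_addrs, gateway, client_vpn_ip)
    if path.startswith("on-link"):
        findings.append(f"reply to {client_vpn_ip} goes {path}, not back through {gateway}")
    return findings

# Constructed sample: the thread's PUSH_REPLY shape with its masked LAN filled in as 192.168.1.0.
PUSH = "PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 10.8.0.1,topology net30,ping 15"
ROUTER, PHONE = "192.168.1.1", "10.8.0.6"  # router from the first post, client IP from the syslog

if __name__ == "__main__":
    cases = {
        "second IP in tunnel subnet": ["192.168.1.160/24", "10.8.0.11/24"],
        "second IP removed": ["192.168.1.160/24"],
    }
    for name, addrs in cases.items():
        result = diagnose("192.168.123.0/24", PUSH, "192.168.1.160", addrs, ROUTER, PHONE)
        print(name, "->", result or "ok")
```

With the 10.8.0.11 alias present, the host treats the VPN client's 10.8.0.6 as a directly attached neighbour and never hands the reply to the router, which matches the timeout described and the fix reported.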
 
