Client Connected to OpenVPN Server Cannot Ping LAN Devices

Brenneke

Regular Contributor
I have OpenVPN server set up on my RT-AC68U:

Router 192.168.2.1

Server 1
Both
TUN TCP 443

Server 2
Both
TUN UDP 1195

I can connect successfully to both servers with my Android phone from outside the network. (WiFi or mobile data)

When connected from outside the network to either server:
I can log onto router
I can access the internet
I can ping 192.168.2.1 using Nmap on phone
I cannot ping any devices connected to my router

I have also tried setting up the servers as TAP (using an Android VPN client app with TAP support) but can see that this will be too slow to do anything with. I achieved the same results as above with TAP.

Please help me with what I need to do to make this work. My network knowledge is limited but things are slowly percolating through after much reading.

Thank you.
 
I am following instruction from here:
https://community.openvpn.net/openv...tionalmachinesoneithertheclientorserversubnet.
(Expanding the scope of the VPN to include additional machines on either the client or server subnet)

I am assuming my OpenVPN server and the LAN gateway are different machines. I am interested in accessing devices that are Ethernet-connected to my router at addresses 192.168.2.82 and 192.168.2.5.
1) How do I set up a route on the server side gateway to route the VPN client subnet (10.8.0.0/24) to the OpenVPN server?
2) How can I enable IP and TUN/TAP forwarding on my Asus router?

Thank you.
 
Make sure you are using the OpenVPN for Android from Arne Schwabe. Other clients do not work well.
 
OK, found the IP forwarding information. I ran this and it is set to 1.
Code:
cat /proc/sys/net/ipv4/ip_forward

Could someone please help me with this statement?
'Next, you must set up a route on the server-side LAN gateway to route the VPN client subnet (10.8.0.0/24) to the OpenVPN server (this is only necessary if the OpenVPN server and the LAN gateway are different machines).'
1) Am I understanding correctly that this applies to my situation?
2) Do I also use push route in the config to achieve this, and what numbers do I use?
 
OpenVPN server set up:
General
Client will use VPN to access - Both
Advanced Settings
Change the Server Port to other than 1194, 443, 80, 8080
Username/Password Authentication - Yes
Username / Password Auth. Only - Yes
Advertise DNS to clients - Yes

And that should be enough to get it to work. Yes, you can change other settings but for beginners use a simple setup.

And use the client I recommended before and import the settings from the file you exported from OpenVPN Server.
 
I am not doubting you and appreciate your help and advice but I meet all above criteria with my Server 2 except:

'Username / Password Auth. Only - Yes'
'And use the client I recommended'

Would these two recommendations not just affect connection to the server? Setting Auth. to user/pass only is less secure is it not?

I found this explanation below written in language that I can better understand than most written in network-speak - would I not need to 'add a route' and if so how and where?

'All of your internal servers on the 192.168.1.0 range use 192.168.1.254 as default gateway for connection to the internet.
However, any traffic from a VPN client will be coming from IP 10.8.0.x through 192.168.1.10 and needs to route back through 192.168.1.10 to traverse the tunnel, and NOT through 192.168.1.254.
Therefore 192.168.1.11 and 192.168.1.12 need to have a route in their routing table to tell them to send traffic from 10.8.0.x back to 192.168.1.10.
To test this, try pinging a connected client from .11 or .12. You will find they can't, until you add a route telling them to send traffic via 192.168.1.10.'
 
Could someone please help me with this statement?
'Next, you must set up a route on the server-side LAN gateway to route the VPN client subnet (10.8.0.0/24) to the OpenVPN server (this is only necessary if the OpenVPN server and the LAN gateway are different machines).'
1) Am I understanding correctly that this applies to my situation?
2) Do I also use push route in the config to achieve this, and what numbers do I use?
You do not need to do any of this because the VPN server is running on the LAN gateway device (the router).
 
I am not doubting you and appreciate your help and advice but I meet all above criteria with my Server 2 except:

'Username / Password Auth. Only - Yes'
'And use the client I recommended'

Would these two recommendations not just affect connection to the server? Setting Auth. to user/pass only is less secure is it not?

I found this explanation below written in language that I can better understand than most written in network-speak - would I not need to 'add a route' and if so how and where?

'All of your internal servers on the 192.168.1.0 range use 192.168.1.254 as default gateway for connection to the internet.
However, any traffic from a VPN client will be coming from IP 10.8.0.x through 192.168.1.10 and needs to route back through 192.168.1.10 to traverse the tunnel, and NOT through 192.168.1.254.
Therefore 192.168.1.11 and 192.168.1.12 need to have a route in their routing table to tell them to send traffic from 10.8.0.x back to 192.168.1.10.
To test this, try pinging a connected client from .11 or .12. You will find they can't, until you add a route telling them to send traffic via 192.168.1.10.'
And, are you using the Android client I recommended? Other clients just do not work!
Just trying to keep things simple and know what works for me. Besides my home network there are a couple of remote networks at a not-for-profit I manage over OpenVPN on Asus routers. About the only change I make is to the server port as plenty of web criminals will try to hack the OpenVPN on the standard port.
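The return-route rule discussed above (a route on each LAN host is needed only when the OpenVPN server and the LAN gateway are different machines) can be followed step by step. The Python below is an added example, not code from this thread, from OpenVPN or from the router firmware; it models one ping from a VPN client to a LAN host with longest-prefix-match lookups on the routing tables involved. Both scenarios are constructed: the quoted explanation's LAN (default gateway 192.168.1.254, OpenVPN server 192.168.1.10, hosts .11/.12) and the original poster's LAN (192.168.2.1 is both gateway and server). The client address 10.8.0.6, the interface names br0/tun21 and the WAN next hop 203.0.113.1 are assumptions.

```python
"""Return-path model for the 'VPN client can ping the router but not LAN
hosts' symptom.  Added example, not code from the thread, OpenVPN or the
router firmware.  Two constructed scenarios: the quoted explanation's LAN
(default gateway 192.168.1.254, OpenVPN server 192.168.1.10) and the
original poster's LAN (192.168.2.1 is both gateway and OpenVPN server).
Client address 10.8.0.6, interface names br0/tun21 and the WAN next hop
203.0.113.1 are assumptions."""
import ipaddress

VPN_NET = "10.8.0.0/24"        # OpenVPN client subnet from the thread


def next_hop(table, dst):
    """Longest-prefix-match lookup.  `table` is a list of (network, via);
    `via` is a gateway address or, for a directly connected network, the
    interface name."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, via in table:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return None if best is None else best[1]


def ping_round_trip(server, host, host_ip, client_ip, ip_forward=1):
    """Follow one echo request from a VPN client to a LAN host and the
    reply back.  `server` describes the machine running OpenVPN:
    {'table', 'lan' (LAN interface), 'lan_ip', 'tun'}; `host` is the LAN
    device: {'table'}.  Returns (ok, reason)."""
    # 1. The request comes in on tun; the kernel must be allowed to
    #    forward it (what /proc/sys/net/ipv4/ip_forward = 1 controls).
    if not ip_forward:
        return False, "OpenVPN machine has ip_forward=0"
    # 2. The OpenVPN machine must see the LAN host as directly connected.
    if next_hop(server["table"], host_ip) != server["lan"]:
        return False, "OpenVPN machine has no LAN route to the host"
    # 3. The host answers 10.8.0.x using its own routing table.  The reply
    #    only re-enters the tunnel if that lookup hands it to the machine
    #    running OpenVPN, not to some other default gateway.
    hop = next_hop(host["table"], client_ip)
    if hop != server["lan_ip"]:
        return False, f"LAN host sends the reply to {hop}, not to the OpenVPN server"
    # 4. Back on the OpenVPN machine the client subnet must map to tun.
    if next_hop(server["table"], client_ip) != server["tun"]:
        return False, "OpenVPN machine has no route for the client subnet to tun"
    return True, "reply returns through the tunnel"


# Scenario A (quoted explanation): OpenVPN on .10, default gateway .254.
LAN_A = "192.168.1.0/24"
SERVER_A = {"table": [(LAN_A, "br0"), (VPN_NET, "tun21"), ("0.0.0.0/0", "192.168.1.254")],
            "lan": "br0", "lan_ip": "192.168.1.10", "tun": "tun21"}
HOST_A = {"table": [(LAN_A, "eth0"), ("0.0.0.0/0", "192.168.1.254")]}
HOST_A_FIXED = {"table": HOST_A["table"] + [(VPN_NET, "192.168.1.10")]}  # route added

# Scenario B (original poster): OpenVPN on the gateway 192.168.2.1 itself.
LAN_B = "192.168.2.0/24"
ROUTER_B = {"table": [(LAN_B, "br0"), (VPN_NET, "tun21"), ("0.0.0.0/0", "203.0.113.1")],
            "lan": "br0", "lan_ip": "192.168.2.1", "tun": "tun21"}
HOST_B = {"table": [(LAN_B, "eth0"), ("0.0.0.0/0", "192.168.2.1")]}

if __name__ == "__main__":
    print("A, no route:   ", ping_round_trip(SERVER_A, HOST_A, "192.168.1.11", "10.8.0.6"))
    print("A, route added:", ping_round_trip(SERVER_A, HOST_A_FIXED, "192.168.1.11", "10.8.0.6"))
    print("B (poster):    ", ping_round_trip(ROUTER_B, HOST_B, "192.168.2.82", "10.8.0.6"))
```

In scenario A the host hands its reply to 192.168.1.254 until it gets a route for 10.8.0.0/24 via 192.168.1.10, exactly the failure the quoted text describes. In scenario B the host's default gateway already is the OpenVPN machine, so the model succeeds without any extra route, which agrees with the reply that no route is needed on the poster's setup. Whatever is still blocking the pings there lies outside this model, for example the client not installing the pushed LAN route, or a firewall on the LAN device itself dropping traffic from a non-local subnet.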
 
I agree with the advice you've been given: it isn't complicated, it will work with nothing fancy, but you can't use the official android client.

Also, just because you can reach the internet doesn't mean you are reaching it over the tunnel. The client could be changing that, so it could also be compression.

You might post the exported client here.
 
I've never had a problem using the official OpenVPN app for Android. Obviously it doesn't support TAP connections but TUN works fine.
 
Slightly off point for the OP, but the Schwabe version works nifty for Android-enabled Chromebooks, but not the official one.
 
And, are you using the Android client I recommended? Other clients just do not work!
Just trying to keep things simple and know what works for me. Besides my home network there are a couple of remote networks at a not-for-profit I manage over OpenVPN on Asus routers. About the only change I make is to the server port as plenty of web criminals will try to hack the OpenVPN on the standard port.
I have been using Open VPN Client Pro for quite some time and really like it.

https://play.google.com/store/apps/details?id=it.colucciweb.vpnclientpro

I will follow all your recommendations (app included) and report back - thank you.
 
I agree with the advice you've been given: it isn't complicated, it will work with nothing fancy, but you can't use the official android client.

Also, just because you can reach the internet doesn't mean you are reaching it over the tunnel. The client could be changing that, so it could also be compression.

You might post the exported client here.

When connected to internet through my server I am verifying that I am getting my server IP and not IP from mobile data or other WiFi network.
By "exported client" do you mean exported config file from my server?

Thank you.
 
By "exported client" do you mean exported config file from my server?
Yes. I'm assuming you exported the client configuration file from the router, and then imported it into Open VPN Client Pro without changes. The "Both" setting means that the server will both push a route to your LAN and will reset the default gateway on the Android device when/while the Tunnel is up.

I see there seems to be a reasonable amount of support at the website for that client, and that it does have options for ignoring the route pushed by the server. Is it possible you invoked one of those options?

https://www.colucci-web.it/forum/viewtopic.php?f=7&t=407
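Since the question above is whether the client was told to ignore what the server pushes, here is an added example (not code from the thread, the router firmware or either Android app) that parses an exported client profile and reports whether the pushed LAN route, the redirect-gateway and the pushed DNS server would survive the client's own route-nopull and pull-filter directives, following OpenVPN's documented rules for those two options. The profiles are constructed; vpn.example.net, the certificate placeholder and the exact pushed lines are assumptions about what a "Both" export produces.

```python
"""Check an exported OpenVPN client profile for options that would make the
client discard what the server pushes.  Added example, not code from the
thread, the router firmware or any client app.  Profiles below are
constructed; vpn.example.net, the certificate placeholder and the pushed
lines are assumptions (the LAN 192.168.2.0/24 matches the thread)."""
import shlex


def parse_ovpn(text):
    """Return [(directive, [args...])], skipping comments and the contents
    of inline <ca>/<cert>/<key>/<tls-auth> blocks."""
    opts, inline = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if inline is not None:              # inside <tag> ... </tag>
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            inline = line[1:-1]
            continue
        parts = shlex.split(line)           # keeps quoted pull-filter text as one arg
        opts.append((parts[0], parts[1:]))
    return opts


# Option classes that --route-nopull stops the client from accepting.
ROUTE_NOPULL_BLOCKED = ("route", "route-ipv6", "redirect-gateway",
                        "dhcp-option", "block-outside-dns")


def client_applies(opts, pushed):
    """Would a client with these options apply the pushed line `pushed`
    (e.g. 'route 192.168.2.0 255.255.255.0')?  route-nopull drops the
    routing/DNS classes outright; pull-filter rules are tried in order and
    the first prefix match decides (accept keeps it, ignore/reject drop it)."""
    if any(d == "route-nopull" for d, _ in opts):
        if pushed.split()[0] in ROUTE_NOPULL_BLOCKED:
            return False
    for d, args in opts:
        if d == "pull-filter" and len(args) == 2 and pushed.startswith(args[1]):
            return args[0] == "accept"
    return True


def check_profile(text, lan="192.168.2.0 255.255.255.0", dns="192.168.2.1"):
    """Summarise what the profile lets the server set on this client."""
    opts = parse_ovpn(text)
    return {
        "dev": next((a[0] for d, a in opts if d == "dev"), None),
        "proto": next((a[0] for d, a in opts if d == "proto"), None),
        "lan_route_kept": client_applies(opts, f"route {lan}"),
        "default_gw_redirected": client_applies(opts, "redirect-gateway def1"),
        "dns_kept": client_applies(opts, f"dhcp-option DNS {dns}"),
    }


# Constructed profiles (placeholder certificate, assumed hostname).
BASE = """\
client
dev tun
proto udp
remote vpn.example.net 1195
resolv-retry infinite
nobind
remote-cert-tls server
auth-user-pass
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
"""
NOPULL = BASE + "route-nopull\n"
FILTERED = BASE + ('pull-filter accept "route 192.168.2.0"\n'
                   'pull-filter ignore "route"\n'
                   'pull-filter ignore "redirect-gateway"\n')

if __name__ == "__main__":
    for name, profile in (("clean export", BASE), ("route-nopull", NOPULL), ("pull-filter", FILTERED)):
        print(name, check_profile(profile))
```

A clean export keeps everything; route-nopull silently drops the LAN route, the default-gateway change and the pushed DNS server while the tunnel still comes up and the router itself stays reachable through tun, which is the symptom in the thread. The pull-filter profile shows the finer control: it keeps only the 192.168.2.0 route and refuses the redirect-gateway.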
 
And, are you using the Android client I recommended? Other clients just do not work!
Just trying to keep things simple and know what works for me. Besides my home network there are a couple of remote networks at a not-for-profit I manage over OpenVPN on Asus routers. About the only change I make is to the server port as plenty of web criminals will try to hack the OpenVPN on the standard port.
Installed OpenVPN for Android 0.7.15.
Set up Server 1 TCP 8443, server 2 UDP 1195 using exported files from router. (all recommended settings on both servers)
Was in town today and tested on mobile data:
Connected immediately on each server and confirmed internet connectivity.
I could ping my router IP 192.168.2.1 and access my router GUI but could not unfortunately ping any device connected to my router. (both servers tested)
ColinTaylor suggested to test with VPN clients on router disabled, I did try this before but will try again with this setup tomorrow.
Please reply with any other suggestions - thank you.
 

Attachments

  • client1.txt (1.8 KB)
  • client2.txt (1.8 KB)
