Configuring tun openvpn to route/assign ip from lan subnet


stretch

Occasional Visitor
I have a router running Asus Merlin and have set up a TUN OpenVPN server on it. Clients are able to connect and ping LAN clients etc. However, one of my LAN devices will only accept connections from devices that are on the same LAN subnet, i.e. 192.168.1.0/24, so from a VPN-connected client on the 10.8.0.0 subnet this fails. What I need is for the OpenVPN client to have a static IP on the same subnet as the LAN, and it must also be pingable from other LAN devices. So basically I need TAP but using TUN. TAP is not an option due to using the Android client.

Router lan ip: 192.168.1.1
Openvpn subnet: 10.8.0.0

custom client config
ifconfig-push 192.168.1.241 255.255.255.0

I believe I'm missing a "route".


 
Last edited:

ColinTaylor

Part of the Furniture
So do you mean

Code:
iptables -t nat -A POSTROUTING -s 192.168.1.241/32 -o br0 -j MASQUERADE
No. The client's real address is NATed to 10.8.0.x so the source address isn't 192.168.1.241. You need to MASQUERADE or SNAT the client's 10.8.0.x address (and remove your ifconfig-push).

The example I linked to would masquerade all client addresses so that they appear to be coming from the router itself (e.g. 192.168.1.1). If you only want to do this for one client you would use SNAT on its 10.8.0.x address rather than MASQUERADE.
 

ColinTaylor

Part of the Furniture
How have you configured the server to handle this specific client? You need for it to have a fixed IP address (10.8.0.?) so that you can differentiate it from any other client. Once you know this address you can create the iptables rule.
 

stretch

Occasional Visitor
OK, so if I don't do

custom client config
ifconfig-push 192.168.1.241 255.255.255.0

it gets the address 10.8.0.2
 

ColinTaylor

Part of the Furniture
it gets the address 10.8.0.2
Yes, but that's a dynamic address. It's just picked up the first available address in the pool. If another client had connected before it, it would have got that address and your client would have got 10.8.0.3.

Search the forum for posts regarding assigning fixed IP addresses to VPN clients. I can't remember the details myself.
 

stretch

Occasional Visitor
Yes, I can assign a fixed one, no problem. I just need to know what the SNAT iptables rule you mentioned is.
 
Last edited:

ColinTaylor

Part of the Furniture
As a test try this:

Code:
iptables -t nat -I POSTROUTING -s 10.8.0.2 -o br0 -j SNAT --to 192.168.1.241

Where 192.168.1.241 is a free address that's not in your local DHCP pool.

I don't know whether that will work.
 
Last edited:

ColinTaylor

Part of the Furniture
EDIT: Just realised the above won't work unless there is a network interface on the router with the IP address of 192.168.1.241. So,

Code:
ifconfig br0:0 192.168.1.241 netmask 255.255.255.0

Just tested this on my router and it works.
 

stretch

Occasional Visitor
No, it doesn't work.

Code:
ping 10.8.0.2 -t


Pinging 10.8.0.2 with 32 bytes of data:
Reply from 10.8.0.2: bytes=32 time=63ms TTL=63
Reply from 10.8.0.2: bytes=32 time=52ms TTL=63


Ping statistics for 10.8.0.2:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 52ms, Maximum = 63ms, Average = 57ms

ping 192.168.1.241 -t


Pinging 192.168.1.241 with 32 bytes of data:
Reply from 192.168.1.59: Destination host unreachable.
Reply from 192.168.1.59: Destination host unreachable.


Ping statistics for 192.168.1.241:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
 

stretch

Occasional Visitor
EDIT: Just realised the above won't work unless there is a network interface on the router with the IP address of 192.168.1.241. So,

Code:
ifconfig br0:0 192.168.1.241 netmask 255.255.255.0

Just tested this on my router and it works.
Oh yes, now that works!
 

stretch

Occasional Visitor
Is there any way to make it look like any traffic that comes from 10.8.0.2 appears to be coming from 192.168.1.241?
 

ColinTaylor

Part of the Furniture
Is there any way to make it look like any traffic that comes from 10.8.0.2 appears to be coming from 192.168.1.241?
That's what it's doing. You proved that when you could ping 192.168.1.241. I also checked this on a web server on my LAN.
 

stretch

Occasional Visitor
I've just checked and after doing

Code:
ifconfig br0:0 192.168.1.241 netmask 255.255.255.0

a non-VPN-connected LAN client can ping it without even adding the iptables rule.

After connecting the client from 10.8.0.2, 192.168.1.241 still pings but the latency doesn't go up, so all I'm doing is pinging the router interface.
 

ColinTaylor

Part of the Furniture
I've just checked and after doing

Code:
ifconfig br0:0 192.168.1.241 netmask 255.255.255.0

a non-VPN-connected LAN client can ping it without even adding the iptables rule.

After connecting the client from 10.8.0.2, 192.168.1.241 still pings but the latency doesn't go up, so all I'm doing is pinging the router interface.
Good point, hadn't thought about that.

But it does work for me. I connected the VPN client on my phone to the server and then browsed to a web server on my LAN. Without the iptables rule the connection came from 10.8.100.2, but with the rule it came from 192.168.1.5 (my address ranges are different than yours).
 

stretch

Occasional Visitor
When I connect via the remote OpenVPN client and browse to an internal (192.168.1.100) webserver it displays

User IP Address : 10.8.0.2

If I add the iptables rule it still displays the same IP.
 

ColinTaylor

Part of the Furniture
Merlin's firmware has changed quite a lot compared to John's (which I use). Maybe that's why.

Check for conflicting rules in the NAT table:
Code:
iptables-save -t nat
 

stretch

Occasional Visitor
Code:
-A POSTROUTING -s 10.8.0.2/32 -o br0:0 -j SNAT --to-source 192.168.1.241
-A POSTROUTING -o eth0 -j PUPNP
-A POSTROUTING ! -s PUBLIC IP/32 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -o br0 -j MASQUERADE
 
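An added example (not from this thread or either poster) that wraps the alias-plus-SNAT setup ColinTaylor describes in a small script with the checks a practitioner would want before touching the router: the SNAT target must sit in the LAN /24, and the `-o` interface must be the real bridge name, because iptables matches the egress device and an alias label such as `br0:0` is not an interface, so a rule written against it never matches. The addresses (client 10.8.0.2, alias 192.168.1.241, gateway 192.168.1.1, bridge br0) are the ones used in the thread; the function names are my own.

```shell
#!/bin/sh
# Added example: build and (as root on the router) apply the SNAT rule
# plus the alias interface it depends on. Assumed values match the thread.

# Reject alias labels and wildcards: iptables sees the real device only.
check_iface() {
    case "$1" in
        *:*|*!*|*\**|"") return 1 ;;
    esac
    return 0
}

# Both addresses must share the first three octets (LAN netmask is /24).
same_slash24() {
    a=${1%.*}; b=${2%.*}
    [ "$a" = "$b" ]
}

# Emit the SNAT rule arguments. -I puts it ahead of the firmware's own
# POSTROUTING rules; --to-source is what iptables-save prints for --to.
snat_rule() {
    client=$1; lan_ip=$2; iface=$3
    check_iface "$iface" || { echo "bad interface: $iface" >&2; return 1; }
    echo "-t nat -I POSTROUTING -s ${client}/32 -o ${iface} -j SNAT --to-source ${lan_ip}"
}

# The router must own the alias address or replies to it go nowhere.
alias_cmd() {
    echo "ifconfig ${2}:0 ${1} netmask 255.255.255.0"
}

# apply_snat CLIENT LAN_IP LAN_GW IFACE: validate, then apply if possible.
apply_snat() {
    client=$1; lan_ip=$2; lan_gw=$3; iface=$4
    same_slash24 "$lan_ip" "$lan_gw" || { echo "$lan_ip not in LAN /24" >&2; return 1; }
    rule=$(snat_rule "$client" "$lan_ip" "$iface") || return 1
    # Only touch the kernel when running as root with iptables available.
    if [ "$(id -u)" = 0 ] && command -v iptables >/dev/null 2>&1; then
        $(alias_cmd "$lan_ip" "$iface")
        # -C returns 0 if an identical rule exists; avoid duplicate inserts.
        iptables -t nat -C POSTROUTING ${rule#-t nat -I POSTROUTING } 2>/dev/null \
            || iptables $rule
    fi
    echo "$rule"
}
```

On the router run `apply_snat 10.8.0.2 192.168.1.241 192.168.1.1 br0`; on any other machine it only prints the rule it would insert. Because the alias and the NAT rule are lost on reboot, they belong in a startup script such as Merlin's /jffs/scripts/nat-start.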
