Configuring TUN OpenVPN to route/assign IP from LAN subnet

stretch

Occasional Visitor
I have a router running Asus Merlin and have set up a TUN OpenVPN server on it. Clients are able to connect and ping LAN clients etc., however one of my LAN devices will only accept connections from devices that are on the same LAN subnet, i.e. 192.168.1.0/24, so from a VPN-connected client on the 10.8.0.0 subnet this fails. What I need is for the OpenVPN client to have a static IP on the same subnet as the LAN, and it must also be pingable from other LAN devices. So basically I need TAP but using TUN. TAP is not an option due to using an Android client.

Router LAN IP: 192.168.1.1
OpenVPN subnet: 10.8.0.0

Custom client config:
Code:
ifconfig-push 192.168.1.241 255.255.255.0

I believe I'm missing a "route".

So do you mean:

Code:
iptables -t nat -A POSTROUTING -s 192.168.1.241/32 -o br0 -j MASQUERADE
No. The client's real address is NATed to 10.8.0.x so the source address isn't 192.168.1.241. You need to MASQUERADE or SNAT the client's 10.8.0.x address (and remove your ifconfig-push).

The example I linked to would masquerade all client addresses so that they appear to be coming from the router itself (e.g. 192.168.1.1). If you only want to do this for one client you would use SNAT on its 10.8.0.x address rather than MASQUERADE.
 
How have you configured the server to handle this specific client? You need for it to have a fixed IP address (10.8.0.?) so that you can differentiate it from any other client. Once you know this address you can create the iptables rule.
 
OK, so if I don't do

Custom client config:
Code:
ifconfig-push 192.168.1.241 255.255.255.0

it gets the address 10.8.0.2.
 
> it gets the address 10.8.0.2

Yes, but that's a dynamic address. It's just picked up the first available address in the pool. If another client had connected before it, it would have got that address and your client would have got 10.8.0.3.

Search the forum for posts regarding assigning fixed IP addresses to VPN clients. I can't remember the details myself.
 
Yes, I can assign a fixed address, no problem; I just need to know what the SNAT iptables rule you mentioned is.
 
As a test try this:

Code:
iptables -t nat -I POSTROUTING -s 10.8.0.2 -o br0 -j SNAT --to 192.168.1.241

Where 192.168.1.241 is a free address that's not in your local DHCP pool.

I don't know whether that will work.
 
EDIT: Just realised the above won't work unless there is a network interface on the router with the IP address of 192.168.1.241. So,

Code:
ifconfig br0:0 192.168.1.241 netmask 255.255.255.0

Just tested this on my router and it works.
 
No, doesn't work:

Code:
ping 10.8.0.2 -t


Pinging 10.8.0.2 with 32 bytes of data:
Reply from 10.8.0.2: bytes=32 time=63ms TTL=63
Reply from 10.8.0.2: bytes=32 time=52ms TTL=63


Ping statistics for 10.8.0.2:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 52ms, Maximum = 63ms, Average = 57ms

ping 192.168.1.241 -t


Pinging 192.168.1.241 with 32 bytes of data:
Reply from 192.168.1.59: Destination host unreachable.
Reply from 192.168.1.59: Destination host unreachable.


Ping statistics for 192.168.1.241:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
 
> EDIT: Just realised the above won't work unless there is a network interface on the router with the IP address of 192.168.1.241. So,
>
> Code:
> ifconfig br0:0 192.168.1.241 netmask 255.255.255.0
>
> Just tested this on my router and it works.

Oh yes, now that works!
 
Is there any way to make it look like any traffic that comes from 10.8.0.2 appears to be coming from 192.168.1.241?
 
> Is there any way to make it look like any traffic that comes from 10.8.0.2 appears to be coming from 192.168.1.241?
That's what it's doing. You proved that when you could ping 192.168.1.241. I also checked this on a web server on my LAN.
 
I've just checked, and after doing

Code:
ifconfig br0:0 192.168.1.241 netmask 255.255.255.0

a non-VPN-connected LAN client can ping it without even adding the iptables rule.

After connecting the client from 10.8.0.2, 192.168.1.241 still pings but the latency doesn't go up, so all I'm doing is pinging the router interface.
 
> I've just checked, and after doing
>
> Code:
> ifconfig br0:0 192.168.1.241 netmask 255.255.255.0
>
> a non-VPN-connected LAN client can ping it without even adding the iptables rule.
>
> After connecting the client from 10.8.0.2, 192.168.1.241 still pings but the latency doesn't go up, so all I'm doing is pinging the router interface.

Good point, hadn't thought about that.

But it does work for me. I connected the VPN client on my phone to the server and then browsed to a web server on my LAN. Without the iptables rule the connection came from 10.8.100.2, but with the rule it came from 192.168.1.5 (my address ranges are different from yours).
 
When I connect via the remote OpenVPN client and browse to an internal (192.168.1.100) web server it displays

User IP Address : 10.8.0.2

If I add the iptables rule it still displays the same IP.
 
Merlin's firmware has changed quite a lot compared to John's (which I use). Maybe that's why.

Check for conflicting rules in the NAT table:
Code:
iptables-save -t nat
 
Code:
-A POSTROUTING -s 10.8.0.2/32 -o br0:0 -j SNAT --to-source 192.168.1.241
-A POSTROUTING -o eth0 -j PUPNP
-A POSTROUTING ! -s PUBLIC IP/32 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -o br0 -j MASQUERADE
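Tying the thread together (an added example, not code posted by anyone in the thread): the recipe the thread arrives at is the extra address on br0 plus one POSTROUTING SNAT rule, and the one visible difference between the rule suggested earlier ("-o br0") and the rule in the posted iptables-save output is "-o br0:0". "br0:0" is only the label ifconfig gives that extra address; it is not a separate network device, and netfilter compares "-o" against the real device name, so a rule written with "-o br0:0" can never match and the web server keeps seeing 10.8.0.2. The script below prints the two setup commands, then lints a constructed copy of the posted nat table for that mistake and shows the repaired rule passing. The br0 interface name and the addresses are taken from the thread; the public address in the sample is replaced with a documentation-range address, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. It packages the two pieces the
# thread ends up with (the br0:0 alias address and the SNAT rule) and lints
# an "iptables-save -t nat" dump for the mistake visible in the posted one.
# Assumed values, taken from the thread: LAN bridge br0, fixed tunnel address
# 10.8.0.2 for the client, free LAN address 192.168.1.241.

VPN_CLIENT=10.8.0.2
LAN_IF=br0
LAN_ALIAS=192.168.1.241

# Commands for the router. "ifconfig br0:0 ..." adds a second address to br0;
# "br0:0" is a label on that address, not a separate network device, so the
# router answers ARP for .241 on br0 and the SNAT rule must match "-o br0".
setup_commands() {
    printf 'ifconfig %s:0 %s netmask 255.255.255.0\n' "$LAN_IF" "$LAN_ALIAS"
    printf 'iptables -t nat -I POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
        "$VPN_CLIENT" "$LAN_IF" "$LAN_ALIAS"
}

# Constructed sample modelled on the nat table posted in the thread; the
# public address is replaced with a documentation-range address. The first
# rule carries the "-o br0:0" mistake.
SAMPLE_NAT='-A POSTROUTING -s 10.8.0.2/32 -o br0:0 -j SNAT --to-source 192.168.1.241
-A POSTROUTING -o eth0 -j PUPNP
-A POSTROUTING ! -s 203.0.113.10/32 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -o br0 -j MASQUERADE'

# check_snat_rules <client-ip> <lan-if> <lan-address>
# Reads iptables-save nat output on stdin, reports every POSTROUTING SNAT
# rule for the client and returns 0 only if one of them can actually match.
check_snat_rules() {
    awk -v client="$1" -v lanif="$2" -v lanaddr="$3" '
    $1 == "-A" && $2 == "POSTROUTING" {
        src = oif = tgt = to = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-s") src = $(i + 1)
            else if ($i == "-o") oif = $(i + 1)
            else if ($i == "-j") tgt = $(i + 1)
            else if ($i == "--to-source") to = $(i + 1)
        }
        sub(/\/32$/, "", src)
        if (tgt != "SNAT" || src != client) next
        if (index(oif, ":")) {
            printf "BAD  %s\n     -o %s names an address label; packets leave device %s, so this never matches\n", $0, oif, lanif
            next
        }
        if (oif != lanif) { printf "BAD  %s\n     expected -o %s\n", $0, lanif; next }
        if (to != lanaddr) { printf "BAD  %s\n     expected --to-source %s\n", $0, lanaddr; next }
        printf "OK   %s\n", $0
        ok = 1
    }
    END { if (!ok) { print "no usable SNAT rule for " client; exit 1 } }'
}

# Rewrite "-o <dev>:<n>" to "-o <dev>" so the corrected rules can be reloaded.
fix_alias_oif() {
    sed 's/-o \([A-Za-z0-9_.-]*\):[0-9][0-9]* /-o \1 /'
}

# Demo: the posted table fails the check, the repaired table passes.
printf '%s\n' "$SAMPLE_NAT" | check_snat_rules "$VPN_CLIENT" "$LAN_IF" "$LAN_ALIAS" || true
printf '%s\n' "$SAMPLE_NAT" | fix_alias_oif | check_snat_rules "$VPN_CLIENT" "$LAN_IF" "$LAN_ALIAS" || true
```

The script changes nothing and only reads text, so on the router the check is simply the live table piped in after the functions are sourced: iptables-save -t nat | check_snat_rules 10.8.0.2 br0 192.168.1.241. One caveat worth keeping in mind: once the rule is in place, the device that only talks to 192.168.1.0/24 can no longer tell this VPN client apart from a LAN host, so the OpenVPN server's client authentication, together with the fixed per-client address the rule keys on, is now the entire access control for that device.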
 
