How to access client's LAN being on the server side of OpenVPN

[Teymur]

Hi there,

Need some help from the experts on routing and openvpn

So here is the thing. My ISP blocks the external IPTV I'm using. Because they want me to purchase that from them which is 10 times as expensive. My friend's ISP doesn't do that. We live in the same city and pings are 1-2 ms between the routers (both are asus) mine is AC3200 his AC66U_B1. I know I could run OpenVPN server on his router and configure my iptv routing through his router. But the trouble is that his ISP provides him with a private dynamic IP address so the DDNS doesn't work nor does the OpenVPN as u may guess.

The goal: I'm hosting the OpenVPN server. He's the client to me. I want to be able to access his LAN as well as use his internet to route my IPTV traffic. I could easily do that when he had a public IP address and then his router was a OpenVPN server and I was the client to him and could easily route my IPTV traffic through his internet connection. But what do you think I can do in this case? All your inputs are highly appreciated.

p.s when his router connects to mine as a client, it gets openvpn client IP from this subnet: 10.8.0.0/24

I'm able to ssh into his router and run commands and stuff. But say if I try to open 10.8.0.x in the browser it won't let me access the router's WebUI. Don't know why. His remote access is enabled. Should be able to, and this has worked in the past on older firmwares, now it doesn't.

 

[eibgrad]

It may simply be the case that his GUI isn't bound to the OpenVPN network interface. Many times services are only bound to specific network interfaces, usually as a security measure. Frankly, I'm not sure why it matters if your intent is to route traffic over the tunnel. The tunnel's network address doesn't serve much practical purpose other than maintaining the tunnel. All your references to IPTV or other resources on your friend's network will be using that local IP network or public internet IP addresses anyway. Does all that work?

 

[Teymur]

It may simply be the case that his GUI isn't bound to the OpenVPN network interface. Many times services are only bound to specific network interfaces, usually as a security measure. Frankly, I'm not sure why it matters if your intent is to route traffic over the tunnel. The tunnel's network address doesn't serve much practical purpose other than maintaining the tunnel. All your references to IPTV or other resources on your friend's network will be using that local IP network or public internet IP addresses anyway. Does all that work?

Hi,

Thanks for your reply,

Little update, when my friend’s router connects to my router as open vpn client, I now can access his LAN as well. My aim was to route my IPTV traffic Through the tunnel, in this case. Usually the client routes the traffic through the tunnel, but I was wondering if that can work opposite way.

 

[eibgrad]

Hi,

Thanks for your reply,

Little update, when my friend’s router connects to my router as open vpn client, I now can access his LAN as well. My aim was to route my IPTV traffic Through the tunnel, in this case. Usually the client routes the traffic through the tunnel, but I was wondering if that can work opposite way.

If you can *initiate* connections (e.g., ping) to his LAN while hosting the OpenVPN server, then you already *are* routing your traffic through the tunnel and over to his network.

It is possible by "I now can access his LAN as well", you were only referring to the replies sent back to his network when he initiates connections from his OpenVPN client into your network??

 

[Teymur]

If you can *initiate* connections (e.g., ping) to his LAN while hosting the OpenVPN server, then you already *are* routing your traffic through the tunnel and over to his network.

Hi,

I’m sorry I think you’re not getting what I mean. Hosting the OpenVPN Server I want to be able to get to some host on the internet using the internet connection of my openvpn client. So for example:

I’m on the LAN side of openvpn server. When i traceroute host say xxx.yyy.zzz.ccc it goes to my router and then to the wan interface of my router and so on until it reaches that host. But what I want it to do is to go to the router then to go to the “tun0” interface which is openvpn then go to the client which is connected to openvpn server and from there to the internet.

 

[eibgrad]

That actually is what I thought you meant. But the first step in making this possible is making sure you have bi-directional (aka site-to-site) access across the tunnel. IOW, that a device on either side of the tunnel can *initiate* a connection to some device on the other side. By default, OpenVPN tunnels are uni-directional, where only devices on the OpenVPN client side can initiate connections over tunnel. You actually have to take extras steps in the OpenVPN server configuration to enable bi-directional tunnels. And when you said "I now can access his LAN as well", I though perhaps you had already accomplished these extra steps.

In order to make it bi-directional, you need to add a route directive to the OpenVPN server config for your friend's local IP network, the one directly behind his OpenVPN client. Let's assume that's 192.168.0.x.

route 192.168.0.0 255.255.255.0

Once the OpenVPN server comes up, it will install a static route in the local (kernel) routing table that's bound to the OpenVPN server's network interface (e.g., tun2).

But that's not sufficient. Because *all* OpenVPN clients are connected to a single network interface on the OpenVPN server, the OpenVPN server needs an iroute directive (that's not a typo, it's "i" route, as in internal route) that tells it *which* OpenVPN client is associated w/ which route you added in the kernel's routing table. Remember, in theory there could be *many* OpenVPN clients connecting to your OpenVPN server, all w/ different local IP networks behind their respective OpenVPN clients.

That's why this is a bit tricky. You need to establish the routing at two levels; w/ the kernel externally, and w/ the OpenVPN server, internally.

To establish the iroute directive, you need to establish a CCD directory that contains a file by the common name on the OpenVPN client cert, and where you add the following line.

iroute 192.168.0.0 255.255.255.0

A lot of this is explained in the following OpenVPN document.

https://community.openvpn.net/openvpn/wiki/RoutedLans

Yes, a bit complicated. And most ppl stumble at this point because it's not obvious you need to go through all these extra steps to get bi-directional access working.

Once the tunnel works bi-directionally, then you need to change the default gateway on your primary router to point to your friend's default gateway on his network, which should be accessible over the tunnel, just like anything else on his network.

So first thing to do is just get bi-directional access working. Then worry about the change in the default gateway.

 

[eibgrad]

P.S. Btw, what's the firmware running on your respective routers? Sometimes the manufacturer's firmware is not very flexible, and makes adding capabilities like this very difficult. That's why many of us install third party firmware (dd-wrt, tomato, etc.), where either the GUI is much enhanced to make something like this trivial to implement/configure, or worst case, you can drop down to a shell (telnet/ssh) and use scripting to add such capabilities.

That's why even if you know how to make it work, it's not always possible using the manufacturer's firmware. This is often the biggest stumbling block.