OpenVPN as Client for some Services


pagogc

New Around Here
Hello!
I am behind an ISP that is using a DS-Lite stack.

As far as I understand, there is no way to get a connection to my home network from outside directly. Even if there were, it would only be via IPv6, but that's another topic.

So for now, I am trying the following setup.

- Hosting an Ubuntu VM at a VPS provider.
- Setting up an OpenVPN server there.
- Trying to route traffic from there to the OpenVPN client on the router.

I got so far as to configure OpenVPN on the server (adding the ccd option and a file for the "iroute" configuration) and uploading the client.ovpn to the router.
I can connect to the server, and looking in the server log, the iroute is accepted.

But from the terminal of the server, I can't ping any address in my LAN network.

I don't understand how routing works exactly in this situation...

I want to:
- Use the OpenVPN client connection from the router to the server only for incoming traffic (all other clients in my LAN should not be affected by the VPN)
- Route traffic from the official IP/ports of the VPS provider to 1-2 endpoints in my LAN.

End goal:
- Providing a reverse proxy + Let's Encrypt (on the server or client side... I don't know?) for 1-2 services (like Nextcloud).

======

Reading through other guides (for example this: https://community.openvpn.net/openvpn/wiki/RoutedLans), that is not exactly what I want, as this option would open my whole LAN to the external server.
I don't even know if this is the right forum to ask, but as I am trying step by step to set this up and can't ping, I thought I'd maybe ask here first whether some settings are needed in the router.

For example, I read posts that set "Inbound Firewall" to "Allow" in the VPN client settings.
As far as I know, I need this too, but can I set detailed rules for traffic afterwards?
Do I need "Create NAT on Tunnel"?

Every little bit of help is appreciated, TIA.
 

eibgrad

Very Senior Member
Without getting into the specific services you might want to map from the VPS into your LAN (that could be potentially anything, even another OpenVPN client), you should be able to ping from the VPS back into the OpenVPN client and beyond provided you have properly configured iroute *and* route directives on the OpenVPN server side.

IOW, if the OpenVPN client is hosted on the 192.168.1.0/24 LAN, you need to add an iroute directive for that network to the CCD directory based on the OpenVPN client's CN (Common Name). Let's assume that CN is 'client' and the file is stored on Ubuntu under /tmp.

/tmp/client
Code:
iroute 192.168.1.0 255.255.255.0

In the OpenVPN server config, you need the following directive as well:
Code:
route 192.168.1.0 255.255.255.0

Of course, the OpenVPN server config has to contain a reference to the folder which supports the CCD files.
Code:
client-config-dir /tmp

Assuming there are no firewall issues preventing access either on the client or server side, you'll want to NAT the inbound traffic from the OpenVPN server, since clients of the LAN behind the OpenVPN client would otherwise see a *public* IP from any connections initiated from the server side to the client side. If you don't NAT, then the reply packets will get routed out over the WAN of the OpenVPN client rather than the VPN!
 
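An added example, my own and not code from the thread or from OpenVPN, for the VPS side of what eibgrad lays out above: an audit that finds exactly the mistake in the first post (an iroute in a CCD file with no matching route directive, or no client-config-dir at all), plus the iptables commands that map one public port on the VPS through the tunnel to one LAN host. It assumes things the thread never states: tunnel interface tun0 with server address 10.8.0.1, public interface eth0, and the 192.168.1.0/24 LAN from the post. The audit does exact text matching of route against iroute; it does not reason about a larger route that happens to cover the iroute network.

```shell
#!/bin/sh
# Added example, not code from the thread: VPS-side checks for the setup
# eibgrad describes. Assumptions not stated in the thread: the server's
# tunnel interface is tun0 with address 10.8.0.1, the public NIC is eth0,
# and the LAN behind the router client is 192.168.1.0/24.
#
#   ./vps-check.sh check /etc/openvpn/server.conf /etc/openvpn/ccd
#   ./vps-check.sh rules eth0 tcp 443 192.168.1.10 443 | sh

# Report every 'iroute NET MASK' in CCD_DIR that has no matching 'route NET
# MASK' in SERVER_CONF (the first post's situation: iroute is accepted, but
# without 'route' the kernel never sends packets for the LAN into the tunnel,
# so pinging from the VPS fails). Also complains when client-config-dir is
# missing, because then no CCD file is read at all.
# Returns 1 on any problem, 0 when everything matches.
check_ccd_routes() {
    conf=$1; ccd=$2; rc=0
    if ! grep -Eq '^[[:space:]]*client-config-dir[[:space:]]+' "$conf"; then
        echo "ERROR: no client-config-dir directive in $conf"
        rc=1
    fi
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        # drop '#' and ';' comments, keep network and mask of each iroute line
        sed 's/[#;].*//' "$f" | awk '$1 == "iroute" && NF >= 3 { print $2, $3 }' |
        while read -r net mask; do
            net_re=$(printf '%s' "$net" | sed 's/\./\\./g')
            mask_re=$(printf '%s' "$mask" | sed 's/\./\\./g')
            if grep -Eq "^[[:space:]]*route[[:space:]]+$net_re[[:space:]]+$mask_re([[:space:]]|$)" "$conf"; then
                echo "OK: $name: iroute $net $mask has a matching route in $conf"
            else
                echo "MISSING: $name: iroute $net $mask but no 'route $net $mask' in $conf"
                exit 1       # ends the pipeline subshell with status 1
            fi
        done || rc=1
    done
    return "$rc"
}

# Print the iptables commands that publish one service on the VPS:
# PUBLIC_IF:PORT -> LAN_IP:LAN_PORT through the tunnel. The SNAT rewrites
# the source to the server's tunnel address, so the LAN host sees 10.8.0.1
# instead of the visitor's public IP and its replies come back through the
# VPN rather than leaving via the router's WAN. Pipe the output to 'sh' to
# apply. With ufw in front (as in the thread), forwarded traffic is dropped
# by default; allow it with 'ufw route allow' or DEFAULT_FORWARD_POLICY.
vps_forward_rules() {
    pub_if=$1; proto=$2; port=$3; lan_ip=$4; lan_port=$5
    tun_if=${6:-tun0}; tun_ip=${7:-10.8.0.1}
    cat <<EOF
sysctl -q -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $pub_if -p $proto --dport $port -j DNAT --to-destination $lan_ip:$lan_port
iptables -A FORWARD -i $pub_if -o $tun_if -p $proto -d $lan_ip --dport $lan_port -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $tun_if -p $proto -d $lan_ip --dport $lan_port -j SNAT --to-source $tun_ip
EOF
}

case "${1:-}" in
    check) check_ccd_routes "$2" "$3" ;;
    rules) shift; vps_forward_rules "$@" ;;
esac
```

The SNAT is the server-side way of avoiding the asymmetric reply path eibgrad warns about; if you prefer to NAT on the router instead, leave that last rule out and handle it on the client side.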

pagogc

New Around Here
Thanks for your answer, even though I assume you get questions like this way too often :).
I read through many of your posts as well, and even the OpenVPN documentation, where it says to add "route" too.

But I hesitated, because when I implement this, all of my home network would be open, right?

So the only other option is manually creating iptables rules, when I want to open only some ports and only ONE IP address of my home network?
 

eibgrad

Very Senior Member
> Thanks for your answer, even though I assume you get questions like this way too often :).
> I read through many of your posts as well, and even the OpenVPN documentation, where it says to add "route" too.
>
> But I hesitated, because when I implement this, all of my home network would be open, right?
>
> So the only other option is manually creating iptables rules, when I want to open only some ports and only ONE IP address of my home network?

When you speak of opening *all* your home network, we have to be precise in terms of open to *who*. From the perspective of the OpenVPN server, it's like any tunnel you create between two endpoints. It's going to be open to the extent you do nothing to prevent such access. When you connect an OpenVPN client to a commercial OpenVPN server, you can bet your life the VPN provider has firewalled his side of the tunnel to prevent/limit access to specific devices on his own LAN, since he has no reason to trust you. YOU have to do the same if this is a concern, although since you control the VPS, this may be overkill. From the perspective of the Ubuntu server, hopefully you've configured a firewall on the VPS as well to prevent access to all but SSH (for management purposes) and eventually some port forwarding for the various services you want mapped from the public IP of the VPS, through the VPN, and into your LAN.

IOW, it's *possible* to leave the OpenVPN server wide-open provided the VPS itself is firewalled. Or if you want to be super-safe, provide firewall protection also at the point of the VPN, specifically the OpenVPN client side (which is what the Inbound Firewall option attempts to do).
 

eibgrad

Very Senior Member
P.S. Note, the Inbound Firewall option prevents *all* connection attempts initiated from the OpenVPN server side and into the OpenVPN client. But you don't have to disable it in order to allow access to specific services or LAN IPs. You can simply add port forwarding rules (but NOT using the GUI, only manually) as exceptions. As long as the exceptions are added as insertions (rather than appended) to the FORWARD chain of the filter table, they will get tested *before* the blocking created by the Inbound Firewall option.

IOW, it would only make sense to disable the Inbound Firewall option if you intended to allow *all* access to the LAN (e.g., using OpenVPN as a client to the VPS).
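An added example for the router side of what the post above describes, written by me and not taken from the thread or from Asuswrt-Merlin: it keeps Inbound Firewall on Block and inserts one exception per published service at the top of FORWARD, so the exception is evaluated before whatever the Inbound Firewall option adds (a DROP or a jump to its own chain, depending on firmware version). Everything concrete here is an assumption the thread does not state: VPN client 1 is tun11, the LAN bridge is br0, the service host is 192.168.1.10, and the script is run from /jffs/scripts/openvpn-event when OpenVPN reports dev=tun11 and script_type=route-up (both are environment variables OpenVPN sets for its hook scripts). Set IPT="echo iptables" to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the thread or from Asuswrt-Merlin: router-side
# exceptions that keep "Inbound Firewall = Block" on the OpenVPN client and
# open exactly one hole per published service. Assumptions not in the thread:
# VPN client 1 is tun11, the LAN bridge is br0, the service lives on
# 192.168.1.10. Rules are inserted at position 1 of FORWARD (-I, never -A) so
# they are evaluated before the block rule the Inbound Firewall option adds.
# Run as root on the router, e.g. from /jffs/scripts/openvpn-event when
# dev=tun11 and script_type=route-up; or with IPT="echo iptables" to only
# print what would be done.

IPT=${IPT:-iptables}
TUN=${TUN:-tun11}
LAN_IF=${LAN_IF:-br0}

# One "proto lan_ip port" per line. Constructed sample for a Nextcloud box.
SERVICES="
tcp 192.168.1.10 443
tcp 192.168.1.10 80
"

# Insert a rule at the top of CHAIN unless an identical rule already exists
# (-C), so the script is safe to run again on every reconnect.
add_rule() {
    table=$1; chain=$2; shift 2
    if [ "$IPT" = iptables ] && iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    $IPT -t "$table" -I "$chain" 1 "$@"
}

# Accept every packet of flows from the tunnel to one LAN_IP:PORT (not just
# NEW, so the rule does not depend on where the firmware placed its
# ESTABLISHED rule relative to the block). The MASQUERADE makes the LAN host
# see the router's LAN address as the source, so its replies go to the router
# and back into the tunnel instead of out the WAN (the reply-routing problem
# eibgrad describes). Leave it out if the VPS already SNATs to its tunnel IP.
allow_inbound() {
    proto=$1; ip=$2; port=$3
    add_rule filter FORWARD -i "$TUN" -o "$LAN_IF" -p "$proto" -d "$ip" --dport "$port" \
        -j ACCEPT
    add_rule nat POSTROUTING -o "$LAN_IF" -p "$proto" -d "$ip" --dport "$port" -j MASQUERADE
}

apply_services() {
    printf '%s\n' "$SERVICES" | while read -r proto ip port; do
        [ -n "$proto" ] || continue
        allow_inbound "$proto" "$ip" "$port"
    done
}

case "${1:-}" in
    apply) apply_services ;;
esac
```

Because the rules are scoped to -i tun11 and a single destination address and port, nothing else on the LAN becomes reachable from the VPS, which is the narrower exposure the original question asked for.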
 

pagogc

New Around Here
Yes, I set up ufw and only opened SSH/22 so far on Ubuntu.

So on Merlin, if Inbound is activated, I have to SSH into the router and set up the routing there, check.

Thanks for your help!
 
