
[Solved] Access OpenVPN Server LAN over Remote VPN Client

Discussion in 'Asuswrt-Merlin' started by Wingsfan87, Oct 16, 2018.

  1. Wingsfan87

    Wingsfan87 Regular Contributor

    Joined:
    Sep 18, 2015
    Messages:
    100
    Location:
    Michigan
    @Martineau I really could use your expertise on solving this problem I have been working on for a while. Or anyone else who might know what I am missing/doing wrong.

    Background:
    I have a Linux OpenVPN gateway client set up at my house. It is connected to 5 different OpenVPN servers running at friends' and family's houses that are all using Asus routers running Merlin's latest firmware. For my home network I am using Unifi with a USGPro4 and the latest Unifi controller. I have static routes set to those remote subnets pointing to my VM running Linux as my OpenVPN gateway client. When I am at my house on my LAN I can access all the remote subnets just fine, no issues. I have the iptables rules set correctly to allow established/related traffic and my home LAN to forward to the remote LAN, and I am dropping their remote LAN from connecting to my LAN. I can access their network since they are the OpenVPN servers, but as the client side I don't want them accessing my LAN from theirs. Again, all this is working just fine as intended.

    Problem: Also on my home LAN Unifi gear I am using an L2TP/IPsec VPN that is included as an option. I am attempting to access the remote subnets for friends and family from this VPN connection but am not able to. I did a trace, and my VPN connection is forwarding correctly to the OpenVPN gateway client on my LAN, but traffic is not returning from the remote OpenVPN server side running on the Asus routers.

    I can't tell if I need to adjust the firewall iptable rules on my OpenVPN gateway client or what to set in the custom configuration on the remote OpenVPN server on the Asus router. I am using your custom VPNClientConnect.sh script that adds the iroute dynamically based on user.

    Any ideas?

    *Note I am only giving one remote LAN example for the rules and IP details but they all are configured similarly just different subnets of course to prevent conflicts/overlap.

    IP Details:
    Local LAN: 192.168.50.0
    Local IPSEC VPN: 10.10.50.0

    Remote LAN: 192.168.30.0
    Remote OpenVPN: 10.8.30.0

    Local OpenVPN Gateway Client IPTABLE List:
    [email protected]:~$ sudo iptables -S
    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 192.168.50.0/24 -d 192.168.0.0/16 -j ACCEPT
    -A FORWARD -s 10.10.50.0/24 -d 192.168.0.0/16 -j ACCEPT
    -A FORWARD -s 10.8.30.0/24 -d 192.168.0.0/16 -j ACCEPT
    -A FORWARD -s 192.168.30.0/24 -d 192.168.0.0/16 -j DROP

    OpenVPN Server Router Custom Config:
    script-security 2
    client-connect /jffs/scripts/VPNClientConnect.sh
    route 192.168.50.0 255.255.255.0 vpn_gateway
    route 10.10.50.0 255.255.255.0 vpn_gateway


    Thanks
     
  2. Wingsfan87

    Wingsfan87 Regular Contributor

    Joined:
    Sep 18, 2015
    Messages:
    100
    Location:
    Michigan
    You're hijacking my thread! ;-)

    • Change each of your separate routers' local LAN subnets to something different. Recommend not using the default 192.168.1.x (e.g. 192.168.10.x, 192.168.20.x, 192.168.30.x).
    • Do you really need each to have a server? You could set them all up to connect back to one as the server and each site as a client so all the networks can talk to each other.
      • If you still want each to be its own server, change each of the OpenVPN subnets to be different as well. The default is 10.8.0.0; recommend not using the default either (e.g. 10.8.10.x, 10.8.20.x, 10.8.30.x to mirror the LAN subnet).
      • If you are connecting to more than one at a time then you also need to change the port from the standard 1194. Use something higher, and you can mirror your LAN octet to keep it easy to remember, like 119410, 119420, 119430 and so on.
    • Are you doing LAN only, internet only or both on the VPN server? There are different options you can do based on the need.

    Once you have it correctly configured as I mentioned above, you will have no problem accessing the remote router GUIs over the VPN tunnels.
     
  3. Torson

    Torson Occasional Visitor

    Joined:
    Aug 3, 2018
    Messages:
    19
    Thank you for the reply - I'll open a new thread. You're absolutely right - my apologies.
     
  4. Wingsfan87

    Wingsfan87 Regular Contributor

    Joined:
    Sep 18, 2015
    Messages:
    100
    Location:
    Michigan
    No worries. Hope my post helped.

    I think I know my issue. Just not how to solve it. How do I dynamically add multiple iroutes to the same temporary CCD Name using @Martineau VPNClientConnect.sh script?
     
  5. Wingsfan87

    Wingsfan87 Regular Contributor

    Joined:
    Sep 18, 2015
    Messages:
    100
    Location:
    Michigan
    Ok never mind I solved it.

    Used Martineau's original script and added an echo line to the config for the client to include another iroute and added a route line to the custom config line in the gui.

    Now it works as I needed it from the other VPN :)
     
  6. loveleeyoungae

    loveleeyoungae Regular Contributor

    Joined:
    May 3, 2014
    Messages:
    88
    Would you mind sharing the scripts here? Thanks.
     
  7. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,861
    Location:
    UK
    I knew you would figure it out! :D
     
    Last edited: Oct 18, 2018
  8. Wingsfan87

    Wingsfan87 Regular Contributor

    Joined:
    Sep 18, 2015
    Messages:
    100
    Location:
    Michigan
    See this post https://www.snbforums.com/threads/o...e-to-site-connection.24268/page-4#post-306591

    I used his original script there and added one line to it: the 2nd echo line. So it defines 2 iroutes for the same client. That way, if the client has multiple subnets on their side, any one of those subnets can access the OpenVPN server LAN.

    Code:
       "clientone")
                  echo "iroute 192.168.3.0 255.255.255.0" >>$1
                  echo "iroute 10.10.3.0 255.255.255.0" >>$1
                  ;;
    You also need a route line in the custom config box in the GUI on the router. See this post as an example where it says route xxxx xxxxx. I don't use push as I'm not sharing the network with other clients. Also, I only allow traffic one way on mine: I only want my client or "my network" connecting to the remote server, and the server side can't access mine.
     
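    As an added example (not Martineau's VPNClientConnect.sh and not code from this thread), here is a minimal POSIX sh client-connect script that generalises the two-echo snippet above to any number of subnets per client. It looks the connecting client's certificate CN up in a small table (constructed for the example) and appends one iroute line per subnet to the temporary per-client config file that OpenVPN hands the script as $1, with the CN in the common_name environment variable. The iroute lines are what tell the OpenVPN server which client tunnel owns those subnets; without an iroute for the second subnet (the IPsec pool in the first post) replies for it never find their way back into the tunnel. The matching route lines in the server's custom config box are still required so the router's kernel sends those packets to the tun interface in the first place. The table contents, the CNs and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not VPNClientConnect.sh: an OpenVPN client-connect script
# that emits one "iroute" line per subnet behind a connecting client.
# OpenVPN runs client-connect with the path of a temporary per-client config
# file as $1 and exports the client certificate CN as $common_name.
#
# Subnet table (constructed for this example). One client per line:
#   <common_name>|<subnet> <mask> [<subnet> <mask> ...]
CLIENT_SUBNETS='
clientone|192.168.50.0 255.255.255.0 10.10.50.0 255.255.255.0
clienttwo|192.168.60.0 255.255.255.0
'

# Print the iroute lines for one CN; prints nothing for an unknown CN.
# A trailing subnet without a mask is ignored rather than emitted half-formed.
iroutes_for() {
    cn="$1"
    printf '%s\n' "$CLIENT_SUBNETS" | while IFS='|' read -r name nets; do
        [ "$name" = "$cn" ] || continue
        set -- $nets
        while [ $# -ge 2 ]; do
            printf 'iroute %s %s\n' "$1" "$2"
            shift 2
        done
    done
}

# Append the client's iroute lines to the config file OpenVPN supplied.
# Returns 1 when the CN has no entry, so the caller can decide whether a
# client with no known subnets should still be allowed to connect.
write_client_config() {
    cfgfile="$1"
    cn="$2"
    lines=$(iroutes_for "$cn")
    [ -n "$lines" ] || return 1
    printf '%s\n' "$lines" >> "$cfgfile"
}

# Entry point when invoked by OpenVPN (skipped when the file is sourced
# without arguments). A non-zero exit from client-connect makes OpenVPN
# refuse the connection; drop the "|| :" if unknown CNs should be rejected.
if [ -n "$1" ] && [ -n "$common_name" ]; then
    write_client_config "$1" "$common_name" || :
fi
```

    Deploy it with `script-security 2` and `client-connect /path/to/script.sh`, as the custom config in the first post already does, and keep the table limited to the subnets each client is actually meant to bring: every subnet listed in an iroute is routed toward that client's tunnel as soon as it connects, so the table is effectively part of the server's access policy (the one-way iptables policy on the client side is a separate control).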
  9. Wingsfan87

    Wingsfan87 Regular Contributor

    Joined:
    Sep 18, 2015
    Messages:
    100
    Location:
    Michigan
    Thanks @Martineau the credit goes to you :) Your script and reading through your posts here I have learned a lot.

    A couple of things: I tried your revised 3.x script for static and added an iroute line to it, but it didn't work. It would never add the internal route, just the static IP. Second, you said you revised yours to 4.7x, but I haven't seen that one ;) Could you share that update?
     
  10. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,861
    Location:
    UK
    Since v3.01 was initially made public, v4.80 of the script evolved primarily due to the lack of interest by Asus etc. in providing (IMHO long overdue) 2-factor OpenVPN authentication in order to reduce the possibility of misuse by stricter control etc.

    Consequently my aim was to ensure that additional access rules could be applied to OpenVPN Server inbound connecting Clients.

    However, apart from the 'pass-thru' feature (outbound via an OpenVPN Client), I don't recall ever seeing any forum posts lamenting the lack of custom OpenVPN Server access rules being an issue, nor any enhancement request for 'Howtos' for any of my considered nice-to-haves.

    So my pseudo commands now comprise (some of which may no longer be unique/useful)
    v3.01 My pseudo OpenVPN server directive
    Code:
    staticip
            # This client will be assigned a static IP Assign static I/P xxx.xxx.xxx.nnn (Normally xxx.xxx.xxx=10.8.0 for VPN Server 1, and xxx.xxx.xxx=10.16.0 for VPN Server 2)
            # e.g. staticip .22
    I doubt anyone would guess/use many of these!
    Code:
    allowip
        # List of ALLOWED (ACL) remote IP addresses (Probably not useful for non-static WAN e.g. mobile devices?)
        # e.g. allowip xxx.xxx.xxx.xxx [...]
     
    blockip
        # List of BLOCKED remote IP addresses (Probably not useful for non-static WAN e.g. mobile devices?)
        # e.g. blockip xxx.xxx.xxx.xxx [...]
    
    allowperiod
        # List of avail periods hh:59-hh:mm,prime - Check on initial connection only i.e. Client is not kicked off at period end.
        # e.g. allowperiod 07:59-17:00
    
    restrictperiod
        # List of restricted times hh:mm-hh:mm,online,overnight - Check on initial connection only
        # e.g. restrictperiod 00:59-05:00
    
    passthru                                        
        # This client will 'pass-thru' the router and use the VPN client specified
        # e.g. pass-thru 2
     
    wol
        # This client is allowed to issue WOL commands to LAN devices i.e. ensure NAS/Media Server etc. is UP
        # e.g. wol xx:xx:xx:xx:xx:xx
        #      wol xxx.xxx.xxx.xxx
     
    forcedns
        # This client cannot override the pushed DNS
        # e.g. forcedns 10.0.0.254
    
    lanonly
        # This client cannot passthru outbound via the WAN or any VPN Client tunnel; only LAN resources are accessible
        # v384.xx Partially superseded by 'Client will use VPN to access=LANONLY' GUI option
        # e.g. both NAS servers, both PS3s, Rasp Pi and ALL cameras
        # lanonly 10.88.8.195 10.88.8.197 10.88.8.142-10.88.8.143 10.88.8.126 CAMERAS
    
    wanonly
        # This client cannot access the LAN; only WAN is accessible
        # v384.xx Implements 'Client will use VPN to access=INTERNETONLY' GUI option for ALL clients
     
    Last edited: Oct 21, 2018