
[Solved] Cannot see my LAN with openvpn

Thanks, I'll check tomorrow from the office. It is very frustrating to do it with a phone client, especially if I am in the same LAN I want to reach through the VPN.

Gosh... that's certainly not the right environment to debug your issue. Using mobile data is perhaps a closer emulation of your office environment. But then you won't be able to check the TCP stack in the usual way...
 
Of course, that's what I implied by frustrating :)
Turn off Wi-Fi, connect the VPN, check that it fails again and again on the small device, and back :)
 
OK, from the office, I put Wireshark listening on tun0 and I called 192.168.2.1 (internal router IP) from 10.8.0.2: it responded and opened the web interface as before.
Then I called 192.168.2.80 (satellite receiver), and I saw the TCP packets going through tun0 to the destination, but no ACK ever came back.
I think this is proof enough that the client is correctly sending through the correct route, and we could safely assume that the traffic is not dropped on the way back to the client, but rather that something is wrong on the router (it would be strange to drop all traffic from 192.168.2.x except 192.168.2.1).
In fact, I installed tcpdump on the router and dumped traffic on tun21, and I see HTTPS going to 192.168.2.80 and never coming back.
Now I will try to do the same on the satellite receiver, so I know whether the traffic is received, and whether it is sent back at all.

If you have any suggestions in the meantime, please let me know; this is becoming painfully surgical :D
 
VICTORY AT LAST!
First of all thanks to everybody who tried to help.

Now to the ending titles...
I saw the traffic arriving on eth0 on the satellite receiver and nothing else, so I checked the routes and noticed something unexpected.
The receiver is a client of another VPN which, according to the netmask, should not interfere, but look at the route:
root@vuduo2:~# route -e
Kernel IP routing table
Destination     Gateway          Genmask          Flags MSS Window irtt Iface
default         router.asus.com  0.0.0.0          UG    0   0      0    eth0
10.8.0.0        10.8.1.18        255.255.255.0    UG    0   0      0    tun0
10.8.1.18       *                255.255.255.255  UH    0   0      0    tun0
169.254.0.0     *                255.255.0.0      U     0   0      0    eth0
192.168.2.0     *                255.255.255.0    U     0   0      0    eth0

Somehow the other VPN ended up as a gateway swallowing the traffic of my VPN.
Now I changed my VPN to 172.16.0.0 and I can access the LAN. Technically I could already, but all the devices, being clients of the other one, were routing the responses out of the wrong interface.
 
Additional question.
I think the issue I had might also have been solved with MASQUERADE.
If the router, instead of showing the request source as 10.8.0.2, had replaced it with 192.168.2.1, the traffic would have gone back properly.
So the question: is there a way from the web interface to set something like "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE", or do I have to write a firewall script?
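The route table in the previous post explains the failure, and the MASQUERADE idea above is the other way around it. As an added example (not code from the thread, nor from Asuswrt-Merlin or OpenVPN), the Python script below parses that `route -e` output and performs the same longest-prefix lookup the kernel does, for the three source addresses a reply could be addressed to: the original client 10.8.0.2, a client of the renumbered 172.16.0.0/24 VPN, and 192.168.2.1, which is what the receiver would see if the router masqueraded VPN traffic. The address 172.16.0.2 and the `conflicting_routes` check are assumptions for illustration; the table text is constructed from the posted output.

```python
"""Longest-prefix-match route lookup over a parsed `route -e` table.

Added example, not code from the forum thread: it reproduces why the
satellite receiver's replies to the OpenVPN client never came back,
and shows the two fixes discussed (renumbering the VPN subnet, or
MASQUERADE on the router).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed from the receiver's `route -e` output as posted in the
# thread (header lines included, to show that the parser skips them).
ROUTE_TABLE = """\
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default router.asus.com 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 10.8.1.18 255.255.255.0 UG 0 0 0 tun0
10.8.1.18 * 255.255.255.255 UH 0 0 0 tun0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth0
192.168.2.0 * 255.255.255.0 U 0 0 0 eth0
"""


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[str]   # None when directly connected ("*" in route -e)
    iface: str


def parse_route_table(text: str) -> List[Route]:
    """Parse net-tools `route -e` output into Route objects."""
    routes: List[Route] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue                      # "Kernel IP routing table"
        dest, gw, mask, _flags, _mss, _win, _irtt, iface = fields[:8]
        if dest == "default":
            dest, mask = "0.0.0.0", "0.0.0.0"
        try:
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        except ValueError:
            continue                      # column header line
        routes.append(Route(net, None if gw == "*" else gw, iface))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Kernel-style lookup: the most specific (longest prefix) matching route wins."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for r in routes:
        if addr in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


def conflicting_routes(routes: List[Route], vpn_clients: str, lan_iface: str) -> List[Route]:
    """Routes that would carry replies to VPN clients somewhere other than the LAN.

    A reply to a VPN client must leave the host on the LAN interface, towards
    the router that terminates the VPN; any overlapping route on another
    interface hijacks it. (Assumed check, not something the thread ran.)
    """
    clients = ipaddress.IPv4Network(vpn_clients)
    return [r for r in routes if r.network.overlaps(clients) and r.iface != lan_iface]


if __name__ == "__main__":
    routes = parse_route_table(ROUTE_TABLE)
    # Source addresses the receiver sees for a request arriving via the router's VPN:
    cases = {
        "10.8.0.2":    "original VPN client address",
        "172.16.0.2":  "client after renumbering the VPN to 172.16.0.0/24 (assumed address)",
        "192.168.2.1": "what the receiver would see with MASQUERADE on the router",
    }
    for src, why in cases.items():
        r = lookup(routes, src)
        via = f"via {r.gateway}" if r.gateway else "directly connected"
        print(f"reply to {src:<12} -> {r.iface} ({via})  [{why}]")
    for r in conflicting_routes(routes, "10.8.0.0/24", "eth0"):
        print(f"conflict: {r.network.with_prefixlen} on {r.iface} captures replies to the VPN clients")
```

The receiver's own VPN installed 10.8.0.0/24 via tun0, and a /24 always beats the /0 default, so every reply to a 10.8.0.x client went into the other tunnel instead of back to the Asus router. Renumbering the VPN leaves only the default route to match; masquerading makes the reply go to 192.168.2.1 on the directly connected LAN route, at the cost of hiding the real client address from the LAN device's logs.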
 
You can't connect from inside your own network. I don't know why. I'd have to check, but I think you can with the PPTP VPN; anyway, my point is that not being able to connect from inside is normal.

Minor correction, something I've just noticed: you can connect with PPTP from inside your own network and you can't with OpenVPN using port 1194 UDP, but I've just noticed that when connecting to port 443 TCP, I can indeed connect using OpenVPN from inside my own network.
 
"iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE", or do I have to write a firewall script?


This was like gold! Thanks a bunch. I have been going crazy trying to get an Android device to connect through the firewall.

My setup is a little more exotic, having 2 ISPs and 2 Merlin routers. I use the VPN extensively away from home for home automation.

I had been using Dual WAN with failover, but it turns out you can't really run the VPN on Dual WAN in load balance because of DDNS misdirection, and as I understand it, you can only have one DDNS operating. So if the connection goes to the WAN that isn't the DDNS IP, you can't connect. I guess I could update it every minute or so, but that seems like abusing the free DDNS.
 
