Allow OVPN clients - using OVPN-Plugin (not OVPN AS!) - to access other servers on the OVPN-Server LAN

nassy · 23. August 2015

Hi all!

I installed the OVPN-plugin and can cannot to the omv-server (which is the ovpn-server as well) but I can't connect to any other server on the same LAN as the omv-server resides.

What do I have to do in irder to reach other servers via VPN from my OVPN-client? Please, if possible, tell me the detailed commands I have to run. Thanks in advance.

My setup is as follows:

LAN ip: 192.168.2.0
router: 192.168.2.1
omv server 192.168.2.33
synology server 192.168.2.176

Meanwhile I have the following situation:

I have a synology server with a OpenVPN configuration which allows me to reach all servers on my LAN from my client via VPN.

The server config of my synology server is as follows:

Code

cat openvpn.conf
push "route 192.168.2.0 255.255.255.0"
push "route 10.9.0.0 255.255.255.0"
dev tun


management 127.0.0.1 1195


server 10.9.0.0 255.255.255.0


dh /var/packages/VPNCenter/target/etc/openvpn/keys/dh1024.pem
ca /var/packages/VPNCenter/target/etc/openvpn/keys/ca.crt
cert /var/packages/VPNCenter/target/etc/openvpn/keys/server.crt
key /var/packages/VPNCenter/target/etc/openvpn/keys/server.key


max-clients 5


comp-lzo


persist-tun
persist-key


verb 3


#log-append /var/log/openvpn.log


keepalive 10 60
reneg-sec 0


plugin /var/packages/VPNCenter/target/lib/radiusplugin.so /var/packages/VPNCenter/target/etc/openvpn/radiusplugin.cnf
client-cert-not-required
username-as-common-name
duplicate-cn


status /tmp/ovpn_status_2_result 30
status-version 2
proto udp6
port 1197

Alles anzeigen

The routes are:

Zitat

route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default easy.box 0.0.0.0 UG 0 0 0 eth0
10.9.0.0 10.9.0.2 255.255.255.0 UG 0 0 0 tun0
10.9.0.2 * 255.255.255.255 UH 0 0 0 tun0
192.168.2.0 * 255.255.255.0 U 0 0 0 eth0

Alles anzeigen

As expected, because I did not change anything manually (only via openvpn.conf).

And really nothing within iptables:

Zitat

iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Alles anzeigen

When I connect to the above configuration I can ping the omv server, the synology server, the router and all other servers residing on 192.168.2.0 using their native lan-adresses.

----

Now I show the the server.conf from my omv server:

Zitat

cat server.conf
push "route 192.168.2.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
dev tun

management 127.0.0.1 1195

server 10.8.0.0 255.255.255.0

dh /etc/openvpn/keys/dh2048.pem
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
max-clients 5

comp-lzo

persist-tun
persist-key

verb 3

#log-append /var/log/openvpn.log

keepalive 10 60
reneg-sec 0

duplicate-cn

status /tmp/ovpn_status_2_result 30
status-version 2
proto udp6
port 1196

Alles anzeigen

You see, after trying a lot of config parameters I simply copied and edited (where neccessary) the server.config.
route looks similar

Zitat

route
Kernel-IP-Routentabelle
Ziel Router Genmask Flags Metric Ref Use Iface
default easy.box 0.0.0.0 UG 0 0 0 eth1
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 * 255.255.255.255 UH 0 0 0 tun0
172.17.0.0 * 255.255.0.0 U 0 0 0 docker0
192.168.2.0 * 255.255.255.0 U 0 0 0 eth1

Alles anzeigen

And so do the iptables (it makes no difference, if I delete the first two ACCEPT-lines in omv-network/firewall).

Zitat

iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 10.8.0.0/24 192.168.2.0/24
ACCEPT tcp -- 192.168.2.0/24 192.168.2.0/24

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain DOCKER (0 references)
target prot opt source destination

Chain fail2ban-ssh (0 references)
target prot opt source destination
nas1:/etc/openvpn#

Alles anzeigen

When I connect to this config, I am only able to reache the omv-server from the ovpn client. No access to the router, no access to the synology server, nor any other server on my LAN.

Any help is very much appreciated

subzero79 · 23. August 2015

You need to enable forwarding in the omv server.

echo 1 > /proc/sys/net/ipv4/ip_forward

nassy · 23. August 2015

Zitat von subzero79

You need to enable forwarding in the omv server.

echo 1 > /proc/sys/net/ipv4/ip_forward

thanks for your response.

I forgot, that I already tried it. I did try again and restarted vpn server also. Then reconnected from my client. Same effect: Only 192.168.2.1 is reachable from vpn client.

---
edit: Even a reboot does not change anything.

subzero79 · 23. August 2015

Time to use tcpdump to capture icmp packets at server (request and reply). I don't see the client routing tables after openvpn is started. Also compare the logs at client and server (verb 4) when the client starts.

nassy · 28. August 2015

Phew!!!!!

I took me quite some time to get the access of other servers on the same lan as the omv-openvpn-server working again.

I nearly tried everything.
1.) I set up another omv-server on a nearly identical hardware and the access of other servers worked instantaneously.
2.) I compared the configs. First /etc/openvpn later whole /etc/*/*. Especially /etc/network* - but nothing.
3.) I noticed that the failing server had no eth0 but only eth1. I managed to reconfigure the server, so that it works well with eth0. - No change.
4.) I remembered that I installed the backport kernel for enabling virtualbox and/or docker. I switched back to the original kernel - no change: I could not reach other servers. So I switched back to the backport kernel.
5.) I spent quite some time in order to understand "route" and "iptables", I compared the two servers over and over again. The most obvious difference was fail2ban was installed on the server, which did not work well.
6.) So I de-installed fail2ban. No change.
7.) I de-installed docker (had some real trouble in de-installing a half-installed omv-docker-plugin): No change.
8.) Again I switched back to the original kernel and - hoorah! I can reach other servers via openvpn client.

At the moment I am quite glad, because I can reach all my servers on my lan at home from my openvpn-client and can run my virtual-machines. It is only a bit annoying that docker seems to need the backport kernel, which seems to inhibit the routing to/from other servers on my home lan.

subzero79 · 28. August 2015

i have backport kernel, with docker, openvpn and forwarding enabled working.

Dont get why are you using proto udp6, didnt notice before. Seems unnecessary. I would try also updating to openvpn wheezy-backport package.

subzero79 · 29. August 2015

I forgot about this, when your reaching clients in the LAN, packets exiting OMV that come from openvpn to neighbour lan clients, they receive an ip from the openvpn client (10.8.0.0/24), the lan clients won't know how to respond to this because they don't know how reach that subnet.
You can solve this by either adding a static route on each lan client or
You need a masquerade rule that transforms all openvpn subnet into he OMV lan ip. Something like this

iptables -t nat -I POSTROUTING -o eth0 -s 10.8.0.0/24 -d 192.168.2.0/24 -j MASQUERADE

subzero79 · 29. August 2015

@nassy i was just testing this in a VM, there is a bug indeed with mkconf (You can check here ). There is a iptables rule that refers to public ip. That public ip fetching is done with a bash ifconfig grep, but doesn't exclude docker subnets so the SNAT rule comes likes this

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 172.17.42.1 That 172.x subnet shouldn't be there, it should be the public ip, that's needed when you want to route vpn client internet through the server

Now i still think you need masquerade to reach lan clients (or a static route in clients or your router)So after the server starts, flush the nat table iptables -t nat -F and add the masquerade rule from before, now try an ping from a vpn client to a lan client. If you can use tcpdump in the lan client (in linux, windows would be wireshark) to observe the packets coming

tcpdump -nni eth0 -e icmp

tekkb · 29. August 2015

I just want to say the OpenVPN plugin works. I use it on a RPi 2 at my office. nassy has done something to his system that has messed it up. Or his configuration is no good.

If you are having problems with you config read this thread.

Setting up openvpn

PS- I connect to internal LAN site at my office all the time.

tekkb · 29. August 2015

If you comment out the grep line it will fetch the public IP from the internet with the if then statement for the ip variable.

subzero79 · 29. August 2015

That doesn't matter in this case, LAN clients are receiving packets coming from 10.8.0.0, clients don't know how to route that address. That's why he either:

1. Adds a masquerade rule (packets will convert their source to omv lan ip when they hit lan clients), he seems to already have this. The SNAT rule was probably acting before this that's why it works without docker enabled
2. Add a global static route in the router pointing 10.8.0.0/24 to omv lan ip
3. Add individual static route to each lan client, same direction as mentioned before

Jetzt mitmachen!