OpenVPN - Different Configuration Question

  • It should be fixed now :)


    Thanks.


    To be completely thorough, there is still one case where this could mess up the configuration. If for whatever reason the iptables rule is not present in the iptables nat table (table flushed by another process, for example), the iptables rule deletion will fail and mkconf will fail.


    We could solve this by adding '|| true' to the command:

    Code
    iptables -t nat -D $(tail -1 ${SERVICE_IPTABLES_CONF} | cut -c20-) || true
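A more defensive variant of that cleanup, as an added example that is not code from the thread or from the openmediavault plugin. `|| true` makes the line succeed even when iptables fails for a reason other than "rule not there" (no permission, nat table missing), so the check below asks first with `iptables -t nat -C`, which exits 0 when the rule exists and 1 when it does not, and only swallows that second case. It assumes, based on the `cut -c20-` in the posted command, that the last line of `${SERVICE_IPTABLES_CONF}` reads `iptables -t nat -A <rule spec>`; the conf file contents and the `IPTABLES` override are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from the openmediavault plugin:
# an idempotent version of the NAT-rule cleanup discussed above.
# Assumption: the last line of the plugin's iptables conf file has the form
#   iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 192.168.10.30
# which is what "tail -1 ... | cut -c20-" in the thread reduces to a rule spec.
# Matching on the literal prefix instead of a character offset is less brittle.

IPTABLES=${IPTABLES:-iptables}   # overridable so the logic can be exercised without root

# Print the rule spec (chain, match, target) recorded on the last line of the conf file.
last_rule_spec() {
    tail -n 1 "$1" | sed -n 's/^iptables -t nat -A //p'
}

# Delete the recorded rule only if it is currently loaded.
# Returns 0 when the rule is gone afterwards (deleted or never there),
# 1 on a missing or unrecognised spec, and iptables' own status on a real
# error (no permission, no nat table). Unlike "|| true", errors still surface.
remove_nat_rule() {
    spec=$(last_rule_spec "$1")
    if [ -z "$spec" ]; then
        echo "remove_nat_rule: no rule spec found in $1" >&2
        return 1
    fi
    # word splitting of $spec is intended: it is an argument list for iptables
    rc=0
    $IPTABLES -t nat -C $spec 2>/dev/null || rc=$?
    case $rc in
        0) $IPTABLES -t nat -D $spec ;;
        1) echo "remove_nat_rule: rule not present, nothing to delete" >&2 ;;
        *) echo "remove_nat_rule: iptables -C failed with status $rc" >&2; return "$rc" ;;
    esac
}

# Constructed sample conf file standing in for ${SERVICE_IPTABLES_CONF}
SERVICE_IPTABLES_CONF=$(mktemp)
cat > "$SERVICE_IPTABLES_CONF" <<'EOF'
# openvpn plugin nat rules (constructed sample)
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 192.168.10.30
EOF

# Run the real cleanup only when asked (needs root and a loaded nat table)
if [ "${1:-}" = "--run" ]; then
    remove_nat_rule "$SERVICE_IPTABLES_CONF"
fi
```

Run it as `sh cleanup.sh --run` on the NAS to perform the deletion; without `--run` it only defines the functions and the sample file, which is what makes it easy to exercise against a stub in place of the real `iptables`.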
  • Sorry for asking again,
    but after updating the plugin to the newest version, I could not connect to any devices in the LAN where the NAS is located, and also could not connect from the LAN to VPN clients.
    I have checked Default Gateway and also client to client. No howto I've found on the internet could help me. Is there a good one?
    I've tried setting a route to the VPN on my router (which isn't my VPN server) and setting a push route in the VPN server, but the only thing I could reach is the VPN server. I also could not reach websites from VPN clients.


    Thanks

    • Official post

    For external clients to reach LAN clients you need this in extra options; it should give you access by IP:


    push "route 10.10.10.0 255.255.255.0"


    The part in red (10.10.10.0) you need to change to your subnet. LAN clients are not going to reach VPN clients unless they have a route there, in each client. This is one of the benefits of using OpenVPN in the router. It is doable, but you need more work. I believe OpenVPN AS can do this easily.


    For hostname access to LAN clients you should try the DNS server option and put in the LAN clients' gateway, like


    10.10.10.1; again, the part in red (10.10.10.1) you need to change to yours.

    • Official post

    It is not easy the first time with OpenVPN, but once you try and read the documentation and the forums it helps you understand. There are much more complicated setups, especially IPsec/L2TP, which was very frustrating for me when I tried years ago.
    The openvpn-connect app for iOS came as a wonderful solution for mobile access.


    You can find on eBay 20-40 dollar routers that can run Tomato or OpenWrt with 2 simultaneous OpenVPN servers. Tomato is much easier to set up for OpenVPN.

  • The client-to-client option is not relevant in this case, as it is used to allow a VPN client to reach another VPN client.


    The default gateway option should only be used to route all traffic from the VPN client toward the VPN server, including internet traffic. If unchecked, a route to the LAN subnet will be pushed to VPN clients.


    No extra options should be needed for external clients to reach LAN clients, because an iptables NAT rule is set that will NAT VPN client traffic to the VPN server's LAN IP. If no iptables NAT rule were set, a route to the VPN network would be required on each LAN client.
    You can check iptables NAT status with the following command (with a typical output):

    Code
    root@NAS:~# iptables -t nat -S
    -P PREROUTING ACCEPT
    -P INPUT ACCEPT
    -P OUTPUT ACCEPT
    -P POSTROUTING ACCEPT
    -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 192.168.10.30
    root@NAS:~#


    In my case, 192.168.10.30 is the IP of my NAS on the LAN (subnet 192.168.10.0/24) and 10.8.0.0/24 is the subnet of the VPN.


    I see one case where there could be an issue: if the VPN client is on a private LAN before accessing the Internet, and if that private LAN's subnet is identical to the private LAN subnet where the VPN server resides, there will probably be issues for the VPN client accessing the LAN clients behind the VPN server.
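The pieces this post and the official reply describe, put together as an added example (not code from the thread or from the plugin): the `push "route ..."` line for the LAN behind the server, the SNAT rule shown in the `iptables -t nat -S` output, and the overlapping-subnet caveat at the end of the post. It goes slightly beyond the text by also refusing a tunnel subnet that overlaps the server's LAN, which would break routing in the same way. The addresses are the ones from the post above; the client-side LANs tested against it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or the plugin: derive the three
# pieces discussed above (pushed LAN route, SNAT rule, subnet-overlap caveat)
# from the post's addressing, and extend the overlap check to the tunnel
# subnet itself. All addresses and the client-side LANs are constructed.

# Dotted quad -> 32-bit integer
ip2int() {
    echo "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# Prefix length -> dotted-quad netmask, as OpenVPN's "route" directive wants it
prefix2mask() {
    m=$(( (4294967295 << (32 - $1)) & 4294967295 ))
    echo "$(( (m >> 24) & 255 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))"
}

# True (0) if two CIDR networks share at least one address:
# compare both under the shorter of the two prefixes.
nets_overlap() {
    n1=$(ip2int "${1%/*}"); p1=${1#*/}
    n2=$(ip2int "${2%/*}"); p2=${2#*/}
    p=$p1
    if [ "$p2" -lt "$p" ]; then p=$p2; fi
    m=$(( (4294967295 << (32 - p)) & 4294967295 ))
    [ $(( n1 & m )) -eq $(( n2 & m )) ]
}

# Server-side directive that gives VPN clients a route to the LAN (extra options)
push_route_line() {
    printf 'push "route %s %s"\n' "${1%/*}" "$(prefix2mask "${1#*/}")"
}

# The NAT rule from the post: LAN hosts see VPN traffic as coming from the server
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -j SNAT --to-source %s\n' "$1" "$2"
}

VPN_NET=10.8.0.0/24          # tunnel subnet
LAN_NET=192.168.10.0/24      # LAN behind the VPN server
SERVER_IP=192.168.10.30      # server's LAN address, used as SNAT source

# The tunnel subnet must not overlap the LAN it is routed into.
if nets_overlap "$VPN_NET" "$LAN_NET"; then
    echo "error: VPN subnet $VPN_NET overlaps LAN $LAN_NET" >&2
    exit 1
fi

push_route_line "$LAN_NET"
snat_rule "$VPN_NET" "$SERVER_IP"

# The caveat from the post: a client sitting on a LAN with the same subnet
# as the server's LAN will have trouble reaching hosts behind the server.
for client_lan in 192.168.1.0/24 192.168.10.0/24; do
    if nets_overlap "$client_lan" "$LAN_NET"; then
        echo "warning: a client on $client_lan shares the server LAN $LAN_NET; LAN hosts will probably be unreachable for it" >&2
    else
        echo "client on $client_lan: no conflict with $LAN_NET"
    fi
done
```

The SNAT rule is why LAN hosts need no return route: replies go to 192.168.10.30, which the server un-NATs back into the tunnel. The overlap check is the thing to run before picking a tunnel subnet; 10.8.0.0/24 is a reasonable default precisely because it rarely collides with home or office LANs, whereas 192.168.0.0/24 or 192.168.1.0/24 collide constantly.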
