OpenVPN - Different Configuration Question

  • It should be fixed now :)


    To be completely thorough, there is still one case where this could mess up the configuration. If for whatever reason the iptables rule is not present in the iptables nat table (table flushed by another process for example), the iptables rule deletion will fail and mkconf will fail.

    We could solve this by adding '|| true' to the command:

    iptables -t nat -D $(tail -1 ${SERVICE_IPTABLES_CONF} | cut -c20-) || true
  • Sorry for asking again,
    but after updating the plugin to the newest version, I could not connect to any devices in the LAN where the NAS stands and also could not connect from LAN to VPN clients.
    I have checked Default Gateway and also client to client. No Howto I've found in the internet could help me. Is there a good one?
    I've tried setting route to VPN on my router (which isn't my VPN Server), setting push route in VPN Server, but the only thing I could reach is the VPN Server. Also Websites I could not reach from VPN Clients.


  • For external clients to reach LAN clients you need, this should give you access by ip in extra options

    push "route"

    The red part you need to change it for your subnet. LAN clients are not going to reach VPN clients, unless they have a route there in each client. This one of the benefits of using Openvpn in the router. Is doable but you need more work. I believe the openvpnAS can do this easily.

    For hostname LAN client access you should try DNS server and put the LAN clients gateway like again the red part you need to change it for yours.

  • Is not easy the first time with openvpn, but once you try and read the documentation and the forums it helps understands. There are much much complicated setups, especially IPSEC/L2TP, very frustrating for me the when I tried years ago.
    The openvpn-connect app for iOS came as a wonderful solution for mobile access.

    You can find on ebay 20-40 dollars routers that can run tomato or openwrt with 2 simultaneous openvpn servers. Tomato is much easy to set up for openvpn.

  • Client to client option is not relevant in this case as it is used to allow VPN client to reach another VPN client.

    Default gateway option should only be used to route all traffic from VPN client toward VPN server, including internet traffic. If unchecked a route to the LAN subnet will be pushed to VPN clients.

    No extra options should be needed for external clients to reach LAN clients because an iptables NAT rule is set that will NAT VPN client traffic to the LAN VPN server IP. If no iptables NAT rule is set, a route to the VPN network would be required on each LAN clients.
    You can check iptables NAT status with the following command (with a typical output):

    root@NAS:~# iptables -t nat -S
    -A POSTROUTING -s -j SNAT --to-source

    In my case, being the IP of my NAS on the LAN (subnet and being the subnet of the VPN.

    I see one case where there could be an issue: if the VPN client is on a private LAN prior to access the Internet and if that private LAN subnet is identical to the private LAN subnet where the VPN server resides, there will probably be issues for the VPN client to access the LAN clients behind the VPN server.

Participate now!

Don’t have an account yet? Register yourself now and be a part of our community!