Score:-1

OpenVPN Configuration


I am trying to connect to the remote network 10.0.4.0/24 via a cloud relay server from a Windows PC, with no success. The whole setup looks like this (network diagram not available in this copy of the page).

The Windows client sits on 192.168.150.0/24 locally; the remote network I want access to sits on 10.0.4.0/24.

My OpenVPN server.conf:

local 161.xx.xx.xxx
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 67.207.67.2"
push "dhcp-option DNS 67.207.67.3"
push "block-outside-dns"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem
explicit-exit-notify
client-config-dir ccd
client-to-client
route 10.0.4.0 255.255.255.0 10.8.0.2
route 192.168.150.0 255.255.255.0 10.8.0.4

Client ccd files for both windows2 and client.

client:

iroute 10.0.4.0 255.255.255.0
push "route 192.168.150.0 255.255.255.0"

windows2:

iroute 192.168.150.0 255.255.255.0
push "route 10.0.4.0 255.255.255.0"

I can see routes being added on both clients, and I have added routes to the main Ubuntu server (cloud), yet still no access... What am I doing wrong?

Score:0

My first guess would be that the local LAN has no knowledge of the VPN network. Seeing as the routing table of Alma contains a default via 10.0.4.1 entry, it seems that Alma is not the default gateway for the local LAN.

Because of this, when the Windows server pings the local LAN via VPN, the computer targeted has no idea what to do with a source address of 10.8.0.4, so it forwards the answer to the default router, which also has no idea about the VPN network, and so the answer never reaches the Windows computer.

The computers in the 10.0.4.0/24 network need to be able to properly route the packages to 10.8.0.0/24. So either they need a route entry which tells them that 10.8.0.0/24 is to be routed via the Alma server, or you need to move the VPN client from Alma to the default gateway of the local LAN.

It is also possible (if routing is set up properly on the local LAN) that the Alma server does not allow routing between the two networks. Check the routing and firewall settings on the Alma server if there is anything which prohibits routing between LAN and VPN.

Comments:

Arkadiusz Rycyk: Alma is not a default gateway on 10.0.4.0/24. I don't think it needs to be for this to work. I made it work in the past using the LAN Turtle from Hak5 and following their reverse VPN YouTube video https://www.youtube.com/watch?v=b7qr0laM8kA&t=376s. Disabling the firewall on Alma and all firewalls/antiviruses on Windows 10 didn't help. One additional piece of info is that I can ping 10.0.4.202 (Alma's local IP on 10.0.4.0/24), which I hadn't noticed previously. I have re-enabled the firewall on Alma and it makes no difference: the local IP still pings and devices on that subnet won't...

Answerer: But do the devices on the subnet know how to route packages for 10.8.0.x addresses properly? Pinging Alma's other interface does not count, as Alma _does_ know how to route VPN addresses. Alma does not need to be the default router, but it needs to be the router for the VPN network, as nothing else on that subnet knows anything about the VPN subnet.

Arkadiusz Rycyk: They don't have to know; Alma acts as a router, NATing traffic (I think). I have posted the solution below. Thanks for your input.

Answerer: If Alma uses NAT to forward the traffic, then for computers on the local LAN, every connection from the VPN network will be seen as originating from Alma. Also, computers on the local LAN will not be able to initiate a connection to any of the computers on the VPN network. This is not necessarily a problem, but something to consider. Also, please accept your answer as a solution, so the question will not remain unanswered forever.
Score:0

Adding this command on Alma fixed it:

sudo iptables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE

where enp1s0 is the interface connected to 10.0.4.0/24. Happy days.
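The answer above explains why the first setup fails (LAN hosts have no route back to 10.8.0.0/24, so replies go to the LAN default gateway and are lost), and this answer fixes it with MASQUERADE instead of a return route. The following added example, which is not part of the original thread, traces one ping hop by hop under a small model of the routing tables to show the three outcomes: the posted setup, a return route for 10.8.0.0/24 added on the LAN host, and MASQUERADE on Alma's LAN interface. The VPN subnet 10.8.0.0/24, the tunnel addresses 10.8.0.2 (Alma) and 10.8.0.4 (Windows), the LAN 10.0.4.0/24 and Alma's LAN address 10.0.4.202 come from the thread; the LAN host 10.0.4.50, the LAN default gateway 10.0.4.1, the upstream hop 203.0.113.1 and the host names are assumptions. It also reproduces the point made in the comments: with NAT, the LAN can no longer initiate connections to VPN clients.

```python
"""Trace a ping from the Windows VPN client to a LAN host behind Alma under
three routing setups: 'broken' (as posted), 'route' (LAN host has a return
route for 10.8.0.0/24 via Alma) and 'nat' (MASQUERADE on Alma's LAN side).
Addresses 10.0.4.50, 10.0.4.1 and 203.0.113.1 are constructed for the model."""
from ipaddress import ip_address, ip_network


class Host:
    """A host with per-interface addresses and a static routing table."""

    def __init__(self, name, ifaces, routes, forwarding=False, masquerade=()):
        self.name = name
        self.ifaces = {i: ip_address(a) for i, a in ifaces.items()}
        # (prefix, next hop or None when directly connected, egress interface)
        self.routes = [(ip_network(p), ip_address(g) if g else None, i)
                       for p, g, i in routes]
        self.forwarding = forwarding        # net.ipv4.ip_forward
        self.masquerade = set(masquerade)   # interfaces doing SNAT to their own address
        self.conntrack = {}                 # (reply src, reply dst) -> original src

    def lookup(self, dst):
        """Longest-prefix match; None when no route covers dst."""
        matches = [r for r in self.routes if dst in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None


class Network:
    def __init__(self, hosts):
        self.hosts = {h.name: h for h in hosts}
        self.owner = {a: h for h in hosts for a in h.ifaces.values()}

    def trace(self, start, src, dst):
        """Follow one packet. Returns (path, outcome, source as seen by the last host)."""
        src, dst = ip_address(src), ip_address(dst)
        host, path = self.hosts[start], [start]
        for _ in range(8):
            if dst in host.ifaces.values():
                orig = host.conntrack.get((src, dst))
                if orig is None:
                    return path, "delivered", str(src)
                dst = orig                 # reverse the masquerade and keep forwarding
            elif host.name != start and not host.forwarding:
                return path, f"dropped: {host.name} does not forward", str(src)
            route = host.lookup(dst)
            if route is None:
                return path, f"dropped: {host.name} has no route to {dst}", str(src)
            _, via, iface = route
            if iface in host.masquerade and src not in host.ifaces.values():
                new_src = host.ifaces[iface]   # what MASQUERADE does on egress
                host.conntrack[(dst, new_src)] = src
                src = new_src
            nexthop = via if via is not None else dst
            if nexthop not in self.owner:
                return (path, f"dropped: {host.name} sent it to {nexthop}, "
                              "outside the modelled network", str(src))
            host = self.owner[nexthop]
            path.append(host.name)
        return path, "dropped: too many hops", str(src)


def ping(net, start, src, dst):
    """Forward packet plus reply; 'ok' only when both are delivered."""
    fwd_path, fwd, seen = net.trace(start, src, dst)
    result = {"forward": fwd_path, "forward_result": fwd, "seen_source": seen, "ok": False}
    if fwd == "delivered":
        reply_path, reply, _ = net.trace(fwd_path[-1], dst, seen)
        result.update(reply=reply_path, reply_result=reply, ok=(reply == "delivered"))
    return result


def build(scenario):
    """Routing tables for 'broken', 'route' or 'nat' (see module docstring)."""
    lan_routes = [("10.0.4.0/24", None, "lan"), ("0.0.0.0/0", "10.0.4.1", "lan")]
    if scenario == "route":
        lan_routes.append(("10.8.0.0/24", "10.0.4.202", "lan"))  # ip route add ... via Alma
    return Network([
        # Windows client: pushed route for 10.0.4.0/24 points at the VPN gateway
        Host("windows", {"tun": "10.8.0.4"},
             [("10.8.0.0/24", None, "tun"), ("10.0.4.0/24", "10.8.0.1", "tun")]),
        # cloud relay: 'route 10.0.4.0 255.255.255.0 10.8.0.2' from server.conf
        Host("server", {"tun": "10.8.0.1"},
             [("10.8.0.0/24", None, "tun"), ("10.0.4.0/24", "10.8.0.2", "tun")],
             forwarding=True),
        Host("alma", {"tun": "10.8.0.2", "lan": "10.0.4.202"},
             [("10.8.0.0/24", None, "tun"), ("10.0.4.0/24", None, "lan"),
              ("0.0.0.0/0", "10.0.4.1", "lan")],
             forwarding=True, masquerade=("lan",) if scenario == "nat" else ()),
        Host("lanhost", {"lan": "10.0.4.50"}, lan_routes),
        # LAN default gateway knows nothing about 10.8.0.0/24 and sends it upstream
        Host("gateway", {"lan": "10.0.4.1"},
             [("10.0.4.0/24", None, "lan"), ("0.0.0.0/0", "203.0.113.1", "wan")],
             forwarding=True),
    ])


def run_all():
    """Ping 10.0.4.50 from the Windows client under each scenario."""
    return {s: ping(build(s), "windows", "10.8.0.4", "10.0.4.50")
            for s in ("broken", "route", "nat")}


if __name__ == "__main__":
    for scenario, r in run_all().items():
        print(f"{scenario:6s} ok={r['ok']} seen_source={r['seen_source']} "
              f"reply={r.get('reply')} {r.get('reply_result', r['forward_result'])}")
    # with NAT the LAN cannot initiate connections towards VPN clients
    print("lan->vpn under nat:", ping(build("nat"), "lanhost", "10.0.4.50", "10.8.0.4")["ok"])
```

In the 'broken' case the reply leaves the LAN host towards 10.0.4.1 and is lost; with the return route it comes back through Alma with the real source 10.8.0.4 intact; with MASQUERADE it also comes back, but the LAN host only ever sees 10.0.4.202, and a ping started from the LAN towards 10.8.0.4 still dies at the gateway. Which of the two fixes to prefer is a policy choice: the route keeps VPN clients addressable and visible in LAN logs, NAT hides them behind Alma and blocks LAN-initiated connections.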
